#modules
the only other thing is just reset your vm/machine and try again
sometimes it's the simplest/easiest solution
the login info i also found gives me a !mD error
put the password in single quotes
! is a special character in bash that invokes history
awesome! thank you both very much!
Edit: nm. You're on SQL Writing Files? You should be able to do it like how they showed.
Hello everyone, I'm doing the AD Enumeration & Attacks Module in the Credentialed Enumeration - from Windows section, and I am stuck on the first question "Using Bloodhound, determine how many Kerberoastable accounts exist within the INLANEFREIGHT domain. (Submit the number as the answer) "
I used sharphound and uploaded the zip file to bloodhound. When I run the "All Kerberoastable accounts" pre-made query, it returns 12 users, but it seems like 12 is the wrong answer. am I doing something wrong here?
it does say use a webshell tho, there's no way to cat flag.txt if I don't know the filename
If you've uploaded the PHP shell you can find the flag by looking around
I checked the hint and it says I need to find a folder, probably in /var/www/html that I have write access to but I'm stuck on this
Thanks
i feroxbuster'd it
Have you tried one of the two directories the section teaches you?
It gives it to you in one of the commands
I did try the /tmp folder and it uploaded but I can't access it
Okay, did you try the other one? It looks like they give you the exact command you need.
nvmd, apparently BH CE is just giving me wrong results? I used the BH GUI provided on the windows rdp box and it worked
Hey guys, i have a problem connecting to the module machine can I ask here ?
yes
I am on the "Knowledge Check" section of the "Getting Started" module.
I managed to get the user flag both by uploading a rev shell manually and by metasploit. And I managed to get the root flag by using ||sudo php -r "system('/bin/bash');"|| to escalate my shell to root.
However the exercise says:
There are two ways to escalate privileges to root on the target after obtaining a foothold. Make use of helper scripts such as LinEnum and LinPEAS to assist you. Filter through the information searching for two well-known privilege escalation techniques.
I can't find the second way to privesc, any nudges?
I'm working on the "Detecting RDP and brute-force attacks" section from the Windows Attacks with Splunk module.
I was given the IP address and instructed to use port 8000, but after following the instructions, I got an error when trying to connect.
htb academy can’t login?
what about https
Oh it actually worked, thank you so much ! 🔥
Hi All,
I am working on the Password Attacks Module > Windows Lateral Movement > Pass the Ticket (PtT) from Linux. When trying to authenticate to dc01 from linux01 using a valid ticket, I am receiving the following error "session setup failed: NT_STATUS_CONNECTIONRESET"
I have tried resetting my machine and the target and still receive the same error. The ticket I am using is valid and expires on 05/30.
Any suggestions?
This is the question I am on: Use the LINUX01$ Kerberos ticket to read the flag found in \\DC01\linux01. Submit the contents as your response (the flag starts with Us1nG).
I figured it out. For some reason using ||"smbclient //dc01.inlanefreight.htb/linux01 -k"|| doesnt work but ||"smbclient //dc01/linux01 -k"|| does.
is that an /etc/hosts issue?
Hi,
I actually need help with the skill assessment for Application of AI in InfoSec module as part of AI red teamer path. As per the confusion matrix the accuracy is 100% but still it shows 0% for the given model file I upload
Module - Attacking Enterprise Network
Section : Lateral Movement
Whenever I'm uploading the SharpHound.exe result file, it gets stuck here every time..
Ensure your SharpHound collector is on the same version as BloodHound
Probably cos it would've been: inlanefreight.local OR inlanefreight.com and not inlanefreight.htb
But if you dont specify it'd pick the right one by default from its hosts file
how can i?
Or DNS
Bloodhound should have a setting somewhere called Download Supported Ingestors
Roughly
haven't found it, can you drop a screenshot of the exact option kindly
In a bit when I get home, which BH you using? CE or normal?
which is installed by default on HTB Pwnbox
No clue 
Will have to check ig.
Easiest way is probably take a screenshot of the entire app rn
I think that's a normal one, because CE runs in browser
here it is
Yeah looks like normal one, will have a look see when I get on a computer
I am also struggling with this one, is anyone able to help? I am on the last step where I have XML payload just not sure where to place Type class generated from AssemblyQualifiedName. Thank you! 🙂
Welp, my bloodhound's broken
just letting you know might take a while to fix 
damn just realized kali's on CE

leave it i'm going to install BloodHound CE for future proofing..Thanks for your time
Hi guys, I need help with Footprinting module Oracle TNS, I completed all the module except for this. Someone can help?
Has anyone run into this issue on the WPS exercise?
Running sudo reaver -i mon0 -c 1 -b D8:D6:3D:EB:29:D5 -vv is not getting a challenge response. Error message loop:
[+] Sending association request
[+] Associated with D8:D6:3D:EB:29:D5 (ESSID: HackTheWireless)
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
...
Edit: Solved by restarting the target many times until it worked.
Peace be upon you
Hi, English only please
I can’t speak English
I am Arabic
Anyone Arabic
My English is so bad
Use translator😂
Hey guys, is Linux Local Privilege Escalation - Skills Assessment working for anyone? Have tried TCP and UDP on different servers, nothing works. "Connection reset by 10.129.27.142 port 22": get this while sshing in
Hey community, any idea?
Make sure that "SocksOverRDP-Plugin.dll" is a valid DLL or OCX file and then try again.
yo guys im on pivoting, socks tunneling over RDP section
when i try to load SocksOverRDP-Plugin.dll, i get this
sometimes getting it's not loaded cuz it's malicious or contains a virus
i also noticed that it sometimes gets automatically removed
there's real-time protection running
from linux fundamentals. would anyone please help me how to find this?
think first of how you regularly install packages; there's a way for that tool to list the installed packages 😉
i have been working on this for hours. almost 4 hours+🥲 i tried so many ways but all seems to not work. could i get a hint at least🥲
can you double check the output of the commands you use? it may include a header line
so you might be counting the correct number + 1
i did that also
i found the answer finally
dpkg-query -f '${Status}\t${binary:Package}\n' -W | grep "install ok installed" | wc -l
I don't think I used this complicated of a command
good luck though! I really enjoyed the questions in this section, they're good puzzles
thanks for the huge help. you helped me out a lot.
that's a very complex query tbh
you can just grep for ii with dpkg
apt list --installed is another method
apt isn't made to be used for piping to other output; so you'll get an off-by-one issue
yeah but that also includes the header line. i didnt know about that so the answer was coming wrong
which you can account for 😉
i.e. apt list --installed | head <- this will show you if the extra line is at the start;
apt list --installed | tail <- this will show the last set of lines, in case it's a "finished listing" line
Hi all, am i allowed to post online guides to modules or is that not allowed? I wouldn't reveal answers obviously but will show the process on how to get the answers
Cheers! @fathom pendant
showing the process is essentially the same as showing the answer tbqh
Why is this allowed if piping to another output isn't possible?
it's possible
i never said it wasn't possible
whenever you pipe apt you get a general warning that "hey apt isn't made to be piped, so output may not be what you intend"
all piping does is take stdout and redirects it somewhere else (typically)
ohh, I get it, isn't there a flag for this? I think I recall finding one about headers that didn't do what I wanted.
? i don't think there's a flag to remove the header
Yeah tbf you're right, what i wanted to do is against TOS anyway as the machines in question aren't retired. Thanks anyway!
you can do something like piping to "grep -v header text"; which would remove the header text line then piping that to whatever you need
Hi chat
I got an issue with the sign-in process
It keeps saying that there is an issue with the user name, whatever user name I put
reach out to support
genuinely if there's an issue with them signing in to htb, there's nothing you can functionally do
Need to speak to a person? Learn how to reach our support via HTB Labs.
I think so. It's saying your first name and last name must be separated with a space. When I do that it keeps changing to other issues with the name
reach out to support
discord isn't an official method of support
I will send them mail putting a picture of the error.
does someone have some idea about the Login brute forcing > web services questions
the module is about medusa ssh and web services
but when i try all that i learned nothing happens
first ssh requires a key that i don't have to access it and the ftp port is not opened
and the question is about an ftp user and cracking an ssh session, how can that happen ???
ERROR: No supported authentication methods located.
i've tried with medusa and hydra, both give the same thing
Hi guys struggling once again - not getting the same results as others on walkthroughs
*deleted
FIXED
was looking at the wrong port for the ftp server
make sure to specify port
the section goes over the steps
medusa -h IP -u ftpuser -P /usr/share/seclists/Passwords/Common-Credentials/2023-200_most_used_passwords.txt -M ssh -f 22
it is specified
iirc you're given a public ip and port to attack
so ssh won't be running on 22
well, at least not the one you're meant to attack
thanks for help
but how can i know that the ssh port is the given one while nmap gives the ssh port 22 ?
when the exercise gives you a port; use that port
the public IPs are docker containers where your scope is limited solely to the given port
this is explained in the intro to an Academy module, if i recall
sure thank you
Hey can you provide some suggestions how to do this correctly, because i am giving this command: gobuster vhost -u http://inlanefreight.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain,
but it says domain not found or response error
Unable to validate base domain: inlanefreight.htb (lookup inlanefreight.htb on 1.1.1.1:53: no such host)
It is showing this type of error.
Need help with Windows privilege escalation - windows Server. I can't obtain a meterpreter reverse shell. This is the error i get. I'm using the pwnbox spawned through the site.
add inlanefreight.htb to your /etc/hosts file
thanks it got solved.
I am regretting buying this module - Introduction to Windows Evasion Techniques - how can you not allow the ability to unquarantine your binary before AMSI removes it from your share - If I click on my share to copy over the binary to follow this question on Page 3 Follow the steps of this section to recreate the shellcode injector (with your own shellcode), compile it, and place the EXE file inside "C:\Alpha\Static". After placing the file, wait up to a minute; if all checks pass, the file "C:\Alpha\Static\flag.txt" will be created, containing the flag. my binary gets quarantined by defender with no way to log in as administrator and unquarantine it so I can minimally answer the question.
any reason why in File Upload Attacks module when uploading files i am getting this. Is this a skill issue?
man i am dum as heeeell( problem solved )
I now have to restart the EVASION-DEV, recompile my exploit and make sure I do not click on the share folder. Poor execution for learning
anyone solved fluffy?
The target is set with different accounts to each section’s exercise in a single Host. This is to grant you different revshells and directory access.
I don’t remember quite so how I transferred, but I’m pretty sure I used RDP
It didn’t remove my binary when I transferred to the exercise directory
#1375894619287584920 ; read and follow #welcome to access
such a PITA
I am using a SAMBA share. I'll try rdp share
what is the name of the SMB share you set up? :P
actually nvm rereading the error; it's because it's detecting it as malicious
I'm supposed to move the .exe to the C:\alpha\static folder but AMSI flags it immediately -
then quarantines it. It's the same code in the module
and again -
it's touching disk so of course it's going to flag it
Is it supposed to bypass static detection? That code\method is old, it's not bypassing anything
@reef holly Try using sudo
Oh OK
Don’t think it does
I can try to compile it a minute and check again
Is this for both types of payloads? XOR and AES?
yes and I used confuserEX on it. Still can't transfer it to the folder
OK sudo worked up until it hung...
Trying to use VPN: sudo openvpn academy-regular.ovpn
.....
.....
2025-05-30 15:09:12 Data Channel: cipher 'AES-256-CBC', auth 'SHA256', peer-id: 3, compression: 'lzo'
2025-05-30 15:09:12 Timers: ping 10, ping-restart 120
2025-05-30 15:09:12 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
.....
.....just hangs here.....
that's normal
if you look around that line it should say "initialization sequence completed"
Ah OK - it gave me prompt now
that means it's connected, and will remain connected until you close that terminal
it shouldn't return you to a regular prompt
unless you cancel [ctrl-c] it
oh no I thought i got a prompt but.... that was my VM prompt after exiting:
2025-05-30 15:12:23 Closing TUN/TAP interface
2025-05-30 15:12:23 net_addr_v4_del: 10.10.16.38 dev tun0
2025-05-30 15:12:23 net_addr_v6_del: dead:beef:4::1024/64 dev tun0
2025-05-30 15:12:23 SIGINT[hard,] received, process exiting
For that one I don't recall doing anything outside of the material to get it to work. I'll spin it up real quick since I have some time and see if I am getting the same.
I had that init line after that it hung and then exit
don't exit, SIGINT means that you did [ctrl-c]
OK lemme try again
after it launches: just open a new terminal and you should be able to connect to the target/see a tun0 device if you do ip a
I see tun0 but hung here:
2025-05-30 15:16:26 net_route_v6_add: dead:beef::/64 via :: dev tun0 table 0 metric -1
2025-05-30 15:16:26 Initialization Sequence Completed
2025-05-30 15:16:26 Data Channel: cipher 'AES-256-CBC', auth 'SHA256', peer-id: 3, compression: 'lzo'
2025-05-30 15:16:26 Timers: ping 10, ping-restart 120
2025-05-30 15:16:26 Protocol options: protocol-flags cc-exit tls-ekm dyn-tls-crypt
the "hanging" is normal
how long?
it's not hanging, this is expected behavior
maybe I should take a walk LOL
open a NEW terminal
and you'll be able to connect
do not close this terminal window
Crazy, It just keeps quarantining my binary no matter how I try to transfer it. I just used the code from the course
ok so run openvpn command again?
no
new terminal just takes me to my local shell
the "hanging" means that you're connected
type ip a in the terminal: do you see a tun0 interface? if so, congrats it's all working
@reef holly look at the output of your machine it should show like this and you're looking for the part I highlighted -
they got that output as they pasted above
they're just misunderstanding how it works
Ah gotcha.
they're expecting it to return to a shell env after it connects, which is not what it does
Yeah - I have
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen
I open new terminal --> i am in local shell
the target tells you the expected method of connecting to it
oh go back to my module and find out ?
ssh user@ip then copy and paste the password, to paste into terminal the default is [ctrl + shift + v]
yes
the openvpn command is solely to connect to the hackthebox vpn network, so that you can interact with machines on the private network [10.129.x.x]
Got it !!!!! LOL!!! Ima so dumb!😂 TYVM
I'm fairly certain the Intro to Academy module goes over a fair bit of how it works
Don't feel like that we all started somewhere too.
you get used to it
Reread the intro if you don't understand
I get it now... I don't know how I skipped that explanation. Pretty sure I skimmed through it all but where it says to **openvpn academy-regular.ovpn** it doesn't say anything else. Now I found a video on HTB intro I didn't see before, so maybe it is in there..
Anyway, thank you guys!
I didn't have an issue on my end copying it over from smb share or transferring it via iwr. You can DM if you'd like and maybe we can figure it out.
Was going crazy during the WordPress skills assessment because I was pointing my attacks to blog.inlanefreight.com instead of .local oops
Hello there, I'm facing a weird problem in this module : Information Gathering - Web Edition
Section Web Archives
I'm asked to browse the waybackmachine to 8 august 2018, I can see the snapshot and the link but I get redirected to a random snapshot from 2020.
Also other snapshots are not working....
what question is this for?
I tried archive.ph as someone suggested in hackthebox forums but oldest snapshot is from 2020
if it's for the hackthebox website question: hackthebox didn't always use .com
Even If I can see a snapshot from 2018 using hackthebox.com?
should be hackthebox.eu?
damn me..
thanks, wasted way too much time on this one
sure I don't see why mine gets flagged asap
makes zero sense
I just finished compiling. Gonna spin up the target to confirm
ok, if you don't get flagged it's def a me issue. As soon as I click the share folder it gets quarantined or if I copy it from my share to the C:\alpha\static folder same thing
ok
guys i'm stuck on network foundation on the question:
" In which architecture is the control plane separated from the data plane? (Format: two words, one of which is hyphenated) "
i know its sdn but it keeps refusing it
software-defined should be the answer @torpid pewter
are you using the abbreviation or the full words
i tried both
he said 2 words right
so
the entire word most prob
tried searching in google
i tried every combination
indeed
control-plane archit... maybe
control-plane
didn't work
even a mod didn't solve it
huh?
they are mod dude , they arent the guys who made all the modules or who have done all of it
it's not control plane
mods should be experienced (i'm joking)
sdn is correct; you just gotta type out the full thing
s-d n
this is completely wrong
ic,
didn't work
refresh the page and try again [ctrl+shift+r]
but software-defined is close, just need the net word after 😉
Hey, @echo roost DM
i've been trying for like 3 days
in this case: software-defined is being treated as one word
Defender is flagging MSF, which, in any case, wouldn't be that strange
Just in the module is, but...
Hi guys, I have problems with Footprinting module Oracle TNS...someone can help me? It's 2 days I'm stuck because I can't run sqlplus
use dbeaver
yo guys im on SOCKS over RDP section from pivoting
i transferred over the SocksOverRDP-x64.zip
when i extracted the dll, i get this when i try to load it
Disable real-time protection
theres no one
ah wait
there it is
but
also running the server says dll not loaded
ahh bro seriously i wasnt running cmd as admin
Hello again, can someone help me at CRUD API under web requests - Can someone see why this is not working, i've been trying for 20 min
curl -X POST http://94.237.55.43:31485/api.php/city/ -d '{"city_name":"HTB_City", "country_name":"HTB"}' -H 'Content-Type: application/json'
Trying to create a new city
POST isn't one of the methods under CRUD; Create, Read, Update, Delete
Good afternoon
hello!
After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb.
Hey can anyone suggest what tool I should use, I have already used feroxbuster, gobuster, finalrecon, zap but nothing is giving me the answer.
Best to say which module and section you're on
I am at skills assessment in information gathering-web edition.
@pearl ledge I remember having to re-read through some of those information gathering sections. There was typically something like a different way to use the flag provided by one of the tools presented earlier.
That was my experience, anyway.
not really, it's the skills assessment.
that's kinda the point of it.
Sounds like you have some strange proxychains setup. You should be using the IP instead of 'localhost'
👋
That's because your VPN/Pwnbox can't access the internal VLAN, which is why you need proxychains to use the connection as a tunnel to the internal VLAN.
Right, so you'd need to connect to the listener machine, not the remote machine.
After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb.
Hey can anyone help with what tool should I use, I have already used feroxbuster, gobuster, finalrecon, zap but nothing is giving me the answer.
Hi, all can somebody help me with Manipulating the Model i can not find the Exploit a flaw in the web
I need some help!!!
when am trying in my virtual machine
ssh htb-student@10.129.45.40
it shows,
connection closed by 10.129.45.40 port 22
cracks knuckles gonna see how much of a 220,000 entry word list ffuf can get through in 38 minutes... 😎
(nailed it)
Does someone know if there is a plan to put some module on C2 ?
is SSH listening on port 22?
There already is. Sliver module.
hi I have to redo question 3 for the skills assessment for pivoting, tunneling, and port forwarding
I have the IP address needed as answer but I am having a lot of trouble getting fping to work or nmap
in terms of scanning internal network
neither has worked, with or without proxychains
regardless of if I use proxychains4 of just proxychains
@cloud urchin thank you,
yess
I need to get the IP address of the target host to show up
in order to log into that host again
I am using ligolo because that's what worked last time
I have a route I know that is not the issue
can someone help me out?
I hope I'm not spoiling anything
I have flags for questions 3 and four because solved it yesterday but I need to make sure I can connect to internal network is issue
Why can't you just use your notes to set things back up?
I could but I forgot to take notes this last time I did skills assessment and I forgot the command.
I know how to do most of it from your video
Sounds like a great opportunity to start over and fill in the gaps within your notes, as your notes should be helping you throughout the SAs.
ok
well, anyway, I did start over
I'm in the part where I have connected via ligolo to ubuntu server
IMO the repetition is good.
ya and I got into the windows host last time and technically know the IP address because I found it before but I need help getting something like fping to work
if that makes sense
Can you live off the land to get that IP?
I tried using fping from the pivot host it didn't work. I could ask chatgpt to write a bash script to ping everything manually. But then there's no understanding of what I'm doing from that.
that's the way I initially thought of
and run the bash script on pivot host
Well if your ligolo pivot is setup correctly you should be able to reach the internal side from your VM and could just use nmap. If that's not working, you can DM and I can help you troubleshoot it.
thanks ya that didn't work
Can I DM you too? I got some question on this module too
wait my bash script one liner I did in chatgpt is getting stuff to show up
Anyone else getting An exception occurred while uninstalling. while testing the payload in the LOLBAS: InstallUtil section of the Windows evasion module?
Asking for @dapper moth and @round marten since they seem to be the only two thus far who have figured this out.
hey guys i want to ask for people who worked on cwee path
no i purchased 2 modules intro to whitebox and whitebox attacks
so what is the best module to buy now after those in this path
Don't think I have. But can check it later
I'm looking for a mentor in networking security bug bounties. I'm quite new to the whole community so I only know nmap although i know it well and, quite determined to improve. sorry if I'm not supposed to post here. please feel free to dm me
Switching to the unencrypted version of micr0_shell fixed it. For whatever reason I'm just never able to get AES to work properly with micr0_shell; unless, of course, you must use AES128 instead of AES256 which defeats the whole purpose of it.
???
What's happening with VPNs and RDP connections? They are so bad.
i lost too much time because of this 😕
Try a different one, though occasionally I've seen it where closing and reopening msfconsole fixes it, also deleting your message since S&P is above tier 0
And you spoiled info
Sorry. Thanks, I’ve even reset the instance a few times. It also probably doesn’t help I was trying to do it via rep on my phone when in work. I’ll give it a go soon
Hey guys! For pen testing career is it always a good idea to start as blue team because from what I seen pen testing is one of the jobs that are one of the hardest to get in cyber rn im a jr sys admin 4 months and have 8 months software engineer intern exp just graduated with a cs/cyber degree
Hello i really don't get what's wrong here, am at CRUD API web request and i found the flag
But it doesn't work?
no bro blue team is far from pentesting
I understand that but from what I have seen most people say to start in blue team before pen testing
rn im sys admin
who says
no one says that bro
In general I seen most people on linkedin start as info sec analysts and overall from what I have seen but some just start off as jr pentester.
@lunar wraith Do not post flags.
I was just about to ping the serious rule break role about that.
no no bro pentesting is a path and soc is another path every one has its own thing
in some parts while studying pentesting you will face some scenarios of how blue team deals with that
but you don't need to be a blue teamer or soc analyst if you want pentesting
choose your track and move on it, every track has its own things, maybe there will be some commons but choose your track
@blissful terrace @robust ingot you should move your conversation to #careers-and-certs, which you can access if you follow the steps in #welcome
also @robust ingot maybe people there have another opinion
The academy modules all have static flags, so they'd be the same for everyone
does anyone else in australia have experience of anything to do with rdp being extremely slow and painful
Thank you again for the help. I used option 0 instead of 2, and it ended up crashing the machine, because I wasn't able to ping it. All fixed now : )
good thing it's a test machine and not production :D
if i have to buy one from these
buy this
Attacking Authentication Mechanisms
or
Modern Web Exploitation Techniques
No one can really answer that for you. You'd probably want to look at what's covered in each module and decide for yourself what interests you more.
Hey everyone, would someone be willing to quickly discuss the skill assessment in Windows Lateral Movement? I'm working on the last question, and I'm 99% sure what I'm supposed to be doing, but the command I'm running isn't doing what I'm expecting it to. I'd greatly appreciate a sanity check on my syntax.
You can DM what you're trying
Hey can someone tutor me for CAPE modules
Thanks so much, sent you a DM
How far along are you?
Just go through the path content and you'll be fine
Hi
Hi! I'm in the Linux Local Privilege Escalation - Skills Assessment, and someone could give a hint please? about getting connection without SSH. Do I have to do a web exploitation? or is something more related to persistence?
Help please 
Like 17 percent
Pretty much the LDAP part
to be exact doing the skills assessment rn
But like it’s pretty hectic bro
Up to Evasion Skills Assessment II myself, and then MSSQL next week and then I'm done. You're already in my DMs so after I finish my first CAPE exam attempt, you know what to do.
Anyone else find an extra flag (or maybe a fake flag?) in the first part of the attacking common services skills questions?
Hi!! IS THIS NORMAL? I'm in the Linux Local Privilege Escalation - Skills Assessment and the PORT 22 SSH is super unstable, every now and then it takes me out!!!
Is how is expected to be? or is an error?
I cannot even write a command 
Hi guys, would anyone be able to help me with Advanced Deserialization XML payload? I can't figure out where to place type in XML in order to achieve RCE? I tried with both manual way and automated way with ysoserial.exe but nothing works on my end. Thank you! 🙂
Did you solve it?
It's borked , support confirmed SSH is not working on the box , so waiting for a fix , trying the Hardmode cause it doesn't need SSH but haven't worked it out yet
Ohhh good to know! 
Maybe I’m the only one that found that lol
Maybe you'll need it in the following sections 😉
Naw, I was curious and put the flag in the medium and hard skill assessments just to see, and it didn't work for them either. However, the actual flag that I was working on said “there are two ways to do this.” Which, makes sense…
Could I have some assistance with Password Reuse / Default Passwords (Password Attacks). 3306 is closed.
Nevermind, I'm 0iq
Using whois.
Analyzing robots.txt.
Performing subdomain brute forcing.
Crawling and analyzing results.
None of this is working on this question: What is the API key in the hidden admin directory that you have discovered on the target system?
Can anyone suggest me what to do?
I am at information gathering-web edition.
How long did it take you to finish it up to that module ?
Started on Tuesday and finished today.
What about the whole thing
How long ……..
Started in January after I finished my first CPTS attempt and a month before I started my second. Helped me get through the retake too.
I had to combine it with 2 community college classes, otherwise it would have gone faster. Even then, it's been almost a sort of unofficial third class in terms of time allotment.
Have you enumerated thoroughly? The hint is in the question "... admin directory ..." how do you enumerate that?
Hi for reconspider tool, whenever i tried to install it always show like this, can anyone help?
are you using the reconspider.py from the module or the one from github; they are different tools
from github
the reconspider from github is a different tool than the ReconSpider that the module is telling you to use, they provide a link to pull the one for the module.
it is actually a custom written tool
ohh thank you, didn't see that cuz i skip to assessment
Hi everyone! Are the 'Introduction to Networking' and 'Network Foundations' modules sufficient for understanding networking?
they're sufficient for understanding basic networking
but networking is very broad
API Attacks -> Broken Object Property Level Authorization -> Exploit another Mass Assignment vulnerability and submit the flag.
i am stuck on this question can anyone give some hints
thank you!
Is there anyone i can DM about the MSSQL, Exchange, and SCCM skills assessment? i think i did an unintentional method...
You can DM but I don't think I did it the intended way either.
dmed, thanks!
It is not
It’s that straight up
Hey can anyone check the information gathering - web edition module skill assessment chapter, whether the academy has stopped showing email information for the inlanefreight.htb using the reconspider tool from the module.
Out of curiosity, what did you find? Can i dm?
sure
was a lil disappointed.. but im sure theres more than one method
is it normal for attacking common apps - gitlab exploitation user enumeration to take 7 million years
i feel like im watching the poles melt🫃
Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer.
How much time will the Password mutations module of Password attacks take
been 84 years
Hey,
I am currently doing the “Setting up” module for Linux, I have installed ParrotOS on VirtualBox. I have selected the options to Erase Disk (swap - no hibernate) and also created a passphrase to encrypt the system.
Once I have completed installation and proceeded to reboot. I am not prompted to Unlock the LVM partition with the passphrase I created?
Hey guys, good afternoon. I need a little help with this. I don't know where to put in these values with AI
I advise you to use Kali instead of Parrot because Parrot misses many tools which Kali already has and you will have to install them while they are already pre installed in Kali
Great, I will use Kali instead then. Thank you for the help 🙂
Maybe someone here can help me with “Attacking WPA/WPA2 Wi-Fi Networks - Skills Assessment”. I'm stuck on the question: "Connect to the StarLight Wi-Fi network and submit the flag found at 192.168.1.1." All other questions were solved without any problems.
I took a closer look at the .cap file and realized that the client uses EAP-TLS.
So I tried to redirect the client to my fake AP with patched hostapd-wpe. (Also edited the eap_server_tls.c...)
Unfortunately unsuccessful:
authentication failed - EAP type: 0 (unknown)
Supplicant used different EAP type: 13 (TLS)
deauthenticated due to local deauth request
I also intercepted the certificate and provided it, but unfortunately that didn't help either.
hellooo
Hi
hey did you figure this out?
Yes, there are
Hello Team,
has anyone done this module #AI Red Teamer Fundamentals of AI/Skills Assessment
looking for a hint on the last questions
Anyone can provide a nudge for the command injection skills assessment please ? I’ve tried to separate the operations and fuzz them individually. I used characters and bypass techniques from the module. I tried to google a few things, but unable to get a meaningful error. A nudge would be appreciated.
Can someone DM me for help with "Introduction to Deserialization Attacks - Skills Assessment II Q2 RCE"?
Hi all. I'm stuck on what's seemingly a dead simple question in the "Intro to C#" module. The following:
How can you access the element in the third row and second column of a two-dimensional array named grid in C#?
I've finished the rest of the module already without much troubles but I just don't get this one. I've tried a lot of syntax variations already. Can anyone help?
just to assure, when i click on Cancel subscription, it (just) stop auto renewal, but still keep exam voucher, access to modules i haven't owned yet, the step by step feature in the modules, etc.. correct??
Yeah, this should be the case. It’ll all end on the last day of the billing cycle
ok thanks 😄
Anyone know if Ligolo-ng gets covered in the AD pentester path?
It's not covered per se, but there's a subsection in the "SCCM Site Takeover I" for the MSSQL, Exchange, and SCCM Attacks Module
ah okay thanks 🙂
Hey can anyone check the information gathering - web edition module skill assessment chapter, whether the academy stopped showing email information for the inlanefreight.htb using the reconspider tool from the module?
You can use Ysoserial
hey guys, has someone completed the Module AI, the last exercise Skills assessment?
There’s a lot of AI modules, gonna need to be more specific 😅
applications xD
I think it's the IMDB dataset SA that a lot of people are having trouble getting their model's accuracy up
Feel free to dm your question
Im putting my kids in bed so no fast reply guaranteed as they’re unpredictable and there’s a thunderstorm starting
don't worry i understand
I thought mine was less.
Just went to check and 😂 :
Your model achieved an accuracy of 1.0.
but i don't need speed just i need help xD
Dm me and I’ll try 🙂
guys can someone help me with the phishing lab in the xss path?
just ask your question, don't ask to ask
sudo openvpn <filename>.ovpn
there's no "Htb module" vpn; there's the HTB academy vpn
let me guess: it just "hangs"?
wait ill tell vpn name
vpn name doesn't matter
if you see the > Initialization sequence completed < then you're connected
and you just open a new terminal and you'll be able to interact with the internal lab environment (10.129.x.x)
it shows
Initialization sequence completed
ping 10.129.221.254
PING 10.129.221.254 (10.129.221.254) 56(84) bytes of data.
From 10.10.14.1 icmp_seq=1 Destination Host Unreachable
From 10.10.14.1 icmp_seq=2 Destination Host Unreachable
From 10.10.14.1 icmp_seq=3 Destination Host Unreachable
From 10.10.14.1 icmp_seq=4 Destination Host Unreachable
From 10.10.14.1 icmp_seq=5 Destination Host Unreachable
From 10.10.14.1 icmp_seq=6 Destination Host Unreachable
From 10.10.14.1 icmp_seq=7 Destination Host Unreachable
^C
--- 10.129.221.254 ping statistics ---
7 packets transmitted, 0 received, +7 errors, 100% packet loss, time 6096ms
pipe 4
not all devices respond to pings: are you also running the pwnbox at the same time?
sorry xd
don't run the vpn and pwnbox at the same time
I cant send a picture here
i m not
To show which lab I cant solve
you shouldn't need a picture to ask your question
i terminated
do this in a new terminal
sudo killall openvpn
then rerun the connection command
Try to find a working XSS payload for the Image URL form found at '/phishing' in the above server, and then use what you learned in this section to prepare a malicious URL that injects a malicious login form. Then visit '/phishing/send.php' to send the URL to the victim, and they will log into the malicious login form. If you did everything correctly, you should receive the victim's login credentials, which you can use to login to '/phishing/login.php' and obtain the flag.
I cant do this task
ok
try restarting the target
skill issue
i did 2 times
:(
but on a real note: you didn't explain the issue you're having
the module walks you through crafting the payload
payload works normally, but I cant send it to admin
then change vpn regions and reset target
no idea
back to you:
make sure you pay attention to where the payload is injected
Hello
Don't share the payload @mellow sky
my payload works on /phishing/index.php not in /phishing/send.php
Explain the issue/error rather than just pasting the payload
Or if someone else wants to take to dms to help you they can
I would appreciate it. I spent 5 hours on this, I couldn't solve it yet
phishing/send.php
Invalid URL!
Okay, I've read the rules, Nothing surprising in there.
I was working on Module: Attacking Web Applications with Ffuf, Section 4: Page Fuzzing.
How many users do u have? I have a feeling that i am not having the correct dataset 😄
Nevermind, I solved the problem.
Can someone also confirm that the data in the BloodHound module that is obtained from SharpHound is not up to date? I obtained the data for the legacy version and for the CE version, but in both cases it is not the same as in the exercises in the academy module. Thanks a lot!
The sections aren't always a 1:1 replica of what's in the challenge. Another thing to consider is the user context you're running the collector under.
Thanks for your reply. I do understand that. However, for example, even the collected data available in the lab VM isn’t the same. I mean, what’s the point then, since the questions seem to refer to a different (and possibly more complete) dataset.
See my 2nd sentence in the reply above.
I see it. If you mean to run SharpHound of BloodHound as an admin, that doesn't change anything for me. Or am I completely on the wrong track?
In my case it doesnt change anything. I will reset the VM and run once again as an admin, maybe doing something wrong.
still same results.
Could someone possibly help with Attacking Active Directory & NTDS.dit. I've run username-anarchy and used crackmapexec against the user and used the fasttrack wordlist for password. Any help would be much appreciated!
Someone could probably help if you mentioned the specific section you're on
always best to name the module, section, and question you're on
I am working on the Active Directory BloodHound module and right now in the 'Edges' section. Logged in to the target machine and collected data with SH (as an admin). The attack path that I am seeing, in the target VM, from grace to srv01 is different than in the module exercise and that is only one example of mismatches. Because of that I am not able to reproduce the steps in the same way as mentioned.
I just looked at this module for you. I RDP'd into the target and found a bloodhound folder in c:\tools, as well as the bloodhound data zip file. I uploaded that to the provided bloodhound app and it's working just fine. My guess is you're not supposed to use sharphound here but the provided tools.
I am doing exactly what you are saying. It is working fine, but the data is not the same. That's the whole point. But thanks anyway. 🙂
That's not what you said a minute ago
you just told me you were using sharphound to collect the data and upload it, you tried it under the admin and user context
did you use the already provided bloodhound_data.zip?
New here guys
I have done that already, so how do things work here? Because I'm really a complete newbie, could you show me around?
This is not the place for that, this is for discussion of the modules on HTB. You'll want to ask in #general or something. Regardless...
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Yes I did, but maybe I am misunderstanding the exercise. Let me read it once again....
What I'm seeing matches up with the module. The grace user doesn't have direct perms over SRV01. If you look in the table, grace has rights over another user, not the computer.
#modules message
I've run
crackmapexec smb <TARGET> -u <User List> -p <Password List>
I've used the names provided from the question below, and used username-anarchy
For the password list I've used fasttrack.txt and mutated the list. Nothing is working and I'm getting frustrated. Am I missing something?
Please do not ping people or channels like that.
It was a link to my own message?
Oh lol my bad
all good 🙂
Try using the password list provided in the "Resources" section of the module instead of fasttrack.
Ignore my question I am dumb
I've used that and fasttrack in the pwnbox. I've even used a mutated version of fasttrack using provided custom rules. Do I need to mutate the provided list from resources?
Looks like you'll need the mutated list of the password file provided. When a module provides a resource like that, you don't need to use something else (like fasttrack). If you have a properly mutated pw list, it may be you did not generate the correct username with username anarchy.
I ran ||hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list|| I also utilised || firstinitiallastname || for the discovered employees
but I did originally just use username-anarchy for all the provided employees
Maybe redo all the steps then, make sure everything is correct. Should work as long as you have the mutated password list and used anarchy correctly.
I've repeated this a few times now, could I send you my userlist?
ok
gimmie 2 secs to recreate it
I am currently on the module "PKI - ESC1" on "WINDOWS ATTACKS & DEFENSE". For doing exercise of that module, I have to first connect to kali using "SSH" or "RDP". Then I have to connect to WS001 from kali, and I am not able to do that.
I have tried "xfreerdp" and "rdesktop" from kali but it is giving me the error of display variable. "Remmina" is not present on the kali machine. I also tried tunneling from kali machine, but that is also not working for me.
Does anyone have any idea about it?
Did you read the section above the skill assessment? It gives instructions on what to do, you're not supposed to RDP into the Windows machine from the target you spawn, but instead from your own attack box via dynamic port forwarding and proxychains.
The reason it's failing for you is because ssh is just terminal access, not gui access, so when you launch rdp it fails because those rdp applications are trying to use a gui, which you cannot use over a terminal.
Okay, I understood it now. I missed it previously. Thank you!
But why -L (Local Port Forwarding) is not working and -D (Dynamic is working)?
ssh -D 9050 kali@10.129.221.192 [working]
ssh -L 3389:172.16.18.25:3389 kali@10.129.221.192 [Not working]
because the target host isn't reachable by the ssh server, it cannot reach the host's subnet
Now, I am getting this error. Is it any known error?
Yeah re-spawn the target. If it persists change servers and/or regions.
Okay, thanks!
@main halo Just DM a mod/admin instead of using the serious rule break tag please.
Hi, I think my VM spawned the wrong machine/box - I'm doing the 'Hacking WordPress' skills assessment and as far as I can tell, the site isn't a WP site.
There's none of the typical indicators that it's a WP site
I just want to get confirmation that the box might be broken, rather than giving me hints
Because I'm fairly confident something's wrong with it
If you think it's broken: reach out to support
Well It's spawned a target with .html files instead of .php haha
ok? that doesn't inherently make it wrong
No, except for the fact that WordPress is powered by php, and doesn't use static files
I do understand your point though
if you change vpn regions and respawn the target and the issue persists, maybe there's more to it than meets the eye
I'll try - it just seems very abnormal - could be me though!
perhaps there's an endpoint like website/blog/ that's powered by wordpress
Maybe, bet I'll kick myself in a second knowing me - thanks for your help!
oh look at that, kicking myself 😠
Nevermind, lesson learnt I suppose.
Hello I am a new member
Guys hello. I have a problem not very much related to the module. I have forgotten the email with which I registered one account. What can I do? Maybe look in credentials in config?
Not what this discord is for, contact the service provider for assistance.
No.
Okay am done reading
Anyone knows the way to find the hidden admin directory on the target system? I am really stuck.
Always best to include the module, section, and question you're on to get better help.
To answer your question, fuzz it.
https://academy.hackthebox.com/module/144/section/1311
What is the API key in the hidden admin directory that you have discovered on the target system?
I have already done fuzzing but it is not showing
Robots are your friend
robots.txt file is not there
Wrong subdomain then :) it's not that deep
Thanks very much
Anyone? 
@keen pewter Please do not post flags.
sorry
NVM, just figured it out... If anyone else is stuck on this part please reach out
Guys hello while doing Oracle TNS in Footprinting found the user and trying to use sql but getting this error qlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory
There is such file in the folder libsqlplus.so
Try this (from an old writeup of mine, I recognized the error)
sudo apt update
sudo apt install -y oracle-instantclient-sqlplus
# Set an environment variable so the sqlplus client
# Can load the shared libraries
export LD_LIBRARY_PATH=/usr/lib/oracle/19.6/client64/lib
# Add the environment variable to .zshrc so that
# It's set every time a shell opens
echo 'export LD_LIBRARY_PATH=/usr/lib/oracle/19.6/client64/lib' >> ~/.zshrc
oracle path under /usr/lib might differ slightly, as the writeup is a few years old.
So, might be a different version than 19.6 or something
can somebody help me with a challenge named "Simple Encryptor"
Thank you let me try)
thanks it really helped me to create a shell
but doesn't allow me to authenticate with found credentials and there is an error ORA-12541: TNS:no listener
Which module/section is this?
reversing
that's not a module or section
wdym
I mean which module and section are you working on that you have this question about?
Okay whenever you want help just let us know which module and section.
check if you have copied it correctly may be there is a space left
what you mean with module and section what does that mean
This channel is for discussion of the modules on HTB's Academy platform.
ohhhhhhhhh
Lennox, a module is a topic you are working on; the sections are the parts of this big topic. For example, Footprinting is a module and Oracle TNS inside Footprinting is a section
my bad im sorry
You'll need to follow the instructions in #welcome to gain access to most of the server, if your question is about the other platform/boxes/etc.
for resources attached to modules, like a wordlist, how do you get them onto the pwnbox?
Hey yall whats a good box you could recommend?
right-click -> copy link -> wget <paste link>
what module is this?
Footprinting then SMB
for CPTS
it worked but i tried that ngl
it makes me think im high 😦
thank you!
bit of head scratcher, but i guess it wanted it in that format: "/home/user"
yes on to the next
Remember it's against the rules to reveal content above tier 0, and please do not give flags away.
Hello Guys
Does anyone have an idea why this error occurred when trying to resolve the exercise of xfreerdp in Tier 0 section (explosion)?
19:20:46:103] [43714:43715] [ERROR][com.freerdp.core] - transport_ssl_cb:freerdp_set_last_error_ex ERRCONNECT_PASSWORD_CERTAINLY_EXPIRED [0x0002000F]
[19:20:46:103] [43714:43715] [ERROR][com.freerdp.core.transport] - BIO_read returned an error: error:0A000438:SSL routines::tlsv1 alert internal error
Explosion sounds like a box not a module
so where should i ask this question
I don't think there is a section in a module called explosion
starting point>Tier 0> explosion
Oh that's #starting-point then.
This channel is for discussion of the Academy modules
but i don't have access on it
So what should i do
man i am doing password attacks default creds/password reuse, i can't get past its question of logging in sql
Hey guys, probably not the right place to send this but don't have access to the general channel. I've been struggling to land a Cyber Security position. I've been at this for about a year in 5 months now in terms of really diving deep and learning hands on. My heart is in offensive security, but I've been applying to any and all Cyber Security positions that are more junior level. I'm 29 years old, and I'm debating on joining the AirForce as I feel that my options are very narrow right now on the commercial level having very little IT experience. I've revised my resume several times and have had a total of 5 IT interviews in the past year. If anyone else has been in a similar position and has any advice on it, I would greatly appreciate it. I know this probably isn't the place to post this, but again I don't have access to the general chat.
Probably a stupid question but where would account identifier be? Would that just be my email?
It's on the profile settings page on the main platform, the instructions give you the link. https://app.hackthebox.com/profile/settings
I think I got it, thank you.
Hi, i need some hints for skill assignment - dacl attack 2. First q. I think action with SPN is right way, but can’t get hash SDE01.
Please dm me
If you can't get the hash, can you think of another way to get credentials?
Can i dm you? I have to use methods explained in this module. I checked other options, they aren't suitable or i'm missing something
ok
Any help with the SQLMap Running SQLMap on an HTTP Request part of the module? I get this error every single time I run the tool: [CRITICAL] connection reset to the target URL
I tried tamper templates with no luck. I ran some payloads manually, and at some point the payload just gives me the "The connection was reset" error
I ran it through proxychains to see the requests in Burp, and the tool actually ran all the way through, but it didn't extract anything; rather than stopping the tool, it kept going even if the page was getting the reset error
Figured it out
Got it?
https://academy.hackthebox.com/module/54/section/511
Can anyone help me with the question : Before you run your page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains?
No matter how many times i try it is showing only .phps .
Which question?
To solve this, you'll need to:
- Identify the domains or URLs in question.
- Analyze the web server's configuration or the website's behavior to determine the accepted file extensions.
Some common methods to discover accepted extensions include:
- Checking the web server's configuration files (e.g., Apache's httpd.conf).
- Analyzing the website's source code or HTTP responses.
- Using tools like curl or wget to test different extensions.
Once you've identified the accepted extensions, you can proceed with the extension fuzzing scan.
How to check config files.
Please don't post this AI slop..
?
which command do you use?
ffuf -w /opt/useful/seclists/Discovery/Web-Content/web-extensions-big.txt:FUZZ -u http://xxxxx.academy.htb:55512/*FUZZ -t 3000 -fs 287
can you show me how to do correctly?
Did you try all addresses?
yes
Did you try other files than web-extensions-big.txt?
i have tried extensions.txt,extensions-large.txt,raft-large-files,raft-large-extensions
extensions.txt did work for me
ok my command syntax is correct?
ok roger that. thanks for your suggestion.
you're welcome 🙂
By the way http://xxxxx.academy.htb:55512/*FUZZ is this part right?
ok thanks
hope that helps 🙂
Hey! First time asking.. I am having trouble with Port Forwarding https://academy.hackthebox.com/module/158/section/1426
Usually I was able to find help on forums reading the posts. However that's the first time when I am doing everything by book and it doesn't work. Please tell me what I did wrong. Here all the commands and infos:
Maybe try port forwarding the rdp port
worked thx!!!
may I ask you why it works?
cos SOCKS doesn't forward every protocol
and it's acting in the other direction
Hello! I need common advice regarding the passwords module. I cracked the hash for a certain .docx file but I just can't figure out how to open/read the file. I tried to install Libreoffice but it just doesn't work on my Kali. Any terminal tools to decrypt and read .docx file? Thanks..
If you're using Windows you can just transfer the file and open it with Word, or transfer it to a Google account and look at it in Google docs.
google docs should work in your browser
@cloud urchin The VM is Kali and my Host is Mint so no Windows
try google docs then
Ok! Thanks, will do
supposedly for terminal there's this https://docx2txt.sourceforge.net/ but i got it from google so i haven't tried it. or this https://pandoc.org/.
I tried those already, ChatGPT suggested. But it doesn't convert because the file is still encrypted
well yeah you'll want to decrypt it first
Yeah, the problem is how the hell am I gonna decrypt it 😄 I've got the password for it already with john.
any program that can open it should allow you to enter the password
Apparently google docs can't decrypt files either
This is bad when even ChatGPT is clueless how to help me 😄
@cloud urchin I got it..! There's a cli-tool called msoffcrypto-tool which got the job done for me.
isn't there a docx2john somewhere?
here we go
They got the pwd but didn't have an app to open it that asked them for the pw when opening.
They couldn't get that working
Libreoffice doesn't work on Kali (or at least on my Kali vm..) and couldn't unzip it because it's encrypted. That's where I was stuck
wouldn't the password work for unencrypting it?
The issue was how do I decrypt it? There wasn't a prompt asking me to enter a password. I eventually found a CLI-tool called msoffcrypto-tool and was able to decrypt it with the tool using the cracked password.
hi i'm doing the academy, it is asking for: What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?
i did find / -type f -name *.conf -user root -size +25k --newermt 2020-03-03 -exec ls -al {} ; 2>/dev/null
but no output
what ever i m typing i m not getting any output
why are you filtering the user?
it's not specified
oh
Quick question. Do you know if you can run Responder from your attack host if you have set up a ligolo tunnel? I assume you just run responder -i ligolo (or whatever the tunnel name is called) but I don't get any output. But if I run it on the target host that the ligolo agent is on I do get information. (maybe the targets just send requests to that target and not my attack host)
I mean: it depends
You absolutely can
All you need is to forward port 445 from your ligolo proxy settings
When you do this, ensure that you specify all interfaces or your vpn interface
Do you mean port forward the traffic that comes on the target on port 445 to go to my attack host?
And thanks for the help :))
Yeah something like that should look something like this
listener_add --addr 0.0.0.0:445 --to <tun0ip>:445
Then start up responder and get those hashes
port forwarding on 445 requires higher priv but I can portforward internally to a higher port and then tunnel it. Anyways, I got the gist of it. Thanks a lot @harsh gorge 🙂
Good morning, colleagues. I'd like to ask you a specific question. When you don't understand a specific topic, which HTB makes complicated in theory, how do you understand the concept from scratch? Or what resources do you use?
If it's related to an attack vector, I usually use https://ippsec.rocks/ (goated).
Search utility for IppSec's YouTube videos
Just type what you need, you should get a box-solving video where he teaches about that particular topic. It starts directly from that timestamp.
And by chance there are written resources. I'm more of a reading person, but this resource is good, thanks.
Hello
In the using web proxies module they have given this tip. But looking at the GitHub issues for the hud repository and personal experience it is very buggy. It would be nice to ignore that. Just putting it out here
You can use https://0xdf.gitlab.io/search by 0xdf.
0xdf are the best writeups
he's a crack
hey everyone! Can someone give me some tips on powershell? I have come to understand that powershell mostly relies on cmdlet commands, i.e., verb-noun combo, but it is a little difficult to remember the commands
use something like Get-Command -Verb Get to find cmdlets you need for info gathering, and the more you use it the better you get at it
Has anyone done this module #AI Red Teamer | Fundamentals of AI | Skills Assessment
Anyone got a solution to setting up the windows vm when the developer page of microsoft has shut down downloads?
So just set up reg win10 with chocolatey manager?
I have the win10 set up as standard with no tools atm
has anyone had difficulty setting up proxmox on virtualbox? I keep getting a black screen when starting the download. I already disabled secure boot and enabled virtualization in my UEFI.
also you don't need to do everything from the setting up module, think of it as a rough guide -- not commandments
Yeah I had the same, it was a setting issue
What settings did you change?
I can help you in like 20-30
alright thanks!
Dm me
Ooh aight. I'm completely new to this so I have no idea. Just finished the parrot os and tool installation
the tools.list they provide is by no means an exhaustive list
@hardy spire thank you, much appreciated
you can and will run into tools you'll need to install at the moment
i.e. a github repo tool, or something directly from academy to download
Does someone have 3 min to explain to me something about javascript? in voicechat
Is learning AI red teaming worth it? I have interest in AI as well as Cybersecurity, but I can’t find anyone else or lot of people recommending me this path. I just wanna know that before I unlock the module
ok i double checked the command and its saying my number is still wrong
ah i figured it out i was including headers
https://academy.hackthebox.com/module/54/section/511
Can anyone help me with the question : Before you run your page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains?
Can anyone tell me how many extensions are there in correct answer?
instead of asking for the number you should be asking what you're doing wrong, the module teaches you how to do an extension fuzz; http://website/indexFUZZ
i have done this but the answer is showing not correct.
it's expecting a list as ext1 ext2 ext3 ... not as a list like ext1,ext2,ext3
also make sure you do your fuzzing on all subdomains
ok thanks
so I have question that I know it doesn't belong to here but this is the only channel I have access to:
How can I access #general channel ?
How can I access the channels associated with HTB lab ?
what subscription do I need to access pro labs in HTB lab website ?
- there are instructions in #welcome
- see point 1
- Pro Labs subscription, it's separate from vip/vip+
thx
anyone got experience with chocolatey installation?
Has anyone tried dnscat2-server instead of the external one?
Is there an issue with the module labs currently? In the pivoting section sock over rdp part, it seems like the second server isn't coming up
hey guys, after completing a module on the cpts path, I'd like to solve some machines relevant to the module to reinforce my understanding, how can I know these machines
if its black screen press enter
otherwise specify the problem
after completing modules it shows relevant machines you can do them
or watch ippsec videos on youtube
I mean the server literally doesn't come up, it does not respond to pings or rdp's
hey fam! Need a suggestion here, I just completed the fundamentals of linux and windows OS, what should i study after this?
thank you 🫡
Definitely go and study networking
Is there anything I can do to troubleshoot this? I've cleared my cache/cookies and logged back on. Still cannot get a PWNbox session to open.
Anyone know if I have ligolo-ng agent running on a PC say (FS01), will a machine that is on the same LAN be able to access my Kali VM that is only available on a VPN, since FS01 is also connected to the VPN?
Yes
I changed to another pwnbox location and now i can use it.
Error code ID-107, no issues here on lab side
i am also getting bad request when trying to open to a new window
Do u need help bro
tried switching locations like @void tendon but still get bad connection
bad request*
To which location did you try connecting? First, I tried another one in the US and it didn't work. After that, I tried UK and it worked
reach out to support if you're continuing to have issues
ok will try UK
Need some help? Learn how to reach the support team on Academy.
Well…somehow JxxxS sql account disappeared on me….
what module? 🤨
lol I just came here to see if anyone else was having the same issue
Hey everyone! I’m Austin — I’m 17 and a high school junior currently in a programming course at Wilson Talent Center.
I just got my Java certification and I’m starting a cybersecurity program later this year. Super interested in ethical hacking, blue team stuff, and just learning as much as I can right now.
Always down to chat or learn from people in the field — excited to be here!
In the module "Detecting Windows Attacks with Splunk" are we supposed to have a splunk instance already?
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths ("https://www.inlanefreight.com/directory" or "/another/directory") of that domain. Submit the number of these paths as the answer. Where do i even begin to solve this on my own?
start with curl
That sounds like normal enumeration to me, maybe do a script that does it and then prompts the final result of counting
consider the important bits of the question;
- curl https://www.inlanefreight.com
- filter in some way whenever there's a link/reference to https://www.inlanefreight.com/somedir
- make sure there's no duplicates (unique paths)
could u help me too marcie pls
i haven't touched that module
😦
ok thank you 😄
but i recall a splunk instance existing on the target
i no have anyone
¯_(ツ)_/¯
make sure you use https and the appropriate port iirc
no port
or use the chat bubble
yeah thx
does anyone know why i can't sign up for htb vip, it only allows me vip+ and pro labs bundle and i can move forward with labs until i get vip
reach out to support; your question also has 0 to do with academy modules
thanks
Hey all, I'm in the CPTS Linux Privilege Escalation Sudo section, and all of a sudden when I start a VM and hit full screen, it's saying Bad Request and not showing the VM.
-I cleared cache and still having the issue
-I tried to go to another section and still the issue is happening
you had a similar path to me
chose the networking option instead of coding though. will they help you get your security+ ?
Nevermind, changed location to CA from US East and solved the issue
I'm in the Password Attacks - Credential hunting in Linux. I'm trying to transfer files with smbserver.py or python3 -m uploadserver. From the linux machine that I'm ssh'd into, I'm getting error: "is not a directory" when trying cp . \10.10.14.68:8000/home/kali/Downloads/upload. Any ideas?
It was attacking common services. (The hard skill assessment.). I just terminated the machine and started again though. That was crazy and funny at the same time…. I got it though
I should have taken snippets lol
I've been stuck on https://academy.hackthebox.com/module/19/section/119 for 2 days, this is the nmap hard lab I've done a lot of scans and have documented the important ones that are different but none of them give me something the answer is looking for I'm not even sure what exactly the "service" it is alluding to. I've done sS scans sV and sA scans and I did find an extra port (that only responds directly to port 53 and potentially other ports but don't know how to test a bunch through a script) but it's just a linux running router with non-specific version determined. I know in the material it has a section on spoofing your ip but every time I try to use it, it gives me an error of not finding the path. That's the only thing I could see I haven't used in the material and the "service" is not something I have a clear image on even though it seems like something I should already be able to guess. In short I don't exactly have a plan or a visual on the way forward.
Well when you start a webserver it uses the current directory as the webroot, you can't just call the root filesystem of a webserver
The extra port is important, nmap may not find everything you may need to use netcat/ncat/nc
You don't need to spoof anything
Reread the dns proxying portion
Also cp doesn't work that way
ok thanks for the tip I'll look into it because I haven't used those yet didn't think to
The module does make note that nmap may miss things
yeah it makes it pretty clear it's a tool not something that is definite I think they talk about it in the metasploit one too
@fathom pendant Not sure what you mean by "you can't just call the root filesystem".
The filepath you tried to specify in your command is /home/kali/Downloads, that's calling for the root filepath with / being the filesystem root for Linux/unix systems
If you have the python server running in your home directory all you need to specify is webserver:port/Downloads/filename
filename? Do you mean directory?
Well if you're downloading a file, filename, if you're trying to upload a file; i don't believe that the cp command allows you to copy from a webserver
You'd have to use curl
I'm trying to upload two .bak files from the victim to my attackbox. I've also tried mv
Mv and cp only work locally, I suggest instead starting the web server on the victim and using wget to download the files that way
I believe so I enjoy my coding tho
Have you filled out the parental consent form, I understand you're 17 but all minors are still required to submit one regardless
Hi - for whoever is reading, the connection here on the question / module is very very weak and it feels like a wild goose chase on this. The question should at least tell you that you need to use the adm account.
in the prior module - if I'm not mistaken, you don't even compromise the _adm user. I would strongly suggest this question be updated to provide some guidance.
Attacking Domain Trusts - Child -> Parent Trusts - from Linux
/feedback
And/or toss into #1234357888114364508
Wdym, what for
Ohh for hackthebox I do I thought you were talking about something else
If you don't have the form filled out/submitted then you will be banned until you become 18 :] so extra incentive
There's instructions in #welcome to link your htb account to the discord btw
Okay thank you a lot
@fathom pendant I've run nc -lvnp 4444 on the victim, and wget http://10.129.159.28:4444/home/will/.backups on my attackbox. All it says on my end is: request sent, awaiting response
Why not run a python server, nc isn't inherently a file transfer protocol
wget uses http/https protocol to request files, which nc doesn't inherently set up
I suggest looking into the file transfers module
I ran python3 -m http.server on the victim, and wget http://10.129.159.28:4444/home/will/.backups/*.* on my box, says connection refused
Http.server launches the webserver by default on port 8000
The server is going to be hosting the web server, so make sure to host it from the correct machine. The wget command retrieves from the web server. Also what Marcie said, pay attention to the port.
Also you're making the same mistake as previous; you're trying to call the full filepath
pretty much everything you could get wrong is wrong here lol
If you're launching from /home/will then you only need to tell wget to look at .backups/*
he said he's running the python server on the victim machine
Well yes but not saying from which directory
So I'm making the broad assumption that they just don't know how http.server/web servers in general work
Yeah, running python3 -m http.server on victim.
But what directory are you running it in
That will change what your wget command will look like
/home/will/.backups
I've tried wget http://10.129.159.28:8000/.backups/* from my attackbox
Says "404 file not found"
Then you only need to tell wget to grab the files, you don't need to specify .backups
So just /*
The webroot is placed at /home/will/.backups
Meaning that all you have to do is specify the files you want to download, at this point
I heavily heavily recommend the file transfers module at this point
I tried wget http://10.129.159.28:8000/* - same 404 error
What if there's more than 1
Then run wget multiple times to get all the files
So get them 1 by 1 or zip em up
Also, being blunt and honest here, you need to learn the basics of file transfers since you seem to have misunderstood a lot of the core stuff
Hey anyone here stuck on the intruder Burp Suite module?
I added all the necessary stuff to fuzz for .html from the module and set my target to 94.237.123.89:39384. And instead of waiting with the wordlist I just added admin to the payload. I just keep getting 404
@fathom pendant I was able to get the passwd.bak file, but not the shadow.bak file. It just won't come over the same way. It has different permissions, but I don't have the rights to chmod it.
¯_(ツ)_/¯
@fathom pendant any ideas? Sorry I know ur working with @terse sedge. I've just been stuck on this for 2 days lol
Anyone ?
hey guys, I have a problem...
Oh my god guys all i had to do was add $.html$ in the GET line. What the hell
Some bull.. 2 fucking days man
And here I thought Active Directory was my last week long struggle.
Also using the wordlist is best. "admin" was not the word anyways. Smh.😬 no shortcuts
This Pwnbox clipboard change is painful!
The old one allowed to click wherever inside the window and it would just close. Now I have to be going for the X every time

switch myprocess to the actual name
For "Attacking Domain Trusts - Child -> Parent Trusts - from Linux" - is it fair to say that the module questions MUST be done on the pwnbox provided and not locally from a vm?
the secretsdump and raiseChild steps I cannot get working unless I use the pwnbox machine
not sure if I should keep spending time on this to figure out why, or if it's intended
Ok tnx. But why on the screenshots in the section is [myprocess]
in the .ps1 there is a line “public class MyProcess” and I think it's supposed to stay like that in command line?
Hello friends, I could use a nudge on getting source code disclosure on the File Upload Attacks skills assessment. I've done a lot of fuzzing with ffuf and found some directories, but they're locked down. Do I need to use a php filter?
Haha, I'll take that as an answer, thankyou~~
I had both of them working when I did it a while back
yeah, was afraid someone would say this. I have no clue why mine isn't working
i even copied the version of impacket tooling that is on the htb machine
one issue is the course material is referring to internal ip ranges
and all I know is external (172.16 vs 10.129)
am I ok to scan /24 on 10.129.x.x to try and figure out what the IP is for logistics.inlanefreight.local ?
So, for pivoting, tunneling, and port forwarding. It’s cool to use ligolo?
Has anyone worked around the "Dedicated administrator connections are not supported via SSMS as it establishes multiple connections by design" error on question 2 of the SQL lateral movement section of the MSSQL, Exchange, and SCCM Attacks module?
Never mind, was an easy fix. Just had to configure that option before connecting
would you say im ok to nmap scan the entire /24 of the labs 10.120.xxx.xxx? I need to find the ip of the DC as I dont know it - all the materials refer to them with their internal 172 addresses
no
10.129 is just the entry point ip; all ips related to the internals of the lab are gonna be hopped through that first target
the additional machines on the 172.16 network aren't on the 10.129 network
i see, so i likely need to ssh into the pwnbox machine then i guess?
also the internal machine that you're referring to isn't the pwnbox
pwnbox is a term specifically for the in-browser vm; the internal machine that you're referring to is just an internal attack box
If you check the hosts file, it's all there
i have no idea, I'm not there yet sorry. I was reading the prompt answer
Remember DNS can be TCP and UDP. 🙂
they're on the hard lab; that's not the hint needed :)
Hi guys
I faced a problem in the web scanner topic in the using web proxies module exactly in the challenge
The "High" bug is not being found by the zap scanner
After some research i found how to exploit the bug and pasted the payload but nothing happened
Could this be a bug?
I ran the scan multiple times too
hi everyone. I'm stuck at AD Enum & Attacks module DCSync section. i can't ssh into the linux host it says wrong password. can someone help me?
Doubt it’s necessary to say but the hint directed me to the spot and it’s almost 1:1 to the book although I needed to change the syntax to do the same thing but I figured it out thx
It can take a while to find unless you start from the right spot
There's multiple vulns it finds before the actual right vuln
To give you a hint, injection
I did both and ran the test multiple times but nothing showed up
It's a high rated vuln but the problem is that it's not there, the bug is not there
Can i say the bug name?
No as the module is above tier 0 iirc
Yep i know
I ran the test in the right spot too but as i said nothing was discovered
¯_(ツ)_/¯
I'm giving up 😂
I know the bug and the payload and the right spot but it's just not there
I'm assuming you reset the target