#modules
I have not
Yeah, not a good experience
Gave up cos pwnbox was wonky with my bt keyboard and using touch
anyone finished with Active Directory Enumeration & Attacks/Kerberoasting - from Linux? in the example you are supposed to use the account forend with the user's password to authenticate but there is no mention of the password anywhere?
The password should've been found from previous sections, a lesson to save all credentials
sure, that makes no difference now
Hello people
if anyone runs into same problem check credential enumeration section there to find creds
Done
Hi I'm stuck on Web Proxies module -> more specifically the Skills Assessment - Using Web Proxies.
The second question asks: The /admin.php page uses a cookie that has been encoded multiple times. Try to decode the cookie until you get a value with 31-characters. Submit the value as the answer
hint: For the first value try multiple encoders until you get a clear text value.
I'm not understanding the hint properly. When I get the admin cookie why would I try multiple encoders? Shouldn't I just try to decode it? I've already tried multiple decoding styles like trying to decode the cookie into URL decode then using the output and decoding that with Base64 but at some point of doing that over and over, none of the decoders work.
I'm also using Zaproxys built in decoder for this task
You have to use a very specific order and it has to be done a certain amount of times
Im kind of too lazy to figure it out and I did spend a good amount of time on it lol
Do you happen to know the order by chance
If anyone has time to teach me how to hack, send me a direct message!
hey guys! i just started doing hackthebox and i was wondering how beneficial do you guys find it for someone who wants to work in the cybersecurity field. Is this something i can put as experience on my resume and stuff?
You only need to use 2 decoders to get it...
Base64 and URL, im assuming
URL encoding means there's % symbols... are there % symbols? 
hey, did you solve it?
i am asked to retrieve flag.txt
however, the value of flag.txt is different when viewed on the server than when viewed locally
why is that?
I can't share screenshots here either, it seems
@wanton wraith this might help you out:
Hexadecimal contains: 0-9,A-F
Base64 Contains: A-Z,a-z,0-9,+.=
Urlencoded: %00-%7E
No
Yeah I just went back and checked what I was doing. I got the cookie then used the Full URL decoder -> Base64 decoder ->stuck
I appreciate it. I'm not that beginner loll but Im just confused about the proper way to decode a hash thats used multiple algorithms to hash it
Why are you URL decoding it when it doesn't have any % symbols?

can anyone help me in this As this user, search through the additional shares they have access to and identify the password of a domain administrator. What is it?
bc it gives me an output different to what I inputed so I'm assuming it decoded it to a different algorithm
but it gives the same output
you using the cookie cookie and not the PHPSESSID cookie?
Is the jump box in the MSSQL, Exchange, and SCCM Attacks skills assessment supposed to straight-up crash every single time Invoke-PasswordSprayOWA is attempted?
yes
Am i able to send a screenshot
DM me
-# Unsolicited DM's Will be ignored
Literally every single move causes the target to either crash or hang. Why?
anyone
can you dm me?
sure
Is this supposed to be happening every 5 requests? Anyone? @waxen totem ?
ERROR: 20:44:10 brute.go:193: An error occured in connection - Get "https://10.129.231.78/autodiscover/autodiscover.xml": Get "https://10.129.231.78/autodiscover/autodiscover.xml": net/http: request canceled
Yes.
I'm still stuck on "What's the password for the account you were able to compromise?" because of how painfully slow the machine has been all day.
Also, none of the following password spray attempts work for the first question:
Logistics<year>Freightlogistics<year>L0gistics<year>Welcome1
What else could there possibly be?
Can u give me a hint on it?
xfreerdp /v:10.129.182.186 /u:Administrator /p:AnotherC0mpl3xP4$$ /dynamic-resolution
[23:46:24:506] [14361:14362] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[23:46:24:506] [14361:14362] [WARN][com.freerdp.crypto] - CN = MS01.inlanefreight.htb
[23:46:25:707] [14361:14362] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[23:46:25:707] [14361:14362] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[23:46:25:707] [14361:14362] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[23:46:25:707] [14361:14362] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
why do i get this error
My guess would be because you didn't wrap the password in quotes or didn't wait long enough for the box to spawn.
oh ye might be
dm
On web requests-POST. I'm not seeing any POST when doing the JSON part. All I get is GET.
Looks like it's working to me, just didn't find any creds.
That's the problem. The first question of the MSSQL/Exchange/SCCM assessment is supposed to be a password spray, correct?
I don't know I haven't done that module
Are sections still being added within already existing Modules?
Pretty sure there are 2 new sections in Password Attacks, or I might just be going crazy
Sometimes modules get updated and the content changes quite a bit or new sections appear yes. Password Attacks was just updated a day or two ago.
my overall % went down for Penetration Tester path, pain
yay more content though? lol
Module: Password Attacks
Section: Pass the Certificate
Link: https://academy.hackthebox.com/module/147/section/1335
Question: What are the contents of flag.txt on Administrator's desktop?
Anyone able to solve it?
Also send the link of that module
Added
Hey, on the bright side, you get grandfathered in if you got the cert before the change.
Since you are 3 sections ahead, have you done the Credential Hunting in Network Traffic section?
yeah
is ||1234 5678 9012 3456|| not the correct answer for question 1?
getting really confused
wait nvm
im dumb
No
Look it's in get request. So definitely some predefined data bloated with.
Was looking at the placeholder lmaooooo
yeah rabbit hole haha
True but I was so close to being done with Password Attacks haha
Will the previous modules stay completed if new content is added?
@foggy monolith that an invitation to DM?
Nope.
Hello
https://academy.hackthebox.com/module/110/section/1055
Web Proxies - Skills assessment test 3
I got the ||cookie, fuzzed it, encoded and then sent it through intruder. But the response length is same for all.|| How do I know which value gives the flag?
I cross checked the values and everything I have done seems to be working perfectly.
||The response length shouldn't be the same, something is off. ||
They are all 2240 or 2239
I hope this is not the request length
did you check the content?
Like content of all the responses? For all the 2XX responses I did.
I think there's nothing wrong here. All the responses looked the same to me. Maybe I'm making a mistake
yeah you are fuzzing incorrectly.
oh
What's wrong then? I decoded a couple of requests and they matched with the format
Hi all, I am on the HTTP/TLS attacks module and I am a little confused about what a question is asking in section TLS 1.3. Not sure if I am being dumb but it doesn't quite make sense to me.
you need to understand what value is supposed to be fuzzed, it is the actual cookie of the decoded value from the cookie
right now you are fuzzing the encoded cookie.
not the value that you decoded from this.
But if I fuzz the decoded cookie how will I be able to encode and send requests?
Because it only encodes the fuzzed part
you got it, you are to figure that out.
I think I may have got it now. I'll retry
great
is there a module related to JWT attacks?
Attacking Authentication Mechanisms has a pretty good section on JWTs
Tysm!!
Okay I finally understood the error. But I still don't know how to encode the entire cookie and not just the part which is being fuzzed.
the way you are doing it in burp is correct, using payload processing.
Oh wait. I found another way.
Does anyone know how the days are calculated within modules / paths? for example the Penetration Tester path being 40 days, is that 40 x 24hr?
Not sure how they estimated it but tbh, it's probably not worth thinking about it too much. It's a really low end estimate given the length of some of the materials
tbf not really basing anything on it but just curious
I believe it adds up the number of days that were set in the description of the module

@low seal Thanks a lot for the help. Got it
I didn't know there was a prefix option in intruder
solved myself
I was being dumb
Though it's related to ADCS
The instruction in theory wasn't much clear
No, contact Instagram support for issues relating to lost accounts or passwords
Need help on the new module.
What is the password mcharles uses for OneDrive?
Section: Attacking Windows Credential Manager
Module: Password Attacks
Issue is, i transferred mimikatz but i cant get myself to administrator access
Hint: msconfig UAC bypass
Link: https://academy.hackthebox.com/module/147/section/1322
Module: Password Attacks
Section: Cracking Protected Files
I can't seem to crack any of the hashes I found I did ||office2john Confidential.xlsx|| but I'm uncertain of the format I did try crack those hashes but had no success
i cant connect to the machines
In password attacks, section: Pass the certificate, when i run printbug.py I get this error DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
Here's the command I used: ||printerbug.py INLANEFREIGHT.LOCAL/wwhite:"package5shores_topher1"@10.129.234.174 10.129.234.172||
Ok maybe this isn't what i'm supposed to do
ok now winrm is killing me
fixed!!! woohoo
Still can't figure it out, anyone who can point me in the right direction?
it worked fine for me
did you pipe the output to a file?
yea
tried multiple with both john and hashcat
john --wordlist=/usr/share/wordlist/rockyou.txt conf.hash
hashcat -m 0 conf.hash /usr/share/wordlist/rockyou.txt
multiple different hash modes with hashcat as well
It says DONE session completed but then when I do --show it says 0 cracked, 1 left
very weird
Please don't share hashes here
did you specify the format?
both when cracking and when showing?
No, didn't know I had to tbh, was just following the instructions
Ok, now i'm completely lost on how to get the certificate from DC01$, if anyone could point me to the right direction it would be appreciated
Nothing shows up on ntlmrelayx when doing the printerbug
what would the command look like though? when trying -format:MD5 or any others I get "Unknown ciphertext format name requested" even though its from john manual
--format=MD5
Did anyone else have trouble with the SHA1 hash for Academy#2025 in the new CPTS Password Cracking module?
I have tried hashing it with sha1 in several different ways, but it keeps rejecting my answer
That is really weird. It worked flawlessly with Cyberchef, but not when i try it on my own VM or in the HTB provided VM
Thanks!
did you use the -n flag?
No i did not 
Ok so you have 2 IPS, One for DC and another CA
You need to utilize both IPs
Check how it works
Can I dm you regarding this?
ok
doesn't work with --format
anyone else have issues with Print Spooler & NTLM Relaying module
no clue, used hashcat 
this is what chatgpt said
hashcat don't work either xd
It says wrong password...
I am at a total loss here. I've been running ffuf scans multiple ways and multiple times to answer this question in the skills assessment. Following the hint provided and copy and pasting results I'm getting incorrect answer. Anyone else having this issue?
put the module name in your msg
Attacking Web Applications with FFUF // Skills Assessment -Web Fuzzing
Use:
reg add HKCU\Software\Classes\ms-settings\shell\open\command /d "cmd.exe" /f
reg add HKCU\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f
C:\Windows\System32\fodhelper.exe
Instead of msconfig UAC bypass
That's all well and good but also: msconfig, launch cmd.exe, ez UAC bypass
hey all, for the new section Credential Hunting in Network Traffic within the Password Attacks module I recommend you to use Network Miner as well. as someone who comes from the DFIR world i can tell you this would help you in network analysis
could i get a nudge on nosql injection skills assessment 2? ive got the username but cant get anything from the token
Hi everyone, I am in File Transfers module, in section Windows File Transfer Method. I am unable to get around installing pyftpdlib, tried multiple methods, using pipx, pip3 etc. but end up getting this error, whereas i have installed it successfully
Has anyone been able to progress beyond this
This is not a dating server... go look for a commitment IRL
I used a venv to install it.
i'm stuck at the last question of the pass the hash section, "Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.". no matter what i did i can't get that damned reverse shell i followed the instruction of the section step by step to no avail. any hint will help and thanks
and after that are you able to run it ?
Yes
You can DM if you are having issues
Cool, i just had a glance of your screenshot, let me try
Yeah sorry, I didn't want to post content above Tier 0 and I think that module is, so hence the DM if you need to.
Medium is Tier 1 ?
I cannot for the life of me get this ntlm relay attack to work
What module/section are you working on?
Password attack > Pass the certificate
apparently everyone is on password attacks rn lol
That's one of the updated sections?
yessir
I haven't done it, but you can DM what you are trying and maybe something will stick out. Might be as simple as running something as root.
alright, will DM you
I just want to ask, what was the point of providing Snaffler and PowerHuntShares in Credential Hunting in Network Shares in Password attacks? Or were they useful to someone else and I am the odd one?
I remember using powerhuntshares I think
but they weren't useful per se, just wanted to learn a new tool
Hi im doing documentation and reporting module -> "how to write up a finding"
And im not sure what is my assignment
Hello, guys
I am in the skills assessment module of the shells and payloads module, why the provided foothold machine doesn't have a browser?
"Firefox" in the terminal
it's 40x8
Thank you
The question asks you what you think about that quoted sentence in a commercial grade report and tells you which answers it expects from you. Its one or the other.
very noob question but just been thru nibbles and curious to know if anyone found other ways to exploit it apart from ways mentioned in the walkthrough?
nibbles is a retired box and you can ask in #boxes; i understand it's part of the getting started module -- but your question goes beyond the scope of the module
my bad - just started using the discord, will ask there
How did you get MSSQL sysadmin? Domain user has no impersonation rights, all databases are owned by sa rendering the trustworthy databases method useless, attempting UNC path injection gives you the hash of a machine account, and attempting to relay the hash from one machine to the other causes an untrusted domain error.
Thanks but i was referring to the second optional question
That's on you. If you want you can access the provided target and practice writing up findings. It's optional.
imo the better writeup opportunity is in the AEN lab; doing it blind and performing a writeup
Good afternoon, guys. I'm on the Practice Lab of the Documentation and Reporting module. I'm enjoying this module a lot, however, I noticed it is painfully slow. I've tried connecting through Pwnbox and my own Kali VM. Is this normal? Is the CPTS exam equally slow?
Thanks can i dm you?
Sure
have anyone done command injection skills assessment? I would like to see how yall did the task, i tried to do it in both ways manually, but the second way(reversing the string) did not work.
Hi, I'm on Windows Priv Esc Skills 1 and I've gained shell access as a low-priv user, my next question wants me to find a file that I've exhausted so many tools looking for. I'm not sure what to do (Should I skip enumerating and just attempt to escalate privileges then re-try after?)
DM
If you are on Q2, yes I would skip it until you've escalated privs.
Yes thank you
That started to really confuse me, knowing low-users won't find much at all
Windows Lateral Movement Server Message Block (SMB) question #2 Use any tool to get a shell on SRV02 using the service Application Layer Gateway Service (ALG) and read the flag located at C:\Flags\serviceflag.txt: I am able to edit and ALG service with a payload but when I start it I get this error. I tested the payload on a dev machine and it work fine via smb guest access. It won't work when I start the service. Did anyone else have this issue?
The payload is there and works but it won't fire when I start the ALG service.
Here is the annoying part I went a step further and just cracked the hash of the user the service was running as to login as that user and get the flag. That's not how it's supposed to work but it worked. #hacking
This should spin up a reverse shell and it doesn't. I even used a payload that bypasses AMSI and defender but that's not the issue.
You can DM what you have tried.
Do you mind if I dm you about Skills Assessment (Windows PrivEsc) please & thanks? Been stuck on low-priv user
Sure, I don't mind
I'm also witnessing some struggles with this question as well. I am creating a wordlist with mark white information and trying different rules and etc.. Nothing seems to stick
already solved
takes time
and patience... a lot XD
lol, i get that. Ill keep going at it but man i just feel like there's something im missing or not understanding that i cant figure out
if you want dm and we take a look what you are doing
ok perfect
I'm stuck on one of the new modules Attacking Windows Credential Manager . I'm not quite sure what the hint means but I've got mimikatz on there what step am I missing
I can't get the Creds with mimikatz or lasagne
Lazagne
is there a way to check if my rev shell is correct? im following step by step yet i made a mistake im sure. i've been stuck for at least 1 hour now.. im working on Nibbles, came as far as uploading my rev shell, i also set up NC to listen, HTB says: go to the URL to start the shell, which i do, but i do not get any response on my listening port. anyone that could have a quick look or might know whats going on?
DM. EDIT: SORTED
When I ran the debugger from code_timing_users webapp I get the following error: **'from Helper import send_email' ** 'Whitebox Attacks - User Enumeration via Response Timing'. Is this normal for this application? Also the zip package does not contain 'instance/users.db'. So I cannot run the app locally.
found it.. the target time on HTB ran out... so no IP to be found..
Has anyone done the HTTPs/TLS attacks module? I don't understand the last question within the TLS 1.3 section so I can't finish the section.
htb-student@nixfund:/var/mail$ cd /var/spool/mail/htb-student
-bash: cd: /var/spool/mail/htb-student: No such file or directory
htb-student@nixfund:/var/mail$
In operating systems
Doing Page 13 Attacking EAP-TLS Authentication of the Attacking WPA/WPA2 Wi-Fi Networks Module, in this section i am being asked to set up a wifi portal to capture credentials. the questions then ask what the password and username was but how the hell am i supposed to know that when I need to type in the credentials?
Hey can you DM how you solved this? Is there a bug in this section? I cant use msconfig because I am not a local admin and also I cant manually back up because I cant press ctrl alt delete while rdp-ed
hey everyone, is there no browser in the shells&payloads live engagement skills foothold machine? Are we supposed to use only the command line?
There should be a browser
Hi, Does anyone know if there is a module in the academy that talks about resource based constrained delegation ?
Probably one of the higher tier ad modules in CAPE
firefox in the terminal
Help with what?
We can't help with what you want @paper marten what you want is illegal, read #rules
Hello
that was great help marcie, appreciate it
https://academy.hackthebox.com/module/147/section/1657
"Connect to the target machine using SSH to the port TCP/2222 and the provided credentials. Read the flag in David's home directory. "
Cant tell if HTB is doing a cute trick here or not but i cant get into the ssh with the creds they provided me.
looks like Password Attacks recently updated and Credential Hunting in Network Traffic has a question
"The packet capture contains cleartext credit card information. What is the number that was transmitted?"
im 99% sure I have what its looking for and tried the format in the pcap, putting in the digits only and adding hyphens however it still is giving me the red shakes. anyone get this one and able to tell me if its a format issue or maybe i did in fact miss it?
never mind have no idea what i did differently this time other than copy the field in wireshark as opposed to just highlighting the text.
the username is 'david@inlanefreight.htb' you need to specify the host
i.e. ssh 'david@inlanefreight.htb'@ip -p 2222
this is typically because on domain joined linux machines; the format is user@domain instead of the windows domain\user
Tyvm i feel silly now
For the first question of the live engagement of shells&payloads, I have found the answer by browsing to the ip-port:8080 and used creds to log into admin page. There at the bottom was the hostname. Is this how we're supposed to find this answer? It felt off
that's one way to get the answer
there's not always a singular method to achieving an answer
Hello fam,
I'm a newbie here in HTB and as I was doing Linux fundamentals. I'm seeing that those exercises at the end of the module are super tough. I wanted to know if there is some way to know the answers to those questions with explanations
is there a way to get to this answer using metasploit? I have been trying it but can't seem to locate the vulnerability for the apache tomcat 10.0.11
hint: war
I believe one of the sections provides a list of commands you may be expected to use
you can utilize google to format queries like
"How do you do X in linux"
Can someone help me on **Active Directory Enumeration & Attacks ** - Privileged Access:
With question 1, I tried to run the query from foothold machine (ACADEMY-EA-MS01) and only got 1 result in return. I also ran sharphound and uploaded the ingest data into BloodHound, but the query provided didn't work. Am I supposed to be running the query from ACADEMY-EA-MS01 or am I missing something?
Have you tried all the queries shown in the entire section?
I ran:
Enumerating the Remote Management Users Group
and the cypher query for WinRM section
You can DM me if you want
Do I need to be running as another user? I'm just running under htb-student
can i dm you? I was able to solve both questions about host 1 but I need a nudge to find the hostname via msfconsole cuz I can't seem to make it work
i want to learn to hack guys
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
HEY I NEED HELP WITH SOMETHING
don't ask for illegal stuff
wym
were you asking that question for charity purposes? what do you mean wym
yo can anyone help me with this
check your dm bro
you don't have to follow the setting up module 100%
env is a useful command
thanks
Hi! im new to hackthebox, and im having trouble with one of the intro modules. (hope this is the right place for this)
the http module has an exercise where i demonstrate curl, and im successfully downloading the file i think? but all thats in it is an error message about it being moved permanently. not sure if i did it wrong, or if its something im supposed to trace further?
This is the correct place. Best to state which module, section, and question you're on
module 35 section 219, according to the url
better to name it no one's gonna find it that way
that's the web requests module, the hypertext transfer protocol section
what command did you use?
curl -O inlanefreight.com/download.php
i also tried with https:// and :80 after .com
the -O option tells it to save the file
ya
so i cat the download.php
and its just an html script that says it was moved permanently
try without -O, also you don't want to target inlanefreight.com, you need to target the IP:Port provided when you spawned the target
ahhhh ok will try. i sadly killed the spawn since im still on the free trial, so ill have to try it tmr. thank you for your help
Recommend doing the Intro to Academy Module so you know where things are at 
ahhhh ok will do. thanks!
Hello guys, Im new to this also. I seem to have a problem when I downloaded the parrot in Virtual box. It says " Command /usr/sbin/bootloader-config failed to finish in 600 seconds
There was no output from the command.
Probably best to go to the ParrotOS discord and ask there
Oh sorry, Its part of the hack the box guide so I decided to ask here. and also I dont know where the discord link of that
https://parrotsec.org/community/ there's a discord link somewhere down the bottom
Parrot Security website
Thank you much
hi guys!! anyone who can check the lab for "HTTP Response Splitting" and can make a sanity check whether the admin visit the link because i have the payload working for me and i know how to write the admin cookie without an external server but get nothing back, i tried double and triple encoding, still didn't work
hello guys i am learning operating fundamentals but i think it will not be enough if u have some video of it can u pls share
can anyone say why i keep getting this error
smbclient //dc01/C$ -k -c ls -no-pass
when i try to access domain share
gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/dc01 failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER
Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio.
ik its dumb, but my english isnt good and i cant understand the "Firewall and IDS/IPS Evasion - Medium Lab" in the network enumeration with nmap, im really stuck and i need a hint, and also i dont want to google the answer
After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer. this one?
yeah
what does dns port runs on
53
and what it uses tcp or udp
both
most common
can i dm u?
sure
Hello, need help on Active Directory Enumeration & Attacks, ACL Abuse Tactics section. I keep on getting user/domain not available in powershell
nvm i solved i am dumb
It's a good module, everyone should try it
sure
On the AD skill assessment 1, on the target IP there used to be port 3389 open and now doesn't matter how many times I spam the box It isn't open, any idea why ??
hi..
I want to ask about module Information Gathering - Web Edition / Web Archives - the question is "How many members did HackTheBox have on the 10th June 2017? Answer with an integer, eg 1234." ..I tried using WayBackMachine, but the answer is not the. anyone can help? maybe for hint. please
There is but you just have to look closely
im using https://www.hackthebox.eu/en .. did i do correctly?
ok . i got it . hehe
im still stuck on the skills assessment 2 for nosql injection if anyone can help, have the username and have found the second injection point but cant find a payload that works
Error detecting the version of libcrypto
I get this while running gettgtpkinit.py in pwnbox any help its from i also installed library oscrypto but still doesnt seem to work.
Its from pass the certificate section.
hi im doing the new credential hunting in network shares for password attacks, can i get some hints for the first question? not sure how i am able to just look for a credential in that huge output, thanks!
dm
└──╼ [★]$ python3 gettgtpkinit.py
Traceback (most recent call last):
File "/home/htb-ac-1518820/PKINITtools/gettgtpkinit.py", line 19, in <module>
from oscrypto.keys import parse_pkcs12, parse_certificate, parse_private
File "/home/htb-ac-1518820/PKINITtools/.venv/lib/python3.11/site-packages/oscrypto/keys.py", line 5, in <module>
from ._asymmetric import parse_certificate, parse_private, parse_public
File "/home/htb-ac-1518820/PKINITtools/.venv/lib/python3.11/site-packages/oscrypto/_asymmetric.py", line 27, in <module>
from .kdf import pbkdf1, pbkdf2, pkcs12_kdf
File "/home/htb-ac-1518820/PKINITtools/.venv/lib/python3.11/site-packages/oscrypto/kdf.py", line 9, in <module>
from .util import rand_bytes
File "/home/htb-ac-1518820/PKINITtools/.venv/lib/python3.11/site-packages/oscrypto/util.py", line 14, in <module>
from ._openssl.util import rand_bytes
File "/home/htb-ac-1518820/PKINITtools/.venv/lib/python3.11/site-packages/oscrypto/_openssl/util.py", line 6, in <module>
from ._libcrypto import libcrypto, libcrypto_version_info, handle_openssl_error
File "/home/htb-ac-1518820/PKINITtools/.venv/lib/python3.11/site-packages/oscrypto/_openssl/_libcrypto.py", line 9, in <module>
from ._libcrypto_cffi import (
File "/home/htb-ac-1518820/PKINITtools/.venv/lib/python3.11/site-packages/oscrypto/_openssl/_libcrypto_cffi.py", line 44, in <module>
raise LibraryNotFoundError('Error detecting the version of libcrypto')
oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto
(.venv) ┌─[eu-academy-1]─[10.10.14.71]─[htb-ac-1518820@htb-ks9ets2vuh]─[~/PKINITtools]
Hey can anyone help me in this
Just found out that runas isn't really opening cmd as the target user, but i don't know why
runas will only use the creds for remote auth like a share listing
for local stuff you are limited by your user right
well thats confusing because in the dssync module they do that
you can dcsync since it is remote auth
Hello, working on this module https://academy.hackthebox.com/module/22/section/157
one of the questions asks for users with unconstrained delegation enabled and is a protected account, I used this ldap filter: ||'(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=524288)(adminCount=1))'|| with windapsearch, also tried >=0 but it returns no output, excluding the adminCount for protected users returns 3 accounts. any reason why? or is this intended for the environment?
now the password did work with runas, guess i didn't paste it in properly
Hi, windapsearch has some built in options you can use instead of ldap queries.
Heyy thank you! I tried this earlier just wanted to play with filters, so the issue is this doesnt find the answer, the source code of the tool basically doesnt treat protected users as privileged users because it adds a couple groups to an array and only finds users within
I pretty much just looked into the DN of protected users and crafted an ldap query to find users there who also have unconstrained deleg rather than guessing which of the 3 is
Hey if you still not able to solve you can dm me
Yea You can dm me if you are still not able to solve
Has anyone completed the new Skill Assessment in the Password Attack module? Can't jump from DMZ to internal network...
Try some basic enumeration on DMZ01
I found the login and password, but the hosts from the lab description do not respond....
You can DM if you'd like. You're going to need to setup a pivot to hit them from your VM.
Am I supposed to get the admin password from one of the shared files?
stuck here for an hour xD
You can DM what you have tried, trying, where you are, etc.
Linux PrivESC skill assessment
getting this when trying to connect to target : Connection reset by 10.x.x.x port 22
Can someone help me with Whitebox Race condition. I dont get 10 redeem codes with the second function that should be vulnerable.
You can use the search feature to search for others that had the same or similar issue and try some of those recommendations.
You have to use an SSH dynamic port forwarding technique to reach the internal network. Or at least that is what led me to it.
.
Any advice on OPTIONS verb tampering?
Both curl -i -X OPTIONS or burpsuite tampering don't seem to return an allow header. Working on AEN currently, but recall having the same issue in the tampering module.
sometimes OPTIONS just isn't configured/allowed
For sure, the writeup says the dev sub should be responding to it. And I do get just the full page returned otherwise, not an error about using options.
try without -i?
¯\_(ツ)_/¯
i don't really recall too many issues with AEN tbh; but i also didn't really follow a walkthrough/guide
i just went through it blind - not answering the questions nor reading the content
just get the html body alone without.
For sure, and I was going at it blind, but just ran against a wall. Finally looked to see it recommended there. And the verb tampering is supposed to lead to other disclosure. Idk, I remember having the same issue during the verb tampering module originally.
Ah, well. Keep playing with it. Appreciate it.
For sure, and I had done a few of the others to no real effect. It's been driving me bonkers haha, why I ended up looking at the write up which says it should respond to options to get further.
I'm having one of these days again where RDP is just infuriating. I'm working on the final exercise in "Shells&Payloads" where you connect to the target through a jump host. so PwnBox 'xfreerdp' --> jumphost (Parrot) --> target
My problem is that I just cannot find a good way to have that window that opens up for RDP in a usable size / resolution
I've tried dynamic-resolution, -gfx, anything to make the task bar of the jump host fit on my screen. Just can't get it to work
Usually, when it's a windows host, I make do with the windows key somehow, but here I'm not able to switch between windows on the jump host. Like, I minimized Firefox while setting up the payload and the netcat listener, but now I just can't get them back
unfortunately the jump host doesn't have a dynamic resolution it's a static resolution
alright, I'll try to find some other way to switch between windows there then. Or just gotta be reeeeally careful not to minimize anything that I might need again
hello guys, i finished a module and want to share it to LinkedIn but when clicking share it pops up a window of my LinkedIn but with nothing, just the home
home mean feed
Hi All, can you help me with Obtain the flag by getting the CEO banned from their own website- i dont see the flag
Hello, can someone help me with File Upload Attacks - File Type filter? I found the extensions that seem to work, but the php shell doesn't work.
Dm
Hey so, i was doing the enumerate all ports and service with a flag, and i found the flag yet i dont know what to copy
theres the long algorithm of letters and numbers but theres also htb and ||220||
Copy the HTB{}
yeah im on nmap
how do I get access to general. I don't have the HTB - Noob role
verify your htb account
ah okay thanks
Correct
Hello! I'm quite new to all of this and I'm trying the Getting Started Module, but I'm completely stuck on the Nibbles - Privilege Escalation. Anyone kind enough to give a hand that I can pester via DM?
Anyone have any advice for 2nd question of credential hunting in network shares?
Windows Lateral Movement Winrm - Connect to DC01 as Leonvqz and read the flag located at C:\Users\Leonvqz\Desktop\flag.txt I cannot get to DC01 using winrm anyone available to assist?
You can DM
I put the htb flag for Nmap Enumeration section Nmap Scripting Engine and well it told me im wrong
Hello! I have problem with "Password Attacks / Introduction to John The Ripper", Question is: "Use wordlist-mode with rockyou.txt to crack the RIPEMD-128 password."
Which hash needs to be hacked? Is it the same one from r0lf or another one?
2 minutes of life left.. its so over
Anyone elses netexec smb for credential harvesting just stop working and error out? ive added timeouts but doesnt seem to fix it
Hello,
could someone help me out
its not accepting anyyy answerr?
are you ssh on the system
did you use find
if it's not accepting "any" answer, have you considered your answer is incorrect
it also helps to provide the module and section name
yess i did soo i tried everything from 1 to 100 soo um yaa
you shouldn't be guessing
try refreshing the page and inputting the answer if you believe you did it properly
i wasnt i tried using all commands i knew i was getting the ans to be 12
it's definitely not 12
Has anyone completed the updated Password Attacks Skill assessment?
read the question carefully; it's asking for the number for the entire system
not just within /etc/ as per the example
yuppp i did
are you sure you're ssh and your terminal states htb-student@nixfund$ ?
because i just loaded up the lab and got the expected answer, and it's definitely not 12
they're talking to me not you regarding my questions of what they're doing
also don't spoil things
i am suree
ill try disconnecting and reconnecting again
Oops my b
consider usernames/users/lab info as spoilers
if you need to specify help using a user, best practice is to do the Initial * method, I.E. B* R* (Bob Ross)
I see, thanks!
yes it workedd noww before ig it wasnt loading all of the .bin files or somin
Has anyone finished || Password attacks skill assessment (updated version)||. I'm currently on ||the dmz account for B* J*||
Just looking for a little advice since I'm stuck and can't find much online ||(since the module just got updated).||
I would perform credential hunting on that host.
Got ya! I'll take another shot. Thanks
Anyone?
Anyone online who has completed Windows Privilege Escalation? I'm stuck on Citrix breakout. I am to the point where I am supposed to run PowerUp.ps1 but I get an error that it can't be loaded because execution of scripts has been disabled.
rep
If that isn't working, maybe copy the sharable link and use it in a post on LinkedIn if that's what you are trying to do.
Perhaps there is a way to bypass that policy?
Are you referring to the BypassUAC.ps1? Cant run that either.
No. Highly likely you can Google your error and get some ideas on what you can try.
anyone have any issues running printerbug.py? and getting error lines with ntlmrelayx?
You can DM your errors
reposting cause posted in wrong chan
Hey! so I just noticed something.
I have been having a heck of a time trying to get reverse connections to work with HTB. I use a kali VM on my home computer and connect through Openvpn to htb. Whenever I have done modules that require a reverse connection (HTB target connecting to my machine) even though I use the IP address given to me by OpenVPN, it will not for the life of me work.
I cant even ping my own machine from the HTB target using the IP address given.
I just started the server side attacks module and am doing the SSTI lab. What i noticed was after putting in the payload into the simple test server, it gives my response, but i also noticed its showing me "Your IP" then an address.
I noticed that IP address is completely different than the one given to me by OpenVPN
Is your address not actually the one that OpenVPN lists under tun0? and if not, how do i find the correct one to use.
it works fine through the pwnbox but never works on my machine
it almost looks like the one on OpenVPN is the network address cause it has never changed whenever i connect
Revshells are going to connect to your HTB VPN IP, tun0. You can also just use 0.0.0.0 to listen on all interfaces, but the revshell will need to connect to your VPN IP.
hmmm
cause yeah I've tried that over and over and i can't get it to ping my tun0 address
its so weird
im thinking it might be vmware but im still trying to figure that out
threw me though when i saw a diff IP
if you can reach the target it should be able to reach you.. don't see why not since it has to send packets back to your machine if you're successfully communicating with it.
yeah i really dont get it
could you be creating the revshell incorrectly maybe? or not doing a step right?
iv got my own home lab and tested it on my local network and it worked fine. Same with when i tried the pwnbox
it seems whenever i VPN in i cant get it to function
Do you by chance run a host VPN like NordVPN or similar when doing labs on your VM?
Try it using NAT instead of bridged. That's how I am configured with VMware and don't have any issues.
ooo i havent tried that
Yeah that's likely your issue
Anyone else having issues accessing ||file01|| from ||dmz01|| ||(password attacks skill assessment||. I already have the creds for || H* W*|| but can't access any other internal machines
You're going to have to setup a pivot.
Should it be ||jump01||? I can't seem to access that machine either from ||dmz01||
You can DM if you'd like.
can anyone ping at the machine of Windows Privilege Escalation Skills Assessment - Part I? it seems unreachable
i need some help understanding the footprinting lab-hard.
with the services that are showing how would you know to try different ports, even looking at the top 100 for the open UDP ports? also, going off what information that's given back i dont see anything that would suggest community strings to use for enumeration? what am i missing? what am i doing wrong?
anyone around to help Ben and I?
Are you having impacket issues? Nevermind, just read up.
I'll try again tomorrow, I know it's late for some
If you cant find anything, cant hurt to scan UDP. I make it a point that if I dont find what I expect I scan UDP. For instance if I see a TTL of 127 which would indicate a windows target but find ssh... something is a bit iffy.
In the SNMP section of that module community strings is what is mentioned as the enumeration for SNMP. You can even UDP scan only port 161 (SNMP), an easy way to remember this is the One-sixty one tool whose name is based off the port. This and 53(DNS) are the two most common UDP ports so it makes sense to only scan these two ports if you're short on time
Greatly appreciated. Its not a short on time thing, it's more the experience and knowledge of knowing where to look...and if im being honest what to look for sometimes
Enumeration is king, try to find as many avenues as possible before going down a route. That being said it can slow you down which is why for competitive situations like HTB seasons a lot of people forgo slow scans such as UDP. They can do this because of experience and knowledge. However in a real engagement you would try to find as many vulnerabilities as you can provided that you meet the client's evasion requirements and don't perform any enumeration that may break their systems (unlikely, you're more likely to break something while exploiting)
dm me if u can
@old lake No. Not what this discord is about.
Hi I've just started learning linux shell and I was wondering how I would connect with ssh to "htb-student" with the password like it says?
I tried ssh htb-student@127.0.0.1 which is the ipv4 address shown in the command ip addr but it says Connection refused.
Any help is appreciated
I'm a bit of an idiot I just started learning this stuff haha
127.0.0.1 is the localhost, it's the computer you're running the command from. You'll need to use the IP of the target you spawned.
Ah okay. I wrote ssh htb-student@10.129.137.177 which was the ip address of the target I spawned but it just made a newline and did nothing else. Am I supposed to write the password or something?
Oh wait by the way I'm using the parrot OS htb virtual machine maybe that's why
Am I like required to use the pwnbox for this?
are you connected to the VPN?
No I'm not how do I connect to it on my VM? I have the file but I don't know what to do with it
You use the command openvpn. openvpn <file you downloaded> then background it with & at the end and you can close the terminal, or just leave the terminal up.
How would I navigate to the file in the linux terminal for the <file you downloaded>? because I don't see it anything in downloads in the linux file explorer
Would it be somewhere else?
wherever you downloaded it to
browsers usually have an 'open file location' feature
in kali it's usually ~/Downloads
I'm using parrot os
There's nothing in the vm file explorer that's in my actual computer's file explorer
I don't use Parrot so I have no idea the folder structure
ah
Yeah I do
The file explorer looks pretty much the same as my normal windows one but without any of my files
look in your browser's settings for the download location maybe
No like I know where I downloaded it to on my computer I can see it in my file explorer
It's just that my virtual machine doesn't have any of the files that are on my normal computer
Is it supposed to?
You need to download it within the VM or transfer it to the VM.
OHH it worked I'm stupid
well now there's another problem I believe
oh nvm I think I fixed it I just had to write the command as root
Might wanna look into this module: https://academy.hackthebox.com/course/preview/getting-started
Ah thank you I will look into it
It is not letting me type anything did I do something wrong?
it's a protection mechanism built into linux
Your password isn't visible when you type
it is taking your input, it's just not displaying
Just believe and type
Ohhhhhh I see that's pretty cool lol thanks
ctrl+shift+v
linux skill assessment keeps Connection reset is this a target sided problem?
You can always try changing servers or regions and seeing if it's more stable
I am once again asking for your help on nosql skill assessment ii, I have found the second injection point (I believe) however I cannot find a working payload
I was on nmap enumeration NSE section and i got the flag yet it marked it as wrong it was HTB{and then a long hash}
probably a flag for something else or you have an extra space or something
@woven valley This is not the channel for advertising. Please read the rules
please anyone
Does anyone have video about " how to access dark or tor browser" ?
oh come on
That module reuses the same target for a few sections so you might find a few flags from following sections
Hey folks, stuck on this HTTPs/TLS Attack module: https://enterprise.hackthebox.com/academy-lab/46638/11460/modules/184/1947
Trying to supply the encrypted_premaster_secret for the bleichenbacher attack from wireshark, however whenever I do, regardless of the format, I get a response that Certutils could not extract the public key. Am I doing something wrong or is the tool just kind of broken in my environment?
in the skills assessment for the windows fundamentals module. my machines life ended and i had to open a new one
and now all SIDs I get are wrong
even though i am sure it is the right answer
what do i do?
module/112/section/2117
The machine is not stable. Sometimes, it responds. Sometimes, it does not. I have reverted it multiple times.
im having the same issue on module/77/section/726
keeps saying host is down, i've tried resetting it multiple times as well
yeah. it has been happening for a few hours already. i have restarted my machine, reconnected the vpn. and tried everything. sometimes, the machine responds to Ping and sometimes it does not
i think ill just wait for a while and try again later
Please don't just mention the module and section number. Nobody here is a phone book that remembers them
Say their names
Hello. In the module "crackmapexec", I was trying to execute command from my exegol with netexec but didnt get any output. I put the output of the --debug option
it worked on the htb instance but not on my machine, despite resetting the vpn. and the --get-file didn't work on either of them
Can anyone help me with account recovery I actually lost my friends valuable accounts (i can give my main account if you want and my chess.com account) I lost his account by clicking to a link. Please help me he is not talking to me. I tried talking to other hackers but they need money and they didn't help me (this may look fake but it's the truth please help me)
Figured this one out. You need JDK 11 for TLS Breaker exploits. Pretty awful module if even pwnbox can't use the tools without significant downgrading.
also on my machine the creds are stamped as (admin) instead of (Pwned)
"Hey, I want to disable auto payment from my account and also remove my credit card details. How can I do that?"

You would need to contact the websites support to discuss with them the options. I don't believe you can do that on discord (and especially not this channel) but someone can correct me otherwise.
Please reach out to support
Where can I ask for help about a module from the academy?
I'm currently working on the "Using a Web Proxy" module from Hack The Box, specifically the section involving Burp Suite Intruder. The objective is to discover a .html file under the /admin directory, but despite trying multiple payloads and common wordlists, I haven't been able to identify the correct file or get any valid responses.
I've used Burp Intruder with different file name variations like flag.html, index.html, admin.html, etc., and tested multiple positions and methods (GET requests, URL encoding, changing headers), but every attempt returns a 404 or no useful response.
Is there a specific technique, payload format, or Intruder configuration that I might be missing here? Any hints would be appreciated - I've been stuck on this for a while.
intruder is very slow if you are on CE, i would recommend using a tool such as ffuf for this question
from there you can walk backwards and find why it failed with Intruder
I would use big.txt from seclists/discovery/web-content/ to ensure the wordlist contains the right word
@quaint cliff thank you very much for your help!!!
I've found the flag.txt but it shows its incorrect
Check that you don't have a space before or after
tried everything nothing is working
reset the instance, bc either you have a space left or it's a bug
Wait no you need to download it first i think
isnt !cat to read local file flag.txt
i think you're reading a flag.txt on your machine, not the one in the share
yeah i had another flag.txt file in my machine now i get it and it worked now, thanks for you help
so ! in smb is to execute local commands, now you know
i'm doing html injection and it tells me to add <a href="http://www.hackthebox.com">Click Me</a> but when i check the page source theres no way for me to input
Hi,
Module: Documentation & Reporting
Section: Documentation & Reporting Practice Lab
Section Link: https://academy.hackthebox.com/module/162/section/1572
Question: After achieving Domain Admin, submit the NTLM hash of the KRBTGT account.
I have dumped the ntds.dit file and extracted the hash from it. But when I submit it, it says Incorrect Answer. Why?
how do i know what line to inject the html code when looking at the page source ?
put it anywhere in the body? Should work
which one did you put?
thank you c:
you should only put the NT hash. If it doesnt change between instance, it should start with 16 and end with bc
it is the last part of the hash, without the :: , and check there is no space left
Need to check again. I got different hash
You get this one?
yes
I'm still having issues with the mounting bitlocker-encrypted drive Linux part of the cracking protected archives section
Any tips ?
Am I supposed to put the bitlocker mount file in a different directory than the one used in the module
from a redditor, that helped me on another module with bitlocker encrypted drive
Can you send me the link to the Reddit I wanna know what the commands are for
Thanks
hello im on the new section on password attacks, attacking windows credentials manager
im supposed to use mimikatz but i cant get administrator
Why
There's also a search feature, plenty of people have linked articles on it as well
Try a different tool
Otherwise you'll need to look into uac bypasses
i backup'ed mcharles cred but i cant extract it
wait i didnt try that
I used lazagne
hello i did the mod that asked me to do What text would be displayed on the page if we use the following payload as our input: <a href="http://www.hackthebox.com">Click Me</a> and i have the words but i have tried Capitals for the first letters and lower case but it says i am wrong :<
There's an exe
i cant find it
Under the releases tab dude
does the lab need an older release than the latest?
Hello, I'm doing File Upload Attacks, Type Filters, I found the extension and the content-filter and can upload it but it doesn't work
i used the latest release
Looks like you got the wrong architecture
lemme check
did you do the runas ... mcharles command?
do i need to run it from there ?
hmm makes sense
thats what taking a long time break gets me into
i forgot many things
the section explicitly gives you that command for a reason
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Thnx
find UAC bypass practice and it will help
turns out browser blocked the download for lazagne and it was 0 bytes size
guys i'm stuck on passwords attacks module pass the certificate section, can y'all give me any hint to get the admin flag, please help
hello i am on the Attacking WPA/WPA2 wifi networks skills assessments and i am stuck on the "Connect to the StarLight Wi-Fi network and submit the flag.." (question 2). I am sure this should be a EAP/TLS Auth attack but i got an error " SSL: SSL3 alert: read (remote end reported an error):fatal:unknown CA ". It means that the client validates the CA Authority before connection. I tried all the other attacks (bruteforce, relay, downgrade, evil-twin...) i always got this same error message. Could you tell me what i am doing wrong please?
I keep entering Your Cyber Performance Center and it tells me i'm wrong i dont know what to do
What module and section are you doing?
75 / 75
Do I need to transfer over mimikatz to get mcharles password?
It gives me a 200 Ok but doesn't work, can someone help me please?
Sorry, names please, my access is different to yours
you don't need mimikatz; lazagne is just as good
introduction to web applications html injection
if you use mimikatz you'll need to look into UAC bypass
yea but normally the tools are provided at C:\tools\
guessing I have to transfer them myself in this case
yeah this is definitely incorrect
That is not the answer
yeah, you'll need to transfer, don't assume anything is on the target
well damnit :<
Re-read the question a bit, I think you may just be misunderstanding what is being asked
you don't need to click on the injected link
the question is simply "what would be the text on the page if our payload is.."
it's a lot simpler than you may be thinking
do i need to be connected to a vpn to solve the modules?
Some of them, yeah
if you use a vm, for most of them, yes
you can use the built-in pwnbox and not use the vpn
There are a pretty large number of web application ones that don't require a VPN or Pwnbox though which is interesting
i must be stupid because its deff not the Word that starts with C and the other word starts with M
your name
it's the full phrase
Just to be clear, not A vpn but the HTB vpn, you need to download a file from the dashboard then use on linux: sudo openvpn <filedownloaded>
This will create a virtual interface with an IP that allows you to communicate with htb academy machines and labs
This is definitely a question that makes people feel stupid btw
Im trying one of microsoft
I put the right line but it didn't work
do you have any ideas of what I could do
now iβm lost
The test linux right?
The parrot
im doing that but it isnt working
probably best to say which module/section/question you're on, what you've tried, error messages, etc.
you've provided no information
yeah
wait a minute
I m trying to do RDP in the module windows fundamentals
I need help with setting up pre-configured Windows VM,
on tutorial this for Virtual Box, but i on VMware, and i got this error
well .ova is specifically oracle virtual appliance, not sure if it would still work on vmware which typically uses vmdk files
they are different hypervisors, and as such use different virtual appliance specs
you can retry, as stated in the warning, and see if it still works
to connect to the vpn you have 2 choices: the pwnbox offered by htb
or your own virtual machine in virtualbox
you should probably try the "getting started" module that explains all of it
i did that
i used the pwnbox
so you are connected to the vpn, it is set by htb when you create the pwnbox
now you can use xfreerdp to connect to the target
i did that
do i have to download the vpn conection file?
Its not, i think the best way is to set up all in vmware from zero
or the pwnbox does it automatically?
pwnbox connects to the vpn automatically
ok thanks
i think i did everything alright but it didn't work
i used the xfreerdp
but it didn't work

Hello guys
How do i calculate CVSS in sysreptor
For example in the documentation and reporting module they rate LLMNR and all other attacks as 9.5
When i ask chatgpt it says 8.1
When searching google it says 3.8
Use a CVSS calculator
Cvss can also be a little debatable when applying it to certain issues. Sometimes it requires further context before you can accurately map it, which obviously, Google or chatgpt may not have
Is it a problem if i get the CVSS score a little bit off?
did you try googling it
If you clear the file at $HISTFILE that should remove your history, though you may need to restart your shell if you don't want back search or autocomplete to show previous results for that session.
on https://academy.hackthebox.com/module/160/section/1475 i didnt find a sqli, i found a cmd injection, is it correct or am i going the wrong way
Hey all, trying to wrap my head conceptually around the ExtraSIDs attack in the AD module. Was wondering if someone could sanity check me - LLMs and Google searches are giving me somewhat contradicting feedback which is why I'm escalating to fellow humans
You have access to the KRBTGT account hash for a child domain. You know the SID of the Enterprise Admins group in the parent domain. You forge a new ticket for a user that includes the SID for the Enterprise Admins group using the child's KRBTGT. This is where I get confused. If I present the forged ticket to the parent domain, am I doing an AS_REQ exchange and getting back a TGT that I can use broadly - or am I using constrained delegation (via S4U2Proxy) where I am presenting a KRB_TGS_REQ with my forged ticket and getting back the KRB_TGS_REP for a specific service whose SPN I know? Or am I fundamentally off base?
it says there to find a sqli
is this okay?
can anyone help me
Re-read what the question says.
i am having trouble in the bug bounty path, Introduction to web Applications module in the common WEB vulnerabilities exercise with (To which of the above categories does public vulnerability 'CVE-2014-6271' belongs to) to my understanding it is one of the above listed exploits in the exercise: SQL(i), Malicious file upload, Broken Authentication/Access Control, Command Injection. however every time i enter these as an answer i get 'Error Incorrect answer' does anyone have any clue?
im stuck cuz idk how to do the SOAP request, which parts do you add and which do you not
Guys, help this command doesn't seem to work in user enumeration in Broken Authentication
ffuf -ic -c -u http://94.237.55.43:35563/index.php -X POST -d "username=FUZZ&password=dsads" -w /usr/share/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt -fs 2970
helllo
if i want to take penetration tester learning path, how much does it cost ? ( no cpts exam ) just the content.
Same here, I hope someone can help
Hey can someone help me with some basics ?
maybe u should add Content-Type: application/x-www-form-urlencoded
I have just passed the all request using ffuf -request req and it worked
oh yea, thats nice
thanks bro
chill
Can I get personal assistance here ?
If your question is module related just ask here.
hi?
you can get the cubes for the course ~ 1mo plat and 1mo gold
or if you have an academic email ~ $8/mo which grants access to the t2 and below modules
or if you are truly insane buying the cubes outright which is generally more expensive
so i can just buy the 8$/month
it will give me access to ALL content of pentester role right
yep
I'm doing the Interacting With Users exercise in the Windows Privilege Escalation module, but the version of Responder on my Attack Machine doesn't seem to have the -r flag or the -f flag. Anyone have an idea why that might be?
hello
anyone doing bug bounty
This isn't the channel for that discussion, this is for questions about the Academy modules.
i am having trouble in the bug bounty path, Introduction to web Applications module in the common WEB vulnerabilities exercise with (To which of the above categories does public vulnerability 'CVE-2014-6271' belongs to) to my understanding it is one of the above listed exploits in the exercise: SQL(i), Malicious file upload, Broken Authentication/Access Control, Command Injection. however every time i enter these as an answer i get 'Error Incorrect answer' does anyone have any clue?
Hi, I'm looking for a module to learn about networks and firewalls so that in the future I can launch an antiDDoS system
There's an introduction to network module I believe, but nothing about building an anti-ddos system
I cracked the hash but it seems that the password is incorrect
Hello, how are you? Can someone please help me with the final part of the DACL I module? I only need the last two points to finish. I entered the WS01 machine with LAPS and extracted SAM, SYSTEM. I extracted Jose's hash, but that isn't the one. The exercise says that the machine it accesses is WS01, but I don't know if there is another machine or how to extract Jose's hash. Can someone please help me. Thanks.
Doing WordPress module and on my skills assessment part but uh, for some reason it says the remote site is up but not running wordpress when it is
yh i'm sort of confused.. this problem wasn't occuring during the other sections
good luck with that
nevermind, figured it out. Had to add ip and sub to my hosts
Can someone help in getting started module Im stuck on smb enumeration question
Is there any way to quickly download a section's VPN connection file in a VM? because navigating through the browser to that same module and having to log into my htb account in the browser in my VM is painfully slow every time and it doesn't help that my VM's browser is laggy as heck.
Or if anyone knows an easy way to transfer files to the VM that would help
How does one get to Welcome1 please help I dont get how to get it without bruteforcing?
The VPN connects you to the HTB environment for all those modules/sections. You don't need to re-download the VPN every time.
Ah I see, cool. If I take a snapshot of the VM, then next time I power it on and use that snapshot will the VPN file stay?
Just wondering if that's how that works
I doubt it
has anyone had an issue when all other boxes work fine connection wise but i can't connect to the windows skill assessment 1 box?
read the section closely
Can someone check https://academy.hackthebox.com/module/81/section/789 and let me know if the FTP file transfer is correct? The question says "What was the filename of the image that contained a certain Transformer Leader? (name.filetype)" but I'm getting a pic of a dog and it's not taking the file name
Academy Module - "Footprinting" > "Oracle TNS"
The target machine is not stable. Sometimes it is reachable and sometimes it is not. The issue is there since yesterday.
Never mind, question was referring to the zip attached which was not clear at all
Hello, how are you? Can someone please help me with the final part of the DACL I module? I only need the last two points to finish. I entered the WS01 machine with LAPS and extracted SAM, SYSTEM. I extracted Jose's hash, but that isn't the one. The exercise says that the machine it accesses is WS01, but I don't know if there is another machine or how to extract Jose's hash. Can someone please help me. Thanks.
You can DM if you're still stuck.
anyone?
skills assessment 2 works fine
just not 1
anyone did htb password attacks new skills assessment
can someone please help me find some flags, my subscription is gonna expire tomorrow, i want to read the "password attacks" module. i need this https://academy.hackthebox.com/module/147/section/3715 and https://academy.hackthebox.com/module/147/section/3714
Hello, is there an issue with HTB where the flag is visible on PWNbox but not from a locally hosted machine? or vice versa?
anyone did htb password attacks new skills assessment
Can i get some hint
im finishing the module almost there. can i help you?
i got ssh password and username but ssh port seems to be closed
can someone just check if they can access windows priv esc skills assessment 1 box
please
can you dm me? will try to help you
Other Target machines in other modules also have the same problem. I just tried "footprinting" > "IPMI" target machine. one moment the nmap scan returned result and another moment, the same scan shows host's down. Could someone please help to check on this?
how do i create ticket to support? is it via the chatbot?
yes
awesome!
whenever modules get updated, due to how the backend works -- when sections get updated the old answer is pre-filled if you did it previously, and the answer is then nonsense with the update
no
you'll just have to readjust notes to account for it
May I know, usually, what's the turn around time for a support ticket?
hey gang, I am trying to solve a module and will need a hint "Attacking Windows Credential Manager new lab". Is this the right room to ask for hint?
Please, anyone for NoSQL Injection Skills Assessment II, at the second injection point but cant find a payload.
hey can anyone help me in password attack new skill assessment
Hi everyone, I am working on Whitebox Attacks - SECTION: Skills Assessment, got auth bypass but race conditions does not work. Can someone DM me so I can share my turbo intruder script.
Hello, i'm still having issues with module 77 section 726, i've tried resetting host multiple times, but always get the "host seems down" response from nmap
okay thats weird, i tried running the scan from the pwnbox on the website instead of my own linux system, and it worked. could it be something wrong with my vpn config?
Hi, I have an issue connecting to the module "Navigation" in "Linux fundamentals". I can't do the exercises because when I connect to the user ssh, I can connect but there is absolutely nothing. I don't understand what's going on. Please can someone DM me?
Can you help me with "writing custom wordlists and rules" pls
Sure
if you still need help dm me if you want
Yes, I'm sure
my config was the issue, i figured it out
Oh sorry
I replied to wrong person lol
I meant him
I have a doubt, if for example i gained administrative access to an application, and this application has a functionality that i can abuse to gain RCE, could it be reported as a finding?
the thing is that built-in functionality is not designed to execute RCE, but i can abuse it to obtain RCE
i would document that under impact
You mean like an admin can upload a php file that can be used as a webshell?
not really a finding
-# imo findings should only be stuff like misconfigs or outdated software that has a bunch of vulnerabilities, an inherent permission isn't really a finding cos how would they mitigate against it?
if it's something well-known like getting admin access to wordpress where you can put PHP code in a 404 page to run commands on the host
that's just the consequence of being admin
yes something like
you are welcome to document the impact of having admin access due to the vuln (which you should)
Can we document using GitHub writeups?
ohh i understand
idk what you mean.. also don't know what github writeups is
so i will write the explanation of the impact in the finding that allowed me to gain admin access
yea, you have to. that's part of the report
Still looking? I am also trying the new skill assessment, compromised 3 user, admin on one machine but IDK the way forward, can help you to get to the point I am at.
Can some1 help me with 2million?
Hi
Does evil-winrm automatically bypass UAC?
Because i noticed in one of the labs that powershell using RDP didn't let me access a folder but evil-winrm did
Yes depending on the user's privileges
i just finished doing the password attack > pass the certificate section and i was getting the error below when doing the ESC8 attack
AttributeError: module 'OpenSSL.crypto' has no attribute 'PKCS12'
for anyone having this issue you can try to downgrade pyOpenSSL and cryptography to these versions that fixed it for me
pip uninstall pyOpenSSL cryptography -y
pip install pyOpenSSL==23.1.1 cryptography==39.0.1
@compact patrol Need a bit of help. My identify command is throwing an error, says to contact a mod/admin.
@urban sage would you be able to assist with an error i'm getting from identify command?
Hey everyone. The Password Attacks module was updated recently and I have some questions regarding the new section "Attacking Windows Credential Manager". I managed to answer the question and get the answer the intended way (by bypassing UAC), however, what other way is there? Is it saving the .crd file and transferring it onto my own Windows machine and using mimikatz there?
Thanks!
@fathom pendant Hello, would you be willing to assist with an error i'm getting when using the identify command in botcommands channel? it says to contact an admin/moderator.
Also, does anybody know how to make mimikatz work on Windows 11? I get "ERROR kuhl_m_sekurlsa_acquireLSA ; Login List" and according to one reddit thread it might be due to the credential guard feature.
Sure. Send me a DM.
https://www.thehacker.recipes/ad/movement/credentials/dumping/dpapi-protected-secrets
This way is too nice.
sent a DM
Hii , does wifi penetration testing basics comes in any job role path ? I can't seem to find
But when I searched that term in discord , a result said it is under CWEE like that
I basically tried to do the same with pypykatz but I can't find the master key file in the target VM created by HTB.. can you help please?
It was here C:\Users\$USER\AppData\Roaming\Microsoft\Protect\$SUID\$GUID
for both user in academy lab, I solved that lab relying on this technique
maybe use ls -force, as it may be hidden?
like there is no folder named "Protect" nor "Credentials" for some reason
will try now
check hidden (most probable) + check others folders than Roaming
hey guys in password attack module -> cracking password protected file, in the question we got the encrypted file but with the rockyou password list it will take forever to crack the password, which list do we have to use in this
sorry last night it didn't work but it did today, solved
Hello there
Can I DM you please?
or you..?
DM
Hi, I have an issue connecting to the module "Navigation" in "Linux fundamentals". I can't do the exercises because when I connect to the user ssh, I can connect but there is absolutely nothing. I don't understand what's going on. Please can someone DM me?
This credit number was something. I was having the same issue, until I read this thread. It helped me solve the credit card number. For anyone who is having an issue submitting the credit card numbers, just think what the + (plus) signs mean in the context.
dmed you, thx
Hi. In the Linux Privilege Escalation module, Python Library Hijacking section is said that given this file
htb-student@lpenix:~$ ls -l mem_status.py
-rwsrwxr-x 1 root mrb3n 188 Dec 13 20:13 mem_status.py
So we can execute this script with the privileges of another user, in our case, as root. We also have permission to view the script and read its contents.
Is this correct? Python is interpreted and it does not inherit the setuid from the script, so we wouldn't be able to execute it as root
It does inherit the suid
-rwsrwxr-x
Read write [set execute] on the user octal permission means it will run in the context of the owner of the file
Try adding those lines to the os library, see if that makes a difference
this question in the Using Web Proxies - Proxying tools module: Try running 'auxiliary/scanner/http/http_put' in Metasploit on any website, while routing the traffic through Burp. Once you view the requests sent, what is the last line in the request? This question has me so confused because I have scanned like 20 websites and I keep getting the same response from metasploit> File doesn't seem to exist. The upload probably failed
My friend read the question carefully
It's asking what the response looks like
I.e. route through burpsuite proxy
burp isn't giving me any responses
And check what the request looks like there
Also, not response* request
'What is the last line of the request'
lol damn
I was completely overthinking
thank you my friend!
have to read more carefully
I think I didn't understand you..
In the module they're using sudo to execute the file, so technically it's not the setuid bit, but sudo which is giving the superuser privileges
sudo /usr/bin/python3 mem_status.py
Here https://unix.stackexchange.com/questions/364/allow-setuid-on-shell-scripts#2910 it's explained that "Linux ignores the setuid¹ bit on all interpreted executables (i.e. executables starting with a #! line)."
And the code of mem_status.py is
```python
import psutil
available_memory = psutil.virtual_memory().available * 100 / psutil.virtual_memory().total
print(f"Available memory: {round(available_memory, 2)}%")
```
So that suid is being ignored, it's `sudo` that gives privileges to the execution. Am I missing something? I'm not trying just to solve the question in the section, but to understand how this is working
so; i use ligolo-ng as my pivoting tool of choice, I got tired of doing sudo proxy ... so i set the suid bit and made sure it was on root owner, the reason for this is because root is needed to create and manage interfaces (i'm sure there's some setcap thing for it, i was too lazy to google) -- i no longer had to run sudo to get it to work how i needed it to. While it may "ignore" the suid; it still does what it does in a root context
i.e. it elevates its privileges where needed
this script is an interpreted executable, not an actual binary like ligolo-ng's proxy is, so it's not going to inherit the SUID
sudo is indeed what elevates the privileges in this case
though i'm not sure if SUID allows you to bypass any whitelisted commands in the sudoers file
it depends; it doesn't inherit the suid - yes- but it still can perform things in a root context iirc
hi
can you give an example
Exactly, that's why i think the comment "So we can execute this script with the privileges of another user, in our case, as root. We also have permission to view the script and read its contents." is a bit misleading. If we have read and write permissions and we can execute as root why don't we just modify the script instead of going through the entire explanation of the section?
because i was testing this earlier, and i couldn't get my script to run as root despite it having SUID set
Please do not send unsolicited DMs (Rule #8). I do not mind helping out and taking things to DM, however, let's start the conversation in this channel first then take it to DMs after the written consent is given.
i'm unable to find an example, and i am probably wrong. it seems more of the focus is on utilizing the libraries over the actual suid bit of python scripts
#1234357888114364508 make a post there @main ridge
ok. Thank you both
yeah it appears python 3, or at least 3.11+ has some built in protections
even when trying to manually bruteforce (os.seteuid(0)) with the root suid bit set, it gives permission denied
this also happens if you try to run a bash script with SUID bit set
```
┌─[Sun Jun 08]─[11:12:04]─[calculac0re@pwnbox-nix]─[~]
└──╼ [★]$ ls -la test.sh && cat $_
-rwsr-xr-x 1 root root 16 Jun 8 11:11 test.sh
#!/bin/bash
id
┌─[Sun Jun 08]─[11:12:18]─[calculac0re@pwnbox-nix]─[~]
└──╼ [★]$ ./test.sh
uid=1000(calculac0re) gid=1003(calculac0re) groups=1003(calculac0re),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),106(netdev),112(bluetooth),1000(lpadmin),1001(scanner),1002(docker)
```
reading into it, it happens with any interpreted scripts
so you'd have to suid python and not the script
hmm even then
I'm doing the OpenVAS Skills Assessment, but for some reason the "target" i spawn, doesn't have 8080 open?
Restarted it multiple times, of course I did a nmap of it first, ssh and postgresql ports open.
Reminder: OpenVAS can be accessed at https://< IP >:8080. The OpenVAS credentials are: htb-student:HTB_@cademy_student!. You may also use these credentials to SSH into the target VM to configure OpenVAS.
Does that mean I gotta set it up first, or optional?
Also tried that
Hahaha just had to wait, you rock! ;D
can someone help me
@rustic sage this isn't that kind of server, i'm sorry that happened but this isn't a hacker4hire server
Oh ok
Hi im New, i am on phone and i am learning Python on phone am i gonna get Better when i got PC and install linux?
yes
Not in this server bud
Good Afternoon guys someone had completed the module AI the last exercise?
hey guys, I am doing the linux priv esc module and im on the logrotate section. I got log rotten to trigger my reverse shell payload but i am not getting a connection back. I've been stuck for a few hours now, would appreciate a point in the right direction
instead of a reverse shell, try just moving the file
as in to test its actually executing?
well yes, but also shells made in this way are notoriously unstable
also by "moving the file" i'm referring to copying the file you're meant to read to a readable directory
ah got u, ill give it a go, thanks
Currently doing the SOC Fundamentals in Introduction to the Elastic stack, however for some reason I can not ping the target I spawned, tried both vpns tcp and udp, tried the pwnbox as well.
Anyone know how many questions are changed in the new password attack updated version
Ik new sections are added i was in pass the hash then it got updated i see all checked in my previous pages
If you're still stuck you can DM.
hi i can't complete the web archives sections cause wayback machine had issues with url or snapshots that weren't available? can someone help me?
The domain wasn't always .com
try in a private window with all add-ons disabled
Not sure if I should post it here, how do you guys structure your notes for each of the modules? (I'm using obsidian btw).
I do it this way btw (using Footprinting module as an example).
Personally I usually do one document per module with h1 for sub modules (like host based enumeration in your example) and then h2 for the sub chapters and so on
But tbh, it doesn't really matter as long as you feel you have control
Your way is a fair way to do it, but I often feel in larger obsidian repos it starts getting hard to find things again
Yeah your way seems pretty good as well, guess I just like to subdivide my notes, since I used to use OneNote.
on wordpress hacking skill assessment
theres this "Note: You need to have a knowledge about how in Linux DNS mapping is done when the name server is missing." idk what that means, do i just create a name for it on etc/hosts or what
I'm stuck too. Can't get in with the credentials. Tried all sorts of bruteforce I could think of.
Anyone able to help me out rq? I'm working on the public exploits section in the "getting started" module, and i was wondering if anyone could tell me if im on the right path
Sure just ask your question
well i did a nmap scan and found out the service i need to find an exploit for, and i found this: CVE-2024-6387
Thanks a lot!
however i cant seem to find it in metasploit, though i found the github site
so i was wondering if i need to find another exploit or if thats the one they want me to use?
You don't need nmap. There is only one port. Whenever you're provided with only one port, in Academy, focus on that port.
oh okay, that makes more sense :)
i tried using curl -v and found that the server is running apache/2.4.41, is that more on the right track?
You're getting closer. Apache is a webserver.
Have you tried visiting the website?
I did, it seems like it has a "simple backup plugin" which i found an exploit for when i searched for it with searchsploit
Hi, I have an issue connecting to the module "Navigation" in "Linux fundamentals". I can't do the exercises because when I connect to the user ssh, I can connect but there is absolutely nothing. I don't understand what's going on. Please can someone DM me?
@cloud urchin i finally did it
. i struggled with finding the flag because i forgot to change to the correct port
great job! now you know the port thing in the future
yes, thanks :)
Idk about you guys but the lab on windows priv esc on bypassing UAC does not work properly: Follow the steps in this section to obtain a reverse shell connection with normal user privileges and another which bypasses UAC. Submit the contents of flag.txt on the sarah user's Desktop when finished.
Tried resetting the lab multiple times and running C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe to no avail
just follow the techniques in the module step by step and you'll be able to connect with evil-winrm
Hi
I'm in Password attacks - Cracking protected archives. I can't download and install dislocker with sudo apt-get install dislocker There are some errors, and can't find it after with locate dislocker Anyone else having issues with it?
yes, but I can't see where it installed to.
Im currently doing the Skills Assessment for "Windows Lateral Movement".
Im on the WSUS update part and trying to push a reverse shell update to ||backup||. While doing so, i wanted to check if the reverse shell itself works and realized it only works from "support" but not from "wsus". I have a remote port forwarding established on "support" and the reverse shell is having port 9090 on 172.30.0.40 as the target to connect back. I now thought this would either work when being executed from both machines or neither. Now it somehow just works from one. netstat -ano on "support" seems to listen on all interfaces TCP 0.0.0.0:9090 0.0.0.0:0 LISTENING 2220. Any ideas what went wrong?
did you add the necessary configuration of /etc/hosts ?
Hey I scanned a certain network and found several open ports, how can I exploit them? anyone?
Best to specify exactly which module and section you're on.
Network scanning
Which module, section, and question specifically.
You'll need to provide a lot more relevant information if you want help.
Hiii
Done
You didn't actually verify
Could someone please try to connect to windows priv esc skills assessment 1 box, I've been trying for days, changed vpns, used pwn box and even tried a new computer and still nothing. Every other box works fine
@rustic sage Still not working. Unless it's installing in a way that I can't see.
I get the following errors: Error: Failed to fetch http://http.kali.org/kali/pool/main/d/dislocker/libdislocker0.7t64_0.7.3%2Bgit20240607-3_amd64.deb 404 Not Found [IP: 54.39.128.230 80]
Error: Failed to fetch http://http.kali.org/kali/pool/main/d/dislocker/dislocker_0.7.3%2Bgit20240607-3_amd64.deb 404 Not Found [IP: 54.39.128.230 80]
Error: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
Hey
If someone could help me it would be great
How do I learn cybersecurity from scratch