#modules
Tried that, didnt work
Password is wrong, missing a -u before the password as well.
That syntax from the module had that for pw?
It helps to know the module/section as well
Yeah that's 90% of my problem, I haven't understood 95% of the entirety of pw attacks, genuinely making me want to toss Kali and not look back
Lol
Cracking archives I think
Just to be clear you ran the sudo losetup command?
Yeah
mfs at htb academy have been doing it wrong
?
This thing should be in insane tier
Windows Kernel Telemetry & Detection Techniques

where is our academy's insane tier
we need a separate module for this alone - Windows Filtering Platform (WFP)

well it is a TIER 4 module
rated HARD doesn't sound fair
hard is generally fair. It doesn't look like it requires you to stare into the abyss to learn anything
If fixing the typo on the password and changing the /dev/loop0p2 to /dev/loop0p1 doesn't work, you have done something wrong beforehand.
and hard also means that it supposes you already have a grasp on the underlying principles before it (same with it being a tier 4 module)
Is there a reason I don't have a loop0p2? Just trying to understand I guess
It lies in the partition layout of the .vhd file (Private.vhd) and how it is mapped when attached as a loop device using losetup.
@grizzled schooner as a general note; whenever you mount a device with something like loop; do lsblk which will show you the mount partitions of a mounted device like a vhd
i was able to perform the instructions nearly identically (save for the -u<password>) and /dev/loopNpY
as a note with any partition type; /dev/typeNpY; N is the disk # and Y is the partition #
if it was a full vhd device, (OS and everything) it may have had more partitions on it like a boot partition/recovery partition/etc
Hey, guys when i use this command impacket-ntlmrelayx -t http://10.129.234.172/certsrv/certfnsh.asp --adcs -smb2support --template KerberosAuthentication
I get this message
```
[-] Authenticating against http://10.129.234.172 as / FAILED
[*] GOT CERTIFICATE! ID 13
Exception in thread Thread-6:
Traceback (most recent call last):
  File "/usr/lib/python3.13/threading.py", line 1041, in _bootstrap_inner
    self.run()
    ~~~~~~~~^^
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py", line 42, in run
    ADCSAttack._run(self)
    ~~~~~~~~~~~~~~~^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 81, in _run
    certificate_store = self.generate_pfx(key, certificate)
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 113, in generate_pfx
    p12 = crypto.PKCS12()
          ^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/cryptography/utils.py", line 68, in __getattr__
    obj = getattr(self._module, attr)
AttributeError: module 'OpenSSL.crypto' has no attribute 'PKCS12'
```
on a constructive note - we need bare minimum these modules/sections, I mean I don't have any issues, but its addition would be of great help, I really love the material from our HTB Academy, the authors are amazing, so any additional knowledge and input is much appreciated. Attaching the table for reference -
where is this table from? is it in the module and referencing the other sections within it?
or is it your own notes
my partial table which I made
Ran into this earlier scroll up and theres a solution
also labeling the left side as "module" can be misleading @polar widget ; it'd be more apt to call the lefthand side "topic(s)"
yeah topics
The essence being - roughly you can club 2/3 sections from that module and have 1 dedicated module separately, because it is so much interlinked
havent unlocked it, but will comment for sure
to-do@KS7
yeah if you haven't actually done the content yet it's kinda hard to comment on what ought to be the case
i'd have been surprised if you did it all that fast
Well its a beautiful module, good things take time
It's a fairly specialized module, true, but if you have the necessary prerequisites (described in the introduction), you should be fine.
yeah man absolutely
jesus I was reading your blog last month on the EDRs
hats off to your content!
Thanks! even though I still have a lot to learn hehe :p
you're way above than average souls like me
Heyy all I'm new here need help with some stuff where do i ask ? Can't text on general group
Yeah we don't do that kind of thing here
And yes what you did is patently illegal, you should not be testing the validity of something like that
proud of you, it takes time !
congrats fam!!!!
anyway I can stream my screen somewhere for help
if the module is above tier 0 you wouldn't be able to stream the screen due to ToS
but it helps to say what module and section you're working on
uhh its the HTTP request section of the Javascript Deobfuscation module inside Cracking Hack The Box module think
one sec so i can pull it up
okiii
ah all you gotta do is send the curl request to http://ip:port/serial.php with no other methods
I got to the point where I decoded the serial.php into a message
it should return a random string
that string is what you input, not the decoded string
you worked one-step ahead :D
The base64 string? o h
this module really does get you with those
Ok peeps. I been stuck on this Burp Intruder section all day. No matter what I do, I get 404, no 200s to find the flag on the lab at the end of the section. I’m going nuts. Any advice?
hello all, i'm stuck in the password attacks module section: hunting for credentials in network shares, question 2: As this user, search through the additional shares they have access to and identify the password of a domain administrator. What is it?
I've ran snaffler, netexec, and the other docker tool but they all werent helping so i tried to write custom scripts or manually look for pass in admin$ share but to no avail
im going to retry with hamspider
manspider*
I’m annoyed because I’m finding the stupid 403 forbidden directories right away. I wonder if I need to use a diff word list.
your post request should be to /serial.php with the -d(ata)
sorry for the spoiler screenshot, my bad. i managed to solve the question
@grand timber you need to include the data with your post request
where the data is in the format "serial=(decoded output from previous section)"
@grizzled schooner Please take care to not spoil content from modules above tier 0
What module/section?
@grand timber so you're misunderstanding how requests work, also your screenshot is containing spoilers.
curl -X POST http://ip:port/serial.php -d "serial=<insert decoded thing here>"
so just a modified version of curl -s http://SERVER_IP:PORT/ -X POST -d "param1=sample"? where the quotation gives value to the -d?
you're told what the param1 is in the question => serial
and you're told that the value of serial is the decoded output
as a general note, whenever you include data in your curl request, it's assumed post
that's why you were getting the string again
Now im at this point. I needed the question previous you were ahead of me by one, I might have given you the wrong lesson, but i was on the HTTP request question not the decoding
ah
then you have the answer :)
i thought you answered already LOL
the answer is the N2... string
Is it just me or does the method they provide to solve the last two questions in getting started under the penetration tester path not work at all? I’m pulling my hair out at this point. Like I made it all the way through the enumeration steps and got to the exploitation steps. But that’s when I noticed nothing worked. So I read the guide they provide and none of those steps worked either.
what do you mean last two questions, you mean the Knowledge Check?
Yes the knowledge check
So now i would use the
curl -X POST http://ip:port/serial.php -d "serial=<insert decoded thing here>"
so the answer to the http-request section is the N2 string, not decoded
the following section is what uses the decoded string
It got mad at me for sending the undecode stream
OH NOPE sorry misread
we got wires crossed somewhere lol
so now i decode the n2 string and thats the answer?
the http-requests section is only expecting the encoded string you get sending an empty post request to the server
okay, that was the n2 segment. so now for the decoding section I need to decode that string to get the answer?
Yes I was referring to the knowledge check sorry
so following this (and putting my decoded n2 string) keeps returning the n2 string lol
yeah i was spawning the target hold on
dm me with what you're doing to avoid spoiling
i'm not having issues gaining the foothold or anything of that nature
Are you using the msfconsole or the manual method academy provides?
i did the manual method
i believe the first time I ran through this i used the msfconsole method
Weird I followed it to a T and the php shell command I placed inside the themes document never connected back to my nc listener, and when I tried the msfconsole method it would say started tcp listener but would never progress past that
did you replace the php exec command with your system's IP and port to call back to?
Do you mean the part where it says PWNIP and PWNPO? Yes
I replaced that with my ip and port number for the listener
and you had the listener started before trying the exploit?
Correct
I even cntrl c out of it and restarted the listener multiple times
dm me with the screenshots of what you're doing
Oof I kinda already terminated the instances… but for clarification when you asked if I replaced the php exec command do you mean replaced the php exec phrase with my ip and port or the PWNIP and PWNPO part like I mentioned? Because I left the php exec part in there
hey @sacred rock i was messing around and looked at the walkthrough for the alternate way to root the knowledge check, i ran the tool mentioned in the guide but i didn't get the output that indicated the specific file with the info mind if i dm to discuss?
```
python passthecert.py -action ldap-shell -crt user.crt -key user.key -domain <domain> -dc-ip <ip>
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies
("('socket ssl wrapping error: TLS/SSL connection has been closed (EOF) (_ssl.c:992)',)",)
```
What am I doing wrong here ? I'm piping this through ligolo could this be the issue?
the /dev/tcp/pwnip/pwnpo part replacing the pwnip with your.ip.goes.here and the pwnpo with your port
So basically like this, /dev/tcp/10.10.10.24/1234 right? Because that’s how I had that part.
yep you do need the whole rest of the portion
but without seeing the output/what you did it's hard to say where you messed up
Right the php encasing with the php exec part right?
yeah
and ending the php with ;
the ; is required at the end of every php command
nvm @sacred rock ; it looks like the issue was a limitation of the terminal size/screen scroll
Crazy I have no idea why it didn’t work then. I set my nc listener to 1234 to match the port in the code is it because it set it to 1234?
yes
you want the port you're calling to to match the port you're listening on
the caller doesn't know you meant 4321 if you put 1234
it thinks you meant 1234 and if it's not open it just fails to connect
Huh? No I put 1234 for both
i'm just making a generalized example
if you dial 911; you're not gonna be connected to a pizza place if that makes more sense
Oh gotcha so I had it correct there as well then. 1234 in the php code and 1234 in the nc listener. Odd. Well maybe it’s a one off situation for me I appreciate your help.
the last thing of course is actually visiting the page at /theme/<Themename>/template.php
the code doesn't execute on the editor page
Oh I know I did that too even tried refreshing the page but it would load into a black blank page
blank page isn't necessarily a bad thing, especially if it's still trying to load. if it stops trying to load/loads a blank page then that's an issue
(in firefox) the infinite loading until you close the connection
Ya it loaded into that. I had ‘ marks in my php code towards the end. If these marks aren’t supposed to be present maybe that’s why it loaded into that? Caused a loading error which means the code didn’t execute
Loaded into a blank black page I mean not into the infinite loading thing you mentioned
well you can dm me when you get back to it
Sounds good I appreciate your help 🙂
If anyone’s working on windows-kernel-telemetry-detection-techniques then lemme know, I’ll be your buddy.
bro bought the flags to the new module
(kidding ofc)
does anyone know how to solve this error in Linux Privilege Escalation -> Miscellaneous Techniques?
I run the shell binary in victim pwnbox and i got this error. tried to gcc compile it in victim box and then transfer it to attacker box via wget and it can't be transfer.
./shell: /lib/x86_64-linux-gnu/libc.so.6: version 'GLIBC_2.34' not found (required by ./shell)
You should be able to transfer the library files if you cant get it to compile on the victim side
👍 👍
Can someone provide a nudge for the password skills assessment. I discovered hw user/pass but cant do anything with it. Help would be very much appreciated please.
I tried "tryhackme" a little while ago and was turned off by the beginner modules which weren't skipable does htb have that sort of thing or can I just jump in
None of the modules force you to take them, that being said it's still recommended you don't skip out on fundamentals
ty
Hello
go to #welcome and verify your account by following the introduction
Ok
then u get general access
hello
can someone help me with the brute forcing module
I have been trying the exact command it asks me to in the module and have even tried specifying the command further by specifying the authentication type yet I get 0 matches every time for the password.
I dont know how to send images here but I have screenshots of the commands I have used
@reef thorn welcome! you can send images if you verify your account as per the instructions in #welcome 🙂 then you should be able to send screenshots in here
I am doing Pivoting, Tunneling, and Port Forwarding module, on ICMP Tunneling with SOCKS right now the task is to launch a ptunnel-ng on target host but i am facing with this error:
./ptunnel-ng: error while loading shared libraries: libcrypto.so.3: cannot open shared object file: No such file or directory
anyone got fixes for it? I read that most people downloaded other vms or docker images to fix it
Not the right place, mate. Read the rules
From memory, I built the static binary and didn't have a problem
Can someone please dm me the root flag for nibbles privilege escalation pen tester path? I found the root flag but as I went to screen shot it I accidentally reset my pwn box and nearly drove myself crazy trying to go through the process again. For everyone else out there starting the path I highly recommend just setting up your own VM.
I don't think you should be asking that question here
I finally found it, tysm
hi, Im currently trying to do the Windows Attack & Defense - PKI module. I've solved the first part and moved on to the second, but I am unable to connect to PKI.eagle.local (tried using both hostname and IP address to RDP, but it does not connect)
both the Kali jumphost and the WS001 machine cannot reach the server
hi guys, im trying to do pass the certificate section in password attacks module
im trying to RDP into the machine but get an error
i also tried remmina and it still fails
"authenticate" does not always mean rdp; as a side note, none of the techniques involve being rdped into the machine to perform
Authenticate, in this instance, means using the given user:pass to perform the attacks
.
thanks
you'd have a lot of trouble doing the modules on a mobile device
if you mean in-general, even more so. Not a lot of tools exist for use with android/mobile devices
Im new sorry i want to protect myself from getting hacked or something in android so
the simple answer to not getting hacked on android is not running sketchy apps or clicking on sketchy links sent to you
Ok thx u
Can i scan in virustotal?
Ok thx so much
I can't chat in general
if you want to continue engaging in off-topic convos, you'll need to:
- make a hackthebox account
- follow the instructions in #welcome to link your account
Ok thx
So i can be in this seveer if am an Android user?
Server*
you can
Hey guys, I am on module 143, section 1509 of CPTS ... Attacking Domain Trusts - Cross-Forest Trust Abuse - From Linux.
I am facing a problem. For the second question, the hash I get from first question is unrecognizable by hashcat. Mode 13100 is not working because hash is unrecognizable. Thus I am unable to crack it.
it helps to give the module and section name; as well my suggestion to copy the full hash starting from the initial $
if the hash does start with $krb5tgs$23$ then 13100 should work
But It's not working
Yeah I checked it there
then you likely didn't save or copy the full hash if you're using it independently
But I have noticed that length of hash that I am getting is way longer than specified on Hashcat wiki page for 13100
it's gonna be a variable length
it's not a static length
no reach out to instagram support. If they can't help you're SoL
@feral basin i just spawned a fresh target and was able to request the ticket as well as crack it properly not sure what you're doing wrong tbh
the only thing i can think of is you need to run the hashcat command on your host machine/pwnbox not on the target jump-host that you ssh into
I'm not stuck but kind of confused. On the Pivoting / Tunneling module of CPTS I have just finished my SSH port forwarding section and now on the Remote/Reverse Port Forwarding bit.
The module text says to go ahead and get a reverse shell from the windows host sat on the 172.16.x.x network, but we haven't been given RDP credentials over there, only credentials we have is on the ubuntu server. Since this module isn't pushing us to hunt for credentials on the system or look for misconfigurations. I'm confused why the module is asking for things like "download the payload onto the windows device" To do that we'd need to know the credentials wouldnt we??
this is sort of optional I guess but given the text clearly says we should give it a go, it feels backwards
it's placing you in the position of victim; but yes you have credentials you can use
huh I must have missed the windows credentials in the module text, ill have a look then thanks marcie
i'm running into an issue with Login Brute Forcing - Skills Assessment Part 2 - https://academy.hackthebox.com/module/57/section/516
i have already SSHed into the provided IP, and have read the incident report that provides the FTP user's name. Based on this, I have used username-anarchy to create a relatively small list. I believe my problem however lies with my password list. I've tried the passwords.txt on the SSHed host to no avail. I went on to create a new list using "cupp -i" that adds numbers and special characters, but the resulting list would take days to iterate through with Hydra.
Also, I tried to apply the regex from the "custom wordlists" section to trim it down, and the output is completely empty.
In case this is relevant, I am using this syntax on the SSHed host: ||hydra -l userlist.txt -P passwords.txt ftp://94.237.56.47||
that's a public ip and port you're given, so the only scope externally is the initial service
you shouldn't be using the external ip when messing with internal services 😉
hello
aaaaaaaaaand i got the password in 10 seconds (i've been at this question for an hour and a half)
if it hasn't been given in previous sections it's the Victor:p*
as the windows IP; it looks like the example for "logging into the windows host" is missing that crucial bit of text
I'm doing the "Attacking Authentication Mechanisms" module, I'm in the "SAML Signature Wrapping Attack", I modify the SAML Response but I get an "Invalid SAML Response". When I validate it with an online validator it passes the check, so I guess there's something with the encoding. Can someone help, please?
it really is! I didnt want to bash the module as its written well just felt like I was missing something to proceed... thank you ❤️
I'm base64 and then URL encoding all characters in CyberChef
just to be clear @digital pendant it's this section? Remote/Reverse Port Forwarding with SSH
also don't really worry about practicing it on that section, plenty of other sections to practice on
the module is littered with windows hosts to practice with
I will get on with it then 😛 that RDP pass worked thank you
@earnest leaf that would be considered a spoiler btw
why? it's literally a link
i haven't done the module, so you'll have to be patient and wait for someone that has
okay
Thanks, I was able to crack it.
Windows PrivESC -> Pillaging
Optional Exercises
when trying to pass the hash of admin getting this screen is it intentional or i did something wrong?
Is it coz of blank password thing? coz i am using PTH
DisableRestrictedAdmin; if you're unsure about that Pass The Hash from Password Attacks module should be helpful
ok got it i am sure about PTH tho
i was more pointing to the relevant module/section that would have the info i'm talking about
thanks
I'm working on Attacking Common Services > Attacking Email Services
I tried smtp-user-enum with the provided users.list and with all methods (VRFY, EXPN and RCPT) for the target.
I got nothing in return.
smtp-user-enum -M <method> -U users.list -D inlanefreight.htb -t <target ip> -w 25
Can anyone help me?
hi guys, in the password attack module, skill assessment, that .pcap file is the right vector?
Also tried all methods without the -w option?
Yes
What module is recommended next, after completing "windows os fundamentals" and "windows cli module"?
Hello, no
finally works after restarting the vm few times
Hey all. I've finally figured out Q2 of the "NTLM Relay Attacks" Skills Assessment after quite a bit of head scratching and am now trying to figure out what to do with the access to get the password for Q3. I've been through the module content a few times and can't figure out how to make use of the privileged access. Can anyone provide a pointer or two pls? Cheers!
Doing Pivoting, Tunneling, and Port Forwarding , on the RDP and SOCKS Tunneling with SocksOverRDP question rn.
I believe that i've done everything correct, but it just does not wanna load it for me.
anyone faces such issues with the connectivity?
Solved it eventually, had to re-launch rdp about 10 times to make it work lol
Explore C: drive
Thanks. I'll have another look!
So, I've searched the Discord channel for other ppl stuck at the same spot. Seems the consensus is to check shares on the host. So maybe craft a malicious .lnk in the ShareBackups folder?
Hello guys someone can give me some help on the Skill Assessment of wkhtmltopdf, PDF generators, In Injection attacks Module?
so new blue modules are now only released for 90€ each and not included in gold annual? 🆒 🆒 🆒
Feel free to DM
they later will
Hey! Did you ever get through Q3 on the NTLM Relay module as I'm now stuck too! I reckon the way forward is to do with a malicious lnk file on backup01 but can't see the wood for the trees.
token manipulation was released half a year ago already and is still 90€ and contains (i guess) lots of information microsoft currently is deprecating because they rework the tokens and admin accounts...
guys hello I am getting this kind of an error ./kernel_exploit: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./kernel_exploit)
can someone guide how to solve it?
expect the path to finish in maybe the start to mid of next year , it should contain 15 modules just like the cwee and cape , and about the token manipulation they might rework it too if microsoft did , or change the module to something else
Try compiling the exploit with the static flag on your attacker machine
you mean gcc?
Yep
I did it already
What module and section are you on
kernel exploit
linux priv escalation
it means that the version of glibc on target is older than mine
I think it worked for me, so not sure about this. Maybe someone else can help
which exploit did you use?
Hi everyone,I was doing skill assessment From the CBBH (File-Upload module), I uploaded the web shell but i cannot read the flag that is on the root directory like when i do cat /flag....txt . It doesn't show me any result. My question is, Am I still missing something or not doing enough to get flag. EDIT: Dang it, URL Encoding got me . Fixed do proper url encoding while getting the flag and i was able to grab the flag
move it to the target machine and compile it there if you can.
I have already compiled it on my attack host
on target glibc is version 2.27 and exploit requires version 2.34
i don't have permissions to upgrade the system
you can also just: transfer the libraries
you mean me?
yeah
if a file isn't found on the system... transfer the file to the system
simple as
compiled directly on the target machine.
Hey guys little question about the Windows Event Logs & Finding Evil module in the Analyzing Evil With Sysmon & Event Logs
section, I found all the answers of the questions but I'm trying to dig deeper, when I launch mimikatz, as they say in the module It will access another service (LSASS) so it is an event ID 10, but when I go in the event viewer and filter on id 10 after using mimikatz, I have 0 entries do you know why?
thank you
good afternoon, anyone here to help me? i'm stuck
Probably ask your question and then someone can help you 😅
i'm currently stuck @ Spraying, Stuffing, and Defaults "Password Cracking module"
so i've SSH'd to the VM. Found a notes.zip on another users desktop. Tried to crack the password, but my cracking fails. i know there's info in this zip to find the password for the user that can connect to the SQL server since i also found a id_rsa file in this users folder but can't access it and my exploits seem to fail
anything i missed?
use the tool showed in the section
is it just me, or are the Academy VPN connections not very stable?
I've gotten disconnected from any RDP session I create within 5 minutes
and then cannot connect again unless I reset the machine
reach out to support to further troubleshoot the behavior
Need some help? Learn how to reach the support team on Academy.
alright thx
Anyone else experiencing issues with "Target(s) are spawning..." being stuck forever? Never experienced this before
Had it happen to me once, waited it out and it let me spawn them again
need some help in Password Attack Skill Assesment
when I try to use nmap through proxychain it give me a error and I dont know why
proxychains nmap -sT -Pn --open 172.16.119.11 172.16.119.10 -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,5985 -oA internal_domain_scan
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-25 12:23 UTC
dig: parse of /etc/resolv.conf failed
dig: parse of /etc/resolv.conf failed
dig: parse of /etc/resolv.conf failed
dig: parse of /etc/resolv.conf failed
dig: parse of /etc/resolv.conf failed
uncomment proxy_dns in your proxychains conf
Already configured
sudo cat /etc/proxychains.conf
proxychains.conf VER 3.1
HTTP, SOCKS4, SOCKS5 tunneling proxifier with DNS.
The option below identifies how the ProxyList is treated.
only one option should be uncommented at time,
otherwise the last appearing option will be accepted
dynamic_chain
Dynamic - Each connection will be done via chained proxies
all proxies chained in the order as they appear in the list
at least one proxy must be online to play in chain
(dead proxies are skipped)
otherwise EINTR is returned to the app
#strict_chain
Strict - Each connection will be done via chained proxies
all proxies chained in the order as they appear in the list
all proxies must be online to play in chain
otherwise EINTR is returned to the app
#random_chain
Random - Each connection will be done via random proxy
(or proxy chain, see chain_len) from the list.
this option is good to test your IDS 🙂
Make sense only if random_chain
#chain_len = 2
Quiet mode (no output from library)
quiet_mode
Proxy DNS requests - no leak for DNS data
proxy_dns
Some timeouts in milliseconds
tcp_read_time_out 15000
tcp_connect_time_out 8000
ProxyList format
type host port [user pass]
(values separated by 'tab' or 'blank')
Examples:
socks5 192.168.67.78 1080 lamer secret
http 192.168.89.3 8080 justu hidden
socks4 192.168.1.49 1080
http 192.168.39.93 8080
proxy types: http, socks4, socks5
( auth types supported: "basic"-http "user/pass"-socks )
[ProxyList]
add proxy here ...
meanwile
defaults set to "tor"
#socks4 127.0.0.1 9050
socks5 127.0.0.1 9050
you don't need to copy the whole config file to say it's already configured
-n on nmap maybe?
@fathom pendant mind if i bother you in PM?
about?
a module i'm stuck at atm but don't want to spoil too much info
well it helps to know which module so i know what portion of my notes to look at
Password attacks - Spraying, Stuffing, and Defaults
While that's easy, think easier.
i don't have updated notes for pw attacks
looks like it hasn't really changed (at least the method/answer); the hint here is defaults
so i'll have to look further into: "creds"
the only creds you need to care about are what's given to you, after that you have to research what default passwords may exist (there is a tool/repo linked in the module)
and i'm going way to far?
you don't need to bruteforce anything with tools
there's a cheat-sheet linked 😉
that's all i can tell you
you don't need to put extra spaces in your question/request. it just pushes other peoples asks out of the way
With that being said; if it's hanging then i suggest restarting the target
also deleting bc spoilers (yes even though the creds are given)
aight, i'll start over thanks 🙂
@fathom pendant Is there a tutorial on hackthebox on how to setup a secure Linux VPS?
you don't need to use a VPS; there's a rough setting up module that shouldn't be used as gospel. But VPS aren't needed to interact with HTB so they don't have a specific tutorial for it
Oh no, it's just in general for use
cause I have a project i need to put up
The general tip for securing any VPS is not to use default passwords or insecure passwords, where possible use stuff like PKI for authentication. I.e. RSA keys to log in via ssh
found it @fathom pendant i was in waaaaaay too deep
yeah, I used a random generated password with random chars
thanks alot!
either way there's no module that specifically talks about hardening a VPS
would be cool to be a thing
feel free to submit /feedback
The nmap command worked but when i tried to escalate further by netexec my system crashes
There is no way to get 100 cubes when doing the final exercise from Unexpected Input - PoC and Patching (Parameter Logic Bugs) the max with 5 dollars is 80 cubes. tried tons of variations. Can someone help me with this????
@gray yacht OK thanks. This Q3 is a doozy! I'll get some food and revisit the compromised host with fresh eyes!
If you still aren't getting anywhere, send me a DM. If you've done the CAPE modules in order, revisit your notes made on the CME module that hits on shares.
@gray yacht ah that might be the issue with the lack of familiarity - I'm working through the CREST CPSA/CRT path not CAPE.
All good, as there are likely more ways to do it. If you aren't familiar with netexec you can visit the wiki and read up on its functionality with shares. Like I said, if you don't make any progress you can DM and I'll help you come up with some ideas on how to move forward.
Are you connected to the VPN?
@gray yacht thank you again. I'll check out the netexec wiki as I've not used the tool before. Hopefully this will help the penny drop but very much appreciate the DM offer! I may hold you to that!
Is this from the Footprinting module? I doubled checked it and it is, so please refrain from posting content from modules over Tier 0, which is why I deleted your message. There are other ways to explain your issue, without spilling that information.
Yeah, just verified the question was from the Footprinting module.
It seems to be solved though.
anyone available for a nudge on the password assessment please. Discovered two creds, setup tunnels to use them but unable to connect to anything. help would be appreciated.
If you cannot connect to anything through your tunnel, I would troubleshoot that part first.
i can setup the tunnel and reach the other internal servers. The two sets of creds i discovered don't work against internal network (or so it seems).
Have you tried those creds for all protocols on the internal servers?
clearly not, thanks for the nudge. I ran an nmap scan through the tunnel for the top 20 ports and used with creds. But maybe i missed something.
I think top 20 ports would have found what you need to be honest.
maybe i missed something, i tried both local-auth and normal authentication against smb with nxc. I'll reset everything and give it another go!! Thanks
Are you getting auth failures with nxc or something else?
guys i'm trying to run a psession via winrm but seems like my attack machine is not in the trusted host list, how can i connect remotely via winrm to the target machine?
there is actually
The introduction to the infosec path briefly mentions some general tips and guidelines.
let me see what page it was
Hey folks, in the secure coding 101: JS module, the description mentions that the module is the "first module in the Secure Coding path." But I dont see a path focused on secure code, anyone have any info if that is something in the works? Or is there a path/module that I am not seeing
setting up, has a simple page about VPS hardening to get you started
hi
first time using discord. have a question regards to Active Directory LDAP module- I was struggling with the last question... Find the name of an account with a ServicePrincipalName set that is also a member of the Protected Users group.
is there someone i can talk to?
guys ! i think i messed up winrm application on my lab machine xD
i had a tough time trying to configure winrm and some how i try to configure the winrm and it just broke down
on the Password Attacks module Skills Assessment, i'm totally stuck at the first hurdle.
With only a single ssh port, and a potentially correct password, I just don't know how to get past the first step. I've tried so many permutations of the given user's name and the company name for a domain, but just nothing works.
(betty jayde)
Surely I'm missing something? But there's no website to scrape for additional info to inform the username or anything. This is making me pull my hair out.
Hi
Is there anyone can help me with this module "Rapid Triage Examination & Analysis Tools"?
Please DM
Done with the web proxies module.
I am pretty sure the cheat sheet gives a wordlist or username list, I don't remember 100% but I was stuck for awhile before finding it
thanks, got it. That was annoying as hell. The tool referenced in the cheatsheet isn't in the "custom wordlists" section but in another section, so i was forgetting about it. I've added it to my notes for custom wordlists now. I am so annoyed by this lol
Yeah, I had some very frustrating experiences, but it makes them more memorable
Do you recommend finishing networking first and then moving on to Linux fundamentals, or is it possible to do both at the same time?
Hi
Hi colleagues, I'm doing the exercise https://academy.hackthebox.com/module/113/section/1209
but I'm running drupalgeddon3.py and I have the admin cookie, which has the privileges to delete and add nodes, but I don't get the rce
- python3 drupalgeddon3.py http://drupal-qa.inlanefreight.local/ "SESS7480629f2a60f8ea10a4824d0c05b9ed=pUnAAe4roFEl0BHBsDh5v_JsG2GUj1VU3K8q1eydhHU" 2 "whoami"
@proud pine i redeem gift card but how do i use the balance now
Contact site support for help with the site.
Can someone help me with parameters logic bugs unexpected input
Password Attacks?
You are given a name and a likely password. What tool can you use with the name that was taught in the module? What can you do next?
Oh yeah! Stay focused, you got this!
You don't need this. You need the tool that will generate potential usernames out of a name.
Review the module: Attacking Active Directory and NTDS.dit
the tool you need is in there
you bet! best of luck to you 🙂
The cheat sheet has it too, don't sleep on the cheat sheet
i forgot those exist too haha, thanks for the reminder!
someone who wants to help me, I need it, because I don't know what else to do, I'm in the password attacks section specifically already in the last Skills Assessment module Has anyone finished it? Does anyone know how to complete this module? write me by private message
Just ask your question clearly in this channel and people will see if they can answer it or not.
please do not share spoilers of modules above tier 0 :)
Have you looked at the most likely files that have credentials, but have nothing, no way to download them all, and then search within them if you have any keywords? since when you cat to some of those files, they look very bad, they look weird, I have to open them one by one with freeoffice
Generally on a windows system, the files most likely to contain passwords or password hashes are the SAM and SYSTEM files and you use secretsdump to view them.
not a request for help yet, but just a comment. I should have listened when the module said to start the target and then read the section for this specific AD module. I'm on AD Enumeration and Attacks module.
I am doing the section I'm on tho its been a few days since I last did HTB
past couple days have been trying to get a job
I might have a desktop technician job soon
I don't have access to the remote system, I only have access to the smb, thank friend
Are you sure? Whenever you find credentials it's good to try them against every running service on the target.
Can someone please dm me the root flag for nibbles privilege escalation pen tester path? I found the root flag but as I went to screen shot it I accidentally reset my pwn box and nearly drove myself crazy trying to go through the process again. For everyone else out there starting the path I highly recommend just setting up your own VM.
Why is my target unreachable? The ping said that too
no one is gonna dm you the flag; it's potentially sus just asking for the flag. I suggest just going through the process and getting it again
are you connected to the vpn?
Yes
also not all targets might be able to be pinged/respond to ICMP echo requests
Okay.
Sometimes I get this issue too, try to connect to VPN again or change VPN server
anyone able to help me understand proxy chains within the password attacks skills assessment? i've setup my proxychain, but unsure where to go now
I tried the pwnbox on the website it does respond but not to me even tho im using the parrot htb os
It was just working yesterday too
Damn am i not supposed to update the packages
Can someone help me w/ something?
I use this website called cheaters.fun and I also use VSCode. I copy and paste the load string, but that doesn’t work. Can someone help?
Can I DM anyone for a nudge in the Password Attacks Skill Assessment?
bumping this too, stuck on pivoting
Damn i was using the starting point vpn instead of the academy no wonder it cant ping
See if you can research dynamic port forwarding with SSH and get something working.
Yeah you can DM.
the new update passwords attack improves the quality of lessons effectively, hope more updates
I've done the same thing before 😄
How slowly nmap runs through proxychains and openvpn (like 0.1% per minute, literally) makes me feel like i have no shot at the CPTS exam, practically speaking.
you can always try ligolo
Like i want to pivot but i can't even do a basic nmap scan through proxychains without waiting 3 hours
but proxychains shouldnt be that slow in my experience
Yeah idk what the issue is
have you tried running with sudo and -sT?
Yep, and also tried cranking it with -T5 and upping min parallelism, no dns resolution, still snails pace impractically slow
I've had this issue on several boxes now. Not always but i worry it'll happen in the exam
Like it was literally faster to just bruteforce guess which services were gunna be active on the target host on default ports than wait for nmap to scan even top 100.
yeah thats why a lot chose ligolo going into the exam
Guys, I'm stuck on the attacking enterprise networks module, I'm on the last question, obtain the ntlmv2 password hash for mpalledorous, but the inveigh doesn't capture anything, i already tried with .exe and .ps1 versions
I'll double check that my hypervisor isn't throttling bandwidth on my VM
are you running as admin
I'll also try going from my bare metal kali lappy and if i have any better luck that way. Could just be VM jank
Yep, on the .50
Im having an issue with the module "Password Attacks: Remote Password Attacks" issue with the rdp question. no matter what i do, im having severe connection issues when trying to bruteforce the creds with the given lists
And i already tried a solution from a guy here 6 months ago, but it still doesn't work
Virtual hosting, i'm running gobuster without errors but my results are coming up empty and even the output file is empty, i've tried different word lists, slowing down the scan, speeding it up, and using the wildcard (which i feel gives me a bunch of BS) what am i doing wrong?
nvm, i think i might have found what i was doing wrong
what is the Windows machine's address that I need to connect to for Windows Attack & Defense - Skills Assessment?
Try looking in the "Overview and Lab Environment" section
I see, thanks
i take it back, i think i'm still doing it wrong
Best to say the module name along with the section. Also providing the error may be beneficial as there could be a million different errors you're getting.
Virtual hosting, i'm running gobuster without errors but my results are coming up empty and even the output file is empty, i've tried different word lists, slowing down the scan, speeding it up, and using the wildcard (which i feel gives me a bunch of BS) what am i doing wrong?
Virtual hosting is not a module
information gathering web edition - virtual hosts
did you add the hostname to your /etc/hosts file?
Do you have the append domain flag?
yes
what host file? gobuster is just asking for the target IP and a wordlist
That's probably your problem, although I haven't done that module since the update. You need to add the domain to /etc/hosts, if you look at the example gobuster command provided they are using the hostname not the IP.
I do see they also have one example with the IP and appending the domain, but yeah idk I didn't do it after the update. Maybe try the other way they show.
also make sure you're using the correct port.
i'm using what HTB gives me as a target
You cant enumerate for vhosts using an IP you need the target's domain
This is all explained in that section (maybe in the previous one, cant exactly recall)
@magic mango its specified that you need to put the ip and the domain into your hosts file (/etc/hosts)
i'm just gonna go put my foot in my mouth
no need really, you can just explain the issue
when copy-pasting the certificate obtained using the previous steps, then pasting it into Rubeus on the target Windows machine, it just says KRB-ERROR (16): KDC_ERR_PADATA_TYPE_NOSUPP
Skills Assessment module
ok I think I know why
ok yeah it still fails, not sure why
Hey guys I’m currently doing the JavaScript Deobfuscation Module and I’m seem to be stuck for this question
Repeat what you learned in this section, and you should find a secret flag, what is it ?
Answer : HTB{1_4……0r!}
I did decode it and got the flag but it does not seem to accept the answer. Is there any issues with the question or what am I missing out
make sure to include the HTB part and the brackets, but it sounds like you got it. maybe manually type it make sure there are no whitespaces
Tried it as well, does not seem to work 🥲
hi
hi bro
Hey
hey bro where are you from
bro my general chat not opening
Read the message instead of only a few words.
done reading? check out modules show
Alright got it man, it’s working now.
Struggling on pivoting through networks on password cracking module on skills assessment
There's a set of three instructions
I need help with the passwords module skills assessment section, i found the ssh credentials just pivoting around the network is the harder bit for me rn
when restarting the skills assessment for Windows Attack & Defense, I got a "Trust relationship" error when trying to logon
Give it more time to boot
Usually need to restart it again to fix that
or that
takes 3~5 mins for environments to fully spawn
its been 20min tho 
yeah restart the target then
i haven't redone this section
Before or after you connected?
oof ok
Oh, may we do it together?
no
20min since I connected to the Kali jumphost
i don't do content with other people
yeah I'll restart the VM
Ah. Yeah that module is always a doozy. Dw. The boxes are a little finicky but if you stick to the lab instructions when accessing the local domain machines once you connect to your initial host you have creds for (should be Bob with slavi123 or something like that if I remember) you'll be moving like butter!
if you do echo -n 'flag_here' | md5sum what is the result (only share the result, not the command, as that would contain the flag)
694d8832765cae433777b347b4ac4b7b - should be the result @viral raven if it doesn't match that, then you're missing something
alright, I'll try again later
time to take a nap while I wait for it to fully boot 
this is the way
Hey, may you help me with password cracking skills assessment?
don't keep asking in this way
What could i do? I'm struggling really badly
i got the ssh creds, but pivoting im not sure what the move is
Hi there! I think there might be an issue with the "Attacking WPA/WPA2 Wi-Fi Networks" Module on Page "Reconnaissance and Bruteforce". Is someone available to check whether i'm being stupid or whether there's a legit issue?
Edit: The issue is that sending the brute force request results in the following TimeOut errors when the -vv flag is used:
[+] Associated with D8:D6:3D:EB:29:D5 (ESSID: HackTheWireless)
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
Thanks!
just have patience and someone may help @young gale
Alright
generally proxychains [command] to go through proxy
yeah did this but issue is i dont rly know what else i can try
i suggest posting possible module errors in #1234357888114364508
Thanks! Will do
I was retaking the AD Skills Assessment 2 and when I ran mimikatz as system on SQL01 host, it returned the wrong Administrator NTLM Hash. I had to reuse the hash I found during my first attempt at this lab and worked.
Does anyone know why mimikatz would return an NTLM hash that doesn’t work?
It would only work if that local admin password was being reused on other hosts.
try a different vpn region
Ah I think i misinterpreted what was being said.
Thanks. Will try that out.
minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-06-25 22:54:21,624 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
Traceback (most recent call last):
File "/opt/PKINITtools/gettgtpkinit.py", line 349, in <module>
main()
File "/opt/PKINITtools/gettgtpkinit.py", line 345, in main
amain(args)
File "/opt/PKINITtools/gettgtpkinit.py", line 315, in amain
res = sock.sendrecv(req)
File "/usr/local/lib/python3.9/dist-packages/minikerberos-0.2.20-py3.9.egg/minikerberos/network/clientsocket.py", line 87, in sendrecv
minikerberos.protocol.errors.KerberosError: Error Name: KDC_ERR_PADATA_TYPE_NOSUPP Detail: "KDC has no support for PADATA type (pre-authentication
Getting this error on BleedingEdge section in AD module of CPTS path.
This is while requesting TGT using gettgtpkinit.py with base64 certificate received.
Can you send your full command, removing any spoilers?
python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$ -pfx-base64 <place_holder> = dc01.ccache
might wanna specify dc ip
still same error
can you show the entry for inlanefreight.local and its DC in your /etc/hosts file?
For your reference this article shows the correct order:
https://notes.benheater.com/link/441#bkmrk-option-b)-hosts-file
Looks like you got too many entries 😅 you should do:
<ip> <dc FQDN> <FQDN>
still no
what tool did you use to get the pfx?
Maybe try escaping the $ character at the end of the machine name
e.g.
ACADEMY-EA-DC01\$
yeah tried that as well 😄
welp, time to get a new pfx I guess 😅
🥲
any idea why it's working in the pwnbox but not in the VM ?
VPN connection is good i don't have any idea
module "Getting Started" - section ''public exploits"
i can ping the machine ,
enumerate it
You can't use both pwnbox and vpn at the same time
Should be working, try prefixing the IP:Port with http://
Also you don't need the VPN cos it's a public IP
i got it now why you said it lmao feeling dumb now haha
Public IP, no VPN required 
oh lol you got it
i tried all of the lol
terminated the pwnbox , killed the vpn connection and used http
still it's mad for some reason
working from my pc
the fact it worked on my windows but not in the VM is funny
it worked 
yes
also don't use tun0 in your curl, tun0 is for the VPN IP which can't reach it
yeah idk then. really should work it sounds like. are you using bridge mode, nat, something else?
bridge mode
thx for help i will try again ❤️
that may be why. i'm using NAT.
it may seem stupid but should i put it in /etc/hosts ?
Windows PrivESC (Miscellaneous Techniques) is way tooo easy should be changed (my opinion)
ok more troubleshooting and i will come later
and yea NAT doesn't work either
Welp, in the mean time if you want to continue you could just do it from the pwnbox.
pwnbox for some reason full it's 38gig of 40 idk why
remove the .iso file/change boot order
i tried but i really don't know there that is or how to do it
in vm settings
how can i access pwnbox vm settings ?"HTB pwnbox"
pwnbox you can't access the settings sorry i thought you meant your own vm
pwnbox settings can't be changed or adjusted aside from spawn region and vpn region
@snow mirage oh yeah restarting and waiting 20min did help, now the ticket is imported successfully
thanks 
np , thx for help
for Intro to Malware Analysis: Debugging module, is it normal that once you click run, the executable gets stuck on the EntryPoint and doesnt proceed further?
also according to the module, it says notepad.exe should've been opened, but I dont see the program launched
Hi Guys,
someone know why this command not working? its Freeze ...
mysql -u robin -probin -h 10.129.89.192
MYSQL module
I don't think there's a MYSQL module, did you mean: Attacking Common Services module - sql section?
got it working, apparently it might take a while for the program to finish running, especially if your RDP session is slow as molasses (Asia problems ;-; )
this path i mean - https://academy.hackthebox.com/module/112/section/1238
Ohh footprinting module mysql section
yeah dude
3306 port is open on HTB and have ping there, i cant to figured out the issue
if you did it without the password you'd find an ssl error which you can fix by using the --skip-ssl flag
0xWILD you are champ! its worked :))) many thanks!
guys in password attack skills assessment we are given betty jayde's password do we have to figure out the username?
first
Sharing accounts is against ToS
this is from the mysql section in footprinting
ah it was cleared up 
gotta love when my brain isn't fully functional yet
Seriously with all the content within the modules how do you remember which one it was from specifically? 
i recently helped a client with it 
my mind also happens to be a vault sometimes (never anything actually important)
Do you also teach methodology or just help with the modules?
methodology; i engage with the socratic method of teaching. Asking questions to help engage the student with understanding how to link concepts together
i.e. "what does this tell you?" when looking at scan results or important text files
Hey are you a good hacker is aura.com good for hackers
wdym "good for hackers?" it's just basically an anti-phishing tool
Like the vpn or does it track stuff
That you do
no idea what it does i never looked too deep into it; but also that's completely unrelated to this channel
i suggest reading #welcome to see what this server is about
Ok
I am stuck at Skill Assessment in Password Attacks. Need help for nudge
DM
Is this statement correct?
i have been struggling with getting the admin password for question in passwords attacks module on the credentials hunting in network shares
can anyone give me a clue on this
yes, the PHK is what fingerprints the server;
Say you always ssh to somewebsite.com and suddenly that signature changes because some malicious actor somewhere in the DNS chain changed the resolution of somewebsite.com to their own website, they can't fake that signature and you'd be prompted with it. Likewise (and this is often the case when you do and redo enough modules) you'll get a message that says "oh this host already exists in your .ssh/hosts file" or something along those lines.
like how browsers will generally alert you when there's a certificate error or mismatch when browsing websites, "hey this information doesn't match what is stored, are you sure you want to continue?"
Hi everyone,
does someone know in Module "Dynamic Port Forwarding with SSH and SOCKS Tunneling" Pivoting Tunneling and port forwarding how to make nmap scan the RDP port in the machine and not return "filtered". I can connect via RDP and proxychains, but nmap does not say its open, just filtered: I used this for example: -v -Pn -sT -p 3389
It can be a lot of things. Try it with sudo and comment out the proxy_dns line in /etc/proxychains.conf and see if it works after.
Ah for some reason with sudo it works. Did not try that didn't think anything would need sudo here, but apparently yes
Thanks dude
but the image says the client sends a public host key to server, shouldn't it be opposite as server host key is compared by client to well_known hosts file?
it's both ways
server needs to know that you exist, and are who you say you are (say if there's some additional filtering in place)
if you feel that this is a problem with the reading though feel free to submit over in #1234357888114364508
This is an English only server
You are correct, I will change it now.
Hey all, is there anyone I can DM for a sanity check on AI Red Teamer - LLM Output Attacks Skill Assessment? I have an idea of what I am attempting to do as I have gone through module material ideas, but no jackpot yet.
Probably ligolo-ng is the most used alternative right now, chisel too.
Correct you do. Same for chisel.
Hi
For pivoting you'll most likely need to transfer an agent to work unless you know enough ssh and ssh is installed on the target and pivot box and you have root access on the pivot box to create tunnel interfaces, but that's getting too complicated.
It's all up to preference and the scenario, they both can do port forwarding and socks proxy
Hi everyone, I'm still stuck at the firewall and IDS/IPS Evasion- Hard lab
@upper haven can you write me in private? i think that your module is broken https://academy.hackthebox.com/module/details/307
yep, you want an agent on the network where you want to pivot to.
I'd probably just transfer nmap over to the machine connected to the internal network
Then yeah you'd need either chisel+proxychains, or MSF, or ligolo to pivot to that internal network
that's not how that internal range works for 172
at least use the proper range lol
it's just as bad as hollywood using 274.295.499.231
i don't need the snark.
very funny
i mean it's still not an internal range, but at this point it'd just be passive aggressive back and forth
It is, you put 170.16.10.0/24
ngl didn't read the ips the first time just assumed they were right 
if you had a server on that IP it'd be public so the whole pivoting thing wouldn't apply
technically the cidr for the 172.x.x.x is 172.15.0.0/16 from the range 172.15.0.0 -> 172.32.255.255 if i'm remembering correctly
it's either 172.32 or 172.31
it's a narrow range ik that
ye you wouldn't need a pivot on a public IP
and tbh, i probably wouldn't have given a second thought to the 172 start tbh "eh close enough" kinda thing
but in all reality that 172 private range is just one of the more weird ones to remember
i'm just needlessly pedantic at times
169.254.0.0/16 (technically LLA but still private)
just don't want to confuse others that stumble into and read this
oh yeah APIPA
if you ever see APIPA on your network: you fucked up
anyway i think i derailed the chat enough for now, i need breakfast... or at least to wake up a bit more
Hi all, just started the Lateral Movement section within Attacking Enterprise Networks - https://academy.hackthebox.com/module/163/section/1549. What is the username and password for bloodhound? neo4j is not working
neo4j:neo4j
Thank you, i've tried that already and it does not work
you should really be doing AEN blind for the most part; not reading the module or questions
Ah my bad! there was a space after the username
That set of credentials work for the bloodhound ui
Got it thank you!
Okay noted, I'll follow the guide and then tackle it again on my own. Cheers @fathom pendant
well... following the guide defeats the purpose of doing it blind. If you're doing the CPTS path, the path gives you all the tools to be able to do this without reading the guide
If I may recommend, Rustscan if you wanted to drag an executable to a pivot machine https://github.com/bee-san/RustScan
I prefer nmap cos it's familiar and I already have the static binary in my tools folder
fair
Find additional information about the specific share we found previously and submit the customized version of that specific share as the answer.
what is this question asking .. and what does this mean when it says customized version
yo im learning web security and trying to find vulnerabilities and tryin to find admin panel but im stuck at a step for hours can anyone help pls
this is the best
I'm not doing a module from any platform — I'm practicing on a real site (not behind login) just for educational purposes. I'm currently trying to find the admin panel (admin hunting)
i'm assuming this is the SMB section from Footprinting? there's a few things you can do to figure out the customized version of a share, rpc might be helpful -- you will need to make some leaps in logic in order to connect the dots
then at what channel should i go
do you have permission to test this?
if not - you're up to illegal activities - no place for that in this server
It’s a free practice site made for learning web security totally legal and safe to test on... i cant chat on general chat i dont know why
What is the NTLM hash of NEXURA\Administrator?
Skills Assessment - Password Attacks
I found credentials, conducting pivoting now i cannot connect to RDP for some reason, does anyone know if i should try nmaping the environment?
only tcp/53 exists
You might have to rdp from inside the local network itself. If its not working, you may have to reset the box
Rdp inside an rdp
Actually, when i did do that it says if i want to accept the certificate through the pivot environment. then it just never worked
i resetted the machine and it's doing the same thing again
are you using the windows rdp or the attack box rdp?
wait can i send u the ss i took in dms?
- I started ssh -D 9050 (this port is in the proxychain config) then i gave it's IP and user and signed in.
- performed a ping sweep in the environment to see what other network interfaces i can access to pivot to
64 bytes from 172.16.119.11: icmp_seq=1 ttl=128 time=2.18 ms
64 bytes from 172.16.119.13: icmp_seq=1 ttl=64 time=0.016 ms
- I then tried xfreerdp with proxychains on the attacker machine above was in the internal network
- then it didn't decide to work when i wanted to accept the cert to auth to the RDP
Wait thats weird i tried to jump into the JUMP01, and it said the cert thing..
can anyone help with win priv esk skills assess 1
-s reads from stdin
Maybe some hosts do not reply to pings
: is a function call
im coming back to it later my head hurts im not sure why it's not giving me the rdp pivot
I know that. But why is it used?
anyone have a hint on where to go after hwilliam in Passwords Attacks assessment? i checked his desktop and smb shares but didnt find anything
It looks like it's doing the shellshock vuln
It's not necessary for the shellshock vuln that's why it confused me
I doubt it's there for no reason
Also module is above tier 0, so spoilers
Hello everyone!
I decided to refresh some memories after passing CPTS, I open one of the modules and start the virtual machine. And the virtual machine does not correspond to what is written in the module. In this case, the user should have SeDebugPrivilege rights, but for some reason it do not. The module is dedicated to the method of increasing privileges via SeDebugPrivilege, I start the virtual machine at the end of the module.
https://academy.hackthebox.com/module/67/section/631
What should I do?
pivot and spray those credentials across multiple protocols of all hosts and see if something sticks.
hey jarvis
hello everyone,
Do you recommend finishing networking first and then moving on to Linux fundamentals, or is it possible to do both at the same time?
i mean you can't do 2 modules at once, generally, but i suggest focusing on one topic at a time
i am stuck in this question from Infiltrating Unix/Linux , Shells & Payloads ... the question is : Exploit the target and find the hostname of the router in the devicedetails directory at the root of the file system.
metasploit shows these
hey))
break the question down into its components:
exploit the target
find the hostname of the router in a specific directory at the filesystem root
also: you can't share images since your account isn't linked
did you get it ?
I am facing problem in password attack skill assessment, I am going crazy 😧
Any tips on HTTP Response Splitting works on the use but nothing with the admin, the key steps are there 1. no location 2. header 3. script tried all kind of encoding https://academy.hackthebox.com/module/191/section/2056
Any tips appreciated
I don't have credentials I don't able to pivot
Please help, since 4 days i am trying
well the starting thing is connecting to an existing proxy server
so you pivot through that
Ya i connected to DMZ01
and there may or may not be open SMB shares 😉
Ya 1 internal IP has open smb shares
You think I understood what you want to teach me ?
😉
well i wasn't aware of which specific point you're at. but open shares means you gotta dig around for creds
Hello. For "Firewall and IDS/IPS Evasion - Hard Lab" I ran nmap -sS -sV .... --source-port 53... etc and it found the open port in question. Then I tried to apply what I learned in the lecture and run netcat to attempt to login using source port 53. That port was "occupied" on the local_host by dnsmasq. I proceeded to kill that process, reran the netcat and got the flag. The question is why did nmap work using source port 53 while netcat did not?
because nmap doesn't actually use the port; the reason you need sudo for specifying source-port is actually because it requires raw packet editing; nmap writes the raw packet to say "yeah source is 53" if i remember correctly
OK. That would make sense. Thank you - I will try to read up on that specifically.
did you make sure to set content type?
I went crazy, set the content-type, added the cookie, added the content security header for unsafe inline, added a <!-- at the end to comment out any extra html
Does anyone know in DACL attacks2 logon scripts module are the users supposed to login automatically for the exercise questions. ive found the attack path and added the logonscript but it says the target user has not logged in at all ?
the solution I have written down just sets content type and then does the standard html and script tags
Yes it should be automated.
looks like its not working for some reason
Did you use the correct path that is mentioned in the question?
You can also DM to avoid spoiling.
Hi, I am having an issue with the flag I gained through the ncdu exploit from Linux Privilege Escalation: Environment Enumeration. When trying to submit the flag from /root/flag.txt I always get "Incorrect Answer". Tried to refresh, logout and login again, restarted the lab and the target as well. Any ideas what I could do? I mean it sure won't be another flag in a different directory right?
That's not the correct flag that I am aware of, unless the section changed. The section is Enumeration so an exploit likely isn't necessary.
yeah this section isn't about exploiting anything
just looking for potential flags in a file on the system. (may not be a .txt file)
Got it, thanks
Tapping Into ETW
Practical Exercise
I am currently doing this module, made it onto the practical part, did everything correctly but when i go to the etw.json file and look for ManagedInteropMethodName using ctrl F, the closest I get to the answer is TdhGetEventMapInformation or TdhGetEventInformation. I even tried redoing the SILKEtw and it still did not work. Im not sure what i did wrong? If anyone able to help, DM me or @ me please
Hey boss I tried everything smb is open but i not have username and nor have password how I bruteforce ? 😞😞😞😞😞😞
I am mad !
did you try every method aside from bruteforce?
Ya i tried what I learnt but many method very slow, then also I tried
Please help me it's my 4 hour
did you try blanks?
For blanks I want username
To try with blank password
why do you need a username to try with a blank password?
Did you update your hosts file?
hmm with the dc01 ip or the another?, do yo u have an example?
Also refrain from posting content above Tier 0.
In your command you had @STUFF.STUFF.local is that in your hosts file?
Hello,
Guys, I need help with getting OneDrive password for mcharles. I dont really understand what is going on there,
How I can run cmd as admin?
I am not having any progress after loggin in as rdp......
Follow what is covered in the section.
I am trying,, the section was moving as sadams user but used mimikatz.exe as admin. i am wondering how he was able to get admin access.
Thanks let me check
Follow the module 😅
All of this was also explained in module, but I find above share method to be more practical and easy
please don't share spoilers for modules above t0 :)))
mimikatz doesn't run as advertised in the section it requires diving into UAC bypass techniques (though lazagne works)
i am sorry if i did something wrong, thank you for the direction
Ah, I simply spun it up and used LaZagne when it was updated. Guessing it isn't covered in that section?
the examples show just running Mimikatz right out the gate (but the user(s) don't have the appropriate privileges to run the mimikatz command)
Well then I stand corrected, thanks! Time to spin it up and go through the section content so I can give some better advice.
the hint mentions UAC bypass (and that's generally for mimikatz, lazagne works just fine)
Hi all, I have a question concerning the Active Directory Enumeration & Attacks - Privileged Access: I can't get SQLAdmin code execution to work for PowerUpSQL.ps1. Happy to provide more details in DMs, but don't want to spoiler anything. Did anyone got it to work and can share their approach?
I somewhat getting, please last give me tool name or first 3 alphabet of tool, which I use while dynamically forwarded my traffic to DMZ01
Please one more !
no more
you should have all the tools and info to get through this on your own
I am using smbclient
and that'll work for connecting to smb
proxychains is gonna be the tool to use through this type of proxy
do \\\\ip\\ instead
i think proxychains breaks some stuff
also learn how to take proper screenshots/rotate images
breaking my neck trying to read that
Sorry boss 😔
BTW I also tried with //// but it says connection refused ! 😕
i'm already judging you for running around your system as root shell ¯_(ツ)_/¯
but also maybe that's not the only system in the subnet that has smb enabled
nxc is a decent tool for mass enumeration as well
Ohh let me check 😅
actually taking a look at it more
did you search for a keyword on the file system as the initial user?
Try it with -N -L, I remember arrangements of arguments causing issues in smbclient
i may have been mistaken, it's hot and my brain is more scrambled than a Denny's Grand Slam
Can anyone help with win priv esc skills assessment
It works fine with //ip/share, at least latest version do
It says smb not available but port 139 is open
Still stuck
LLM output is interesting to play with
Send me a dm
Just a gentle reminder. If you see that someone was given permission to dm someone for some help with a module, that doesn’t give you the permission as well. Always ask for permission before DM’ing someone. #rules
Is somebody able to help me with DNS? I’m in the Footprinting module and the last question it wants is the FQDN with a last octet being .203
I’ve been running wordlists from seclists/Discovery/DNS
And been finding absolutely no hits and I’m lost afff
You need small lists. Lists with 5000 entries or more are too large
So I should just wc whatever’s in the DNS folder and run those?
And I’ll rephrase from I’m not getting the hit I need, I keep getting the same other 3 that keep getting hits but they’re not my task
i think there might be something wrong with the badges system - see: https://academy.hackthebox.com/achievement/badge/dfa35f21-52ae-11f0-bcfd-bea50ffe6cb4
I believe there is no badge image for that module yet
hi anyone knows the reason for this in pass the certificate section , new password module └─$ impacket-secretsdump -k -no-pass -dc-ip 10.129.75.174 -just-dc-user Administrator 'inlanefreight.local/DC01$'@dc01.inlanefreight.local
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] 'NoneType' object has no attribute 'getRemoteHost'
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...
/etc/hosts and /etc/krb5.conf configured correctly? imported ticket using KRB5CCNAME?
new modules generally don't have badges immediately give it a few days/weeks
did it thanks i forgot /etc/hosts
and user counting tasks runs only once per hour? :D
like i said give it a few days; this is typical of new modules lol
After going back and forth; i like the new Password Attacks skill assessment and looking at the solution-- kudos to the writers for using ligolo
though i did find a minor typo in the official solution 
for The Live Engagement in shells & payload am i meant to have a browser in the RDP? I see webservers running on multiple of the IP's but firefox or chromium isnt on the rdp and my only option seems to be curling
firefox in the terminal
:)
yeah, this is a bad habit to be in to run around the system as root
you rarely need to be running around as root
ah, i entered as root cause i was testing perms i wasnt really thinking about it
worked, thanks!
yeah; root tends to mess things up 
how do I get burp suite chrome to not connect to https?
I'm explicitly typing "http://xss.htb.net" and chrome is forcing it to go to https
it connects to https because it's sending it through burp proxy which uses an ssl cert
though i don't generally use the burp browser
I'm not having the issue on another window open
there's probably some other setting i'm forgetting about for chrome
TEAR IT DOWN AND START AGAIN!
@fathom pendant you're probably right in that it's something on my end. I'm restarting burp.
i generally just use firefox and foxyproxy with burpsuite
I'll look into that.
well i should say i have foxyproxy set to use 127.0.0.1:8080 since that's what port burpsuite uses; you'll also need to install the burp CA -- you can find instructions in the using proxies module and on the burp website
ive been struggling on the upload host for a minute, i see that theres a .zip/tar.gz upload, but i cant install foxyproxy as an extension and burpsuite browser keeps saying google.com isnt valid
I'm assuming its meant to be a aspx upload and changing the file extension through burp
Nvm, i got access through the hint using tomcat
is there anyone can help me for this question:
Download additional_samples.zip from this module's resources (available at the upper right corner) and transfer the .zip file to this section's target. Unzip additional_samples.zip (password: infected) and use IDA to analyze orange.exe. Enter the name of the function that is holding the name of the file intrenat.exe that orange.exe drops as your answer. Answer format: sub_4XXXX3
Module "Introduction to Malware Analysis" in "Code Analysis" section Q2
Brute-force vhosts on the target system. What is the full subdomain that is prefixed with "web"? Answer using the full domain, e.g. "x.inlanefreight.htb"
I enumerated the vhosts with ffuf and found a lot of domains prefixed with web and none of them worked.
Also can't you just guess that the answer is "web.inlanefreight.htb" or am i completely missing the point of this ?
Not a question. I have been using academy for over 2 years and it's incredible how bad VPNs and connections are working right now. It's annoying for a paid service to work like this.
Did you try switching your server?
have you reached out to support to troubleshoot your VPN connection
Yes, the complaint comes because in the past few months I've noted it getting worse, constantly having to switch servers and lose everything you've uploaded to the target is frustrating. The problem is mainly with Windows hosts
Yeah, then I would follow dpgg's advice to reach out to support.
Hey everyone! 👋 I’m working on one of the HTB Academy web server exercises. I’ve uploaded a PHP reverse shell (with the correct public IP and port pointing to my external VPS), and I have Netcat listening — but I’m not getting any connection at all.
I’ve tested different ports (80, 443, 4444), disabled the VPS firewall, and even confirmed from another machine that the listener is reachable. Everything seems to be set up correctly.
Is it possible that the Academy web servers are blocking outbound connections entirely? Just trying to confirm whether it’s a setup issue on my side or a restriction on the lab environment. Thanks in advance!
good evening guys, there is someone who completed the password attack skill assessment that can help me a little?
Thanks!
Assuming you've port forwarded correctly?
idk I just use Ligolo-ng, I never mess about with any other tools if Ligolo-ng can do it.
same error with secretsdump.exe
I keep having issues with Windows Lateral Movement Winrm - Connect to DC01 as Leonvqz and read the flag located at C:\Users\Leonvqz\Desktop\flag.txt and for whatever reason DC01 wont budge, as anything. Basically, the PSession will not be able to connect back to further hosts because of the double hop problem. But the workaround that the module suggests simply does not want to work for me. I've already tried importing the ticket inside my session for Rubeus but other than that I have had no success in getting another session into DC01. If anyone can help me, i'd really appreciate it
Here's the module for your reference
Also what does it mean by further authentication?
Hello guys, i'm currently doing Skills Assessment - Password Attacks
I'm stuck now, i got rdp access to JUMP server, that's it. I'm unable to find a way?
can any one help?
https://academy.hackthebox.com/module/147/section/1356
send PM i just completed that one ^
You have to resolve the domain controller's ip address to its hostname in the hosts file.
Anyone got any hints for the LLM Output Attacks Skills assessment? the LLMPic's one
sharing is caring 😉 this is assuming the h* user
I don't mind helping just shoot me a pm. I just don't want to clutter here
My response was a hint, not asking for a nudge
oop lol see this is why im quiet haha
Yep, i try having creative hints
Keep helping, we all make mistakes. 🙂
Which vpn?
what is going on? error?
I thought you were talking about the HTB vpn's
did u start any assessment?
I solve it 1 day later
i used tor ....
they give vpns at end of exercises
this question isnt for a HTB vpn so this is a room for module questions not any questions
nah you're good, you were looking to be helpful -- can't be mad at that :D
you don't need to use tor, or you shouldn't have to
it seems like some firewall rules somehow in your vm that aren't in your host OS if you had to use an external vpn service to attack a public ip and port
@candid vine refrain from sharing passwords from the module; as i believe most of the passwords in that module you had to at least do some effort to dig/uncover first
Ur always here 🙄

worked now
for the Introduction to Digital Forensics - Skills Assessment, where did you guys get the memory dump for analysis?
Hello, would anyone be able to provide a nudge for the Password Attacks: Skill Assessment? I'm stuck in JUMP01. Thanks!
if you're on the h* user; shares are useful
I see! Let me take a closer look! Thank you
as a note; once you get the shares thing down (nxc is a great tool) don't forget to enumerate the desktop if possible :)
i think it has smth with proxy but i tried all of the options
how do you format base64 characters to a single line?
i tried cat base64.txt | tr -d '\n\r' but no
Also, base64 -w 0 base64.txt (but this converts the text file to base64 format and not into a single line output)
why do you need to remove the newlines from the b64? what module is this for?
python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$ -pfx-base64 MIIStQIBAzCCEn8GCSqGSI...SNIP...CKBdGmY= dc01.ccache
AD module
bleeding edge vuln section for requesting TGT
it seems like for w/e reason you got a b64 instead of a pfx, but why not (instead) look for a way to convert the base64 to a .pfx
likely due to impacket versioning differences, 0.12.0 saves it as a .pfx file usually not the b64
yeah i thought so I really thought I was doing something dumb. thanks
is it okay if I send you a dm?
another method is using the -pfx-base64 $(cat base64.txt) ...(rest of command)
about?
the shares for Password Attacks: Skills Assessment
How can i be great hacker…writing my own codes
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
gotta start with the basics
Nothing like remoting into a machine only to remote to another machine. 
What are the basis?
you might need to SNAFF around for info
basics as in: learn how the operating system or thing you want to do works
ah let me rerun that - I overlooked something last night then
it's handily labeled under {BLACK}(matched rule)(\\share\path\to\file)
Thats can cool
Can someone major on password attacks only
you need to know how password attacks are done; how protocols authenticate; how to do multithreading... etc
this is getting off-topic for this channel; i suggest reading and following instructions in #welcome to access #programming where people may be able to give you some pointers on where to start
well we can't help you if all you're doing is re-asking the question it's giving
i suggest re-reading/going over notes you may have taken on the IDS/IPS evasion reading section within the module;
didn't work. I'm guessing the base64 string is messed up like extra spaces, line-breaks/invalid padding. So, tried fixing with powershell but getting this error.
Exception calling "FromBase64String" with "1" argument(s): "Invalid length for
a Base-64 char array or string."
i have been and still cant get this version
extra lines won't mess with a b64 string
nmap may not give you all the info you need; and running those scripts really won't do what you think they're doing.
some people have said to connect to it once have found the port, tried netcat and telnet and both refused
netcat will require you to specify the source port still
yep - I clearly ignored it and ruled it out for some reason I thought it wouldn't work and forgot about it. Remembered a certain tool and...thank you 🙂
thanks for this i didnt know
yep otherwise it'll still try to use an arbitrary port...
thank you so much!
i have able to find the flag using what you have said
@pliant comet i deleted your other messages because you spoiled module info
specific ports and stuff like that would be considered a spoiler
another update
chromium worked without any problem finally
now i know you can use tor it will take really long time
or just use my hero chromium
new to HTB and learning the linux fundamentals and in my workstation i have 0/1 spawns left. was wondering if there was a way to get another without waiting for the timer to give me another other than buying a subscription?
you can buy cubes
just any amount will do?
i believe so yes
awesome! thank you
@fathom pendant completed the Skill Assessment! Thanks much for the nudge!
fqdn
Hi I need some help with Skills Assessment - Password Attack: https://academy.hackthebox.com/module/147/section/1334, appreciate if anyone could DM me.
i'll give a few general hints on the password attacks skill assessment since it's not clear what portion of the SA you're on.
- ||for foothold: username-anarchy||
- ||initial foothold: grep can be useful to search for patterns||
- ||PIVOT||
- ||h* sharing is important||
- ||check desktop||
- ||try all discovered passwords and different protocols (NXC is useful, you can put a list of the different internal hosts in a file)||
- ||b* mimimimimi||
- ||s* spray and dump||
Usernames intentionally left obscure, but you'll know when you get there, each hint is individually spoilered by step. Hopefully these are useful for you, even if vague
deleted because direct spoiler; but you can use hashcat --example-hashes and grep for a keyword to see what it may be (you can also go to the hashcat website and search the keyword)
ignoring case of course with grep, and the line that gives the hash mode is just before the line it'd be in so -B 1 is also useful with grep
mind if I DM you?
sure i'm just now getting to redoing my notes on the module fully i ran through it on a different computer that didn't have my notes earlier
speaking of toolset; i learned about nested callouts for my notes
> ![question]- "Question Here"
> Answer here
> proof here [typically screenshot]
wow nice!
Hey, who can help so that i can dm ?? pleaseee i am stuckkkk
Has anyone had problems with graphqldemo in attacking graphql ?
finally, i am able to get the admin priv, but still i am not able to find mimikatz.exe((((((
👋 General question. If I buy annual subscription, which unlocks every module to Tier3. Once subscription is done, do I keep the access to the finished modules? Or how its handled?
Can you help me with something
depends on the something
Like how to
you don't have to use mimikatz, there is a step in between where they performed a UAC bypass (not shown) to get mimikatz to run, Lazagne bakes it just fine
Why was the message deleted
you don't. You gotta wait for it to expire. We don't help with hacking discord api or anything like that
Ok
as that goes against the #rules as it's illegal
if you want to learn ethical hacking, that's what this server is for, it revolves around the ethical hacking training provided by hackthebox mostly for free; you can see #welcome for info about the server
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
dont you have to transfer that in?
file transfer is trivial with xfreerdp or other file transfer techniques
ah misread their statement
you need to transfer mimikatz.exe over; you can find the exe available on the mimikatz repo under the releases tab
Thankyouuu), do i need to use the transfer method which taught in previus sections?
was the method the xfreerdp ... /drive:linux,. ? otherwise you can start a python http server and use curl to grab the exe
let me try yours ,
i thought there is no way to transfer it since no internet with target. I know I am too badd
when there's no internet on the box you'll need to get creative
otherwise it's not file transfer, it's just downloading the file
file transfer means moving the file from one machine to another attacker ↔ target or one target ↔ another target
🫂
thanks
I am at the final skills assessments Parameter Logic Bugs - download the .zip file extracted and opened in vcode. I am able to build the image and ran the container. But the debugger does not connect. Does anyone have the same issue?
i generally suggest not getting in the habit of starting the driveshare from your current directory, rather from a predefined directory or a directory like /tmp/share (you'll have to mkdir /tmp/share)

I AM BACK AGAIN WITH NEW DOUBTS ! I DOING THIS :- Login Brute Forcing, brute force attack. its simple but it takes very long time coz of my PC is very low end i reached here but dont get anything please tell me where i got hit ? like on 5000 ? 6000 ? 3000? because my PC sucks after 5000 tries
AND BTW, yesterday's PASSWORD ATTACK MODULE is still not completed 😕 , not getting anything