#modules
What can I do? 😔 I successfully wasted 4 days on it but am not getting anything.
Most difficult module I've ever had.
an easy way is to ffuf it, /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt. Or you can even script it yourself.
If your PC freezes after 5000, could you alter the script to start from 5000 instead, @junior fjord? 🙂
Or do what Faiz said? 🙂
ya trying
Thanks Faiz, it works.
What was your issue / what section were you stuck on in PW attacks?
if it's the skill assessment, i just listed out the vague enough hints to progress here
@junior fjord try spraying the credentials across all the known hosts
you can use a list/txt file with nxc
OK, RDP and SMB, right? Any others in the list?
Well, I suggest using ligolo-ng to pivot and enumerate the whole network; proxychains is TCP only and causes issues. You can also transfer static binaries to the DMZ and avoid pivoting.
nxc <protocol here> <host_list> -u 'username' -p 'password' (additional options)
Yeah, but except for SMB and RDP, is there any other service to do stuff with?
Also nmap -Pn, because Windows avoids ping.
OK, I am trying again.
ok brother
rather than asking, do the scanning.
ligolo is goated; in the official guide the writer used ligolo for pivoting.
^
Meanwhile it's not taught anywhere in the modules 
We've given more than enough information for you to be able to find the next step, and my handy-dandy list of hints should be enough to point you in potentially right directions.
Obviously they're not direct step-by-step hints,
but enough to nudge forward in thinking.
exactly
Thank you for your pointers with this. I've now cracked Q3! Now onto Q4 🙂
i mean i'm sure it can be done with other tools
but much more pain
I'm aware, I'm the one person in my team that doesn't use ligolo 
chisel?
reverse_ssh https://github.com/NHAS/reverse_ssh
I USE SOCAT AND PROXYCHAIN
or did you just raw ssh -D ?
socat is also good
You don't need to use caps lock; I suggest focusing on the rest of the skill assessment :)
I think I messed with pwncat a bit; it's been a hot minute.
I'll be damned if I have to multi-pivot through chisel, such a pain.
the square socket goes in the round connector
also the nmap -Pn isn't needed, the PW attacks skill assessment provides you all the internal host IPs
Not sure if this is the right spot to ask, but I'm working on the Linux Fundamentals module. I'm on the section Find Files and Directories and I'm stuck on the first question:
What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?
This is the command I tried using:
find / -type f -name "*.config" -size +25k -size -28k -newermt 2020-03-03 -exec ls -al {} \; 2>/dev/null
Are you SSH'd into the target?
:)
I did SSH in.
And are you running that command in the SSH session?
I am.
take a screenshot of the terminal and dm it to me
Am I sending the screenshot in this thread?
you don't have image embed perms to send it here
That's why I asked you to DM it to me; if you want perms, there are instructions in #welcome to link your HTB account to the Discord.
DM means direct message, btw; so send it to me directly lol
How do I send the DM? I clicked on your profile picture but it won't let me paste the pic in the msg spot.
you can right click their name and click message
thank you.
I just did the link. I can put the picture here now.
ye
the command you're showing isn't the same as this command up here
When specifying size, it's important to add the size type, i.e. kilobyte, megabyte, gigabyte, etc.
Yep, if you are talking about network scanning; but when you nmap the file and jump ones, ICMP is blocked on them, I guess due to Windows Firewall, so nmap assumes they are down and does not proceed with the scan.
When I put the k after the 25, now I get nothing.
I was more referring to the fact that nmap wasn't required for this.
the assessment provides you a list of hosts
not all config files are named .config
but you have to port scan the hosts 😅
sometimes they're named something.conf or .cfg
not really, you can kinda just throw nxc at it
Does anyone know why I get the message Request validation failed when I start a new instance of pwnbox? I've tried changing servers, logging out and back in, and using a different browser, but nothing.
spray and pray with protocols
nice methodology
Log out; Ctrl+Shift+R to clear cache, then try logging in.
if that doesn't work you'll need to reach out to htb support
Need some help? Learn how to reach the support team on Academy.
I got it. Thank you for the help. I forgot to check *.conf. lol. Probably shouldn't do this at 3:41am. lol.
when i logged in i got this message {"error":"invalid_request","error_description":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.","hint":"Device ID is not set"}
and it still doesn't work
you'll need to reach out to support; best guess is you have some plugin/add-on that's blocking the request
Okay ty
I turned off Wappalyzer and now it’s working ty
Can somebody help me with Password Attacks -> Attacking Windows Credential Manager? I think I did everything correctly, but still cannot find that password.
Hello guys, I'm doing Skills Assessment - Password Attacks
I got access to jump01 as admin, dumped the sam, security, security files and lsass.
What to do now, where to head from here?
thank you in advance
did you forget to runas?
nope
Did runas and UAC upgrade; with mimikatz credman I can only see one password that is not the correct one, and with cred::vault I see nothing.
What other tools can you use apart from mimikatz?
the password should be I...5
I tried meterpreter with load_kiwi credsall and kiwi_cmd and got the same results
yeah, I only see proof...!
That's still mimikatz, what other tools does the module talk about?
Well, try uploading mimikatz directly and running it in the shell as
mimikatz.exe "command1" "command2" .... exit
if you have a privileged shell at least
because you have to think, the user you have doesn't have the same credkey access (no matter how much you elevate) as the user they can impersonate (runas)
same result
maybe I can look at rundll32
I think the issue partly lies in the fact that you're trying to do stuff via meterpreter. But you're also gonna look at the wrong thing with rundll32.
I am not right now, but I also tried meterpreter before
the note just above the question segment/pwnbox spawn area
it gives another tool 😉 one that bakes pretty well without the need for UAC bypasses
But isn't it weird that mimikatz is not working? In a machine without having this question I would have thought that vault was empty
you're likely just missing a key component
LaZagne works! Still don't get why mimikatz didn't
Because I'm assuming you got the cmd running as admin before runas with <person>.
But I can't answer why it's not working the way you think/want it to.
OK, thanks anyway!
Hey, I got access to jump01
and tried my hardest to enumerate Windows.
RDP really works
I appreciate when you reply to a message completely unrelated to what you're saying.
Congrats; I was more saying that the message you replied to, regarding you telling me you got access, had nothing to do with it.
OO, means the JUMP01 machine can't give me fruitful results?
that's not what i'm saying at all
what i'm saying is Don't reply to unrelated messages
the message you replied to before had NOTHING to do with you, and was in response to a different user on a different section
ok sorry
I suggest you keep digging around don't just jump to the discord for validation. Because it comes off as you just fishing around for hints to move forward. Gotta learn how to unstick yourself or move forward on your own
Module: Attacking Common Applications
Section: Application Discovery & Enumeration
I am facing issues with EyeWitness. The hostnames are inside the /etc/hosts file and web_discovery.xml is the output I received from the nmap scan.
Does somebody know how to resolve it?
eyewitness --web -x web_discovery.xml -d inlanefreight_eyewitness
Starting Web Requests (17 Hosts)
Message: Process unexpectedly closed with status 1
Finished in 1.82088041305542 seconds
[*] No report files found to open, perhaps no hosts were successful
Please don't post the full thing; because Discord uses markdown, it floods the chat, thinking you're trying to write some lines as headers.
Without knowing where it errored at (I think EyeWitness has a verbose mode or debug mode) it's hard for us to tell you what's going on.
Okay thanks, I think it might be an arch issue because I am using Kali Linux arm64.
Try disconnecting from the VPN and trying the same thing on the Pwnbox then ¯\_(ツ)_/¯
basic troubleshooting 101
okay thank you so much 🙂
Is anyone having a problem with the EU VPN? When I ping, only one reaches and the rest don't.
have you tried changing vpn regions?
I tried changing from UK to DE and still nothing works.
So UK/DE, those are Pwnbox regions, not VPN regions.
at least if you're referring to HTB academy
Oh, you mean the ones above? I still tried changing it.
I tried the one that says recommended, which didn't work, then I tried changing to EU 6.
When you change you have to download a new one. If you're using the VPN, you shouldn't be using the Pwnbox at the same time;
that will cause problems.
I actually never noticed that the UK/DE thing is for Pwnbox only, so thank you lol
start instance != spawn target
I think I should try the UDP VPN; it's been a while since I've used it.
tcp is generally more reliable
and works better with most tools
udp is generally better if you have bad internet
so higher rates of potential packet loss
but in short: you should not be pressing this button if you're using your own vm/machine
Thank you so much. I think Pwnbox was causing the problems; I actually never knew that having them both on at the same time would cause me problems.
PING 10.129.82.71 (10.129.82.71) 56(84) bytes of data.
64 bytes from 10.129.82.71: icmp_seq=1 ttl=63 time=103 ms
64 bytes from 10.129.82.71: icmp_seq=2 ttl=63 time=86.6 ms
64 bytes from 10.129.82.71: icmp_seq=3 ttl=63 time=117 ms
64 bytes from 10.129.82.71: icmp_seq=4 ttl=63 time=86.8 ms
64 bytes from 10.129.82.71: icmp_seq=5 ttl=63 time=86.2 ms
64 bytes from 10.129.82.71: icmp_seq=6 ttl=63 time=145 ms
64 bytes from 10.129.82.71: icmp_seq=7 ttl=63 time=119 ms
Now it works
Correct, because of the magic of how the VPN works; it assigns the same IP, because it's hard-baked into the VPN pack.
I'm working on "Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer." in the "Attacking DNS" section in the "Attacking Common Services" module.
So far I'm using the subbrute tool as suggested and found 4 subdomains. I tried querying them with dig and so far nothing stands out as a flag. I've been running for ~20 min; should I expect it to take this long or am I missing something here?
Attacking DNS isn't a module, it's a section in a module
k, fixed
Any other advice? Looks like the script just errored out after finding the four subdomains, so either there's something I need to check with the script or one of these domains has the answer, though I'm not finding anything after I dig each one.
What do you mean by "error out"? The only thing you need in the resolvers.txt file is the target IP.
Yep, I put the IP there and after running for about 30 min it finally ended with
ProcessLookupError: [Errno 3] No such process
Looks like it just tried to killproc, so my guess is it's just not ending gracefully.
give me one moment to sanity check you 👍
Also make sure you're doing a zone transfer request on the subdomains you find,
not just a blank dig request, i.e. dig something.inlanefreight.htb @target_ip
Ah, this looks to be the piece I was missing here. I tried adding that and it looks like I finally returned something useful for one of the domains.
useful = the flag
thanks for the help
np
I'm so lost in the Password Attacks skills assessment. I gained access to the hw* user but I can't get past that user. I have looked into every SMB file on every share, looked through the user's desktop and I found a cred, but that cred doesn't work anywhere.
sniff for something interesting
LMAO, I was messing around with LibreOffice to open the xlsx file that's from the protected files section.
Some pretty great confidential info in there.
As a note for everyone: if you're using Pwnbox or Parrot and are having issues opening protected files, just do sudo apt install libreoffice --reinstall --fix-broken; that'll force it to fix any broken dependencies and reinstall LibreOffice. I only really figured it out because I was curious why I wasn't getting a password prompt (and therefore couldn't open files).
Find another valid user on the target GitLab instance. (Attacking Common Applications: Attacking Gitlab Section)
Guys, any help on this question? I tried xato 10 million and Names/names.txt for like 10 minutes each and nothing worked.
is there even anything in the files? I just completed the assessment but I didn't use it.
"What host is running "Microsoft SQL Server 2019 15.00.2000.00"? (IP address, not Resolved name)" Please teach me this question
AD module
Initial Enumeration of the Domain
you'll need to do some pivoting and scanning
they give you a jump host that has parrot installed to scan from
I see! I'll give it a try!
Any tips on HTTP Response Splitting? It works on the user but nothing with the admin. The key steps are there: 1. no location, 2. header, 3. script; tried all kinds of encoding. https://academy.hackthebox.com/module/191/section/2056
Any tips appreciated; all variations seem to work for the user but not the admin. Any hints on where the catch is?
Is this channel the right place to ask these questions?
Yes; the only stipulation for asking questions is that you try not to spoil module content.
Tips for not spoiling module content while expressing where you're stuck:
redacting strings with the first/second char* method, i.e. jmarston -> jm*; password123 -> pa*
If you want to sanity-check a flag, there are a few different ways I'm a fan of doing it:
echo -n 'flag_here' | md5sum on your Linux machine, which will give the MD5 hash of the flag with minimal risk of leaking it.
👍
Another way is doing HTB{ab..90} (or if the flag isn't in HTB{} format, ab..90).
It's not particularly rare for you to have the right flag/answer but it isn't accepted, then you refresh the page and it accepts.
sometimes it is a case of having an extra space or invisible character at the start/end
Hello, is anyone currently doing the Password Attacks skill assessment? I managed to obtain credentials to log in to the jump host and I was looking for assistance from there; I could help with previous steps.
the catch with this lab is that there's no writeups/forum posts about the updated version
Hey, any tips on this one if you completed it?
But there is no target to scan?
last result...from the reading 😉
Well, writeups shouldn't exist, period, as it's a tier 1 module (content guidelines).
I've done a fair bit this morning; the jump host is the h* user, yeah?
If so, sharing is caring would be the hint.
That's what always gets me man xD
The hint helped me.
Hey guys, what does grep -P do?
You have targets, and you have domain credentials of a user; you should try to enumerate and see how things go.
It's the flag for Perl RegEx
see what other services are running on the machines
I know that, I have read the man page and googled it
and if you can reuse the credentials
Some languages have minor semantic differences in how they handle regex
Perl Regex Tutorial. Discusses the Perl Regex features, provides code samples.
Thx. I will have a look at that
There's also the quick start guide that's just a good cheat-sheet
I am a beginner here; somebody please give me some course.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Yep, and I already had that user's creds. What I'm gonna do now is run nmap
Can i get some hints on this assessment?
LLM Output Attacks > Skills Assessment
https://academy.hackthebox.com/module/307/section/3597#questionsDiv
Can 0$ can some give 1 month redeem code
Hello guys, anyone know how to RDP to the Windows target? Remote/Reverse Port Forwarding with SSH: "What IP address is used on the attack host to ensure the handler is listening on all IP addresses assigned to the host? (Format: x.x.x.x)"
@fathom pendant Thx a lot man. This post was helpful
You can dm me. (To all others finding this via the search function , do not dm me, read this: #modules message)
I can't ask for someone who's good at ethical hacking?
No, this is not a hacker for hire platform
Need help! Guys, I'm stuck at task 3 of the module assessment for "Intro to Windows CLI". I've found the hostname for user2, although I cannot seem to find the flag itself. I tried searching with this command for any .txt file containing the hostname: ||where /R C:\ *.txt | findstr /i "ACADEMY-ICL11"|| Still no luck.
What should I do? Any clues?
Anyone there to help?
Ohhhh this is a hacking education platform
Need some help w/ Pivoting/Tunneling/Port Forwarding, specifically ||w/ the SocksOverRDP section. When I copy the SocksOverRDPx64.zip over to the Windows machine and extract it, the DLL inside it disappears after a few seconds and I'm unable to load the SocksOverRDP-Plugin.dll with regsvr32.exe; it fails every time and keeps saying to debug/make sure it's in the right directory, etc.|| Has anyone encountered this?
I might be the dumbest person right now! Got the answer to task 3 though! xD
All good I'm right there with ya..
Yo, just finished the Cyber Security 101 path on TryHackMe.
Wondering if I should continue on HTB and what to continue with.
I so wish you could test out of sections of the path. I'm in this awkward intermediate-but-not-senior position, meaning I know plenty about the basics and understand them very well; having to repeat them for their paths is challenging.
You will generally learn something even on the most basic modules
that’s true and I try to keep that in my mind
I haven't done that section yet. That said, if you have a password it's trivial to convert it to a hash; you can google "convert ntlm to hash" and find some online resource to do it, I'm sure.
You'll have to be patient for someone to help. As it's a skill assessment you should probably also take it to DMs. I haven't done the updated module yet.
DM
Do I need mathematics for programming and hacking, If so then what mathematics do I need? I'm totally beginner in this field so this is a question out of curiosity. Please be kind enough to answer my questions 🙏
Getting very frustrated. Idk why nmap through proxychains is taking so long (Skills Assessment on Password Attacks).
At 0.90% done after 2 minutes. Scan no more complex than -sT even. (Have tried multiple different scans at different performance settings and they all make no difference; this same sub-0.5% per minute speed no matter what.)
Have tried swapping from UDP vpn to TCP.
running -v I see a lot of these events during the scan attempt:
adjust_timeouts2: packet supposedly had rtt of 15015035 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 15015035 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 15015113 microseconds. Ignoring time.
Try transferring the nmap static binary, or you can also try rustscan
I kind of want to diagnose what the issue is here though. If this happens during exam I'm probably boned
Nmap over proxychains/tunnel is almost always temperamental.
3hr duration for an nmap scan of a single host lol
If you can just upload the binary or live off the land, that's always better
yeah but like, I'm trying to strictly follow the module
And transferring the nmap binary isn't really the kind of luxury I expect to have very often.
Depends upon what you want in the field: AI == calculus, data science == statistics, cryptography == number theory; Boolean algebra helps in low-level work; general maths is helpful in programming, but it depends.
The module expects you to be able to scan via nmap through proxychains, so that's what I'm trying to stick to. I just wish it would, ya know, work :)
I think being too strict in tool usage is not good; if something is not working, you should be flexible enough to try other things.
@faint hamlet, Boolean algebra helps in low-level work, and you said general mathematics is helpful in programming but it depends. Can you explain it in a bit more detail, please?
I fully agree, but I strongly dislike moving away from the proposed expected solution just because it isn't working, if it should work according to the module, because otherwise I don't learn what the issue is.
For the password assessment and connecting to RDP as h*, do I have to configure my krb5.conf file to connect properly through the tunnel?
This channel is for discussion of the modules on HTB Academy. For your question you'll want to ask in #programming and you'll need to read the #rules and follow the instructions in #welcome to gain access.
Help would be appreciated.
For the password assessment I have h* creds and b* creds but am stuck 😦
If you have access to shares, I would revisit the section that covers this or spend some time enumerating them.
I ran into the same exact thing so it's not just you!
I didn't once need to use nmap; I just spammed nxc and basic Windows services.
I didn't need to use nmap at all on the Password Attacks skill assessment.
Also, ligolo-ng is a great pivoting tool; it'll generally be more useful in terms of getting nmap to cooperate through a pivot than chisel/proxychains. (This is because it works at a different layer, so it allows TCP and ICMP traffic through.)
Also, nxc can be just as valuable at enumerating through proxychains.
But if you're gonna nmap through proxychains you'll need to add -Pn to the nmap command.
Did not help. Literally no combination of nmap opts made any difference to its rate for some reason. Idk why.
Why are you so bent on using nmap to try and enumerate? And what are you doing with nmap to try and enumerate would be my question.
I'm already long past it now (instead wrestling with system cannot find the path specified when trying to copy a .dit after shadow copy :) )
But I just wanted to get it to work because the module described it (and included it in its cheat sheet). So i just wanted to confirm for myself that I could get it going in a sane way, but can't.
proxychains and nmap famously get along like oil and water.
Also, the proxychains bit assumes you're using a pivoting tool that uses a SOCKS proxy/proxychains.
Best AI for pentesting?
K
AI is a tool, and why would you want to submit your critical and creative thinking to AI? I mean I get it. I use it to adjust a switch in commands here and there, but man…
This is off-topic for this channel
I'm going to ask to drop the conversation here as it's off-topic
I prefer ligolo-ng as my pivoting tool, way more user friendly
Aside from that nxc is a hard carry
I'm sorry, I'm dropping it, as I said what I had to say about it. Just tired of everyone thinking AI is the end-all be-all of everything. It's overrated.
Let's try not to spoil things.
Have you connected to jump01, or is that what you're stuck on, @rustic sage?
And way less frustrating than normal pivoting
ah
yeah
Here are my general hints for the different stages.
Also, don't forget: the assessment briefing gives you the various internal IPs.
cat << EOF > hosts.list
ip1
ip2
ip3
ip4
EOF
nxc <protocol> hosts.list -u <username> -p <password>
nxc is NetExec;
it's the replacement for CrackMapExec.
...NetExec is gone over in the module;
nxc is just the shorthand for it
If you're gonna do the dynamic port forwarding you'll need to set up your /etc/proxychains.conf or /etc/proxychains4.conf to use socks4 9050,
and add proxychains to the front of the nxc command.
Generally proxychains -q to suppress the proxychains messages:
proxychains -q [other command here]
Finally done with that dang module.
Not sure whether I solved it in any of the intended ways, but I got the admin hash, so that's all that matters; I can move on with my life.
there's no one fully correct way
I used a dump tool to get the secrets/hash, for instance.
Did you enumerate with the ||snaff tool||?
jw
Yeah, the host itself can be included in the list of IPs.
Yep, it'll happen.
Well, don't just stick to one protocol; try figuring out if there's a way to make it easier to parse. Maybe remote access 😉
Try nxc with other common Windows protocols 😉
Does anyone know a few machines I can take to test if I am ready to take the CPTS exam?
Chrome is frustrating me very much. That is all.
At least it's not Internet Explorer.
I mean... that's sort of a low bar, though, isn't it?
Bet, thanks a lot.
Hey, in Attacking Applications Connecting to Services, after running octopus_checker, why am I getting "0x11b0 SQLDriverConnect@plt" instead of "0x5555555551b0 SQLDriverConnect@plt"?
I ask because using the breakpoint "b *0x11b0" does not work.
nah I used
/ 🐧 🫛
But I would say they were a bit overkill really lol
Am I misunderstanding something here? These two are different.
Hello guys, anyone know how to RDP to the Windows target? Module: Remote/Reverse Port Forwarding with SSH: "What IP address is used on the attack host to ensure the handler is listening on all IP addresses assigned to the host? (Format: x.x.x.x)"
consider an OS-native tool that can give you info on the different interfaces on your host
Anyone available to ask a question regarding NTLM Relay Attacks - Skills Assessment Q4?
ifconfig, but how am I going to access the Windows target while it's not reachable?
Well, the question you asked is concerned with the attack host, so that seems a bit irrelevant in the immediate.
That section covers the configuration of the multi handler.
Now that i'm less frustrated I have a clearer way of answering this.
It's just the way I learn really. I want to familiarize myself with the given tool (in this case, the combo of proxychains + nmap) to the point of not feeling like i have unanswered questions about it. Being able to sidestep it or use a different tool doesn't achieve my personal learning objective. It might sound kinda silly, but just how I operate with such things.
Are you stuck or do you simply have a question? If you can't ask without spoiling content, you can DM.
I know, but I made the payload and transferred it to the target; then I need to run the payload on the Windows system. My problem is how am I going to access the Windows target?
Yeah, but do you know how we can solve the other question, which is how to access the Windows target?
Go back to the section called Dynamic Port Forwarding with SSH and SOCKS Tunneling as that should help you perform this part.
Ohhhh OK, so I need to make the dynamic port forward first, then the remote port forward second?
Yeah I'd revisit that section and see how you can use that information to access a remote service, like RDP or something on that internal target you want to reach.
Hi guys, I am trying to crack this password for the LLMNR/NBT-NS Poisoning - from Linux section of the AD Enumeration and Attacks module, and the exact command to crack the password won't work. This is for the section question in the section. I think the file I am using is not formatted correctly.
Can someone help me correct the file?
It's a formatting issue, I think.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
The above is in response to your question.
@gray yacht, hey, can I DM you and maybe we can chat? I don't know how to get any more specific with my question without spoiling.
I've used this link before to check hash formats, it may help you. https://hashcat.net/wiki/doku.php?id=example_hashes
ok
Should be pretty cut and dry, copy the output, then run it through hashcat.
OK, thanks, I will look at that.
I did that; it didn't work.
You can send me what you are having issues with in a DM.
I think there's some stupid formatting detail I'm missing
Great, thanks.
SMB is just a file share. If you upload a file to the file share and then run the binary, the binary will run on whatever machine you executed it on.
Not sure what you mean really. NetExec will execute commands on the remote machine.
It's better to just say which module/section/question you're on rather than random questions.
In that case, best to take it to DMs if you need a nudge, as that's a skill assessment.
I haven't done that so I can't help.
Seems like this module makes up the vast majority of requests for help lol
It's recently been updated so people wanna do it.
You can send a DM if you are stuck here. I actually just pushed out a netexec video today. It might help you.
The difference is there because that binary has not started running yet. The 0x55* address is the full address the binary got allotted, while 0x11b0 is the address relative to the base address.
b *0x11b0 should have worked. You can also try b *main+<some number>; you can see that when you disassemble the binary.
If you want to do b *0x55*, do b *main, then run and then disassemble to see the full address.
They're two different tools altogether; while yes, there's some overlap, especially in the case of SMB because SMB communicates through RPC, they're not used for completely the same purpose.
SQLMap Essentials, Attack Tuning question 2: anyone willing to point me in the right direction?
Does anyone know whether signal strength plays a huge role in determining the success of a KARMA/MANA attack? Will the KARMA/MANA attack fail if the rogue AP has a weaker signal than the legitimate AP?
There's a tool showcased in the module to help enumerate shares. There definitely is a file that's useful that you may have overlooked.
To add on, the desktop comment is to do with the found file.
@trim bough Even with spoiler text I encourage you to redact things. But I am telling you: ||sharing is caring|| <-- this is the hint to move forward.
As I have settings to not show the spoiler blocking (on desktop), and anyone can enable/disable that setting.
There's a reason I redacted info in my general hints
My redaction in my initial h* was the username, not the sharename
./
Right, I understand. It's just that I cannot find any information or help online besides your message, which is frustrating because the h* hint you gave might be misleading.
But nonetheless, thank you for helping out 🙏
You're focusing on the h*, not the rest of the message
But there are tools to help enumerate shares showcased in the module.
Also you're generally not gonna find online information for the module because:
- the module was updated
- any writeup or guide of the module is against ToS
- the forums are being axed
Nope
It's in one of the credential hunting sections though
Is that for any module, or just paid (cubes) modules? For guides about them I mean.
Paid modules (tier 1 and higher)
If you find a website/video that's spoiling content/breaking the content guidelines you can report with /spoiler
Make sure to tap the hackster /spoiler one
Still don't get it.
Am I at least in the right direction of sharing is caring for h*?
Because I really cannot find anything in there
And are the tools to be used contained in this section https://academy.hackthebox.com/module/147/section/1334?
Yep. The first tool is helpful
It even categorizes the findings
And I assume I need to run on the file01 host right?
But I do not have access to that machine
And I also did try running the tool on JUMP01; it could not find anything.
It should find something the finding will be labeled as {BLACK}
You don't have to run it on FILE01, the tool enumerates shares available to the user.
No.
And to be clear, no one on this server will. This is an educational platform, if you're not here to learn, it's not the place for you.
is there anyone who knows alternative for mimikatz (like pwdump or something)?
which module and section is this about
I love LaZagneeeeeee. Thank you for the support. I did it.
I learned a lot from this section. File transfer & mimikatz & lazagne & UAC bypass.
lazagne is for like uk getting clear text passwords i want tools which can help me get the ntlm hashes from system
which section are you in?
Hello everyone. I stuck at the last part in Skills Assessment - Password Attacks. I can get every host's administrator NTLM hash but they look like local administrator. How can I get domain administrator?
anyone able to give some pointers on 'credentialed enum - from linux' (the ad set) struggling with bloodhound a bit
NTLM relay on SMB only works for administrator accounts?
I’m using my laptop on windows with CMD terminal and Linux
subset . Can’t get the dancing on penetration basics to work on WiFi and I don’t want to be on wired connection. It just sits there
Sudo is turned on
Even tried unprivileged
Did u find out ??I don't understand what is required here
Guys hello in Linux Priv Escalation in Python Library Hijacking section which file should be modified can someone explain?
The question in the module is explained in a quite weird way, to be honest I can't understand which file I have to modify and how
COMMAND:
bloodhound-ce-python -d dc01.tomwatcher.htb. -c All -u henry -p 'H3nry_987TGV!' -ns 10.10.11.72 --dns-timeout 15
INFO: BloodHound.py for BloodHound Community Edition
Traceback (most recent call last):
....................<REDACTED>
File "/home/kali/.local/share/pipx/venvs/bloodhound-ce/lib/python3.13/site-packages/dns/resolver.py", line 764, in next_nameserver
raise NoNameservers(request=self.request, errors=self.errors)
dns.resolver.NoNameservers: All nameservers failed to answer the query _ldap._tcp.pdc._msdcs.dc01.tomwatcher.htb. IN SRV: Server Do53:10.10.11.72@53 answered SERVFAIL
getting nameserver error while solving tomwatcher.htb (already got user flag but stuck now). can anyone help me out!
Hey, i need some help with a module relating to privesc, i started ssh with user1, moved to user2 and got the flag, now am not sure where to go in order for me to get to the root flag, any help?
if you want to dm me we can chat on it
Alright this one is making me feel stupid. I'm doing the footprinting mod and I'm in the snmp section. I am looking at /usr/share/flag.sh with my eyes. But I have no idea how to get it onto my machine or how to run it remotely and receive output. And after Google searching for 2 hours I'm clearly the only person to have ever had this issue. Any nudge would be appreciated.
Nvm. I misunderstood the question. I don't mean to be salty but you may want to reword that one. (Solved)
I restarted installing Kali Linux most things work but I have a long way to go.
Any one who just completed the windows cli module? #windowscli
I completed the skills assessment with a few holes in my skill set, where should i go from here? any suggestions?
well depends what you mean by "holes"; i suggest windows fundamentals and intro to AD if it's windows/AD related stuff
Thanks for the suggestion bruv, i'll work on AD soon as well, and by holes i mean usage of powershell in basic scripting while utilizing loops like foreach-object and a good understanding of variables in powershell.
That's just something you practice and get good at, it's not really something you can just read and immediately get
hi, im working on the footprinting module medium lab and ive managed to mount the share and get alex's credentials. was wondering how others were able to connect the dots and use these credentials for RDP? Was unsure what to do with them before checking some forums/guides online
Am stuck on the skills assessment for pivoting/tunneling/port forwarding. ||For Q3, im fairly certain that we should need to nmap the other subnet to find the other IP. I tried doing a ping sweep but the shell just failed a bunch and it never worked. We can't use the mlefay user creds yet until we get to presumably the next pivot host. What am i missing here?||
Well it's a bit of a logical leap, requiring a small bit of knowledge of sql account names
i see, i assume sa is a common sql account name then? and that it will probably come with more experience? thanks for your help!
Google it and it may enlighten you 😉 I'd say it's a standard name, not just common, like how there's standard windows usernames
Guys hello in Linux Privilege Escalation who has completed the sudo?
I am trying everything and nothing works
Can anyone teach me how to hack?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@olive niche ^
Hey folks! Probably a basic question but i'm a bit too sleep deprived to grasp maybe.... i've been trying to use xfreerdp for getting through some of the intro to windows and other courses but it rarely seems to stay open? It connects, but then closes seconds later and I cant for the life of me understand why. I've tried in the pwnbox and my own setup and get the same results
I know, i signed up on the website and stuff. But i'm just like super dumb, so i have no idea what to do.
you start from the beginning, there's the Information Security Foundations skill path in HTB academy, which gets you a lot of the basic fundamentals of many things you'd encounter.
try changing vpn regions, also make sure you don't use the pwnbox and your own vm/vpn at the same time [i'm not saying this is what you do, just a common point of fault]
Yea i know.. but i have no idea man. I'm just dumb.
that's why i said start from the beginning, the basics
Can you send the link?
Yeah i made sure to have them separate. I'll try out different regions and see if it helps.
When i click on like ''spawn machine'' it says ''Error!
You already have an active instance'
don't put yourself down my guy, around this same time 2-3 years ago now i didn't even know what NMAP even was/did/for
well spawn machine is for the main labs site, not academy. Upper left of the search bar should show a machine icon you can click on to go to and terminate
o
I still don't know wtf to do. This is hard 😭 There some guys i know from discord, they hacked tons of peoples accounts and stuff.
well to be more specific, the "you already have an active instance" is very much more specific to the main labs site, the academy has a "smarter" method, it terminates any existing lab running for you and starts a new one
you're not gonna learn how to hack peoples accounts here. This is all about ethical, legal, hacking
if that is your end goal, then this server isn't for you.
I know, i don't want to HACK someone.
I just want to stop them, and protect myselfs and stuff.
If you read #welcome it contains instructions on how to link your account in order to access more of the server
the way they "hack" accounts is by engaging in phishing/sending malicious files that steal credentials and account tokens
it's not a thing where they just guess your password and they're in.
ik.
also if you have proof of them admitting to these things you can report them to discord lol
but this is veering heavily off-topic
if your only goal is to learn how to protect yourself, learning hacking really isn't the way. It's just general internet safety:
- Don't trust random files sent to you
- Don't trust any bit of urgency from random people
- Don't join random discord servers that have you sign in to discord off-app
I want to HACK HACK, not in the bad way. But good way.
but as i said, this is veering off-topic of the channel; you can link your account via the instructions in #welcome and gain access to more channels
such as the starting point (#starting-point) channel, which are sets of machines that have guides and are free to learn with (even if they may be a bit outdated)
don't spoil modules above tier 0 @flint palm ;
i suggest utilizing gtfobins to help solve your issues
I utilized already and still no way
@fathom pendant Follow up to the freerdp item. Still not opening and giving me connection failed errors now.... should I just switch over to using Remmina or something else? A bit confused why it's not working since the module specifically shows freerdp getting used
i suggest reaching out to support then
you can log in to the shell environment via one of the files you see and ssh
you likely had some video on in the background, i doubt you're hacked
or a game running that just had a random audio
It's literally just me home.
possibly it is white noise such things happen or some video
Unless fortnite say's that, nope.
yes, fortnite does sometimes
No, not when u turned voice chat off.
hey guys, im stuck on the skills assessment for web services and api attacks, i have my soap request made but cannot get the sql injection. would appreciate some help
Pull the file to your own machine, web shells are notoriously finicky
Deleting the messages btw, even though you're using spoiler text you should still be redacting information. Seeing as anyone can click on the spoiler text and read it. It's why I try and be vague enough to point forward
Also ww* isn't the user to ssh as
Hint: what /home/ are you in?
i imagine we're supposed to use scp but ||we don't know the password of weba* 's password and trying to use mle* 's password doesn't work either.||
Or you can just read it and copy/paste
WOW WE ARE SO BACK IN BUSINESS we are ssh'd thx a bunch for sticking with me
Sometimes it's the most simple solutions to the problem
uh another roadblock; ||dynamic port fwd isn't working. ssh -D 9050 -i id_rsa web*@x.x.x.x. proxychains.conf file is completely fine but literally nothing is getting thru my tunnel. Everything on the 172.x.x.x subnet shows up as down which can't be right so idk what's up||
Proxychains and icmp don't get along
odd that it works in the academy "labs" but not here
? Proxychains doesn't generally forward icmp (ping) requests
tcp connect scan shows it'll take 3hrs 🔥
There's other ways to check (from the host)
Or utilize a ping sweep from inside the host
||tried a ping sweep on the web shell and it didn't work but ill give it a go on ssh now ig||
Google "bash ping sweep" though I'm sure its covered in one of the sections
Again, web shells are gonna be very limited
BAHAHAHA THAT WAS INSTANT
Hey everybody!
I have got an unusual question I guess, it's about note-taking
I take modules in obsidian as Md format and start highlighting what I think is important, type notes beside, etc...
but I feel like say I wanna get back to that at some point it might feel difficult after progressing far in the path for example
but then when I make a separate file for just note taking, I struggle to find what to type there.
anyone got any tips for note-taking in general through the modules?
web sucks
my notes for each module is just one file with each section as its own heading
i leave a callout at the root of each heading with a tldr statement abt important stuff as needed
It's why you should always try and get a full shell asap
Rewrite things in your own words to help you understand concepts
Definitions should be verbatim ofc
hey what should we learn to start htb
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
The general skill floor for htb "easy" is fundamentals and research skills
here it says to learn python, is it enough to start htb
You don't need to learn a coding language to start hacking
The best way to start is just to start
knowing a language is like icing to a cupcake but to start you js start
real
wdym by just start you mean like just learn by myself from tier 0
Yep
Thanks for helping me
remember to be patient and have fun frl it can be very mind tormenting 🙏
I will and thanks bro
Also using writeups for retired machines isn't inherently a bad thing. It's when you start relying on them that it becomes a problem
Hi guys, after failing oscp few times, will cpts module be a helpful one before next attempt?
I feel lost and don't know which area of knowledge I should improve.
Hi, I don't know if anyone can help me. I'm trying to log into my Hack the Box account, and when I enter valid credentials, it tells me "We think you're a bot, please resubmit the form." It's repeated several times.
Have you tried disabling adblockers? Try a different browser
Some extensions get marked as being a supposed bot
I mean they are similar enough and people have often stated that they were able to clear OSCP after doing the CPTS course
but that's a question more for #careers-and-certs (and you can look for the keywords OSCP and CPTS there)
I tried from my virtual machine and nothing, I tried in incognito mode and nothing, I tried from my own machine and nothing. I don't have any ad blockers.
Might wanna contact support to troubleshoot
I was thinking about that, thank you very much for your time and help.
So i know this might be a dumb question
Analyzing Evil With Sysmon & Event Logs, I'm trying to run the reflective DLL hack lol
and when i try to move calc it says i need permission from the trusted installer
I got it to work yesterday but im not sure how
Thank you so much for the advice. I feel dumb when I fail, and can't ask any question about the machine I can't solve. Really need this resource.
you and me both brother lol, sometimes computers make us feel dumb as hell
Failures are all in how you approach the problem
the only advice Ill ever give is, once you know how to do something, it was always a simple fix , you just didn't know where to look
It's why I'm always in favor of documenting when you run into errors (even user ones) and how you resolved them
when i started help desk it was all scary and new, and then even the hardest shit you just needed to know where to look and what to do once you got there
so im in the user management section of the linux fundamentals module and one of the questions is "Which option needs to be set to create a home directory for a new user using "useradd" command?
I know the answer but I don't think anything in this module has gone over that option.
Are we expected to just google these questions if we dont know?
I couldn't agree more. But the problem is I can see other people's walkthroughs to know what I don't know, the oscp exam can't provide any feedback so I still can't realize what I lack...
it's always in the frame of how you view the problem. What you lack is what you were struggling with to move forward
whether it's some simple fundamental understanding of the issue, or some command syntax that makes you go "oh, duh"
Lol, like for some reason im stuck trying to get reflective dll to override calc and its not working =[
I literally googled this and not even getting the same questions as other people
Hey I just used yt to complete meom that's not bad right ?
Like most computer problems, I'm now watching a youtube of someone speaking a completely different language 🤣
lol what the hell
I had to move the dll to the desktop, copy the calculator to that, put the dll into the recycling bin and pull it out ? makes no sense
my best guess is that the "trusted installer" is because you're trying to move it somewhere "protected"
but i haven't done that module so i couldn't tell you
I thought for some reason you couldn't copy it from sys32 but had to move it
but copy worked, you just had to move the DLL to recycling bin then bring it back to desktop and then it overrode the calc.exe on desktop, dunno why
likely something with windows updating things when you move files
Support just indicated I should check here haha. I played around a bit more and couldn't get freerdp to work... so I switched to Remmina and it worked just fine so there's that at least
let me guess, you selected "content guidance" as the option
I did haha since it specified "tech difficulties" - I was unsure if something was truly broken
it could 1000% be user error
well, next time "technical difficulties" would be more appropriate if the error is in the pwnbox as well
in the module AD enumeration & attacks in Kerberoasting - from Linux
do i need to find valid creds by myself to launch GetUserSPNs.py or am i missing something
yes you need valid creds
the general syntax is GetUserSPNs.py --dc-ip <insert-ip> domain/user (it'll prompt for a password)
you'll need to statically compile chisel
yeah, but i assume i need to find valid creds by myself since there is no creds given right?
yeah and the target system doesn't have that same glib
the ad module reuses creds all over the place
ooh ok, tysm
i believe you can add the --static flag to the build
took a few seconds to find using ctrl+f
guys when make is not found and you can't install it with what i can be replaced?
Academy > Job role path > PT path > getting started > Privilege escalation
The First mission is connecting through ssh to user1 with password1
I used
"ssh -i key user1@83.136.253.59 -p 41730"
and it ask me for user1 password, and its worked!
how really howwww it worked?
For this command to work my public key must be in the authorized keys file on the victim machine,
I never did something like that before, I never put my pub key there, so who did?
and I hate just solving rooms without understanding the logic behind them
Please someone help and tell me what's going on
if it asks for a password: then the public key authentication didn't work
oohhh
public key authentication should not prompt for a password (unless the private key is password protected, otherwise it'll ask for the pw to the private key)
But why, when I used a simple command like "ssh user1@83.136.253.59 -p 41730" without "-i key", did it only let me answer "yes" or "no", and when I chose "yes" it said the key is not good, meaning it didn't let me even try a password
only when I use "i key"
if you provide a private key here's the flow:
- it checks if the private key matches the public key in the authorized_users file
- if that succeeds then you're good
- if it fails -> if the settings allow, it'll fall back on password authentication
- if password auth isn't allowed then it gives you the error with the authentication method
In my case the key fell under Permission denied (publickey), and didn't fall back on password authentication, just
Permission denied (publickey) @fathom pendant
i was able to log in just fine with user1 @odd scroll
like this? "ssh user1@83.136.253.59 -p 41730"
is SSH on port 41730?
Very cool thing in Linux Priv Escalation Sudo section: on half of the targets I can't cd, I don't see where I am moving and where I am. The make command doesn't exist and as I am not root I can't install it. On several targets even ls wasn't working
yep i used that exact command (and used your target) and logged in
it didn't fail on me
thanks ok
On what do password recovery functionalities provided by web applications typically rely to allow users to recover their accounts?
good to know
Vulnerable Password Reset ?
it helps to know what module you're doing
and what section
Broken Authentication --> Brute-Forcing Password Reset Tokens
First Q
The answer is on the page, just need to ensure you get the wording/format down
incorrect answer!
remove the s
the reading has it in the singular
Hi everyone!
I’m working on an Android application static analysis challenge and I’m a bit stuck. There’s an APK file inside a ZIP archive. The task is to analyze the APK and find out what the value of the "message" key is after logging into the remote service using the debugging code.
Could anyone please give me some advice or point me in the right direction?
Thanks in advance!
I got user2 flag
but I stuck with root's flag mission
I read about Enumeration Scripts but there is no way out to the WAN from the HTB box, should I download the "LinEnum" tool locally to my machine and use it?
you'll have to transfer files over, scp is a good file transfer tool, scp source username@destination:/file/path -P port
but i suggest seeing if user2 can see anything they're not supposed to before running an enumeration tool like LinEnum or LinPeas
what is scp? 🙄
ohhhh the bash history of user1
wait wait I think I've got it
well the bash history of user1 isn't that important for user2
No I dont
you're right 😫
I turn back to read the module 2-3 times!
looking for hint
i believe the section may refer to hidden files
you had a right idea regarding the -i option
-i is for an identity file (like the id_rsa file)
ssh -i id_rsa username@host [-p port]
I will try
what happened to me right now?
Connection closed? I did something wrong? 🫣 Or just the time pass.. and I need to refresh ?
The reason is due to the other host closed the ssh connection.
Just because the time passed right?
the box likely died
ok
You can go to #boxes to ask for a nudge/assistance, or if it is still one of the latest active boxes you can use the named channel for it. But you won't get any nudges/hints for the newest box for 24 hours.
Artificial still has a named channel here: #1386042800323301447
you'll need to link your account via the #welcome instructions -- the latest 2 active boxes will have their own named channels, i.e. #1386042800323301447
It says to the link "No Access"
lol caught it before you typed it out, see the message just above
Still, "No Access".
first half of my reply
Your account isn't linked yet
you'll need to link your account :)
Okay, that makes sense. thanks.
soon.tm (like within the next couple weeks) they're revamping the account link process
Probably to make it easier, lots of people don't do it/don't realise how to do it
well also adding actual functionality to the discord account link https://account.hackthebox.com/security-settings
rn it's just a button that looks pretty
I didn't even realise there was a button for it on that page
Had enough problems, just getting the work account linked
Does anyone here have any solutions for pth with RDP? xfreerdp version 2 is not available on newer kali machines, and it doesn't look like there's a straight forward way to install it, and xfreerdp3 is absolutely awful, I've not been able to connect to any machines using it, with or without pass the hash?
Is there enough information in the module itself to guide me to the solution?
reading the module thoroughly actually lead me to the solution?
for example, in the case of SUID the only time it's mentioned is as part of the output from a script (LinPEAS), but there's almost no explanation or focus on what SUID is or how to use it for privilege escalation.
I just want to understand if I'm expected to recognize this on my own from external knowledge, or was there supposed to be a clearer hint inside the module?
Because I'm considering reading it all from the beginning for the fourth time, thanks a lot 💗
What path are you doing, it is explained in the Linux Fundamentals course what a SUID is afaik.
Linpeas may lead you to the answer, it also gives a lot of extra info
You don't need to exploit anything to move forward. Consider that user2 may be an administrator of some kind, and can see a file in /root/
ok I will go in this way, Linpeas i mean
I saw the flag
but when I want to read it with cat
hidden things
it ask for password for user2
I thought this is the "hidden" we are talking about LOL because I didn't manage to see it with user1
Academy > Job role path > PT path > getting started > Privilege escalation
No, in linux, hidden refers to the files/directories prefixed with .
OMG RIGHT
Guys if anyone can guide me how to pass linux priv escalation sudo section please dm me
you found the n* binary, just type b when you run it
aha and it asks me a sudo password
have done many times
the user's password, yes
yes and when I enter user's password tells me sorry it is incorrect
Sounds like you aren't using the right password
ah now i got it
They are teaching 0-days on hack the box now?
use one of the methods described
Every box is the opportunity to get a 0 day 
well it's no longer a 0day once it's been released :) (and likely already patched)
make command is not working on machine so I going to compile it and transfer
on target machine
First of all thanks! I managed to read the private SSH key for root eventually
But I only did it because the hint you gave me, and because you helped me.
I'm really grateful for that first of all
but what I want to say is that I feel kind of disappointed in myself. Honestly, I'm even a little sad, frustrated.
because this is something I should have figured out on my own.
At least, I feel like I should have had the intuition to try checking if I could peek at root's private key.
Isn’t that supposed to be an instinct?
or am I too hard on myself?
And sometimes I have this moment of confusion like:
"Wait... where even am I right now? Hold on a sec..."
I'm on my host machine > running VMware > inside that I have Kali Linux > inside that, I'm connected to HTB with box with VPN > SSH (with IP and port).
Inside that, I'm logged in as user2 from user1
And now I'm trying to SSH again as root from within there?!
I’m basically in SSH inside SSH inside SSH inside SSH.
And I just feel totally disoriented.
I’m really sorry if this isn’t the right place to share this, and I know I’m writing a lot but my point is, should I feel like that?
I want to use this Discord and this community to ask about these feelings if its OK and natural to have these struggles in this profession.
Is it natural to feel like this?
Is this a normal part of the learning process?
you don't need the make command
read the very last example for what you can do
I read the very last example and found what can be executed as root but when I try to do it I am asked for password and even have entered b and c and other things but still no shell
are you sure you did the -u example?
yes
also make sure to specify the full path
yes there was a full path, I used the whereis command to find the full path
spun up the lab; was able to get it to work with no effort
try copying/pasting the password again
tried again without specifying the full path and it also worked just fine
Hey, guys. Has anyone here tried doing Windows File Transfer Methods from WSL, especially during the RDP question?
It throws me somewhere and asks to use arrows instead of shell may be it is cause of kali
nope it doesn't, this is where b is useful 😉
aaaa
@sharp torrent redact usernames better, even behind spoiler text
consider that anyone can click on the spoiler text (or just disable it in their settings)
sorry about that i'll edit the question.
well once you get b* user try checking everything he has access to with nxc
basically spray protocols whenever you get new credentials
Please give me your idea 🙏 please
@fathom pendant
Your opinion matters to me
it's easy to get overwhelmed, especially once you start getting frustrated
and then when the answer turns out to be "simple" you get even more frustrated in yourself because you feel like you somehow should have known that
Hydra and Medusa are my friends in that case
well, not entirely
my message (in context) is if you have the user:pass credentials of another user: spray with a tool like nxc (which allows you to test multiple hosts at once) to see if maybe nxc tells you pwn3d! for something like rdp or winrm, which tells you the user has admin access
the attacking gitlab section for attacking common services is not finding the user even when using xato and the provided scripts.
Oh yeah totally, that's very useful in a lot of situations, nxc is the swiss army knife for a lot of protocols, especially for AD environments.
there's another problem where once you've done enough CTFs / boxes on platforms like this and get kind of wise to what you're likely to be able to "get away with" and what the box's creator is likely to have thought of to stop you doing that, you get a bit lazy. "surely root won't be accessible, so I'll just look somewhere else".
So there's a lesson in there about being really disciplined with your enumeration because you just never know what simple thing is actually available. Especially if a module teaches you a bunch of more complex concepts and you trick yourself into thinking you need to execute those, when the easier concepts will suffice
ok im seeing that people trying the attacking gitlab module are saying its 7 MILLION users into xato..
The answer was not simple for me, I wouldn't do it without your help, I just ask If it is legit
the feelings are legitimate; it's all in how you choose to learn from those feelings that matters. You can sit in the feelings of self doubt or see it as just another thing to keep an eye out for in the future
Stuck on Pentest role path module "Writing Custom Wordlists and Rules - Finding Marks Password" I even tried the walkthrough and it didn't work. Originally I tried creating my own custom wordlists based off the information provided and custom hashcat rule list. Still couldn't crack the hash.
you'll need to create your own custom hashcat rule for this
consider the year and common endings; bonus points for taking into consideration other information about the password complexity requirements
I mean, is it legitimate to not be able to complete the challenge without help from here
Okay for those wondering why the walkthrough doesn't work it's because the custom.rules are escaped with backwards slashes. Remove those and the rule set works...
i mean for some people yeah
yeah that's why i don't blindly trust it
Upload the attached file named upload_win.zip to the target using the method of your choice. Once uploaded, unzip the archive, and run "hasher upload_win.txt" from the command line. Submit the generated hash as your answer.
Has anyone done this part in the Windows File Transfers part of the File Transfers module? I cannot get the RDP to work
hi hashcat isn't working for the section I'm on. this is for the LLMNR/NBT-NS Poisoning - from Linux section of AD Enumeration and Attacks
┌──(kali㉿kali)-[~/Documents]
└─$ hashcat -m 5600 backup2.hash /usr/share/wordlists/rockyou.txt -O
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #1: cpu-sandybridge-Intel(R) Core(TM) Ultra 7 155H, 708/1480 MB (256 MB allocatable), 2MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 27
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
Watchdog: Temperature abort trigger set to 90c
* Device #1: Not enough allocatable device memory for this attack.
Started: Sat Jun 28 17:13:52 2025
Stopped: Sat Jun 28 17:13:53 2025
I figured out the attacking gitlab thing, its the ||cirt wordlist||.
I tried updating and upgrading kali
it won't work even if I use -O
I have a laptop with a fuckton of memory should I allocate more to kali?
how much ram are you giving it
2048MB so that's like very little GB
6-8 GB is usually enough to not have to worry about it ever again (unless you are doing something ridiculous)
settings has RAM slider greyed out
RAM slider will be greyed out when the vm is in use
you can't "hotswap" (adjust on the fly) the RAM
Does it normally work?
ok just adjusted RAM
now turning VM back on
yep that fixed it
hashcat is running I think soon I will get the hash
Is there a way to transfer a file to my PwnBox from my PC?
yep hashcat cracked it a minute ago got the flag
Yeah, try the file transfer module. It shows you a ton of ways to transfer files.
good old curl and http.server; the pwnbox has a WAN ip
if we use cubes to purchase the detection & opsec cyber range, does this mean we get continued access to the cyber range indefinitely?
as opposed to using cubes from the subscriptions
i'll let you in on a secret, they're the same cubes
modules unlocked with cubes are yours indefinitely
Hello, 👋
I successfully gained access to JUMP01 in skill assessment of password attacks !
But after doing enumeration and all I still stuck !
Please help 🙏
sniff around for something that's shared
What section? Was it Bad Cryptography Implementation?
Like in FILE01 there is a file ________.xlsx ?
well if you have the h* user, an enumeration tool can be useful
Hello!
Android Application Static Analysis:Reversing Hybrid Apps
both my machine and pwnbox can't ping my target
what do i do? i restarted my vpn and even changed it, i can't fix it on my part let alone the pwnbox itself
omit the port when pinging
well i see the problem now
but you shouldn't be running your own machine and the pwnbox at the same time.
the issue isn't vpn related though, as that target is a public_ip:port; so the scope is gonna be the given ip:port
Yes i just tested it
It can ping on the pwnbox too, but my other problem was i can't open it on web
well does the question for the section give you any directions?
Also to visit in the webpage you have to specify the port as http://ip:port
(If it's running as a web server)
Well it'd be helpful if you told us the module and section you're working on
For crud api
Does the question tell you to visit an /endpoint or perform tasks?
Ah the CRUD api, you won't be interacting much with the browser then
Ah i see alright
I suggest following along with the section examples
This section is all about interacting with the CRUD (Create, Read, Update, Delete) api
And generally api interaction is done via command line (or tools a dev made for it)
Yea that's why when i checked it on browser it was empty and i also can't ping it even though in the previous "stages" i could even with port, i panicked a little
Because pwnbox can't ping it either
i wouldn't necessarily worry too much if it doesn't respond to pings
the section shows you specifically how to interact with the machine
Pinging the IP address of the docker container is not actually the way to verify your target is working
To have a better understanding if it is working you can either:
a) Visit it through the browser depending on the module/section
b) Do banner grabbing with netcat or other tools
The types of targets (VM or Docker) have been explained in the Intro to Academy module
Hii
I am somewhat understanding your hint :- USER :- h_____am ? And TOOL :- L_Z__n_e ?
something for sharing
Sharing tool ? Or port forwarding ?
sharing is the key word
🧐🧐🤔🤔
Is there a troubleshooting section here? I'm trying to follow a Hack The Box module, but I keep getting connection errors within the lab and then I run out of time and can't connect to the instance because I've used it. Help?
you can ask for module help here. your issue sounds connection related. are you using the pwnbox, the vpn, or both?
Hello! I'm working on https://academy.hackthebox.com/module/147/section/3714 - Password Attacks - Attacking Windows Credential Manager
I've got mimikatz running ||(having bypassed UAC)|| as per the module info, however when I run it to dump creds using sekurlsa::credman, I don't see anything for OneDrive 🥺
Am I missing something here?
@full patio What user/level of privilege are you running mimikatz as?
Thanks for getting back, I finally figured it out. I think I initiated the initial cmd prompt and thus msconfig using sadams
🤦♂️
Aha, it happens. Figured something like that may have been the case 🙂
Hey using ligolo is better because till now I am just using proxychains and ssh to do remote port forward ⏩ or DYNAMIC port forward ⏩
And I found these easy, because, i think ligolo wants Go language on the system to run properly, which is not available in most of the cases,
BTW :- In PENTESTER PATH HTB also doesn't teach ligolo-ng in its port forwarding and pivoting module ! 😁😁😁😁
Are u asking or telling? Are you in favor of ligolo or opposition?
Bloodhound module --> assessment, last question: Find the percentage of users with a path to GLOBAL ADMINISTRATOR. Submit the number as your answer (to two decimal points, i.e., 11.78).
Found users is 13, one without path but that does not work. Anyone a nudge?
Hi
The point is :- " IF it's not taught by HTB in course then i have to learn this for exam or not ? "
I am asking for advice or you guys views
I currently have a ligolo double pivot running in background lol.
Absolutely recommend it
I haven't looked back ever since I started using it
OK does it need GO language on windows or Linux to run ?
Not sure. I don't remember it having any dependency problems at all
Even works fine on whatever target HTB gives
OK 👌 then it looks like a good deal to learn this tool
I have a problem at the same Question. I found the debug key and I tried to transmit it as query parameter with different parameter names and also as json payload with different key names. I always get the response:
{
"message": "Invalid credentials!",
"status": "failure"
}
Any ideas?
Anyone available for a nudge on credential hunting in network shares? I’m using manspider and only found non working creds. I’ve used the reading material search keywords with no success. I’m trying to answer the second question in the lab. Any tips or nudges would be appreciated.
You can DM.
As usual, shortly after asking I found the solution myself. The source code suggested that the endpoint accepts the payload in json format which is not true. Using burp and analyzing the request revealed that the payload is transferred as a key/value pair.
The netexec stuff they cover in the section can work, just try using a keyword from the question itself.
thanks
Hello there! I am trying to start learning using HTB Academy. I am unsure where to ask, so please be kind :)
So, i am at the Linux Fundamentals Module and right now trying the "System Information" Section. I need to connect to a target using ssh, but it does not work. I am using the vpn, i can ping the target, but using ssh just gets stuck and nothing happens. Some time later i get the message connection closed by [Target IP]. On the pwnbox i can connect, but i do want to use my own VM, as i am more familiar with Kali Linux. Did someone encounter the same issue?
change vpn regions, ensure you're not using the pwnbox at the same time
Okay i tried that, same result. The pwnbox is not running.
also ensure you don't have multiple vpn processes running
Ah okay, changing the protocol from udp to tcp solves my issue. Just in case, do you know why that might be? Are there any downsides to changing the protocol? Still, thank you very much for offering your help 🙏
too many external factors to say what the issue could be
tcp is generally more reliable
okay, thank you very much!
trying to do proxy chains skill assessment. Every time I try to copy and paste the IP address of the pivot machine into the web browser, I get a cannot connect error message
how come?
this has been going on for a couple of days and really frustrating
it looks like the HTB academy servers are buggy
Hey one more problem :-
Scenario :- I want to transfer xyz.psafe3 file into my attacking host Kali from my target which is an internal network ( PC 3 ) WHICH IS only accessible by my pivot ( PC 2)
IN SHORT :- I want to transfer a file from Windows to Linux, I am not an administrative user, I am not able to spawn an http server via powershell, also python is not installed on that Windows machine now, and while using the nc binary to transfer it shows transferred successfully but the file bytes are 0 ! ?
If you are connected via xfreerdp use the options
+clipboard
/drive:parrotshare,/home/htb-user/Desktop/
That will open up a share upon connecting. You're welcome
yoooooo , hello guys
recently i have faced a problem which is in the LLMNR and NBT-NS Poisoning
the problem is after executing responder and retrieving the hashes i want to crack them with hashcat but i can't find where responder saves these hashes ???
anyone can help ??
In the output
pivoting generally mean you can access internal network from your attacking host, and the file is accessible after pivot through various file transfer methods and || even without you spawning anything ||.
Why are there so many content errors on HTB? It seems like every single fricken time I try to learn with it, there are problems which prevent completion.
I mean, you could ask him 
but if you're looking for other means, you better read #rules
Hello I need help with the deobfuscation skill assessment
I get the flag variable and input but it it keeps saying incorrect answer
Can anyone help ??
Contact rainbolt
???
Hello y'all!
I'm currently at the File Upload Attacks - Blacklist Filters but facing an issue in solving the challenge
Which asks for uploading a web shell in order to get the flag
so i tried fuzzing for the allowed extensions
but burp suite shows them all as allowed
If it is in HTB{flag} format, check for spaces
i found that it is possible with .php2, but when i upload the web shell the php code is put in comments
I did that already but it doesn’t seem to work
DM
even with something like shell.php%00.jpg doesn't work and still put between comments. Any ideas how to solve it?
@faint hamlet hey will i DM you ? I am also having 1 issue in module hunting in network shares,
I found the password of user :- j__d_r but not getting anything about, how can I find password of administrator user !
Can we discuss in DM ?
Sure
Is Academy a good place to start if you want to do mostly practical learning? I'm trying to get through the free stuff but it's just reading, which the academy itself said only has like 10% retention. I would prefer to learn by doing instead.
A lot of the basics in academy is mostly reading
but when you get to a job role path it gets pretty practical pretty quickly
Thanks! Should I consider doing Labs without the academy? Or is that a big no no?
I suggest doing them in tandem but labs is a massive leap from academy especially if you don't know the basics, which yes, involves a lot of reading the theory
Hey there, I'm having challenges on the last 2 questions in the module of Linux fundamentals on Filter Contents. Questions are the following " Determine what user the ProFTPd server is running under. Submit the username as the answer." and the second question is "Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths (https://www.inlanefreight.com/directory" or "/another/directory") of that domain. Submit the number of these paths as the answer." May you please provide an answer and a small explanation on these questions?
Thanks 🙂
Where can I get hacking course for free
YouTube
pwn.college 
There are various modules in the Academy, which are free of charge
I'm going through the Windows OS fundamentals module , can hackers inject logic into built-in classes which are deprecated like Win32_<deprecatedclass>, since i've come to believe that they are zombie/ghost classes with no logic/code inside, OR am i wrong?
deprecated != they have no code
deprecated means that they are no longer used/are replaced by something else
but they still do the thing they're built for
i tried running a win32 class with wmi and ciminstance in powershell but they both return an empty response ||get-ciminstance Win32_TokenPrivileges||
i tried to check for multiple classes via get-wmiobject and get-ciminstance, both return an empty response so i just concluded that they may be deprecated and may not have any code
so i'm stumped
you don't have to worry too much about class stuff in the OS fundamentals; things you're looking through are likely gonna go beyond what would be "fundamental" things
Hey, can anyone help me with a small sanity check for the XSS & CSRF skill assessment on CWEE course? My exploit works but is not triggered by the bot
Hey all. Can anyone help me with https://academy.hackthebox.com/module/109/section/1042 - Skills Assessment for Command Injection?
I've been going at this for about 7 hours 🥵
- I've found the vulnerable parameter I believe.
- I'm able to trigger the warning for malicious input detected.
- At this point, I've tried all sorts of obfuscation techniques and I feel like I'm going in circles.
- I'm not entirely sure if the solution involves moving the flag file or just reading the contents.
If anyone's able to offer some advice (possibly reach out via DM) I'd be most appreciative.
- The warning is more important than you think
- moving the file is only part of the equation
Thanks for the hint Marcie 🙏
Can I get help in the footprinting module? Please
I’ve been stuck on the DNS section for 4 days because I cannot figure out how to get my final flag
I'm brute forcing the DNS for the octet .203 but any wordlist I run against the DNS doesn't return a FQDN with that ip. When I tried asking on here I got told the wordlist is very short but any wordlist I've tried whether 5000 or 3000000 doesn't return what I need and I'm just now at a total loss
5000 entries in the list are too many. You need a smaller list
When I look in the /usr/share/seclists/Discovery/DNS folder most of those wordlists are above 5000
Did I miss one maybe?
start with small lists first; ls -lSr will sort the lists by size
.
also: subdomains of subdomains
Can anyone help me
With what?
Help*
With what? Don’t ask to ask. Just ask your stuff
Ok
Just an fyi, there’s no requests to be made for illegal stuff
Is there a way to dnsenum subdomains? I can't get the command to work like that, only when I run it against the regular domain name, because it errors for not having the ns.
you can specify sub.domain.htb 😉
and it'll brute wordlist.sub.domain.htb
also with dnsenum you can specify the nameserver
is that fqdn in your /etc/hosts file? you can also use the ip for the --dnsserver
.htb is not an official TLD. Therefore, the domain cannot be resolved.
Simply use the IP address instead of the domain
also as a note: whenever you do a zone transfer, you are reading the records from the frame of reference of what you're querying; so anything mapped to 127.0.0.1 in the DNS record means it's on the same server that you're querying
i suggest looking at all subdomains, especially ones that you haven't enumerated yet
Finally got there! Thanks again!
you can also zone transfer the base domain
things to bear in mind:
even if you can't access/axfr to a sub.domain.htb; if you zone transfer to a valid.sub.domain.htb then you'll get the record of that specific valid.sub.domain.htb
this is basically what dnsenum is doing behind the scenes with the wordlist
again you're thinking well within a box here
just because you can't INITIALLY zone transfer to another domain, doesn't mean there's more beneath the surface
you're trapped in the case of "what you can see"
also removing the messages as they're spoilers; this module is tier 2
to sum up @wise crystal don't let yourself be limited by what is purely visible; and yes the bruteforcing part of the dnsenum script will do stuff (if possible) so you gotta have some level of patience to let it do its thing; everything in the A record section (aside from what you already enumerated for previous questions) are potential brute force subdomains. Don't discount anything until you've fully exhausted options; just because sub1.inlanefreight.htb and sub2.inlanefreight.htb fail doesn't mean sub3.inlanefreight.htb will
the reason i'm telling you you're thinking too inside the box is because you already enumerated the one subdomain, so push that aside
Hello I am a little stuck on Introduction to Windows Command Line, Skill Assessment, last but one question. I don't really understand what is awaited.
What I understand is that we have to log in as user9, perform a tasklist, sort the output and give the process Image Name starting with "vm" but there are actually 2 and both don't work as an answer
Hint is "read tasklist /?" but I tried /? + learn.microsoft.com documentation and I still can't figure out what I am missing
well /? is just the help page for tasklist; if you're trying to run it in powershell you'll need to specify tasklist.exe /? iirc to get the help docs
but i suggest looking to sort the list
I am running a cmd session
it's expecting the answer as the full .exe
yeah i spun it up and got the expected answer
there's a couple methods you can use to get the answers to the last question; you can either scroll through the logs or output to a file and basically search for strings (i.e. the specific field like Account Name) to make it a bit better (only a bit)
I think I’m understanding a little better but still am lost, so I zone transferred the primary domain being inlanefreight.htb @ip and got some subdomains, but those subdomains do not allow zone transfer other than internal, and all internal.inlanefreight.htb subdomains don’t allow zone transfer either
So I think that’s where I’m lost, is there a way to reveal hidden subdomains? Is that what dnsenum would be for? But you also said subdomains of subdomains, but the only one I can zone transfer is internal which doesn’t have the .203 octet, so am I able to brute force those sub domains that don’t allow zone transfers?
yes that's what dnsenum would be for
once you get the answer i implore you to try
dig axfr answer @ip so you can get more of an idea of what's going on in the background
I guess my next question would be how do I target those subdomains because dnsenum only allows me to target the primary domain (inlanefreight.htb) and not the subdomains
it doesn't "only allow"; you're just narrowing your thought
If I put say for example “app.inlanefreight.htb” it fails
just replace inlanefreight.htb with sub.inlanefreight.htb
and some of them may fail
:)
but not ALL
Hello i think I'm stuck in password attack skill assessment. || found .pcap and filtered all non encrypted protocols and searched for passwords and tried all of them and it didn't work||
i don't recall that file being any bit important. snaff around for shares
okay i will try it. thanks
yes, you're focused too hard on that
try other subdomains
not all of them will fail. including that one. also, please be mindful of spoilers
the general thought of: If you had to discover it, it's a spoiler
stop digging deeper into that subdomain
and again: i've told you to mind the spoilers. The subdomain name is a spoiler.
My bad I thought that was directed at somebody else
Footprinting is a tier 2 module. as i stated earlier. so specifics about the sections would be spoilers
Okay that’s my bad I didn’t even realize my questions were getting deleted until then because they were violating
the way forward lies in the base subdomains you found.
I’m taking a look around now based on what you’re saying
To just check my understanding I will be checking these subdomains but my wordlist also has to be correct and it has to target the correct subdomain ?
Correct, you can start with smaller wordlists
ls -lSr /path/to/seclists/Discovery/DNS will list all the files in ascending size order
-S is sort by descending size
-r reverses sorting order
Thank you for your help! I know I probably haven’t been very easy to deal with
I did finally get it! I thought I was going insane
it helps sometimes to drive out of the tunnel to move forward 😉
How to get to that goal though was very difficult to get down, I don’t know how to explain why I thought it was difficult because I don’t want to spoil on purpose
it's super easy to get tunnel visioned, just gotta break out of that
Other than saying picking the right subdomain and the right wordlist In conjunction was incredibly difficult
you were focused on what was simple to access, so that forced you to tunnel vision on what you could easily do; not taking into consideration the potential that there's ways to get the answer beyond what you see
also did you try dig axfr answerhere @ip?
if that puts it more into perspective of what's going on
Yeah I can’t zone transfer to it, huh, now that’s interesting
well yes, you can't transfer, but there's more to it
also sorry i misspoke
don't do a zone transfer just dig answerhere @ip
It gives me the target ip? I don’t think I understand
I did the command just don’t know what to look for
by answerhere i mean the answer to the question
and the ip is the target ip
you'll see it gives you the ip hinted at in the question (x.x.x.203) in the response
Right I did that and that’s what I mean it gave me the target ip
I was just hoping I wasn’t missing something else in its response 😅
it shouldn't give you the target ip; dm me with screenshots lol
I’m very likely misspeaking lol
I’m meaning the .203 ip
Target objective ip 😅 (.203)
... when I say target IP, i'm meaning the spawned ip
the question ip is not the target ip
I dm’ed a pic of my screen
ok yeah we're talking about the same thing; just different wording
Hey there, I'm having challenges on the last 2 questions in the module of Linux fundamentals on Filter Contents. Questions are the following " Determine what user the ProFTPd server is running under. Submit the username as the answer." and the second question is "Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com/" website and filter all unique paths (https://www.inlanefreight.com/directory" or "/another/directory") of that domain. Submit the number of these paths as the answer." May you please provide an answer and a small explanation on these questions? @fathom pendant
Thank you again for the help, I thought I was going nuts but it did help me understand a little better on the bright side
Been 4 days of trying to brute force a million different things
for the first one: ps aux can be helpful; for the second one, you can search in this channel for previous hints on it
next time though, don't directly @ me :)
just because i'm helping one person doesn't make me obligated to help everyone