#modules
Can anyone give a hint regarding the advanced XSS skills assessment? https://academy.hackthebox.com/module/details/235
I am able to trigger the XSS but cannot find a way for the victim to visit the page
by overcomplicated I did a reverse shell option versus trying to do it within sql ^
not everyone has an enterprise account, so sharing the enterprise link isn't helpful
also the enterprise link really isn't helpful for others anyway as the /academy-lab/N/M/ part is specific to your org
I updated the link
are you sure you're attacking the right part; the hint is on the main page telling you that some things need to be approved by admins.
Can I DM you to not potentially provide too much information for other users?
can i DM you about Password attack skill assessment @fathom pendant
no
and no @tranquil sluice ; the only thing i can nudge is js and php
I can try to assist @oak raptor drop me a dm
What am I doing wrong?
nmap -sV -sC -Pn 10.129.141.177
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-29 15:48 EDT
Nmap scan report for 10.129.141.177
Host is up.
All 1000 scanned ports on 10.129.141.177 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 206.57 seconds
I'm in Academy Nibbles enumeration; I typed what the step-by-step solution gave me.
Maybe ports are open, outside the top 1000
This
nmap -sC -sV STMIP
The solution
are you connected to the vpn; are you using both the pwnbox and your own vm/vpn at the same time
I'm in my virtual machine
Connected to VPN
The terminal says
Initializing sequence completed
No not both
I rebooted my system and it worked
you likely had multiple openvpn processes running
has anyone in here done the Password Attacks module in the penetration tester path?? in the pass the certificate part of the module, the last question/2nd question in that section, has anyone got it following the guided solution with the annual plan?
i was able to get it following the guide; but what's your actual question
File "/usr/lib/python3.13/threading.py", line 1041, in _bootstrap_inner
self.run()
~~~~~~~~^^
File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py", line 42, in run
ADCSAttack._run(self)
~~~~~~~~~~~~~~~^^^^^^
File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 81, in _run
certificate_store = self.generate_pfx(key, certificate)
File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 113, in generate_pfx
p12 = crypto.PKCS12()
^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/cryptography/utils.py", line 68, in getattr
obj = getattr(self._module, attr)
AttributeError: module 'OpenSSL.crypto' has no attribute 'PKCS12'
sounds like your python SSL library is broken
I keep getting this error when trying to generate the certificate and I've tried everything to fix it but I'm lost
do you know how i can fix that
this maybe
potentially your system just needs to be updated && upgraded
thank you very much, I'll give it a shot and see what happens
I know some things do need to be upgraded but it won't allow it; it says like 222 programs need to be updated but won't, or something like that haha
because you need to run upgrade after update
the only thing update does is check the repository for updates to installed packages, upgrade actually installs them
0 upgraded, 0 newly installed, 0 to remove and 443 not upgraded.
see, I just did sudo apt-get update then sudo apt-get upgrade and that came up afterwards
sudo apt-get upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
ark baloo6 bluedevil breeze breeze-cursor-theme breeze-wallpaper
bulk-extractor dolphin dolphin-data dragonplayer drkonqi ffmpegthumbs
frameworkintegration6 gir1.2-javascriptcoregtk-4.1 gir1.2-webkit2-4.1
says that then list all the programs then at the end shows the 0 upgraded, 0 newly installed and so forth
i think i might have figured it out ..
apt-get is heavily deprecated at this point
I need a help in password attacks skills assessment
I am already in the FILE01 host and I found some information in a folder in C:\ in a .xml file; now I am stuck trying to use it to go further.
is there any yt playlist that goes through certain labs
I'm stuck on Sliver, Probing the Surface. I can't get the reverse shell even after following the same directions. Is there an extra step needed? Edit: Just refresh the page to get the connection.
Academy labs or boxes?
I would start here: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
anyone done Nmap Scripting Engine
Yeah, working on that now actually, been stuck for a while trying to find the flag. Trying several script combos.
interesting.
I wish they had a yt channel that went over all the modules and labs they do
There is one yt that deals with free modules (but I can't remember what its called), however, any module that costs cubes there won't be guides because its against ToS.
And part of being in infosec is being able to learn independently, HTB Academy teaches a lot, but they also encourage finding answers on your own through independent research.
Hello, I have a simple university project for network security through Cisco; the brief is to make a full virtual network. If anyone has experience in this field, you can contact me
are you copying and pasting the flags? if so, make sure when doing so that there is no space after or before the answer.
I'll say this too: if you can afford it, pay for the annual subscription because it has the solution mode where it shows you step by step how to find the flag and answer the questions
Network enumeration
pentester path?
oh ok got ya
If that is unattended2.xml, it is useless, that file is in every windows academy machine, I guess used to setup lab.
Enumerate the machine and you will get creds for further access.
thanks for the tip, I was trying to use the password found unattended2.xml with a password spraying and it wasn't working
I will continue the enumeration
Looking for some help with credential hunting in network shares.. Looked through past replies saying to look at question but still not having any luck..
Never mind.. I was doing too much.. for anyone else, ignore the first question/answer.
Hey, I'm doing NMAP IDS/Firewall evasion HARD and I found the hidden port, but it changed from ||ibm-db2|| to “||tcpwrapped||”; is this supposed to mean something?
What have you done so far?
It means that you may need to connect with something else to connect
yeah i see what you mean
I finished it btw and it was my first ever module
Hi, sorry that I have to ask: I am at the SMTP footprinting lesson.. The hint says I should use the footprinting wordlist provided.. Where is it provided? I can't find it 😦
should be a button labeled "resources"
Found all debug keys but when sending
{
"message": "Invalid credentials!",
"status": "failure"
}
what does your request look like?
Hello! I'm just starting to learn and I'm in the "Introduction to Elastic Stack" module. There's this exercise:
"Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Discover". Then, click on the calendar icon, specify "last 15 years", and click on "Apply". Finally, choose the "windows*" index pattern. Now, execute the KQL query that is mentioned in the "Comparison Operators" part of this section and enter the username of the disabled account as your answer. Just the username; no need to account for the domain."
I try to get in from the browser on the VM, but it doesn't really work. Am I doing something wrong?
Where should I be doing that
did you spawn the target? [Target IP] is a placeholder for the 10.129.x.x IP that's spawned
yes, I did, that's why I'm confused why it doesn't work
also you'll wanna give it a few minutes to allow for it to fully spin up
Alright, I'll wait a bit then :)
Expected. If you look at the hybrid code one more time, you're missing one piece of information when constructing the http request.
can someone please suggest where I should start for hacking
I have zero knowledge, I'm a beginner, so I would like a beginner-friendly suggestion/small guide
Thank you very much for your help, I figured it out
Thank you very much for your help, I figured it out!
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@pine schooner ^
thank you for helping me i really appreciate it marcie
also your bio says you're 17; so gotta inform you that you need the parental consent form https://help.hackthebox.com/en/articles/9456556-parental-consent-and-approval-for-users-under-18
oh okay
@dusky rain don't spoil module content :)
Ok. didn't mean that. Will find another way to ask it
pls wait i have trouble loading the page
you can reach out to support on the hackthebox website to get the info as well
This is my own opinion (not an objection or anything but rather discussion): this is acceptable in some cases. However, in real-world app design things will be much more specific for each method based on the idempotency concept that is specified in RFC 7231.
i got it my laptop can load it
ye it depends on the implementation. but it's more niche
Agree.
Is it possible to get false negatives during a ping sweep, where a host (e.g., 172.x.x.x) returns "false" but I’m still able to RDP into it?
yes
How can we make sure we are not skipping any active hosts because of the "false-negatives"?
ill email them within a few days after i get the time to print it out
run the scan a few times to see, use external tools through the pivot (like nxc) to check.
In addition to what Lee just shared, we can use different tools that target different layer of the OSI model to correlate the result.
Ping sweep utilizes the ICMP protocol right above Layer 3 of the OSI model; we can use a TCP-Connect scan to see if we can get a different result.
Better yet, capture the network traffic so that you have a complete picture. @dusky rain
Thanks @fathom pendant
@full echo Appreciate valuable input. Thanks mate
In the "advance XSS and CSRF" skills assessment, do I really get the flag via an attack that takes about 40 seconds to trigger the result?
in the "Introduction to Active Directory" module, in the "AD Administration: Guided Lab Part I", it won't let me connect to the lab; it says I have the wrong password. I just wanna ask here as well to see if it's not a syntax issue on my part or something like that. I use the following command on Kali to connect, since xfreerdp isn't available on Kali and rdesktop is: "rdesktop -u htb-student_adm -p Academy_student_DA! <lab_ip_redacted>"
am I doing something wrong here? RDP connects but says wrong user\password...
I believe it is Academy_student_AD! instead of Academy_student_DA!
this is not what is written in the instructions but I'm trying it now, will update in a sec
nope, still wrong user\password
This is AD, right? Could it be that you'd have to provide a domain name before the user? You know, like INLANEFREIGHT\someuser
Probably not gonna be the solution, but worth trying I think
in the RDP window it shows the domain before my username, so I think it attached that automatically. I tried inputting that manually in the RDP menu as well
Use xfreerdp to establish an RDP session with the target instead
xfreerdp /v:IP /u:htb-student_adm /p:Academy_student_DA! /dynamic-resolution
And if there is a black screen just hit Enter, Space or ESC to wake up the computer/target
Hello, I'm working on ACADEMY-PWATTACKS-WINSRV. After multiple resets, ports 5985/5986 remain filtered on my target. I can't connect via WinRM to complete the task.
You have to configure WinRM to listen on the target machine; have you tried netstat to confirm whether the ports are actively listening?
The issue is that I do not have access to the target machine yet, so I cannot run netstat or configure WinRM from the inside. The lab challenge implies that WinRM should already be running and accessible from the outside so that the attack can be performed.
It helps to know the module and section
Password Attacks, Network Services
Also when you say the ports are closed are you trying to connect via winrm or are just scanning and they're "filtered/closed"
will the cubes i used for the modules will be in the account or what ? as we need the cubes for further reference right?
?
Cubes are tied to your academy account, yes
But I'm not quite sure what it is you're asking
on purchasing the cubes for modules, after using them, will they remain? as I see the support saying "There is no history of cubes usage, so you won't see it"
If you're able to use nxc to grab the password, it's open.
netexec winrm 10.129.103.91 -u /home/ruchit/Remote Password Attacks/username.list -p /home/ruchit/Remote Password Attacks/password.list
evil-winrm -i 10.129.103.91 -u /home/ruchit/Remote Password Attacks/username.list -p /home/ruchit/Remote Password Attacks/password.list
I had run both of these commands and nothing came back other than a blank line,
I then scanned the ports and it came back as filtered
Try changing vpn regions, making sure you only have one vpn process running, etc
Modules you get with cubes are yours forever
Alright, I'll update you
if you wanna start with making sure only one vpn process is running
sudo killall openvpn
then rerun your vpn connection command (this is assuming you're using your own vm, and not the pwnbox)
I have, I connected to another VPN from HTB.
I ran the scan again and the ports still remain to be filtered.
And winrm doesn't do anything? (It's helpful to use verbose options for debugging)
Nxc winrm*
Hold on, I'm getting confused now (I have done too much)
What exactly do you wanna see
Netexec winrm: does that run?
Yes it does
But I have run both Netrexec and Evil-WinRM, and both have come back empty handed
Well evil-winrm is just used to connect, it's not a bruteforce tool
You're better off dropping the proper tool on the host you're using to run the collector on, i.e. sharphound.exe
Oh rt mb, but my point still stands. Netexec does not work.. And I have spent an hour going on forums and ChatGPT trying to find a solution. And the only thing I can think of so far is that the ports won't allow me to connect to them.
Nxc can take some time to get the answer
Well, for me it took time, came up blank and spawned a new command line for me
If you wanna be sure and see, there's --verbose and --debug
If you'll give me an hour or so, I'll sanity check
There's binaries that already exist. And bloodhound doesn't care what language the collector is written in
It all gets zipped up anyway
──(ruchit㉿Ruchit)-[~]
└─$ netexec winrm 10.129.103.91 -u /home/ruchit/Remote\ Password\ Attacks/username.list -p /home/ruchit/Remote\ Password\ Attacks/password.list --verbose --debug
[11:56:58] INFO Socket info: host=10.129.103.91, hostname=10.129.103.91, kerberos=False, ipv6=False, link-local ipv6=False connection.py:165
[11:57:03] INFO Connection Timeout to WinRM service (max retries exceeded) winrm.py:117
[11:57:06] INFO Connection Timeout to WinRM service (max retries exceeded) winrm.py:117
INFO Failed to create connection object for target 10.129.103.91, exiting... connection.py:230
Hold on, let me make it readable
Did you try changing vpn from us ‐> eu or vice versa?
Yes I did, I changed it to US because it had a Low Load
I can try changing it again but I doubt it would work
Reach out to website support
Alright thanks
You can use bloodhound.py, if it's a domain joined linux machine you just need the valid credentials and dc-ip
😵
If it's compiled, you don't need internet access
You can probably find some compiled collectors online
Well, you can choose to learn so you can maybe understand some of it
Need help please. I do not understand what this question is asking. For the module on Footprinting -> SMB, what does "customized version of that specific share" mean? It could mean a million things and I have been poking around for way too long now. I just do not understand what is being asked... Please help.
It means the version that's running. It's obvious once you connect the dots between some information, i.e. information from querydominfo can lead you to the logical leap
OK - let me try again...
Well this server requires you to link your hackthebox account in order to access more of the server
The instructions are listed in #welcome
There's a link to the relevant page
Actually I see you're 12, so you'll need to be banned from the server until you at least reach 13 (per discord ToS)
Ping <@&861185840277487616> next time
thanks
If you have a pivot, you can run netexec ldap with the bloodhound option.
Add dns-timeout and the dns-server options
I recently published a video on this, but give me a second and I can send you some info. You can DM
Hello
where can we see the leaderboard of the ctf
Hi all, someone can help me on dm with Skills Assessment - Password Attacks
Before you run your page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains?
I've found the extensions and tried typing them in every order and structure imaginable, yet it still says my answer is wrong.
What am I doing wrong exactly?
WORKING WITH IDS/IPS
Snort Fundamentals
There is a file named wannamine.pcap in the /home/htb-student/pcaps directory. Run Snort on this PCAP file and enter how many times the rule with sid 1000001 was triggered as your answer.
Run snort on it with -A cmg at the end; there is a section at the end that says number of alerts (that's the right answer), but how can I be sure that all alerts were from the same rule, unless I manually count or use some other text matching? Has anyone had a more official way of doing it other than finding the number and trying it?
Guys hello, if someone has completed the Linux Priv Escalation Skills Assessment: I have found three flags already and found credentials in the third flag section but I don't understand where to go for the fourth flag after it
can someone guide?
If I write more details I will spoil the module
It's expecting
.ext1 .ext2 .ext3 .ext4 ...
Hello everyone
Do not send out unsolicited friend requests. Recommend reading over #rules
Hey everyone! I am stuck here, I tried everything and still get FAILED TO RUN SHELLCODE. The above server simulates an exploitable server you can execute shellcodes on. Use one of the tools to generate a shellcode that prints the content of '/flag.txt', then connect to the server with "nc SERVER_IP PORT" to send the shellcode. Any advice plss 🙏 last piece I tried: echo -ne "$(echo 4831c94881e9fbffffff488d05efffffff48bb9e8e87ee332aa15548315827482df8ffffffe2f4d636a88c5a448e26f68e1ebe6775f333f6a3e4ba6d7849569e8e879d5b2af702cad0edd56b25a455 | sed 's/../\x&/g')" | nc 94.237.60.55 31952
I randomly just decided to add another extension out of boredom, but it somehow worked ?
Imma send friend requests; it's either you accept or decline, but calling my request unsolicited, you must either be a newbie or English isn't your first language
For extension fuzzing make sure you test on all found subdomains
Unsolicited means it was unwanted/not asked for
I did, I even tested the original domain
He needs the definition not me
Moving forward
Did you do /indexFUZZ
You may have missed something then, it happens
I used the big extension wordlist in SecLists so I doubt that.
But whatever really
¯_(ツ)_/¯
Thanks though
The bottom line is this is not the server to spam others with friend requests or DMs without prior consent.
Okay can you move on already??
grep for the extension grep "^.extn$" password file
It's there, it's also available in the smaller extension file
Also I tried accessing index.extension manually for every subdomain and it's giving a 403, weird.
Weird
Folks, can someone DM about "HTTP Response Splitting" I would appreciate a tip
Sorry for accidentally deleting your message, counting messages is hard
all good
hello guys, I'm doing the file upload attacks module of CBBH; I have managed to upload the files, but when I try to access them it says "not found" on almost everything I tried that was successfully uploaded
I'm at the "Type Filters" section where I must bypass all filters
The above server employs Client-Side, Blacklist, Whitelist, Content-Type, and MIME-Type filters to ensure the uploaded file is an image. Try to combine all of the attacks you learned so far to bypass these filters and upload a PHP file and read the flag at "/flag.txt"
@median spire avoid spoiling module content, it's a tier 2 module
Also nullbyte uploads are a pain in the ass
oops, sorry
@proven gulch Read this page and submit the appropriate form
https://help.hackthebox.com/en/articles/9456556-parental-consent-and-approval-for-users-under-18
Alright so CDSA: https://academy.hackthebox.com/module/216/section/2300
Task:
Analyze the event with ID 4624, that took place on 8/3/2022 at 10:23:25. Conduct a similar investigation as outlined in this section and provide the name of the executable responsible for the modification of the auditing settings as your answer. Answer format: T_W_____.exe
This task took me much longer than it should have, and I am no stranger to Event Viewer, to figure out what it was wanting me to find; I eventually needed to "show solution", the shame, I know.
Anyways, as I was going through the writeup trying to understand what was expected, in the writeup we swap over to another event ID. This event ID is nowhere hinted at in the first event we are looking at, and I've got to say, after re-reviewing the material and the task, there is no logical reason that stands out for why we would have jumped over to the new ID in our custom query. Can anybody explain what was expected here for us to learn? I feel like most people would not have been able to make that leap in logic and it's def not explained.
Like legit, I would love to speak to someone who went through this module or a mod that might have more info on this; just DM me, because I don't want to get too spoilery here, but there is def a flaw in this specific module imo.
I had the same issue 😦
guys how to save file in vim?
Same as me? It makes no sense, right?
And if it does, it's certainly not explained why.
But that initial log in no way points to the other event ID with any type of correlation; you find the user ID, then custom build a query for that ID, then go through the logs, and none of them point towards why you would look for the other event ID.
Kind of maddening really; I really hope I don't get some questions like that on the exam that don't have a logical chain to them, because if so it's gonna be quite the experience.
hi, I have to ask again.. I had a lot of fun tinkering with IMAP footprinting in a lab environment.. I now tried the exercise, but it seems like all mailboxes are empty.. I even tried to unselect before selecting a new one..
Hmm, not sure, that one worked for me out the box.
yes
I have a proof screenshot but dunno if I am allowed to show it
No, I believe you, and I don't think it's showing answers, so I would assume it would be fine.
I would say go for it and post it, but I am not a mod. As long as it doesn't show a screenshot of the course material itself or a flag answer, I'm not sure why it would be an issue.
Else how are we supposed to help anybody here lol.
oh, it's not allowed I think.. I guess I will reboot the target machine to see if it will regenerate a new one.. even if I don't like to search for the error elsewhere
Remember what the password policy states and does your list along with the custom rules create anything that meets those requirements? Since this content is over Tier 0, I am deleting the screenshots.
can I maybe PM you, so that I don't write a false-positive support ticket? 🙂
Some passwords generated fit the policy, but I'm not sure how to make it better as it still doesn't find the password for the hash
So is that the rule of thumb for future reference? If the material is over tier 0 no screenshots?
That's what I understand.
maybe i search a bit more..
You can send me a DM and I can explain some things, but from my experience performing pentests and harvesting creds, I've come to see most folks hit the requirements by using things easy for them. For instance if a requirement calls for a number and special character it is usually 1! and that's not all the time, but it is very common. Another trend I come across are people using a year or zip code (US) and a special character so something like 2020! or 25879!. Those patterns aid people in meeting length, numbers, and special characters. So I would take that into consideration when either creating a ruleset and wordlist for this section.
If I ever worry that a nudge or conversation is going to potentially cross the boundary with content over Tier 0, I simply go to DM.
For this module specifically, if you do exactly what they tell you, you will get it I found.
But it's super exact lol.
Guys, in Linux Priv Escalation, Hijacking Python Library, I can't save the file in the directory using vim?
Are there any other options
?
crazy.. some command I tried on the new machine did not work on the old one.. must have had a typo...
THX for the help ❤️
walk through the investigation as shown in the section, following the similar format
there were correlations within the file that you'd link beyond the initial EventID
I'll add these to my list and try a few other things too, thanks
Cool deal. If you end up still stuck, feel free to send me a DM and I can check some things out for you.
onboarding passwords tend to be <Season><Year>!
I remember coming across 40+ accounts that still had something like Welcome1234! lol
ChangeMe123!
Would love to talk with you about this later if you don't mind. I already logged off for the day though.
But if you have time later would you mind speaking more about this one in a DM?
i would have to rerun it myself to be more helpful, but i recall it just being a (mostly) plug and play of the investigation from the section.
That’s fair. If you get a chance to review it, ever, let me know; it’ll be a lot easier for me to explain my specific qualm with it. I would put it here, but given we shouldn’t be getting that in depth for modules above tier 0, it makes it difficult to explain what I mean exactly.
if i recall, that section has a LOT of screenshots
(which i'm not a fan of to be clear)
The screenshots are even missing a step on the specific thing I’m referencing
It’s legit draw the owl status
Hey! I'm doing the Password Attacks module and I'm currently at the last question of the "Pass the Certificate" section, ||I set up an ntlmrelayx listener ||but keep running into the same error:
link: https://academy.hackthebox.com/module/147/section/1335
it's likely your impacket is outdated
I got it, very frustrating, I had to keep trying after I solved it just to understand why I got it, for the future xmlHTTPRequest and fetch works - both tested
https://academy.hackthebox.com/module/113/section/1217
Attacking Common Applications
For the question ( Find another valid user on the target GitLab instance. ) which list is the one I should use? I tried xato-10 but it's been running for maybe 40 mins and found 3 other users other than the ones on the module, and none of them work
How much time is it going to take for it to give me the correct user? or am I even using the wrong list?
Anyone available for password attacks skills assessment question?
did you try all caps for the answer?
also i suggest trying the cirt wordlist
It worked
I don't know why that was not mentioned?
I thought the users I got were wrong since I got like 3 more
@true finch ^ see if any of these hints are useful
@karmic raptor don't spoil module content
I've got the creds, having trouble authenticating to any open protocols
you can use a list of hosts with nxc
Can I dm you what I've got?
not taking dms atm
Alright
Guys hello. I am really stuck on Python Library Hijacking. I am trying to save new file in directory but I am not allowed to save it. Can you guide?
you may not be able to do everything described
I understood this already
any hints?
it tells me that I have to write the file in the given directory but may be some different directory?!
@fathom pendant not sure if you're aware but you might want to update this:
It’s probably contributing to getting DM bombed or why people ask you.
?
Your about on your Discord profile says to DM you
yeah for Info regarding the Mentorship/Tutoring
I was just saying, if you don’t want that, I’m not sure if you forgot to update that or not; it might be contributing to unwanted DMs
Ah
I filter out my DMs regularly; I actually don't get randomly DM'd that often
Hell, I get DM'd pretty consistently for the most obscure stuff. I don’t mind people who DM me, but sometimes I’m like, how the hell did you find me to ask that question lol
But yeah, i also don't push it that much due to the fact that I'm a mod and I can understand how that looks, especially because most people don't know that mod != staff (some mods are staff though)
I'm struggling with Cracking Protected Archives. I believe I have the right command but it keeps aborting: "No password candidates received in stdin mode, aborting"
Can I send my command to someone's DMs for review?
Yea
you're running hashcat yeah?
Is it the zip archive?
Zip to John it then cat that to a hash
Then crack that hash
That whole module is specific when it comes to whatever conversion you’re doing for cracking
So you have to convert it out it will show you how in the material
it's an xlsx file iirc
wait protected archive
i'm dumb
i was thinking the previous section
i'm currently combing through the module to update notes
Yes, I figured it out, I didn't supply the wordlist haha. I was kind of going from the preview commands, but the wordlist was after the hash so it didn't show and I wasn't thinking about it
An office2john then
it was a bitlocker protected VHD
Dude I did that one time on a hash and walked away and came back and my computer was overheating when I came back lol this was with JTR
Ohhh that one, that one was fun
oh @tropic wind when you're going through unmounting the vhd, also do sudo umount /media/bitlocker/dislocker-file
Getting that damn archive to mount properly was making my eye twitch at first until I realized I was making a typo
that's after you get the flag, of course
I'm struggling with the mount currently haha trying to figure it out
Funny enough I messed this part up and unmounted in the wrong order and it soft locked my mount points I said screw it and rebooted my machine lol
follow the mount steps in the last bit
The dev loop shit man is confusing
from losetup to the rest
So when you run that command it creates a loop device
@htb[/htb]$ sudo dislocker /dev/loop0p2 -u1234qwer -- /media/bitlocker
is giving me trouble lol
You have to note that loop device and mount to for example dev/loop1pt1
Guys I am having a hard time solving the
Password Attacks: Credential Hunting in Network Shares section
I am not able to answer the last 2 questions
I tried snaffler.exe -s
and the PowerHuntShares ... returns too much stuff and a lot of error messages
also on a side note does anyone experience netexec NETBIOS time out issues??? I am facing them a lot...
Anyways I would really appreciate if someone assisted me with the 2 questions of the module
Mon Jun 30 13:59:00 2025 [CRITICAL] Failed to open /dev/loop0p2: No such file or directory
ok let me try that
Nah look at the one it made for you
use lsblk to see the loop devices
ah now i see, thank you
It will def be pt1 that you need
I didn't get an output so I wasn't sure lol
also
That one was legit fun but I struggled on the mounting at first too ngl
you'll want to change the -uqwer1234 -- with the -u<crackedpassword> --
got the flag, thanks
i realized that too when i was trying to read how the command worked lol thanks!
yep just don't forget to unmount after you're done :)
always get in the habit of unmounting devices when you're done with them
guys please help me on this...
hi everyone, I'm stuck at AD Enum & Attacks module, DCSync section. In question 2, "What is this user's cleartext password?", I try to run secretdump and chisel to target 172.16.5.5, but [-] RemoteOperations failed: [Errno Connection error (172.16.5.5:445)] timed out
[*] Cleaning up...
help me pls thanks ...
Not sure if it's just me but in the SMTP portion of the Attacking Common Services module, I've had to restart the target 3 times because it kept crashing, I managed to get the flag though. Might want to look into this?
patterns are useful
do i need a different keyword for pattern like 'domain' or something other than 'passw'???
what is the domain (also all caps for it);
Whenever I have to download files from the pwnbox it continues resizing the window because of the pwnbox preview on the module page I'm currently working on, is there a way to not make this happen cause it's extremely annoying lol
there is not
it's an unfortunate thing that you gotta deal with whenever you change the pages in academy
it's because it draws the screen size from the last loaded thing
INLANEFREIGHT.LOCAL ig
and i also couldn't find the share, how to do that? snaffler.exe sends too much info
whatever shares are accessible i tried but it doesn't work
you don't need the .LOCAL
I see the only possible directory to write psutil on target is home directory but still can't be root
I assumed so, it's bearable until I have to download a file from it because then it'll resize itself every half second and it's an aimtrainer
just refresh the vnc page when it does that
if you're having issues with nxc timing out though i believe that there's a --timeout option
well i accessed the windows machine using RDP then used snaffler.exe which showed the network shares available
and now it's asking "One of the shares mendres has access to contains valid credentials of another domain user. What is their password?"
I tried all the accessible shares but I just don't know which one it is ... and the netexec in pwnbox doesn't work either for spidering the network shares
and the --timeout option, are there any values?? like seconds?
you can also try messing with different vpn regions (i'll be releasing a tool soon.tm to assist with this from CLI)
--timeout is in seconds, yes
unfortunately this doesn't work sometimes. I used --debug and just after attempting to establish a connection with SMBv3 the connection gets timed out ... I don't know why that happens
I set --timeout 9999 but still failure, somedays it works rest timeout
how familiar are you with powershell?
also i don't think nxc will work because i don't think fileshares may be running on that server
so that may be part of your issue
powershell ? not much i can do basic file read write and directory navigations
I think i had to copy a powershell script to disable the AV so that I could use the PowerHuntShares script
so -Recurse can be helpful, and Select-String is Powershell's version of grep (sort of)
Yo what's up, I'm new to this server
Oh ok thanks
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@molten creek ^; don't dm people without consent
my bad
Ok guys did everything correctly but still I am not root
I'm sorry but I don't get how to see this identifier
so i just checked and spawned a target, i take it you have already tried resetting the target? because snaffler wasn't empty for me
ye i double checked; nxc would 1000% have made it a lot easier (deleting the message because spoilers)
Get-ChildItem \\path\to\share\ -Recurse -Include "*.*" | Select-String "caseinsensitivesearchhere" with powershell
@flat halo if you want the powershell command to help
it might seem crazy what i'm about to say:
You'll need to link your account via the #welcome instructions
Pretty handy
How do you access #general
scroll up a little bit i've already said it a couple times in this channel, very recently
Hello Guys!
I'm on the password attacks module where i have to extract the onedrive password from mcharles.
I currently have full access on the target, including NT AUTHORITY\SYSTEM and all active sessions using sekurlsa::logonpasswords.
Despite this, I'm unable to extract or locate the OneDrive password for mcharles.
I've also explored the vault paths (vault::list, vault::cred) and attempted to load .vpol files without success. Is there another path or method?
The very last Note in that section provides 3 other tools that may be used. The provided Hint also provides information that might be helpful, however that all depends on how you decide to work the lab.
I'm doing the LLMNR/NBT-NS Poisoning - from Windows section of HTB Academy for AD Enumeration and Attacks module. xfreerdp won't connect to the HTB Academy RDP server. I tried with first recommended VPN connection file and then with a different one, same result. I tried resetting the target it still didn't work. I tried putting the username in quotes and tried putting it with no quotes. Same result. It always gives me this:
└─$ xfreerdp3 /v:<SNIP> /u:<SNIP> /p:<SNIP>
[16:40:27:519] [114789:0001c066] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: : keycode: 0x08 -> no RDP scancode found
[16:40:27:519] [114789:0001c066] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: : keycode: 0x5D -> no RDP scancode found
[16:40:30:692] [114789:0001c066] [ERROR][com.freerdp.core.transport] - [transport_default_write]: BIO_should_retry returned a system error 32: Broken pipe
[16:40:30:692] [114789:0001c066] [ERROR][com.freerdp.core] - [transport_default_write]: ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[16:40:33:782] [114789:0001c066] [ERROR][com.freerdp.core.transport] - [transport_default_write]: BIO_should_retry returned a system error 32: Broken pipe
[16:40:33:782] [114789:0001c066] [ERROR][com.freerdp.core] - [transport_default_write]: ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[16:40:33:782] [114789:0001c066] [ERROR][com.freerdp.core] - [freerdp_connect]: freerdp_post_connect failed
Can someone help me out here? I got an RDP connection for like one minute but then I was immediately locked out and it won’t let me rdp back in.
Can individuals do business pro labs, i wanna learn cloud pentesting from the Blacksky:clouds lab
hi, can someone give a hint or any help about the Password Attacks module skill assessment? I logged in and made a thorough scan, saw some stuff, don't know what to do next
ok so now look at previous sections in module depending on which ports are open and see if any of those are the same as the ports open in your scan in the skills assessment
then go through that section and see if there's any useful password cracking information (looking at multiple sections might be necessary)
good luck
that doesn't look like a connection error to me
no, individuals can't do enterprise labs
i'll see it
ok
i suggest setting up a pivot
Quick question, if I'm having technical issues with tools on PwnBox during the exam, where would I best send this to?
The Intruder in Burp Suite keeps giving me this popup about throttled attacks in the CE, yada yada.
Problem is though, that if I close the popup, Intruder closes too. And I cannot scroll the results with the popup open.
It works on my Kali machine, same popup, but I can just close it with "ok", I'd just prefer to stick with PwnBox for logistical reasons atm..
website support
Need some help? Learn how to reach the support team on Academy.
thanks!
Anyone stuck on the LLMPics assessment in the AI Red Team path?
(lol, looks like I butterfingered on modules here, I thought I had clicked on the cbbh channel, apologies for off topic ^^')
Hi anyone know what to do about the issue I asked about an hour ago?
Thanks
Transport failed, sometimes it's just a case of restarting your vm and it just works™
I tried that already
¯\_(ツ)_/¯
And I tried two different vpn connection files
AND I tried putting the username in quotes vs not in quotes
And for each vpn connection file I tried twice, restarting in between each time
I know my Kali VM works
So that’s not the issue
Hi
What does your proxychains4.conf look like?
Idud u
I'm new to Discord and servers 🙂
Still having issues?
I'll check things out in a few minutes if you'd like.
Go ahead and DM when you are ready.
Thanks for the hint!
I tried all three tools mentioned. One ran successfully with full admin access on the target, but the loot folder was empty. Also used mimikatz to dump DPAPI masterkeys and vault creds, and checked the usual AppData paths for mcharles, but still no luck.
One of the tools you've mentioned worked for me, did you bypass UAC to launch cmd as admin?
I have full system-level access
If this is true mimikatz should've lit up like a christmas tree
Did ya do an lsa dump?
Yes, I did a full sekurlsa::logonpasswords dump with Mimikatz
Did ya set the debug privilege?
yes
Try the other lsa one, forget the exact command for it
Well you can DM if you are still stuck.
Keep working with W1LD though, since that help was being offered before I sent that.
thank you man from both of you
Did you try it?
-Intro to Academy
-Learning Process
-Linux Fundamentals
-Introduction to Web Applications
-Web Requests
-Introduction to Networking
-Getting Started
-Setting Up
i finished them all, and now I'm lost as to what to begin with
No modules cover it, but you can use it if you want
If you are just doing tier 0 modules,
Windows fundamental
File transfer
Introduction to active directory
But really it depends on your goal, there are some web attacks modules like sql injection, file inclusion, some blue team modules like JavaScript deobfuscation, traffic analysis, and some red team modules. I would suggest you take a look at job role paths.
You may want to look for information security foundation skill path
ok completed the section I was working on today. had an issue with too many tun interfaces up.
easy fix. the actual section itself was ezpz
thank you, i just got stuck on the Getting Started hacking Nibbles box, and got frustrated
Ngl that box is weird, ain't nobody just gonna guess that pass, and given it has a fail2ban system on the website login it can't exactly be fuzzed easily
Path: CPTS
Module: Files Transfer
Section: Living Off The Land
Question:
when I try to download a file via openssl (I did create the certificate and stand up a listener on port 80)
but on the client side, I'm getting this error:
$ openssl s_client -connect 127.0.0.1:80 -quiet > LinEnum.sh
Connecting to 127.0.0.1
Can't use SSL_get_servername
depth=0 C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=127.0.0.1
verify error:num=18:self-signed certificate
verify return:1
depth=0 C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=127.0.0.1
verify return:1
I'm trying this on my local server, so I don't think it should be a problem (also tried doing it on the pwnbox)
but I always get this error.
what am I missing here?
I am not sure, but I think this may be due to the self-signed certificate. If that's the case, you can pass an argument to disable certificate verification or get a certificate from, ig, Let's Encrypt.
it is because of the self-signed cert, but can't find a way to tell openssl to ignore that 😅
Did you locate this file /etc/proxychains.conf and add 1080 at the end ?
I tried this solution but it also didn't work.
Try adding -verify 0 to openssl s_client
this doesn't work because -verify requires a positive integer (and 0 is invalid)
openssl s_client -connect localhost:80 -quiet -verify 0 > output
s_client: Non-positive number "0" for option -verify
s_client: Use -help for summary.
Thought so, google suggested it so I thought might as well try, not on pc right now, might try later
-verify is the server depth to verify CA chains
ncat --send-only --ssl --ssl-key key.pem --ssl-cert certificate.pem -l 127.0.0.1 -p 80 < test.txt
ncat --recv-only --ssl 127.0.0.1 80 > out
this alternative works well, but I was curious why openssl didn't work
can you specify the key.pem file with -cert key.pem ?
yea that also didn't work
Just finished attacking web applications with FUFF
Could not find client certificate private key from /home/kali/Documents/htb/academy/file-transfer/certificate.pem
the reason ncat may work and openssl may not: is likely more simple as: they work differently under the hood
I mean the module didn't mention anything about this error, so I thought it should work as it is
FFUF*
idk if it's just me or the content of CPTS needs some updates?
i would say if it's not working, then maybe move on to other options and not get too bogged down in it not working. I get wanting to get something to work, but sometimes you start getting too far in the weeds to make it worth it
they'll update it much quicker than OffSec updates OSCP. ippsec probably already thought of that.
totally agree
tbh
I wouldn't even compare CPTS to OSCP
ya because CPTS is objectively better
so far it's the only thing I had issues with, other than that the modules are just perfect
and I also don't like Offsec, and they suck
I agree with you 100% its objectively better

I was just saying because I thought you might be someone that compared the two
and I didn't know if this was a constructive criticism or a complaint or whatever
I agree that CPTS is objectively better. That's why I'm doing CPTS now.
the only reason to do OSCP is industry recognition
I'm not taking OSCP
if you really know your shit you don't really need it
took one offsec cert and that's it, their student support is LITERALLY 0
ya I believe this
the only reason I would ever consider it is if employers never start looking for CPTS certifications
they just tell you try harder to avoid giving any type of help/support 
that sounds frustrating
I'm gonna ask we curb the OSCP talk, especially because it's off-topic of this channel
agreed
pretty much most of the stuff still holds, but if you have specifics from a module /feedback is a good place to drop thoughts on what you think should be updated
#1234357888114364508 if you feel something should be added/fixed for a module in particular
it looks like there's the -CAfile option to force it to use a specific file for the CA verification
https://linux.die.net/man/1/verify <- you can use this to verify cert stuff
I used it like:
-CAfile /path/to/certificate.pem and this happened.
Connecting to 127.0.0.1
Can't use SSL_get_servername
depth=0 C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
verify return:1
and the file written is empty
solved it
after doing some testing, it looks like you need to restart the server each time
yes, that's what I was missing
I don't even need the -CAfile option.
output was to test2.txt
deleted my ticket on erratum 😅
well there is an argument to be made that it can be made clear that it's an info message and not an error message
now I know exactly why it didn't work.
I did some google search and found that you can add verify = none to /etc/ssl/openssl.cnf
I added that but didn't restart the server afterwards, so I got the error message and the file written was empty.
all I had to do was restart the server and it works fine
don't even need to do that
the "error" message is just an informational message
yea I don't, but when I first tested it, it didn't work for some reason, so I just started doing random modifications hoping that I can get it to work
my screenshot above is no edits to the /etc/ssl/openssl.cnf, it's just an informative message telling you "hey, this server's cert may be self signed" (no different than when you connect to an https server in the labs sometimes)
I tested it again but used ncat as a client.
the thing is, this transfer method works ONLY once.
you have to restart the server in case you want to download (the same file) again.
Do you think it's a good idea to request adding a note? something like (This method works only once)
@vernal storm that's not what this server is about
What have you done so far?
What is the current payload?
the module is above tier 0 so discussion of payload stuff should be taken to DMs to avoid spoilers
Need help, found the flag for sqlmap essentials skills assessment but it’s saying it’s incorrect when I submit it. Pretty sure it’s the right flag though
I shall try again tomorrow
is it
- custom terminal
or - they just used paint or something to create it identical
or
3. confused coz of the <password Redacted> thing?
module - reporting and documentation {Notetaking & Organization}
Idk, I think https://carbon.now.sh/
Hi guys .
Just a question , beginner here
i am going through Setting up module
Do i need to install VM of all , or just try each one out?
at minimum, you need an attack host (can be anything: parrot os/kali/black arch, even ubuntu/debian), and I think a windows vm will be helpful in specific cases.
Rest is up to you, if you have specs go for it.
Ok , i did set up Parrot OS , would that be the attack host?
so do i set up a diff VM to be a target host ?
up to you but in htb, you get the target host as labs in academy, machines in main app, etc. you can also try vulnhub for vulnerable vms if you want
Ok, so this is all new to me, I'm learning from the start. It's way too much information, so it's a bit overwhelming
So for the Setting Up module, I set up the VMs and play around?
you can, but setting up module as far as I understand help you understand how a professional pentester ideally would setup their tools, VM, VPS, etc.
You can just read, setup according to them, but I personally would not spend too much time on it. We have to revisit it in future anyway 
If you wanna know how the HTB academy is structured, there's the "Introduction to Academy" module
The setting up module is a reference book, not a guide
I am doing this pathway a "Information Security Foundations"
@winged field not what this server is about
Thanks man, yea it can be reproduced with it but it's such an annoying process 😭 will try to customize my terminal to look like that haha, otherwise I'd have to use this site : )
i mean if you want ugly ass terminal background, go for it
if you wanna get into some ricing: https://stackoverflow.com/questions/4842424/list-of-ansi-color-escape-sequences
HELLO, there are also some tips like this......... do we need to follow this? like if we ignore this, will it cause any problem in the future?
I would definitely follow such advice. It contains information about further attacks.
OK understood
Isn't this in Linux Privilege Escalation module section Special Permissions wrong?
It says to find setgid binaries use -perm -6000? 6 here means both setuid 4 and setgid 2 bits are turned on.
it's a fuzzy match, not exact
nope its exact match confirmed it
rustykey, it may be hard
Hello
hello
Thanks
hi, Somebody help me question 2 on module Active Directory Enumeration & Attacks (DCSync)
Can someone help me with something?
with what?
Someone keeps on hitting on My Wife
How do you mods deal with this? 
He is clearly trolling; see #cwee
can anyone help me with
Credential Hunting in Network Shares damn stuck here for so long
patterns can be helpful
also don't crosspost
it's hard to be more specific about what to help with without knowing more about where you're stuck at. i.e. did you get q1? or are you stuck on q2
ignore them
so i was doing this question "One of the shares mendres has access to contains valid credentials of another domain user. What is their password?" and after i got the Snaffler results with shares i couldn't find anything valid inside them
snaffler may not give you results, but you can see where to point something like a spider 😉
do i have to manually check all the share files it points to?
nope; it shows you more specifically what folder/subfolder you may have access to in the share it does show
the 'pattern' to look for is hinted at in the question: the domain (minus the .local), you'll need to use all caps if using a tool in linux
i am sorry, i am new at this, trying to do my best but kinda lost here. thank you for the help, ill try with that hint, really appreciate it sir
don't call me sir
okay noted
i suggest looking back at the section for a way to use a pattern, or you can use some windows CLI knowledge, like with Powershell, to search for the pattern (case insensitive)
okk thank you ill do that now :))
Hi guys i am stuck in the "Attacking active directory and NTDS.dit" section at the 3rd question
that's not a module, that's a section
doesn't matter what usernames wordlist i use, kerbrute keeps testing only 21 usernames
well for one you should be using username-anarchy to create a potential username list for the person in question
secondly the kerbrute syntax is
kerbrute usernamelist -d domain --dc ip output.txt
./dist/kerbrute_linux_amd64 userenum --dc 10.129.202.85 --domain inlanefreight.local ../usernames.txt
that's the command I used
and here is the result every time I run it 2025/07/01 04:50:20 > Done! Tested 21 usernames (0 valid) in 0.201 seconds
I'm stuck at the same point, did you resolve it?
In the section "How to Write Up a Finding" of the Module "Documentation & Reporting", the author of the section assigned the finding "Kerberoasting" a CVSS 3.1 score of '9.5'.
How did the author come up with this score?
When I was practicing writing findings, I tried to also do it for Kerberoasting, but it seems like the CVSS score assigned to it, isn't universally the same everywhere.
Is this score assigned on personal opinion about the situation?
no, bro
CVSS is generally a "personal opinion" score
I am a new starter in the Hack The Box scene. I am thrilled to have completed my first VIP Tier 0 lab. I know it’s only small fry, but got to start somewhere. I got a question?
@wise galleon #1318239802931286066 ; read and follow #welcome to access, but you may be able to find a team there
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
oh.. well that explains everything then. My thanks.
there's some factors into it; but that's more nuanced
Hi I need help, my company system was hacked and all the files were turned into XERT files. Is there a way to revert them back to the original?
I really need the data but the key is with the other party and no other software is there to decode the file
Contact law enforcement and have a cybersecurity specialist investigate the incident.
They will take 15 days to analyse the file so I am exploring options and people who can help
this isn't a hacker4hire server
and secondly it's not like some random person is gonna be able to bruteforce the key
Any recommended community or services?
third: this is why maintaining backups is important
since you said it's already being looked into, no
No one here will be able to help you. Have a cybersecurity specialist investigate the incident and restore the data from the backup.
Ok thanks
anyone that says they can help you with this, are generally gonna be scammers
Where can I Rate the modules i did, I am planning to give a 5 stars btw lol
Once you have completed a module, you can rate it.
Sorry but where exactly?
I am on the module overview page, and I don't see any button to rate anything
Oh!, thank you so much
I am using Kerbrute this is my error 2025/07/01 06:32:12 > [!] Car0l.j0hns0n@inlanefreight.local - KDC ERROR - Wrong Realm. Try adjusting the domain? Aborting...
does it mean that the domain used is incorrect?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@frail walrus ^
Nobody had an experience. Register at HTB and study
cause then i don't know what domain to use. It has always been the same domain since i started HTB.
ad enums and attacks? module?
in the "Attacking Active Directory and NTDS.dit" section
gimme 5 mins will help
try using different user maybe?
Hey i need help pls
with what @cunning pivot
i don't think it's the user cause all users give me the same output. i just sent you one line of the kerbrute result but i have 21 lines.
With password wifi
But im english Im dont speak english its hard for me
Yes i know
@cunning pivot do you need help with module from Hack The Box?
I need help i can working i dont have wifi and My 4G Its later die
Are you stuck in the final Assessment part? because chisel is needed there.
can u dm the screenshot of output?
Did you try using any of the provided resources in the scenario?
we all did lol
Hi,
is there a module on bypassing EDR other than Introduction to Evasion?
can you help with the last question
Is that the one with x.x.x.203?
yeahh
- Subdomains of subdomains
- start with a small list first
ls -lSr sorts in ascending size order
don't focus on the subdomain from the previous questions
If you need a starting point, zone transfer to the base domain
And look at the A records there*
| Command | Description |
|---|---|
| dig ns <domain.tld> @<nameserver> | NS request to the specific nameserver. |
| dig any <domain.tld> @<nameserver> | ANY request to the specific nameserver. |
| dig axfr <domain.tld> @<nameserver> | AXFR request to the specific nameserver. |
| dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld> | |
That's not how dnsenum works
Well not entirely
You can specify sub.domain.tld
u already said
-o is the output so it's not reading a file
-f is the file to use when bruteforcing so it'll use line1.domain.tld
It's not necessarily 200 codes
i am just gonna brute force with the top1million-110000 file
The word isn't in that file. I'm gonna save you the hours of your life there
?
bitquark?
Start small, go bigger
what's that
dig word.domain.tld @dnsserver
Nah. VPS isn't really required. And speed isn't all too relevant
VPS = Virtual Private Server
Not entirely
I don't think it would help much.. from my experience it's the service scanning that takes time. And that's determined by the target server
Speed isn't everything when it comes to scanning ports/services
is there a way to dig to it
No, you gotta use dnsenum
Well, gotta is strong here
whats the reason
You can utilize a for loop with the wordlist and dig
noon guys, I tried my best not to ask for help but rn i'm feeling pretty dumb. I'm struggling to understand why my nc is not receiving the response from burp? and yes, it is connected to the vpn D:
just do nmap -p- IP and nmap -p 1,2,3 -sVC Ip if u want to be faster
Why are you specifying the dateserver as the target?
Min-rate can cause things to be missed if the service is slow to respond outside that window
Or generate false positives if it's a proto that doesn't respond to requests/accepts the scan request but doesn't say the port is down
I.e. dropping the packet
manual proxy issue maybe?
Following the example on the module
I don't think so, i was able to send other requests
How are you expecting a callback if it's not calling to you
Server cut you off then
Also are you verbatim copying the example?
As in copying the exact ip from the example?
Ah nvm I see it's the same ip in your request
Guys i need help in reverse engineering
send error
NS record query failed: REFUSED
I said earlier: stop focusing on the previous subdomain
Just because some of the other domains from the base zone won't work, doesn't mean they'll all fail
Also: spoilers
Module is tier 2, be mindful of sharing spoilers
Try changing the dateserver ip to your tun0 ip
Anyone ?
I used burp and frida to bypass ssl pinning
But the app is either cutting me off or just giving an androidmanifest.xml file error
And idk how to get into that
You're trying to route through a reserved port (22)
What module is this for?
If it's not for an academy module; read and follow #welcome to access #binex-rev @atomic wasp
It has nothing to do with htb academy module then.
Okay i’ll do so
Got it
Hi guys, I'm stuck on the advanced deserialization skills assessment, can someone give me a nudge?
at what part are you stuck?
Thanks for the reply, I'm stuck at the token reversing part. I'm pretty sure i got the exploit part correct, but i can't reach the vulnerable method. I tried decoding some variables during runtime, but that didn't do me much. So far i have realised that i can pass the token in a header and it then gets decrypted, but i don't have the secrets for the aes algorithm and i didn't manage to obtain the token value.
yea you need to reverse the dev token first. Sadly I only wrote down the final token value and not how I reversed it in my notes
Oh okay, thanks. Just to confirm, this class was also obfuscated for you?
mmm I don't remember anymore :X
Ok, at least i know I'm on the right path, thanks 🙂
i'm having trouble grasping the concept of active directory any guidance? more visual material etc?
did you check the active directory module? https://academy.hackthebox.com/module/details/74
For the Session Hijacking section of Cross-Site Scripting (XSS), i got everything set up but how do i get the admin to visit the page for me to get the cookie?
Is anyone available for an assist with password attacks skills assessment?
you can dm me
@craggy edge that is where i'm coming from xD
i'm working on the 4th topic for this module, maybe i'm just a bit overwhelmed with the complexity of AD
I would suggest watching YouTube videos that are geared towards sysadmins, to better grasp the general concept and use case
I guess you don't come from a sysadmin background then?
Thanks, by the way what challenges did you face while going through AD module?
I didn't do the module you are going through right now. Only the one required for the Pentester path (cpts) "Active Directory Enumeration & Attacks"
Well i was talking in general like what challenges did you face while grasping the essence of AD?
Understanding in depth how kerberos authentication works, which ticket does what, which information was required for what ticket, and ultimately what kerberoasting was really abusing
Thanks, i'll keep that in mind !
All I can recommend is to really go the extra mile and put additional effort in really grasping the concepts
Otherwise it will bite you in the ...
Yes i get what you are saying, believe me this is true. i failed CEH around 3-4 years ago with 64% without even grasping the fundamentals like Windows OS fundamentals, CLI etc, that's why i'm planning to start fresh.
I have done 6 referrals to get cubes for my htb account but I didn't get one cube. How can I get cubes for referrals
i did the pivoting part and wonder if you could help with it specifically, cause i enumerated it and can't see a way in
Yaaaawn… waiting on this PIN number brute forcer… 😠
history is an important subject for the first step forward 😉
really nice but i already got through and had problems. turns out it was from the hackthebox servers, once i changed i got access as h
Not sure where to post feedback, but I just finished the Attacking Common Services medium skill assessment and I thought it was a lot easier than the easy one (which was also easy)
The hardest part was figuring out that I need to restart the target because the necessary service(s) didn't start on the first target I spawned and I wasted a lot of time
I know I must be late, but using ffuf was way better.
/feedback
@wheat breach i already told you previously about spoiling module content, and i also told you your other issue. The username is spelled wrong
thanks
how the hell is the password wrong? trying everything but still couldn't connect
did you try quotes
I don't know that exercise I've just had that issue a few times
single/double quotes
yeah I tried both " and '
try with xfreerdp
Did you try to escape ! with \
xfreerdp + single quotes
lol I literally tried this with my friend and still couldn't
sorry man i don't know what's happening 😬 😅
trying every damn way for 30 mins
😄
re-read the username from the thing, and what you're putting in
you got some letters swapped around
Wasn't it so that rdesktop isn't capable of pass-the-hash? If so I would switch to xfreerdp asap
rdesktop, I think, is capable of PtH.
Ah okay, didn't remember that
nah looking at it it looks like rdesktop doesn't have an option
xfreerdp /v:10.129.49.115 /u:htb-student /p:'Academy_student_AD!' /cert:ignore
should I put single quote to username too?
just tried \
module/section?
also it could be because you're running around as root
Academy - Active Directory Enumeration & Attacks - LLMNR/NBT-NS Poisoning - from Windows
I'm also gonna heavily judge you for running around as root, that's bad habits.
Yeah, that's right.
it helps to see the full error you're getting as well
Please, some help.
I was able to RDP in just fine with the creds.
it helps to know the module and section
not just "please help"
but that looks wrong just from the outset
nmap / Firewall and IDS/IPS Evasion - Hard Lab
yeah that's definitely wrong
ik
reread the dns proxying subsection from the IDS/IPS evasion reading section
genuinely don't know how you got that string 
stuck at AD enumeration module in Attacking Domain Trusts - Child -> Parent Trusts - from Windows
the question is
Perform the ExtraSids attack to compromise the parent domain. Submit the contents of the flag.txt file located in the c:\ExtraSids folder on the ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL domain controller in the parent domain.
but i can't even run mimikatz because i am getting this error ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)
tried some ways but i kept getting other errors lol
can someone help?
did you privilege::debug ?
that command also throws another error XD
privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061
doing everything in pwnbox btw
did you run powershell as administrator?
I am currently on a shared internet network in library. Could that be causing the error?
nah, lemme try that
bruh it worked
tysm
it shouldn't be causing an issue if you're the only one using your vpn, if you were able to rdp to other sections just fine with the same connection, then that's likely not the case
:)
it's the simplest solutions
@fathom pendant thx. I could have lost a lot of time with such an issue ... 😂 😭
the hacker's real enemy: spelling
I got stumped on a module before... it was because I was typing inlanefright.
many such cases
so depressing that my silly head didn't think of that simple solution
Thank god, finally managed to solve it..
hey in Linux Privilege escalation Docker Module, where in the heck is the docker.sock file?
thanks anyways bro love you :3
was it your machine being weird?
sometimes the machine spirits smell weakness
nvm i found it
If you want a cheeky little secret (and yes, this works in VMs):
shutdown -r 0 should restart your machine, may need to run with sudo
thank you 
might save some time from waiting for a vm to fully spin back up
Hey, looking through old messages it appears I'm not alone on this one, but has anyone found a workaround for the Exploiting Web Vulnerabilities in Thick-Client Applications lab? I generally use /smart-sizing:1920x1280 for xfreerdp, but I see the example says to use /dynamic-resolution, and you can't use both. /smart-sizing won't work, /dynamic-resolution is too small. Even when stretched, the icons are too small, and it's slow; it takes a few minutes to not stretch properly. Then I tried to log in again with /dynamic-resolution, but it wouldn't let me... this appears to be a very glitchy machine. Any suggestions?
if the icons are too small you should be able to resize the icons to be larger. also 1920x1280 is an odd resolution
Try using /scale:140 flag with xfreerdp
/smart-sizing:1920x1280 has always worked for me.. or just /smart-sizing, but this lab will not let me use anything but /dynamic-resolution. /smart-sizing at least allows me to stretch it and it stretches right along with it. This one is a mess. Even though I finally got it to log in with /dynamic-resolution, it wouldn't work again with the exact same command, and I reverted a few times, not working. This is very difficult to deal with. My smart-sizing technique has worked on all HTB labs.
Ok, I will try that, although I'm close to not wanting to spend another minute on this lab. Something is off with how it's configured. I have read many complaints. I hope the HTB team looks into this. This is a hard lab; we shouldn't be spending an hour on this sort of thing.
/feedback if you wanna ensure the team sees it
Will do, because I have also tried the /auth-only and /cert:ignore flags. I tried /scale:140, but was unable to resize at all. I also notice that even when I get it open, despite being too small, it's also too slow to tweak anything. Not a good use of time... my smart-sizing system has worked on all HTB and OSCP labs. Something seems very off with this one. I'll get to this later, must move on for now.
domain was missing, that's why it didn't work
Hello all, I am having trouble with the Intro to Active Directory, active directory functionality section. I am entering the correct answer for the last question but it just doesn't want to accept it. I reached out to help desk but I gotta wait until tomorrow for a response
the answer should be Rel* I* Mas* (the * gets expanded to the full word or acronym)
That's what I am entering it keeps saying I'm wrong
Don't copy the brackets () where it shortens the Rel* I*.
that's the only thing i can think of that's why you're getting it wrong
it's just the 3 words
not Rel* I* (R*) Mas*
I have been trying to spell it each and every way but no luck. I capitalized the first words, don't capitalize. It won't accept it 😮💨
refresh the page and try again
That worked! Thank you so much
Sometimes that happens, it's rare, but it happens
I'll keep that in mind for the future. It was getting pretty frustrating
https://academy.hackthebox.com/module/147/section/1334
I ran Snaffler correctly but the output was too overwhelming for the RDP box, so I attempted to run PowerHuntShares but it's saying it isn't recognized.
Try running Import-Module instead of .
Set-ExecutionPolicy Bypass -Scope Process
Thank you, it's running now
can someone here explain to me why dnsenum was able to enumerate internal subdomains when dig can't?
Because it's not performing a zone transfer. dig [answer here] @ip and you'll see basically what the tool is doing to get the answer
Hey, sorry, but I think I'm going about this the wrong way. I've been combing through the output but can't find the password. If possible, could you point me in the right direction?
The question points you in the direction of a potential word pattern to search for (domain user)
I'd just like to make an update... I just needed to download a new VPN. It hit me that it was basically the same lab as Attacking Thick Client Applications, which worked fine yesterday. Thus, I realized something else was up. Deleted my VPN and downloaded a new one. This indeed works swimmingly: /smart-sizing:1920x1280. Thanks!
Is there any solution for when I can't connect to a machine no matter what I do? I've been having this issue w/ the past couple of machines but I thought it was just an Attacking Common Services issue, to the point where I've just been relying on the solutions just to get through the modules.
I've tried:
- Resetting the machine
- Resetting Pwnbox
- Downloading a new VPN file & switching up the regions
Best case scenario, I get 1-2min before the box just dies on me
In the Getting Started module Public Exploits section, I was able to find and run the exploit but now I'm stuck on how to actually get the content of the flag.txt file. Any advice?
I tried searching for mentions of domain and password with PowerShell. I found multiple passwords but none were correct. I attempted to use netexec but it times out after 20 seconds of running, and manspider isn't giving me output, but I'm not sure if I'm using it properly.
The hint is to not search for the pattern passw
If you're using the msfconsole exploit, check the options
Use the actual pwnbox, not the in-browser terminal, it's notoriously garbage
Thanks, got it to work 😄
Didn't set certain options that already had default values lol
Send me a dm
Send me a dm I will help you
quick sense-check. When a module gives us resources like a userlist/pwlist, are we expected to use them in every section of the module, even when not explicitly referenced?
Like right now I'm doing the Attacking Common Services skills assessment and have hit a bit of a dead end unless I'm supposed to use those lists
Also, searching message history I see people referring to sections of this module like attacking Tomcat. I don't have that in my module? Unless that's from a different path than Pentester.
To anyone that can help, I’m still having issues with the sqlmap essentials assessment. I’m quite confident I have the flag but it’s saying it’s incorrect when I enter it in. Has anyone run into this?
It happens. Be sure to check for leading and/or trailing space. If it's a HTB flag include HTB{This-Stuff-Too}, so the whole thing. If you are still getting errors i can verify if you have the correct flag too. Just send me a DM.
Ironically, it just reset and changed. Submitted and it worked! Don't know what the deal was, but the one it gave me last night or this morning wasn't the "right" one.
I've seen sqlmap give a malformed flag before too, due to casting or something. I had to adjust a character or two by guessing what the correct char was in one of those sections.
Was also going to say a page refresh sometimes helps too.
That makes sense I was starting to wonder that, thank you
Guys I need hacker friends asap
This isn't that kind of server.
YES MAAM.
Hi, I'm currently working on the module Pivoting, Tunneling, and Port Forwarding. I have configured both ProxyChains and SSH as instructed. However, when I run an Nmap scan, it doesn't detect anything — even though I'm able to connect via RDP. Can someone help me?
You have to run nmap with sudo if it's over proxychains.
Thx dude!
No problem, let me know if that fixes it.
It does, appreciate it!
Guys so where do I find hacker friends ?
You've already been told this isn't that kind of server. If you're not here to learn, you're in the wrong place.
How do I learn/start?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Thank you all love u
Hi everyone, I am stuck in skill assessment - hard (abusing http misconfiguration) can you help me?
Hey, I'm doing "Shells & Payloads - The Live Engagement" and in the RDP connection with the foothold machine I cannot find any web browser to open the link of the host machine and upload the file. Please help me find the web browser.
@sharp siren Careful not to reveal attack paths in skill assessments
A browser process can be started from the terminal
the question : Identify if its possible to perform a zone transfer and submit the TXT record as the answer. (Format: HTB{...})
Which TXT record? Because the only thing I'm seeing in the zone transfer is some subdomains and A, SOA records.
Completed yesterday bruh..
back me up then
If you don't get a domain transfer on the actual domain, try subdomains.
Don't give spoilers if possible.
Okay.
try to zone transfer the subdomain ?
Yes, to get the flag right?
Yeah. I just did not know we could ask the subdomain for a zone transfer.
You can ask any level of sub.sub.sub.do.main
I believe that's the example they gave as well
;; communications error to 10.255.255.254#53: timed out. It's throwing this error.
oh
Specify the target ip with @ip
The result will not be the same, right?
Do host entry as well
Correct
Don't need host entries for this
But for the last question I needed host entry
Don't ask me how many times I enumerated inlanefreight.com instead of inlanefreight.htb ... 🤦♂️😂
Nope, it's not needed
The format is dig <...> <sd>.inlanefreight.htb @ip, right?
🤣🤣
Yep
"Why didn't this work [up-arrow] oh for fucks sake"
😂
When I asked the main domain for a zone transfer it gave me 2 subdomains and the rest are mail and authoritative server records... so I need to ask for one of those subdomains only, right? Then the one I found above.
Footprinting - DNS yeah?
In the future it's helpful to include the module name and section in order to get better directions
The base zone transfer should give you more than one subdomain on that section
Yeah, right.
dig axfr inlanefreight.htb @spawned_ip
For zone transfers to subdomains (that may also be zones) dig axfr sub.inlanefreight.htb @spawned_ip
You don't use the ip in the record
lol/wtf ... I was missing the space between the domain and @ip.
Yeah. It's not domain@ip
They are separate arguments altogether
That's what I'm saying, damn it... from connecting to so many SMBs and stuff
I have a habit of not spacing in between
and that looked like it did not even have a space.
Ok, thanks man.. will be back soon 😅
Hey, when do the IPs in the record come in handy?
Generally, they don't. At least for private instances. The only thing to bear in mind is that records are in the perspective of the server you query (@) so 127.0.0.1 == same server
Hi! I've been stuck for hours on some dumb question in the Process Injection Attacks and Detection module, the Remote Dynamic-link Library Injection question.
Can someone help a little bit? I just tried everything...
You can clear the logs to ease the analysis phase; start off by looking for events related to process creation.
Tried that too... Will the flag appear as HTB{} or CTF{}?
And the Process GUID can't be a flag, right?
The flag as mentioned in the question is in format CTF{}
and the process GUID cannot be the flag.
Interesting... I tried to export all the logs to Timeline Explorer and search for the flag there, without any result.
The hint says "Check the event logs for the answers. Some IO operation took place in the background."
What are IO operations?
I thought about the Event 13, and found something suspicious there, but the site wrote that its not correct
The best advice I can give you is by starting to enumerate events related to process creation, then correlate what you've got as information to move further
Ok...
Can you say what field to look for? That's gonna be a big help for me...
go through the source provided in the section, it will help you tremendously
What is the FQDN of the host where the last octet ends with "x.x.x.203"? which wordlist do i use ...?
wordlist.txt
ha?
Can you share the git link?
Since you don't want to overload the server, start with the smallest list. If you don't find anything, try the next largest one.
|| Lists with 5000 entries or more are too large. ||
It is in the module, I think.
subdomains of subdomains
recursive?
you can sort the SecLists DNS Discovery lists using ls -lSr
dnsenum doesn't have a recursive function
at least that i know of
dig axfr inlanefreight.htb @ip | grep -E "\sA\s" use those as your starting base domains (you can skip over one, since you can already transfer there)
think of it this way: "why do you need to bruteforce something you can already access"
I have tried the subdomains-top1million-5000.txt and now the 20000 one is running.
those lists are a bit too big
are you using the pwnbox?
ls -lSr /opt/useful/seclists/Discovery/DNS/
no
then ls -lSr /wherever/you/have/your/SecLists/cloned
https://forum.hackthebox.com/t/academy-footprinting-dns/249570/12 this should be helpful.
I'm doing Attacking Common Services - Easy, and apparently you have to attack the SMTP service, but I'm supposed to find a user and I can't find anything. I'm using the users.list from the resources, but it's weird, since in all the tutorials you get that user with this command: sudo smtp-user-enum -M RCPT -U users.list -D inlanefreight.htb -t 10.129.203.7
you can change VRFY to RCPT or EXPN maybe try that?
VRFY is more reliable than RCPT
I enumerated every single subdomain and there were no further domains (in the subdomain, when doing it manually), and when I brute force the subdomain which did not have anything in manual enumeration I'm discovering new subdomains..
Hopefully I will get the flag.
bruteforcing is the way forward
The command I provided gives you the A records for the subdomains that exist on the base domain.
with the dnsenum command, you just replace the inlanefreight.htb at the end with sub.inlanefreight.htb
Yeah, I tried that, and let's say I found a dev subdomain and I was not able to further enumerate it manually, and when I brute force it it's providing stuff...
sudo smtp-user-enum -M VRFY -U users.list -D inlanefreight.htb -t 10.129.203.7
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
| Scan Information |
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... users.list
Target count ............. 1
Username count ........... 79
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ inlanefreight.htb
######## Scan started at Wed Jul 2 03:29:45 2025 #########
######## Scan completed at Wed Jul 2 03:31:05 2025 #########
0 results.
It's weird, why should a user leave?
try without the domain :P
Remember that mail servers can sometimes be slow to respond.
Ok now yes, thank you very much
I tried that but I did not come across any IP ...203
You want me to manually fuzz the subdomains, right? Like recursive fuzzing?
you don't need to fuzz
Yo
dnsenum can get you the answer
Is there any hacker
nup
- for spamming
- for trying to spam
- And i hesitate to ask, why do you need a hacker, because this isn't a hacker4hire server
Yeah, for that I will be needing a wordlist, and the recommended wordlist (subdomains-top1million-110000.txt) is huge, it takes years.. is there a smaller alternative (I know there are 5000 and 20000 but will they work?)
... i've told you several times how to find a smaller wordlist...
Do you have the SecLists repo cloned?
if not, you should
Hi everyone,
I'm working on the Android Fundamentals module and got stuck on this question:
“What is the name of the function that returns the string inside the cpp file? (Format: FunctionName())”
I entered stringFromJNI() but it's marked as incorrect.
Am I missing something? Any hints appreciated 🙏
Hey People ,
It's my first time here and I'm trying to learn the basics of cyber security and to know if this is what I want to do in the future. If anybody has any PDFs or files, please send them to me.
BIG THANK YOU
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Hey, welcome to the community!
It's great that you're exploring cybersecurity. I recommend starting with the free HTB Academy modules like "Introduction to Cyber Security" and "Linux Fundamentals." They're perfect for beginners.
Also, here’s a great PDF to get you started:
Cybersecurity Essentials by Cisco (Free PDF)
Check out the link in the message above. Never trust any files sent to you by people you don't know. The files could contain malware.
Yess . Thank youu for reminding me
Your pdf didn't embed.
Also we refrain from sharing files from the server, you can link where to find it