#modules
But i don't understand one thing
Shoot
What is the function of file=filename?
To define which file you want if it is available it will download it otherwise not i guess
Hey guys, I'm not sure where to write about boxes being down. I'm doing Blind SQL Injection skills assessment and the database went offline. I reset the machine several times. I wrote in erratum but I don't want to wait several days to get help. I'm paying a lot of money for this service. Now it works again
Okay ty
For future reference, if someone says no to dm, then you call them an asshole. You're less likely to receive help
Don’t act like one so no one will call you that
How was me saying no to a dm me being an asshole? Mind you, I said no after you already dmed and before I saw you ask
In Exploiting internal Web Applications I in the Advanced XSS and CSRF Exploitation module I have found the secret table but listing its contents returns a 500 error. The same "select all" query on the other table works perfectly fine... Anyone can help with this?
I dmed you before you said no i said i already did please ignore then i was giving someone hint and you were pointing things out instead of helping or ignoring thats what make me call you that word
The only thing I pointed out was the syntax reverse of privilege::debug
Sorry my mistake for what i did you enjoy your day let me enjoy mine…
What module is this for anyway? If its not directly related (i.e. a module is telling you to do this/giving instructions) then it's better for #programming or #red-team
You have half the answer right there. You need to curl the download.php of that website to get the flag. Go back and look at the curl commands
Hello. I have connection issues on Shells & Payloads module. https://academy.hackthebox.com/module/115/section/1106
for other module like Using the Metasploit Framework seem is ok for me.
Can someone from Hackthebox solve this issues?
the shells and payloads module has the jump box you start with via rdp; that has all the tools you'll need
yes I cannot ping or remote
the 10.129 ip is your jump host
for few days now. On Monday is ok for me.
try changing vpn regions
ok let me try again. I already tried.
You can DM me if you still need help
i'm not staff; but are you connected to the vpn to be able to reach the jump host in the first place?
yes bro.
I mean some lab is ok for me.
I had problem only this module Shells & Payloads.
if changing vpn regions doesn't help reach out to support on the website
is very annoy me. I just want to review before taking exam.
Anyone have solved the artificial lab I’m stuck on smth wanna know it
Hi, im working on the Password Attacks: Credential Hunting in Network Shares and am struggling with the 2nd question (As this user, search through the additional shares they have access to and identify the password of a domain administrator. What is it?)
Ive managed to find jbader's details but not sure how to proceed from here, ive run Snaffler but was just overwhelmed by the amt of output it gives lol
try searching for key phrases or patterns
hmm how can i do that? i ran -h but dont see a flag for me to specify anything, did i miss something?
there's other tools that exist that can allow you to search shares
You can also search manually and look in the text files you’ll find your answer
You can try man spider and nxc but they didn’t work for me
https://academy.hackthebox.com/module/116/section/1466
I have the login for the user, i accessed the SQL server but wasnt finding anything, i found two .txt files in ftp with the second one signifying that if i can upload a file i can access it, but i don't know how to get to upload
i did give it a go for abit but there were like hundreds of them across like 10+ folders HAHAHA
and i figured i might as well learn it the proper way anyway
If you look harder they are actually in front of your eyes
Just look at what looks suspicious
Dm i’ll give u a little hint
the phpmyadmin db has all empty sets, test database is empty, and the other 3 look default
Get-Content has a -Recurse option 😉
there's multiple "proper" ways to do it
one being "Get-Content" nxc smb has a pattern option
Anybody who can help a little regarding password attacks skill assessment got password in file01 but to get on jump01 server getting no idea and nmap just showing rdp which is not possible
Any little hint would be helpful
I have sent an PM 🙂
dms ? i can give some advice
shoot me a dm and I'll see if I can help
oh this got me started, thanks for the help!
quick question on
Attacking Common Services | Attacking SMB if anyone has a second, please @ with replies
I want to say that the module is being a little whacky --> used the pw list given in resources and no results are being returned for the user they're asking for... I've let it run a couple of times, and additionally reset the machine as well
guys need help with this
"Check Carlos' crontab, and look for keytabs to which Carlos has access. Try to get the credentials of the user svc_workstations and use them to authenticate via SSH. Submit the flag.txt in svc_workstations' home directory."
I did find AES hash , but not able to find the password for the svc_workstation. Yes I found the second keytab, but i am lost. Helppp
iirc they give a website you can use to crack some hashes
i think crackstation? it's been a hot minute
It's crackstation 😄 you're right
@azure mantle this isn't the server for that
I'm having a bit of a problem. Im unable to complete the skill assessment for Web Fuzzing. I've got the flag, but one of the questions is asking for a url, and it won't accept the url even though that is where I ended up finding the flag
use the literal word PORT
np; plenty of people get hung up on that
Hey if anybody has done the miscellaneous techniques module in Windows Priv Escalation Module, which account is the question referring to? i have the hashes for all but none work as the answer
am i using the wrong wordlist with hashcat? is rockyou not enough?
Anyone else have issues with http://127.0.0.1:5000/prompt_inject/direct_1 from https://academy.hackthebox.com/module/297/section/3413 ? The other 3 work just fine, but the last one stalls out no matter what you ask it. I've reset the target system a few times, but no matter what that LLM just spins
Hello
thanks!
can anybody lend a hand on windows privilege escalation module?
Hey
hi
it's the footprinting module
section imap/pop3
i can't find that flag and the admin mail can someone help me
is this the assessment question?
no
.
did you openssl client?
and you logged in with given robin:robin creds?
it's just the example
Can anyone help with:
The packet capture contains cleartext credit card information. What is the number that was transmitted?
From https://academy.hackthebox.com/module/147/section/3715 - Credential Hunting in Network Traffic
I've got Wireshark open and I've used Pcredz, but can't see it anywhere. ||I know the Hint says to use Regex||, but I'm not sure how to apply that in Wireshark.
"In the SMTP section, we have found the user robin. Another member of our team was able to find out that the user also uses his username as a password (robin:robin). We can use these credentials and try them to interact with the IMAP/POP3 services."
ahhh
@wild valve thats what it says at the end of the notes
sorry
np
have you tried http
Cheers, I'll take a look through
Hello, I am doing AD Enumeration & Attacks and I just finished assessment part 2 but i have a question regarding the flag about inveigh if I can DM someone
yes
that part never made sense to me if im thinking about the same part
Guys curl doesn't work on my pwnbox, wtf is wrong, it shows nothing
that's not useful or helpful for us to diagnose anything at all
A
done
Hi, Im right now doing the machine TwoMillions
after I tried every exploit under the name "nginx" without success, I turned to a video explanation
He saw the redirect from the IP number to hostname and then he does something I don't understand
It was very quick and I never learned this before
He updates somewhere the resolve of the IP number to the HOST NAME like DNS does, but where he go
What is this place
and also Why he does that?
"bla bla bla put this in... now the scan with nmap should work bla bla because that why, dont you see how.."
Please help , can someone explain me? 🤷♀️ 
He said "If I have the hostname there" where is "there"
and second after that he refresh the website and he got valid page 🤔
Yeah when they give you a target IP and a host name you have to add it to the /etc/hosts file right under the "localhost". You do this to map that "http://blah-blah.blah-blah" website to the target IP so that you can type it in the browser and visit the page
Oh.. But why ordinary DNS doesn't work this case?
Basically what he is saying is, if you're unable to connect to the website through your machine. You have to add the ip address and the name associated with it to your /etc/hosts file. That file is read by your linux to basically say "Hey, this IP address is this website" and when you enter either the IP address or the Domain Name. It will be able to find it.
thats what I dont understand, first time I do something like that
If it's a private website, DNS won't be able to find it or know it
yeah anyone else having trouble using xfreerdp right now? or is it just me?
You helped me, thank you for your reply and your time. It's not obvious
what is your problem ?
helped
im literally trying to connect to this machine in the Windows Priv escalation, WIndows Server Module. Xfreerdp keeps failing. Ive tried to use different region and VPN server. Even tried refreshing target IP
what's your command ?
xfreerdp /v:10.129.150.46 /u:htb-student /p:HTB_@cademy_stdnt!
it keeps throwing me "[ERROR][com.freerdp.core] - transport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]"
I was just using xfreerdp in the previous module without problem. That's why im wondering if there is an issue internally for this one specifically
Did you forget ' ' for the password?
so /p:'PASSWORD'
also if you want a bigger RDP screen use /dynamic-resolution
yes i have the password above, ive been using the same command for the past modules in Windows Priv Escalation so theres no reason i cant get in.
im gonna move onto the next one "Windows Desktop Versions". If it works then its a problem with the Windows Server Module
thank you. I actually use this and also i add the drive for easy copying back and forth
Yeah guys the other modules allow xfreerdp connections the Windows Server module in Windows Priv Escalation is having issues
Does anyone have a quick second to help me with the final question on Attacking Web Applications with Ffuf > Skills Assessment - Web Fuzzing? I've found the parameters correctly and am fuzzing values. Pretty sure my commands are right but I'm not getting results that would indicate a valid value.
You can send a DM
NVM guys i literally missed the Note in the module that said "Note: If gives you errors, try using rdesktop -u htb-student -p HTB_@cademy_stdnt! [IP Address]"
smh
Hello guys! Im new here so i dont know if this is the right channel to talk about this but i will give it a shot. I ve been working on the WiFi penetration testing basics lately and i encountered a problem regarding a question. Could anyone help me with that?
separator unmatched means you copy/pasted the hash incorrectly
how can i do it correctly ?
you just copy/paste as it's shown, you don't add anything to it
it helps as well to know what module and section you're on
it can also be because you're using the wrong mode with the hash
In the "Information Gathering - Web Edition" module, in the section "Creepy Crawlies", there is a script called ReconSpider.py. This script is downloaded from HTB rather than a tool on github. (Though there is a tool on github with the same name, but it is not the same). Is this script just a demo of what can be done with regard to recon? Or is this a script that we should save and have access to for future recon (such as the exam or future boxes)?
i suggest saving it tbh
it's pretty nifty and useful
Hi everyone I need to help in intro to whitebox skill assessment 2 (patch) module? Anyone here complete it?
I patched using different ways but I can't pass the test
there nothing strange in my file
can someone pls crack the hash for me
what module and section is this from?
7300 is ipmi so i'm gonna assume the footprinting module. ipmi section
@rustic sage just helped me
what a goat
but 
can someone help me 
it's the dns section
same module
ok
i will try
Hi everyone I need help, I try to install the OS recommended for HTB but when I execute the OS, the machine has an issue, the installation gets stuck and I have an error
does anyone know how to fix it
Subdomains of subdomains enum is key
Im trying to do this but takes so much time
With dnsenum
Is there any way to accelerate the process?
With the script in bash it takes too much time too
I mean you can probably script with dig, but it'd take a while
Recon can take a while, same with fuzzing. Just sometimes gotta sit there and let it run
Best time to stretch
The lab for this was pretty stupid the logrot only worked 1/20 times when I did it
Thanks for sharing bro!; I have the same f68king question - WHY ISN'T THE INTENDED METHOD WORKING. HACK THE BOX PLEASE FIX THIS! - I spent 5-6 hours on this one question.
Sometimes there are issues with modules. If you believe that's the case you can report it in #1234357888114364508. Pretty much every time I ran into something like that though I found I wasn't doing something right.
hey im on the first lab for the linux enumeration lab. i feel like its not straight forward at all how they made the lab. could someone help me out real quick? i would really appreciate it.
best to state exactly which module, section, and question you're on
ok. im on the environment enumeration section, linux enumeration module, and im on the "Enumerate the Linux environment and look for interesting files that might contain sensitive data. Submit the flag as the answer." question. i think they changed the way the answer is found because the forums i found with how to get the answer arent correct.
linux enumeration isn't a module. is this linux fundamentals?
ok send me a dm
I'm confused about Reflected XSS exploitation. Say you found a POST request that takes your name and immediately returns it and you were able to inject JS in it.
What could you do to exploit that?
Can i DM?
please
Hi Guys, should I use this channel for doubts about a specific exercise of Password Attack module?
yeah this channel is for talking about the modules. you can follow instructions in #welcome to gain access to most other channels in the server too.
Reflected XSS in POST requests are rarely useful, however you can try combining this with verb tampering to see if you can use a get request and send the xss through a url
True i tried it again it doesnt seem to work idk why
Hello
am i supposed to run the linux and windows vm inside of the proxmox environment vm? referring to the first 3 modules (virtualization linux windows)
or do i run them in oracle
best to say the specific module and section. but i've never heard of that setup. people generally just run a windows machine with a vm.
In attacking common services in this drupal question Work through all of the examples in this section and gain RCE multiple ways via the various Drupal instances on the target host. When you are done, submit the contents of the flag.txt file in the /var/www/drupal.inlanefreight.local directory. Even tho i enabled that php filter module it doesnt seem to show
Deleting this cos it contains spoilers, just ask for help and talk in DMs
who can help with Skill Assessment Password Attacks dm me pls
Where should I start with coding
make a lot of projects
start simple, for instance a simple command line adder, then slowly make more complex projects, keep it related to stuff you're interested in and passionate about
Hey, guys. Im currently doing Question number 2 on the Cracking Protected Archives of the Password Attacks module. I've found the flag.txt inside the VHD, but when I submit the contents, it's stated as wrong
Make sure there are no spaces at the beginning or end of the string.
Okay, thank you
Does anyone else’s hashcat be bugging out
hi, I have the problem with module INTRODUCTION TO RED TEAMING AI section Manipulating the Model,
first two questions, that are affirmative sentences, require to submit an answer but do not specify what needs to be submitted, and I'm stuck with these questions
Considering you're in the HackTheBox discord server, decide what wrappers you might want for the cli tools you use, and figure out how to make those wrappers in bash or powershell. This could be something like making a script that allows you to run a single command that only takes a single domain parameter which runs ffuf for you with whatever predefined parameters you generally want to include when you do dns scanning. Or maybe you want to do vhost scanning and want to be able to quickly give the domain name once instead of manually writing out the headers. Then as you progress, you can expand that to maybe create wrappers for multiple tools, where you run a set of tools in an automated sequence.
Maybe this is not how you should go about starting with coding, but you might learn some things, and would be doing so within a setting that is directly relevant to your interests, which is usually a good hack to stay on task and be more motivated to learn and experiment
need some help please :). I'm doing the 'Identify SSRF' section of the 'Server-Side Attacks' (https://academy.hackthebox.com/module/145/section/1295) and I can't seem to get the answer to the question. I have found the 3 ports that are open, and I've tried to browse them, but I get nothing so I can't find the flag. Is anyone able to help?
Hi everyone! Wanted to reach out since I am have been stuck for a couple of days on one of the File Upload Attack questions in the module. So I was able to edit the code on the client side using DOM then I intercepted the request and used Burp after doing the extension fuzz.
Also tried changing the values for the file to the injection using a couple of extension formats for the payload and none work.
Revise the source code as well for to review the js executing in the backend to see what type of filters. The interesting thing is that I was able to successfully upload the file but on the src= url --> it was changing the format to data:image/png/base64/
Does any one know if I need to deobfuscate the min.js file to see if there is more blacklist filtering meaning if its not an image file it will change the value from profile_images/file.type ?
thanks
Mods, i have found some pastebin link (containing htb academy writeups above tier 0) you guys want link to take it down maybe?
You can use /spoiler
hello i need some help on Skills Assessment - Web Fuzzing
heres the question im stuck on
||One of the pages you will identify should say 'You don't have access!'. What is the full page URL?||
here's my problem im looking at the page that says the key word needed and have put the full page URL yet the answer is coming incorrect
remmina is literally the best for windows RDP. how come xfreerdp is so laggy?
Hi, i have some issues with the RDP on module Passwords Attacks - "Pass the Ticket (PtT) from Windows" : [09:09:00:593] [6777:6778] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[09:09:00:593] [6777:6778] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[09:09:00:593] [6777:6778] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[09:09:00:593] [6777:6778] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
The creds are good : xfreerdp /u:Administrator /p:AnotherC0mpl3xP4$$ /v:10.129.84.166 +clipboard
okay with remmina works...why not
try using backticks for the password
If you found the flag, make sure you don't copy blank spaces.
Nice ! Thanks it works
Usually how long it take?
I'm actually completely lost on Attacking Common Services | Attacking SQL
I have no idea where to even start... Used mssql, and can't access anything, tried xp_cmdshell etc and nothing is working lol - SQL is one of my weakest spots and I could really use a nudge
this is better for #boxes
thanks
stealing hashes
thanks
Bit confused, tried to set it up like the module shows, and responder is just stuck on listening for events, but from what I have tried on the sql side I'm not really able to do anything
use the right interface that can be called to :)
tun0?
xp..dirtree
yeah that's what I did
oh okay nevermind
I thought you had to do dirtree before responder not after
Hey, can anyone provide a hint for the skill assessment for NTLM relay. I am on question three but I am a bit stuck. I have got backup01 access, have my own machine account but I am stuck trying to get the password for sqlftp?
how is it gonna work before responder lol
lmao
Should rockyou work to crack this though? I think I found the right hash, but nothing seems to be cracking it? figured I'm either looking at the wrong one, or I'm doing something wrong
i don't recall if that module has a wordlist
Just a bit lost - I have the output from responder, but I can't get the hash to crack
I have
mssqlsvc::WIN-02:<hash>:<Should be NTLM>:<Super long hash>
But running both hashes through hashcat don't give me anything
the hashmode you need to use is the net ntlmv2 hash mode
when I do mode 5600 [googled for NetNTLMv2 mode] it doesn't load any hashes lol
nevermind - didn't know the format had to be the whole responder output
Hey anyone know why hashcat is getting bug out on using pdf hash I tried their pdf example hash it give separator mismatch error or token length exception 🥲
I need help
Anyone can help me
Hello
Anyone here
no need to spam, be patient
I'm so confused, the pw cracks, I got that question right, but sql refuses to let me login with that user.. tried to do the whole execute as login = '<user>' but that fails. Try to login with mssqlclient, and that fails the login as well...
Not that I can necessarily help, but you'll want to provide more information on this. What module, what section, what's the question you're working on
anyone have problem with spawning targets?
me
Anyone available to help with this?
additionally double-checked to see who I could impersonate and the mssqlsvc account isn't listed
-- nevermind apparently it just wants to work now?
Easiest rooms for newbie or academy? To start...
rooms being...? Boxes?
hi
i need help
with this excerciese
https://academy.hackthebox.com/module/21/section/132
i keep getting wrong answer no matter what
can some one just give me the answer
?
Cant do that, but you can dm me with what you have tried so far and I can try to help you.
Hi all, I'm stuck on this Android Fundamentals module question:
Create an AVD for 'Pixel 3a API 34 Google APIs' using Android Studio. What is the build number of the device? (Format: build_number, Example: build_number-test)
I made the device, but my answer is never correct, any help would be appreciated.
Hello, can i have a nudge for Skills Assessment - Password Attacks
search this channel history; i had a list of generalized hints
pls module footprinting section dns
since yesterday i can't find it
and i have to finish this module today to keep my rhythm
Are there all levels of Hacking learning s available on this platform? from beginner to expert?
or like only advanced and expert?
in labs there is rank?s
@wild valve maybe scan all the vhosts?
i tried but nothing
Guys im new to this what i got a hp pc horrible slow what should i do

If you tried for all the other subdomains then try different wordlist
“Wordlist that contains more internal subdomains”
subdomains-top1million-110000.txt ?
There’s another one that is more targeted for this question
pls what is it
dual boot kali and windows
he said horrible pc
and you think dual boot is the solution
he will lag more
cause windows is stupid
dual booting is better than a vm
you think but not
Hey I'm doing this artificial linux machine, but I can't comprehend what to do I did nmap then I see http open but in the web browser it doesn't work please help
It’s within seclists/DNS
Someone out there can help me out one Advanced XSS and CSRF Exploitation , the skill assessment?
Im stuck on first part
i only have this bitquark-subdomains-top100000.txt deepmagic.com-prefixes-top50000.txt fierce-hostlist.txt namelist.txt shubs-subdomains.txt subdomains-top1million-110000.txt tlds.txt
bug-bounty-program-subdomains-trickest-inventory.txt deepmagic.com-prefixes-top500.txt italian-subdomains.txt README.md sortedcombined-knock-dnsrecon-fierce-reconng.txt subdomains-top1million-20000.txt
combined_subdomains.txt dns-Jhaddix.txt n0kovo_subdomains.txt shubs-stackoverflow.txt subdomains-spanish.txt subdomains-top1million-5000.txt
It’s one of those
And the size isn’t that big
Check for the one that has more internal subdomains
so i use ffuf ?
For what
could someone help me in the module artificial linux easy please
Pm me if you still lost
dnsenum is the key; subdomains of subdomains
start small and go bigger
ls -lSr can sort by size (ascending)
who can help with this section?
look up the walkthrough for the retired insane machine 'Fatty'
okay thank you
Can anyone help with this question on the using crackmapexec skills assessment Gain access to the DEV01 and submit the contents of the flag located in C:\Users\Administrator\Desktop\flag.txt.
hello, i need help on password attacks skills assessments, i managed to rdp to jump01 through the user bd** and i have the credential for st and the 2 passwords of hw** but i don't know how to escalate or to move to dc01
Hi im in the question of imap/pop3
Figure out the exact organization name from the IMAP/POP3 services and submit it as the answer
I put this information and it doesn't work, I don't understand why, I'm putting the exact organization name
nmap?
I find it sorry
send me a pm. Ill drop a few hints for ya
Tell me what task you are on, the module
Footprinting but i solved thanks you
If you have any other questions, please write to me privately.
some can help me in the module Advanced XSS and CSRF Exploitation in the skill assessment
need some help please :). I'm doing the 'Identify SSRF' section of the 'Server-Side Attacks' (https://academy.hackthebox.com/module/145/section/1295) and I can't seem to get the answer to the question. I have found the 3 ports that are open, and I've tried to browse them, but I get nothing so I can't find the flag. Is anyone able to help?
You can DM me
sent
You can DM me
currently doing the AD set, does anyone have a quick and easy way to get host names & ip addresses at once?
i.e less messy than nmap
maybe rustscan?
but i always use nmap
get-netcomputer/ldap to dump computer names then a script to resolve them in DNS work?
Means you need an admin to dump
Why is my nmap -p- -sV take so long to scan
try -Pn -n --min-rate 5000
Thank you king
I preciate the info king
Thank u bro
Do you run each individually
can anyone help me in this Work through all of the examples in this section and gain RCE multiple ways via the various Drupal instances on the target host. When you are done, submit the contents of the flag.txt file in the /var/www/drupal.inlanefreight.local directory.
I dont seem to find PHP code while making a basic page
ya but i dont get that option
Okayy but i dont get that php code option
Plguin is also enabled
I just finished my eJPT, instead of feeling happy I realised I know nothing 😂
yeah eJPT is bottom of the barrel next to CEH and Pentest+
Can anyone help with this question on the using crackmapexec skills assessment Gain access to the DEV01 and submit the contents of the flag located in C:\Users\Administrator\Desktop\flag.txt.
#1234357888114364508 is for putting corrections
also they aren't really contradictory
basically
THIS -P- -SV IS TAKING FOREVER
then why is the guy on the starting point official writeup doing it
try adding -sT to the command
also for starting point: #starting-point -- read and follow #welcome to access it
you can try increasing the minimum rate or try scanning for open ports with -p- and scanning the open ports with -sv, those are the ways I know of
it says i need a moderators help to verify my account so i cant even see these channels
you could just follow the section instead of the writeup
looks like you're doing ban evasion :)
lol
looks like it's expired anyway
thanks for the help btw
seriously so i can join back?
dm
sec
this isn't the right channel
read and follow #welcome to access more of the server
While Footprinting dns , what can I do with a txt record and in the most cases the dns is dug to discover more domain and sub domain right ? @fathom pendant
im trying to download the windows developer os from the module "windows" it keeps getting corrupted and it says on the windows site downloads are currently not allowed
does anyone know anything about this?
Cos I'm rn doing the Footprinting -easy and I came across dns,ssh,ftp the goal is to find the flag.txt which probably will be in the ssh . So to connect to it i will be needing credentials , I don't see how dns will come to picture .
What module and section is this?
setting up
you can still download the developer zip from the link in the guide, but for me its just corrupted.
and on the windows site it says they arent allowing downloads for it right now
hello need to know something
EDIT2: It was 2-way IPS on the router
EDIT: tried to run it on the parrotbox, and it worked fine. It would seem that there is something on my end catching the request and filtering it. Might be something on my router
sql injection - union injection. Whenever I try to construct an injection, following the same or similar format from the article, the request just hangs. Anyone know what might be up with that?
Anyone ?
the credentials are provided in the text at the top
I found the flag anyways thx ..
na it was not..
who can help with this section? https://academy.hackthebox.com/module/232/section/2578
I am receiving the error below when running ntlmrelayx.py
[(‘SSL routines’, ‘’, ‘no protocols available’)]
Command:
`root@ubuntu:~# sudo ntlmrelayx.py -t mssql://INLANEFREIGHT\NPORTS@172.16.117.60 -smb2support -socks -debug`
I guess in the module Windows Lateral Movement the section SMB needs to be reviewed, seems the lab is broken, I even uploaded the bin on host SRV02 but that's not even working and as I have seen through the chat, many people have complained about it not working
start the ntlmrelay as root
not via sudo, that should help
its mentioned in the course as well afaik
Thank you!
Hello guys, I am facing issue when connecting RDP into Windows hosts, the UI is too small I barely can see the PowerShell output.
Connecting from an external monitor 4K/Mac M1
/dynamic-resolution argument should help
Hello
I'm using it, it only allows me to resize the window without any impact on the DPI
B
It is in the works still, not yet available.
Hello i need help
In File Transfers > Windows File Transfer Methods - The Astaroth attack link points to Page Not Found
Instead of /en/security/blog it should be /en-us/security/blog
I will check now, next time it's better if you report it to #1234357888114364508
Has anyone completed the using crackmapexec module
I'm not sure if this is the right place, apologies if it isn't
But do the prices change to CAD if you're in Canada or is it USD? I was looking into VIP plus
can anyone explain me what a index is
An index is like a shortcut—whether in code, databases, or books, it helps you find stuff faster. Think of it as your way to avoid brute-force.
hello i am doing Windows Event Logs & Finding Evil mini-module badgeMini-Module
Page 2
Analyzing Evil With Sysmon & Event Logs Replicate the Unmanaged PowerShell attack described in this section and provide the SHA256 hash of clrjit.dll that spoolsv.exe will load as your answer. "C:\Tools\Sysmon" and "C:\Tools\PSInject" on the spawned target contain everything you need. got the answer ||8D09CE35C987EADCF01686BB559920951B0116985FE4FEB5A488A6A8F7C4BDB9||
saying incorrect
pls help
Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer
Anyone with solution with this please help
This is from enumeration
LaB3 hard
what have you tried?
@snow spoke have tried nmap -sV -sS "T2 or T4" -Pn target IP
send me a PM ^
@snow spoke also -D RND:5
pls help
I dont mind trying to assist but I havent done that module yet. I imagine 2 minds are better than one! send me a PM
anyone else getting super delayed responses from other machines in academy? im using ssh and it keeps taking about 5 mins to respond
https://academy.hackthebox.com/module/51/section/474
reset the machine a few times but still
Hi folks. Can someone please help me with the Skills Assesment for "Wifi Penetration Basics"?
On question 2. I keep getting this error
: Packets contained no EAPOL data; unable to process this AP.
I already tried to || de-auth clients and re-run airdump || That did not work. I also reset the Lab.
I was able to solve this but using an approach that is not shown in Academy. I wonder if that's the intended route. It would be great if I can compare with someone who did it already.
Did you end up figuring out what this is?
i see the build number but not in the format they show (edit: found it, not sure why it's called build number though)
Anybody here notice that in the Using Web Proxies section of the Bug Bounty Hunter course they tend to just explain how to use a pre-scripted tool, then teach nothing about how to actually exploit a vulnerability found by them? The questions at the end of each section are usually solved by information that is entirely separate from the module and its getting frustrating having to look up some guide for every single question to find that the answer is usually "yeah that tool is broken, you gotta use this other tool that they didn't teach about at all actually"
I'm looking at you, OWASP ZAP HUD
has anyone had problems with the victim machine in the Linux Privilege Escalation Module? i can't even write 2 commands before freezing
I needed help with the running sqlmap on an http requests section of the sqlmap essentials module, specifically the question "What's the contents of table flag2? (Case #2)"
hi guys i'm having problem with zap during the Intercepting Web Requests module, i don't know why the instruments doesnt appear also if hud is enabled and more general to solve that part of module
Does anyone know why my account won't work on the htb forum
The forum was sunset and replaced with Discord
You can gain access to more channels for discussion by following the rules in #welcome.
Ok thanks
I am stuck in the info gathering- web edition module's last ATQ, it says to "give the full domain to mail records for facebook.com" but when I enter the domain that I'm getting after doing
dig facebook.com MX
It shows incorrect answer. Maybe the mail server was updated anyone knows the old one so I could pass on with this section
okay I did it again it passed😭
do may some1 can help me out with the second flag on DACL-2 for the Skill Assessment? I am quite far, but a little thing is missing right now. Since I don't want to spoil anything, feel free to send me a DM.
Password Attacks - Skills Assessment. I'm in DMZ01, used the chisel to make the pivot. with ||proxychains -q nmap -sT -Pn 172.16.119.11 --open -p 5985||, i've found the service ||wsman||. In the machine DMZ01 I can only ping ||172.16.119.11||. Can anyone give me a light?
ZAP HUD doesn't work in HTBA, I may be able to help you with the questions though, I just finished that module
drop me a dm ^
how you solve this problem?
hey i need help
I spent hours trying to get the HUD to work and gave up, which question is the one you're trying to figure out? You can usually use other tools
im kinda new to HTB, I'm having trouble with the Metasploit learning stuff in HTB Can I get any help
ik the metasploit stuff but its the server
what are you working on?
im working on metasploit but then i set up or run a target and i cant get meterpreter session open on the target
i have the vpn up in running but yet again i try to gain access to the target machine the (HTB) it doesnt work idk why
i need help please
I write all the situation in dm
ok!
metasploit
can someone help me like seriously
Hi im in the oracle of footprinting module
I have a problem it doesnt work odat.py because the py import asyncore and in the new python modules was eliminated
sure drop me a pm
pm?
private message
According to the sources, ODAT (Oracle Database Attacking Tool) is an open-source penetration testing tool written in Python. It is designed to enumerate and exploit vulnerabilities in Oracle databases, including SQL injection, remote code execution, and privilege escalation.
The steps to set up ODAT in an environment such as the Pwnbox or a similar system, as described in the sources, are as follows:
- Download the packages instantclient-basic-linux.x64 and instantclient-sqlplus-linux.x64 from Oracle.
- Create a directory /opt/oracle and unzip both ZIP files into it.
- Set the environment variables LD_LIBRARY_PATH and PATH to include the Oracle Instant Client path.
- Clone the ODAT repository from GitHub (git clone https://github.com/quentinhardy/odat.git).
- Navigate to the odat/ directory and install the Python dependencies: `pip install python-libnmap`, `git submodule init` and `git submodule update`, `pip3 install cx_Oracle`, `sudo apt-get install python3-scapy -y`, `sudo pip3 install colorlog termcolor passlib python-libnmap`, `sudo apt-get install build-essential libgmp-dev -y`, `pip3 install pycryptodome`.
- After the installation, you can verify that ODAT works correctly by running odat.py -h.
I do all the steps but they have tnspoison and asyncore that not installed in python 3.7
I deleted all the functions of tnspoison and it worked
In the code
I understand you, so then you have these 3 options: Use an older version of Python, such as Python 3.6, where asyncore still works.
Modify the ODAT source code to replace asyncore with a more modern module (difficult if you are not a programmer).
Look for a modified or updated version of ODAT that no longer uses asyncore.
English only, #rules
backui
bruh i just sat there for like 4 hours trying to figure out the hud issue
It only worked for me when using the builtin ZAP browser
though it still did have its own issues
i tried with the built in & could not even add the website to the scope 🤷🏻♂️
any mods here to confirm it ?
there is someone who completed wifi basics module ? i have a question
i don't even see them using ntlmrelay in the section. what are you talking about specifically?
the second question:
Use any tool to get a shell on SRV02 using the service Application Layer Gateway Service (ALG) and read the flag located at C:\Flags\serviceflag.txt
The problem is,, the user that suppose to connect to smb share is not connecting, instead the machine$ does it, and the problem is always that it cannot find the file, but when I uploaded the file on host srv02, it was not giving such error with FILE_ERR_NOT_FOUND was something similar
so instead, it just was not giving any results, no revshell no nothing
Dear Guys,
Need your help with Login Brute Force Skill assessment section 2, I am stuck at the FTP user identification, there are so many usernames in username anarchy, can you please help me with the right username file .txt so i can save some time
though, I have the guest access enabled, when I tried to connect with smbclient to my smbshare, it did connect as guest
They provide the credentials to use
no, I guess the best option is to brute-force it and do something all along, better start getting used to it
Try what they show in the section
yes, you do change in configs the binpath successfully for ALG service, and when its trying to get the file(revshell file) its just showing the error file not found, though the file is there
what? Windows Lateral Movement, Server Message Block (SMB) section. you don't need to upload anything and use the creds provided.
Please take care not to spoil content from modules above tier 0
oh, alright, my bad
so you basically, hosting the SMB share, where you provide the destination file of your revshell that is in the SMB
I'd suggest going back over the commands to ensure you're running the correct command and correct syntax in the order it shows
order should not matter, except the SMB that needs to be hosted as share before the service is being started, but alright, thank you!
you were missing a lot of steps
if the section is broken you can report it in #1234357888114364508
oh yeah, I see now where I did the mistake, will try later and let you know
@everyone
I am just getting started and am in the setting up module. I downloaded the parrotos image and got it on a vm, and then set up debian.
the academy said:
"""The operating system will now begin installing, and when it completes, the virtual machine will automatically restart. Upon reboot, we’ll be prompted to enter the encryption passphrase we created earlier to unlock the encrypted system and proceed with booting."""
However, I wasn't asked for the passphrase, or asked me to log in anywhere. (I did create one, and the system did reboot). and now I dont know what to do. Help please
Hey guys, im doing Error-Based SQL Injection in Advanced SQL Injections and i got the password link but htb sais its not correct. Would appreciate if someone can check whats wrong 🙂
Please don't ping everyone like that, nor random people. just post your question.
@brittle bridge This server isn't for you to advertise in like that. This channel is specifically for discussion of the various modules on Academy. Please familiarize yourself with the #rules and follow the instructions in #welcome to gain access to more appropriate channels like #ai-ml-llms.
Oh sorry I won’t repeat
Hi everyone,
I have added the ip and subdomains and domain to the /etc/hosts file but, not able to access it via my kali. but, its accessible via pwnbox. idk why is that
(I had to add them to /etc/hosts in pwnbox too)
Are you using the pwnbox and your VPN at the same time?
If so, don't. They use the same IP and it will cause network conflicts and is likely the reason you're having issues (if you use both at the same time that is.)
Hey, I have very limited webshell on windows machine but I am not able to make any connection like download file, make reverse shell. Any ideas why? What could cause that?
Is this for a certain module? If not wrong channel
Its so boring and have to wait ...wait ...wait...wait : it's not gonna help, this is not a CTF, it's an academy, the idea should be clear, the concept and 1 or 2 files is enough but this is a huge set
If you create the correct list it shouldn't take too long, it can also be beneficial to increase the threads, most people say that 48 is a good number
The list is itself inside the server, i even joined the list and did a maximum of 48 to 64 threads .. but still its going on hence I switch the tool to hydra from medusa
why vpn servers so laggy
A slight of the help to which folder to look for the username that will be a great great help
Wait, you're on the server already? which question you doing?
I am on the server I am at the Flag section trying to crack the FTP username @waxen totem
Wait so you're not brute forcing from your own machine?
you're on the part when you already have access is what I'm asking?
I am at this section , I have the username and password for the SSH Account, now i am trying for the FTP
The Flag is kept at the FTP server as the server is open , I am trying via medusa and Hydra , O M Lord its too much time consuming specifically for the working professional-- I don't know why HTB did this a list of 10 was also good but they kept tons of list
@waxen totem ,
Wait I'm confused, you're at the skill assessment section right?
is there some sort of event on, these servers are cooked. when does it finish
Yes Brother , I am at the skill assessment section
Nope, it depends on your internet
Oh I was looking at the first one 
I am at the second section , I need a folder to specifically look in too , .. I cant sit the whole day ..the tool is not a super thing which can do 10000 request in 1 go
Hello all, in the module Active Directory Enumeration - Visualizing Data - Nodes, there is a question regarding Sarah being a local admin somewhere. Has anyone run bloodhound community and got the actual result? I know I could use the provided zip file but I wanted to get the result from SharpHound and visualize it in bloodhound-ce
this has been running for 20+ minutes now wtff
Information Gathering - Web Edition
Skill Assessment
nothing found w fuzzing either
hello everyone
can anyone help me getting correct format of answer of below question?
"Use WMI to find the serial number of the system."
i got the answer but it is not submitting.
I'm in windows fundamental module of course information security
PS Got it, just keep fuzzing lol
Hi
can anyone help?
Guys, I can't type in general catalog. Is it happening with everyone ?
ok thanks
am i doing something wrong its stopping due to errors?:
module:Password attacks
reduced tasks to the lowest and still get errors
nxc worked for me
yea it worked now i had to reset the targetr
Hello all!
I am currently doing the FFUF module, and I am having issues making FFUF work (from Exegol), as it is quite slow. Does anyone know how to fix that ?
Additionally, I ran 2 fuzzing to the same endpoint with the same wordlist, and had different output. How can I fix these inconsistencies ?
Thank you
Command used was ffuf -w <wordlist>:FUFF http://<domain>:<port>/FUZZ
You can see the errors count is 27606, which means almost the service is down or connection is not stable at all.
Ok thx, I assumed it was all 404 not found pages, but how can I fix this & improve the request rate
File Upload Attacks: Blacklist Filters
I am able to upload the shell but, its not getting executed. someone pls help
I tried using the -t to increase the number of threads but that didn't do much
(I tried both web shells and reverse shells)
none is getting executed
try to find a better extension , I don't think that web application does actually run .php8
I tried intruder and its allowed
Getting status code = 200, means it's allowed by the filter, not allowed by the server
Try restarting the instance, and allow it some time, and don't run too many threads against it at the same time, maybe changing the region of the VPN can help as well
yeahh got it finally, tried different extension
turns out, server wasnt executing reverse shell + I was choosing the wrong extension
(web shell >>)
I'll try, 'cause it's really weird as I have this issue on almost all spawned instances
Demonstration of the WTF:
If the website is working, then try change the VPN location
I'll try thanks
should we mention @ SERIOUS RULE BREAK in this case
Hi there!
Have recently started this, "Detecting Windows Attacks with Splunk"
After completing, "Detecting Password Spraying", I realized what might be a good way to detect Password BruteForce (which is different from Password Spraying)
Any idea on it ?
Or help/suggestion ?
Basically you define a threshold of failed attempts for a single username and alert if more than that are seen within a specific time frame.
hey guys hows it going? I'm stuck on the Footprinting IPMI room
I found the username but cannot crack the hash as they recommended
it says the hash is the wrong format
But that is what metasploit gave me. Any help?
its not letting me paste the images here
basically metasploit finds the hash and saves it to a txt, but hashcat says the format is wrong
i tried it with the rockyou.txt wordlist also
I'm having an issue with the socksoverrdp room, have been stuck on this for hours.
When i go into the first pivot and run the SocksoverRdpserver.exe it does not actually open the connection. The proxifier does not allow me to pick up anything and 3389 tcp connection is not found using netstat.
$hashcat -m 7300 ipmihash.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
- Device #1: pthread--0x000, 1435/2935 MB (512 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashfile 'ipmihash.txt' on line 1 (10.129...af3b990f28939926054451ad4a7ce337): Token length exception
- Token length exception: 1/1 hashes
This error happens if the wrong hash type is specified, if the hashes are
malformed, or if input is otherwise not as expected (for example, if the
--username option is used but no username is present)
No hashes loaded.
Started: Sun Jul 13 16:20:30 2025
Stopped: Sun Jul 13 16:20:31 2025
$hashcat -m 7300 ipmihash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
- Device #1: pthread--0x000, 1435/2935 MB (512 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashfile 'ipmihash.txt' on line 1 (10.129...af3b990f28939926054451ad4a7ce337): Token length exception
- Token length exception: 1/1 hashes
This error happens if the wrong hash type is specified, if the hashes are
malformed, or if input is otherwise not as expected (for example, if the
--username option is used but no username is present)
No hashes loaded.
Started: Sun Jul 13 16:21:23 2025
Stopped: Sun Jul 13 16:21:23 2025
┌─[✗]─[user@parrot]─[~/Documents]
└──╼ $cat ipmihash.txt
10.129.202.5 admin:d5a308ce82250000739e28fedfa17c4ec322de043a20d16671d30c3ea5f68341d1d33a98394386a9a123456789abcdefa123456789abcdef140561646d696e:125f1c9daf3b990f28939926054451ad4a7ce337
These are the two I tried with hashcat that returned an error
hashcat expects one hash per line. You are providing an IP on line 1. The format can be seen here: https://hashcat.net/wiki/doku.php?id=example_hashes
Thx for the reply. i changed it but gives me the same error
└──╼ $hashcat -m 7300 ipmihash.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
- Device #1: pthread--0x000, 1435/2935 MB (512 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashfile 'ipmihash.txt' on line 1 (admin:...af3b990f28939926054451ad4a7ce337): Token length exception
- Token length exception: 1/1 hashes
This error happens if the wrong hash type is specified, if the hashes are
malformed, or if input is otherwise not as expected (for example, if the
--username option is used but no username is present)
No hashes loaded.
Started: Sun Jul 13 16:32:11 2025
Stopped: Sun Jul 13 16:32:12 2025
$cat ipmihash.txt
admin:d5a308ce82250000739e28fedfa17c4ec322de043a20d16671d30c3ea5f68341d1d33a98394386a9a123456789abcdefa123456789abcdef140561646d696e:125f1c9daf3b990f28939926054451ad4a7ce337
┌─[user@parrot]─[~/Documents]
└──╼ $hashcat -m 7300 ipmihash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
- Device #1: pthread--0x000, 1435/2935 MB (512 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashfile 'ipmihash.txt' on line 1 (admin:...af3b990f28939926054451ad4a7ce337): Token length exception
- Token length exception: 1/1 hashes
This error happens if the wrong hash type is specified, if the hashes are
malformed, or if input is otherwise not as expected (for example, if the
--username option is used but no username is present)
No hashes loaded.
As expected, you are still providing more than just the hash. Compare it with the example on their page
I see....
If the threshold is 5, let's say...
Then if it exceeds that then becomes bruteforce else password spray...
Hey! currently on WEB ATTACKS > Bypassing Basic Authentication
the explanation states $ curl -i -X OPTIONS http://SERVER_IP:PORT/ should give a response with the Allow: header
however, when I try this I get a response identical to what I get when I do a normal GET request. no Allow: header.
Anyone know why? 😅
also, manually just trying all the HTTP methods in the way that should solve the challenge is... not working
(through burp ofc)
top is with -X OPTIONS, bottom is -X GET
A password spray is still a (specific type of) brute force - no matter if you hit your threshold
Regular brute force is just not as successful in a domain because there should be a lockout policy defined, so you'll lock a single account rather quickly.
sometimes OPTIONS just doesn't work
yes. having trouble installing the 2 dependencies libfuse3-4 and libruby3.3 for the dislocker portion of the cracking password protected archives
I am aware, but the challenge at the bottom states " Try to use what you learned in this section to access the 'reset.php' page and delete all files. Once all files are deleted, you should get the flag. "
anyway, I've tried the methods listed in the section (need change a method to bypass auth, as demonstrated earlier in the section) and none of them yield a result. not sure what else there was to be learned from the section...
'try' doesn't mean it will succeed
but you're likely overlooking something; i.e. if you change from POST to GET you have to change the request
i.e. GET uses /endpoint.php?key1=value1&key2=value2
POST uses the data portion to assign the values
Module name..?
from the section:
"Once we change POST to HEAD and forward the request, we will see that we no longer get a login prompt or a 401 Unauthorized page and get an empty output instead, as expected with a HEAD request. If we go back to the File Manager web application, we will see that all files have indeed been deleted, meaning that we successfully triggered the Reset functionality without having admin access or any credentials: "
The entire solution offered was essentially just demonstrating insecure web server configs allowing for HTTP verb tampering because of something like:
<Limit GET POST> Require valid-user </Limit>
after trying the same thing demonstrated in the section (on, at least visually, the same webpage as the section), with all the mentioned methods, none of them had any effect. so I'm kinda lost on what to do, the solution is not what was discussed in the section, at least I don't think so
WEB ATTACKS > Bypassing Basic Authentication
there is no mention in the section about values etc as I don't think those are what this is about
for the dislocker portion of the Cracking Protected Archives module, has anybody found a fix for this?
I tried that but no change. I was having trouble trying to manually install the dependencies too.
is your system up-to-date?
apt-get is also a deprecated method, it's all been condensed down to apt (this doesn't change functionality)
you can also try sudo apt install aptitude
sudo aptitude install dislocker
ahh okay I didn't know that, thanks. I'll try this now
no dice...
tried --fix-broken install without any packages specified too with no luck
for the exam is there a recommended OS to use? I'm just using a kali VM with all the extra tools we need added but there have been times I needed to go back and use the pwnbox instead
Can i get some help on the socksoverRDP pivot section
pwnbox worked for the dislocker part
||socksoverrdp didnt work for me (the dll would delete itself for some dumb reason and i couldnt use regsvr32.exe against it), u can use netsh and chain proxies to get to the dc lol||
Ig it’s issue with your system you have stopped upgrade in the middle that’s why it is giving you issue
Just do one thing normally update it apt update then apt —full-upgrade
Then try installing dislocker
bruhh
||funny stuff when u see it work just lmk if it does work for u cuz it did for me||
I will do it later and let you know how it goes
can someone help me? i can't find the password for the second question.
i try
C:\Users\mendres> notepad .\resultados.txt
PS C:\Users\mendres> $shares = "C:\Company", "C:\Finance", "C:\HR", "C:\IT", "C:\Marketing", "C:\Sales"
$results = foreach ($share in $shares) {Get-ChildItem -Path $share -Recurse -Include *.txt,*.log,*.ini,*.cfg,*.ps1,*.bat -ErrorAction SilentlyContinue |
Select-String -Pattern 'domain', 'admin', 'password', 'cred' -Encoding UTF8}
$results | Tee-Object -FilePath resultados.txt
and spiderman
is there a reason anytime I left click the instance thinks I'm right clicking
Just finished the sql injection module!
Hello, on the "Linux Privilege Escalation" First page where we have to enumerate and find the flag.
I grepped for the flag format and got it, but before that was hours trying to find it, and nothing.
What is the approach we are meant to have for this? Because i couldn't find any "Interesting files" or it would have taken me days and days
how far into the pentester curriculum should i start to try doing active and retired boxes on htb main
fyi i'm 32% in
Depends on your goal. If you want the certification, just continue doing the path until it's complete.
Yoo
i'm planning on getting some practice doing active and retired boxes for the cpts...do you recommend waiting until i finish the entire thing?
The path can take a long time to complete. Boxes aren't always going to have things in the scope of the path so you may find yourself spending more time researching other things you won't see in the exam. The path is all you need. I'd recommend going through the path and ensuring you have a strong understanding of everything in it. Do AEN blind at the end as a capstone. After completing the path if you really want to practice Ippsec has an unofficial playlist of boxes you can do.
This is just my opinion and you may be better off doing it your way, so don't take what I say as gospel.
appreciate the input
How do I gain access to other channels
Sorry daddy nuts lemme go read
Do You recomend to do prolabs as dante for training?
Would anyone be able to provide some guidance?
Module: HTTPS/TLS Attacks
Chapter: POODLE & BEAST
Question: Construct a valid SSL 3.0 padding of the plaintext bytes "AABBCCDDEEFF". Use the byte 00 for any byte that can be an arbitrary value. Provide the padded plaintext without spaces. Assume the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA is used.
I'm just a little bit lost on what the actual question is wanting you to do. I've tried following the examples, but I'm not getting the vulnerable and not-vulnerable responses. Is there a specific host I'm meant to be testing against?
Best to ask in #general, this channel is dedicated for module discussion.
Follow the instructions in #welcome
the certification channels are probably better to ask in for your question i guess
this channel is for talk about the modules themselves
Proxying Tools
https://academy.hackthebox.com/module/110/section/1053
I'm here
hey im sorta stuck. the Mass IDOR enum in the web attacks module I cant seem to get working. when i go to the employee documents, click documents and click either invoice or report, the PDF file is blank (not sure if this is supposed to be the case). Im trying to follow the example adding uid=2 but nothing shows under documents like its supposed to. when I run the curl examples i get nothing returned so im a tad confused
i tweaked the bash script and got no downloads
any ideas?
its also REALLY slow
wait nvm had my regex wrong
module = footprinting lab hard
i have been trying to find the 1st credentials and i tried every thing that came to mind . any hints ?
did you check UDP?
ya ...
are you sure?
sounds right
:) don't assume versioning may be correct
you were taught everything you need to know
deleting bc spoiler 😉
man...
Hello, im relatively new to cyber and im trying to learn the linux fundamentals module however im stuck on this question ( How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only) ) I have tried so many commands and I don't seem to get the right answer is there any guidance anyone could give me?
It'd help if you showed the commands you were using and the logic you use as well
cat /etc/services | grep -v "localhost" | grep "IPv4" | wc -l. cat /etc/services | wc -l . cat /etc/services | grep -v "localhost" | grep "listen" | wc -l. those are the ones I tried (and more variations) and then there are more complicated ones that chatgpt came up with ss -ltn4 | awk '$4 !~ /127.0.0.1/ {print $4}' | sort -u | wc -l. but idk what to do
Your second command is close but misses that 127.0.0.1 is not the only thing on local host
Thank you for your help.
is this intentional not to allow time extensions to skills assessment labs?
on SQLi Fundamentals in CPTS Skills Assessment section.
not a flaw, yeah it's intentional it's just a docker container that spins up publicly
ah okay thanks
they die after a certain amount of time but you can just respawn it
it's not like it affects progress or anything
maybe im just lazy but I like to keep extending till im done in my session, which in this case included some scripts pointing at the IP
Lots of effort changing one line.... sigh /s
Oh am really sorry I thought I was in general
can someone please help me with Q3 of "Wi-Fi Basic Pentesting" final assessment? I found the password for BSSID D8:D6:3D:EB:29:D5. But I cannot connect using the 3 letters SSID that is being shown .
I believe is due the SSID. But I can't find it using the given tools.
I even inspected the pcap and still nothing.
If you have the password maybe there's some other kind of protection preventing you from connecting.
I know the protection you are talking about.
I reverse engineer (found a spoiler) that let me connect. But I am not able to find that.
so you're connected?
I am starting to believe, there's an issue with the exercise
Yes I solved it
But I could not find or understand the "why"
I cannot find the correct SSID via tools
how did you connect to the SSID if you can't find the SSID
I've spent two days for far on this exercise.
DM me
can I DM?
Appreciate the help . Thanks again.
can anyone help me with this?
Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio.
i did cp the ccache and export as KRB5CCNAME = <filename>
and when i did klist it showed that ticket is correct.
when i am doing smbclient it is giving me - Connection to dc01 failed (Error NT_STATUS_NOT_FOUND)
I tried 2 tickets. same issue
kerberos attacks require the kdc, typically the dc, to be resolvable
i used dc01 . no successss
add the domain name, the dc, and the dc + domain suffix, to the /etc/hosts
If you don't, the tools may give you weird errors due DNS name resolution issues, like SuperNuts said
trying, thanks
where can i learn more about working with dns name resolution? why it gives weird errors? i had same issue with one module which required to add all ip's i found to the etc hosts. still confused what is matter to add to hosts ? Sorry if it is simple thing.
Academy has a basic Module for active directory
I suggest doing that before
If you don't fully understand these simple things, you will struggle with any AD attack
DNS resolution is vital for AD
i am doing the CPTS modules by order it showed me and i did not reach to AD module yet. Is learning that way confuses?
CPTS assumes some basic knowledge
do this one

then return to CPTS once done
thanksss
np, best wishes
Whenever a module says to use crackmapexec would I be wrong to rather use netexec instead
nope
a fair bit of the modules were written prior to netexec being a thing and crackmap being sunset
Ok that's what I assumed
regarding?
password attack module
did add the IP and domain to hosts and when i try to smb , its just processing without showing any success.
can i share screenshots here?
Yes, that's what it means
But I wouldn't rely on these times. Sometimes you need more time, sometimes less.
To post screenshots here, you need to verify your account.
Read and follow #welcome
here
At first glance, I would say that your ticket has expired.
just noticed
Are there any ways to gain cubes aside from purchasing them? Money is tight this week, but id love to do some modules.
Guys who know a good smtp
referrals?
for what
Hi. I have trouble finding an answer for Advanced Command Obfuscation.
Find the output of the following command using one of the techniques you learned in this section: find /usr/share/ | grep root | grep mysql | tail -n 1.
I have tried reversing, turning to base64, changed the special characters with printenv's. Can somebody please help
Would anyone be able to provide some guidance?
Module: HTTPS/TLS Attacks
Chapter: POODLE & BEAST
Question: Construct a valid SSL 3.0 padding of the plaintext bytes "AABBCCDDEEFF". Use the byte 00 for any byte that can be an arbitrary value. Provide the padded plaintext without spaces. Assume the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA is used.
I'm just a little bit lost on what the actual question is wanting you to do. I've tried following the examples, but I'm not getting the vulnerable and not-vulnerable responses. Is there a specific host I'm meant to be testing against?
hello all, I am currently on the SCCM Auditing module in the CAPE path, the lab machines are not showing the output they are supposed to show via sccmhunter
is anyone else currently doing the same module?
yo dudes! I'm currently working on the Active Directory Trust Attacks - Skills Assessment, and I'm stuck on Question 2. I think I’ve figured out the attack path, but I just can’t get it to work as expected. Is anyone available for a quick chat so I can explain what I’ve tried and maybe get some guidance? Appreciate any help, thanks!
can anyone help me run bloodhound via crackmap i cant get it work from pwn box
You can DM me if you still need help
Hello guys, i am with the OSINT module and i have to answer the next question: Investigate the website and find the bucket name of AWS that the company used and submit it as the answer. (Format: sub.domain.tld); with "the website" i understand that is inlanefreight but i was searching around an hour and i cannot find anything, can you help me? thanks!
Hello guys am at LLM OUTPUT ATTACKS module i am currently stuck on Cross side scripting 2 i can exploit, but i can only retrieve the chat cookie i decode but nothing that can resemble an admin cookie any help?
Hi
someone help me with File Upload Attacks - Skill Assessment
I got the initial XXE but, unable to upload shell...
I am using :.phtm.jpg with image/png mime type and also the file type signature of a png file
but it still says "Only images are allowed"
Ohyeah, that one was pretty difficult for me. Try to see if theres any other Content Types that can be used
You can DM if you are still stuck.
Hi has anyone managed to complete the optional challenges for PtT from linux ?
i followed the steps but i can't get the final command to run
damn i just discovered reflective C# loading in powershell my life just changed
module: Introduction to Digital Forensics/Introduction to Digital Forensics/Analyzing with Timeline Explorer what file is being ingested there ? there's bit of disconnect. not sure how we arrived at having that file being ingested
i can drop a mini procdump in memory now, thats so cool like wtff
hello, im working on a skill assessment on DACL1 module from active directory, im not sure and i cannot connect to RDP on port 13389, had someone this issue ? https://academy.hackthebox.com/module/219/section/2335 Thanks
If you have the credentials it shouldn't be an issue.
i have credentials of ||mathew, i saw that mathew has WriteOwner over Network Admins, but i cannot connect to windows to use powerview||
Have you verified RDP auth with netexec?
if anyone has experience with it pls dm me thanks
yes, with user ||mathew ||and user ||carlos||, in /24 couldn't find something
on port 13389
You can DM what you are trying and the output you are receiving.
thanks
finally solved it.. the issue was: many a times the server wasn't accepting the file type and was throwing errors. The exact extension worked in the end idk how
Hmmm!
Makes sense...
Thanks a lot @bright coral 😄
Good morning,
Wondering if someone could DM me for help with SQLMap Essentials, Attack Tuning Case 6
I've attempted various levels and risks, here's the core command but I'm doing something wrong ||sqlmap -u 'http://94.237.54.127:34013/case6.php?col=1*' --dbms=mysql --prefix='`)' --batch||
So on the SocksOverRDP room on the pivoting module, i got the pivot set up, it lets me rdp into the 2nd pivot but it cancels the connection due to either connectivity issues or "data encryption"
I have tried spamming the reconnect to the RDP session and i can get to the login screen but it keeps dropping.
Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).
guys , i need help with this question.
i have found keytab which belong to LINUX01$
also i switched to root from svc_workstations user.
when i tried to
root@linux01:~# kinit LINUX01$@INLANEFREIGHT.HTB -k -t /etc/krb5.keytab
kinit: Keytab contains no suitable keys for LINUX01INLANEFREIGHT.HTB@INLANEFREIGHT.HTB while getting initial credentials
any help?
EDIT: in the interest of not spoiling things, had problems with popping a reverse shell and figured it out.
There's other file types that will work for this outside of keytab
hi
ty
Looking for some help with Attacking Common Services | Attacking DNS
Trying to use subbrute for DNS info and I get the following output
```
└─$ ./subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt
/home/aria/Desktop/HTB Tools/subbrute/./subbrute.py:462: SyntaxWarning: invalid escape sequence '.'
permute_filter = re.compile("^[a-zA-Z0-9]{" + str(self.permute_len) + "}.")
/home/aria/Desktop/HTB Tools/subbrute/dnslib/lex.py:148: SyntaxWarning: invalid escape sequence '.'
l = WordLexer(r'abc "def\100\x3d. ghi" jkl')
^Czsh: killed ./subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt
```
It's funny how many people don't read rule #8.
If someone bothers you, let me know
I've got myself set to no messages without being friends, and I ignore people who I don't know adding me. I feel a little guilty as they are looking for help, but they should post in here first. 😦
How did you get a Serious Rule Break? lol
You don't have to feel guilty. You've helped a lot of people.
Haha, the role is like an emergency call system, if you ping the role, all mods are pinged.
Hi everyone!
I am currently stuck at the Password Attacks Skill Assessment from CPTS - just like many more before me as I saw when checking this channel 😅
I had a look at MarciLee's hints, though they didn't quite get me there yet. Currently at b*.
Someone up for a dm?
did u get it same problem here
bro same problem here with build number did you crack it
Windows Lateral Movement - Skill assessment - Q2 - What's the content of the flag located at C:\Users\Arturo\Desktop\flag.txt there is no flag on Arturo's desktop. Is the box messed up?
any one completed android fundamentals kind of ran into trouble with AVD build number problem
uff finally
Do not share direct answers @lament estuary
It is on one of the hosts.
I suppose you are on android fundamentals right? which section of the module remind me please
Hey everyone. I just joined this server. I’ve been curious about cybersecurity lately and wanted to know more about it.
Okay. Thank you.
Hey MarcieLee. I am starting Live engagement in Shells and Payloads but I am having trouble spawning target. It just won't spawn. When I try to spawn a target, it goes back to "click here to spawn the target system" after a few seconds. Any suggestions on what I should do? I tried refreshing the page and logging out and logging back in.
- i'm not staff
- reach out to support
Ohk. Thank you for the clarification
Hi, I'm stuck in the "Reading and Writing Files" section of the "Advanced SQL Injections" module. I managed to generate the file in the path /var/lib/postgresql/proof.txt by exploiting the SQLi vulnerability in the account registration function. According to the lab's statement, to retrieve the flag I must run the "serverInfo.sh" script located on the server where the vulnerable web application and PostgreSQL are running. However, when I run the script, I can't get the content of the flag because the flag is located in a file within the "root" directory. However, the user I'm connecting to the server with doesn't have the privileges to run this script with elevated privileges, and the script's content doesn't seem to contain any vulnerability that could be exploited to perform a vertical escalation of privileges. Could anyone give me a clue, please?
I've just got done with the pentest path AD module, safe to say my brain is fried and my notes are massive. Does anyone have any recommendations for a 'best practice' methodology when approaching an AD box? really looking to condense everything down
quick question guys for the FTP module in attacking common services
do you get the port on port 21 or 2121 ?
because i don't get either of those even with different flags
am i doing something wrong or
Hello i am new in hacking can someone help me
Give me a challenge on hack the box or try hack me to try as a beginner
Ty
This file transfers module is killing my attention span
hi
did anyone face an issue in privilege escalation module
Where they got access to user 2 but it’s asking for a password to run Sudo -l, and it says NOPASS?
you mean "sudo -l" right?
Sorry yes
did u face this issue in the module ? When I was at user 1 going to user 2 it said no pass but now I’m in user 2 writing sudo -l it says it needs a password
😵💫?
I haven't gone through that module yet, still in file transfers, but in my experience the labs in HTB Academy are usually not at fault, I would verify that you are doing what they are asking for!
It's only NOPASS on a certain command not all commands and different users can have different sudo settings
sudo allows you to specify a user to run commands as
Hello there, I am studying for CWEE and I'm stuck on the 'Introduction to NoSQL Injection' module, Skill Assessment 2. Do you have any advice or hints? I've really put a lot of effort into this, and I want to understand and solve what I'm missing in this part.
sorry random person for the ping but why does this work and the other completely crashes the server?
$_GET and $_REQUEST are just 2 fundamentally different things
You can DM me
I'm doing the Password Attacks module and I'm having trouble completing the Pass the Certificate section. Having a hard time getting the CSR with the provided tools specifically. Let me know if you think you can help so I can DM and not risk any spoilers here.
I’m stuck on the ARTIFICIAL lab when I try running the reverse shell can anyone help me in DMs I don’t wanna spoil it for people who haven’t done it yet in here
Won’t let me on my phone
What specifically is giving you an issue? you should be able to visit the HTB site and copy your identifier on your phone
Very bad layout on phone just says use your laptop or computer to play htb no code
Use your phone in landscape mode when trying to identify
There should be a request desktop site button on your phone's browser, but yeah it's recommended to use a computer for this
guys im currently completing Information Security Foundations module
Im at VPS task
could someone explain if i need to buy that VPS service or no?
You do not need to buy one, just treat that section as a source of information
Outside of the Mac modules(because you'd need a Mac), no module will ask you to spend money for tools
Thank you
Sorry I’m new to this
One last question
Will doing these modules and eventually getting a certification on hack the box land me a job
Unfortunately, even with certifications there is no guarantee of landing a job, that's a whole other skill in itself which no one really teaches, there are places that can help you get a job but will you get a job from a certification alone? probably not
I have a degree in computer security too
That probably helps but like I said: there is no guarantee that you'll get a job based on achievements alone, you'd have to be able to prove your skills to an employer and they'd have to like you
Hi, i'm stuck in the module "Abusing Foreign Groups & ACL Principals" with the sentinal user, can somebody help?
Cool cool will these at least help get an interview
What do these security interviews look like
I have never gotten one
Cheat sheet in file upload attacks module has a broken link for Web Content-Types
Fixed. Next time, report it to #1234357888114364508 as we could have missed this message.
Can I get a nudge on SQLMap Skills Assessment please, don't want to spoil the fun for others nor do I want to hit see solution, but I've spent a good few hours returning to my notes, running payloads, comparing results.
Am I wasting my time with the|| SQL Error from the 500~|| I didn't see anything injectable in rest of the site so I'm back to this
Hi, I'm stuck in the "Reading and Writing Files" section of the "Advanced SQL Injections" module. I managed to generate the file in the path /var/lib/postgresql/proof.txt by exploiting the SQLi vulnerability in the account registration function. According to the lab's statement, to retrieve the flag I must run the "serverInfo.sh" script located on the server where the vulnerable web application and PostgreSQL are running. However, when I run the script, I can't get the content of the flag because the flag is located in a file within the "root" directory. However, the user I'm connecting to the server with doesn't have the privileges to run this script with elevated privileges, and the script's content doesn't seem to contain any vulnerability that could be exploited to perform a vertical escalation of privileges. Could anyone give me a clue, please?
hello, does anyone have issues with the labs ? im on DACL 2 , but RDP doesn't work..
Hello, anyone available to help in dms on the Subdomain Bruteforcing module? I can't find the right subdomain for the life of me
still cannot figure it out, how to finish this section help needed
Im having a problem with https://academy.hackthebox.com/module/144/section/1257 i already added the ip to the etc/hosts and ran the gobuster gobuster vhost -u http://94.237.54.192:34146 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain inlanefreight.htb
still got no subdomains :/
--domain inlanefreight.htb
Alongside the --append-domain option
need to exclude that ?
still dont get it sorry ^_^Uu the command is wrong then ?
Hello there, I think the skill assessment of HTTPs/TLS Attacks is broken, doing a get to any request takes too long
i tried with ffuf and it is working, but still don't know why it doesn't with gobuster 😦
Im not staff, nor have I done that module
--append-domain --domain inlanefreight.htb
--append-domain is just a boolean switch true/false
Working on Attacking Common Services | Attacking DNS I can't get subbrute to run, and when I try using something like gobuster, I don't get any returned results. Anyone have a second to help diag?
```
permute_filter = re.compile("^[a-zA-Z0-9]{" + str(self.permute_len) + "}.")
/home/aria/Desktop/HTB Tools/subbrute/dnslib/lex.py:148: SyntaxWarning: invalid escape sequence '.'
l = WordLexer(r'abc "def\100\x3d. ghi" jkl')
Warning: No nameservers found, trying fallback list.
```
```
    ~~~~~~~~^^
  File "/home/aria/Desktop/HTB Tools/subbrute/./subbrute.py", line 422, in run
    response = self.check(hostname, query_type, timeout_retries)
  File "/home/aria/Desktop/HTB Tools/subbrute/./subbrute.py", line 342, in check
    resp = self.resolver.query(host)
  File "/home/aria/Desktop/HTB Tools/subbrute/./subbrute.py", line 57, in query
    name_server = self.get_ns()
  File "/home/aria/Desktop/HTB Tools/subbrute/./subbrute.py", line 107, in get_ns
    ret = self.nameservers[self.pos]
          ~~~~~~~~~~~~~~~~^^^^^^^^^^
IndexError: list index out of range
^Czsh: killed ./subbrute.py inlanefreight.htb -s names.txt -r resolvers.txt
```
Edit User error, forgot to add the domain into resolvers.txt
Is there someone i can talk to?
Need some help? Learn how to reach the support team on Academy.
^
What's the actual purpose of target machine at the end of every material in advanced deserialization? I don't see dnspy/ilspy installed and the machine doesn't have internet connection to download the .net material
Everything you need should be on the machine. You can transfer the code to the machine via rdp
I haven't done them, nor do I know what that module is about, but could you use rdp?
Hey, i just finished the SQLi skill assessment and i wanna ask a question without spoiling anything. Anyone i can DM?
Hello.
Anyone available who resolved first step "Advanced XSS and CSRF Exploitation" Skills Assessment? I have an ||open redirect||, I || uploaded file which normally can bypass CORS/SOP by using <meta> to redirect to the admin page|| but it doesn't work when I deliver a payload with the ||open redirect to my html.txt file with content-type:text/html (redirection works for me but not for the bot ...)||
Weird I can't find more than the original and the DC. I'm going to try again today. I think my pivot dropped.
If you end up still unable to get past it, you can DM.
Cool, thank you!
yo guys
im on ACL enum section
i transferred over chisel and connected to 172.16.5.0 network through SOCKS
i want to run bloodhound-python to enumerate DC however
it doesn't work
└─$ proxychains bloodhound-python -u htb-student -p "Academy_student_AD!" -dc 172.16.5.5 -d inlanefreight.local -c all
ProxyChains-3.1 (http://proxychains.sf.net)
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
Traceback (most recent call last):
File "/home/haji/.local/bin/bloodhound-python", line 8, in <module>
sys.exit(main())
^^^^^^
File "/home/haji/.local/lib/python3.12/site-packages/bloodhound/__init__.py", line 314, in main
ad.dns_resolve(domain=args.domain, options=args)
File "/home/haji/.local/lib/python3.12/site-packages/bloodhound/ad/domain.py", line 705, in dns_resolve
q = self.dnsresolver.query(query, 'SRV', tcp=self.dns_tcp)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/haji/.local/lib/python3.12/site-packages/dns/resolver.py", line 898, in query
raise NoNameservers(request=request, errors=errors)
dns.resolver.NoNameservers: All nameservers failed to answer the query _ldap._tcp.pdc._msdcs.inlanefreight.local. IN SRV: Server 127.0.0.53 UDP port 53 answered SERVFAIL
im missing something here i believe
i made sure pivot is working
I'm back to subbrute not working correctly... Anyone have a second? I'm not sure what I'm doing wrong
is the names.txt and resolvers.txt in the same directory you're launching from
Yeah, when I put inlanefreight.htb in the resolvers file like the lab mentions, nothing really happens... It did once, and then I had to run to a meeting, came back, launched again and it doesn't want to work
Not sure if this will help any..
```
Warning: Fewer than 16 resolvers per process, consider adding more nameservers to resolvers.txt.
Warning: No nameservers found, trying fallback list.
Process lookup-3:
Traceback (most recent call last):
  File "/usr/lib/python3.13/multiprocessing/process.py", line 313, in _bootstrap
    self.run()
    ~~~~~~~~^^
  File "/home/aria/Desktop/HTB Tools/subbrute/subbrute.py", line 422, in run
    response = self.check(hostname, query_type, timeout_retries)
  File "/home/aria/Desktop/HTB Tools/subbrute/subbrute.py", line 342, in check
    resp = self.resolver.query(host)
  File "/home/aria/Desktop/HTB Tools/subbrute/subbrute.py", line 57, in query
    name_server = self.get_ns()
  File "/home/aria/Desktop/HTB Tools/subbrute/subbrute.py", line 107, in get_ns
    ret = self.nameservers[self.pos]
          ~~~~~~~~~~~~~~~~^^^^^^^^^^
IndexError: list index out of range
```
What problem did you run into?
I thought that the hostname goes into resolvers? At least that's what the module had shown lol
When I do that
Warning: No nameservers found, trying fallback list.
You can DM me if you still need help
Is there any CTF labs for beginners for llm
Can someone DM me about "NTLM relay attack" skills assessment, question 3. I have tried the accounts I have access over but am still unable to read the shares on SQL03. I must be doing something wrong but can't work out what
You can DM the accounts you have. Might not have what you need or you might and just need a restart.
The loopback IP address (127.0.0.1) is used to refer to and access your own computer's network interface. It allows a device to send and receive data to itself for testing and communication purposes.
hey i cant access the inlanefreight.com
Thank You!!
the module : -INFORMATION GATHERING - WEB EDITION
Subdomain Bruteforcing
i tried to ping, and when i did curl it says presently moved
and there is no vpn required for this module .. what am i missing?
The www is important
ping -4 www.inlanefreight.com
PING www.inlanefreight.com (134.209.24.248) 56(84) bytes of data.
is the ping command missing something?
probably yes cos i can access it via browser ... but cant figure what
Could just be that the hosting site isnt responding to pings
oh probably blocking icmp packets .. so i need to fuzz the subdomain for the www right , just trying to be sure?
hello, im doing Attacking Common Services, and im in the ftp part, do i really need to wait an hour to have the credentials? lol
💀
you are missing something
yeah, i hate nmap scripts
they don't tell me anything and i say "I won't be able to connect this way."
and yea, i was able.
is it possible to do this at this time? https://academy.hackthebox.com/module/144/section/1256 , i have no snapshots from some days and other days say nothing
Struggling a bit on 'Web Service & API Attacks -> Server Side Request Forgery". I'm able to trigger the SSRF back to my computer, but the web app becomes completely unresponsive if I try to request something from the server itself. Am I making some obvious mistake?
which question exactly?
first for example that day print a goddady.com
2nd one, 10 june 2017, there isn't a snapshot
struggling on this question : What are the contents of flag.txt on Administrator's desktop? from the section pass the certificate
It's working for me sorry, you must be doing something wrong
Which URL are you searching for?
Well, there you go, that is not correct, check the section again.
It is through timing differences.
The one you linked
i see a screenshot that searches for www.hackthebox.com in year 2017 and no snapshot on 10th june, do i need to search for subdomain or something ?
is it really for www.hackthebox.com?
thats the url i know from this page ^_^Uu
Well, maybe the first version of the website didn't have that url
open the last image from the section in another tab and check the url, it's not www.hackthebox.com
Your legacy HTB Academy account is still unverified. this error is continuously popping even after verifying email
contact support
Okay, I see it now, but the question was referring to Hack The Box, it's a bit ambiguous to be honest. Thank you very much
That domain is the domain for the first version of Hack The Box. you literally have a screenshot of it in the section itself, along with the URL.
How?
Not ambiguous really. A bit of light and clever OSINT
Need some help? Learn how to reach the support team on Academy.
@raven kelp
pls
I think there's a lot of hints for that question from previous students, search for those here in this channel (CTRL+F) and see if you can progress
The old url for htb is given in that section look closely at the attachment image in it
Hi everyone, where i can ask questions about season machine Outbound?
In https://discord.com/channels/473760315293696010/1393651632838934608, if you can't access it then you have to read https://discord.com/channels/473760315293696010/477042232109826048
Thx
https://academy.hackthebox.com/module/158/section/1439
I'm trying to complete this section but proxifier.com seems to be down, i tried to wget the download link itself and got unable to establish SSL. Is there any other options for tools to use?
guys im doing command injection module and in this question: Try using the remaining three injection operators (new-line, &, |), and see how each works and how the output differs. Which of them only shows the output of the injected command?
I found the answer that is new-line and in burpsuite i url encoded everything and it worked. But how i answer the question, i typed new-line NEW-LINE New-Line and nothing
Because something else also works. Try them all in Burp.
Ohhhh thx thx for the tip
I also got caught with this so that's why I remembered
i found it but the answer format its incorrect i dont know
Url encoded version
where do we chat bro i have a question for a box
Hi guys, I am on Debugging with GDB module from Intro to Assembly Language. when i run the gdb binary ... it crashes with Segmentation fault error. Have a look at attached picture.
I am running Parrot OS VM in a Virtual Box VM on Macbook
isn't the command that i replied to $_GET? does echo shell_exec make it not?
well with echo; you'd have to make sure to echo it with single quotes
so bash doesn't try and interpret it as a variable call
or escaping the $ with \ so echo ... \$_GET
I'm at the attacking thick client applications and am just confused on what is supposed to be going on or happening
That is the insane box "Fatty." You can lookup Ippsec's video on it for additional help.
That's illegal, we cant help you no matter how noble your intentions
Hello guys. I have a question about the Active Directory Module. I'm in the section "Initial Enumeration of the Domain". I ssh'd into it as needed, and I used fping on a range of ip addresses. One of the IP Addresses I did an NMap scan on and I see from DNS records that there is a Domain name (<Redacted>.LOCAL and <Redacted.LOCAL0). I tried typing in both of those Domain names and the answer is incorrect. The question for reference is "From your scans, what is the "commonName" of host 172.16.5.5. Is that not the domain name or am I typing it in wrong? I did both caps and no caps for the answer and no luck.
Nvm... I'm blind. Its funny how 3 minutes after sending that I immediately figure out my issue. Whoops. xP
I'm in "Windows File Transfer Methods" section in the "File Transfers" module. I'm trying to run wsgidav However when I run it with the command given in the module I get this error: OSError: No socket could be created -- (('0.0.0.0', 80): [Errno 98] Address already in use). When I try to kill any process on port 80, it kills the pwnbox altogether. Any pointers? Is this possible to run on a different port? I tried that but then got errors on the Windows side of things.
pwnbox uses port 80 already, probably try another port
I tried using port 8080. But then when I try to access the files on the Windows side I get:
C:\Users\htb-student>dir \\10.10.14.58:8080\DavWWWRoot
The network path was not found.
drop me a dm I can assist here ^
pretty sure you can use a webclient to access it instead
Or try net use
"Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration".....
Oh but after closing that window it shows so I guess that works
Yeah defender with IE can get quirky, I'd use iwr to grab the files
Thanks for the help!