#modules

nono i wrote the text and used AI to get informations

It's why I linked it back to being RunAs

Because if youre familiar enough with windows

Runas does basically the same thing

not enough, im a newbie everywhere

Then relate it to something outside of tech

¯_(ツ)_/¯

You want to be able to look at your notes some time down the line and still be able to actually understand it

Def can attest to this^ I like to copy exact quotes from what I read then hand write with my surface pen in the margins what I relate it too

unpopular opinion I also love OneNote becasue you can search hand writing, and screenshot text

Can someone help with a module? Trying to learn and review the Linux directories

I've got a hour to spare

I can try to help!

Care if I voice call

Whats the question my friend also working on modules so I can give hints and guidance as you need

Can you join General Chit Chat

Im running on Hotspot lol

Basically, it's about the directories

is setting up a vps required for academy modules or can i work through without setup

setting up a vpn while inside a virtualbox/vmware machine is advised

its too easy to do..so you might as well do it

vps not vpn

but yes i think i have a subscription to airvpn i might throw it on my vm seeing i havent yet

i dont use a vps and im done with the cpts path

When do you plan on taking it?

when should i setup a vps and proxmax

what and what?

whoever told you you need those for CPTS are super wrong

i can use that to download tools and my github repositories over new machines i have to deploy right

nah im reading the getting started skillset right now

just load the tools in a kali/parrot vm

yes i can apt install but i think with a vps i can make it install abunch at once? not too sure

the notes, just dump em on your desktop. use obsidian to read/edit them just like you would on a browser

yuh i write my notes from lessons in notepad and categorize

just use kali via virtualbox, download your tools as you need them, no need for those wannabe tools.. no one does that

i guess i can look through the getting started path again to setup custom things and servers after to test on my own vm and such

a text file....you need a serious upgrade like obsidian or joplin

why

okay then... just go on with your journey and figure out why im telling you all this by youself

well you mentioned it whats a benefit of obsidian

obsidian, for me, the BEST note taking app EVER

seems so complicated

how did you dump all them into it by writing or download the sheet

thats from my desktop

thats the beauty of obsidian... you can dump pages as if it was the notes themselves from the modules

Obsidian allows you to use markdown and tagging to enhance your searching for content

i had to delete lol i saw some nasty stuff

so im outdated essentially

Eh

Use whatever works best for you

i believe in tech-memory loss

so writing it down as i go helps lol

Some mad lads have used excel

yeah idk how that would work lol

Setting up a vps isnt required btw

from my perspective, i dont how you would make it work with that..

yeah i mean these are notes from the getting started module so it has basic commands , nibbles walk through, theory i can scroll through

just like how an excell file would work haha

i guess drop downs would be nice to see the organization better

maybe ill give it a shot

thats the key point: scrolling...

a note taking app would let you search REALLY fast

im gonna go down cpts path too once i finish this

i use a 2024 m3 macbook lol

i run vbox kali whenever i wanna practice

?

Is there anyone I can get a second opinion for AD enum SA part II

where i can ask questions about retired machines ?

#boxes. You'll need to follow the instructions in #welcome to gain access.

@cloud urchin Thanks 1 year here on discord and first time gain access... a true hacker .-.

any one able to help walk through or just chat while doing a HTB module

I wonder if a hacker from hackthebox academy ever hacked hackthebox
a true movie plottwist

i need to lock in on htb

https://academy.hackthebox.com/module/147/section/3714 How to bypass the UAC in this section?

I searched the website and found "reg add" to no avail

What you guys think is the best way

1. Doing skill path after skill path
   Or
2. Tier 0 Fundamental -> Easy -> Medium -> ….
   Tier 1 Fundamental -> …..
   Etc.

@kindred cipher if you're after a specific "job path" - it might just be best to follow those modules in order

start with the fundamentals and then work from there

The skill paths and job paths are curated in a specific order to do them in

A large German cybersecurity company has offered me the opportunity to train as a junior penetration tester after completing my current IT specialist training. However, they require good Linux knowledge. I'd also like to learn more beforehand.
That’s why I’m asking

What defines "good Linux knowledge"? Theres a Linux fundamentals course that goes through the basics

I think the fundamentals are enough. Just wanna be more than enough, you know what I meant?

If they required good knowledge in Linux, You should try with Linux Administrator. This Linux Admin makes my brain so tired that HBT modules

Please

@cosmic sequoia That's not what this server is about, please read #rules

Hello I m enrol in the "Android Fundamentals" Module, but I m stuck at 'Android Emulators
' second question that ask for the build number for (Pixel 3a API 34 Google APIs') device, I launch the device from android studio then settings -> about -> build number, but didn't work. do I missing something ???

help me with linux fundamentals

files and directories

section

https://status.hackthebox.com/

same

and i just found some name of config files

excellent certificate there

pivoting, tunneling and port forwading stuck on icmp tunneling with SOCKS. ./ptunnel-ng: error while loading shared libraries: libcrypto.so.3: cannot open shared object file: No such file or directory This error when ruunning ptunnel on pivot

maintenance ?

Hi

In advanced deserialization skills assessment, im struggling to find the load() function within the app, I know how to exploit it just can't find it, any ideas on how I can go about finding it?

yeah eta 1 hour in the site

i just use the autoroute feature in the newer versions of ligolo

¯_(ツ)_/¯

i don't recall having connection problems ¯_(ツ)_/¯

I hope that for the most part you were working on AEN blind, and only looked into it when you got stuck with some pivoting

it isn't relevant to the situation

just hoping that you're working on it blind, to help further your methodology and test your notes

Is it possible to not SSH into a machine properly?

?

you either succeed or don't in ssh

any tips

can someone tell me the ligolo-ng command to access RDP port (of internal IP 172.16.8.*) on my host

hi, on AD Enumeration & Attacks - Skills Assessment Part I, I can't have a revshell using the webshell I just have "Unable to connect to the remote server" when I try to download the revshell from my python webserver, I also tried to start an smb but it still doesnt work, anyone have an idea ?

hi does anyone have Credential Hunting in Network Shares guide for pentesting module i am really stuck can anyone help

can i dm? its not working for rdp

if you're using a VPN on your host, that can sometimes trip it up as well

learned that the hard way

Hey sorry im new and wanted to ask how to find the path to the htb student mail. does anyone have a clue???

#modules

hey you were muted by the bot automatically 🙂

Yo Bros

whats up @latent garnet

please read #welcome and #rules

Hey! Just checked both channels. Got it — I’ll make sure to follow everything mentioned there. Let me know if there’s anything specific you need me to do. 🙌

If you wanna chat about random stuff, you'd need to follow the three steps of #welcome and identify your account 🙂 other than that, if you have module related questions, this is the place to be

Got it, thanks for the heads-up! I’ll go through the steps in #welcome and get my account identified. Appreciate the help! 😊

@storm elk Hey, how can I get access to chat in the general channel?

I litterally told you buddy

the instructions are in #welcome

3 steps

yeah... i figured that out... i live in a place where slurs are funny

yeah, the bot here doesn't like it

we should have a drink me and the bot

"hey! relax!" (south park reference)

new episode tomo.

back to hacking the exam !!!

good luck

Need help still?

Hello, cannot connect to xfreerdp3 in Password Attacks --> PtT (Linux) after configuring the krb5.conf and proxychains as shown in the module. I get connection certificate auth failure

Nvm despite the certificate failure it takes a bit long to load... With rdp. Why is it always when I write in this chat, I find the solution myself 5 seconds later... ONLY when I type here bro wtf 🙁

could someone help me with a command which is gettign an error

im following along with the junior cyber modules

im on wokring with web services

and im trying to enter this command

put it in a code block @quartz ravine

i cant post it

with

the backticks

sorry where?

like this

select text after typing then there will be something like this <> select it

says content blocked by server

why are you adding square brackets?

says to

https://academy.hackthebox.com/module/18/section/74

tried on my kali vm and it says file unrecognised and on pwnbox it wont even let me do the command

I think its an error to be honest

just do curl -I http://localhost:8080

will post in #1234357888114364508

just said couldnt connect to server

when i type it in kali vm

i get zsh: unknwon file attribute: h

help me the module linux fundamentals

files and directories

i had scanned them but all saying incorrect answer

@storm elk

finished the AD module on the cpts path. I'm not very happy with that module. while the basic methodology was good, there were too many contemporary CVEs from 2014-2021 introduced as bleeding edge, and the focus wasn't well enough on covering the basics. Also the labs were slightly messy requiring information from previous steps etc. I think that module should be cleaned up and partially reimplemented, but that's just me. as a side note I did learn quite a bit.

in windows fundamental module there is a question : What system user has full control over the c:\users directory? and i used the command icacls c:/users and the output was : Everyone:(OI)(CI)(RX) NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) WS01\bob.smith:(OI)(CI)(F) BUILTIN\Users:(OI)(CI)(RX) what is the right answer ?

it seems the entire section on that command isnt correctly done

found more luck removing all brackets and "-I"

so just curl followed by the localhost address

no brackets no -I

the I seemed to be interfering with my kali VM

i'd suggest posting saying to ignore that entire section tbh

unless im missing something.

yh

@storm elk @cunning canopy help me the module first question of linux fundamentals section files and directories

is there no mod

We're not obligated to help you @eternal saffron

ask your question here and someone will help]

I'm trying to complete the section Introduction of Android Application Static Analysis Module. But the button "Install App" doesn't work, what am I doing wrong?

they need to assign

use this grep -R "HTB{" /

where sir

What do i do if for some reason it doesnt let me input the password when connecting to the target?

why do you mean where it should instantly show you the file

after find cmd

you said first question of linux privilege escalation right ?

no sir of find files and directories section

of linux fundamentals

sorry my mistake

Hello, i have the same error like yesterday, i want to send my .zip file (in the xfreepbx session) to my local machine. So i started an temporary smb server authentified by user and password 'test' but my copy file doesn't work... Someone could help me ?

it does allow you to input; linux doesn't show the password field by default

Does 'performance' also include not registering the right answer.

i did not completed this section but it looks pretty simple, there is filters they mentioned if not enough you can search

if you believe an error in the exam environment reach out to website support

i tried them but a got output but ain't matching the answer

I wrote 'Hybrid' as an answer, it refused almost thrice, refreshed the websitea nd turned off caps lock, and it worked again.

did you ssh to the target machine ip that shows up when you click `Click Here To Spawn Target!'?

it helps to know what module and section you're on to sanity check

'Network foundations' module

and the section?

yes i connected

Internet Architecture

Hi, I’m currently working on the “Windows Attacks & Defense” module on HTB Academy.
I’m trying to connect via RDP to [ip] (ACADEMY-WINATTKDEF-WS01) with user "bob" and password "Slavi123", as instructed in the module.
However, I keep getting an “invalid credentials” error when attempting to log in.
The instance is running, I’m connected to the HTB VPN, and the IP address is correct.
Could someone help me figure out what’s going wrong?

if it says connection closed it means i failed with the password ,no?

make sure you don't have any spaces, i'm assuming you already tried Upper and lowercase, refresh the page and try again

didn't know that thank you !

could be that the target died

i tend to use /dynamic-resolution instead of /w /h

but it says that it still has 90 min left

i also throw in /cert:ignore and sometimes (for paranoia sake) +clipboard

i believe you can also pass in an argument to define the keyboard layout

https://github.com/FreeRDP/FreeRDP/wiki/Keyboard

@dusk holly we don't share answers around here, even if the module is t0.

you can try this command
find / -type f -name "*.conf" -newermt 2020-03-03 -size +25k -size -28k 2>/dev/null

yes i typed the exact cmd

reconnect to the spawned 10.129.x.x ip; as a note- Spawn instance is NOT connecting to the target

it give me only one file and it was correct

let me try again

do not give full path

only file name

Spawn instance -> starts the in-browser virtual machine that connects to the vpn, this is notably not the target

if your commandline/terminal starts with htb-ac-[some numbers]@somestring -> you're not ssh into the target, iirc they have you ssh with the username htb-student and some credentials

i need help on the question + 0 Find a way to start a simple HTTP server inside Pwnbox or your local VM using "php". Submit the command that starts the web server on the localhost (127.0.0.1) on port 8080.

You're on the right track. Look at the format.

why is "php -S 127.0.0.1:8080"

not right

please ignore me

it didn't worked i ain't got any output

i am stupid

i found issue as typing it

i've been typing it wrong from the start and ive been looking ofr help for nearly half an hour

im gonna lose my mind.

can i dm you

sure

Installing Apps from Third-Party App Stores requires the Unknown Sources option to be enabled on the device. In Android versions older than 7.1 (Nougat), this can be done by navigating to Settings -> Security -> Unknown sources.

Can anyone please help with the Information Gathering - Web edition, Virtual hosts module please? As you can see in the image, I modify the /etc/hosts file to include the provided domain, then try the gobuster command, verifying that inlanefreight.htb:55969 does indeed work with curl, and that I do have connection with the machine with ping, but for some reason gobuster is unable to connect?

Thank you so much!

can someone help on https://academy.hackthebox.com/module/147/section/1335

i cant seem to get connections or whatever always this error impacket-ntlmrelayx -t http://10.129.28.237/certsrv/certfnsh.asp --adcs -smb2support --template KerberosAuthentication
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[] Protocol Client MSSQL loaded..
[] Protocol Client SMTP loaded..
[] Protocol Client LDAPS loaded..
[] Protocol Client LDAP loaded..
[] Protocol Client DCSYNC loaded..
[] Protocol Client IMAPS loaded..
[] Protocol Client IMAP loaded..
[] Protocol Client RPC loaded..
[] Protocol Client SMB loaded..
[] Protocol Client HTTPS loaded..
[] Protocol Client HTTP loaded..
[] Running in relay mode to single host
[] Setting up SMB Server on port 445
[] Setting up HTTP Server on port 80
[] Setting up WCF Server on port 9389
[] Setting up RAW Server on port 6666
[*] Multirelay disabled

[] Servers started, waiting for connections
[] SMBD-Thread-5 (process_request_thread): Received connection from 10.129.28.237, attacking target http://10.129.28.237
[-] Authenticating against http://10.129.28.237 as INLANEFREIGHT/CA01$ FAILED
[] All targets processed!
[] SMBD-Thread-6 (process_request_thread): Connection from 10.129.28.237 controlled, but there are no more targets left!
[] All targets processed!
[] SMBD-Thread-7 (process_request_thread): Connection from 10.129.28.237 controlled, but there are no more targets left!
[] All targets processed!
[] SMBD-Thread-8 (process_request_thread): Connection from 10.129.28.237 controlled, but there are no more targets left!
[] All targets processed!
[] SMBD-Thread-9 (process_request_thread): Connection from 10.129.28.237 controlled, but there are no more targets left!

can someone just point me is it the correct way even or i should do it from jpinkman credentials and find administrators ones from there

I tried this, but the app doesn't respond when I click on Install App, any alert or nothing

give it a --domain to append

also try resetting the target and adjusting your /etc/hosts file to match

the administrator flag is retrieved with the dc ccache

The appended domain is the domain in -u, I also tried resetting and adjusting the /etc/hosts file before posting here

I just can't figure it out

The syntax looks correct. Can you try reseting the target machine and run the command again?

Yeah I'll try

with newer versions of gobuster you have to also include the --domain, it also just doesn't hurt to be absolutely sure

What is the google API version of this AVD ?

Gotcha, I'll try that as well

Didn't work ._.

Tried with a different machine as well

It's a public address so ya'll could try I guess lol

94.237.49.23:59688

up

i do exact steps as in module but get the same error all the time

try doing it with ffuf and use -H "HOST: FUZZ.inlanefreight.htb"

I also did try that before but got zero results, I'll try it again though

You're using a VPN right?

Tried it with and without

VPN isn't required to access the public ip:port combination

Yeah thank you. Didn't pay attention to the ip.

they'll still need the port after the <IPv4>:port

Running it now

36.0

Try creating a new AVD with lower API version. It should work.

I try it!

@robust ledge careful sharing screenshots

as they may be spoilers

Oh, mb, the reason I was sharing was because there were literally thousands of those results, but I can see why

Yeah that's what I'll do, it just seems weird for there to be so many

Thank you

Thank you again 🙂

Ahh I hate that it translated to that automatically

The smiley

:)

Well it's late for me so ima head out but thank you for the help @cunning canopy @fathom pendant ! See ya guys

Now it worked! Thank you so much!

Hi everyone, i have just captured the first flag on privilege escalation section of getting started module, can someone help me with the second one?

i think to use linpeas.sh on the compromised host, is it correct?

Skills Assessment - File Upload Attacks
I cannot seem to find where the upload directory is, I tried everything; looked at source code including soruce code of scripts, the 2 php files and dirb direcotry busting but cannot figure it out.

look closer at the source code of the upload.php; it directly reveals a location

That one doesn't even have a source code, just instantly says "only something something file allowed" on the page.

think of ways you can leak source code

there are ways detailed in the module

Hello, I have a question for server side attacks, its a general query, when i Inject {{77}} --> 49 means twig template engine, also in same input field i inject {{7'7'}} --> 7777777 which means jinja2 engine tempalte is used, so which one is correct. and more perfect, how to identify.

wrap text in ` so that they don't get markdown messed with

or alternatively, escape the * with a backslash \ so \* for every *

Hello, I have a question for server side attacks, its a general query, when i Inject {{7\7}} --> 49 means twig template engine, also in same input field i inject {{7\ '7'}} --> 7777777 which means jinja2 engine tempalte is used, so which one is correct. and more perfect, how to identify.

If you get 77777777 after you do the ssti command it's jinja

Follow the ssti chart

but i also get 49

so ignore the 49

if getting 777777

If it was twig it would still produce 49

If you've done the twig module try the code for jinja and it should come back as 49

In Jinja, the result will be 7777777, while in Twig, the result will be 49. Im using both the payloads given in module and I'm getting both the answers

Which module is it

Server Side Attacks -> Exploiting Jinja2

I need some assistance in setting up droopescan can some help?

Traceback (most recent call last):
  File "/opt/cpts/attackingCommonApplication/droopscan/droopescan/.droopescan/bin/droopescan", line 3, in <module>
    from dscan import droopescan
  File "/opt/cpts/attackingCommonApplication/droopscan/droopescan/.droopescan/lib/python3.13/site-packages/dscan/droopescan.py", line 4, in <module>                                                                                                      
    from cement.core import backend, foundation, controller, handler
  File "/opt/cpts/attackingCommonApplication/droopscan/droopescan/.droopescan/lib/python3.13/site-packages/cement/core/foundation.py", line 8, in <module>                                                                                                
    from ..core import output, extension, arg, controller, meta, cache, mail
  File "/opt/cpts/attackingCommonApplication/droopscan/droopescan/.droopescan/lib/python3.13/site-packages/cement/core/extension.py", line 8, in <module>                                                                                                 
    from imp import reload  # pragma: no cover
    ^^^^^^^^^^^^^^^^^^^^^^
ModuleNotFoundError: No module named 'imp'

Exploiting Jinja2

module not found means you need to install it when referring to python

I'm getting both the 49 and 7777777 using both the given payloads

pip install imp

@fathom pendant I tried it:

┌──(.droopescan)─(kali㉿kali)-[/opt/cpts/attackingCommonApplication/droopscan/droopescan]
└─$ pip install imp
ERROR: Could not find a version that satisfies the requirement imp (from versions: none)
ERROR: No matching distribution found for imp

If you get 49 and then use the jinja command after. It's jinja if it comes up 7777777

yes after getting 49 i get 7777777, Alright so its Jinja2

Okay 👍

Oopsie

@silver ocean

use importlib instead

droopescan is an old tool; so many things likely changed as well

can you help me how....Im completely clueless

indeed, but since it's in the module im helpless so I have to use it

module: https://academy.hackthebox.com/module/113/section/1095

you'd have to edit the droopescan code

what

idk however if there's a droopescan available in your distribution's repositories

yup

¯_(ツ)_/¯

ask chatgpt to do it tbh

or get an updated version if any

the alternative is using a venv to run it in a downgraded environment

I tried it but no solution

last update to droopescan was 4y ago

oh

do this instead ^

aside from the readme which was last year

its depricated and 3.11 is no longer available

venvs allow you to run downgraded versions of python

you can still run python 3.11 in venv or docker

in venv is better and less complicated

also did you run pip install droopescan or install from source

this is an important distinction

they tried using pip

tried both

to install droopescan, not imp

oh

my bad, sleepy as usual lol

according to the README there's also a docker container https://github.com/SamJoan/droopescan with instructions on how to run it

this version (From pip) is exactly 4 years old today LMAO

python3.11 -m venv myenv is a better option, idk if that's the right syntax but something along those lines

syntax is either that or pyenv or something to run a downgraded interpreter

view the webpage http://ip:port; if you want to know how it's a webpage -- scan with
sudo nmap <ip> -p <port>

Getting started - Privilege escalation
I captured the first flag, can anyone help me with the second one? 🙏

did you already get to u*2 ? if so look around the file system for something hidden

yes i already get to him, but now i dont know how to became root, can linpeas.sh help for this?

linpeas is a nightmare for noobs; it outputs a LOT of useless junk

i suggest just looking around; trying different things

hidden is the keyword here, linux files are 'hidden' if they're prefixed with a . these are also known as dot-files

you can see them if you list all items with ls

How to access htb cloud pro lab cyclone and what's the price

ok got it, the only way the section talks about is to use enumeration scripts like linpeas

cyclone is an enterprise lab, you'd have to reach out to the enterprise team via the website in order to purchase the enterprise seats [min 3 iirc]

so i can run ls when i am in u*2?

why wouldn't you be able to run ls? it's a basic binary

Ok

Price

i'm not staff so i don't have the price on hand

i have run ls but the only file is the file with captured flag

Ok

https://help.hackthebox.com/en/articles/5192346-enterprise-offerings-plans

ls has multiple options you can use to see more things

I run linpeas when everything fails lmao. Otherwise its just

https://tenor.com/bSdk0.gif

ls --help

Thank @fathom pendant

i have tried to use the hint, and it says to use chmode, another thing that get me to think about linpeas

the hint is for after you find a certain file

what is the type of the service of the "dconf.service"

linux fundamentals

you can likely google to discover this; i think it's bugged (and requires an #1234357888114364508 post) that when you look up the Type it's empty. But it's a well known service that has plenty of documented information

so now i ask it in erratum

not asking in #1234357888114364508

posting in #1234357888114364508 means pointing out an error in the module so that it can get fixed

yeah posted

Yall, I lost my tab, how do I do this again? I’m so sorry yall😭

.

i looked into it; for whatever reason systemctl show dconf.service doesn't find the Type for some reason

so i leave it for now

i gave you a hint on how to figure it out without google in your #1234357888114364508 post

but it still should be fixed imho

Wasn't sure which config file needed the default realm specified

oh thank god

the windows machine they have linked on the Windows section is a pain to work with

keep trying to edit my host machine and VM to enable WSL2 but it keeps failing

@wheat silo, try not to spoil things. And as far as kerberos is concerned: krb5.conf is the file

My bad, Thanks

Hello, im currently solving the Skill Assessment from Password Attacks (https://academy.hackthebox.com/module/147/section/1356) and i gained a foothold on the DMZ01, but im unsure what can be my next step. I only have ping to the DC01. I also use linPeas to look for a way to escalate privileges.

Can anyone give a some hint about how to proceed? ill hide the username to avoid any spoiler:

history is a powerful teacher

also: sometimes windows doesn't respond to pings'

Any help In NoSQL Injection SA II?

Ive been taking notes for each section of this module, but im unsure which seection can help me remind how to procee. Im currently trying to enumerate valid domain usernames using kerbrute. Is there any particular section that you could recommend me to take a look at?

Hello. I am new to htb, and attempting to do the active directory fundamentals guided lab part 1. I cant even get through
the first step 😂🤦🏾‍♀️

I am working on the Bypassing Captive Portals module and am stuck on the lab for MAC address spoofing. I did some initial recon and mapped out MAC addresses to IP address mappings for connected clients. Initially I showed no connecting clients, but performed a broadcast deauthentication against the AP to force the clients to reconnect. After building out my list, I have tried spoofing my MAC address to any of the MAC addresses of the clients. After spoofing I updated my IP address to the IP address associated with the MAC address and adding the default route (sudo route add default gw <IP> wlan1) I can no longer connect to the captive portal. I did some monitoring of the network and see lots of dropped packets for the MAC address I am spoofing. The other clients show that their frame counts aren't increasing, so I swapped my spoofed MAC with one of the other MAC addresses with similar results. As soon as I spoof and change my IP I note lots of lost frames and the inability to connect to the captive portal.

I've tried using the automated tool, but that just tries to spoof the MAC address of the AP so doesn't work at all. Any help is appreciated!

introduction to active directory

the guided lab part 1

i started the instance, it's the step of accessing the AD that im struggling with. Im attempting to follow the instructions to to open the ADUC on the MMC, or even the GUI, but im not finding it within the instance. I may just be looking in the wrong place

Yes I spawned that as well

history is useful; searching for patterns is also useful

Howd you get to server manager? I even did a search for it, and nothing came up

I dont have the option to attach media to my message in here. I clicked the + and it only says "use apps". So i cant upload the screenshot i took

Can you help me with the Active Directory Enumeration & Attacks Privileged Access module I cant for the life of me figure it out the question is: What other user in the domain has CanPSRemote rights to a host?

I only get one user that is incorrect

bloodhound is helpful

if you don't find the data initially, running sharphound a second time may yield the info

Is there any way to do it without bloodhound?

yes, but it's a bit more involved, and does utilize PowerView/PowerSploit

Thanks 🙂

is certipy supposed to give vulnerable certificate template to ESC8 on password attacks, pass the certificate module?

No

is there anyone i can dm to ask something about Web Service & API Attacks / Local File Inclusion (LFI)
I already solved it but just wondering why something worked and something didn't

Hey guys, I am having a problem trying to RDP into a target from the pwnbox. It is about AD Administration: Guided Lab Part I. I googled and found 2 posts (reddit and hack the box forum), but neither could provide answeres. Maybe somebody here can help or nudge me into helpful resources. The Problem is that the RDP window is a blackscreen.

This is Academy

Have you tried pressing the enter button?

Where I can ask question about billing

just dm me yo credit card info its no biggy g

😂

Are there any other newcomers to HTBA who have to look up the solutions to almost every single question? 😆
I've started at the lowest of the lowest modules for the basics, but I'm still not even close to how they complete the tasks in Solutions.
Is the idea that I should be understanding how to complete tasks from the course material? Or am I expected to do a lot of research external to HTB?

Im getting off the bus soon. So, I was going to ask anyone if they were able to help me or walk me through the actual commands on the Linux fundemental

shoot me a message and I will be at the place soon it would be reallly helpful

Getting started - Privilege escalation
Hi everyone, i dont really find a way to capture the second flag, can anyone guide me?

Website support

I told you earlier; look for hidden files; root around the file system

i have found the root directory, but i havent the permission

8 hour estimate for Password Attacks module is insane imo

i dont know where to search

Theres a hidden folder in root

Think about the protocol you used to connect

Has anyone had trouble with the Web Archiving part of the information gathering - web edition module? I looked in the forums and found that HTB started as an .eu website, so that helped with the first question, but the second question has me in a chokehold. lol

When I go to find it, it just shows redirects and no actual archived pages.

apparently, I wasn't using the /en. lol! Thank you! It's the little things, huh? 🙂

A question if i use the virtual machine provided by HTB do I have do a procedure where I link it to my own setup?

French ?

https://tenor.com/view/cat-no-nonono-noooo-cat-no-gif-13597132752790194338

Ah okay plus aide me hacker

read #rules and #welcome

are you connected to the vpn

no , I am using PWN box

is the machine on, and its the right IP?

this is the IP correct "Target(s): 10.129.229.244 (ACADEMY-LTMOV-SRV01)" ?

try without grep maybe, your limiting what you see

nothing going on

and this is my user list

I am sorry I did not know

where should I seek assistance then and how ?

got it

Dang now Im having issues, Permission Denied after entering ssh creds into lab machine for Password Attacks (Pass the Ticket (PtT) from Linux) IP is correct, domain added to hosts, password is correct, username is correct, what am i missing ?

I need help in Q3 , windows lateral movement : RDP ? I am spraying passwords is not working ?

Can anyone tell me if I have to download the configuration file to use the virtual machine or can I just spawn it and start attacking or do a whole procedure to do it in my own setup

Hey guys, I could use some help in the knowledge check section of the getting started module. I've gotten into the admin page, and was trying to find a way to execute a reverse shell like previously in the module. The only thing I've found that would work is that admins can edit the html of each page in the portal and update them to go live, but the reverse shell provided in the module doesn't quite work and searching for something that would work online isn't getting the job done either unfortunately. Could someone point me in the direction of some resources that would help me find the html I need to execute the shell?

I did that but it said there was no route to connect

Ok

I wonder if the maintenance window is an issue rn

3 peaople having connection issues at the same time

Ye that is true

I managed to log in so probably luck on my side today 😁

What does it mean when the question says name of the network interface that MTU is set to 1500

Network interface would be something like eth0, wlan0, ens123, etc

MTU is the Maximum Transmission Unit (aka how fast it can send/receieve data per packet)

so it's asking for the network interface that has the MTU value of 1500

breaking down the question into it's core components is useful in answering them. :)

Marcie is there a command to find the network interface i think thats the bit thats confusing me

ip a <-- (this used to be ifconfig, but has been replaced by the ip command suite)

Ty

I did yay

Ir

Ty for the help marcie

iirc the module provides a list of commands and a brief description

i'd first take a look into that list whenever you run into something you don't quite get yet before jumping to the discord.

I looked at the list but I dont think ip a is on the list

ip might be

This was linux fundamental

but also quick google searches can be your friend

"how do I do X in linux" was and still is a generally frequent google query of mine

True I did that but it was saying I should do ip link and the network interface

Problem was that I didn't know the network interface

ip is the underlying command

everything after that is the arguments

some commands follow a simple command some_verb some_options_related_to_verb

where the some_verb always follows the command

there's also the robust man pages

man <command> will typically bring up a manual page that you can scroll through and look for what you may need in the command options

and if you need a quick (usually common) command reference, <command> --help (or -h) will get you in the right direction

can i get a sanity check on literally just logging into the spawned target with given creds https://academy.hackthebox.com/module/147/section/1657

I see ok thank for the help marcie

🙂

should be ssh "david@inlanefreight.htb"@ip

two @s?

yes; the username itself is a literal username

yeah

domain joined linux

ssh "user@domain"@ip/hostname

oh my

I feel so dumb

it's also in the reading :)

subheading: Linux auth via port forward

Thanks Marcie

i wasn't sure so i did a double check

Hello, could you please help me with this:

How may I get the ip??

click the button that says "Click here to spawn target!"

ahhh

ajajajajjajaj my mistake

thanks!

huh? lol

they didn't get banned lol

they got automodded and silenced for 2 hours

oh lol just saw this

because slurs aren't accepted, no matter the context

professional and poignant

idk what poignant means but i heard it before

looked up poignant, thats not the correct word for the phrase..

2 - b

oh i stand corrected then

very nice

Who can help with “Outbound”?😭 It seems like an easy level, but I’m stuck. Can someone give me a hint for the user flag?

poigant is derived from poignard... which means dagger

read and follow #welcome; and ask in #boxes

was training a new kid at work today just graduated already knows how to do some things and has his own tools

i use other peoples tools LOL

this isn't #general

:)

this is sparta

good night my friends.

slowly taking my time with this fundamentals module

Can Eny help me hack my phone

that's not what this server is about even if we believed you on your word that it's your phone

i suggest reading the #rules and #welcome channel of servers you join to learn what they're about

It’s mine I just want to hack screen time

unless you're a child and under strict rules, screen time really doesn't matter

and even then: not what this server is about

Hello

Hey

I'm new and I'm here to learn

This goku is incredible

I miss watching anime

I didn't think this place would be this active. It's very nice.

Hi everyone, I'm trying to complete the Documentation & Reporting module. When doing the Documentation & Reporting Practice Lab questions, I can't for the life of me load the bloodhound files from the parrot box into bloodhound. I tried with bloodhounce-ce from the latest kali version, and on the pwnbox but I get errors on both. If someone is able to help me out that would be great. Is it something with the parrot box's version of bloodhound-python?

I would like to help but I don't know

This isnt #general @rapid skiff ; I suggest reading the #rules and #welcome channels. This server revolves around https://hackthebox.com and its various services

I am very sorry

i also tried pivoting through the parrot box with chisel and ssh -D to run bloodhound-ce-python from kali, but i couldn't send any data with proxychains so idk if thats getting blocked or something

I used the sharphound from the ad enum module and the legacy bloodhound to ingest

Legacy being the non-ce

so u got it on one of the machines and used evil-winrm or something to execute it?

Yep

ok i'll give that a try, thanks

the bloodhound ecosystem is wack

Evil-winrm has an upload/download feature

Nxc also has a collector built in

Do you have a recommended way to have bloodhound-legacy and ce installed on kali at the same time? I guess the answer would be docker or something?

Well ce is docker now

When I say legacy, im referring specifically to the pre-docker ce version

interesting. I have bhce installed without docker/with apt because i heard that the newest kali release ships an updated version. I guess the solution is to just install legacy and have ce in a container.

just curious are you trying to get legacy bloodhound for pre-built queries? cus ce has it too but kind of hidden?

nah I've found the ce pre-built queries. I'm just trying to ingest files generated by bloodhound-python because the provided parrot box doesn't have bloodhound-ce-python

Oh okie.

im in nmap labs in the first lab we have to find a service which we tell abt os or should we get the os in the nmap result

Dm me the ss of the question

Y

Is this the right place to provide small english fixes / recommendations to academy questions?

no, that would be #1234357888114364508

My Academy target (IP: 10.129.17.143) is accepting connections on port 22, but SSH hangs at expecting SSH2_MSG_KEX_ECDH_REPLY. I’ve tried multiple IPs and confirmed my local system is fine. Please check if the instance is broken or overloaded.

hello, i'm trying to pass the skills assessment of WIN lateral movements but i can't find the entry breach; i've tried both rdp,wmi,smb,winrm,ssh but i can't figure out where i'm going wrong or what i'm not seeing. any help?

You can dm me

Have you tried pining that machine?

any idea?

is there anyone i can dm to ask something about Web Service & API Attacks / Local File Inclusion (LFI)
I already solved it but just wondering why something worked and something didn't

@digital pendant Please take care not to spoil content from modules above tier 0

RDP != WinRM

Hard to ask for help isn't it without specifying what is the problem, how would you ask for help so I can understand the protocol

the discrepancy that I mentioned in my comment, is that a bug or a feature? I wasn't talking about RDP there either it was winrm. Remote Management Users group not Remote Desktop Users Group

Anyone who has done the content knows it already and doesn't need an explanation. If you feel like you need to reveal a little more you should ask to take it to DM's.

You can't connect to the file share because it's not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747 Please help me how to solve this problem

Need a DM for this pls.

chat where is the "Check my Work" button mentioned in the section?
https://academy.hackthebox.com/module/306/section/3584

I cant sub to the academy, i have sub on labs already

contact support

Hello, in the Documentation & Reporting module they mention that changing the color for the command and output to be a nice addition. Any ideas on how to do that on Sysreptor?

issue resovled thanks @opal shuttle

hello, i'm trying to pass the skills assessment Q1 of CAPE module WIN lateral movements but i can't find the entry breach; i've tried both rdp,wmi,smb,winrm,ssh but i can't figure out where i'm going wrong or what i'm not seeing. any help?

Morning guys, i have a bit of a problem. So i cant install packages and apps with "apt" its crazy and there are a lot of dependencies that are either being withheld or just not upgraded. is it a me problem or is something wrong with the PWNbox?

Can you send as of the error you are getting

screenshot?

sudo apt install discord
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package discord

can u see this, isnt it meant to fetch all the dependencies for discird and then download?

yes

but you are entering wrong name

that's y

in apt record there is nothing named discord...

download discord from their official site for linux

it will give you .deb file

apt install ./thatdebFile ...chatgpt will help you

Has been asked several times. see here #cpts message

and official sysreptor docs where you will find what you need 🙂

Thanks!

If anybody could help me with the exercise in module 144, section 3079 of academy, I'd really appreciate it

I just can't get the ReconSpider script to run properly

Always fails to crawl anything at inlanefreight.com

Based on a search, others have encountered similar problems it seems

But even their fixes don't work for me

yeah..you need to get manually

there is an error in that thing

try downloading and exploring manually

Alright, thank you

I have been struggling hard with the Androud fundamentals course, but only the model number question at the end. I am sure you all know the one... my laptop usually freezes and crashes when trying to run all of the processes. Please someone just dm me to answer. just the one time. I have had no problems with any other module and, coupled with all of the Reddit threads on this, I feel that not nearly enough info or something is given to solve this one question...

What to do if the input is exactly as you have written and WITH the format provided matching and the solution also saying the same (well answer hidden but underlines the two CVEs expected)

idk what else to do.

written in YYYY-12345

You can dm me

I also faced this problem

thank you have dmd 🙂

resolved ;- was a copy paste issue, typing each number back out worked

Hello,

Module: Broken Authentication
Submodule: Brute-Forcing Password
Question: What is the password of the user 'admin'?

I am trying to generate a wordlist with the following regex command, but I get no password from this list that matches the answer. Can someone give me a help, please?
grep '[[:upper:]]' /usr/share/wordlists/rockyou.txt | grep '[[:lower:]]' | grep '[[:digit:]]' | grep -E '^.{0,12}$'

Then I am sending this command to brute-force:
||ffuf -w wordlis -u http://94.237.50.221:55698/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=admin&password=FUZZ" -fr "Invalid username or password."||

the module is : PASSWORD ATTACKS
Network Services
the command :
netexec winrm 10.129.99.133 -u garbage/network-services/username.list -p garbage/network-services/password.list

and im not getting any op , no error no credentials

Any hints ?

hey would you mind sending the code how you used that? coz i am hella confused

Password attacks
sec : pass the cert
ntlmrelayx doesnt creating dc01 file instead giving a b64 content of certificate

Sup people, is it just me or scanning through pivoting ssh -D and proxychains using nmap on AD machines is giga slow? Password attacks skills assessment

it is slow when you pivot

and use ligolo-ng for pivoting its best

scan estimated time 4 hours 💀

nice ty

the problem is that it hasn't been shown in the module, only the slow version

yup its a bit outdated ig u can watch john hammond's video or i can send u some article to learn it

Tryna complete the shells and payloads module but my AV keeps blocking the payload oneliners, all my notes got destroyed - times are tough rn

i'd appreciate something with a basic setup for this tool

sending the link as its so easy to use

where can i get a list of UAC bypasses in https://github.com/hfiref0x/UACME it seems it isnt there anymore?

"The UACME project maintains a list of UAC bypasses, including information on the affected Windows build number, the technique used,"

I have been struggling hard with the Androud fundamentals course, but only the model number question at the end. I am sure you all know the one... my laptop usually freezes and crashes when trying to run all of the processes. Please someone just dm me to answer. just the one time. I have had no problems with any other module and, coupled with all of the Reddit threads on this, I feel that not nearly enough info or something is given to solve this one question...

I remember the same task was so hard, at the end I managed to solve it. Triple check you're running the correct device, I thought I was but I wasn't

I am.... 🙁

Guys on prompt injection i have successfully banned the CEO on skill assessment, but there is no flag shown.

Guys can help me on Module 307: LLM Output Attacks, Section 3590? Specifically question 2 Im strunggling. Tried to do .html markdown and host it and use a python webserver to host the file for uploading but failing 😐 to get the history chat

Which question the one in which we are asked to do something related to pets ? And ban someone

just wanted to ask a small question, im on bash modules in junior cybersecurity analyst. I'm on the category Arithmetic. I'm a little confused on one of the demos and would appreciate some clarification.

#!/bin/bash

increase=1
decrease=1

echo "Addition: 10 + 10 = $((10 + 10))"
echo "Subtraction: 10 - 10 = $((10 - 10))"
echo "Multiplication: 10 * 10 = $((10 * 10))"
echo "Division: 10 / 10 = $((10 / 10))"
echo "Modulus: 10 % 4 = $((10 % 4))"

((increase++))
echo "Increase Variable: $increase"

((decrease--))
echo "Decrease Variable: $decrease"

it says this, however would i be right by saying i wouldnt need the words, for example:

echo $((10 + 10))

? The assessment says banned CEO and the flag will shown, i make the bot banned the CEO

If you are still stuck, I recommend performing an nmap scan of the target first, then checking out the results.

could someone confirm or deny? were the words just as like an explanantion for them or would i actually have to put the whole thing "echo "Addition: 10 + 10 = $((10 + 10))"" and not just "echo $((10 + 10))"

never mind i get it

brackets just do the mathmatical equation, the sentence before that would be displayed as text

Hello all, i need help

Module: ADCS attacks
Session: esc4
Question: Abuse the ESC4 misconfiguration to impersonate the Administrator account. What is the value of the flag file at C:\Users\molly\Desktop\flag.txt?

My Problem:

İ have Molly NTLM hash but i cant connect server i already try evilw-winrm, xfreerdp3, wmiexec, and i use ccache file but i cant connect how can i fix this

Thank you for help

With this Bash Script:

#!/bin/bash

increase=1
decrease=1

echo "Addition: 10 + 10 = $((10 + 10))"
echo "Subtraction: 10 - 10 = $((10 - 10))"
echo "Multiplication: 10 * 10 = $((10 * 10))"
echo "Division: 10 / 10 = $((10 / 10))"
echo "Modulus: 10 % 4 = $((10 % 4))"

((increase++))
echo "Increase Variable: $increase"

((decrease--))
echo "Decrease Variable: $decrease"

why do i get displayed

Increase Variable: 2
Decrease Variable: 0

is it because the ++ means +1+1 so prints 2, then -- means -1-1 so prints 0?

Hello,
I got a reverse shell in the Editor Machine. But after that, i stucked! There are two users, oliver & root. I stucked finding creds or escalate to oliver.
Anyone give me hint for this ?

guys, I need help

Navigate to the bottom of this section and click on Click here to spawn the target system!
Now, navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Discover". Then, click on the calendar icon, specify "last 15 years", and click on "Apply".
Hunt 1: Create a KQL query to hunt for "Lateral Tool Transfer" to C:\Users\Public. Enter the content of the user.name field in the document that is related to a transferred tool that starts with "r" as your answer.

Just How???

yes, post here https://discord.com/channels/473760315293696010/1401229864647921734

I don't remember it well , anyways, if nobody helps DM me

im doing the skill assessment of shells and payloads module, but when i connect with rdb i cant find any browser to interact with the targets (maybe it is in front of me but i need to sleep)

Has anyone come across an issue with rdp not loading?

Just press enter @teal arrow

I think I remember which part you're talking about. You might be able to run firefox from the terminal on the target

No access bro

Read and follow #welcome

yea it worked lol

i need to stop using gui fr

HAHAHAAHAHA

Yeah I had the same issue doing that one

Thanks! I'm noob, lol.

All good

Does anyone know why creds that work with netexec are giving me an error when trying to view a share with smbclient, I copy-pasted the password into the prompt and keep getting the error session setup failed: NT_STATUS_LOGON_FAILURE

module:shells and payload module
submodule:the live engagement section
it seem that i cannot find a browser to access the tomcat server(ip address of first host) and add the credential to look what is inside the website. i have enumerate the host. can i get a hint please.

on first host

did you try port scan? on the foorthold machine?

i rdp into the foothold machine and started enumeration for host 1. i have not done on that for foothold machine

Might need to add a domain during auth process.

i got the answer in forum thank you

Module: Broken Authentication
Submodule: Authentication Bypass via Parameter Modification

I sent the request to intruder and I tested from 1 to 200 but I dont get en id that has admin privileges

Some have more ideas to test?

Hi everyone, searchsploit is for vulnerability or exploits research?

Yeah it can help with finding metasploit modules and other scripts that might work based on the service and version you're searching for

You can also use google and a lot of those results will be on exploit-db as well

ok but theorycally i have to find vulnerabilities on google and the exploit them using metasploit?

With searchsploit and exploit db the scripts that are there aren't always .rb files which is what metasploit takes. If you find one but don't see it in msfconsole you can import it manually or update the database. But sometimes you might just have to read the scripts that come up because they're a proof of concept and might not work in your instance.

when i run search exploit command on metasploit, have i to pass to it the name of vulnerability or the name of the exploit i have found in internet for istance?

hello
RDP and SOCKS Tunneling with SocksOverRDP

on this can i do the pivoting using ligolo

you can either look up by the vulnerability, or the exact module if you already know it. There's a lot of options to refine your search that the metasploit framework module covers

on the example in the dedicated section there is search exploit eternalblue, is this a vulnerability or something else?

nmap module - service enumeration, I have the flag but its not working

eternalblue is an exploit, so there's a module in msfconsole that you can use with search eternalblue

ok so i can search for vulnerabilities or exploits when i run search exploit on metasploit?

"Once we have Metasploit running, we can search for our target application with the search exploit command. For example, we can search for the SMB vulnerability we identified previously: msf6 > search exploit eternalblue" this is the text about that command, it says that eternalblue is a vulnerability

Hello! Module: Windows Lateral Movement - Skills Assessment Q1: i can have any hit!!! 😭

nmap

Yeah eternalblue is an smb vulnerability that the module in msfconsole exploits, sorry if I misunderstood your question

dont worry, so in metasploit i go to search the vulnerability and it gives me the module to exploit that vulnerability?

Yeah so if you type search exploit eternalblue it will return any module that exploits that vulnerability. There are usually more than one

perfect, thank you

no problem

you can dm me

its alright I managed to find it. There were 2 flags, I just happened to find the wrong flag out of the two

RDP no standard port but i cant Connect; ssh no have my know host and i cant Connect. Smb can read ipc$ but no interessant file… probaly i can Connect in rdp but my command wrong

No other ports identified?

I'd enumerate all of them. I also deleted that because spoiler tags do nothing and that content is over Tier 0.

try with nmap -sU if not done yet

Hey some help grasping this concept:
When using an LDAP filter this comes userAccountControl:1.2.840.113556.1.4.803:=32
How are LDAP OID's relative to UserAccountControl flags? I'm seeing the list for both but I'm not seeing the correlation.

which module/section are you reffering to?

Active Directory Enumeration Attacks - Living off the land

What was the command? and what was it for?

anyone solved this module ? https://academy.hackthebox.com/module/147/section/1335 i cant get the relay attack to work it fails due to library or whatver

File "/usr/lib/python3.13/threading.py", line 1043, in _bootstrap_inner
self.run()
~~~~~~~~^^
File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py", line 42, in run
ADCSAttack._run(self)
~~~~~~~~~~~~~~~^^^^^^
File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 61, in _run
response = self.client.getresponse()
File "/usr/lib/python3.13/http/client.py", line 1430, in getresponse
response.begin()
~~~~~~~~~~~~~~^^
File "/usr/lib/python3.13/http/client.py", line 331, in begin
version, status, reason = self._read_status()
~~~~~~~~~~~~~~~~~^^
File "/usr/lib/python3.13/http/client.py", line 292, in _read_status
line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^
File "/usr/lib/python3.13/socket.py", line 719, in readinto
return self._sock.recv_into(b)
~~~~~~~~~~~~~~~~~~~~^^^
ConnectionResetError: [Errno 104] Connection reset by peer

@plain charm

pls remove this...dont spoil content above tier 0

i hope ||NimExec|| can be good friend...

hello
RDP and SOCKS Tunneling with SocksOverRDP

on this can i do the pivoting using ligolo

you can DM

Yes. if you are comfortable with the tool

can anyone help me with 'Bypassing Other Blacklisted Characters' and the question: Use what you learned in this section to find name of the user in the '/home' folder. What user did you find?. its been kicking my arse for weeks

yeah solved all with this tool but in this sction it was not working tried a lot resatring and other way

Hm. I remember doing with the SocksOverRDP tool. didn't faced any issues

I wasn't aware of the ligolo-ng and finished the module with the mentioned tools. was painful though.

for some reason when i use burp and i set the proxy in firefox, i then go to the target ip address but the page doesnt load. i am using the HTB academy vpn

can someone help with question 5 on Windows Privilege Escalation - Pillaging? I got the latest SAM SECURITY and SYSTEM files but secretsdump.py is giving me an error when I try to extract the hashes from them

Its best practice but be mindful of that -sU scans take the longest time. can use other tools like rustscan for speed if you like

What errors? what did you tried?

retrying now to pull the exact error message. I tried both samdump and secretsdump.py

if didn't solved, try with impacket-secretsdump

or pull the latest version from github

Maybe changing VPN server region might solve? I also faced it with burp, without any VPN. So, switched to Caido

its working now - last night it just kept giving me an error about -1 or something similar. Resetting the boxes probably resolved it. Thanks for the help but so frustrating

The answer is always "blow on the cartridge and reboot" 🤣

i have changed the region and still getting the same problem. i have checked the proxy and reimported the certificate. i used the curl command to the webpage and that works but the page doesnt load. however, burp does see the get request from firefox

well, sometimes, as you will see in next modules, this answer will also not enough to move ahead. but glad u solved it

anyone solved this ? https://academy.hackthebox.com/module/147/section/1335

you called it... is xfreerdp not working for anyone else?

[11:48:28:600] [7139:7140] [INFO][com.freerdp.crypto] - creating directory [/home/htb-ac-79581/.config/freerdp/certs]
[11:48:28:600] [7139:7140] [INFO][com.freerdp.crypto] - created directory [/home/htb-ac-79581/.config/freerdp/server]
[11:48:28:610] [7139:7140] [ERROR][com.freerdp.core] - transport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]

TLS issues are connected with VPN. try with a UDP VPN

adding /cert:ignore /dynamic-resolution /log-level:DEBUG did not work either.

I'm using the parrotbox

always best to include the module and section you're on.

module is Windows Privilege Escalation - Windows Server

what's the command you used

i'm guessing you didn't wrap the password in quotes or something

Hi guys

I need a help who can

What do you need help with?

Can anyone help me with the Abusing HTTP Misconfigurations hard skills assessment? I can't make the admin trigger my XSS payload..I suppose that the issue might be related to the Host header, but I am struggling to find a solution..

you can DM me

With what?

@median warren Please take care to not post content from modules above tier 0

If it's module related, just post it here

Active Directory Enumeration - Kerberos from Linux
Question: Retrieve the TGS ticket for the SAPService account. Crack the ticket offline and submit the password as your answer.
After I log in to through ssh
I seem to be needing some kind of password to execute:
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend (Provided in the module)

Can I get a little nudge as to where to find these credentials.

Gotcha, genuine question though, why would it not be mentioned in the section, is there something that I need to run in order to obtain them? Or was the purpose to reference the old section? I was thinking maybe I overlooked something.

thanks!

when i run dirtypip exploit i got this error

./exploit-1: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by ./exploit-1)

AEN last box last flag

MGMT01 hostname

did you compile the exploit on the target or imported the compiled binary to the target machine?

compiling the binary IN the target may resolve the conflicting library version. happened with me though

i compiled in my machin

gotcha. that must be the case

compile the binary in VICTIM and execute there should solve

i will try it thanks

Anyone recognize this error, the hash won't print:
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

it works thanks alot @plain charm

ntpdate can change the time sync with the DC

hey guys im working on shell and payloads module in cpts path, and for the question asking version of powershell by using $Psversiontable under the section Anatomy of the shell, for some reason it keeps saying the version is wrong, although its the correct one listed using the cmd.

can someone help me with this or am i missing something?

I didnt even notice he wanted the edition not the version

💔 oh well, thanks 🙏

reading takes another victim 🥀 (many people misread the question, it's ok, it's a very common mistake)

Hello, im currently doing the skill assessment from the module Passwords Attacks, but i need some help. I dont want to write spoiler so i can say that i found some credentials from a Safe Database. But im unsure on how to proceed with this account since i dont have connection to the DC01 from my attackbox even when im using proxychains and it worked great to get the prevoiusly mentioned crdentials.

pivot

i used ligolo-ng as my pivoting tool of choice, but the underlying commands should still work no matter the pivot

Anyone experiencing some issues? My lab has been spawning for 5 minutes

please confront your husband, would genuinely give you a better outcome, and you cant request illegal stuff here

@fathom pendant

This isn’t hacker for hire

next time ping the serious rule break role

gotcha

Hello everyone, I have been working on the Logrotate reverse shell for the last few hours. I have found the writeable log, copied over and complied logrotten and it just sits there. I dont get anything on my nc. what could I be doing wrong? Ive even forced a log to be written

hello. someone to help . SQLMAp essential module . Flag8 and flag 10 !!

What exactly

why does these things always work after I post my question?! lol

The power of the mind , its a cannon event for every tech student 💔 🥀

back at it now and still getting the same error:

[15:04:22:191] [7800:7801] [ERROR][com.freerdp.core] - transport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]```

didn't even get the chance to enter the password so (no) quotes isnt the issue

use /sec:tls

my command xfreerdp /u:htb-student /p:'HTB_@cademy_stdnt!' /v:$ip /d:inlanefreight /dynamic-resolution /drive:/home/saulgoodman/htb/,share /bpp:8 /compression -themes -wallpaper /clipboard /audio-mode:0 /auto-reconnect -glyph-cache /sec:tls

You probably don't need the audio, themes,and wallpaper options

working when I use rdesktop -u htb-student -p HTB_@cademy_stdnt! 10.129.85.56:3389 so I believe the old version of windows I'm trying to connect to in the module has compatibility issues

appreciate the help!

rdesktop is depricated but still works

use /cert:ignore

this should be okay

also use xfreerdp

/cert:ignore didn't work with xfreerdp

no way..

nor did tls-seclevel:0

one sec

try /sec:tls

in the Windows Privilege Escalation - Windows Server module

xfreerdp /v:[ip_address] /u:[username] /p:[password] /cert:ignore

you did type like this?
it doesnt matter the module.. the command remains the same

check man for cert ignore..in xfreerdp
that could also be of some help..since it could also mean that the syntax might have changed.

exactly like that

didnt work

did you do a sudo?

^^

did /sec:tls work?

sudo isn't required for xfreerdp

also no - same error

weird

will just use rdesktop to finish this module out. Sometimes the VMs don't cooperate with me 🙁

try restarting the machine..

should work with any of the above commands

i mean the windows

I am into thick client pentesting...how do I modify .class code?

xfeerdp /u:htb-student /p:HTB_@cademy_stdnt! /v:10.129.151.78 /cert:ignore
this is what i use and it works..

same here

thought you were asking about a live pentest lol

Is there a reason the academy targets go down every minute for like 3 minutes? It's almost impossible to complete with this lag.

no no it was for a module.... do you have any idea?
https://academy.hackthebox.com/module/113/section/2164

hi, im currently doing the junior cybersecurity analyst modules. MY end goal is to be a pentester. Would going onto the penetration tester modules after this be okay? Or jumping too fast. Also would doing boxes be good thing to start doing or should I gain more knowledge first? Thanks.

Sorry, I deleted my posts and I do not unfortunately.

relax..its alright

not a big deal

would say u dont need to do blue team first if u want to be a pentester just hop on the pentester path ig

Look up the walkthrough for the retired insane machine "fatty"

yes, i guess CBBH or CPTS is very well aligned with your goals..
while you're at it you'd would be forced to learn a lot of stuff..

Change vpn regions

so do junior cyber then go onto pen tester? do boxes on the side too?

okay cool, do boxes too yeah?

This isn't the server for that

once you're done with path then sure..but before that, maybe just stick to the path itself

@hoary cloud not what the server is about

cpts job role path has like 60% of the stuff thath is in bugbounty path, so i would stick with it if i were u, everything is said from 0 to hero

so do jr cybersecurity path, then do pentester path and boxes?

u will have decent fundamentals to go to boxes after that

Nothing , just I want a group of some people to leran

idk what is in new cert path so cannot tell but from what i have heard it is a fundamental to select between blue or red if im not mistaken

Tried with 3 other VPN's. This is very discouraging and frankly next to impossible to complete. I'm spending way more time waiting for target to receive a ping than actually working

Well this server is dedicated to learning hacking in a legal fashion, no need for illegal WhatsApp conversations

Reach out to support then

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

All else fails. Try using the in-browser vm

hacking fb account vibes ^^

It's a fundamental 'purple' cert, #cjca has a link pinned to the cert page that details the expectations

That's whoe I mean, but in WhatsApp, now forget that's

Well theres no official HTB WhatsApp groups. So we don't have links for them

Okey , thanks

but is doing the jr cybersec analyst then doing pen tester path okay?

im doijg the first path for fundamental knowledge

If you still want to learn ethical (legal) hacking; you can sign up for an HTB account and look into https://academy.hackthebox.com, theres plenty of free modules to teach you the basics

Hi, I am currently working on AEN Lateral Movement & Privilege Escalation Post-Exploitation.

I am using ligolo to pivot and whenever I create a double pivot so that I can connect to the next target, DC01 keeps crashing.

Ohhokay thank you

everything's okay whe u r learning and from what Marcie said I guess doing it in this manner is a good idea since u will know what suit u most

go for intro to cyber security too then

Manually route with /24 instead of autoroute with /23

after that either CPTS or CBBH

but for sure would do cpts first path not cbbh

To clarify:
CBBH -> web and bug bounty, system exploitation is generally out of scope
CPTS -> Penetration Testing, generally focusing on Windows and basic AD

They're independent of each other, really

The web modules are just coincidental, not really a measure of the differences

Penetration testing , you mean web and networks , system ?

well done both, cpts first and it was like 60% cbbh completed, so there were just a bit more web vulns and like technical/reports manner for bb

Penetration testing is typically system/networks

so i would say cpts path is just wider scope

Web isnt the main focus of cpts

and cbbh traets as u said about webpart

thats what im saying

It all depends on what the individual is more interested in

Ethical hacker must know penetration testing and bug bounty ?

bro 😄

Must is a heavy word here.

Hahaha just a beigenner