HTB site down for me

u means server is down? but mine is okay since 10am till now..

hackthebox.com is down for me now

AD Enumeration & Attacks - Skills Assessment Part II
--> Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.

is it normal that i get no results while using
||sudo crackmapexec smb 172.16.7.50 -u A... -p w*** --users||
i get no users or anything at all, just confirming im logging with the right credentials, used kerbrute and got users but nothing was useful

restart your computer

site is working fine for me

hey everybody! i have a question concerning the Advanced deserialization module

because of reasons i had to change laptop and i have some problems while adding breakpoints in dnspy

is somebody able to give me some advice?

worked lol maybe something wrong with my DNS

guys how do i gain user flag in soulmate

its been 7 days and i haven't been able to get even user flag

at this point its discouraging

NVM , it looks like executing Enable-IISAssemblyDebugging for 20 times while been angry has worked

Understanding Log Sources & Investigating with Splunk / Using Splunk Applications

Sysmon App for Splunk doesn't exist in the target machine.

Needed to Log in to Splunk Enterprise and Download it myself

qwer1234

i am back again everybody! can anybody help me with the advanced deserialization module?

Hey

Why I can't speak in modules?

I want to ask something

This is modules

hey did you figure this out? can't seem to run commands through SharpNoPSExec either...

i mean general

why i can't speak in general

Read #rules and follow the instructions in #welcome

i'm leaving

Then leave, no need for that

👋

hello in the Active Directory Enumeration & Attacks on the Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux section

i can't crack the hash of the user in the question #1

I want WiFi penetration testing and network basics lessons in PDF format

@frank bloom - there's modules in academy

no need to cross post

try passing the hash

The flag is the clear text password xD

lmao

there should be something they should have mentioned in the module

read that seciton carefully

try using john

You shouldn't have any issue cracking this hash with the wordlist you are using.

yeah i am also thinking the same

maybe hashtype is wrong

This module is over Tier 0, so I am deleting your screenshot. You can ask your question and for sharing specifics, take it to DMs when someone agrees to take it to DMs.

I'm deleting your screenshot as this content is above Tier 0.

you can dm me

I think that the problem is my wordlist 😂

rockyou.txt works fine brother

that's not the problem

Ok, if you are still unable to get it working you can DM.

how you doing man...long time no see

Has anyone else had trouble with getting WSUS to work in the Windows Lateral Movement skills assessment? ||I can get a shell when from SUPPORT when I force it to check for updates but nothing happens when I let it sit, the gui shows that the update will be at 100% but nothing gets executed it seems||

I need help learning OSINT for a specific project task can anyone please dm me if they can help or know someone who can help me.

I'm doing the footprinting medium lab and I found the NFS server, but I get a permission denied error when I try to cd into the mounted folder. Any idea why that is? I can't even change permissions with sudo chmod

Not sure exactly what you are talking about, but you can DM if you are still unable to progress.

Anyone had issues with the "Attacking AI - Application and System" module and specifically the challenge for section "Rogue actions" ?

just swap to root user using su

Thanks, that helped!

https://academy.hackthebox.com/module/87/section/901
https://academy.hackthebox.com/module/87/section/904

Is this a must?

To follow? not really, to know, definitely.

For me who is in the "Setting up" module... to follow/download it isnt necessary, right?

Just follow along for the VM & Tools part of that module really.

Alright, got it

Thank you for the help

I don't think that's what this channel is for. This is for asking questions related to specific HTB modules. Also, pinging everyone is not the way to get your question answered.

w h a t

just where is that server

tell me

no one knows and even if they do they won't tell you, i suggest to stop bothering everyone for nothing

lol

Is there someone that have finished the module "Attacking AI - Application and System" i need a bit of assistance on one of the sections if possible

Hey guys did any one solve dusty Alles challenge I'm stuck on the part where is the key

Guys

Is there a way to get free modules?

All Tier 0 modules are free. Activation costs 10 cubes, but you will receive 10 cubes back upon completion of the module.

Hi, I have a big issue solving the Prompt Injection Attacks Skill Assessment. Nothing seems to work within the chat. I was able to get the system leak the admin key and could login into the admin pannel (where there is just a report of the chatbot that analyzed the chats). But to get the CEOs out deleted or banned wont work. I cant find hints to it or something. Can the flag be archieved to the chatbot or do i need to attack another part?

@cunning canopy thx

hello guys, anyone here can help me with Windows Privilege Escalation Citrix Breakout?

I have found the flag using paint dialog box, but i am not able to see my share from my attack box, like how htb shows me to do.

any ideas?

Hey i cant connect to #general

I'm trying to enumerate a host name but I don't understand which nmap option I need to find out the host name

Read and follow #welcome

Oh thanks

Module: Windows Lateral Movement
Section: Skills Assessment
Question: What is the password for VNC?

I used the user || rossy to create a malicious update to add myself to the administrators group ||, I was able to force that on the || SUPPORT ||, but the || BACKUP || device seems to be unreachable.
The || WSUS || shows that it did not report status back in a long time.
I'm stuck and have no idea what should I do.
I already have an admin account on SUPPORT but have no idea how to go from there.

Hello, i'm stuck in the Session Hijacking module, it's said that my url is invalid but it's working in firefox ...
Can someone come DM pls §

yo

Hello i am doing hackthebox Login brute force skills assessment 2 and it is kinda strange, i dont understand what to bruteforce with the skills assessment 1 username i mean it asks the username of ftp and how do i use last username that i got for that can anyone help?'

Try it from the WSUS host.

Does the weekly streak have any rewards? I have a 17 week streak and don't know what is the point of it

try what? pinging the || BACKUP || machine?

You can shoot me a DM

i would guess the latter

oh sorry i did not see this message

okay thanks delete it i am doing it rn if i have some problems i will dm you

I sent someone a dm today to ask something, but I forgot the question. Two minutes later, he mentioned my name in the channel… I felt so shy. Now I’m scared to dm anyone again.

Hola Amigos,

I'm trying to understand the Pivoting & Tunneling module but there is this PROXYCHAINS which always causing the problems for every chapter.
I can't nmap, ping etc... even after following step by step process. I tried sudo, but it still doesn't solve the problem. Am i missing something from basics...? I don't know.
Please help me(DM is also appreciated)

You can DM what you are trying, along with the output.

don't be shy asking questions is important part of learning

worth mentioning #rules does say don't DM anyone without prior permission, but yeah asking questions in the relevant channel is encouraged

I'm in the same boat .. stuck with Rogue actions & Model Deployment Tampering ...
Been working on the Skills Assessment but also stuck, found platform and password but no flag yet

I'm stuck at Rogue actions .. cannot get to the the admin portal

Same ... did you find the solution?

I'm also stuck at that part

Did you find a solution?

Me too, did you find a solution?

Is anyone available to answer a question about the Skills Assessment of the Attacking AI - Application and System module? I found an LFI - but cant find a flag location + a possible SQL injection (which always crashes the server) and am therefore stuck. - Is there someone that can give me a nudge please?

I am also stuck, found the platform (rootlocker.htb) and password but that was not flag related...

In module web proxies skills assessment, I dont get the flag taking out the disabled

No inside the XSS module, the session hijacking, i have this issue

Any tutorial about how to configure HTB's OpenVPN on OPNsense so I can share the connection with multiple virtual machines?
Is that good to post it here? I can't post anywhere else since I have no permission

Hi I have a question about this module Academy: Attacking Common Services | Attacking DNS
i found some subdomain with gobuster but the one i need doesn't seems to be found . i know in the module they talk about subbrute but is it possible to find it without subbrute ?

i reiterate my question because i'm still stuck on the session hijacking from the XSS module and i can't get the flag even if it'sworking from my browser

Well same as everyone i guess "Rogue Actions"...

Session Hijacking or Phishing section? Cause that looks like the phishing section

Yes try with metasploit

Is the new module red or blue team

Hello everyone

Script kiddie Wsp

@fathom pendant Hey quick question, during the exam with the document is the "report date" when you started the report? or when it ends?

not staff; follow the sample reports given

Okay

where can i check for that?

i believe sysreptor allows for a start - end date for the assessment

theres a pentest start and end but theres a report date

umm... guys im confused does skills assessments medium level on attacking common application modules supposed to be this easy??? i just finished it like in 2 steps which is ironic because i spent hours on the easy level

it means u understood it

aint no way im that smart 😭

Anyone able to help with **Exploitation of PDF Generation Vulnerabilities
**. Please pm

for the dns one attacking DNS did you use subbrute ? i'm not talking in those skill assessments since i'm only at the DNS part

Hi peeps, I'm doing the Footprinting section, and I'm stuck on the last question in the DNS module. What is the FQDN of the host where the last octet ends with "x.x.x.203"? I've been stuck on this for 3 days. I ran the command for sub in $(cat /usr/share/seclists/Discovery/DNS/combined_subdomains.txt);do dig $sub.inlanefreight.htb @10.129.1.80 | grep -v ';|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done but all I get are 3 zones, and they all point to the local 127.0.0.1 and not the IP address ending with .203. Can someone please be kind, and give me a hint that actually helps? The forum on this was not helpful at all.

subdomains of subdomains

is it better to use bloodhound ce or bloodhound legacy

Was able to get the flag for **Exploitation of PDF Generation Vulnerabilities
**
But want to know initially why I kept getting errors, way around that was just going straight to the target, without spoiling too much. If anyone can dm, would be highly appreciated.

Anyone know the indented path for the WIndows lateral Movement SA. I finished it but I dont think the path taken was indented one. DM if you have input.

@void valley please try not to reveal module content. but also try a more fierce wordlist, the i* subdomain isn't the only one you can dig through. But a tool in the module can do the work for you

@void valley the spoiler tags don't work too well. But i gave you a hint to the proper wordlist

if you're gonna use spoiler tags; still redact information

i guess i do really need to use subbrute. for the DNS seems to be the only one that give the one needed

API Attacks
Broken Authentication
Exploit another Broken Authentication vulnerability to gain unauthorized access to the customer with the email 'MasonJenkins@ymail.com'. Retrieve their payment options data and submit the flag.

||I think the logic is that I have to try to figure out the correct OTP and set a new password, which I tried with:
ffuf -w /opt/useful/seclists/Passwords/xato-net-10-million-passwords-10000.txt:PASS -w customerEmails.txt:EMAIL -u http://94.237.57.1:50993/api/v1/authentication/customers/passwords/resets -X POST -H "Content-Type: application/json" -d '{"Email": "EMAIL", "OTP": "PASS", "NewPassword":"supersafe1234"}' -t 100 -fs 23||

i do not gain any results, so is my logic right, but the command is still wrong, or is also my logic wrog?

where is the FUZZ placeholder for ffuf?

EMAIL and PASS

like in the provided command from the module:
@htb[/htb]$ ffuf -w /opt/useful/seclists/Passwords/xato-net-10-million-passwords-10000.txt:PASS -w customerEmails.txt:EMAIL -u http://94.237.59.63:31874/api/v1/authentication/customers/sign-in -X POST -H "Content-Type: application/json" -d '{"Email": "EMAIL", "Password": "PASS"}' -fr "Invalid Credentials" -t 100

Probably just change it with FUZZ, but the question is already giving you an email so no need to FUZZ for that.

well the OTP you're passing through is from a password list... not an OTP list

i.e. 0000 -> 9999

ah, alright. tried now also with rockyou, but than i am looking for an otp list

thanks 🙂

makes sense

Hi guys

Why locked this module ??

no clue there @quartz ridge - are you on a plan? or do you buy modules with cubes?

I was buy bug bounty hunter path

With cubes

And I solved 2 modules

You need to have 100 cubes in your account to unlock the module

Next step is close like that

Then yes, its normal that its locked. If you use cubes, you will have to buy each module separately

Try looking into a plan as thats mostly more cost effective

Okay I know . Thank you for replying

Sorry, I'm doing the "Using Splunk Applications" and have followed every single step right so far. However with the question: Fix the search associated with the "Net - net view" report and provide the complete executed command as your answer. Answer format: net view /Domain:_.local. Well, I've reached the command part but there are no domains or anything like that. Can u guys tell me what my problem is?

I am new at hack the box, from where should I should, please help me, Friends

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

The 'Index' is missing, I guess ? Like index=* for example ?

Are there multiple ways to get foothold in AEN or just one?

I'm in blind just wondering, please no spoiler 😄

I also want to know this

I'm doing the nmap pattern and there's a query that tells me to enumerate the host name and I can't find the name

I tried DNS resolution but it doesn't say anything in the output.

Why can’t i chat in general

Read #rules and follow the instructions in #welcome

Hey guys currently tryna solve the AEN lab needed help with an IDOR vuln on the careers subdomain but stuck on what to do next. Any tips on exploiting the profile ID parameter?

i mean the idor worked by chaning the "id=9" param by creating other accounts yet i cant find the flag nor do i know what im doing wrong

hi guys, can you help me for this challenge "Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer." im stuck in here, if you can give me a clue or another step?

You can DM.

Try to identify the source for bypassing FW/IDS.

Did u find a solution?

I don’t know anymore hahah

I search this channel, and I found this:

.

And it run

In Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux I'm trying to run the first command displayed:

GetUserSPNs.py -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley

but I'm always getting [-] [Errno 113] No route to host ? What am I missing here

tried fiddling with the /etc/resolv.conf (which comes later in the section) to no avail

Are you running this from the provided attack box or your own VM?

Oh yeah ofc from the provided linux attack host htb-student@ea-attack01. should have specified that

interfaces look correct to me

Have you reset the target?

not yet. this would have been my last resort

Since you are SSH'd into the attack host, you shouldn't have any issues with a route, so I would simply reset the target and after it spawns give it a couple of minutes before you access the attack host, just to make sure things are finished configuring within the environment.

If that doesn't fix it, you can DM.

Yep, but not very straightforward. You can search for messages from me on this channel.

Hello, im stuck in the "filter contents" part with the question:
  Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths (https://www.inlanefreight.com/directory" or "/another/directory") of that domain. Submit the number of these paths as the answer.
I have first tried to get the source code with curl https://www.inlanefreight.com > source-code.txt , but I get the error:
curl: (28) Failed to connect to www.inlanefreight.com port 443 after 133767 ms: Couldn't connect to server

yes, i think

yeah i tried a few way without subbrute and yeah it is the only one that was giving the one needed .thank you

Hi, this answer comes a little late, but I found the issue. They released version 2.0.0 which does not find the Header. Use the previous Version of WCVS: 1.43 It's even called "Header Poisoning Bug Fix" lol. Seems like they pulled a previous bug back into the current version.
https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner/releases/tag/1.4.3

#modules message

ok thank you

anyone complete or working on the wifi attack module? im stuck on the last mask question attaack. apparently its gonna take me 3 years to crack the wpa hash.....help

nvm figured it out

hey ! i cannot write in the general field.. anyone know why ?

Read and follow #welcome

can i dm you for further questions?

Sure

can someone help me with the report sample of inlanefreight.local at the module "Documentation and Reporting"?

I tried to download and extract the content of the zip folder but both the files keep getting the same error message: 0x80004005

that error is just a generic "Access Denied" error, iirc the archive is password protected

so how should I proceed? It doesn't ask for a password or anything, it just don't get extracted out of the zip file

It is as marcie says, its password encrypted. Look at the first page of reporting module the password is in the text. I didn't see it first time either

It wont ask for password with zip on windows, use 7zip instead. Password prompt then

That's the problem then, I'll try 7zip instead, thank you

At least it never did for me! Maybe we have something disabled

https://learn.microsoft.com/en-us/answers/questions/4139006/password-requiring-dialogue-doesnt-appear-when-ope

Looks more like the source of how it was encrypted is not readable by the windows zip utility.

<@&861185840277487616> probably not a serious one but not worth the spam

@red fossil this isn't the server for that

In the malware analysis module, skill assessment, I am trying to match the address of an arbitrary instruction from IDA to x64dbg but I always get a mismatch. According to the debugging session, I am expected to do that. What is going on?

I'm currently re-reading the Login Brute Forcing module, and realized that I don't really understand how Content-Length in the http header is dealt with when using Hydra and Medusa.
Honestly I don't recall ever really messing with this (meaning I wouldn't manually include it in the command, it is however included in some of the examples), but it doesn't look like it gets dynamically adjusted, does it? Wouldn't that mess with the request if there's a mismatch or the parameter is missing?

You don't have to add it for either, but as far as I understand you can

hello

Thanks, yeah, that's kind of where my question came from. Neither have I ever bothered.
But isn't that parameter required for a proper request?

I'd think the server might reject it with "malformed" etc. otherwise...or trunk the data sent if the announced length is too short.
I guess I'm wondering if Hydra or Medusa calculate it dynamically somehow...or if the target servers are configured in a way that they ignore it

Why not play around with it to figure things out or just use an Internet search? This is from content over Tier 0 so I am going to delete this screenshot. If you are still truly lost after just messing with it or using an Internet search, you can DM.

Attacking Enterprise Networks Post-Exploitation
After running sudo ip route add 172.16.9.0/24 dev ligolo
and tunneling on proxy, I was not able to ping 172.16.9.25 on my machine while I am able to ping 172.16.8.120 on my machine (sudo ip route add 172.16.8.0/24 dev ligolo)

what kind of server is this and what is hack the box

info can be found in #faq and #welcome @normal vigil

ty

Hi, can somebody give me a hand with parameter logic bugs SA, if somebody can just give me a hint or something im stuck

Hi all!

I'm working on the question for Attacking common services -> Attacking DNS (https://academy.hackthebox.com/module/116/section/1512)

My /etc/hosts and resolvers.txt looks like this:

 ~/Desktop/commonattacks/subbrute  master !1 ?2  cat /etc/hosts                                                                          ✔  14:26:04 
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
10.129.75.19 inlanefreight.htb
10.129.75.19 ns1.inlanefreight.htb

 ~/Desktop/commonattacks/subbrute  master !1 ?2  cat resolvers.txt                                                                       ✔  14:26:07 
10.129.75.19
ns1.inlanefreight.htb

Then, running subbrute does not yield results, though it returns a number of errors, which are supposed to be fixed by adding the STMIP to /etc/hosts and resolvers.txt.

./subbrute.py http://inlanefreight.htb -s /usr/share/seclists/Discovery/DNS/namelist.txt -r resolvers.txt
/home/kali/Desktop/commonattacks/subbrute/./subbrute.py:462: SyntaxWarning: invalid escape sequence '\.'
  permute_filter = re.compile("^[a-zA-Z0-9]{" + str(self.permute_len) + "}\.")
Warning: Fewer than 16 resolvers per process, consider adding more nameservers to resolvers.txt.
Warning: No nameservers found, trying fallback list.
Process lookup-3:
Traceback (most recent call last):
  File "/usr/lib/python3.13/multiprocessing/process.py", line 313, in _bootstrap
    self.run()
    ~~~~~~~~^^
  File "/home/kali/Desktop/commonattacks/subbrute/./subbrute.py", line 422, in run
    response = self.check(hostname, query_type, timeout_retries)
  File "/home/kali/Desktop/commonattacks/subbrute/./subbrute.py", line 342, in check
    resp = self.resolver.query(host)
  File "/home/kali/Desktop/commonattacks/subbrute/./subbrute.py", line 57, in query
    name_server = self.get_ns()
  File "/home/kali/Desktop/commonattacks/subbrute/./subbrute.py", line 107, in get_ns
    ret = self.nameservers[self.pos]
          ~~~~~~~~~~~~~~~~^^^^^^^^^^
IndexError: list index out of range

Can anyone help?

I've tried including the default resolvers.txt entries below my own, the result remains the same

try not specifying http

can anyone help with web service and api attack module. Where does the SQLi injection located within the SOAP Request

Does "ip a" work the same as ifconfig?

Because I can't use ifconfig on my parrot

Try sudo?

Ok it worked with sudo

Thank you

https://tenor.com/view/neon-sign-neon-thumbs-up-yes-great-gif-12713365844438780765

Good evening all. I have an "issue". Doing the Password Attacks Module, Section "Cracking Protected Archives" (https://academy.hackthebox.com/module/147/section/1323). Whun running Hashcat on the Bitlocker hash (for the downloaded VHD file), it cannot find the pwd in the Rockyou list. So whats wrong with this?

you can DM if you want, should be something with your query most likely

Tried that, didnt work

I ended up switching vpn servers & files due to the high load

That seemed to have fixed it

<@&861185840277487616>

GO AWAY!!!

Try more general chat @hallow dust this is for htb academy module discussions

Oh sorry about that.

It's cool im not a mod or anything, just using the channels how they were intended

Guys i am on module siem use case visualization pt 1. and everytime I use my virtualbox it squishes the screen and I can't see anything

It fixes after I move the tab I am on but then squishes down again

If the tab is getting smaller and smaller just full screen and minimize

Dude you're awesome it worked thank you

Yuppers

Do we have a mod or admin available? I need an intervention to get my HTB account linked to Discord.

Is there some way to check history of module purchases?

because i see some modules which i don't remember getting for cubes (or i just have a dementia)

Helping users with modules if they would like in DMs

You can DM me if you still need help

sent

Hi guys im in the web attacks skills assessment and wasn't able to escalate privilege. I have found IDORs and see there are some interesting endpoints to make use of but don't know how to approach it 🙁

need some nudge.

Keep enumerating, use intruder if needed makes it faster.

i have enumerated deeply found neccessary info but when i try to change passwd it throws error on the front end you know. I'm doing sth dumb i know but i can't put my finger on it lol

Make sure you are using the “necessary info” that you found.

Dm if you still can’t wrap your head around it

Hey, I am also stuck on this one. I was able to get the admin_key but I can't get command injection

Hey would you be able to help with the LLM output attack assessment? I got to the admin chat, but ca't get the flag.

Did you figure it out?

Hey, I managed to get admin_key and now attempting to get the flag via admin bot.

How did you solve the second question I been stuck for days

Anyone able to help with Injection Attacks Skills Assessment? Please dm

Did you find the credentials? Stuck here

can we get rid of the middleman clipboard? I just want to reduce that one step of copy-paste between pwnbox and host lol

Check the permissions in your browser, the copy-pasting should mostly work without needing to use the middleman-feature

Use the creds of the user forend. They were found in the LLMNR/NBT-NS Poisoning (Linux) section.

No wayyyy
Thanks
🤦‍♂️ 😅

./subbrute.py http://inlanefreight.htb -s /usr/share/seclists/Discovery/DNS/namelist.txt -r resolvers.txt
/home/kali/Desktop/commonattacks/subbrute/./subbrute.py:462: SyntaxWarning: invalid escape sequence '.'
permute_filter = re.compile("^[a-zA-Z0-9]{" + str(self.permute_len) + "}.")
Warning: Fewer than 16 resolvers per process, consider adding more nameservers to resolvers.txt.
Warning: No nameservers found, trying fallback list.
Process lookup-3:
Traceback (most recent call last):
File "/usr/lib/python3.13/multiprocessing/process.py", line 313, in _bootstrap
self.run()
~~~~~~~~^^
File "/home/kali/Desktop/commonattacks/subbrute/./subbrute.py", line 422, in run
response = self.check(hostname, query_type, timeout_retries)
File "/home/kali/Desktop/commonattacks/subbrute/./subbrute.py", line 342, in check
resp = self.resolver.query(host)
File "/home/kali/Desktop/commonattacks/subbrute/./subbrute.py", line 57, in query
name_server = self.get_ns()
File "/home/kali/Desktop/commonattacks/subbrute/./subbrute.py", line 107, in get_ns
ret = self.nameservers[self.pos]
~~~~~~~~~~~~~~~~^^^^^^^^^^
IndexError: list index out of range

You can dm me

What is in resolver.txt?

password attack , pth for linux
Check Carlos' crontab, and look for keytabs to which Carlos has access. Try to get the credentials of the user svc_workstations and use them to authenticate via SSH. Submit the flag.txt in svc_workstations' home directory.

i cant crack this hash , tried hashcat (-m 1400) any hint ? and wordlist was rockyou

He's just copied this from yoC. The issue had been already resolved.

Attacking AI - Application and System > Model Deployment Tampering
Receiving that 500 error when attempting to exploit for module. I did my own research, formed my own POCs, ran into issues, defaulted to what the module itself says, same issues. I ran line for line what the walkthrough says to, same issue. I contacted support and they claim it works, can anyone spot what I did wrong here?

Appears that people have asked the same question in this channel and received no help, so I guess it's just gg's until it's accepted that there's an issue with this box? 🤷‍♂️

I am also having issues with that lab. Completed the skills assessment and all other labs with mostly no issues.

Looking at your error message, I have also been receiving 500 errors back as well. I am also trying to figure it out.

I have just tested the exercise following the steps in the walkthrough, and it is working as expected. Also, please obfuscate some of the payload in the screenshot phlebas to avoid spoiling the exercise for others

It just makes no sense to me because I can copy-paste directly from the walkthrough, change the variables to what they need to be, and it gives issues

As you can see in the screenshot I have a reverse shell connection

And I count 7 others in this chat that have had the same/similar issues

9 including us two

Reset the target and try to follow the steps again, if it doesn't work feel free to DM me

Ok, it worked this time around... Gonna try to figure out what I did differently, if anything 🤔

Hi, in Intro to Whitebox Pentesting, Skills Assessment challenge it says: There are at least 2 different ways to obtain remote code execution on the target.
I found only one of them, can anyone give a hint about the second vector?

do u get the correct hash? compared to cmd in this section, only the value of hash changes

hi guys!

I'm new

nice meeting y'all

Hello

Same here

module: Web Attacks
section: Bypassing Encoded References
I used the parameter to get the flag as shown in the image. But doubt is how do i get the file with the filename?? coz it's mentioned in the question that we can also do it with filename. And yes is tried /download.php as well as /contracts.php with filename and it's not working
@rustic sage

I'm in need of some help on https://academy.hackthebox.com/module/143/section/1278
I can't get the msfconsole socks proxy to work. I've copy pasted the commands from the answer but it still won't connect

Everything looks correct, I'm just lost as to what is causing the problem

I'm also having the same issue with the 500 Invalidworkflow error, how did anyone bypass the error? going crazy, already tried a lot of times

out of interest have you got #proxy_dns uncommented in /etc/proxychains.conf ?

I had some issues with getting this section to work and commenting that out solved issues I was having. I can't recall if it was this specific issue though

and your msfconsole socks_proxy module options reads socks5 instead of socks4 right?

Ooh, I'll try that. I've tested both socks 4/4a and 5

Verified they match both times

understood, hopefully the proxy_dns is the issue then and solved by commenting it out

give me a sec i'll launch module and do it with you

and provide a hint

It's commented out and the values in socks_proxy read 5 :/

recommend jumping onto the pwnbox then. Remove the environment as a factor by using a known good build. Then attempt it with the exact way module reads. Thats how I troubleshoot anyway

Sounds like a good idea ^-^

module : password attack , ptt for linux
Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio.

i cant get into the smb for some reason ,

Can someone help me with Wi-Fi Password Cracking Techniques - Skills Assessment?
I don't understand how to crack the 1st, 2nd and 4th wpa handshake

just wanted to ask everybody whats the best way to learn fuzzing from scratch

https://academy.hackthebox.com/module/details/280 ?

thanks

any books or material besides this

??

Google will show you lots of resources 🙂 this module is a free one btw, you get the cubes back on completion

cool thanks and if i specifically want to do it in context of OS so any reccomendations on this bro

can't help you there, sorry

I'm more of a web guy

cool

thanks

what are some good HTB labs for intermidiate ctf questions related to binary and that stuff

for google ctf

specifically

Might wanna read #welcome and then ask in another channel as this channel is specifically for Academy modules

thanks

I am still stuck on getting the flag. If you solve it, I would appreciate a hint or a pointer

DM me.

Same issue on the pwnbox, Either I'm blind and doing something wrong or the module has some issue

It seems the webserver also randomly crashes or I loose conenction to it when using pwnbox

This is for one of the AD enum and attacks SA?

Yes

The first SA in the AD attack end enum
https://academy.hackthebox.com/module/143/section/1278

Are you hard set on using Metasploit and proxychains? I get wanting to do it multiple ways, so just curious.

No but I've used the others before and want to learn how msf is used for this

When it works it also looks like a nice experience so would be nice to get it to work 😄

I haven't used MSF with SOCKS in a while, but if you'd like to DM what you have going on maybe something will standout.

That would be awesome! 😄

has anyone done the wifi password attacks? im stuck on generating default creds

Hi all, completed all modules from the Red Teaming AI but I am stuck for many many days at the Model Deployment Tampering section.

I tried everything I could from following the HTB guidelines to MetaSploit CVE-2023-43654 but no luck so far. Added screenprint of MetaSploit where I am stuck ... hope someone has some tips or guidelines.

MetaSploit output:
[] Started reverse TCP handler on 127.0.0.1:9000
[] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version 0.8.1 is vulnerable.
[] Using URL: http://127.0.0.1:8080/Cw299gS5f3/
[] Registering the model archive...
[] Server stopped.
[] Exploit completed, but no session was created.

dm if you need help

hello i have a tech issues on the AD Enumeration & Attacks - Skills Assessment Part I

The target goes down every time

within 3min (max) after spawning

i tried more than 5 times

The successful exploit also has the 500 error. The section (which is not a skills assessment) doesn’t say it anywhere but they expect you to get a revshell, so if you’re not doing that you’ll want to, and re-read the parts of the section that briefly mention particulars on setup for that. Feel free to dm if need

Yeah I had that happen... you just have to kind of get lucky lol

@noble spire please don't post flags in chat, have you checked whether there are leading or trailing spaces?

Um guys is the bash scripting module with enough weight as learning python??

yes

Please simply post the following here without spoiling any module content:

• Module
• Section
• Exact question

Repeating Requests 2- Try using request repeating to be able to quickly test commands. With that, try looking for the other flag.

can someone help me with this

module: Network Enumeration with Nmap
section: Nmap Scripting Engine
which nmap wildcard would work with scripts?

Um guys?

hello, i need a help - on module -Information Gathering - Web Edition > Fingerprinting-i tried everything i can think off, can anyone who able to guide me a little to understand how to get cms ?

Web Proxies 2- Repeating Requests 3- Try using request repeating to be able to quickly test commands. With that, try looking for the other flag.

Did you try all tickets?

ya , there are 2 in total right , both in temp

one is expired and other is alive

You can DM what you have on your end.

what was it in the end?

sorry couldnt help further

Basically a network issue with the target environment

It started working on the pwnbox and 3 seconds later stopped, then 15 seconds later it worked and so on

yes

oh 🙁 restart of the lab I take it fixed then

No XD

I gave up, read the answers to understand the attack path and then went on to the next SA

#1234357888114364508 maybe worth putting it into here then if its a known bug / issue with the environment, even effecting pwnbox

ah okay all good

yes, Thank you

did you change something? it was 1080 port before. Just curious

I messed around with using port 1080 and 9050 as well as socks 4 and 5

Nothing changed in between those 2 commands

i found the solution thank you

strange, especially on pwnbox too

Yeah, I thought it would be an issue with my attack host or something

I want to learn how to hack

Who's gonna teach me?@cunning canopy

You were previously given guidance in a different channel, do not randomly ping members of this server.

and private messages too.. jeez

really committed to their learning

Hey you just sent me something?

In Attacking Common Applications - Attacking Tomcat, I'm running the Ghostcat exploit and all I get are 404s, even though the files exists backend from what I can see through the RCE obtained earlier...

I tried other PoC code and it gave me the same errors....

All good, just wanted to make sure it was intentional.

yes , sent DM

Hi guys

For anyone stuck on AI: Model Deployment Tampering: IT ONLY WORKS ON PARROT, not Kali, due to version of TorchServe Workflows

Hero 🙏🏻

Is normal for me to get disconnected in seconds after using xfreerdp in the "Documenting & Reporting" module?

I don't have anything like that annotated in my notes, so if you are having issues and it is not common, try to reset the target and if it persists you can try changing VPN config or regions to see if that helps to fix your issues.

Okay I'll try that

I noticed that I get disconnected everytime I open the bash terminal inside the Target Machine

If I use xfreerdp and don't open the bash terminal, I don't get disconnected, but as soon as I open the bash terminal it goes off

Are you on the practice lab?

Yes, and I'm using the spawned pwnbox to do it

I noticed a lot of problems when trying to use Kali

You can DM what you are talking about and perhaps I can identify the issue.

Okay

xfreerdp3?

I had to fiddle with some packages on my own Kali to get RDP to work right

I only use xfreerdp3 in Kali, this time I'm using xfreerdp at the pwnbox

As well as doing stuff like cert:ignore

Then you're doing the right things afaik

Hello and welcome. I suggest going to #welcome so you can access more channels, that include general chat, as this is a channel for HTB Academy modules. Also worth reading over the #rules

Hello, i am doing Broken Authentication module, i am on Brute-Forcing 2FA Codes and the ffuf command does not work? can i send it to this module? can anyone help?

Skills Assessment
Setup
You are tasked with executing a security assessment of a customer's MCP server. The customer is RootLocker, a platform that provides cloud storage of documents as well as a password management service. Your goal is to identify security issues in the server implementation and obtain the flag. Anyone who achive this ?

Submit a 5D float vector (comma-separated) to unlock the flag.
Input vector: Expected 5 comma-separated float values.
WTF is this ?

Say a module is completed, but then updated. Do you still "own it"?

Like what if Intro to C2 Operations with Sliver got updated after I completed it AND my subscription is over. Would I still own it?

Yes

@proper dune yes

Hello, has anyone here solved the Identifying Unkeyed Parameters lab? I can successfully poison the cache and retrieve my cached payload when I visit the page, but the bot doesn’t seem to trigger it.

Did you end up solving this? Same issue here, I even tried PoC code and it doesn't work either for some reason...

hey I did yeah, dm me maybe I can help

wait actually the rev shell never popped for me. I added the user and went about my business - tried all sorts according to my notes (feels like ages ago)

I put the user add code after my rev shell code, and the user was still added so I know my rev shell clearly was janky but used multiple examples, pshell nops, you name it.

I cant get a revshell for some reason either but I did the add user code but cant get a shell

Ill dm you

I feel like its intentional ya know?

I can't prove that but feels like persistence was intended with that move into the back-end

Anyone able to help with Injection Attacks Skills Assessment? Please dm

Hello guys just having issue setting up proxychains for ADCS attacks module for ESC5

I followed the sections reading for setting up proxy

sshpass -p 'HTB_@cademy_stdnt!' ssh -N -f -D 127.0.0.1:9050 htb-student@10.129.205.205 -oStrictHostKeyChecking=accept-new

Then commented out proxy_dns
sudo sed -i "s/proxy_dns/#proxy_dns/" /etc/proxychains.conf

Then when I try to enumerate it doesnt work
proxychains -q cme smb 172.16.19.3-5 -u cken -p Superman001 --verbose
[19:52:56] INFO Socket info: host=172.16.19.3, connection.py:160
hostname=172.16.19.3, kerberos=False,
ipv6=False, link-local ipv6=False
INFO Socket info: host=172.16.19.4, connection.py:160
hostname=172.16.19.4, kerberos=False,
ipv6=False, link-local ipv6=False
INFO Socket info: host=172.16.19.5, connection.py:160
hostname=172.16.19.5, kerberos=False,
ipv6=False, link-local ipv6=False
[19:53:01] INFO Failed to create connection object for connection.py:219
target 172.16.19.3, exiting...
INFO Failed to create connection object for connection.py:219
target 172.16.19.5, exiting...
INFO Failed to create connection object for connection.py:219
target 172.16.19.4, exiting...
Running nxc against 3 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

Could anyone help?

Thank you!

Gm

nevermind figured it out using ligolo-ng

@civic inlet

File Upload Attacks Client-Side Validation
After running the targetip:targetport in browser, the upload button doesn't work.

?

Hi all,

Please I cannot connect to the attack machine for NTLM Relay attacks.

I want to do free CTF on HTB

Can anyone help me? i can't found free machine

tired fluffy, editor, outbound

and soulmate

start with academy 🙂

I have already done them 🙂

all of them? 🙂

You are saying meow ? and that type of machines?

there should be a module available where you actually learn how to play your first machines, including the free ones

okay let me try

Wait i want to do some CTF

They are blue teaming...

HTB is confusing...

ngl

"Getting Started with Hack The Box (HTB)"
https://academy.hackthebox.com/module/details/77

Everything hard will seem that way at first sight

I am still stuck on that AEN module connection problem, initially I was on UDP but it kept dropping even though the HTB website shows "Low Load" for US Academy 4, the HTB support suggested me to switch to TCP, the conenction was stable but for some reason ligolo wasn't working with TCP (specifically unable to RDP to an internal network machine 172.x.x.x), now I am trying back UDP (to test if TCP is the problem) but it is dropping like some 2nd grade ctf platform

you can dm me if you still need help

I messaged you

hey im working on SIEM and SOC fundamentals, and I can't find the answer for SIEM Visualization example 4 section's question. Anyone able to help me?

Please ask in the #challenges channel
If you don't have access read #rules and follow the instructions in #welcome

nvm it took well over 5 minutes to load ... ignore me

Hi

I am new here

hiii, quick question about Password Attacks modules precisely the Attacking LSASS and attacking SAM...
in the previous module we use └─$ netexec smb 10.129.XX.XX --local-auth -u Bob -p 'HTB_@cademy_stdnt!' --lsa to dump lsa secrets, but in section Attacking LSASS we can't do the same? isn(t lsa and lsass the same?

Try using request repeating to be able to quickly test commands. With that, try looking for the other flag.

yes

How did you figure out the second question

Can someone please help me on dacl attacks II skills assessment question 2 , I can create a gpo but have no way to the user who can link it 😭

Have anyone know how to finish the Applications of AI in InfoSec(Model Evaluation (Malware Image Classification)), because I follow the instruction source code, but i don't know why I upload the the model file is invalid

I’m working on exploiting web vulnerabilities in thick client applications. I followed all the steps in the reading but I’m still getting connection errors. Wireshark also doesn’t seem to be detecting any DNS traffic. Can anyone help solve this issue?

LSA ≠ LSASS.
LSA Secrets live in the registry; LSASS is the process in memory.
netexec --lsa is for LSA secrets, not LSASS process dumps.
For LSASS, you need a process-memory dump technique (procdump, Mimikatz, etc.).

Hi everyone, someone is facing problems with the module Intro to C2 Operation with Sliver ? because all the labs are very slow and most of the commands in the sliver sessions do not works. I tried to switch VPN multiple times

Hello

Is there someone who can check why my flag not working ?

Attacking AI - Application and System

hi, what is vip? im confused, I just paid for student plan and there is another thing I can pay for monthly? Is it useful for studying and completing cpts certification?

It's not letting me message on general chat

Oh I'll have to verify right?

vip is for the main platform (https://app.hackthebox.com)

correct; the instructions are in #welcome

Anyone have a second? I think this module may be bugged?

Using Web Proxies | Repeating Requests

My module is also buged

I can't remember if I've registered but is labs or academy better? I've moved from THM cos they're using user data for some AI startup.

I put the answer in last night, got it correct... Logged on today, answer disappeared, ran back through it. Answer is now wrong?

Is HTB Labs or academy better

Depends what you're trying to do

More learn at the moment

whichever one you feel is best for you to learn and how you learn

Than most likely academy will be better

Academy: lots of reading and practice
Labs: Lots of research and more blind

I'll start with academy and go to labs lol

I'm on mobile right now can someone say how much it is for both

Marcie, can you sanity check this answer for me? It was right last night... answer disappeared this morning, and it's now apparently wrong? lol?

Found the right answer by using my intrusive thought, I still don't get it why that is the right answer and how💀

@grizzled schooner

1b83fe2e0985ca20a9ef8b942da9a437  -
ddba986c7a8b1ef6debc4828af09b099  -

1st is echo -n "flag" | md5sum
2nd is echo "flag" | md5sum

Academy: Lots of reading and occasional wrong information

for repeating requests?

yes

wtf? I have words, not md5 hashes

or did you pipe to md5 to not spoil answer

i piped to md5 to not spoil answers

10-4

first is using echo -n to not send the new line, the other is just echo with the newline

... my answer doesn't relate to either hash lol

Hello 👋

then you hallucinated it accepting your answer

HTB{qu...75}

I mean there's two answers... the first flag is obvious... I found the second directory by searching... I can give you the path for this flag if that would help? I don't want to spoil though

I have 1n73r....

read in l337sp34k

Wat lol

the flag you have is for the intercept section

1 = i, 7 = T...

a fair bit of the flags are l33tsp34k (leetspeak)

Please accept my Hi 😀

so I think that this module is a little busted then... the answer for this module is where the answer for intercepting req should be, and the repeating reqs was where intercepting should be lol

nevermind, this answer isn't right either lol... I've checked both flags, somethings not adding up

pls can you check my flag

it's at the root of your issues; dm me the flag/location

what module and section are you working on?

Attacking AI - Application and System /Skills Assessment

haven't done that module, can't help ya

Do you know someone who can help

just ask your question here (without spoiling information) and someone that's done it may be able to help you

Can somebody check my flag? Attacking AI - Application and System /Skills Assessment It is not working

Is this from Application and System skills assessment? The one with MCP?

Yep

Yep, This flag not working

I don't think your flag is correct either... It's way easier to get the flag...

Then wtf is this 🙂

I'm not 100% positive of what happened here, but the flag you have there is not the correct one. I think some kind of hallucination, if I had to guess.

depends on your script, maybe check what you wrote when it outputs the flag

I am 100% sure it is halucinated

Correct answer is 32 hex characters wrapped in HTB{}

i will dm my flag

I have seen it

I've been doing the 'Web Attacks' module and it seems like almost not working. I must wait 5 min to load the page, 10 min to get Burpsuite make a Forward and so on. It just happens with this module. I had no problems with the rest. Am I the only one?

I'm working on the Exploiting Web Vulnerabilities in Thick-Client Applications section in Attacking Common Applications, I've edited all the files that I need to change like it does in the reading but when I run the updated JAR app and try to log in I'm still getting a connection error. When modifying the hosts file I used the same command that was used in the reading echo 10.10.10.174 server.fatty.htb >> C:\Windows\System32\drivers\etc\hosts . Is the IP supposed to be same as the command in the example? I'm not getting any other way to get this one working

try this workstation

Can someone help me in Linux fundamentals module

what is the problem

Hey, anyone manage to perform this WSUS Update attack using an account that belongs to the WSUS admin group but not local admin in the Windows Lateral Movement module?
It fails for me with this error when I try to approve the malicious update, a little research and I discovered WSUS approval via SharpWSUS relies on directly querying the SUSDB SQL database.
and it appears this account doesn’t have SQL EXECUTE permissions on certain stored procedures (like fnGetComputerTargetID) in the WSUS database. Just curious if anybody was able to perform this successfully

Whatever written in module to teach is not enough to solve questions

what question exactly do you have a problem with?

There are many

I get you lool, try reading it over again section by section and then if you still have a problem start by asking for help with questions one after the other after putting considerable effort yourself.

How I can figure out which command should I apply in for the question: "How many total packages are installed on the target system?"

why I'm not able to share photo here

i have to ask with photo

@coarse leaf @faint rampart tell me

have you tried dpkg -l?

you could pipe the output to another command such as awk to retrieve the number of installed packages
I havent really done this module so I cant tell the way for sure

read and follow #welcome

Idk if this is a good place to ask about general question

Ok nvm figure it out

If you can see worflow section Find Files and Directories chapter in linux module whatever they have written for learning is not enough to solve questions from that part

hi chat, I'm confused in the Code Analysis > Reverse Engineering & Code Analysis > Recognizing the Main Function in IDA, the author says "*Based on the overall structure of this function, we can conjecture that this is the possible main function. *" but I don't understand what are the criteria ? is it because its has 3 call instructions ? it it because it checks for the registry key ? is it because it imports an external function from a DLL ? all of that ? what makes this specfic function/block likely to be a main() rather than any other ? I would have expected a main() to be something massive with a lot of functions and instructions

Hey everybody. I'm doing the path to CPTS right now and i was wondering, when I should try my first machine from the labs. also what machine is suggested first for someone who is a total beginner

Hey I just took a look at it, I'd advice you read it through again, all the challenges have clear hints towards how to solve them in the content, just try to read through again to understand and have a go at it again.

I am working on the Identifying Unkeyed Parameters lab and am very stuck. Could someone DM me? I found two Unkeyed inputs that can poison the cache with XSS, but I can’t seem to get the flag.

Hey , Im doing the linux privesc module , NFS export question from misc techniques

whenever i use this command my terminal gets stuck , tried resetting machine twice. Any advice ?

sudo mount -t nfs 10.129.182.211:/tmp /mnt

Hey guys i am preparing for the CPTS current doing the prerequisite for penetration tester pathway infoSec foundation doing Linux module ahh can anyone say how you approached the remote desktop protocol in linux

for the second question of Kerberoasting from Windows section of AD Enumeration and Attacks module, I am trying to crack the hash and I get "separator unmached." I tried both hash modes in the section.

and tried using two different versions of the hash file

can someone help me out?

Sounds like the hash isn't valid, I've seen that error when there's a mistake in the format.

I am trying numerous variations on the hash. can I DM you?

I am using the right hash like I'm 99% sure

Idk I don't have the hash in my notes

right but I just want to know if its a hash formatting problem

because I copied the exact hash that's why

oops

don’t email me

@compact atlas can I DM you?

wait cracked it

I just use xrdp/xfreerdp seems to do the trick for any target so far. If internal network im pivoting to then over proxychains.

HTB Academy has a few great modules on this - pivoting and tunelling one is highly recommended to get use to this

or if you have valid creds for RDP its likely SSH is available (if its not then oh well, least you're aware of how), so you could use that too

Thank you dude

I tried many times to connect to the inlanefreight.com and get download.php but it keeps on saying failed. This was done with the parrot os vm provided. Then i used my own Kali Linux vm to try it and it worked but this is what the file said: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <hr> <address>Apache/2.4.41 (Ubuntu) Server at inlanefreight.com Port 443</address> </body></html>. I am very confused and even tried asking ChatGPT so any help would be much appreciated.

was redirected here and told it would be helpful to give module and section name

not sure how to see those tho

name of the module would be something like "Getting Started" and the Section name would be at the top of the page

WEB REQUESTS > HyperText Transfer Protocol (HTTP)

the question isn't asking you to curl inlanefreight.com/download.php

?

where in the question does it state inlanefreight.com 😉 there's also a button "Click here to spawn target system!"

omd im stupid

Guys does anyone playing in the season 9

https://academy.hackthebox.com/module/details/15 explains how to interact with academy

this isn't #general; read and follow instructions in #welcome to access it

thank you very much

How long have you learned to be a Red Teamer?

Hi

@graceful jay

يسطا 😢

english only in the server #rules

Struggling with Windows Lateral movement Skills Assessment question 2. Explored the hints even and I'm sure I have the proper users access on the machine, looking for the flag where the question refers and I'm not finding it, anyone who's done it able to guide a little bit?

yellow yard yeah trans yeah ghoul yeah mars

?

im talking english

yeah meat neck

yeah bin ill whisker

can you actually make sense?

read #welcome

If anyone could give me a little nudge on Module's 'DACL Attacks II' Skills Assessment, I'd highly appreciate. Been stuck for a while. Thanks in advance!

The SA is an environment, not a solo box.

has anybody done the Advanced Deserialisation attacks module? need some help

In attacking drupal got the RCE and exploring the folder don’t seem to find the flag.is it only visible after doing drupalgeddon?

password attack , ptt for linux

Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).

the only step remaining is running the Linikatz.sh , but to do that i gotta access the linux machine and rn im in windows inlanefreight\julio , how do i get into the linux ,?

or do i run it in svc_workstations ?

Hi Everyone,

If I subscribe to the monthly student plan on HTB Academy, will it include access to the Android Application Pentesting path?

The student subscription includes all modules up to Tier II. The modules from Android Application Pentesting are all Tier III ( except Android Fundamentals) and are therefore not included.

https://academy.hackthebox.com/module/116/section/1165 I'm working on this lab but after scanning ports using nmap multiple times the FTP port is not open

you can DM me

Hi. I’m stuck on the “Attacking common applications” module, in the attacking gitlab section. Anyone could give a nudge, please? 🙂

Use a method taught in the File Transfers module?

You may need to reset the target a few times. I recommend after the target spawns to let it sit for at least 2-3 extra minutes just to ensure things start.

Still stuck?

Hi anyone

I presume you mean for me to do to a different host within the AF. I'll check it out thanks

Have anyone help me??

Hi ! I'm doing Attacking Thick Client Applications lab. But when I connect with RDP, there is no user Matt. Moreover, the file C:/programdata/restart-service.exe is not present. So I can't retrieve the flag. Already try to reset lab (CPTS path) nvm i just failed copy paste lol

nvm i got it

Does anyone have connectivity and latency problems with module Intro to C2 Operations with Sliver ?

I tried to change vpn region and reset target multiple times but its tremendously slow and laggy

Hi currently at Intro to WhiteBox pentesting at Blind Exploitation, was wondering if anyone managed to get boolean-based exfiltration to work via status codes?
This was the closest i got but i'm still struggling to set the status code to what i want
|| ```
malicious = f"'+(require('fs').readFileSync('./flag.txt','utf8')[0]==='{char_guess}'?(function(){{throw({{statusCode:403,message:'match'}})()}}):(function(){{throw({{statusCode:500,message:'nomatch'}})()}}))}})//"

Hello, i'm currently on Public exploit part, and there is task related to Wordpress simple backup plugin, i've got output from this file but not sure what to do with it
root❌0:0:root:/root:/bin/bash
daemon❌1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin❌2:2:bin:/bin:/usr/sbin/nologin
sys❌3:3:sys:/dev:/usr/sbin/nologin
sync❌4:65534:sync:/bin:/bin/sync
games❌5:60:games:/usr/games:/usr/sbin/nologin
man❌6:12👨/var/cache/man:/usr/sbin/nologin
lp❌7:7:lp:/var/spool/lpd:/usr/sbin/nologin

?

i'm looking for some advice

Hello,

Doing the wayback machine / Web archives / Information gathering - Web edition, trying to answer questions about hackthebox.eu itself.
In all cases the stats section in waybacked website is zeroed (all stats are zeroes), independly really of the date chosen.

Yes, suffix is as in screenshot and tried alternative machines.

EDIT: It's not about this section in the website. Look in the text 🙂

Pentesting basics

Job Role Paths > Penetration Tester https://academy.hackthebox.com/module/77/section/843

this was previous one i think , this one is related to wordpress simple backup plugin, i used msf to get output from /etc/psswd

and than i'm stuck

i think it is Getting Started > Public Exploits

Questions
Answer the question(s) below to complete this Section and earn cubes!

Target(s): 94.237.57.211:54628

Life Left: 24 minute(s)

• 1 Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)

wow, that was simple... thanks a lot 😅

i though it is only accepting folders

oh yeah, you are right

https://tenor.com/view/puppy-dog-eyes-sad-saint-innocent-shrek-gif-5956398

https://academy.hackthebox.com/module/144/section/1256

URI wasn't the issue but got the answers now. Thx

What are hard links?
I even googled it and still I don't understand..

Hey guys! I'm really, really stuck on DACL Attacks II Skill's Assessment. If someone could give a little nudge I'd highly appreciate! Thanks in advance!

Sup everyone! Need help.
Components of a Network: (Question)
What type of network cable is used to transmit data over long distances with minimal signal loss?
(I tried fiber optic cable), it's dosn't count

Hi, I have a question. I was stuck with question about the Port in the Splunk Module. I think my query is correct however both the ports (80 and 443) are not correct answers.

You can DM where you are stuck.

How can I use responder to capture hashes while pivoting?

Hey all I am trying to complete this lab located with this link (https://academy.hackthebox.com/module/289/section/3246). I'm doing netcat to get FTP connection when doing the lab and before I get to the next step I get a connection error. I am not sure how to resolve this, but I was currently using the Parrot OS that HTB provides. I also tried it out on my own linux environment using the openvpn and I still get that issue. I am not sure how I'm supposed to troubleshoot when there's no directions on what to do.

Does the junior cybersecurity analyst path still work? I wanted to try it today but for some reason it wouldn't open

Hi. In module "OSINT Corporate Recon" in Technologies in Use, question: Which version of WordPress is used on the Inlanefreight domain page? I dont see the problem...any hint in this?

Send me a dm 🙂

Looks like you found the right thing. You're reading a file on the server, you need to change it to read the file that contains the flag.

Hi there can i learn complete bug bounty on htb site????

Some1 reply

yep

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

Can i get roadmap of bugbounty

Have a look around the platform

If you wanna do bug bounty, you’ll have to go through content and do some educated guesses 🙂

Ok . M new to htb btw i gotit

https://academy.hackthebox.com/preview/certifications/htb-certified-bug-bounty-hunter

Hello. Very new here. Not a complete noob, but running through the Academy stuff so I know that I know what I'm expected to know. I'm in Getting Started - Basic Tools (/module/77/section/847). I was having issues netcating my target (because I'm an idiot and left the generated port number on the address) so I revealed the answer and submitted it because I know how to use netcat. Right after that I realized my mistake and issued the command successfully in my terminal and got back a different SSH banner than what the module told me the answer was. Is it normal for this kind of question to have multiple right answers?

i'm stuck in this question active directory , privileged access ,first question
any hint please?

Yes it is not uncommon for different tools to also reveal what you're looking for. Sometimes one tool won't work but another will.

Makes sense. Thanks!

Thanks .
Is this enough to learn bounty full perfect??? Plz ans m beginner

any help?

In attacking drupal got the RCE and exploring the folder don’t seem to find the flag.is it only visible after doing drupalgeddon?

You don't learn "full perfect." It teaches you the basics to intermediate level and how to approach bounty hunting. You will never know everything, there is too much to know. It's a never ending learning process.

Can we upgrade from Silver to Gold monthly plan while in middle of finishing the pen test job path? We started with Silver then once we get through module 2 we wanted to upgrade to Gold.

what module are you doing?

For those who have the silver or gold membership what is your daily route like for competing the modules

Anybody doing the Advanced Deserialisation Attacks?

I need help with the binary example

Thanks!

what do you mean?

I mean do you do at least one module everyday?

I guess it depends on what module if its quite easy and I know the content well I might be able to get through 2-3 but If I don't really know it well then I would probably just do 1 a day

I would also try to balance it out with machines aswell

I am working through the Pentest in a Nutshell module and I have a question about sudo. Does NOPASSWD actually require a password to elevate? Is this just because I authenticated via SSH and the private key? I was caught off guard by being prompted for the password here, what might I not be understanding?

john@ubuntu:~$ sudo -l
Matching Defaults entries for john on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User john may run the following commands on ubuntu:
    (root) NOPASSWD: /usr/bin/nano
    (ALL : ALL) ALL
john@ubuntu:~$ sudo /usr/bin/nano
[sudo] password for john: 

Is it because (ALL : ALL) ALL applies later in sudoers for that user (due to group membership)?

When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match).

in this case you can refer to GTFObins and look at exploits for nano

Yeah, thats all good. I'm hanging out as root already. What I'm asking though is it feels like this excercise was set up in a way via the focus on sudo -l at a certain stage that I expected to be able to use the ^R^X tricks from GTFOBins to get a root shell without a password. Like ... why bother adding john ALL=(root) NOPASSWD: /usr/bin/nano to sudoers at all if the rule for %sudo ALL=(ALL:ALL) ALL seems to apply. For example, I am also able to do exactly the same (root shell) with vim.

I made an #1234357888114364508 post for it. https://meta.wikimedia.org/wiki/Cunningham's_Law

Anyone knows how to unzip a hidden file on kali linux

Have been trying to solve a problem for hours

But not getting there

Always best to say which module and section you're on

unzip or gunzip usually works

It prompts for a password. This may lay it out better: https://discord.com/channels/473760315293696010/1419501195688415363

Does anyone know why when I want to use nc on a port it stays listening and never receives the reverse shell? For example, it listens to the LDAP correctly, but when I use nc it always stays listening.

You mentioned it's a hidden file. Make sure you include the . in the path as it is part of the file name.

Sounds like the shell never made it to your listener.

Pay close attention to the header required when constructing http request.

How do I fix that?

Too broad of a question. You'll have to check everything in the chain. Make sure you can reach the target, it can reach you, make sure all the command syntax is correct.

ookai tysm!

I am getting an identification error

DM me

Hi - I' currrent working on DC Sync section in Active Directory Enumeration and Attacks module. Need help since i'm stuck

I'm getting the following error after trying DC sync attack using impacket-secretsdump. I realise that this is due to adunn not having write permission on ADMIN$ share.

Would appreciate help or suggestion from users who have completed this module.

What i have done till now:

1. Verified that user adunn has DS-Replication-Get-Changes-All and DS-Replication-Get-Changes rights via PowerView.ps1
2. Verified that i am using correct password via crackmapexec
3. Reset the lab several times.

Error:
┌─[htb-student@ea-attack01]─[/opt/impacket/examples]
└──╼ $./secretsdump.py -just-dc INLANEFREIGHT/adunn@172.16.5.5
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation

Password:
[] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[] Using the DRSUAPI method to get NTDS.DIT secrets
[-] Cannot create "sessionresume_NZacLtlf" resume session file: [Errno 13] Permission denied: 'sessionresume_NZacLtlf'
[*] Something wen't wrong with the DRSUAPI approach. Try again with -use-vss parameter

I'm currently doing AD Enumeration & Attacks - Skills Assessment Part I. I'm close to the end (2nd last question) ,

I thought about running Sharphound.exe on MS01 and ingest it in bloodhound. This brings me to 2 questions:

1. On my kali box there's bloodhound CE 8.1.0 and I'm completely stumped on how to use it to answer the question
2. On pwnbox there's an older version but once started with bloodhound and trying to upload the data i'ts just stuck at 0%

Is there any other way to answer the Q: What attack can this user perform? ?

Bloodhound has changed a lot with the release of Bloodhound CE, so you'll pretty much have to familiarize yourself with a whole new application if you want to use that. Also, it's very picky about the version of Sharphound used to collect the data, if there is too much gap between the version of Sharphound and Bloodhound, it's going to complain or not work at all.

For 1. To use the bloodhound CE, you will need new collector which wont be available on MS01. Use the available collector on MS01. Export the files to your local kali VM.
Clone the bloodhound-legacy from github and use it. I spent too many hours figuring this one out when i first came across bloodhound.

Do you know of a good legacy <-> bloodhound CE blog or tutorial or similar?
Being picky with the sharphound data makes matters worse. Def did not use one of the latest releases form their github

the collector is not a problem as we can just move it there. I'll check the legacy repo thanks

If you open your bloodhound instance you should be able to find links compatible ingestors

Not really, I'd just look for a version of Sharphound released around the same time as the version of Bloodhound I was using

Maybe use nxc dacl module or use powerview inside the compromised host.

only seen the link to the quickstart guide that tells me to e.g. download sharphound from their github releases. will test some more

yeah I ended up using powerview to figure out what I need but I'd really like to get bloodhound working too as its in theory such a powerful tool if it works 😄

Update: using the latest sharphound.exe worked for me, so the hint with the version incompatabilities was spot on!

I prefer bloody-AD to read ACLs thank you very much

never used it, i'll try to remember for the next AD session

hey guys how do you get rid of middleman clipboard in pwnbox?

Gday folks, new here and enjoying myself so far but for the life of me I can't get passed this last question. Any help would be very appreciated!

New to HTB Academy , and i have been enjoying it for a while i really wanna make Ethical Hacking my life 😊. Any tips ??

add space

no..way.. i tried 100s of combinations including that and now it workasfdjkasdfasdf prob did a space 2 many last time

https://tenor.com/view/the-office-bow-michael-scott-steve-carell-office-gif-14973267

Has anyone here completed the Android Fundamentals course on Hackthebox?

Would you mind passing on any tips here? I am in the same position.... have been for a day or so.

Have fun! 😄 Beeeest tip, read the "Task" one extra time before going at it, amount of time I could have saved. 🤣🙄

Alrighty 😆 i will .

Delete any and all distractions, focus on the goal

Else feel free to reach out if you want more in-depth tips 😄

Great tip imo 🙏🏼 , i assigned like atleast two hours a day , and i deleted social media.

delete discord it's also a distraction

Sure, thank you so much never knew HTB community would be so helpful 😆 😊

You'll go in the rabbit hole, be ready 🤣 Soooo much in my personal live had to change

How else i am going to ask for help 🤣

google and chatGPT

and support on the site for any site problems

We are a bunch of programmers and hackers, we are better online. 😄

HexStrike is also a fuuuun tool, but learn your tools first the old way.

😈 as i said , i will make hacking my life.

please don't, you'll just burn out

learn to balance

Damnn, new tool discovered , see that's what i am saying having cool people on discord makes you involved and motivated and more

Yeah i know 😁

Usually the more vivid chats are in the private DM's 😄

Hi guys im new here what should i start from the basic?

Yeahh , cuz of the chat guidelines lol , in the dms is where we talk how to hack NASA

Basic Toolset Path 🙂 a good starting point

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

Hacking is my passion.

Nooot in my DM's (Nothing to find here FBI). 🙃🙃🙃

😈 sure

https://tenor.com/view/bye-felicia-hiding-humiliated-leave-me-alone-girl-bye-gif-21567771

I'm a student in IT having some fundamental, but i should also start from the basic to sharpen the skill?

Can anyone help me with sqlmap skills assessment. I can't find any potential attack vectors。Only find one POST request

so use sqlmap on that

I used,it return no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1')

so provide the parameter from the post request

I don't know which one to submit

those are headers, not parameters

you don't really need to add them

also that looks like the wrong post endpoint, that's for a maps API

keep looking

I only find this POST request

keep looking 😉

ok,thank you

you can DM me

Unless it's IT SEC skills, do the basic toolset 😄

I started as a Senior Developer, and I still learned a lot.

sheeesh

Plus it's cheap 😄

Always feel free to hit my DM 🙂

Hello, is there someone who finished module Using CrackMapExec, i have a question about skills assessment because i connected through chisel changed port to 1080 and still cannot scan for any host using CME (e.g. proxychains cme smb <IP range>). Is there someone that can help?

try ligolo-ng I think its most reliable tbh

I know ligolo but chisel is the only way in this skills assessment, it is required as 'connecting to the internal network' on the first step of the skills assessment

Are you using pwnbox or your own VM?

Thanks Rick

2025-09-22 19:02:24 TLS Error: local/remote TLS keys are out of sync: [AF_INET]154.57.164.103:1337 (received key id: 0, known key ids:  [key#0 state=S_GENERATED_KEYS auth=KS_AUTH_TRUE id=2 sid=31b19e60 ed532014] [key#1 state=S_GENERATED_KEYS auth=KS_AUTH_TRUE id=1 sid=31b19e60 ed532014] [key#2 state=S_UNDEF auth=KS_AUTH_FALSE id=0 sid=00000000 00000000])```

does this mean ur vpn is doomed

hello, i see module -Attacking Web Applications with Ffuf is to be phased out with Web Fuzzing , so here should i work in this (never worked with fuff before) or wait for new module , kindly suggest.

okay , thank you and DM'd you

Have anyone finish Application of AI in InfoSec, if yes please dm me

pwnbox

You can DM your command and output, unless you got it working.

Unfortunately I couldn't find a way to use ligolo on this one. This is one of the few exercises where I believe there's no avoiding proxychains, because you're expected to connect to the agent that's already running on the pivot machine. Two things that tripped me up were the socks version and the proxychains command defaulting to a different config file than I was expecting. What worked for me was using socks5 (comment out socks4 config line if present) and explicitly specifying my intended config file every time I used the proxychains4 command.

Anyone able to help with Injection Attacks Skills Assessment? Please dm

this not be chdir ?

no that's correct

i would have thought pwd

This is for windows

intro to networking is this not correct ?

Nope. The format tells you xxx-xxx xxx

two words one of which

still it meant two words right ?

Yes a hyphenated word is one word, not two

mb

English is a terrible language ik

yep

Hi all, is anyone else having trouble spawning targets?

Im on the Windows Privilege Escalation - Windows Server section, and the box refuses to spawn.

Hi All, anyone who know why instanses not working ?

Same, cannot start any instance

can someone help me with the cracking wifi password assessments? i feel like im on the right track just missing a hint or clue

use xfreerdp /u:htb-student /p:'HTB_@cademy_stdnt!' /v:10.129.88.205 +clipboard /dynamic-resolution -cert:ignore /sec:rdp this will work 😉

Is there a way to DM a mod? I have funds in my account, but it won't let me purchase cubes.

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support