Active Directory attacks: Credentialed Enumeration - from Windows

On the bottom there are pictures from bloodhound with queries, ex: Find Computers where Domain Users are Local Admin

I ran sharphound myself, and imported the file on my host machine with the newest bloodhound version (bloodhound-ce-python ) . If i use the same query, I do not get any results. Any idea why?

can anyone help me by a question i have no idea how i can come on the solution

Need some help with the web attack skill assessment, im at the last step to get the flag, but my XXE doesnt seem to be working properly. The injection works fine when I use
<!DOCTYPE email [
<!ENTITY xxe "hi there" >
]>

but when I use SYSTEM, nothing happens. I have tried on both my local machine and the HTB pwnbox.

Use sqli techniques taught in the module. I didn't see any other information in your ask to provide a better hint, lol.

Have you completed the skill assessment updated one need help regarding the path I have bypassed registered page got in but then unable to find what to do found one parameter vulnerable but it is time based so I know that is not the path to complete the skill assessment

Could I dm

I haven't completed it yet, but have been slowly working on it as I have time.

What r u doing after getting logged in

Sure

Have you found any vulnerable parameter

Enumerating

Except message=&to=

Well let me know if you find anything

Hello everyone, I'm stuck at the Skills Assessment - SQL Injection Fundamentals. What is the password hash for the user 'admin'? Can anyone help me get through this?

I am getting too many responses that timeout when performing scans. Will it be due to I'm triggering by VPN?

no it's cos you're sending too many requests -T5

bro's lowkey ddosing the target

I'll try it without setting timming, Thankyou very much.

theres no need for all the extra flags,

just do
nmap -p- 10.10.10.10
and it will take a bit

Hey y'all, I am on the LLM Output Attack module in the academy and having problems getting the first flag. I get as far as getting the cookie, however - I am unsure how to use it to get the flag. Any prods in the right direction would be kindly appreciated. <--- All Sorted. Thanks All 🙂

Hello, can someone help me with File Inclusion skill assessment?

Hopped back on the modules and stuck all over again 🤣
https://academy.hackthebox.com/module/136/section/1291

I've successfully uploaded several payloads and always get "This XML file does not appear to have any style information associated with it. The document tree is shown below."
Viewing the page source doesn't give me any results. I've tried hiding the payload in valid XML data for the SVG image and that doesn't work either.
I read somewhere that people were needing to reset the target 6-7 times to get this to work. On my second reset and same results.

I don't know if you're still having trouble but it's not only time based

I'm glad you figured it out - I'm fuckin lost lmao

Yeah I'm tapping out, I have no idea how you managed that one

Na you got it man! Just take it one step at a time. Were you able to login?

Hey Team,

I would like to start a local community chapter for Hack The Box in the city of Bangalore and I want information of how can I approach the HTB team for the same

I have tried communicating over mail but have not refresh received any information so far I would appreciate any deeds that you can help me with, and also I would like to become an SME at htb so can anybody help me of how can I apply for that as well.

Best,
Shashank

You're in the wrong channel for questions like this.
Read and follow #welcome to unlock better channels for your question.
Here are two links that will hopefully answer your questions

HTB Meetup
https://www.hackthebox.com/host-a-meetup

HTB SME
https://www.hackthebox.com/blog/become-an-htb-subject-matter-expert

Hi, I'm in Password Attacks - Pass the Certificate - I'm running:

evil-winrm -i dc01.inlanefreight.local -r inlanefreight.local

But getting: Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure. Minor code may provide more information Cannot find KDC for realm "INLANEFREIGHT.LOCAL"

I have 10.129.234.174 DC01.inlanefreight.local in my HOSTS file, and have configured krb5.conf.

Any help is appreciated.

Hello, struggling with the sql assessment fundamentals update. Cannot find bypass any help would be great.

(I’ve tried every payload on username and the invitation code nothing changed)

The injection I used came from PayloadsAllTheThings. I completed that on August 20th so I don't know if it's been updated since then.

@terse sedge from that error message something is wrong in your krb5.conf

I’m using the bypass wordlist from payload of all things. I’ve read in the chat the injection point is somewhere on the register page but I’m not seeing it or using the wrong injection point

This might be a silly question but the encoded_flag.zip file at the end of Encoding/Decoding module, anyone the can help me with figuring out why?

It looks like it has changed since I did it so I'm not much help in this case. Sorry!

No worries thanks for the feedback!

@fossil jacinth
I have added these lines:

`[libdefaults]
default_realm = INLANEFREIGHT.local

      INLANEFREIGHT.HTB = {
             kdc = dc01.inlanefreight.local
      }`

Does everything else need to be removed?

Why do you have both .local and .htb ? @terse sedge

Should I be concerned?

I guess I missed that. I will change it to local

In my humble opinion nah its fine. If you are downloading POCs and such your antivirus can occasionally flip out. If you feel concerned you can always spin up a vm.

I'm not downloading anything, this is just a link to an academy section

@magic silo this is not an appropriate place for making such queries.

Ohhh then its definitely fine. Its prob pricking up the injection payloads described there.

That makes sense, ty

NP! If you ever get too concerned consider it a good opportunity to practice new vm/container configs...

How far have you gotten? Have you logged in yet?

I haven’t been able to login yet

Have you intercepted your requests with burp and added your payloads that way

I think the addition of burp there is an odd choice since I don't remember it being used in the module up to that point

@fossil jacinth Now I'm getting:

`Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Invalid token was supplied
Success

Error: Exiting with code 1
malloc_consolidate(): unaligned fastbin chunk detected
zsh: IOT instruction evil-winrm -i dc01.inlanefreight.local -r inlanefreight.local`

I suggest using nxc for this as it takes away figuring it out for u; nxc smb dcip -u user -p password --generate-krb5-file krb5

Also your hosts file isn’t correct btw and you can correct that also with nxc smb but using the --generate-hosts-file hosts.txt file that should produce the correct entry : )

Hmm ... Now perhaps that user which you are trying to impersonate isn't allowed to WinRM @terse sedge .
Or maybe try to purge all tickets and create a new one.

I re-did everything and generated a new ticket.

That was the latest.

Hmm ... maybe try what themanthemyth suggests ?
I also had issues with that module. Don't quite remember how I sorted it out, might take a look at my notes if you are still stuck after that other suggestion.

@fossil jacinth It's the only ccache file available. Not sure what else I would use.

I have this in my HOSTS file: 10.129.105.194 DC01.inlanefreight.local is this not right?

Hello

Did you use the export KRB5CCACHE to add your .ccache file ? @terse sedge
I believe it is correct, your /etc/hosts file that is.

yes

if you type klist ... does it show ?

ticket #41206963 ---> can you have a look ?

yes, but it's not jpinkman

`Ticket cache: FILE:/tmp/dc.ccache
Default principal: dc01$@INLANEFREIGHT.LOCAL

Valid starting Expires Service principal
10/06/2025 15:36:04 10/07/2025 01:36:04 krbtgt/INLANEFREIGHT.LOCAL@INLANEFREIGHT.LOCAL
10/06/2025 15:36:27 10/07/2025 01:36:04 HTTP/dc01.inlanefreight.local@INLANEFREIGHT.LOCAL`

You are using the printerbug with ntlmrelayx to get a .pfx, right ?

yes

I think in linux it's kdestroy to delete all cached tickets ... So maybe try that (check with klist that it's empty) and start over ?

I run ntlmrelayx first, and it listens, then I run the printerbug.

I still think you can't use evil-winrm with that ticket because you are targetting the Machine Account which I believe is not allowed to WinRM. (someone correct me on this one)
Instead, (and I have this in my notes) try to use impacket-secretsdump to perform DCSync and ask for the Administrator's hash ... Then you can use pass-the-hash as Administrator.

Not the server for this type of activity.

You can navigate to #welcome to verify you account and gain access to more channels. I highly recommend also reading over #rules.

@terse sedge and later, J* user is used for Shadow Cred attack, and this user can be used for evil-winrm

What is this in reference to from HTB academy modules?

Yes , what I’m not understanding is why is the assessment differs so much from the course material.

But I’ve basically tried everything from burp using repeater or sending the request via intruder. Both wordlist on pay load of all things. The prior assessment was so much easier. I’m not understanding what I’m missing.

nah that is not correct; for DCs the entry should be; 10.129.105.194 DC01.inlanefreight.local inlanefreight.local DC01

it should be ip FDQN Domain Hostname

if its a standard host(not a domain controller) then its ip FDQN hostname

the order doesn't matter

sure but either way; the above user only has their entry as IP FDQN without the domain & hostname present unless i misunderstood?

yeah

i'm just adding on that the order doesn't matter

aside from IP being first

ah i didnt realize it didnt. I mostly just delegate this to nxc as the --generate-hosts-file just does it without much rangling ahahah

i mean iit's the natural flow of how it'd resolve anyway

but in reality it looks in the hosts entry for X then reads the IP where to resolve -> repeat until all checks are done

(I hate how touchy Kerb is)

i never thought about his before; thanks for the golden nugget

you can have all 3 on separate lines like a maniac, and it'd do the same

what happens if we have multiple different hosts? how does it know which name/domain/fdqn belongs to which ip

Still haven't figured this one out 😬 its hard to tell when you just aren't doing something correctly or it's an issue in the lab

To be fair 9/10 it's a me problem

it reads top down first match

Hi all, I'm currently doing the SQL Fundamentals skill assessment. I managed to bypass the login page and access the main page, where I can send messages and search for messages. However, I'm stuck trying to find the admin's password hash. Could you guys please give me a hint on how to find the hash? I would really appreciate it.

This is the error I see

why are you trying to directly access the file?

Don't you need to browse to it to get it to render?

Oh my god....ignore me please. I see my mistake.

I've been working on this question all day 🤣 so embarrassing.

the page automatically attempts to preview it 😉

Did you find the next vulnerable parameter?

very cool : ) thank you for taking the time to share

Not yet. I’ve tried all the payloads I know, but nothing seems to show up.

in the sqli discovery section there are about 5 special characters. Put them into your parameters and see if any of them return any different application or server behavior

Thanks for your hint

Hello i have a question about : CDSA Intermediate Network traffic analysis the xss section. I did follow the Tcp stream but I couldn't figure out how to get the cookie value Am i missing something?

yeah, but none of the chat boxes / search in conversation give me anything, page source doesn't give me anything... I'm stuck

Oh then maybe I haven't found vuln param i guess can you help

Once you know the injection parameter, it's about finding a payload that works

Skills Assessment - SQL Injection Fundamentals

What is the root path of the web application? <---- I'm stuck on this which config file exactly am I supposed to check?

The one given in the module for nginx in a note doesn't have the root specified.

Well I already knew that it probably has to do something with that section yet I still don't get what conf file I am supposed to look for exactly. : c

Wait am I supposed to fuzz it

You're making it way too complicated

Ok thank you

How will vhost concept coming in sql injection fundamentals just to be clear i have already cleared the sql injection skill assessment then they have updated it on 1 oct so i m doing it again but now what i did bypassed registration page and now I’m looking for config file am i missing something here?

Just Google 'nginx root path config file'. There should be only a few possible locations which depends on the version of nginx the server is using.

@mental canopy , @worthy sorrel please do not spoil skill assessments and modules above tier 0. If you want to help take it to DMs

in this module https://academy.hackthebox.com/module/58/section/526

i'm certain i got the flag for case#5, but when i submit it, incorrect answer. in the same module for case#6 and case#7 got the flag too and had no problem when submitting it

try to force sqlmap to use a different technique, boolean injection can be innacurate, it's better to try time based or similar

tried time based blind and error based, still got the same flag and can't submit it

DM me with your commands

@dense tendon please refrain from spoiling skill assessments, simply ask for a nudge on it

Got it, I'm sorry

i restarted the machine, did the same command, and now it give me the right flag

Sometimes some lag can make the flag turn out different

it's all because of the wifi, as mark zuckerberg says

May I ask how to solve the third question of Skills Assessment in the Using Web Proxies module

Hi, asking about Osth module 5 where can I get the DEV machine IP?

Osth module, could you please elaborate

Also use —no-cast sometimes it gives wrong value and use it without threads also

I'm currently doing the SQL Fundamentals skill assessment. I cannot bypass the login page. So, any hint for me?

Focus on creating an account first

Anyone?

hello fam ily

hello! I can't find the answer of "List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file." this, who can help me pls

anyone had trouble getting AEN bloodhound data with nxc?

Guys, idk where to ask, so asking here.
How to get omni rank on htb main?
What should i do to get that? I have all free pro labs, 80 challs, all active machines, fortresses. I get, that I need to complete all challenges, but it is the only way for omni?

Only boxes and challenges count for rank, so do all of them to get omni.

another +-120 challenges will give me another 400 points, rn I have 1450, but still I need more for omni

Only machines and challs will do that?

yes

Also this channel is for modules so please read #rules and follow the instructions in #welcome to gain access to the #boxes and #challenges channels

I dont want to verify anything.
Last question.
What about fortresses? I see they give some points...

points =/= rank

Didn't get it

For Rank

(ActiveSystemOwns + (ActiveUserOwns / 2) + (ActiveChallengeOwns / 10)) / (activeMachines + (activeMachines / 2) + (activeChallenges / 10)) * 100

For Points

(userOwnPoints + systemOwnPoints + challengeOwnPoints + fortressOwnPoints + userBloodPoints + systemBloodPoints + challengeBloodPoints) * ownershipPercentage

https://help.hackthebox.com/en/articles/5185158-introduction-to-hack-the-box#h_c8dc2ec219

damn

thank you

this sqli fundamentals skill assessment is brutal

CPTS path: Active Directory Enumeration & Attacks -> ACL enumeration -> bloodhound part
Should this work with bloodhound-ce? since i seem to not have the some options, and i get different results?
What is the approach for the exam? legacy version or the updated version?

Both should have the same results depending on your ingestor, however CE is newer so I recommend it more.

If you can enumerate without it is much better though

recommended ingestor is sharphound or sharphound-ce

Ah, i will try the new sharphound, maybe that is the difference!

Yep, that was it 🙂 thanks

Hm, for one of the questions about forend, i can get his SID via Powerview, but forend doesn't exist in bloodhound? - of course i can solve it via Powerview, just curious how it can be it is not in bloodhound

sometimes bloodhound do be like that

oh yikes

thats why I prefer bloodyAD/powerview

Hi, I was asked to identify the operating system. I ran the scan and managed to identify the operating system but it tells me it is wrong. Am I doing something wrong?

It says this in the suggestions but I don't understand what it could be useful for.

I have not access unfortunately

use /verify
you will get dm to verify you account follow the steps and you will get full access to the server

thank you so much

Has anyone done the updated sql fundamentals module skill assessment? I have a way that works but i feel like there is a better way of doing it

Is there anyone I can dm about API Attacks Broken Auth section? Having some issues trying to get the code for the target email. I've tried sending a request via the website and I'm not getting hits with Ffuf

hi! can i dm someone to help me with krbrelayx? something is off and i can't relay to ldap

from which module?

there are some things which bloodhound data dont collect, it happened to me as well...i am still i am not very clear...we have other command line options but using bloodhound is whole different experiance...there are some ACL i guess which bloodhound dont collect in data maybe there is something other ...have a look on it

Not sure why, but in the Vulnerables Services module of Windows PrivEsc, I couldn't get the exploit to run a reverse shell as system. I could run one manually as my user though so it's not a network issue... and I did manage to run a command to add my user as local admin and get the flag, so it's not an issue with the exploit 🤔

I tried a few reverse shells in PowerShell too, maybe I could try calling a nc.exe

(For the Druva inSync vulnerability)

From my notes it looks like I have created a .ps1 revshell and edited the POC to execute it @frosty crescent

Could you DM me your notes if you don't mind? I would greatly appreciate it, thanks 🙂

I will help you figure it out, sure.

nevermind, I was able to figure this out

Hi, I'm doing the Web Attacks > Local File Disclosure. I cannot access the spawned target because the host was unreachable.

$ ping 10.129.4.166
PING 10.129.4.166 (10.129.4.166) 56(84) bytes of data.
From 10.10.14.1 icmp_seq=2 Destination Host Unreachable
From 10.10.14.1 icmp_seq=1 Destination Host Unreachable
From 10.10.14.1 icmp_seq=3 Destination Host Unreachable
^C
--- 10.129.4.166 ping statistics ---
6 packets transmitted, 0 received, +3 errors, 100% packet loss, time 5072ms
pipe 4

Anyone else having the same issue? I'm already connected to the academy VPN so it should not be an issue

Happened to anyone else?
I'm a paid member

It also happened to me

Hello

Have you managed to fix that? or you've ran local vm?

Turns out I also cannot spawn the target on Using the Metasploit Framework module

:\

It took a long time to spawn for now

I use local VM for now

yes right now to me too for the last hour

hey any success?

I just done this section

I figured it out, I was fuzzing the wrong thing

Anyone did sql injection fundamentals skill assessment updated one?

Is anyone else having issues connecting to targets or launching pwnbox?

trying to work through this one now after the update

I have a way to complete it but I believe there’s a faster way

have you finished this? im stucked

No sorry - I just passed Q1

@tall fern i can help, tell me where you are stuck

Can you help me ?

The Q1 is same so I didnt had to complete it are they interconnected

Is Q1 connected to others

No idea what that means mate

question 1 I guess

hello did you finish Bloodhound module i am also stuck on the last question

second question

Are you still stuck?

Well I haven’t done anything after bypassing registration page doing Linux priv esc right now

I’m more focused on completing path but want to know the solution of it

If you can let’s discuss this in private message

I can give you some ideas based on what you were able to identify. You can DM whenever you are done doing priv esc.

Sure so I bypassed registration logged in. In chat there were params message=&to= to here vuln to sql

You can DM this stuff

Sure

P

Hello 👋🏼 please the sqlmap fundamentals skills assessment module server it's working status 400

Please can any one help 🙏🏼 me out

The support team are not responding to me

Have you reset the target?

Yes

Alot

You can try using pwnbox or switching VPN configs and regions for you VM. Otherwise, you are going to have to wait for support to get back to you.

I even used the pwnbox it just displays the same 400 code

You can DM what you are doing and receiving. Maybe something will stand out and is an easy fix.

Ok

i sent u a dm

I don't recall helping you and telling you to send me a DM. Did I help you days or weeks ago?

i just sent u a message just now haha sorry

i nedd help with sqli assesmen

What question are you stuck on?

2

q2

You can send a DM.

Hello all, IDK if this is the right section to ask or not, my query is I just got the HTB VIP+ voucher as a winner in one of the meetups, now if i play retired machines using that, does it improve my ranking and leaderboard both.... thanks

Retired machines do not give points and don't affect your rank

only seasons machines are to be played to increase your rank?

active machines, challenges , fortress etc gives you points

resdy

Can anyone help me with API Attacks Server Side Request Forgery? I've been trying to figure it out by using the hint. However, I can't seem to get it to work.

Not sure what the hint says, but focus on a role that wasn't covered in the examples. If you've been trying that and are getting nowhere you can DM.

can I DM you? I'm not really following along with what the hint says and the material.

Sure

Hi, I'm in Password Attacks - Pass the Certificate - I'm running:

evil-winrm -i dc01.inlanefreight.local -r inlanefreight.local

But getting: Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Invalid token was supplied Success

I have 10.129.234.174 DC01.inlanefreight.local DC01 in my HOSTS file, and have configured krb5.conf.

Any help is appreciated.

Hey, I am struggling a lot on the skill assesment of the Wi-Fi password cracking techniques skills assements, I managed to find the others password but not for ClyraCloud-Sec nor the ClyraCloud-Ent, any clues on that ?

What does that error tell you?

@duvel I told you yesterday - I am pretty sure you can't winrm with DC's token directly.
You can DCSync using that ccache and then use pass-the-hash as administrator if you want to evil-winrm.

It says Success, but I don't get a prompt

Yeah because the token is invalid

GSSAPI client is likely expecting a user principal ccache. If you look through the examples from the section, it will show you how to use a user ccache and machine account ccache, which looks like ForP44 has already mentioned.

That user (the machine account, DC01$) is not allowed winrm access to itself.

I must be missing something, because the DC ccache is the only one I get.

Use that ccache to perform dcsync and retrieve the administrator hash which will be used for WinRM access.

Instead of the evil-winrm, run something like impacket-secretsdump with correct syntax for DCSync attack

Ok, looks like I got the hash of the Administrator user

There you go.
Now use that for evil-winrm (-H HashValue) and you'll get shell access to the DC

guys, i've just finished windows privesc module but i cannot find "Finish" button on the page.. i've checked html and it's there but it's hidden.. anyone had similar problem with other modules?

ctrl+shift+r ?

i've tried that, still the same problem

log out - log in ?

yeah, did that too 😄
i was having some connection issues so i had to submit last question a few times, then i refreshed the page and Finish button wasn't there

Yeah, happened to me when I had connection issues.
After logging back in the last answer wasn't submitted on my end.

Try to re-enter them ... or maybe you've missed some answer somewhere.

everything is submitted already, i just cannot finish module

I get invalid hash format from evil-winrm. I'm using just the 32 chars from the end of the hash

is there a way to reset a progress on one chapter?

No idea then @stray olive.
No I don't believe you can reset progress. I guess wait for some support staff here, or create a ticket or something.

@duvel are you using the -H for hash instead of -p ?

yes - evil-winrm -H fd02e525dd676fd8ca04e200d265f20c -i dc01.inlanefreight.local -r inlanefreight.local

You are still trying to use the ccache here.
Just do: evil-winrm -u administrator -H HashValue -i dc01

Now it says: Error: Check your /etc/hosts file to ensure you can resolve DC01

The line from my HOSTS file is - 10.129.234.174 DC01.inlanefreight.local DCO1

And what happens if you try dc01.inlanefreight.local ?

Might be case sensitive - I am not sure.

Same thing

Hmm

Perform some troubleshooting then and figure out why it can't resolve correctly now.

Maybe kdestroy the ticket / certificate ... revert back the krb5 file. only put 10.129.234.174 inlanefreight.local in your /etc/hosts .... stuff like that and see what sticks.

I have tried pinging each instance from the HOSTS file, and they all work

It might have something to do with evil-winrm, don't know.
Those are some ideas I would try ... Google the error you are getting and research.
Also, maybe try to do it with the attack-box

Maybe try it with evil-winrm -i 10.129.234.174 -u administrator -H HashValue

Wow, that worked

Unbelievable

hey coders

Thanks to @fossil jacinth and @gray yacht

Heeey yes ! 😄

The big question is - do you understand what's happened here ? @duvel 🙂

I'm trying to run mimikatz and I'm part of the built in administrator group yet I run into this error mimikatz # privilege::debug ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

What's the best way to learn a programming language in an easy way, in my case it's my first time learning programming and I must learn go lang

I looked up at the error online and it means that I don't have admin but im part of the admin group

Did you open the powershell/cmd as Administrator ? @quiet halo

I dont have any passwords

i was running as runas for a user that was in the admin group

i fixed it now, I had to do a msconfig UAC bypass in order to run mimikatz

@fossil jacinth Specifically what happened with evil-winrm? No I don't

It seems like I did the same command in a different format and it worked.

Yeah, evil-winrm couldn't resolve the IP correctly.
The main take though is that you can't use the Machine Account for WinRM access hence the dcsync attack.

when trying to run msconfig as joe, it gives me uac prompt

so then I runas a mark who is part of the local admin group

I run msconfig via cli as mark and it works

ok so it means my shell is now elevated when I run as mark, right? bc now I can run msconfig

so why does it not let me move to the admin user folder?

I have to use msconfig > tools > select command > cmd.exe > launch

it pops up a new cmd shell

now I can cd to the admin folder

anyone sovled SQLI final test?

let me knolw , helop

I struggled on it bc I wansnt looking at the directory of where the flag was

so u finished? dm me then

Hey ! Currently stuck on the malware analysis module on the patch part in x64dbg
i'm getting a sandbox detection even though i patched all 3 breakpoints.
Do you have an idea where it might come from ?
My intuition tells me i messed up something in the InetSim setup

it's almost 4am down here, so ping me for later :P

Did you have the hash for this user when using Netexec or were you able to crack it?

Using wire shark i captured a web traffic like tcp ,udp , http, https etc
I want too decrypt the encrypted data of website like www.example.com so i search how to do it and i got an ans like use sslkey.log for decrypting the https encrypted data
Its working
Now the qst is there is any other way to get a decrypted data of a https website not http
Does anybody have an idea

yes

maybe

u ran

wireshark then visal studio

and attach the studio to wireshark

first have to insert wireshark github into studio

the reporistory

Hey! I'm having problems with NTLM Relay Attacks Skills Assessment. Could somebody help a brother out, please? I've compromised "BACKUP01" and I'm quite stuck on Q3 for a few days. Any assist appreciated! Thanks!!

I got a question

I'm pretty new to dis can I hack on a mini pc with windows 11

Can I ask for help with one of the modules (Password Attacks - Creating Custom Wordlists and Rules)?

Im stuck on generating the base wordlist that I'll mutate using Hashcat. I used a tool called Cupp to generate a wordlist based on the information provided, as well as tried to write my own wordlist, but neither of them was successful in cracking the password (using MD5 hash mode)

u can do like this:

1. Put the info into a local page, and then extract keyword by cewl
2. After manually removing some words that are obviously not a part of password, u can combine them cause the password is longer than keyword. I use

hashcat --stdout -a 1 word.wordlist word.wordlist > word_combine.wordlist

3. Remove the line that less than 12 characters, and then use hashcat as this section did

Wont cewl just spit out the same list of words as compared to me entering it in myself? I tried it earlier and it just returns the same info that I passed in (eg nexura, baseball) plus the redundant filler text (eg compromised)

it doesn't matter. u can use ur keywords list directly

oh ok got the answer, thx

migrate to lsass.exe or explorer.exe process will likely resolve this issue

If your banner for mimikatz shows a year below 2022, update your binary.

Hi, I need help in Footprinting module TNS section the first time I tried was using pwnbox but this time when I am trying with the vm I am getting this and it is not able to find the creds how is this possible because default list contains username and password, and also when trying with sqlplus I am able to interact with listener

Information Gathering, web edition module - Footprinting section
Hi everyone, im stuck with this error, i have already added the targets to the hosts file using sudo nano hosts and writing 10.129.11.33 app.inlanefreight.local dev.inlanefreight.local. Can anyone help me?

http instead of https

For web fuzzing skills assessment, i solved it already, but I am curious why this -recursive flag is not working?

I think you need to create a wordlist which has every word the website has

-recursive is used to subdirect a directory path

These are .ext files it won’t recuse

You sure it’s https? And not http?

So it should go into the 301 right? it doesn't have a .ext it is just like: stoxxx
from ffuf man

-recursion-strategy
                     Recursion  strategy: "default" for a redirect based, and "greedy" to recurse on all matches
                     (default: default)

Try to just ffuz that specific directory with not using -e in the command

Still the same issue.. doesn't take it.
btw; Final path was http://xxx.fuzzing_fun.htb:44749/goxxx/stoxxx/bxxx/tyxxx/ so the idea is that this is done via recursion surely

How about use dirsearch I use that for web directory fuzzing almost and it’s reliable too

yea.. This does make it work! -recursion-strategy greedy

GG’s

Kerberos attacks -> RBCD Overview & Attacking from Windows
description:
RDP to <IP> (ACADEMY-KERBATTCK-WS01) with user "htb-student" and password "<password>"
but when i try to connect with rdesktop:
rdesktop -u htb-student -p '<password>' <IP>
getting credentials are incorrect error
i am pretty sure the password is correct because i am copying it, tried to reset the machine but still getting the same error

anybody have faced the same issue?

I even tried to enter the credentials in GUI but still the same error

Hi, while doing module of password cracking, in the Credential Hunting in Windows part. I have the answer of this question but it is saying it is incorrect. What might be the issue for this to happen ?
Any solutions ?

Have you checked for leading/trailing spaces?

it is not about a specific module, its general. it started with unconstrained delegation, but i want to dig more and try all the different protocols. even tho i seem to setup it correctly, i get some errors while relaying

What specifically is this for?

• a box?
• an exam?
• a module?

unless it's HTB related we can't really help you

👀

@waxen totem do you know who i am?

Yeah I remember you

ohh

Hey guys, I'm currently doing the Recursive Fuzzing assessment from the Web Fuzzing module and I cannot find the flag, tried multiple tools, multiple wordlists, multiple file extensions but nothing except some folders. Wouldn't mind an advice

who am i ?

https://tenor.com/view/fire-gif-22380881

use feroxbuster

i also did everything but didnt find...then i used feroxbuster...you will find

Hey! I'd appreciate a little nudge regarding NTLM Relay Attacks Skills Assessment. I'm stuck on Q3. If someone could help, please. Thank you so much

can you pls share the link of the module

Already did, still nothing

ummm besure about the "." because extentions wordlist already have that

besure you are not adding it twice

https://academy.hackthebox.com/module/232/section/2508

ohh sorry man its out of my league

Np man!

Did not use extension wordlist directly, I specified lot of them via the -x flag

ummm share module link

https://academy.hackthebox.com/module/280/section/3130

ofc its related to htb!
it all started with this module: https://academy.hackthebox.com/module/253/section/2811. when i moved on to the one based on ADCS ( https://academy.hackthebox.com/module/253/section/2805 ), i wanted to try the same relay with krbrelayx rather than certipy - which worked. when out of curiosity i tried to relay also other protocols, as i said, i can't figure it out where the problems are

the erros are driving me crazy ahaha

havent done that module..but i think feroxbuster should work fine

Does the relay go across a trust? in that case TGT delegation needs to be allowed through the trust

also you said it wasn't for a specific module, technically it's for that Trust Attacks module...

Will continue to throw everything at it then

yeah you can dm me as well

if you want

Hi guys! I completed the entire Android Fundamentals module except for one question: Create an AVD for 'Pixel 3a API 34 Google APIs' using Android Studio. What is the build number of the device? (Format: build_number, Example: build_number-test). My build number isn't being accepted, please tell me the correct answer. This is the only one left to finish the module!

Hi, i am able to solve it . The lazagne tool which was imported had an issue (i guess lol). Imported updated version and it is solved now!

I'm in the Credential Hunting in Linux module doing the task, I know the program I'm supposed to run but it requires a certain version of Python which is not installed in the target machine

so I tried moving over the needed profile over to my machine but no file tranfer method is working

im losing my mind

btw im trying to move over the entire profile directory

i solved your question

if you still need help you can dm me

everything is working fine

Yes same here... Tried few wordlists but forgot to test one apparently 😅
Thanks for your time dude !

no worries

it should be! but before relaying from child to parent, i wanted to accomplish the reflected one first
i did not want to spam here, but in this case, this is an example of the errors i get:

proxychains python3 addspn.py -u 'dc02.dev.inlanefreight.ad\MACHINE_ACCOUNT$' -p 'hash:hash' -s 'LDAP/attacker.dev.inlanefreight.ad' --additional dc02.dev.inlanefreight.ad -dc-ip 172.16.210.3
[..]
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully

proxychains python3 dnstool.py -u 'dc02.dev.inlanefreight.ad\MACHINE_ACCOUNT$' -p 'hash:hash' -r attacker.dev.inlanefreight.ad -a add -t A -d MY_IP 172.16.210.3 --tcp -dns-ip 172.16.210.3
[..]
[-] Adding new record
[+] LDAP operation completed successfully

proxychains python3 krbrelayx.py -debug --target ldap://dc02.dev.inlanefreight.ad
[...]

[] Servers started, waiting for connections
[] SMBD: Received connection from 10.129.250.21
[-] No target configured that matches the hostname of the SPN in the ticket: dc02.dev.inlanefreight.ad <--- --additional dc02.dev.inlanefreight.ad
even tho...
dev\administrator@DC02 C:\Users\Administrator>ping dc02.dev.inlanefreight.ad

Pinging DC02.dev.INLANEFREIGHT.AD [fe80::3d1b:9bbf:6b34:9c19%14] with 32 bytes of data:
Reply from fe80::3d1b:9bbf:6b34:9c19%14: time<1ms
Reply from fe80::3d1b:9bbf:6b34:9c19%14: time<1ms

well yes ahaha but the attacks i want to try are not the intended way ahaha

is something extra to increase my own knowledge and experience

ngl I don't understand what you're trying to do and I haven't actually even done that module 😅

Currently doing the splunk investigating log sources module, and I'm up to the skills assessment section. Literally have no idea how to solve this question

When you either have creds for a new user or are able to authenticate as a new user via certificate or something similar, you should go back through and perform credentialed enumeration with those new creds/auth methods right?

It's working on my end with xfreerdp.

yes, maybe because i am using rdesktop, i installed xfreerdp but i am having issues with VPN right now so can't confirm

i'm back. looking at the messages, there seems to be a history of people getting stuck on this particular module.

if you know anything, please ping me 🙂 i'm trying again and again meanwhile

guys

i need help

for msfvenom module page 11 'meterpreter'

Maybe I can answer

I haven’t done the module but I might be able to help

It asks me to start a reverse shell to the windows server but I can't find a suitable exploit. I tried eternalblue but it says it's not vulnerable.

Try using search scanner in the msfconsole to pick an auxiliary module to scan, the scanning modules are separated from the exploit modules.

This is how I would go about starting this process in a real world setting

As far as the specific exploit you are meant to use for this module; I can’t say directly as I haven’t done this but I’m guessing the process should be outlined within the text part of the assignment ?

okay thx :>

Not the server for unethical behavior.

Someone's quick

That was me.

Someone’s posting illegal stuff and I missed it ?!

Dang my entertainment….

It wasn't that cool.

can i get some help regarding the malware analysis module ? pretty please ?

with sugar on top (i've been ignored 3 times now)

I wouldn't say you've been ignored, it's just that it's likely those that have done it have not been in this channel. If I had worked through that module, I would offer assistance, but I have not.

Hi guys

makes sense. ty for at least providing an answer lmao

Have you searched for related keywords using the search feature? It's possible someone else has already asked something similar and got information in here that could help you.

i did

many people posted about the same problem

same, no answer

Which module/section is this?

Bro use meterpreter/windows_tcp something x64

Not sure if this is the proper spot - but looking to find the price of exams -- where can I find that?

https://academy.hackthebox.com/module/227/section/2496

I haven't done the module, so it won't take me to the section you are working on. You can just write out the section name.

ah right mb, sure

Introduction to Malware Analysis / Debugging

there's a step of the course where it's leading me to patch sandbox checks inside a sample using x64dbg.
i still get a sandbox detection after doing the 3 patches.

my suspicion is that one of the patch concerns internet check, so we have to use inetsim from the pwnbox.
and despite seting everything up, i can't ping the c2 dns from the flarevm

https://help.hackthebox.com/en/articles/5720974-academy-subscriptions

Get an unable to connect to that ^

Try that one, then scroll down or click on the Exam Voucher Prices on the right side.

doesn't let me connect to the site lol

Ok, so the first section right?

probably that, or maybe misconfiguration inside flarevm

because there's a part where it says we need to setup dns

Not sure if you looked on reddit but there is a post there that someone asked about the Intro to Malware Analysis. Maybe it can get you going in the right direction.

i didn't find that

is there a way i can test inetsim to ensure it's this part that i messed up ?

https://www.reddit.com/r/hackthebox/comments/1bc43t5/introduction_to_malware_analysis_debugging_with/

Give that a look and hopefully it helps.

Introduction to malware analysis / Debugging
posting here and doing it to confirm if that's the official answer for InetSim issues :

So I was really struggling to get the second sandbox check resolved (might have been an issue with inetsim configuration), but I found a bit of a workaround for it. On the second sandbox check, on string 402EFE, in addition to changing je to jne, I also changed 402F09 to 402F00. In the screenshot in the instructions, it says that changing je to jne will cause it to jump to 402D00 instead. So it seems like making that additional change got it to pass the sandbox check and continue. Hope this helps anyone who's stuck like I was

Alternatively, since I'm also a monkey, i just saw the patched version of the program in the patched folder
If you want to patch it yourself though, do above.

a monkey could've made better instructions to this one,
lmao no comment

The fathers of hacking! I need help! In the "Android Fundamentals" module, there's a question: Create an AVD for 'Pixel 3a API 34 Google APIs' using Android Studio. What is the build number of the device? (Format: build_number, Example: build_number-test). My build_number isn't being accepted, please tell me the correct answer!😢

Hello.Has anyone solved the File Inclusion-Skill Assessment? I need help with a few problems, or rather, mistakes that I'm making, but I don't understand what they are.

yo guys no more bug bounty hunter path now? what?

@glad lava https://www.hackthebox.com/blog/HTB-CWES-announcement

actually i am getting the BB badge on hackerone , it requires completing the BB path

is this still valid tho? sucks to know if i can't get the badge anymore

example like this

https://hackerone.com/aziz0x48/badges?type=user

There i cant help. Sry.

@autumn pilot may i dm you?

go for it

As far as I know, this badge has not been available for a long time.

oh really then its a waste i bought cubes and all

sucks then....zz

oh no bro , there's one in july 2025

====
Hack The Box Bounty Hunter
July 31, 2025
Completed the Bug Bounty Hunter path on Hack The Box

someone got it , very close

where's the BB path then in HTB , no more?

No idea, I passed the exam in 2022 and never received the badge.

no bro u just need to compete the modules the badge is on hackerone bro
not HTB

I know

dk about 2022 , i knew about it this year or last year 2024-2025

and then u got ppl got it in 2025 july 31 recent fresh

just got it with xfreerdp thanks!

I already don't like the Beta 2.0 version since it doesn't allow me to copy and save my solutions. I hope the legacy version of HTB academy still remains

did u connect ur htb with ur h1? it says u need to connect

https://docs.hackerone.com/en/articles/8404221-hack-the-box

the academy one not the profile

Yes, it's connected.

hello i'm stuck
in the 2nd question on Broken Object Property Level Authorization from the API attack
i can't create Items

contact h1 then , i see others got it just fine

i think we need Web Penetration Testing Process module, just like Penetration Testing Process in the CPTS, is there something like that already?

i'm not talking about Bug Bounty Hunting process, that's more soft skills... I do feel like there's gap between footprinting a website and exploitation, the vulnerability research process is missing, maximazing how to find those common vulnerabilities efficiently... Penetration Testing Process is pretty clear on how to do that in network pentest, but in bug bounty, we jump from enumeration to exploiting xss... assuming, i found the xss

Hey any professional hacker here plz i need a help?😭

this isn't a hacker for hire server

I am trying to run ReconSpider against inlanefreight.com but the result is empty

Can someone help me?

solved!!

I contacted h1 Support in February 2023 and received the following response:
„Unfortunately, based on our Docs pages, it doesn't look like HTB badge is currently available.“

Maybe it's back now, I don't know.

i contacted others it seems like its a diff story , some ppl said they did everything in 2024 but only got the badge in 2025

oh it seems like its not simple as i thought... guess my money is wasted lmao... oh welll... damnnn

i contacted both sides of suppor , lets see what they say... but i guess it wasn't that simple i think

one of them told me u need to have hackerone email registered on HTB tho i d k why , maybe change that email or smtg

like the @hackerone email domain email

hello how did you install open vas bcz I tried everything but I still can install it bcz dependencies errors

Windows Evasion - Open Source - Running Seatbelt in memory I am also stuck, AMSI bypass seems to work but get the same message as in the module material. Anyone?

guys i got error can you help me

whats wrong ??

did you try to refresh the page ? In wiich module you are I will look

yes i doit "Network Enumeration with Nmap"

Hello guys which modules will improve my skills in post exploitation the most?
Mostly for windows/Active directory

Thank you

where do you are ? in with section

Hey! I need assistance 🥹

I have been stuck on the host discovery part of the Network Enumeration with Nmap

When I look at the TTL it says 128 and this is onpar with Windows however it continues to mark my answer as incorrect and then I try look deeper into the port services but I do not get any responses even after the host was down and I forced it open

Has anyone done that cube?

hey i can't create an item for the second question of Broken Object Property Level Authorization - API Attacks

if ssomeone can help me

hii guys i am stuck at
Attacking Domain Trusts - Child -> Parent Trusts - from Linux

Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer.

when using secretdump i am using the cred given by then but it not working

Kerberos Attacks module -> Kerberoasting exercise
I requested the same SPN, the Rubeus returend hash is not the same PowerView returned.
The one from Rubeus failed to crack, but the one PowerView returned was cracked successfully.
How is that even happening?

Ok I think I found the difference.
The one PowerView returned starts with $krb5tgs$23$*jacob.kelly$INLANEFREIGHT.LOCAL while the one from Rubeus starts with $krb5tgs$23$*USER$DOMAIN LOL

Rubeus is trolling me

Yeah with rubeus you can specify the user with /user:

..

Tried that, nothing changed.

even specified the domain with /domain:

@celest forge what have you done so far ?

That's weird @hasty mauve ... how about /user:inlanefreight\jacob.kelly ?

just like .\Rubeus.exe kerberoast /user:jacob.kelly /nowrap

closed the exercise for now, will try that later.
thanks for it

But each module teaches you how to discover the thing it's teaching you to exploit so I don't get what's missing

Anyone help me with Attacking Graphql Intection Attacks section? I'm able to get to the CONCAT part of the section, but a little lost after that. Not sure how to go forward with the injection attack with the information I got.

What for

Penetration

This isn’t hacker for hire

If you’re looking for a legit reason, https://jobs.hackthebox.com

Hey mate, it's true they explained how to discover them, I guess i meant a efficient way to do that, like how do you do a fast manual vulnerability hunt/scan, what's the stategy that would work best against big scope attack surface, you get those apps that have so many parameters being processed, bug bounty is not a ctf like environment... in network pentest, it's shown how to deal with big networks... I hope I cleared what i meant to say

Good luck

Contact the police

Hi Guys, can you please tell me where can I check about new content that is been added in Academy as well as Main platform

LLM Output Attacks should be considered hard because of its Skills Assessment, you need a next level outside the box thinking to finish that, but the experience was a solid 10

If someone is struggling with the module I can help and give you nudges

https://roadmap.hackthebox.com/changelog?labels=academy

https://roadmap.hackthebox.com/changelog?labels=labs

Just click the megaphone icon in both platform

I don’t agree lol. It was a nice and fun skill assessment but I would not call it hard enough for Hard classification

https://tenor.com/view/cat-no-nonono-noooo-cat-no-gif-13597132752790194338

I was about to ask for permission to DM you for help Sir😅

Been stuck here for 2 days

Nice one but you have it now? 😄

Yep yep, it was really hard compared to other modules

Great job 👏

hi so for the DCSync section of AD Enumeration and Attacks I try and use the hash file from the previous section to do DCSync Attack and it gives NoneType error. This is to work through the whole thing to get the answer to question 1 but I don't think this is enough on its own to answer the question its just one of the steps.

running the program on target via RDP and powershell gets me an error and so does running the other program on my local VM

after 8 hours I finally was able to move the file over with by zipping the directory with tar, then base64 encoding the archive, transferring it over with nc, unzipping the archive, and then running the program needed to decrypt the credentials

hi is anyone available for a DM?

Yep go ahead

Some feedback for the new Academy 2.0 dashboard. Why is there not a module mapping to labs on HTB. For example CWES where are all the HTB labs that pertain to each module?

It is here /academy-lab-relations but why not on main dash board and plus that mapping needs a major refresh. Also better logic

Hi everyone, I don't understand what I'm suppose to do in the the module Attacking GraphQL - Information Disclosure for the question, if anyone can explain ? I'm a bit confused

Currently working on Attacking Active Directory and NTDS.dit. I'm trying to figure out jmarston's password. Per the hint and even the show solution it states to use the fasttrack.txt file for the password. Well, even when copy and pasting the solution brings up no results. Any assistance/hints would be helpful

in module graphql, section mutations, it says "As we identified earlier, we need to provide the password as an MD5-hash. To hash our password, we can use the following command:" i dont see where it was identified earlier. Any help?

Hello.
I am trying to solve this challenge with Metasploit. After I have got a meterpreter, I can't move ahead to get the root.txt (I assume here is where the flag is )
Any help on how to solve the Nibbles using Metasploit, as I have experienced a massive failure on using the manual process, as I ended up on <er/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
'unknown': I need something more specific.
/home/nibbler/personal/stuff/monitor.sh: 26: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 36: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 43: /home/nibbler/personal/stuff/monitor.sh: [[: not found
when using machines.

If this is the one I am thinking of, I believe there is a tool you can use to modify the script to get it working. At least that's how I approached it. There may be more than one way.

I'm working on the Web Pentester Server-side Attacks module, Exploiting SSRF, and struggling with the URL-encoding. In the module, (gopher section) only the special characters are encoded...and THEN because the URL is being sent through an HTTP POST request parameter (dataserver --> which is URL-encoded) we need to URL-encode the entire URL again to make sure the format is correct. So we start with the string below and end with the 'double-encoded?' one below that:

gopher://dateserver.htb:80/_POST%20/admin.php%20HTTP%2F1.1%0D%0AHost:%20dateserver.htb%0D%0AContent-Length:%2013%0D%0AContent-Type:%20application/x-www-form-urlencoded%0D%0A%0D%0Aadminpw%3Dadmin

to this:

dateserver=gopher%3a//dateserver.htb%3a80/_POST%2520/admin.php%2520HTTP%252F1.1%250D%250AHost%3a%2520dateserver.htb%250D%250AContent-Length%3a%252013%250D%250AContent-Type%3a%2520application/x-www-form-urlencoded%250D%250A%250D%250Aadminpw%253Dadmin&date=2024-01-01

Does anyone have any tips on learning this, or how we would learn to only double-encode certain characters? I ask because a 'space' URL encodes to %20 and if I double-encode it in Burp....it goes to %25%32%30....But I believe in the double-encoded string above, the space is %2520? You can see this looking between Content-Type: application in the two strings above.

Basic question is does everyone just use Burp for encoding or is there another method/training tool I can use where I can make the URL mostly readable besides special characters that are required to be encoded/double-encoded?

my current method is just taking the encoded URL string and running it through the Burp encoder, which works but it obviously encodes everything and not just special characters

ignore those errors, and check that your listener received the call 😉

the double encoding is doing %25 -> '%'; %32 -> '2'; %30 -> '0' double encoding can tend to break some things

Anyone available for a nudge on the final question for DACL Attacks II skills assessment?

You can DM me

hello guys I'm trying to learn bash scripting and i can't solve this question :
" Create a "For" loop that encodes the variable "var" 28 times in "base64". The number of characters in the 28th hash is the value that must be assigned to the "salt" variable. "
i did exactly what the question is asking for and the echo command didn't print any output i tried everything even i tried to google it but i can't solve this puzzle

guys ?

Hello

Is there the game hacking server?

idk

Because I need someone help for hacking a online game

Not really no, although there are a few game hacking modules.

wow , good luck with that i still noob

Got it

Could you help me?

No, you have to do the modules yourself

Actually not associated with modules

Then this is not the right channel to ask.

Read the #rules and follow the instructions in #welcome to get access to a more appropriate channel. This channel is dedicated for module discussion.

But I can't type anything without there

That's why I told you how in my message... read the whole thing.

i get this result when i run my code

*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
40D76F8F307F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:107:

idk what's wrong
my loop
for round in $(seq 1 28)
do
encoded=$(echo -n "$encoded" | base64)
done

salt=${#encoded}

Is there anyone up to give me a nudge with NTLM Relay Attacks Skills Assessment? I've been pulling my hair on the third question for a few days. 😄

EDIT: Nvm, I managed to do the Q3. If someone else struggling with this you can DM me.

Hello guys I've been going through this Linux fundamental, and I'm stuck at this question "what is the path to htb-student's home directory?" Somebody? I need a mentor I'm so new to this.

How to specifically find a path?

Hello everyone! Im doing Shells & Payloads module, the skill assesment called The Live Engagement. There is a foothold machine you have to access first and from there you attack 3 machines. The foothold machine has no browser or is there anything I am missing? 😂

Man I'm stuck on final assessment of SQLi on CWEH path..... completed the assessments in no time.... But stuck at login

I tried to read some articles to get a hint ..... But the final assessment is updated when CBBH migrated to CWEH

You figured it out?

Nope, I mean I have to port porward or route the IP through pwnbox?

What is the alternative way of starting something in Linux

A bonus tip, this has been answered in the past here in this channel, try to find it

None of that

Terminal is thy friend

Wow yeah it was surprisingly easy

lol

I feel so stupid 😄

Happens

Thanks everyone!

hi everyone. i need a roadmap to prepare for CTF competitions. is there a good roadmap.

Hi @everyone newbie here 🙂 Im working on Operating System Fundamentals is there anyone here has a walkthrough video or documents of ANDROID FUNDAMENTALS and CRACKTHEBOX?

hello everyone, i am stuck with this question on Introduction to Threat Hunting & Hunting With Elastic module:
Stuxbot uploaded and executed mimikatz. Provide the process arguments (what is after .\mimikatz.exe, ...) as your answer.
I think i found the process but i am confused how to format the answer correctly, can somebody help with it?

finally got it !

Don’t be spooked if my chat says “spammer” there is no harm in it

I have a major privacy concern

And I probably need some help

Is anyone available

If it is not HackTheBox (or HTB Academy) related, this channel is not intended for such questions

It don’t let me chat in general

Is that where I ask or is there some type of support channel

(base) ┌──(root㉿kali)-[~]
└─# sqlplus scott/tiger@//10.129.70.76:1521/XE

SQLPlus: Release 19.0.0.0.0 - Production on Thu Oct 9 00:19:45 2025
Version 19.6.0.0.0

Copyright (c) 1982, 2019, Oracle. All rights reserved.

ERROR:
ORA-28547: connection to server failed, probable Oracle Net admin error

Enter user-name: scott
Enter password:
ERROR:
ORA-12162: TNS:net service name is incorrectly specified

Enter user-name:
ERROR:
ORA-12162: TNS:net service name is incorrectly specified

SP2-0157: unable to CONNECT to ORACLE after 3 attempts, exiting SQLPlus
I don't know what problem I'm facing. Can anyone help me? I'm stuck at the Oracle TNS footprinting step.

Focus on the command, you will find something that doesn't belong there

Additionally, the following error will help you:

ORA-12162: TNS:net service name is incorrectly specified

dont think this is the right channel for this but is anyone able to answer some questions about what tools are the most popular for attacking/defending websites, if you are willing to help me please send me a private message

hey in using crackmapexec skills assesment

❯ sudo chisel client 10.129.204.182:8080 socks
[sudo] password for at0m:
2025/10/09 13:16:55 client: Connecting to ws://10.129.204.182:8080
2025/10/09 13:16:55 client: tun: proxy#127.0.0.1:1080=>socks: Listening
2025/10/09 13:16:57 client: Connected (Latency 275.574544ms)

❯ proxychains4 -q nxc smb 172.16.15.0/24 --users
Running nxc against 256 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

❯ cat /etc/proxychains.conf | tail
#       proxy types: http, socks4, socks5, raw
#         * raw: The traffic is simply forwarded to the proxy without modification.
#        ( auth types supported: "basic"-http  "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4  127.0.0.1 1080

why can't i scan any hosts?

Try with sudo

doesnt work

i tried on pwn box and main machine in both doesnt seem to work

sudo proxychains and not chisel

❯ sudo proxychains -q nxc smb 172.16.15.0/24 --users
Running nxc against 256 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

Its same few weeks ago when i did i used to get this

❯ proxychains -q nxc smb 172.16.15.0/24 --users
SMB         172.16.15.20    445    DEV01            [*] Windows 10 / Server 2019 Build 17763 x64 (name:DEV01) (domain:INLANEFREIGHT.LOCAL) (signing:False) (SMBv1:False)
SMB         172.16.15.15    445    SQL01            [*] Windows 10 / Server 2019 Build 17763 x64 (name:SQL01) (domain:INLANEFREIGHT.LOCAL) (signing:False) (SMBv1:False)
SMB         172.16.15.3     445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
Running nxc against 256 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

yoo thanks

for anyone that are about to get stuck in same problem in future change /etc/proxychains.conf

# socks4 127.0.0.1 1080  # Comment this out
socks5 127.0.0.1 1080    # Add this line

and use:

proxychains4 -q -f /etc/proxychains.conf nxc smb 172.16.15.0/24

Hello everyone!!
Im stuck at DNS Zone Transfers
Ran like 10 times ffuf and gobuster to try identify ‘web’ or any other word within the ip and inlanefreight.htb form, it takes forever. Any other way faster? I feel like i miss something

I wrote:

ffuf -w dirb/common.txt / subdomains-110000.txt files -u http://ipoftarget/ -H “HOST: FUZZ”
Added -mr “web” -t 50 after few times

Hello

currently doing SQL injection fundamentals skill assessment, and im stuck after bypassing the login page and havent found an injectable parameter yet. any hint?

Does anyoe know how can I check how much time I have left for my vouchers, since they last one year? Thank you 🙂

hi im stuck on module Using Crackmapexec skill assessment question 2.
Gain access to the SQL01 and submit the contents of the flag located in C:\Users\Public\flag.txt

already got 2 user a* and s* but i don't know what next move.
any hint ?

When you purchased the voucher, you received an email.

I deleted it ^^'

Perhaps support can help you.

yes ill reach them, ty for your help

What channel can I use to help with any tips regarding a machine I'm stuck on? In my case, it was DarkZero.

#1424092683793727589

If have no access, read and follow #welcome

Ok, thanks

I am stuck in same now

Hi everyone, i have added 94.237.55.43 inlanefreight.htb to the /etc/hosts file but i still get this error, can anyone help me?

how i can finish task 7 of Fawn labs

Best to ask in #starting-point

Guus I jave a question

Guys*

Hello guys, i am stuck on the sql injection fundamentals skill assessment (chattr web page) i tried everything can anyone help me please

How to trace a mobile number?

We can't help you with that

Hello friend. I definitely need a tip for the module LLM Output Attacks - Skill Assessment. I sent you a DM as well as a friend request.

sure

You can dm if still stuck

Hi guys, I just solve AI Evasion - Foundations > Skill assessment, but I cant figure out how to get the flag

Since the question is about accessing the SQL server, I would revisit the MSSQL Enumeration and Attacks section.

did that part

now stuck in getting to dev01

lol

With new access enumerate what you can.

hii i need help with attacking common applications skill assessemts part 2 and 3

Attacking Common Services - Easy

You are targeting the inlanefreight.htb domain. Assess the target server and obtain the contents of the flag.txt file. Submit it as the answer.

i tried bruteforcing the port 25 but no luck , there is no anonymous login for the ftp , where do i start ?

target tomcat

u sure ? cos they did not talk anything about tomcat in the whole module ...

ohh sorry its common services..i missread with attacking common applications

bruh ... 😭😂

Continue to target the services identified. Things may not work via copy/paste from the sections, so get to learn the tools showcased a bit more, i.e., options that you can use and keep working things.

i have pass of || james || now cant move forwrd

Then you haven't tried everything taught in the module.

ig so its been abt month since i had this skill assesment left i just kept procastinating lol anyways imma try few hour

im stucked in module Web Attacks : IDOR in Insecure APIs , trying to Exploiting Insecure APIs by changing UID profile users, but the button "Update Profile" in the page http://TARGET/profile/index.php looks broken and i can't update profile and capture the PUT , i can only capture the POST

weloveiconfonts.com loading forever in academy labs

yep , now i can't spawn any target

it affects academy experience so bad, it likes loading forever

i thought it was my internet issues

got it

👍🏼

smh

I'm on Password Attack - Network Services

I cant get to bruteforce the RDP access for some reasons, keeps saying: freerdp: The connection failed to establish or it gives False Positives... Any help or hints?

Are you using hydra ?

yup, from my kali vm

try adding the -S flag there

From googling it appears that your freerdp / hydra installation is messed up.

yikes, guess I will just leave this part aside and get back to it later from a pwnbox instance

can't you use netexec ?

very same issues for some reasons tried crackpmapexec, hydra, crowbar

Interesting ... Try to update the freerdp then

can anyone help me with the DNS AXFR Zone Transfer and help me find out What is the FQDN of the host where the last octet ends with "x.x.x.203"?

Footprinting?

Hmm wasn't that just a normal dig axfr request ? @surreal goblet

ya but i don't find the host that ends with 203

I don't remember that one to be honest.
Maybe try to look deeper on the ones that you were given from your initial command.

OK thank you

Apologies in advance as I know it’s not the right place for this, but is there anywhere folks discuss active machines on HTB platform? I regularly find myself in the weeds and need a steer, but hate having to resort to walkthroughs.

#boxes but we don't usually give too much hints so we don't spoil the machines

anyone else who knows it

Great stuff! Thank you @solemn patrol I’ll give that a whirl 👍

@surreal goblet I have looked at my notes ... If you axfr, you get some subdomains, correct ?

yes

Okay ... Now, in the module itself, is there some tool mentioned for enumeration ?

wait let me take a quick look

DNSenum?

Yup

Huh. I don’t seem to have access to that channel?

check the #welcome @bleak mural

Hi — could you please help me with the bypass login? I’m stuck and would really appreciate a hint. Thanks!

Thank you 🙏

I have a problem in the using web proxies module skill assessment on the third q to fuzz the last char but when doing I get the flag on every payload no matter the length so I did get the flag but maybe did something wrong

Does anybody hack I’m being blackmailed I’m 16 and I need help

I think there is a problem with this model q cause even when using the repeater and using all the alphabet I got the flag

Tell your parents, who should then report it to the proper authorities. This server is not about performing unethical actions. And refrain from spamming the channels.

Ok

I am practiscing some SQLi and have a DB type/version question through SQL Injection. I've confirmed a form is susceptible to injection since I could dump the entire database for that form to the screen. I also did a ' UNION 1,2-- and had 1,2 display in the columns (there are two columns). Now I'm trying to determine the database type, and then on to table names. I've tried database(), v$version, and @@version, but the website doesn't populate those columns. Any suggestions?

I tried to brute fore it with dnsenum but still don't find the FQDN of the host where the last octet ends with "x.x.x.203"?

Hey guys

I just started using htb and need some pointers

Like for now I started Linux fundamentals but the questions are way too hard even after learning all the material inside the modules

How to effectively learn here

If you dont have fundemental understanding of linux i would recommend starting out on tryhackme, the rooms there are easier. And theres also ones that cover linux fundmentals.

Hi

guys how can i get my account identifier?

Account identifier can be found here: https://app.hackthebox.com/profile/settings

i love u twin i hope everything good happenes to you ❤️

Welcome 🤗

hey im stuck on LFI skill assessment

any hints?

Hello,
I try one more time.
I'm stuck on the second question of Broken Object Property Level Authorization module, we can't create item or did i miss something thx

Academy Skills assesment for Windows Lateral Movement is broken. The supplied credentials dont work for the first step.

not really sure who to tag or whatnot here

the credentials are correct according to the "Show solution" button

You can DM what you are trying and what you are experiencing.

I've completed all the rooms of Linux in tryhaxkme

I use Linux as my main os

i found a small bug in the new academy desing, how can i report it?

hey i solved it. u can DM me if u need help

I'm extremely stuck on Skills Assessment - File Upload Attacks if anyone has a moment. I know the extension that should work and have messed with the MIME type but I just can't get it through.
I was able to get /etc/passwd output but cannot get my PHP script in.
I've tried matching and non-matching MIME type/extension type etc

where you able to read the source code? also check if you are using the right button to upload and lastly note that the request that gets the /etc/passwd is different from the one that gets the flag.

Yes. I was able to read the source code. I used the right button to upload. That's how I got the POST request to alter.

I fuzzed the content type and literally every single one was blocked so that's pretty confusing as well.

Been working at this for about 4 hours now 🤣

Alright, I also missed it the first time I tried. Nice thing you know what works, try to watch the requests carefully and you'll get a different request that will lead you to the flag

I'm afraid I don't understand what you mean. I was able to exfil /etc/passwd but going to finding the flag, I can't get the script to upload. It gets caught every time.

I fuzzed 105 content types and they were all blocked. Not a single one was accepted.

The one that gets the flag will end up being something (trying to be vague so I don't spoil content) including "cmd" and the source code we got so I know where to browse. I know exactly what to do but I'm clearly doing it wrong 🙈

yeah, so I'm trying to say that if you try to use the same request you used to open the /etc/passwd/ file, it will not work.

is anyone else having troubles with academy right now? i answered all of the questions correctly, but I can't mark it as complete, and generally I get a lot of "Oops something went wrong"

Hmmm, not sure what request I would use then. I need a post request to upload the file with the script.

And my target keeps dying so I have to start from scratch 😡

It uses another request to submit the script after you upload it. That's what I'm trying to say, just pay attention to the requests Methods you are getting.

Ok, I know I can get /etc/passwd to return so I'll run that back and watch the requests.

I ended up getting there. This web app stuff is an emotional rollercoaster 🤣 . I go from feeling like Neo to feeling like a complete caveman over and over!

You get the flag?

Yeah

Nice

I'm considering switching to the Pentester path now though 😬 . I'm about halfway through Web Pentetration Tester but it's been ROUGH. Not sure if that's an awful idea or not though.

Well 50% of the Pentester Path is most of the Web Pen Tester path

CPTS focuses more on network testing, but includes web apps as well. It's not like CWES which only focuses on Web Apps

So you could complete CWES Path and then hop over to CPTS

Hello, I am also stuck on this one. Wanna chat?

I literally just finished this one. Happy to help if I can. I'm in a meeting for the next hour though.

Thanks, is ok if dm you tomorrow maybe?😄

of course

Hi, I'm stuck at the "AI Red Teamer Module - LLM Output Attacks - Skilss Assessment": I don't see any openings, the Imagebot is open for a SQL-Injektion due to vunerable function but only show insufficient information. Is there another apporach I might miss. Login within profile is not leading to anywhere. Would be happy for a short hint.

This has absolutely nothing to do with HTB Academy modules.

@gray yacht are you available for DM regarding a section in the AD Enumeration and Attacks Module I'm working on?

good day guys

never mind I think I know what to do now

hi I need help with question 2 of the DCSync section of AD Enumeration and Attacks module. I am trying to figure out how to get the cleartext password but the output file doesn't come with the hash for the specific user.

wait I think I got it now

hey so for question 2 of DCSync section of AD Enumeration and Attacks, the program it says to run isn't completing and I'm getting a connection refused error

Hello guys I'm very new here and I've been taking the Linux courses from htb, I'm stuck at this question Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths (https://www.inlanefreight.com/directory" or "/another/directory") of that domain. Submit the number of these paths as the answer. Here's the script I tried to use to solve that : curl https://www.inlanefreight.com | grep /another/directory | wc -l 2>dev/null

That could seems lame to some of you but I am really trying to understand and get into that so if I please could get some help 🙂

hi so here's the error I'm getting:

└──╼ $secretsdump.py -outputfile inlanefreight_hash_list -just-dc INLANEFREIGHT/adunn@172.16.5.5 -use-vss
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation

Password:
[-] RemoteOperations failed: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[*] Cleaning up...
┌─[htb-student@ea-attack01]─[~]
└──╼ $secretsdump.py -outputfile inlanefreight_hash_list -just-dc INLANEFREIGHT/adunn@172.16.5.5 -use-vss
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Searching for NTDS.dit
[-] 'NoneType' object has no attribute 'request'
[*] Cleaning up...```

I tried with and without -use-vss

either way its like I have to start the whole thing over multiple times and go through the whole process again and it still won't work

I remember that he can ... But ... shouldn't you use something like proxychains ? I don't think that IP is directly accessible from Kali

I sshed into the parrot box on the network and did it

And got some hashes but it stopped and gave me that error after a while

Oh ... Well then it works ... There is an option to request only specific user - like Administrator

You don't really need all hashes here.

Did you read the error at all? It says "logon failure" and "the attempted logon is invalid. this is either due to a bad username or authentication information"

There is a second attempt there ... That was my initial thought though @cloud urchin 😄

I'm really mad that in the wireshark module in guided lab: traffic analysis workflow they don't mention that the thing we should be analyzing is the guided-lab.pcap and not the xfreerdp thing they ask us to connect to

I was not able to find a single reference to it, I only found out about it through a youtube video doing the homework, because I kept banging my head against the wall trying to analyse the network traffic in the xfreerdp connection

Attempt to utilize the concepts from the Analysis Process sections to complete an analysis of the guided-analysis.zip

anyone have a stuck target spawning

it's been like 10 minutes and it's still spinning 🤔

Yup ctrl+shift+r fixed it for me

I tried refreshing a few times and it didn't work :/

It's still spawning 😭

did you try ctrl+shift+r?

Will it allow you to start a different one ?

yes 😭

I'll try spawning a different one

Ok just making sure, because ctrl+shift+r isn't just a refresh

I tried spawning a new one and it hanged too but might've needed a bit more time, I'm trying to spawn the one I want again

ok that worked

thank you! 😄

ok now the target is unresponsive though :/

I'll try resetting it.......

still not pinging...

is the target for Windows Privilege Escalation Skills Assessment - Part I broken or something :/

I've spent half an hour trying to get it working

nevermind

Hi everyone, I want to ask about the HTB Academy lab.
I want to learn the Senior Pentest Path and I wonder what is the best plan to choose the billing plan. Actually I just want to study a part of that course (some modules).

I want to study Advanced Deserialization Attacks

Anyone else having issues with the academy VPN files?

helping out

Stuck on footprinting modules pls help

do you have a foot?

I only know how to print

ok then print

see you tomorrow

😂

Hi a discord gift pop up opened on my laptop

Why would it do that? It doesn’t make any sense

Beware discord gift scams

It was when I was in settings or whatever

Probably just discord trying to make you buy nitro

But I already have nitro

Maybe its telling you to gift to friends?

Ya

That’s normal for discord

Ok

Did it a few days ago here too

Ok cool

Hey would you be able to help with the LLM output attack assessment? I got to the admin chat, but can't get the flag. Anyone can help me for hint please.

You can dm me

I have a question about the “Attacking Windows Credential Manager” section of the Password Attacks module. The hint implies a method of getting credentials without fooling with UAC and i’m curious if someone could provide some insight on that route?