#modules

I tried checking the schema at /graphql and I can only see two things that looks interesting SecretObject and UserObject

if i remember what I did, well that host you want to extract the lsass can only connect to the ubuntu host (webAdmin) , so first you can set up a dynamic port forwarding using ssh, onto that host using the -D <port> switch and then set up your proxychains.conf, and after that now you can forward the traffic now to that isolated windows host.

From there you should have credentials from the user you got, and you can connect to it through an rdp session using xfreerdp on your attack box, since it would redirect that traffic to the ubuntu host which would then redirect that traffic to that isolated windows host

The magic comes now, your issue is how would i get the lsass file to my attack box? Why dont you just use the mimikatz.exe script on that windows host, and it would view all of that for you on there. Your issue is "How would i transfer that script into that host?" heres the magic from xfreerdp, you can use the /drive:<name-of-drive> <absolute-path-of-dir-to-share> and then just access that shared folder from that windows which should contain the script, extract onto the windows host, and its BBQ chicken from there

It is a bit of a work-around but really nice if you handle it

@weary crow the module is above tier 0; please don't share things like that. also if you want to paste formatted code blocks you'll need to link your htb account to the discord following #welcome instructions. I haven't done that module so I can't exactly tell you what you are or aren't doing wrong

Oh 😔 so sorry am that

I suggest exploring what you've already discovered

I have tried exploring it but it's all type: null

are you exploring via the web gui or via curl?

The both ways

HI, I recently posted about my shell giving up in the gettingstarted box after tried to move in /usr/bin/php, I got a hint that it is a php shell so that's why it doesn't react to any commands beside php, now I tried php commands even commands from gtfobins, but it's the same issue, no output from php commands.

@mwinyi29 dude I appreciate the help , in fact I figured that out and did the same thing and got the hash .. rn cracking it

look for supported queries

@weary crow https://graphql.org/learn/introspection/ 😉 this will be invaluable (it's linked in the reading)

Thanks very much 🙏🏼😀

you're one step closer to the answer; but the query types may provide useful info for what to look for combined with what you've already found

if it helps there's also the documentation explorer in the top-right of the web app

Okay thanks a bunch 💯

after that it's as simple as using the query [type] {parameters} (the [type] isn't in square brackets)

Hello Guys

They should mention it in the Logrotate section of Linux Privilege Escalation that the race condition is extremely tight and can take dozens of tries for it to finally work.

hey @weary crow don't dm without asking; as far as the issue goes it works on my machine, maybe try on another device

okay but i have tried on other devices

I suggest using the document explorer then in the top-right to get an idea of how to move forward

okay i'll check it out

Already done. Wasn’t helpful

thanks 🙂

Ok

Yeah, I tried seclists wordlist and then manually using gpt as well, but it took a lot of guess work to finally get the color. hope the exam is not like this, not a big fan of guess work but at a point I was doubting if this was the path.

It is a content issue, not necessarily lab.

It won't execute due to a specific PHP function being used. Try to read source code of the pages and see what interesting information you can find.

Like

Hey

I need some help

What help if I may ask

If I could help

@obtuse bramble

@obtuse bramble

Can we talk in dm

I can't because I can't message u back

Why

Or I can use my second account to send u a dm if that fine

Just my policy

Ok

On this account

Bro can youu provide me free pentesting videos resources link beginner to advanced level because I am new in cyber

don't dm them @obtuse bramble

they're one of those fake support scammers

Yo

Can I get role for chatting in general

anyway @obtuse bramble no one is really gonna do a lot of the legwork for you

Nobody talk about support team here

it's in your bio dawg

Okk

Then is that a issues secondly I never said I was a support team

Sorry for that I can't know your rules

they've been yeeted

Lund la lo bhosdi valoo

but anyway @obtuse bramble the other reason that people can't give you those resources because "beginner cybersecurity" is extremely vague

and "beginner" pentester is subjective

also this isn't #general if you want to access more of the server you'll need to link your hackthebox account to the server following the instructions in #welcome ; also @ivory mesa @obtuse bramble

Bs bs shant bhai what do you want let me know

I’ll try to help but as a beginner i should know how much you already know on the basis of that i can suggest something

Bhai dm ma bat ker sektaa ha

Sure buddy

Does anyone have a second to maybe lend a hand in explaining part of sqlmap essentials a little better? I'm just a bit confused on how to use the --csrf-token flag, please @ with responses

Keep it English #rules

Nicee happy i could help

If you have a csrf token, you supply it there

Where is the best place to start study cybersecurity

Believe it or not google [one sec]

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

That's what I did, I captured the burp request, saved it and then tried... But it keeps doing

--csrf-token is a regular expression [y/N] N which is stopping it I think? It's saying it can't find a valid token... Not sure if I'm doing this wrong though

Thank kyo very much is there any specific language for cybersecurity

Specific language meaning what? English? Sweedish? Kali Linux? C++?

Nope

Ah yeah, in the place of where the csrf token would be in the request, you replace it with a * and supply the csrf param via cmd line

i.e --csrf-token=*

Its been a minute, but whatever the module is telling you is correct

Because this is dealing with using a request file yeah?

Yeah I'm just having trouble applying it, but no worries

The * is in the request file, not in the commandline

Yeah it's the Bypassing Web Application Protections module - just don't want to post revealing content is all

Ah I may have to specify with --data let me try quick

Edit: that didn't work either lol

Edit again: Just super picky about phrasing, I'm good now

@fathom pendant can i get help on i need a suggestion on this -this is reg new-Web Fuzzing-Validating Findings. for given lab i tried this command -ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ
-u 'http://IP:PORT/recursive_fuzz/FUZZ'
-recursion -recursion-depth 3 -e .php -t 50 -rate 200 -mc 200,301,302,403
-o ffuf_recursive.json -of json -v . no idea if it is right

Don't ask me questions if you haven't tried the the thing

If it doesnt work: then its likely not right. I haven't touched that module in ages

i tried and stuck up for few days can i share what iam in to or can i DM?

Im not available for private help atm

#1234357888114364508

fine ,

You should be able to use the wordlist mentioned by the reading

Hello everyone can someone help me with this Pass the Certificate
lession in Password attacks moudle , im stuck at the last question What are the contents of flag.txt on Administrator's desktop?

Did you ever figure this out?

How can I figure out the injection attack on the attacking graphql module group concat

Group concat is really not my strong suit

Yeah you need to proxy the traffic

I tried group concat( table name order by col name) from the mariadb page writeup

Can someone give some clues on how to view Fields with group concat

Trying to complete the Writing custom wordlists and rules section in the password cracking module but i'm not getting any hits is there something im missing? I've done some research but couldnt find anything

Attacking Windows Credentials…..Can someone help me understand how we get minkatz onto the target system???

It's mentioned several times in "OSINT: Corporate Recon"; will there actually ever be a module "OSINT: Staff Investigation"?

Okay @silent basin

Hi all

Can anyone help me out

depends entirely on your question

having the same problem while trying to get on splunk interface for 5 days. tried changing servers (eu and us), redownloading vpn file over and over again. help please

What do you need help with?

To expose a scammer

Can you check out dm

Contact the local police department.

and please don't send out friend requests to everyone on this server?

Okie sir

I'm no sir

Ok boi

https://tenor.com/view/éowyn-i-am-no-man-no-man-lord-of-the-rings-lotr-gif-11834502

Please read the #rules

Sry

this server is not to support your illegal activity, as per #rules

As mentioned, contact the local police.

no

Its a python code

get lost

Bruh

hi

hi

Hey 👋🏼

Can I get some assistance on the attacking graphql module

• 1 Perform MIC cracking using the attached .cap file.

Can someone help me ?

guys, why companies post vacancies on HTB and list all certificates, but not HTB ones(CPTS, CWEE etc)?
https://app.hackthebox.com/careers/job/775

hello i am looking for a ctf team blueteam

#1318239802931286066 is the place to look I believe

i didn't have access sorry

Hello please can someone help with this little issue I am having

have you read and completed #welcome ?

what would that be about?

#modules message ?

maybe just ask your question here so several people could give it a shot

How can I figure out the injection attack on the attacking graphql module group concat I tried group concat( table name order by col name) from the mariadb page writeup

Yeah

it's okay now thanks

Hey would anyone be able to dm me a hint for the Password Attacks skill assessment? I'm having a hard time getting to the other internal IPs and I'd like to ask someone if I'm close and if not if they could nudge me in the right direction.

Please anyone could help me with this module?

https://academy.hackthebox.com/beta/module/214/section/2287

Introduction to Threat Hunting & Hunting With Elastic

The skills assessment section?

nm I actually ended up figuring it out lol

Hope a mod sees this: isn't it weird how the three accounts above have such strange names, all joined both Discord and this server the same day, and post pseudo relevant comments that are just quotes from other users?

I was wondering if you still needed help for this, its a rather broken question/answer combo.

yeah. and all women in the pfp's.

i'm sure they're bots

2 of them directly parroted something I said previously Oh god am i being farmed for AI training data?????

Similar accounts were popping up on the OffSec server I was told

lol

https://tenor.com/view/robot-killed-you-have-to-do-it-yourself-do-it-yourself-kristen-bell-eleanor-shellstrop-gif-10580983

Hello. Can anyone help me with some (pentest role paths) ?

https://dontasktoask.com

Hey I'm a bit stuck on the maintenance mode attacking graphQL assessment I am able to find the injectable parameter/query and even get sql errors + the right amount of columns however my queries seem to not reflect.

ah nvm HAHA FOUND THE ANSWER RIGHT AFTER

hi guys , i'm stuck at Skills Assessment - SQL Injection Fundamentals in first step , can't login , tried every possible payload still can't get it ,even sqlmap can't 🥲

anyone done "Applications of AI in InfoSec" skills assessment, i keep getting 0% accuracy

...

10.129.2.219

nah

@vestal wing @upper haven

sorry for the ping but so many people had this same issue but no solution can be found

dont overthink it @candid lily

im in cli fundamentals module for windows stuck on something can anybody help me?

search for the file named 'waldo.txt'. ?

i know the command i typed is right but the cmd is not returning anything, DM me so that i can explain

Hello everyone,sorry to bother you.
In this module:"Attacking Common Applications"
section :"Attacking Tomcat"
question:"Obtain remote code execution on the http://web01.inlanefreight.local:8180/ Tomcat instance. Find and submit the contents of tomcat_flag.txt"
I already got flag via used msfvenom achieve reverser tcp.
but there is a sentence in the text:The multi/http/tomcat_mgr_upload Metasploit module can be used to automate the process shown above, but we'll leave this as an exercise for the reader.
I tried it,but don't get result.

@eager spindle from Rapid7's explanation about this module:
NOTE: The compatible payload sets vary based on the selected target. For
example, you must select the Windows target to use native Windows payloads.

Does this mean that there is something wrong with the payload I'm using?

I noticed exploit target is "java universal" there in your pictures. Maybe it needs to be changed

https://academy.hackthebox.com/module/23/section/513
Skills Assessment - File Inclusion

Skills Assessment - SQL Injection Fundamentals
https://academy.hackthebox.com/module/33/section/518

https://academy.hackthebox.com/module/147/section/1334
Credential Hunting in Network Shares

Anyone can help me on those?

Shoot

anyone else having troubles spawning targets?

hi everyone, i'm on module 'attacking common services - attacking smb'. based on nmap scan how can i say that the target os is linux? i don't get it.

@olive fjord how did you glitch urself to number 1 global

SERIOUSLY? HACK THE BOX SERVER?

No comment

leave me alone and DO NOT ping me

I'm doing password attacks - pass the ticket from Linux. In this image, why is David cached Kerberos ticket the same file as Carlos? Shouldn't they be different?

hi everyone, I need help with windows evasion sa2, I have a working script that if I manualy execute it gives me a rev shell without been blocked by av or amsi but some how it goes in timeout when the bot runs

Samba smbd 4.6.2 as a strong clue

i think i need a break 🤦‍♂️🤦‍♂️ thank you

nvm, the file name is the same but the contents changed from David's tickets to Carlos's tickets . Now any Kerberos-authenticated operations using this ticket file will run as carlos

I think because you ran both kinit commands from the same user/session without specifying a different credential cache, the second kinit overwrote the default Kerberos ccache file so both principals show the same cache path.

yes exactly

i need help

anybody can help?

Please can someone help me out with the attacking API section broken authentication

Can anyone know my ip address(real ip) I used VPN

ur getting banned lil bro

Even if you use a VPN, your IP address can still be leaked.

However, this channel is about questions relating to the modules in the Academy.

Read and follow #welcome to gain access to better channels for questions about VPNs.

I have been working through the Windows file transfer module (Module 24), and as I was completing the second task, I kept getting an error message stating that my answer was incorrect. I have searched through many forums and also gone through walkthroughs on YouTube, and it turns out that the answer I get is the same as that of other people!
What could be the issue?

The zip file question?

Hello do you have any little hint for the Password Attack Skill Assessment after compromising bdavid and stom credentials ? (Btw stom credentials doesnt work idk if it's normal)

I am not sure about not-working creds ... However, having some working creds, what else have you obtained ? Extra access or anything.
Have you enumerated anything ?

Yup found multiple pcap file(Pcredz did not found anything and manual search either)

Ah ... I remember those.
Keep on enumerating

When you first gain access to some endpoint, what is your methodology for initial enumeration ? @hidden ledge

Well since stom creds did not work, I began with hwilliam. I quickly found pcap files so I looked into it. Then I looked on my home and shares manually and with some tools (Manspider). But I was pretty sure that the pcap files were not useless since we saw it in the modules but I maybe spent to much time on it. (Or maybe not)

Okay, so from one user you got to another.
There you found something, searched it and haven't found anything or maybe missed something inside.
What next ?

Keep looking on pcap because it's a big one and try to understand why stom creds fails for every services and machines. Maybe also enumerate shares again. (AH I also found a file with Administrator password in plaintext but did not work either)

So it's highly likely that those credentials you've found are not valid.
You have spent a lot of time on pcap.
What's next ?

Hello guys i need help with questions in attack common application attack tomcat there is question say you should get rce to get the flag i did everything and get the rce but i couldnt find the directory of the flag

My only idea for now is enumerating shares

hm

That's okay. Keep on enumerating.

Hello please can I get some help on the attacking API section 4 don't the limit of the otp

Hello 👋🏼

I haven't done that module.
Be patient, someone might be available.

Hey - anyone have a second to lend a hand for sqlmap essentials skill assessment? I've found the attack vector. Saved a request from burp, but everything from just --current-db to --dump -T <table name> is failing and I'm not sure why

Restricted to verified only

Follow guide in /verify

(Unlink and relink if you don’t have the role)

dump will need dbs if not yet there

yeah can't get it to work, have dump and batch, have ran through different bypasses i.e. random agent but not working. Can't even get it to return a database name

You have dbs in there?

yeah I have --||dbms=mysql||

And you’re sure is mysql ignoring that you might have misspelled dbs?

yeah, the info it's returning in the output is mysql

Ok drop the question in dms

FIXED: Added --skip-ssl

Hello please can I get some help on the attacking API section 4 don't the limit of the otp

Anyone having problems starting targets?

currently no issue on my end

Can't anyone help me 😔

Personally I don't even understand your question. "don't the limit of the otp"?

also, what's "section 4"?

you in "API Attacks"?

I'm trying to get the otp

Can you share a link to the section, the title, the exact question or something? I'm not feeling like browsing the entire module to find out what you're talking about

I've used the suggested words list but I had no luck

Alright

https://academy.hackthebox.com/module/268/section/3062

anyone doign the Windows Attacks & Defense?
stuck at PKI - ESC1
i am copy, pasting the commands provided but still getting this error with certify
[X] KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP

It's broken authentication and in it I'm trying to rest the password of a customer but I don't know the right words list for guessing the otp

I tried using seq -w 0 9999 but I didn't get any output true just false

hm

yeah looks like 4 digit otp, wordlist seems fine

not sure if it matters here, but make sure it's all actually 4 digits perhaps? even the ones below 1000, so 0023 etc

Yeah it's exactly four digits

I checked it myself

So I should try it again

yeah, maybe just expired?

Mark those as spoilers please

Hi!! Quick question, in the Skills Assessment of Password Attacks, am I supposed to know the Master Password for the Password Safe?

The file you find can be cracked without modification in hashcat

Thank you... your eye is very good.

i don't think it's even send an OTP

cuz i have a screenshot of the server response

Hello!
I could use a hand on

Active Directory Enumeration & Attacks
Attacking Domain Trusts - Child -> Parent Trusts - from Linux

I think I'm supposed to get the NT hash of user "bross" using "secretsdump" but I just cant get it to work. So clearly I'm misunderstanding something....

an it says :

Server response
Code Details
Undocumented

TypeError: NetworkError when attempting to fetch resource.
Responses
Code Description Links

I'm wondering if it's how the response

the sever is not responding curl: (7) Failed to connect to 94.237.49.23 port 52205 after 192 ms: Could not connect to server

I have been stuck in this module for 3 days, if someone has time id like to discuss it, maybe he can point out my mistakes.

AI Data Attacks -> Pickles and Stenography

Did you solve the task because I couldn't solve it?

Can I dm someone regarding the Cracking Wireless (WPA/WPA2) Handshakes with Hashcat section from the Cracking Passwords with Hashcat module?

No

What a cruel world 🙁

haha

Anyone? I think there is a mistake in the module...

The server's not responding or the request being sent are not connecting 😕

Hello — I have a question about the module “Android Application Static Analysis — Reversing Hybrid Apps.”
I completed all the steps to obtain the debug keys and configured the curl command in every variation, but I always get a 401 Unauthorized / “Invalid credentials” response. I set everything up exactly as shown in the module. I also tested the POST request with Burp and installed the app on an emulator in Android Studio, but nothing works. It feels like I must have missed something — could someone please give me a hint? Or might there be a problem with the target machine? Thank you.

Hi please I want to know if only happens to me but I noticed that there are some modules where when i use my VPN as usual I have difficulties performing the task if not able to perform at all but when I use the pwxn box I perform the task with the same command is it normal ?

Do you ever have the pwnbox spawned at the same time as being on the vpn?

yeah some times but i only spawn it up when I have some difficulties with vpn

well it uses the same connection as the VPN so that'll cause connectivity issues

you want to use one or the other

as for the vpn connection, try another server or region see if it clears it up, if not there are some great tips here https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn

A'ight thanks

Hi All, any other way to access the victim machine other than using evil-winrm if you have kerberos ticket?

how to share screenshot here?

You need to be hacker rank or above in labs or have a certification, I believe

if other authentication services are running, sure

can you please give an example than I can check?

Is this error normal?

xfreerdp /v:targetIP /u:htb-student /p:Academy_student! /dynamic-resolution
[23:45:44:716] [119494:119495] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[23:45:44:716] [119494:119495] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[23:45:44:730] [119494:119495] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[23:45:44:730] [119494:119495] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[23:45:44:730] [119494:119495] [ERROR][com.freerdp.core] - freerdp_post_connect failed

I'm using ParrotOS Pwnbox.

Try adjusting the MTU on the VPN configuration. This can help sometimes with RDP issues

https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn#h_ccf26ec237

Just above that section on the article are also recommendations for using xfreerdp 🙂

Could anyone help with nosql skill assessment II?

so i am working on the API Attacks model Broken Authentication Section
an im stuck at the Question

Exploit another Broken Authentication vulnerability to gain unauthorized access to the customer with the email 'MasonJenkins@ymail.com'. Retrieve their payment options data and submit the flag.

and this is the payload that im using

ffuf -w SecLists/Passwords/Common-Credentials/xato-net-10-million-passwords-10000.txt:PASS -u http://94.237.49.23:33237/api/v1/authentication/customers/sign-in -X POST -H 'Content-Type: application/json' -d '{"Email": "MasonJenkins@ymail.com", "Password": "PASS"}' -t 100 -fr "Invalid Credentials"

but i cant find the right credentials
what i am doing wrong?

Hello everyone, please can someone help me out on the target machine for the API attacks broken authentication I think the server not getting requests

rdp; smb; ssh are all potentials

This is exactly what I'm talking about

Anybody out there? I would still have an open question

i solved it

first use the /api/v1/authentication/customers/passwords/resets/email-otps to generate the code and then fuzz for it with a list from 0 to 9999
the password should change to the one you set

@weary crow

yes i did

really

Am i the only one experiences extreme slow responses from the machines in the "Web Attacks" Module

It takes ages for them to respond to anything

reset the machine i experienced it to

already reset > 10 times

but imma try again

i have the feeling the website doesnt render, because the GET request to weloveiconfonts.com fails. I reset another 10 times and each of the machines has the same issue. When i proxy through burp and just drop these requests, then the website renders fine

Targets don't have access to the internet which is probably why they fail, carry on even if the site doesn't render properly

I mean i will, just wanted to mention...this is a huge pain in this module

/feedback or make a post in #1234357888114364508

im stunned on NoSQLi Skills Assestments || please someone help

How can i stop the connections? I have already run sudo killall -9 openvpn

Hello 👋🏼 please can I get some help on the mass assessment on the API module

I created and an order but don't know what to do next

How are you all connecting to the RDP machines in the CAPE path labs? I cannot connect to most of them

For example, rn I'm in the ADCS section. I can't connect to either of them.

[!] https://10.10.14.181:8443 handling request from 10.129.43.13; (UUID: 6d8l7kje) Without a database connected that payload UUID tracking will not work!
[*] https://10.10.14.181:8443 handling request from 10.129.43.13; (UUID: 6d8l7kje) Staging x64 payload (204892 bytes) ...
[!] https://10.10.14.181:8443 handling request from 10.129.43.13; (UUID: 6d8l7kje) Without a database connected that payload UUID tracking will not work!
[*] Meterpreter session 1 opened (10.10.14.181:8443 -> 10.129.43.13:49679) at 2025-10-18 07:29:47 -0500

(Meterpreter 1)(C:\Windows\system32) > getuid
[-] Send timed out. Timeout currently 15 seconds, you can configure this with sessions --interact <id> --timeout <value>
(Meterpreter 1)(C:\Windows\system32) > 
'```


How can i solve this problem of meterpreter session timing out? I tried changing to 60s but to no avail as well. Any inputs will be appreciate.d

For windows fundamentals how do I do them without the pwn box?
With the Remote Desktop Protocol?

Yeah you can, you just have to use the vpn

https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn

Ty man

Web Attacks Module --> HTTP Verb Tampering. Cannot view allowed methods with curl -i -X OPTIONS http://SERVER_IP:PORT/ I get the response: HTTP/1.1 200 OK
Date: Sat, 18 Oct 2025 13:01:13 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Content-Type: text/html; charset=UTF-8
No Allowed:...

this is intentional, you can feel free to drop /feedback or #1234357888114364508 but the target is behaving as it usually does. This isn't a 'problem' with the lab, it's just designed this way

#prolabs-dante

Once you have started the target, wait a few minutes before connecting to it.

What was this fix? I'm having the same problem

Hello there. Just me again, was just curious if anybody would have some inputs regarding my question from yesterday

I reset it enough times that it detected my frustration

Hahahaha. Ok I'll keep trying

I keep getting an error about privileges for the sniffer. Do you remember if that was happening to you?

you might need to use a tool like cap2hashcat to get it to be usable by hashcat

Ah, okay, I just thought it's weird that the command to check for HTTP verbs is in that section and in the end we have to do it manually

this is a general thing for all modules; not EVERYTHING you see will be replicable, and you may need to think outside the box or do some research around it. In this case you already knew about the different verbs (from the content) but it's good to know that not EVERY server is set up to give you options

Can you dm

This I have done. To briefly sum it up. I wanted to solve the first Challenge which is to crack the MIC. As described in the module there are two possibilities to get the hash from the packet capture.
1: cap2hashcat online Module
2: hashcat-utils

I used both tools and received a file with two hashes (if allowed I can post it here, or give a screenshot, but not sure regarding policies).

This hash I tried to crack using the corresponding module hashcat -a 0 -m 22000 myhashes.hccapx /blabla/rockyou.txt. But hashcat is never able to actually read the hashes...

So at this point I can't see my mistake and rather assume, that something is off with the pcap.
(btw, same result for the offline version with hashcat-utils -> Furthermore when using this tool I get the message, that this tool is deprecated and is fully removed anyways by the hcxtools)

to verify the issue isn't on your end, i suggest attempting this with the in-browser pwnbox

Sure, give me 5 min to try it out

Alright.... I was able to solve it on the machine. Seems that this is working fine with hashcat version v6.2.6 but its not working when using hashcat version v7.1.2. Thanks for the hint

if you're curious why i suggested the pwnbox test => it's because there was a segfault error, which GENERALLY isn't an error produced by you doing something wrong with hashcat, or the format of the file provided

Aaaaah thank you very much for the elaboration 🙏

It did not work

If anyone could help with this Pwnbox ParrotOS issue that would be great:

[09:20:40:537] [11249:11250] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[09:20:40:537] [11249:11250] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[09:20:40:549] [11249:11250] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[09:20:40:549] [11249:11250] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[09:20:40:549] [11249:11250] [ERROR][com.freerdp.core] - freerdp_post_connect failed

I'm using a fresh spawn of Pwnbox ParrotOS

I'm at the Windows Fundamental Module.
Trying to create a share as instructed in the module but getting timeout error whenever trying to connect with smbclient

I tried checking on windows if the server is really started using Get-Service -Name LanmanServer (ChatGPT)
And yes it is running

But still I get the timeout error, and I also tried Set-NetFirewallRule -DisplayGroup "File and Printer Sharing" -Enabled True but don't have permission to do so.

Anyone went through similar problem?

run powershell as admin

Stack-Based Buffer Overflows on Windows x86 Skills Assessment

This might be broken. The other labs in the module work perfectly fine as is.

Please can anyone help me 🙏🏼

Best to always say which module/section/question you're on, how can anyone help if they don't know

Hello — I have a question about the module “Android Application Static Analysis — Reversing Hybrid Apps.”
I completed all the steps to obtain the debug keys and configured the curl command in every variation, but I always get a 401 Unauthorized / “Invalid credentials” response. I set everything up exactly as shown in the module. I also tested the POST request with Burp and installed the app on an emulator in Android Studio, but nothing works. It feels like I must have missed something — could someone please give me a hint? Or might there be a problem with the target machine? Thank you.

https://academy.hackthebox.com/module/268/section/3063

i'm having issues with the 2nd question

Hey everyone I have a small doubt
When the subscription ends I'm i able to access the completed model and labs

Yes, any module you complete will be unlocked for you forever

What about the labs in the module

yes

Great thank you 👍

Stack-Based Buffer Overflows on Windows x86 Skills Assessment

This might be broken. The other labs in the module work perfectly fine as is.

Hello all!

I'm working the API Attacks module, Section 3/13, Broken Object Level Authorization. https://academy.hackthebox.com/beta/module/268/section/3061.
I can confirm that I'm connected to the box, and the the box is up. I'm not seeing the site. I'm seeing a different previous conversation from @weary crow and others about this module.

Please roast me if I'm missing something, or let me know if there is an issue at the moment.

I'm in 5/13 section I'm just looking for more help on it

Hey, regarding (Active Directory Enum & Attack) module.
I am on the skill assessment II and noticed PowerView is not loading, I mean I transfer it with certutil and import it, but no functions work as if they don't exist.

Tried deleting and starting over but no luck. Is this by design or am I doing something wrong here ?

Gotcha

Can I get some assistance on this section

mess with orders

Alright, FYI it's evil-winrm causing the problem

I've moved onto a different one for now. I think you are also further than I was 🙂

Nvm me, please continue 😂

winrm itself is a problem (it's just a pain in the ass protocol)

it's like just above telnet but way below ssh

So I should like, put random dates on the post order endpoint

maybe not dates

but mess with everything you can regarding that

Okay try and get back to you on it

Matter of fact even with Meterpreter I can't run PowerView

I can't, how am I going to abuse ACL now ? T_T

Pffff..... I've been here all day lol

I can't use the pwnbox on academy it says I have one open when I don't how do I download the VPN so I can use my Kali system for the module

You can do so via https://academy.hackthebox.com/vpn (top right menu, where your username is, VPN Settings)

If you have a Pwnbox that's stuck or something, support can help with that

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

Me no help ?

If I knew how to help, I would

I don't know everything

Thank you

If you're having an issue @humble hemlock, I'd recommend describing what you are facing in more detail, rather than just "I can't run PowerView". Any errors? Is this on a personal VM or Pwnbox? What are you trying?

That'll help others help you

Oh we can go in A Lot of details trust me, just kept breef to see who's interested first 😂

Well yeah.. like I said.. details help others to help you, and sometimes people get tired of drawing blood from a stone. Go in to some more details if you can, and maybe someone will recognise the issue you're facing and be able to help 🙂

Not suggesting you're the stone

Just saying, it happens more frequently than you'd think

Yea dw about it haha

@ocean night can you help me on this or do you have an idea where I could ask for some hint?

Original Question:

Hello — I have a question about the module “Android Application Static Analysis — Reversing Hybrid Apps.”
I completed all the steps to obtain the debug keys and configured the curl command in every variation, but I always get a 401 Unauthorized / “Invalid credentials” response. I set everything up exactly as shown in the module. I also tested the POST request with Burp and installed the app on an emulator in Android Studio, but nothing works. It feels like I must have missed something — could someone please give me a hint? Or might there be a problem with the target machine? Thank you.

Many thanks in advance

I cannot help with active content, sorry.

Okay thank you very much anyway😊

hey guys
should i freak out because i can't answer this question?

i've also struggeled with the others but this one when i searched for the answers i found it was so complex and too many different answers can work

That's a tough one

I messed with everything it just said invalid format 400 bad request

Can someone help me with this question? It won’t accept “Fibre Optic Cables” or “Optic Cables.”

The question is: What type of network cable is used to transmit data over long distances with minimal signal loss?

I think it's firstword-secondword format

Thanks It worked

hello to all

idk if somewone can help me wiith this problem im having on intro to windows module

Best to include the module/section/question you're on, and maybe a bit about what you're having trouble with.

hello in the Pivoting, Tunneling, and Port Forwarding Web Server Pivoting with Rpivot exercice after launching the rpivot server and client and trying to connect to the webserver using proxychains it won't connect can someone help with that please

CWEE path - Advanced SQL Injections - Skills Assessment, part 2. I'm stuck. ||Been trying to apply the PostgreSQL Extensions method. Compiled on the student testing VM Replaced single quotes with $$. Switched to lo_put with offset=pageno*2048. Not sure what else I could be missing.||

Anyone completed Cross Site Scripting Module? Need to check my flag for phishing section as it is not accepted, feel free to dm. Editing this because after 5 mins then spamming the same flag it accepted it after a few attemps..

You had a whitespace at the end of your answer for some reason

Glad you got it sorted anyway.

Can someone help me with Windows Priv Esc/Pillaging/task2.? I've got stuck at this task

i also looked at the hint, and it is pointed at http service (according to my understanding so far).

Its not http service.

Theres another service running that may require some ids/ips evasion to see (maybe something to do with a source port)

ahhh ohk ohk

thanks for the hint

Deleting bc spoilers

Hey Guys, I've an issue on Trust Attacks module. I can't run SpoolSample.exe for some reason. It's the same command that's given in the example. What am I doing wrong?

NVM, it's working as intended after terminating the target and spawning new one... :))

Module: Pivoting, Tunneling, and Port Forwarding
Section: Skills Assessment
Link: https://academy.hackthebox.com/module/158/section/1441

Hey, I have doubt regarding scanning ports on remote/internal hosts

• I set up a Dynamic SSH SOCKS proxy as usual through the pivot host (9050 as proxy)
• Found internal hosts by probing with the pivot host
• However, when I scan with

proxychains nmap -A --top-ports 100 -oN scan <internal-host>
I get no open ports and when use --reason it shows no response

• I tried guessing and gained access and checked the listening ports within the internal host
  then went back to my attack host and tried using nc to grab banners and that worked
• After researching I tried to use -sT for TCP connect scan using nmap still did not work giving reason no-response
• I tried changing proxy to 1080 and did not work either

you can dm me if you still need help

Have you made sure (and tripple checked) your proxychains conf file? socks5 127.0.0.1 9050 ?

For AD Trust Skills Assessment - I’ve been stuck on the first question - any good hints to this? Feel that I’ve been going in circles, ran the bloody dog and can’t find a path- to the point that I’m now questioning my output.

you could also put NMAP static binary onto the pivot you have achieved and scan internally that way

during AEN its mentioned so I think thatd be one way.

nvm was burp proxy on browser being a pain

Module: Footprinting
Section: DNS
Question: Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain

I connected to HTB through VPN, and added the target IP to etc/hosts with associated to inlanefreight.htb, then run the dig command (output on the picture). There are two FQDN:

• root.inlanefreight.htb.
• ns.inlanefreight.htb.
  But none of them seems to be the answer, am I doing something wrong?

try without the "." at the end

it worked with the ns one, is there a reason to skip the .?

I wish I knew too 😛

understandable xd, thank you

Hi all, need help for Advanced SQL Injections SA, i already enumerated the email but i can't enumerate the password column. any help or guidance on this? thank you very much

Having issues with this question Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths (https://www.inlanefreight.com/directory" or "/another/directory") of that domain. Submit the number of these paths as the answer. numbered 3 in Junior cybersecurity module workflow section 5 last question please anyone

You should have i directory found somewhere i don't know specifically, but use that directory as the /directory . So dont try to curl https://www.inlanefreight.com/directory but https://www.inlanefreight.com/'name of directory'

Anyone that can help me with AD Trust Attack Skills Assessment Q1? ||I've gotten a password, attempted password spraying on the list of users - no idea on who this belongs to... possibly something to use in the future? Also was thinking a path via foreign group I may be a part of, but it also looks like a dead end?||

Any help for this?

Is it just me or public instances are really slow?

IIRC I think it might be have been blocking that word in pArtICulAr?

Sure, just owned it earlier

Web Attacks --> Bypassing Encoded References (IDOR). I get a completely different Burp request when I intercept for contracts. I get google host request instead of post to download.php when I clicked on contracts...

Dm ? Or do we answer here ? Not familiar with the process here 😅

Me?

The AD guy

Please this anyone

thanks but I'm currently self learning and this seems kinda complex to me

We can go via DM, that's fine!

Thank you very much for your HINT!

Apparently, I misunderstood the module here. If anyone pwned AD trust attack module feel free to drop a DM

What helped me troubleshoot was applying the filter to my payload within the java shell.

You mean the password was filtered at the backend right?

seems like the SQLMAP flag5 in attack tuning is off. the show solution gets different results than my query.

||there's a replaceall filter applying to your payload. I'm assuming you bypassed it to get the email column. I think you've figured out how to get the password now but my more general suggestion is to open up a jshell, and do "your payload".replaceall(...) on each of your payloads||

Hello, every lab i spawn for sql injections labs crashed

you can dm me i just looked at the module and know how to find the directories

Hello, sorry for the late reply. That worked out!

@cedar bridge

1. That module is above tier 0; don't post screenshots of spoilers
2. Use the literal word "PORT"

so http://sub.do.main:PORT/path/to/whatever

Thanks @fathom pendant . I will keep this is in mind going forward. However i tried to submit with the right format you posted but for some reason this is not getting accepted.

basically copy/paste the URL and replace the :31313 with :PORT

i just used placeholders to avoid spoilers

So it shouldnt be the actual port but the keyword. 👍 . Done it accepted . Thanks @fathom pendant

yeah I personally thing it should be a regex accepted number between 1-65535 or PORT but idk how simple that is to actually implement into the answer key

Question stated actual URL which would work only with the port number assigned for the target machine. Anyways thanks for the help.

yeah, like i said it should accept http://sub.do.main:[[:digit:]]{,5}/path/to/something or something like that

but it doesn't, and we complain

not just you, same here too, 100 000ms for the Australian server/instance

2AM in Australia but people are avid to learn

@fathom pendant I have a general question. When it comes to fuzzing directories or pages wordlist. We are unable to determine which wordlist actually works. The path file seems to contrary with the one in 2025 kali machine wordlist. Will this be a major issue when it comes to exam?

generally speaking, the wordlists that HTB use are gonna be in SecLists

anyone around for a poke on AEN - I want to move from the linux host to the windows host - it briefly mentions how to do it on the module text but I'm getting no where with the current output and seemingly no connections to my python server on the local host.

CertUtil: -URLCache command FAILED: 0x80072ee4 (WinHttp: 12004 ERROR_WINHTTP_INTERNAL_ERROR)
CertUtil: An internal error occurred in the Microsoft Windows HTTP Services

These are the errors I get too.

nvm fixed it. Need http:// for it to treat it as a request to the python server

@upper haven
Module: Attacking AI - Application and System
Section: Rogue Actions

I can successfully ||claim admin|| and the chatbot says ||SQLQuery plugin is available||, but I can't get it to actually execute queries.

Is there a specific format/syntax needed to trigger plugin execution, or should I be looking at a different attack vector entirely?

(I've tried ||username injection||, ||direct SQL after admin claim||, and various payload formats)

I'm currently stuck on the Identifying SSRF challenge in the Server-Side attacks module. I've identified some ports but can't access anything

Provide more info please so I can try to help

Hi guys, I'm trying to complete a module but I don't know why I do the right command but it doesn't work at all

Can u post screenshot here?

Ok I'll help

Don't take my job

I don't even have it yet

Lets start from the beginning

If you run

ip a

Basically I'm here but the command doesn't go well and keeps telling me aborted

In your machine connected to the vpn you should see an ip starting with 10.10.

Yes I have it why?

I've also pinged the machine for the lab and replies

No packet loss

It's important to check that the previous steps to running the command work

from this everything is ok

If you run nmap you see the port 80 too right?

Yes

If you access from the browser you see the wordpress website?

If so share a screenshot of the command you are running and the output

If I access from the browser I don't see the wordpress I see error 404

Ok first problem there

Can I see a screenshot of that?

Nope sorry my bad I forgot to use https I see the wordpress site

Perfect

My bad😵

That means it runs in port 443 not really 80

yup

Also open

Ok also does it redirect you to a domain ending with .htb on the browser?

Let me check

No

I dm'd you

ok so when you run the wpscan with https what's the output

I'll send you a screenshot

did you ennumerate all the ports 1-65535 on that ip?

I did yes and found two ports

all of those with ftp protocol? did you tried http also?

3306 is mysql

What do you mean with "with ftp protocol"? I ran an ffuf scan and port 3306 and 34208 were found in addition to port 80

in the picture you shared in dm the payload starts with ftp://

that is the protocol

oh sry yeah no i had http there before just tried something chatgpt told me to do

didn't help though

dw that is how url works look https://bytebytego.com/guides/do-you-know-all-the-components-of-a-url/

so there is 2 things to check here

yeah I know that but when i try to use the port in my request it says couldn't connect to server

yeah so SSRF means that you send a http request and that parameter inside the server makes another request

with the request that the server makes

did you fuzz ports?

yes

and if you did, with ftp you can't get certain things

try for example http://

to the other port that is not mysql

yes

I was talking to him, to help you I need you to share with me the output of the failed command

yeah this is my request but it still gives me an error

it's another error right?

can I see it

HTTP/1.1 200 OK
Date: Sun, 19 Oct 2025 17:50:59 GMT
Server: Apache/2.4.59 (Debian)
Vary: Accept-Encoding
Content-Length: 91
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Error (7): Failed to connect to 127.0.0.1 port 34208 after 0 ms: Couldn't connect to server

Sorry that's the out

bro you don't have internet in that machine you're in the pwnbox right?

How? I mean I can search on Internet

the scan is trying to update the database and it can't that is why it aborts

then u have internet connection

update the database manually first

then try it

Oh I see, how can I fix it?

try what he suggested

wpscan --update

i think this was it

do you have mysql creds?

my memory play with me sometimes

no

can u set a netcat for ur port?

but what happens on port 3306

oh i see what hes doing

is this for ssrf?

yes

ah right yeah

another error something with HTTP\0.9 not allowed

on the body or the whole response?

body

Ok I try now

can I see

Imagine HTB does a networking certificate i would take it

I did earlier and did get a request. Then did port fuzzing with ffuf and now i'm stuck

holdon im rly busy atm trying to work for a networking cert if im free i can try it aswell wiuth you

Not changed

nice let it finish

Is it normal that it take so long

just wait for it

?

Ok perfect

did it work?

do this and share the output

ping -c 4 8.8.8.8

from the pwnbox

ok maybe the whole approach should different, I don't have enough context but maybe if it fetches something from that ip you're supposed to put your ip and upload a rev shell or something?

@steep helm maybe try with --no-update parameter

the ping command is to confirm if you have internet access from the pwnbox I believe may not have but just to be sure the ping confirms

Hello everyone. in brutus lab while i am opening wtmp file, i am getting a problem, any help?

in #sherlocks

yes

Bump - if anyone has owned the AD Trust Attacks Skills Assessment and could help me out?

yes

that question that you asked you should ask it in that channel

since it belongs to a sherlock

not a module in the academy

got it. Thank You.

good luck

No...

umm, restart vm

rq

reset everything

Ok

do a fresh boot n stuff

I'll try

ight

it's defo network related

it's timing out

i had issue with vm network restarted the whole vm and it worked again

look at the messages I sent you

from here, ignore my reply to iicii but read the message below that too

hello please can someone help me out with the Unrestricted Resource Consumption vulnerability on https://academy.hackthebox.com/module/268/section/3064

there's a hint saying that i should focus on api/v1/authentication/customers/passwords/resets/sms-otps endpoint it has no rate limiting but i still can figure out what to do next

Every packet sent lost...

How...

because you have no internet

then you can't update

then it freezes

try with --no-update

the pwnbox I believe it has no internet access

mmmm...

But then how it is possible that I can access internet?

with your machine is one thing, the pwnbox runs inside the htb vpn

I use a VM with Oracle VirtualBox

Maybe I misconfigured the network adapter?

but you're using the pwnmachine of htb?

yes

No wait, I'm using a virtual machine connected to the VPN of HTB

With the HTB target spwaned

well, wherever you ran the ping doesn't reach outside the vpn for some reason

That's strange...

if is the same place you run wpscan you can see the problem that got you stuck

I tried now for fun to ping google.com

It says destination unreachble

no route

Could it be the configuratiuon of the VPN wrong?

yeah that is why you have to troubleshoot everything from the beginning sometimes

ah that happened to me I remember

I had this problem multiple times

for some reason while I am connected to the vpn after running nmap with certain arguments my whole internet access is blocked

only solution I found is to reset my router to get assigned another public ip

even after closing my vpn connection

But did it affect the whole internet? So even using another device it was down?

no, with other devices everything is fine only in my machine

but I use baremetal arch

Ah ok

Hello 👋🏼

hi

Check /etc/resolv and put something like nameserver 8.8.8.8 in there @steep helm

So I don't really know because I don't have that module but I imagine that maybe the goal is to somehow bruteforce the reset code? since it has no rate limit

I don't know why and how, I don't have the resolv...

maybe here /etc/resolv.conf

yeah i tried it but its not giving any results

Found it

It says another bame server

what if you write a script that sends a hardcoded code like 1234 or whatever length it may have and you keep asking for a reset code again and again until it matches?

Not that one

well that is if the code is not too large

otherwise could be unpractical

Have you ever had internet connection on that vm ?

Yes

No he probably downloaded udp instead of tcp for vpn

I don't know why now it does this

i'll try that now and get back to you on it thanks

show what openvpn protocol ur using

is it TCP or UDP download?

It's not vpn related from what I have seen...He can't even ping google.com from what I have seen, right ?

wait he cant?

wtf

did this happen after an nmap scan?

Yes not route says

it happens to me sometimes

yeah it USED to happent o me

i had to restart the vm 24/7

it annoyed me

worst in my case that I don't use a VM

oh my LOpl

restarting the computer won't fix it

how did u fix it

only this

oh right

What is in your /etc/resolv.conf ? Is there some nameserver line ?

└─▶ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.1.1

how long does it take to get to "pro hacker" role

Damn... Tomorrow I'll try now I have to go

To me it was doing all the active linux machines (except one) and some challenges

oh i see how many have u done?

i really need to do some ctf's i havent done it in a month i feel rusty probably

I don't remember but you can see it in my profile in htb website

ah yes

ok

I think I have about 50 or so

lemme see how much i got

let keep this convo in #general

Thank you very much guys

for non module related

did it work?

@steep helm try messing with systemctl network things next time. Read some online guides

im probably gonna do pro labs

First thing I would do though ... Comment out that line in your resolv.conf and add a new one with google's - nameserver 8.8.8.8 .. Or just change from 192.168.1.1 to the 8.8.8.8

Awsome thanks

Still stuck if someone has a solution https://academy.hackthebox.com/module/145/section/1295

dm

the ports

solved it thanks a lot bro

Brrr gimme a respects in htb labs website if you like

how do i do that

And send me a ping around here in the future if you need help with something else

In the htb website you go to labs and search user echoesofwhoami on the top right of the profile there is a button that says respect

You don't need to do that really only if you want

i'll totally do it 🤘

🫡 🫡

Thanks

https://academy.hackthebox.com/module/34/section/306#questionsDiv
Im so lost on this entire subnetting thing

use chatgpt

I'm in Password Attacks - Skills Assessment - When trying to run secretsdump.py against the NTDS.dit & system.save files, I get no output at all.

watch youtube vid on how to do subnetting

it can be confusing at first, sometimes an actual video helps

hey, does anyone here have resolved Advanced SQL Injections skill assessment? im stuck on question 2

same. stuck on qns 2 too. i think one of the parameter id is vulnerable to sqli.

can i dm you?

exploiting thick client applications been following the steps mentioned for 4 days but the final jar file doesn't open. Please help

watch ippsec's video on fatty or read 0xdf's writeup on it

after seeing the duration of the video got lazy and instead used AI now working lol.

i mean the thick client part is ripped straight from the INSANE machine fatty

I tried fuzzing for the OTP too, but for some reason it didn't work the first time, thanks!

Edit the code and to alert build number. and check the hint.

Module: Vulnerability assessment
Should i calculate a cvss score based on the finding alone
Or should I consider the entire attack chain and rate the finding itself?

||Say prob a privesc exploit via seimpersonate that only occurs after 2~3 dacl privilege abuse ||

Oh I had it as socks4 will try with socks5
Thanks!

Yeah but I wanted to understand why the packets aren’t received on my attack host

nmap and socks proxy famously don't get along too well

@mighty harness don't reveal information for skill assessments

ookayy but can you help me plz im still stuck and cannot bypass the login form

registration is your break in

try just injecting a ' until it breaks

So what’s the workaround to that?

In: Active Directory Enumeration & Attacks : Kerberoasting - from Linux
Section: Listing SPN Accounts with GetUserSPNs.py

the wording says that valid credentials are needed to pull SPNs in the domain. in the lab exercise, running the command with no username or password still pulls the same list of usernames as with credentials. is this something unique to the lab or part of how this attack works?

this
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/

does the same as this
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend

Probably there are credentials / tickets used in memory on the box where you execute these commands and so the DC can verify even if you don't specify those credentials

Tbf it should work with vs 4 too, i was just seeing if anything obvious was missing

Can’t seem to get it working, got no clue why, tried chisel, sshuttle none seem to work
Just gonna move on and learn about it in detail later
Thanks for the help !

All good, given aen the last cpts module teaches you to use the static binary in events like this, id say get comfortable with file transfers and tunnelling and it shouldn't present much issue as marcie said above, proxychains and nmap usually shit the bed so its not unusual to see this, long as you have an approach around it should be ok

use ligolo-ng

The dot (.) at the end marks the DNS root — it’s part of the full canonical name, not just a style choice. The dot tells the resolver “this is the absolute end — don’t append anything else."

Yeah I’m good with rest, had already finished the skill assessment. Just wanted to be thorough with all the ways to do it

Will try thanks

That command is just recursively checking all files within that directory and checking for the pattern pass. It’s pretty useful. It’s just throwing errors away if patterns don’t match or access issues

bash_history is like a text file with the history of commands used. So you can grep it. “.bash_history” hidden file under user’s home directory

you can do

grep 'pass' -Rni /home/ 2>/dev/null

it should show you the file name and line number

Ah as I said .bash_history usually lives in the user’s home directory.

If you do “ls -la” it’ll show it and use -n with grep to show line number

for example if user “test” exists under /home

cd /home/test
grep -ni “pass” ~/.bash_history

n=> should show line number that matches

i=> case-insensitive

You can also add -C 3

To show 3 lines above and below the matched line

👍 thanks.

la la like sing? 😆

😂😂 typo

Hello. I have a minor user experience issue I encounted which related to the beta outlook of academy.
Should I just post it at here, or someone could tell me where should I go.
Thanks.

Support

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

Hey
Can anyone tackle this
I'm using eternal romance and it says service start timed out, OK if running a command or non service executable...
Then exploit complete but no session was created

On which module and section are you working

❤️

hello, I am kinda stuck on Attacking windows credential manager lab. I have bypassed UAC and ran mimikatz but the password is not the right one?? Where am I supposed to look?

Hello! I am new here and starting my journy, but unfortunatly hit a wall... I am currently in the segment Domain Name System (DNS) of Network foundations. I have awnsered all questions exept one:
What is checked first in the DNS resolution process when you enter a domain name into a browser? (Format: Two words)
That might be stupid, but i can not figure out what the correct awnser/format is. Could someone please enlighten me.

There is a table with steps in the section, one of the steps has the answer

Yes you are righ, i read throug it all and my guess as well as the guess of other sources, the awnser should be local cach or local DNS. However, it seems that either its the wrong format, or i am really that stupid!^^

Issue solved! There has to be a very specific way how to write the awnser....

Hello, on Active Directory Enumeration & Attacks -> LLMNR/NBT-NS Poisoning - from Windows i can not manage to make work the creds for the RDP . How can i get support for this?

I have just tested the credentials for that section and target, and they are working as expected.

If you are using the built-in Remote Desktop Connection app in Windows (which apparently you are) you might need to specify the domain

Additionally, I would advise using a virtual machine or the provided workstation, if you are using your host OS to do the modules

yah, i'll just use remina then. thanks

thanks, creds works fine from remina (and native RDP client of Windows using domain INLANEFREIGHT) 🖐️

I managed to pass Advanced SQL Injections Skills Assessment

If anyone reading this and struggling, dm me

yaah Footprinting modul is 100% done! https://academy.hackthebox.com/achievement/badge/9c3a3986-adac-11f0-9254-bea50ffe6cb4

module Active Directory Enumeration & Attacks in section Privileged Access at question What host can this user access via WinRM? (just the computer name) this gives the wrong answer? can someone pls help me out

Hi, there is a problem in Attacking Thick Client Applications in Attacking Common Applications module. I can't open powershell inside the machine that I connected with rdp which is required to open powershell as it shows in tutorial.
C:\Users\cybervaca\AppData\Local>powershell.exe
Windows PowerShell terminated with the following error:
The type initializer for 'System.Management.Automation.Runspaces.InitialSessionState' threw an exception.
this is error

nver mind found the ansewer. you need to pass in the cypher and scroll down in bloodhund. got stuck on this one for way to long

I found how to solve

In https://academy.hackthebox.com/module/158/section/1434 are the credentials missing to connect to the spawned system.

3rd q has creds, the first 2 qs are just reading comprehension questions

Hello team

I am. Currently working on password attacks: pass the Hash module I am trying to get a rev shell I have followed through and I am still not getting the reverse shell what am I missing here my payload is good to go

Are you sure that all the information for the payload is correct.

You got a min lemme share my screen

I don't do private dms like that, as I dont believe you have screenshare permissions in the other vcs

Okay lemme share a screenshot

Ah I see the issur

Are you running nc.exe on the target?

yea

its in the MS01 Box /tools dir

And the payload uses all the relevant ip information in order to connect back

yea

The 172.x.x.x ips, none of the ips should be 10.x.x.x

I see your problem

its nc.exe

Don't encode in base64

ok

lemme try that

Boom

It worked thanks @fathom pendant

. nvm

I don't know why guys, but I'm still having the same problem eve using the Pawnbox....

Hey There
Brief question in Module "Attacking Web Applications with Ffuf"... In the skills Assessment Question 3.... Is this expected that instead of the proper port you have to write "PORT"? Took me like 30 min to figure this out

Yes, this is expected

I'm in Password Attacks - Skills Assessment - When trying to run secretsdump.py against the NTDS.dit & system.save files, I get no output at all.

guys am i going insane?:

ive been using ctrl b % all my life XD

ohh forgot the shift lol because you need to press shift for %

Im just getting to the SQL Injection Fundamentals assessment, and when I go to visit the webpage I get a 400 bad request

Same error through my default browser, firefox, pwnbox, and burpsuite's browser

I cant find a thread of this happening historically but I'd love for this to be a simple issue

is 'Junior Cybersecurity Analyst' the 'Penetration Tester' of blue team?

or is it 'SOC analyst'

could be an AWS issue?

that issue has long since been resolved, but i believe HTB uses Digital Ocean droplets for their public:port targets

Is this issue due to the http vs https part that is mentioned in the scenario?

Can I get some help for API Attacks - Broken Authentication? I am trying to change the password for the htbpentester3@hackthebox.com using OTP, but I cannot get a successful change.

erm, yes. I really hope that I'm having a "did you not read it" issue right now, I skipped a lot once I saw it was talking about burp because I have my certificates and whatnot configured

I'm not at desktop, but I do remember reading about the http vs https but then it started talking about the CA Certs and foxyproxy and i'm like "psh I got this"

So for this one, I was trying to get a proof of concept by doing it on the HTB account provided before doing it on the target. I guess the OTP is not setup to work on the account provided, because when I switched my command from the HTB account to the target account, the command worked and I got the OTP to go through

I am just working on the module "Attacking Enterprise Networks" (section Internal Information Gathering) and have a problem while using nmap over proxychains. The same issue seems to be in other modules and in more discord postings, but I didn't find a solution. Everytime I use nmap to scan internal networks via proxychains it says "0 hosts up" and all ports are listed as filtered. Even within pwnbox and the official solution it doesn't work. The only difference I can see is, that the solution used proxychains 3.1 and I use 4. Any help for this problem? Btw.: With ligolo it works fine, but I also want to get it work via proxychains.

Have you tried running it with sudo

Guys why are the machines not spawning?

Yes. I tried: proxychains nmap -sT -Pn -p 21,22,23,3389 IP , proxychains sudo nmap ... , sudo proxychains nmap ... and even sudo proxychains sudo nmap .... The result is: Nmap done: 1 IP address (0 hosts up) scanned in 3.07 seconds

Use ligolo xD and your problems finish

command injection skills assessment. I feel i'm at the final step but can't find the answer

/ is blacklisted but any substitutions are not working either

can anyone help

Provide more context some of us could help you but we didn't go through the modules so we need more context

Hello,
What is the flag in the first task in the web Requests module? It says I should curl inlanefreight.com/download.php for the flag but when I curl there is no flag

It's forbidden to share flags

Ok then how can I acces the flag