#modules
Hello, I wanted to report an issue: the FTP service is not coming up in the Attacking FTP section of the Attacking Common Services module (ACADEMY-ATTCOMSVC-LIN Target: 10.129.118.228). I attempted a machine reset but the issue remains.
Follows the Nmap output:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-22 07:11 EDT
Nmap scan report for 10.129.118.228
Host is up (0.071s latency).
Not shown: 64941 closed tcp ports (reset), 590 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
139/tcp open netbios-ssn Samba smbd 4
445/tcp open netbios-ssn Samba smbd 4
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
If you have to run ftp through udp, in my experience it is better to use other tools like atftp
Instead of lftp or ftp clients
I'm working through the PHP Wrappers module currently, and things are working @nova pivot
May I DM you?
Could just be the module, sorry I can't be of more help
Hello, i am on the pass the hash module of password attacks (https://academy.hackthebox.com/module/147/section/1638) i am on the final questions, i have successfully created a rev shell to the machine and connected using the invoke module with powershell, however, i do not see a folder named julio or the flag.txt, am I missing something?
Hi there, cwes channel disappear or I'm the only one who can see it?
All cert channels seems to have been deleted
uhm ok, thank you
no, you just need to verify
ok., how can I verify?
https://account.hackthebox.com/security-settings -> connect with discord
should be able to see it now
expanded the perms
Yes perfect thanks
||Btw did someone have a similar issue using mssqlclient? (Example from Attack Common Services - Hard)
```
mssqlclient.py fiona:'fake_pass'@10.129.200.36
[*] Encryption required, switching to TLS
[-] ERROR(WIN-HARD\SQLEXPRESS): Line 1: Login failed for user 'fiona'
```||
And with NetExec it works just fine with same creds
Reset the lab a few times until its up
thank you Emma, yup now I'm able to see certs channels
Check out the options available with mssqlclient.py and see if there are any that are specific to the type of host you are interacting with.
Hey Everyone, are the academy module targets working? Switched regions as well, no luck:)
hi, I have question. this module "web penetration tester"is good for beginners in pentester? What do you recommend?
Is there a problem in the footprinting module of penetration tester path? It asks for the content of flag.txt file in the /mnt/nfsshare. I can read it, but when I paste it, it just says incorrect answer
nevermind, i reset the machine and got it
Can I have some noob help: nmap 10.129.246.177 -p- -oX target is literally taking 90 minutes, but I have to perform a full TCP port scan and create an HTML report. Then, submit the number of the highest port as the answer. But my target machine is going to run out before its finished. Thanks if anyone can answer
try to add --min-rate 5000 --max-retries 1
thank you so much,
sure
Guys could someone give me a hint for:
Module: process injection attacks and detection
Section: Detecting DLL Injection
Question: What is the name of the file that is created in the temporary path?
I have found the answer for the first q (with some looking around), but this on i just have no idea where to start looking.
All good, figured it out.
Try it with --local-auth flag
Looking for a little help on
https://academy.hackthebox.com/module/77/section/844
I checked Discord history and saw people with the same issue but no solution. I got the first part just fine. I'm on question 2: "Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'. "
I'm trying to use the id_rsa key but I'm getting "Permission denied (publickey)". I've confirmed I copied the correct key and it's got all the characters including BEGIN and END. The file has the correct permissions as well.
Not sure how you didnt find answers; try copy pasting it again in different text editors. Sometimes, for some reason, some things get shifted around. Its a weird thing ive seen
Alrighty. Tried vim first. I'll try something else.
You should be able to run md5sum /path/to/id_rsa on the target and md5sum id_rsa on your system to see if those numbers match
Ok. I'll try that. I just tried in 3 different text editors, then the attack box crashed so I had to start over. Ran through it and got the same public key error.
And you're passing the rsa with -i?
Knew it was a me thing 🤣
That'll be 5 dollars per skill issue (joking joking)
Needs a switch
k, found the man page
LMAO! Fair, fair
Its alright though, it happens enough where you realize you made a minor spelling mistake
Thank you very much as always! When I first started this one I wasted so much time trying to upload linpeas
anyone else struggling to spawn targets? 10 minutes or so ive been clicking respawn target, just keeps going back to start
try changing vpn regions then switching back
will give it a go ty
that did the trick ty
ill be honest I did not see that banner at all, must have been down in the bottom of the section .. Doh
I'm in Password Attacks - Skills Assessment - When trying to run secretsdump.py against the NTDS.dit & system.save files, I get no output at all.
Looking for help in the module Pass the Certificate in Password Attacks. Has anyone completed this recently? I am following the steps listed using impacket-ntlmrelayx (I am trying to trigger using the printer spooler bug). I am following the guided steps but never grab the certificate (it looks like there is a partial issue when using the hosted attack box) but I have also tried from a vpn connection. Looking at other people's write-ups, it appears this should work but it just keeps cycling for me. Just wondering if something changed or what might be going on.
I remember having some trouble with impacket on some of those attacks.
What did the trick for me is start up a python virtual environment, install impacket there and run that specific python script.
I guess something was messed up with my python/impacket installation, that might be the case there.
Mind you - when trying with the attack box - there were no issues.
It was my thought as well that when using the provided attack box there should be no issues. I will try it out with the venv and see, thank you
Hi there, anyone willing to discuss about the methodology to solve the question for broken auth API module?, cos after read the HTB forum and understood the API auth, I'm not able to find the OTP, anyone available to send a DM?
I'm in Password Attacks - Skills Assessment - When trying to run secretsdump.py against the NTDS.dit & system.save files, I get no output at all.
Im assuming youre using the -ntds and -system flags, though iirc you also need the sam
I cannot connect even US ones
@fathom pendant Yes - python3 /usr/lib/python3/dist-packages/impacket/examples/secretsdump.py -ntds NTDS.dit -system system.save LOCAL >> hashes.txt
So hashes.txt is empty?
yes
Try without the redirect to hashes.txt to see what it tells you
no output, just drops me back to a prompt
Try just running secretsdump.py without specifying python3
It should be in your path by default
Doesn't work, I had to specify the full path
Also: are you sure that neither are corrupted. Also: are you running as root? (I.e. are you running around your system as the root user, this can cause unexpected issues)
I'm not running as root
On the windows machine, in powershell, run
get-filehash ntds.dit -Algorithm md5 and on your attacker system md5sum ntds.dit
Repeat for the system.save file
If they dont match, then it got corrupted in transfer
so I can find the resources for labs in the old UI, but I cant seem to find them in the new UI
does anyone know where they are?
the resources tab at the top is external stuff, so its not there
@fathom pendant They were different, so I redownloaded them, and now they're the same, but the secretsdump command is still giving nothing
If you're still stuck on this you can send me a DM and tell me what you know and have been trying.
Hello! The Citrix Breakout SA in the Windows Privesc module seems to have been down for a dozen hours, where may I report it ?
(And this machine [10.13.38.95] specifically, the four following SA machines are reachable)
I have tried switching VPN EU > US, switching back VPN US > EU, from the Pwnbox, resetting the target, nothing
10.13.38.95 isn't a typical IP for a target machine
yeah that's odd, usually they're 10.129.x.x not 10.13.x.x
try terminating and resetting
otherwise reach out to support
Need some help? Learn how to reach the support team on Academy.
because that is NOT NORMAL NOR IS IT SUPPOSED TO HAPPEN afaik
I thought that maybe it was because it is a specific target, being citrix escape and stuff. I already terminated and reset a few times, I'm gonna reach out to support then
Thanks!
spawning a fresh target to sanity check but afaik - the internal routing for the vpn doesn't allow for access to ips outside of the 10.129.0.0/16 range for spawned internal network targets
spawned a fresh target and got a 10.129 target
sounds like something messed up somewhere in the pipeline with your request; have you tried hard refreshing the page [ctrl+shift+r]?
Hey all, I am working on the challenge questions for the Password Attacks > Credential Hunting in Network Shares module of CPTS
I used Snaffler, Manspider, and nxc to gather all the data but I am having trouble "grepping" the data to find the credentials for the questions. The sheer volume of data is too much to sift through. grepping recursively for "password" returns too many results to reasonably analyze. Can someone please provide me with tips for extracting the data I need?
I have saved all the nxc Share data to my host to search, just need a more efficient way to do so. Thanks.
nxc has a built in command to filter out, snaffler also marks files in its output; Black being the most interesting, Green being the most benign
this question is asking for a DOMAIN user yeah?
Yes
doesn't appear to be a no-route-to-host; did you try restarting your kali machine, and also making sure you aren't using the pwnbox at the same time
if you know some basics of windows/ad then you should consider the format that domain users typically come in
I disconnected my vpn from kali and opened pwnbox but still same issue!
that wasn't my question; but leads to more -- is RDP the intended method to connect to the machine? it helps to know the module and section you're on
it helps to know the module and section you're on
did you try wrapping the password in single quotes?
yes I did
Literally returned one result, got the users pw
getting an SSL self signed issue from HTB AEN Lateral Movement when trying to rdp
proxychains xfreerdp /v:<redacted>.50 /u:<redacted> /p:'redacted' /drive:tools,/<redacted>
[07:09:09:177] [3139:3140] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
Was working fine yesterday but today not?
ive had to switch VPNs due to the outages/not spawning properly so hopefully not related
iirc there's an xfreerdp option to ignore the ssl
Thank you, I've just tried /cert:ignore but getting below from that too
[07:15:58:286] [3231:3232] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 0: Success
[07:15:58:287] [3231:3232] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[07:15:58:287] [3231:3232] [ERROR][com.freerdp.core] - freerdp_post_connect failed
I can get traffic to the host via netexec (like validating creds still work) I just can't seem to remote into it, all been funky since yesterday
ive sent a message to support but leaving here in case anyone has any ideas
Hi , i just want to know how is nmap even able to get the hostname of any device through a scan
how's that working behind the screen ?
reverse-DNS resolution
I would recommend researching it, few good videos if thats your learning style
Thanks , idk what that is i will search about it 
But isn't DNS for websites ?
Like it's a huge book where certain domain string is assigned to some ip ?
Hello ?
not entirely
Then ?
dns just resolves a hostname to an ip
if you host an ssh server on some.server but there's no web port it's still routed
Uhmm, isn't DNS for websites ?
How is that holding the hostname of the target device on a local network (academy)
all devices have a hostname; also known as the device name. When you name your device that typically is what gives it the hostname.
The Domain Name System (DNS) is a hierarchical and distributed name service that provides a naming system for computers, services, and other resources on the Internet or other Internet Protocol (IP) networks. It associates various information with domain names (identification strings) assigned to each of the associated entities. Most prominently...
you can have a local dns that resolves things locally or when you add
ip hostname
to your /etc/hosts file you are creating a manual dns entry that your computer uses to look things up
Yeah chatgpt said router also acts like one dns , and listed these techniques as other options for getting hostnames
- Reverse DNS (PTR)
- NetBIOS / NBNS
- SMB / Windows service probes
- mDNS / DNS-SD (Avahi/Bonjour)
- LLMNR (Link-Local Multicast Name Resolution)
- DHCP hostname (DHCP lease table)
- SNMP / HTTP / SSH banners
- No advertised name (fallback - only I
i generally wouldn't solely rely on chatGPT
and with a quick google search i swiftly brushed your idea that dns is ONLY for web aside. it's simply linking names to ips
that's one method, it's not the only method.
but getting a hostname generally relies on other services running
Need to speak to a person? Learn how to reach our support via HTB Labs.
Anybody cleared this question, i think i got the answer right but
it's not accepting it
Is someone who finished GraphQL path open for a short chat? I'm completely stuck at the SQLi over the graphql-api.
maybe i fucked up the impacket-changepasswd which broke the account
Hi I am currently doing the Module "Pass the Ticket(PtT) from Linux and am on the 2nd optional question "From Windows (MS01), export Julio's ticket using Mimikatz or Rubeus. Convert the ticket to ccache and use it from Linux to connect to the C disk."
For this question, I know I need to obtain an admin account to use Mimikatz or Rubeus and David doesnt have. I can xfreerdp into MS01 using David's credentials. Do I then apply the techniques in "Extracting Passwords from Windows Systems" to obtain the password for Administrator?
Is there anything or steps I am missing?
im still having issues starting up boxes
anyone else ?
in this case im taking about the password attacks module PTH
if i switch to US wouldnt that lag too much ?
I had to switch over to US too (thats supports recommendation too), the lag isnt noticeable that much anyway
i switched to US now lets see
make sure to redownload your vpn pack too if on your own lab
You were on EU previously?
yea always
Thanks, noted
you are very welcome
but i saw message on top that switching to US might solve it.
and it did so far.
ah 103 ms i can live with that.
I've noted internally and the issue is being worked on
Apologies for the inconvenience
Thanks and no problem
if u want me to be more precise it was EU2
but i switched to other EU nodes yesterday and that didnt seem to help.
Thanks, yeah they're working on it
I'm morbidly curious what's up, but I don't want to disturb them.
They'll fix it
yea i bet haha
Also interested! Let us know when you get some answers
Hah, I'm not the one to communicate that out unless I'm asked to. I'm sure there will be an update as soon as possible
But progress is being made
Understandable! Were you also working on modules?
No, I'm off work today, just hanging here supporting while in bed
I sincerely appreciate that you are active here among us customers, thank you goblin
i'm doing the footprinting labs and i don't have a clue what i'm doing, looking at the solution feels like cheating as well, does anyone else feel this way?
❤️ thank you too
as long as you learn from looking at the solution @fresh pagoda
and then go back and do it without
also make sure you make notes etc.
i see
did anyone else feel this way as well when they started?
not me because i've been hacking when hackthebox wasnt a thing.
so already read alot of books etc before.
and was hacking before
does it get any better?
hmm
make sure you read the modules to understand what is happening.
Kind of yes. But it will pass soon.
Yes. I'm better than yesterday
practice makes perfect
Hello : )
I am going through the "OSINT: Corporate Recon" module and I've been stuck on "Contact Information" section for a while.
The question is asking for an enterprise support email, I found one on the current version of InlaneFreight, tried browsing around the WayBackMachine but it has been super slow, like unusable slow. Am I on the right path here or should I go for another tool ?
Thanks in advance !
But just seeing the solution without understanding it fully, could indeed make you feel cheating.
i do it's just that whenever i do the labs it feels as if i'm viewing this for the first time and all of the notes i took go straight out the window
Do you carefully read the course material or just do the exercises?
When I first started, I kinda just rushed the material and didn’t fully focus and had the same effect youre describing.
When I started to carefully read every sentence and take time to understand the concepts and take detailed notes it wasn’t an issue anymore
To whoever made this question, I donno man.... I was ready to slap you after finding the email
Literally hidden in plain sight
Hello I need help for the "Live Engagement" of shells and payloads
@drifting knoll please check dm i have a question regarding nmap from your created module.
@sand valve please read the rules
What kind of help? Did you use the search feature to search this channel for whatever you are stuck on? Often a question or similar situation has already been asked and a hint, nudge, or relevant information might already exist.
Man there you are 🤣
The OSINT module was about to drive me crazy !!! hahahaha
yes I already searched, can I come in dm to not spoil ?
Sure
Nice, thank you
Just worth noting - having some spawn issues in US currently - I know there was an issue in EU --> not sure if that's affecting US or something else
did u get any wiser what the issue was per se ?
I don't have anything to share, other than they're on top of it I'm afraid
(not because I don't want to share, but because I don't know)
I'm US based, and my VPN keeps restarting, causing pretty bad box issues, VPN restarts --> breaks my box --> spend 10 minutes trying to get another session
I'd make sure you don't have multiple openvpn processes running, and that you aren't running the Pwnbox at the same time as connecting with openvpn yourself
There have been some issues ongoing with edge servers today, and the team are working on them
But those should be settling
Which VPN server are you on currently, and are you still experiencing the issues @grizzled schooner ?
Hello, I am stuck on Whitebox Attacks - Skills Assessment.
I think I did the first steps, now I am in with a ||role=1 user Larry||, I think there should even be a ||race condition|| on ||add_user function|| but anyway I don't see a way to use it for elevating privileges since role is set to 1 statically via source code. I don't see any merge function for prototype pollution or other ways to change that role value.
Can someone help or PM me please?.
I have no idea what server - how do I check? Also worth noting I'm running Kali and don't use pwnbox
Ok, take a look in your ovpn file
There should be a host line, with a hostname like academy-us-1.hackthebox.eu or something
remote rather
It's the hostname ending in hackthebox.eu, or rather the subdomain I'm looking for
Or
You can see here lol https://academy.hackthebox.com/vpn
That's easier
I will send it here then
So long as it does not spoil a module above tier 0, please do
@grizzled schooner I'm seeing you connected, quite a high ping mind, are you still seeing your connection dropping from the VPN, or is it something like an RDP session dropping?
@drifting knoll In the Network Enumeration with Nmap module, i have a question regarding nmap. In the Host Enumeration section, there's an exercise in the host and port scanning chapter.
Here we are tasked to enumerate the hostname of the target system , and i even solved it.
What i really wanna know is how exactly nmap is able to get the hostname! of the target ?
The technique and working behind the curtains
Yeah from VPN
keeps restarting
Hang on
You asked earlier right?
I mean.. look at the nmap output, where can you see the hostname, in which section
nmap has many modules it can execute for discovery against targets
You could enable debug logging to see exactly what it's up to perhaps
Ok ok, I am seeing something weird, I will hit up someone in the team
Yeah i did but i wasn't exactly satisfied with the answer, i wanted an exact answer, so i thought about contacting the maker of the module.
No worries, just thought I'd mention it with the other things going on
Have you tried another US server at all?
Unsure if it will help right now
This is a weird issue that raises its head rarely
I haven't - I've been on the same one for as long as I can remember lol
Might be worth a shot, just to see
10-4, I'm at work right now, so I'm not too worried if things are buggy right now
Roger dodger, I won't be around much longer, but I've mentioned it internally all the same
@drifting knoll
omfg
@sand valve stop pinging people
I gave you a good answer above
Did you try what I suggested?
Won't be around as in leaving HTB or got shit to do for the day? lmao
I was just letting him know , where the question is i just pinged him twice
Not yet , but i will try that
Please stop pinging them
Sure , but that isn't a reason to overreact
No no as in going to sleep in a bit lol
any help?
lmaooooo
Well it kinda felt you ignored what I said
and decided to just go and ping the author again
it is skill assessment of whitebox attacks. https://enterprise.hackthebox.com/academy-lab/41028/13513/modules/205/2353
oh that links me to enterprise
ill look it up in academy
ah i havent tried that one im working too much on CPTS
should be prototype pollution, race condition or time attack, or type juggling
I know, reading from other users my missing part should be a race condition, but I don't understand how it can change the role.
maybe it doesn't need to change the role ?
Hi there, anyone willing to discuss about the methodology to solve the question for broken auth API module?, cos after read the HTB forum and understood the API auth, I'm not able to find the OTP, anyone available to send a DM?
You can send me a DM and tell me what you know and have been trying.
did you make it?
not yet
not working?
my process logic was wrong and need to retry with a different approach
I think i found the answer , thanks for the tip , i ran the same scan but in debug + verbose mode and then i asked chatgpt how it got the hostname , it says NSE scripts pulled the name because some ports were open. Thanks
To be exact it ran nbstat script which returned NETBIOS name: *******
Nice one, exactly that
SSL certs can get you domain names also
Some servers provide banners with names, like FTP or mail
And people said to me earlier nmap probably used reverse DNS (ptr) but that wasn't accurate in this case.
Oh , interesting
It just wasn't the case in this scenario
As i said earlier, it just depends
Yes it can , but in this case it wasn't true
nmap has hundreds of scripts for enum, testing, exploitation
The only thing I really pointed out was that DNS isn't just for web
They are rarely focused on as a feature in training
At least not to their full extent, because it's a whole library of use cases
Where does one learn this information, just asking ?
Networking 101 ?
-A I think is what I use as an aeg usually to run enum and discovery scripts
I'm mostly self taught through experimentation, but also HTB, VulnHub, OSCP and vulnerability research
Oh
I like to break things, and find out how they work, in order to increase visibility and security
Great.
Hey all! Just wondering if anyone is having issues spawning their targets in academy?
https://g0bl.in
In general its something you pick up. But iirc the "information gathering - web edition" module goes over cert stuff like crt.sh
(shameless plug for ancient blog)
So all i gotta do is start up my hacker mindset.
Yup
Thanks , i will look at that.
Never underestimate yourself, or overestimate the value of learning from others
and don't judge
We all started from nowhere
If you're doing the pentester pathway, its a part of it
If you have a chance to teach someone something, take it
It's part of the path of the hacker
that's the spirit
Yeah , teaching someone also clears your own thoughts.
Alright guys thanks.
See you all later.
No worries, have a good one
A good question i ask, especially if I know someone is doing something wrong, is "why are you doing it this way?"
Oh great.
Everyday i learn something new here.
What are you doing, what do you expect it to do, what is it doing
Gets them thinking while speaking to you, breaking it down themselves to communicate it
Rubber Ducky Debugging
Its why I try and teach through the Socratic method
That's really intriguing.
Noted.
Not only is it helpful to get it done, it also helps develop a better understanding
I will search that too.
Why does netexec / proxychains seem to do this only for Netexec, I could install CME and the issue doesn't exist.
proxychains netexec smb <redacted>.3 -u <redacted> -p <redacted> -M spider_plus --share "Department Shares"
ProxyChains-3.1 (http://proxychains.sf.net)
usage: nxc [-h] [--version] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--verbose] [--debug] [--no-progress] [--log LOG] [-6]
[--dns-server DNS_SERVER] [--dns-tcp] [--dns-timeout DNS_TIMEOUT]
{mssql,smb,ftp,ldap,nfs,rdp,ssh,vnc,winrm,wmi} ...
nxc: error: unrecognized arguments: Shares
(can't redact the share name as thats the context clue)
Socratic method requires a teacher and a student, generally. Asking and answering questions
tried the usual single quotes, no quotes etc, all same result
I will say NXC instead of netexec it works
proxychains nxc smb <redacted>.3 -u <redacted> -p <redacted> -M spider_plus --share "Department Shares"
silly
Is there an open quote elsewhere in your command?
nope only quotes used are on the share name in this case
Weird
but nxc abbreviated version of netexec (or least I thought) doesn't error at all
Sounds like a bug report to me
I think so!
Im looking at the beta version , looks very nice , 1 thing , is there somewhere or something i've missed that can possibly point me to lab boxes to practice on once i've finished a module or revisited it, i think i saw it the old version but only at the end of a module when you finish it initially and not on the revisit
Anyone ? 
try changing your vpn regions back and forth
im still in US vpns, didnt want to interrupt this AEN blind session
is EU fixed then ?
Speaking of,
The issue we were DM'ing about...It wasn't broken it was reacting to me trying to access the RDP port without a proper route, I was trying to access the RDP port of the MS01 host with the -D port forwarding and then proxychaining, turns out you can only get access via local port forwarding and one slightly undocumented need to have the SSH session logged in, still active while you test on another tab. The test/lab team showed me the proper way. In the module text it mentions the local port forwarding but doesn't say its needed nor does it say you need to keep the session open while you test, so lessons learned there
so user error (as most things)
Hey guys i need some help in this room Exploiting Web Vulnerabilities in Thick-Client Applications
if you have done it can you help me with the part where we should download fatty-server.jar file i cant make it work properly
AaaaahhHHhhhhh
Not working for me. I'll wait it out a bit, touch grass and come back later. I thought maybe it was linked to the notification for EU VPNs. Maybe it affected US vpns also?
It isn't working for me either, seems like only some machines are affected cause I could spawn the previous one in whatever region
File Inclusion Prevention
Are we supposed to make a random entry in the php.ini file? The module doesn't really say what we're necessarily looking for to edit
Anyone who has done “Windows Lateral Movement” that could give a hint for 3rd question? I don’t understand how to reach my SMB share through the pivot when using Impackets services.py. They use attack host IP in example but that shouldn’t work from within the network? And using pivot host IP is nono since it already uses 445…
Can I ask something, where can I report an issue? Because this module, "Incident Handling Process", on the section "Analysis of Insight Nexus Breach" is giving a "zip file" that is not a zip, and it does not contain logs .. it's a json file and I can't solve the module, I don't know if it's because I'm stupid or something is not going well in that module.
Hello fellow HTB students. I’m looking for help with the LLM Output Attacks module section Exfiltration Attacks. I’ve searched everywhere and can’t figure out the solution. I’m not even sure if the solution requires a token or string like the question requests. I’ve entered my solution to the problem which is a markdown string with the payload but the answer is rejected. It’s frustrating that there’s no official tutor to help.
I'm in Password Attacks - Skills Assessment - When trying to run secretsdump.py against the NTDS.dit & system.save files, I get no output at all.
guys i need quick help in HTB room, in Creepy Crawlies | Information Gather - Web Edition Module, i can't see the target button and on the example domain i can't open that in my browser too, so how am i supposed to ans the question?
i'm in the same spot right now, also I have the badge saying I completed the "Incident Handling Process module" and I don't remember this section when I got that sometime last week.
- #1234357888114364508
- they just updated the module
ahhh i just finished verifying and couldn't see that before (i had to unlink and relink my discord)
ty
not sure if you've already figured this out. But just search the JSON based on the various questions.
It had a bug that now is corrected, I reported It and now the file is Ok ! thank you !
oh ok awesome! I must have caught it after they fixed it.
I'm in Password Attacks - Skills Assessment - When trying to run secretsdump.py against the NTDS.dit & system.save files, I get no output at all.
have you tried other methods of finding creds?
No, I was just following the module.
I don't understand what's wrong here. Comparing the hashes from the Windows machine to what I move to my attack machine, they match.
The module provides other methods of credential dumping, like dumping lsass
Footprinting module gives 0 cubes?
no
it's a tier 2 module so it gives back 20 cubes; you get the cubes back as you complete the module, not directly at the end
not all questions give cubes
Ok
also don't share screenshots that may contain answers :)
Oops
Btw the first question is kinda weird cuz i just logged in with ftp, used status and got the version but still it was incorrect
it's expecting a whole string not just vX.Y
How about a clue?
dude, if someone asks then you can hint them in the right direction
it's a tier 2 module, meaning that sharing answers and guides is against the ToS
So.. is that a no?
as long as the clue isn't 'just run this command'
Ok how about this: what is the tool known for grabbing banners?
These three sections were a nightmare to understand and comprehend
I felt like my brain wasn't braining, like I didn't know if it is pure theory? or am I going to use this in practice later?
And It wasn't written anywhere that if this topic is covered better somewhere else and hopefully had practical questions
there are multiple ways to grab banners; most protocols provide the banner upon connection
they are theory, but they will come in handy in some other modules, some more than others
but their OVERALL usefulness outside of academy is important
I know but nmap pisses me off sometimes
Imagine getting ragebaited by a command line tool
nmap isn't the only tool that can grab banners. netcat can also grab the banner. A banner is just what's displayed when you connect to a service, often it provides the version information or other types of information that can help you in sniffing things out
No i mean it didn't work, i used netcat to get the answer
nmap isn't a one-stop-shop tool ¯\_(ツ)_/¯
This is the second time this happened to me
--script banner works a fair bit of the time but if there's some other stuff like latency causing the script to time out then it's not gonna spit anything out
Where using nmap to get the banner doesn't work and i use netcat, not that i'm really complaining but just wondering why
likely due to some timeout issues
Perhaps related to the -T1-5 setting?
But i'm too lazy to test that so that's that
Check back through the module, the tool is mentioned
You need to pay close attention sometimes, answers aren't always directly highlighted or provided on a plate
I already solved it
Module: Windows CLI
Section: Skills Assessment
Anyone mind giving me a little help?
I've tried findstr, Get-ChildItem, etc, searching recursively through the directories, still to no avail, I cannot find the flag.
thank you!
maybe i am overthinking it
- Read the channel topic
- Remove potential spoilers
- Hopefully someone may come and give you a nudge in DM
Please @mystic fjord
I don't want to have to ping the mods again lol
okay srry
Thank you
rephrasing the question
Module: Intro to C2 Operations with Sliver
Section: Probing the Surface
Question: Assess further the web application and submit the name of the database user
Anyone knows which user means? I extract a few ones but gets me an error
Hello Guys,
In module: Broken Authentication
section: Authentication Bypass via parameter Modification
what am i doing wrong
/code
No
Don't just paste code or attempts at answers
Remove that
Ask for someone to help in DMs
Read the freakin channel topic
Wow that's an idea that i 100% didn't think about
Guys if someone could help can you pls dm me
Thank you
For Module "MSSQL, Exchange, and SCCM Attacks" Section "Introduction to SCCM", I'm following the walkthrough and I keep getting "No DHCP responses recieved from MECM server 172.50.0.30. This may indicate that the wrong IP address was provided or that there are firewall restrictions blocking DHCP packets to the required ports" when I try to run pxethief.py
does anyone know how many cubes in total u get from finishing cpts path modules?
As for the total.. add it up I guess
thanks
Any idea how long are those issues going to last?
On which VPN server are you facing the behavior?
Not sure where to post this, but where can I report issue with the academy beta?
Or can someone tell me if Im just blind. In the new beta I can't find resources for a module. For example custom userlist or password list that module wants me to use...
Hi all
i need some help with Linux basics
i did find the last modified file in "/var/backups" directory? but the answer is incorrect
anyone?
are you connected to the spawned target via ssh?
yes
it also helps to know the section name you're working on
ive found the modified file using ls -lt but its not correct
it's just asking for the filename not the full path to it
Working with Files and Directories
Ive just had a look myself, https://academy.hackthebox.com/module/143/section/1262 has a resources section but on https://academy.hackthebox.com/beta/module/143/section/1262 it doesn't! So Im assuming its a UI / UX feature not brought forward in the beta yet
so file.what.ever
can you help with this
have patience
sorry
so how can i find the last modified file
try using -r with -t
thank you
it helps to pay close attention to the output and not just blindly assume what's being given to you is what you're actually looking for
actually using -lt gives you the proper information
you just didn't interpret the output properly
you went with what's at the bottom of the output (which would be the oldest) not what was at the top (the newest)
https://man7.org/linux/man-pages/man1/ls.1.html; reading the man pages -t sorts (by default) by latest modification time
and somehow you missed the proper one
dm me with what you did and your output
in the file upload attacks, specifically in the client side validation bypass task
there are two ways of doing the task and im performing both of them
but neither of them are working
i looked up a medium article too on this task, followed the steps it showed, still did not work for me for some reason
Hi Kratos
hello echo
medium article? that breaks the Terms of Service since it's above tier 0
oh-
it does?
You made sure that every step until that point is working?
i thought that was for active machines
Ping the ip, service http running
that rule is for academy modules too?
I didnt know
sorry
from my knowledge, yes
also im using the pwnbox in the browser, not my own machine
give me a sec i'll try and sanity check for you, i'm bored and already have the pwnbox running
should i switch to my own VM though?
At the end of the day is up to you but I learn more using my own system
Share outputs, screenshot
to copy the first sentence of the article:
You are only permitted to upload, stream videos, and publish solutions in any format for Retired Content of Hack The Box or Free Academy Courses. In detail, this includes the following Hack The Box Content:
- Retired Machines
- Retired Challenges
- Retired Sherlocks
- Starting Point Machines
- Tier 0 Academy Modules
the HTML line highlighted, im supposed to delete the "onchange" part for me to bypass client-side validation
onchange="showImage()"
oh
this is the clientside validation section yeah?
yes
sec
also, sorry for not knowing
about the write up thing
i wasnt aware it extends to Academy too
Ok so what happens when you delete it?
i did, uploaded the php shell, but it just does not upload
Do you want to help him since you're more pro?
either it would say "images allowed only", if i add the php format in accept='.jpg,.jpeg,.png", it just wont show
Is not sarcasm, I mean it
I know different ways to do it but idk what is the academy recommending, what do they suggest?
yea i could do it in burp too
and i did
but then the file doesnt open in the website
If you add a normal image does it open as a image?
the file is supposed to go into /profile_images/shell.php
yes
So when you say it doesn't open you mean it renders a white page or 404?
404
when i do it through burp, it gives me code 500
internal server error
That doesn't make sense
just tested it @errant harness this is a case of the examples not mirroring 1 to 1 of what you're meant to do
so what am i supposed to do in this case
Dang
cause i thought it was just broken, the burpsuite method shows file uploaded successfully
but when i try to access it, im getting a code 500
there's a couple things you can do; but the area you're MEANT to look at is still the same. so it still deals with that form area (at least on the non-burp method)
cause i tried, but it broke the upload
in this image i tried uploading but it didnt give any feedback
wait ill try the burp method
alright
you may also have to toy with the accepted file formats
also as a general tip each of the validation sections build off each other
ill try and get back to you
in module exercise attacking FTP exercise. I spent lots of hours trying to scan the ftp service and it is not showing to me? I tried nmap, masscan, change vpn to both tcp and udp but can't find the port no. When I take a peek at the solution it shows a simple nmap scan. Yet the port is still not showing.
keep respawning the target until it shows up
@fathom pendant i tried and got this
mind dming me with the payload? i'm thinking it may be an issue with that?
alright
Need help with: Attacking AI - Application and System - Vulnerable MCP Servers - Sensitive Information Disclosure. Have finished all the flags and the assessment in this module. If someone can pls DM me and give me a nudge.
there are several questions in the section, with which one do you need help?
Hi Guys how are you? I was wondering if someone could help me with this error, I finally fixed the problem with internet, so now I can use internet connection while connected to the VPN, but now the problem is that, when I use wpscan, it can not figure out the version of wordpress and the theme, any suggestion?
Is there box issues currently? I've tried spawning the File Inclusions Skill assessment 4 times, and everyone of them brings me to an Unable to connect page
Ur talking about the pwnbox? Or the spawning machine?
Look at the server where ur spawning it from
Maybe it has a high ping and it can give u some problems
I also have problems
On the us server https://academy.hackthebox.com/module/280/section/3129 the machine starts but the application is not reachable
ping 94.237.121.194
PING 94.237.121.194 (94.237.121.194) 56(84) bytes of data.
64 bytes from 94.237.121.194: icmp_seq=1 ttl=54 time=21.2 ms
64 bytes from 94.237.121.194: icmp_seq=2 ttl=54 time=20.7 ms
^C
--- 94.237.121.194 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 20.652/20.936/21.221/0.284 ms
┌──(kali㉿kali)-[/mnt/hgfs/HTB/www]
└─$ nc 94.237.121.194 43851
(UNKNOWN) [94.237.121.194] 43851 (?) : Connection refused
Are you connected to the VPN correctly?
Watch the ping of the server
just restarted the vpn
I understand but sometimes, you have to download again the VPN file and use it brand new, cuz they got refreshed, especially if you changed server recently
I will try
Also is it a Lab or academy?
It is academy https://academy.hackthebox.com/module/280/section/3129
The machine is up but the port I need to use is closed
└─$ nmap -p 22,58831 94.237.60.35
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-24 14:12 CEST
Nmap scan report for 94-237-60-35.uk-lon1.upcloud.host (94.237.60.35)
Host is up (0.020s latency).
PORT STATE SERVICE
22/tcp open ssh
58831/tcp filtered unknown
Which port are u looking for?
58831
try to use the stealth
After spawning multiple times, I got on a machine where the port was open
Clear
Ok try to use the source port 53
after the command type --source-port (here put the port sourcing from)
No i don't think it can work...I'm sorry but idk what it can be
I'm also facing a problem with the wpscan section...
Awesome nice
What service is it?
try to look it by using -sV
after u get the service maybe we can figure out something
can I get a bump on the File Inclusions SA? I have a parameter that allows me to read /etc/passwd but it has to be read in a burp response... That's all I have, and everything else I'm trying is failing... please @ with replies
Nevermind - apparently someone thought it was nice to put up a full walkthrough and spoiled the whole thing
there's the /spoiler hackster command you can use, it pulls up a form to submit like /feedback
sweet, done - sorry didn't know that was a thing
Guys I'm sorry but I'm struggling a lot with wpscan that seems it love to joke me... I can not get the right version of wordpress server and I can not figure out how to do it, I've tried everything I think
Can't you view page source to identify wordpress version ?
Also, wpscan I believe asks for update on execution. And an API key if you need thorough scan.
hi I completed 10% of CDSA in two weeks. This is going much quicker than CPTS did. I think once I get through it and maybe CCD I'll have a good foundation to get a cyber job in and then will more easily be able to learn offense, which as you know I was struggling with before.
I'm psyched.
hello
This is what I got everytime I use wpscan
wpscan -e p --url https://(IP) --disable-tls-checks --no-banner --plugins-detection passive -t 100
This is the command I use
If all you need is the version, how about some manual enumeration ? @steep helm
Umm ... Don't rely on tools too much.
Try browsing the web page, research on google where you might find information about the version, stuff like that.
Mmm..ok cuz I didn't see that much
I just don't understand -- can someone give me a nudge? I'm defeated at this point
File Inclusions Skill Assessment
I've found two different possible parameters for LFI, one allows me to read /etc/passwd, but that's it. The other one, I can't get anything out of. I can't get any php files from web root, I can't get shit
you can read other files, consider the location of other php files that may be on the server
In Module (Pivoting, Tunneling, and Port Forwarding) in section (RDP and SOCKS Tunneling with SocksOverRDP) the link for downloading Proxifier Portable Binary doesn't work, any solution?
I tried fuzzing for other files, and it's coming up bone dry
you don't need to fuzz
I'm not smart enough to know directories lmao ^
i'm not talking about directories
as you interact with the target website what different forms and stuff exist
Yeah, I've only found one other param that's possible and I can't get anything out of it
did you try all methods to obfuscate? like url-encoding?
I've tried: url encoding, php wrappers, fuzzing for new files, different parameters, log poisoning, I can't get anywhere
I'm not certain if this is the right place to ask for help with this, but I'm new to the program and I can't load targets at all. Whether I use my own connection or the VPN, I get a page saying "This site can't be reached" and that it "took too long to respond." What are some ways I can troubleshoot this? It has happened between different modules and at different dates/times. I'm not sure what the issue is.
There has been some issues with EU, if you reside there
hi for the visualization example 2 section of security monitoring and SIEM fundamentals module, it is not showing anything when I try to put in the substatus code in the instructions for the users
can someone help me out?
the first visualization took me a little while to figure out yesterday so I'm guessing this one will be tricky
Looks like the incident handling module got updated. I checked around, looks like some new hands on labs and a skill assessment. Might be worth to redo:
ya I saw that
but I already got the badge for the module so I'm thinking I'll just keep moving forward
but I get what you're saying
hi is anyone able to help me with this?
I am gonna try again today I just need a push in the right direction
I am gonna get back to it later but this is just to get an idea of what I'm not getting here because the section clearly implies following its instructions exactly and I think I'm doing that
I have been stuck on CPTS Password Attacks > Pass the Ticket (PtT) from Linux challenge question "Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio." for hours.
I have root access
I have exported the valid (not expired) ticket
When I attempt to connect to SMB I getting a NT_STATUS_LOGON_FAILURE error
guys is it normal that I can't reach to the host in footprint easy lab so i have to make better scan? or this is an issue
bcz i used pwnbox and it's working and i got the easy lab flag but i can't do it on kali linux
Hi there, anyone willing to share a hint about "Information Disclosure" on GraphQL module?, cos the question is a bit ambiguous, unless we've to create a new query with every field belong to __schema
make sure you have the vpn pack downloaded and running and aren't using the pwnbox at the same time as your kali linux machine
I did also not working
You should test all harvested credentials against the environment.
anyone here done Abusing HTTP Misconfigurations from cwee? i'm struggling with the tools & prevention section, not sure if im doing something wrong but WCVS is refusing to give me the vulnerable header.
in Information Gathering - Web Edition, Web Archives task, i can't seem to find answer for last question "According to wikipedia.com snapshot taken on February 9, 2003, how many articles were they already working on in the English version? Answer with the number they state without any commas, e.g., 100000, not 100,000.", the wayback machine website is giving me 429 Too Many Requests (tried it for 1 week) but no results and i cannot find answer on any other websites, what can i do?
i don't get a 429 error, have you tried checking on other devices?
Yeah, i tried it with my phone and laptop also
Can anyone help me with this
It's possible for subdomains to have subdomains
@carmine pivot Please take care not to spoil content from modules above tier 0
still stuck on this. the question is asking for "an HTTP header vulnerable to web cache poisoning" but i've run wcvs probably 20 odd times with different options set and none of them have returned any vulnerable headers, just parameters. don't know if it actually wants a header or wants us to exploit the vulnerable parameters somehow to find the header
I am doing sec list. But not getting it. Stuck here for about 3 hours
there's a fierce wordlist you can use; in general when trying different wordlists go from smallest to largest, ls -Sr sorts by small to large (-S sorts by size, largest first, -r reverse the order of all applied search filters)
Ok i will try that
if anyone else is stuck on this. make sure you're using wcvs 1.1.0 not the latest version
absolutely 0 clue why that worked but it did
Module: Welcome to C2 Operations with Sliver
Did anyone else have problems with Sliver? Timeouts and commands not working, etc.?
I'm using my own Kali VM.
I need some nudge with the below two flags in AI Red Teaming Track - AI Data Attacks - 1. Evaluating Trojan Attack and 2. Skill Assessment . Can someone pls DM me regarding these two. Have done rest of the modules.
I'm doing Pass the Ticket (PtT) from Linux in Password Attacks. When I ssh to the spawn machine, it's a linux. When I rdp to the machine, it's Windows. How can the same IP lead to two diff operating systems?
The same machine cannot possibly have two different operating systems with the same IP address.
However, you can also use SSH to access a Windows machine. Presumably, in both cases it is a Windows Machine
Are you supposed to connect by RDP or SSH in the instructions?
Could be some NAT or Docker stuff if it's actually Linux on SSH
yeah I looked at the ip of the linux machine and it's not the same
I was thinking port forwarding
working on Skills Assessment - SQL Injection Fundamentals I am stuck on getting access to the login page tried every payload along with SQLmap for login.php and register.php can someone help me???
hello in the Cross-Site Scripting (XSS) module -Phishing -after sending victim url ,i get admin login i get invalid credentials , i am stuck here could anybody kindly help?
Could anybody help me with the "Skills Assessment" of the "Using Web Proxies" Part?
Hey everyone!
I'm currently working on the Finding Public Exploits section of the Pentester Path, and I'm running into an issue with the WordPress Simple Backup exploit.
What I've done:
- Found and configured auxiliary/scanner/http/wp_simple_backup_file_read in Metasploit
- Verified the plugin exists at /wp-content/plugins/simple-backup/
- Configured all required options (RHOSTS, RPORT, FILEPATH, etc.)
- Tried with the default /etc/passwd file
The problem:
When I run exploit, the module completes but shows:
msf auxiliary(scanner/http/wp_simple_backup_file_read) > exploit
####################
# Request:
####################
GET /wp-admin/tools.php?page=backup_manager&download_backup_file=../../../../../../flag.txt HTTP/1.1
Host: 94.237.63.43:55662
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
####################
# Response:
####################
No response received
[-] Server did not respond in an expected way.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
No file is retrieved, and nothing appears in the loot directory.
Based on other writeups, it seems like I'm on the right track with this module, but I can't get it to actually retrieve files. Has anyone else encountered this issue? Am I missing a specific configuration step?
I'm going through the Password Attacks module, the Introduction to John The Ripper section, there's a task at the end. But I can't figure out where to get this password that needs to be cracked. Can anyone help?
Curious what made you try the path traversal payload above?
Did you set the FILEPATH to /flag.txt and the script is attempting ../../../ etc ? or is that your doing*
the path is the one used in the exploit
yes
i just used a options to get more logs in order to understand what was wrong
Module options (auxiliary/scanner/http/wp_simple_backup_file_read):
   Name       Current Setting         Required  Description
   ----       ---------------         --------  -----------
   DEPTH      6                       yes       Traversal Depth (to reach the root folder)
   FILEPATH   simple-backup/flag.txt  yes       The path to the file to read
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks4, socks5, socks5h, http, sapni
   RHOSTS     94.237.63.43            yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      55662                   yes       The target port (TCP)
   SSL        false                   no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                       yes       The base path to the wordpress application
   THREADS    1                       yes       The number of concurrent threads (max one per host)
   VHOST                              no        HTTP server virtual host
i change the filepath to try something
the IP of the target is 94.X ? or is that your own IP. I haven't seen a host with that IP before but covering all bases
the target
thanks
yeah its your Filepath. remove simple-backup and just have /flag.txt
then it should execute as it did my end
will delete after you've acknowledged
msf auxiliary(scanner/http/wp_simple_backup_file_read) > set FILEPATH flag.txt
FILEPATH => flag.txt
msf auxiliary(scanner/http/wp_simple_backup_file_read) > exploit
####################
# Request:
####################
GET /wp-admin/tools.php?page=backup_manager&download_backup_file=../../../../../../flag.txt HTTP/1.1
Host: 94.237.63.43:55662
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
####################
# Response:
####################
No response received
[-] Server did not respond in an expected way.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
your options reads "FILEPATH /flag.txt" now ? instead of "simple-backup/flag.txt" ?
nah you did all good, that was what I was asking for tbf
I though you asked me to try /flag.txt
Curious why yours fails and mines worked out of the box - ive not configured just spawned and run
Are you running this on the pwnbox?
what do you mean by pwnbox ?
the lab environment HTB offer to students
i will try to respawn it maybe i did something wrong
this thing
kk same
i'll try to respawn an instance and try
i have an idea maybe
i deleted something from the vpn connection
bc i couldn't go on internet anymore
it might block the download ?
Maybe I am not too skilled in that department
im going to have to go now, just wanted to see if it was a common issue you've got, seems its more your home lab issue than HTB infra issue
id recommend spawning the pwnbox and seeing if you can get the same to work - that confirms it for you too but yeah did what I could sorry not the answer you wanted!
have a good day
it was the answer i need it was perfect thanks
Module: Footprinting
Section: DNS
Ques: Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain.
i tried dig command with ns, axfr, any and i got some output and i cannot fully understand how to recognize the correct FQDN, as i got multiple FQDNs ?
The hashes are provided in the section.
Yes, thanks, I've already found, it's just not very intuitive that need to take a hash from the middle of the section.
Well the paragraph underneath the hashid example, does tell you what that actual hash type is, which is the hash type you are tasked to crack in the lab. You could always send this over as feedback and it could potentially be updated so it is more concise.
Sounds good, I'll do it
@digital pendant In the end I didn't understand why it wouldn't work, tried it from a new VPN key and also with TCP but it didn't work, don't know why, did it from the HTB env
tbf in the exam you may need to use both environments so not a bad lesson to learn this early!
why would I need to use both ? (for cases like this one ?)
still stuck here, if anyone can help
if your own environment / vm isn't working then you're no doubt going to try pwnbox to see if the issue is your end or the HTB infra, right ?
Anyone else getting the 'Greyed out' screen every time they attempt to RDP into a remote machine with an xfreerdp statement like this:
xfreerdp /v:10.129.202.99 /u:Bob /p:'HTB_@cademy_stdnt!' /dynamic-resolution /f /cert:ignore /sound /clipboard
or without the dynamic-resolution flag:
xfreerdp /v:10.129.202.99 /u:Bob /p:'HTB_@cademy_stdnt!' /size:1920x1080 /f /cert:ignore /sound /clipboard
how in depth do you guys recommend i take notes? do i read enough to understand and note down important things to be used/reinforced through labs/exercises? or for doing these pathways is it moreso recommended to take in depth notes
Preface this with I haven't passed HTB exams yet, I approach all exams this way though (if its open book).
Notes and methodology will differ but I find if I have a well written section on a particular topic, showing the tool (if tool related), the technique or otherwise, then I have a methodology document which is very high level - heres what you should do when in X situation and heres the links to my notes on how to achieve it (if I can't remember or need to ref back), then I feel confident that ill have all I need
hmm i see
ive been finding myself spending more time taking notes than i have spent actually using the material
ill try and go more high level like youre saying
Thats a good thing no?
at a point
id say taking too deep or extensive notes starts drowning out the important material -- i think ive been focusing on memorizing things that should/would come through experience
If your notes don't enable you to repeat the steps required to achieve a step then its probably worth re-writing so it does, eventually however you'll be good enough to remember the steps, you just need a quick skim of said notes to remind you of the things to look for/ test for etc
like memorizing port numbers or protocols without using them
I am somewhere in the middle
writing down procedures and steps extensively is definitely a good idea
yea gotta find a good middle ground
It sounds like you're being hard on yourself, and you definitely can be overprepared / take too much research with you into the exam and fold but two things, you get a free repeat and if you do the AEN blind you'll be aware of your strengths and weaknesses very quickly. If you found your notes were not good enough after AEN then (assuming you're doing CPTS) then you definitely should work on that before the exam
I found my notes were good, my methodology however didn't include all areas of credential hunting so missed out on some low-hanging findings that I would potentially miss flags in doing so, so lesson learned for me (AEN only here, not done the exam yet). Hope that helps! goodluck
OHH
you get a free repeat??
thats awesome
indeed, as far as I know you do
thats great for the issue im having haha
will definitely try and go high level except for the procedures since the labs and things would require more in depth notes
like you said, the first try would show where the notes are lacking
thank you very much
Hey, anyone got a good setup/project structure for Obsidian?
For cheat sheets, boxes, networks etc
how is path completion percentage calculated?
is it by section? or is it by word count or some other thing
wondering if the sections with two paragraphs are worth the same amount as the sections with pages and questions
I wouldnt look at percentage ever... it really doesnt matter as long as you complete the course within your timeframe
but if you're interested, I've done a monster section in CPTS, the scroll bar was tiny even on a large screen. after completing 6 questions it gave 0.25%, 4 of those sections later I had 1% and thought I had done 2 weeks of studying
i also got 0.25% off a very very short page of just pictures and headers, so I guess it doesn't matter. But I wouldnt ever look at percentage
Can i perform double pivot using ligolo?
Yes
Triple too
The way to do it is use the agent.exe on the first host then when i have access to the deeper host i run another agent on it right?
Yes, but you need to point #2 to #1 host.
do you have a document on how to double pivot using ligolo or like a video? for me ive only done 1 level of pivoting with it
Search on google, "double pivot ligolo"
lol i just realized how silly of a question that was
Thank you
Anyone
Hello is anyone currently doing the halloween competition?
#modules I am stuck on this for a long time now need a nudge
I am working on attacking common services hard last question. I saw there is 2 possible ways to get the flag. I found one but curious about the second. Can anyone help me with that?
You mean bypass the login page? Dm.
I'm stuck here. Any tips?
Module: Attacking Common Applications
Section: Attacking GitLab
Solved
Hi, i'm stuck in the the Advanced SQL Injection module skills assessment part 2, could any give me some advice? I get the second sqli but the user doesn't have the permissions necessary to create an extension or I'm checking wrong
UPDATE: I was able to solve it, if anyone needs to solve this lab, my advice is to review the documentation, read it carefully and check the permissions.
hi @cunning canopy can i DM you ?
@quartz sundial since the module is above tier 0 please refrain from sharing spoilers about the environment (spoiler text really doesn't do anything tbh)
Should I delete the screenshot?
you revealed information such as the type of attack used to gain information as well
in general wherever possible redact usernames with first_initial*
Oh, these rules. It's like someone is sitting in a chat room and watching what type of attack is being carried out on some host, which is already described in the write-up
Is there some kind of chat where we can normally discuss module issues, without these pointless restrictions?
if you need clarification on the official writeup given with an annual sub, then your best bet is to reach out to support. But the official writeups, in general, have never really explained the steps performed, just goes through and performs the steps
the writeups also have authors attributed so you can @ them and ask if they can help explain something for you.
In this case, the question is about a writing project, and the writing project itself is incomplete. The author simply takes certain information as fact, without explaining how exactly they found it.
So, should I contact support now?
Maybe you could just soften the rules of this chat? Seriously, they're too strict and sometimes pointless.
they aren't pointless. modules above tier 0 are considered paid content, and discussion here is treated similarly to the streaming/writeup guidelines overall https://help.hackthebox.com/en/articles/5188925-streaming-writeups-walkthrough-guidelines
they are there so that people aren't just either accidentally spoiled or just can easily cheat their way through content with minimal effort, preserving the integrity of HTB content
if you feel the rules are too strict then you can submit /feedback. But I don't believe there's any plans to soften the rules
I understand, but rules must also be justified. I sent a screenshot of the results of a short extract from Active Directory. There are no passwords or other confidential information there, just information about AD rules. Those who don't have a subscription can't derive any practical benefit from my message and screenshot. So what's the point of your complaint?
The point is you still detailed the attack used to gain information :)
regardless of if it's from the official writeup or not
I get your frustration with feeling like you can't discuss it, but I have no real bearings on the rules in place I just help enforce them.
People who don't have a subscription don't understand that attack chain. They don't even have access to the lab. What's the point to them knowing that such-and-such an attack was carried out under the name of such-and-such a user? Please explain what practical significance this has for these people?
you don't need a subscription to access the higher tier modules
There is a rule, you're just taking it to the point of absurdity...
so that is just factually incorrect
while the gold annual sub does provide the access to the tier 3 and below modules, someone can just as easily either purchase the cubes directly themselves or save up from other subscription plans
What does that have to do with anything? Bro, I'm saying that people who don't have access to this module can't get any practical benefit from a screenshot with a couple of rules from AD
I wrote a long message with a question, and you simply deleted it, citing the mention of the name of one of the attacks in the chain. This is absurd in my opinion. The rule itself is logical, but its implementation is taken to the point of absurdity.
Thanks for your help with module
Because other people can still have access to the lab is the underlying point. From a quick google search on how linking GPOs work they update either on the next time a user logs on or during the next refresh cycle of GPOs
If users have access to the lab and you're talking about hints, I could add a spoiler to the relevant part of the message that you found suspicious. This is what moderators are doing in the OffSec OSCP preparation chat, for example. People simply ignore the spoiler and solve the problem as they see fit. Screenshot was marked as spoiler.
As for your answer to the core of the module question, that's a different issue.
Well this isn't OffSec, I really don't know why you're fighting extremely hard on it. It sounds like your question was getting at the writeup, which can really only be resolved via support
Once again, I don't mind the rules of this chat, that's not the problem.
I wrote a long message in which I didn't reveal any confidential information about the system being tested, like passwords. The screenshot was under the spoiler. And you just deleted it, citing a problem that doesn't exist.
It contained part of the attack chain for the SKILL ASSESSMENT; that's what i was referring to
Isn't this, for example, a violation of the rules? Is this a password disclosure?
even IF the attack chain is documented in the official writeup, not EVERYONE has access to that, and the official writeup is considered CONFIDENTIAL information
No because those are the provided passwords to simply access the target machines. There's a couple of them that are the default and are the same across several modules.
if it's the password provided directly by the question to gain initial access that's completely different than part of an attack chain to access something.
Generally speaking (there are a few exceptions) if it's provided by the question -> it's not a spoiler.
If it's in the reading, it's not
thanks for bringing this to our attention, and congrats we aren't omniscient we don't monitor the chats 24/7 and there are gaps where we aren't present
if you don't like how it's being enforced; then take it up with sr mods or admins
if they want us to be more relaxed then we'll be more relaxed
@lusty trench @terse sedge please avoid spoiling modules above T0
simply ask for a nudge and someone who's willing to help will ask you to DM.
I'd be very happy to. Who should I write to?
The rule about not disclosing information about the content of the academy courses is clear (for example). The rule about not disclosing confidential information about the system (for example) is also clear to me.
But the rule "clear everything that even hints at a spoiler" is irrational.
@quartz sundial the one from dodgey is in the #1024429874246590575 which isn't monitored as frequently and posts slip through the cracks
How am I spoiling the module? If you access the module you will see all of the commands. I used tags to hide what I was asking. How am I supposed to ask for help then?
you can simply reference 'the method described by the module' and ask for a nudge that way
It's considered non-free content as it's above tier 1, in which case you're revealing information, that should be paid, for free.
anyone with the role 'sr. moderator,' or 'Discord Administrator' is whom you can reach out to
oh @quartz sundial this is just an fyi, since I see you haven't done the reverification process (just clicking the discord link button on https://account.hackthebox.com/), not sure if you can access other channels (or if you care to)
(this is completely aside, just wanted to give you the bump in case you lost access to channels you previously had, not sure if Emma extended permissions to cert holders or not)
Thanks, I have re-verified
I wrote to @urban sage , it's okay?
Okay, so I'm on the Password Attack module - Pass the Certificate, and I need a little help. As I am not allowed to divulge anything about what I am actually stuck on, if anyone has completed this module, can you DM me please?
yeah that's fine, I feel like part of it may have been a misunderstanding as well on what the issue was, and that there should have been time for correction instead of instant deletion (which is our standard procedure), if i'm understanding your feedback properly :)
You can also just ask and we can get you back the content of the deleted message (except screenshots)
If you gave me time to correct my message, it would certainly be better. I would have corrected the message right away
thanks!
Will keep this feedback in mind for myself, even if it's not implemented as a steadfast rule.
Is this normal in HTB Academy ?
Welcome to the HTB Status Page
@wicked citrus please avoid spoiling module content for modules above Tier 0.
**Module**: <module name>
**Section**: <section name>
**question**: <Exact question from the module>
**Issue**: <issue without spoiling module content>
ok sorry
Module: Incident Handling Process
Section: Skills Assessment (11/11)
Issue: I am facing with the whole lab, I cannot start a pwd machine, and using the VPN I cannot authenticate into the required
I am getting this error after running impacket-ntlmrelay, I seem stuck with this I've changed the ip multiple times I am triggering the ntlmrelay. and it says it's connected then it shows the module problem.
this is in Pass the certificate Password attack module on question
some people suggested pwn box. But this week the academy vpns and pwn box aren't working
Looks to me like your impacket install is old and has some environment issues, recommend uninstalling and using uv to install it.
UV is the hot new tool among Python developers. It addresses a ton of issues in the Python ecosystem, from packaging, project management, tool installation, and virtual environment management. A lot of the tutorials out there are for developers. In most of the roles I've worked in information security, I've been much more a user of Python th...
Thanks
Hey quick question, is anyone getting any errors spawning a Pwnbox instance, I keep getting the same error for quite awhile now, I'm not using EU instances??
Oh oops thank you sorry!
yo guys
long time no questions
im on LFI module
section php wrappers
im trying to get RCE using the data wrapper
the difference is in URL encoding
i used cyberchef.org for mine
but not sure why it didnt work
well like usual
i fix it as soon as i ask for help
thanks for all whom enrolled in solving my problem
@leaden island data wrapper may not be enabled
also try and post as much info as you can in one message instead of line by line
you don't need to generate anything with cyberchef btw
-# it's a Tier 0 module btw so you probably didn't have to delete 
I just checked and the module is tier 0, but still try not to spoil things
it's a reflex
See... this is why people complain, cos you instantly delete
gotta give em a chance.
-_-
also double checking that module it involves using the text/plain; the only thing that should be url encoded with a base64 payload should be the = from what i recall
and maybe the +
i keep submitting an answer to a question "What type of network cable is used to transmit data over long distances with minimal signal loss?" in the network foundations course, Networking fundamentals, section 3 question 1. I know the answer is fiber optic cable but it keep rejecting it
type it exactly how it's written in the module
i even copied it and it still didnt work
I'll dm you
on proxychains should I comment strict chain and uncomment dynamic chain ? Because I want to configure it on the target machine.
I am currently on the Passwords Attacks Skill assessment got the initial access but couldn't set my proxychains to enumerate the external ip's
I did the ssh -D 9050 on the target but when I try to use proxychains to nmap scan the target I can't get a result
Hey, while doing the File Upload Attacks module I uploaded the PentestMonkey PHP reverse shell. On execution the target shows:
WARNING: Failed to daemonise. This is quite common and not fatal. Connection timed out (110)
Listener is running but no shell. Anyone faced this before or know likely causes/quick fixes?
Ok I got a result but I try the smb on the target I get this response
sudo proxychains smbclient -U 'UserIgot' -L //IP_Igot/
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:9050 ... IP_Igot ... OK
Password for [UserIgot]:
session setup failed: {NT_STATUS_NO_LOGON_SERVERS}
did you try socks4 also
Yes I tried it, but gets the same error I got a connection when trying nmap scan to the internal hosts but when I try to smb on the target I get this response
[-] SMB SessionError: code: 0xc000005e - STATUS_NO_LOGON_SERVERS - No logon servers are currently available to service the logon request.
I googled it and found that I don't have direct access to the DC.
yeah i don't think it is connection problem, i think you are missing a small detail
I don't know what is it. I don't use proxychains a lot, I tried in this module maybe second time.
there are other options, you can use you know them if you have completed pivoting, tunneling and port forwarding module
still on my way there
also i would advise to check out HTB Forums, many people there left a lot of useful information for modules
Heyo
I need some help in Attacking Common Applications - Skills Assessment I.
I could find the vuln
i could get dir to work and find where the flag is located ||(/url/path/to/somefile.some_extension?&dir+C%3a\Users\Administrator\Desktop\flag.txt)||
but i just cant print it somehow... i always get an empty result
(i tried more, type, tail) ive tried to encode it (just the "escapable characters" and the whole command) but it doesnt work ||(/url/path/to/somefile.some_extension?&type+C%3a\Users\Administrator\Desktop\flag.txt)||
I also tried to restart the target multiple times
Nothing works. Help
Can't find any forum on the skill assessment
i don't quite remember that actually
Module: Footprinting
Section: IMAP/POP3
Q: What is the customized version of the POP3 server?
what do they mean by CUSTOMIZED here ?
like how will i know, that the version is customized if i look at the version ?
by trying the answer
yee yippeee... i tried every version i was able to get my hands on, but not a single one is accepted
enumerate the version and try it
maybe they customized it to prevent guessing the answer
i did enumerate the version, but not working
are you only giving number like this example: 7.15.1
yesss i did try that
yeah you are not supposed to do that actually, if there is word near that version, try it with it
okay you should not spoil it
ya ik, thats why i deleted it
hey are there any problems with skills assessment sql injection fundamentals? I cant use the machine given to me it says 400 bad request
did you try that
sheeshhhhhh hellll nahhhh... last time i tried it but i was copying extra space or something, so wasn't accepted, but now it is
demmm
yeah you should look for that, it happens a lot
Check if you are able to establish a connection from target to your host
Did you try this with sudo?
Yes
The nmap showed result
But smb didn't work
If you want, you can DM your input and output.
hi, having some trouble with the Linux Fundamentals Module, the Navigation section
the index refers to ||the inode number|| right? I'm grabbing that with ||ls -i sudoers||, but that number is not working
are you ssh into the target?
module: footprinting - snmp
q: Enumerate the custom script that is running on the system and submit its output as the answer.
i ran snmpwalk but no scripts found, then i ran onesixtyone using seclist wordlist
i really can't understand what actually community strings means here
snmpwalk -v2c -c public how do we know that the comm-str is public here
how to use braa tool ?
not always you gonna understand concepts straight forward, google some articles on that and ask chatgpt to explain what is that in simple terms
with onesixtyone to bruteforce it provides the community string in brackets iirc it's ip [string] hostinfo
yes it did
that's how you know what the community string is :)
mhmm
-c <- the option in snmpwalk to provide the community string
so if the community string was htbrulez -> -c htbrulez
yesss, i did use the snmpwalk -h
W reading the docs :)
to know what -c means
with braa it's comm-str@device:OID * can be used for every device after a certain OID sub-part, the module provides resources to dive a bit into OIDS
ohh ohk
Hi everyone! I am currently having issues with the 'Reverse Shell' section of the "Shells and Payloads' module.
I am unable to RDP into the windows machine regardless of what i try. Here are the things I have tried:
- xfreerdp from my local kali
- remmina from my local kali
- xfreerdp from the pwnshell
- reset the machine multiple times (this sometimes works but only for a very short period of time)
- disconnected and reconnected my OpenVPN connection.
After spawning the target, the connection either fails or gets stuck at the reconnecting.
Try changing vpn regions and downloading a new vpn file
i cant understand what am i doing wrong in snmp
also i tried snmp-check -v 2c, but its not working for some reason
[+] Try to connect to 10.129.x.x:161 using SNMPv2c and community 'public' - stucked here
and snmpwalk terminates here - Timeout: No Response from 10.129.x.x
Try resetting the target and/or changing vpn regions to get a new vpn pack
just tell me, is the answer or the script will be in the snmpwalk result ?
Yes
sheesh, im stucked for about 2hrs
still snmp-check is not running... even after changing the vpn and resetting the target
Tried the same using the SG region for pwnbox and the US2 academy profile for OpenVPN.
The same error:
The first time it tried to establish a connection but then the network disconnects
[12:29:48:785] [5719:5720] [INFO][com.freerdp.client.common] - Network disconnect!
Then the second time the following error happens:
[12:30:32:442] [6956:6957] [ERROR][com.freerdp.core] - failed to connect to 10.129.67.126
Pwnbox region != vpn region
I suggest reaching out to support
I know, I just meant to say that i've tried doing both
Need some help? Learn how to reach the support team on Academy.
Thanks @fathom pendant!
Hello there
for the getting started module. Privilege Escalation Nibbles. i can manage to get a reverse shell but i can't seem to get the monitor.sh to work. when i sudo it wants me to give a password (which i don't have). i have already followed the exact steps of the module itself and the module does not encounter the password. any ideas on how to fix this (i have used the exact same shell and only changed ip)?
Hey, the module is above tier 0, so pasting the commands from the module is still spoiling content - yes even behind spoiler tags since people can just disable them or just click anyway
Use the full filepath
I have used the full filepath and even some variations on it. But the path was different on the machine than the one in the academy tried both. Could i be doing the listening on the port wrong?
Using the full filepath shouldnt prompt for sudo password afterwards just make sure youre listening on the right port and the payload includes your tun0 ip
Okay thank you will try
The only major thing is unzipping the personal.zip on the target
Little stuck on attacking common applications
Exploiting Thick Client Applications can I get some help please
Can't seem to replace the clientTest.class with (..)
hi im stuck on Cross-Site Scripting, Session Hijacking i cant manage to obtain the cookie no matter what I try
Look up:
ippsec fatty
or
0xdf fatty
How can I edit the config too ..
Hi there, I am stuck in Attacking thick client applications in attacking common applications. It's confuse unga bunga. Can anyone please help me?
having the same issue. what'd you wind up doing?
There, I cannot find monta.ps1, oracle.txt and restart-service.exe
Hi I need a lil help with public exploits module
I am not sure what should be the file path
Good to try just the root folder on those
I usually look at root folder, current working folder, maybe a user folder or user's desktop/documents folder
i tried that didnt work
ah my rport was wrong