#modules
I need to redo that one, since it updated
Ok no issues. Thanks.
Can anyone share where can we find tools in the spawned box
in HTB Academy interactive exercises
generally if there's tools provided on a windows host it's C:/tools/
A little confused here...
Doing the attacking common applications module, and in it, there is mention of using the updated Aquatone - which I've done, however I don't believe its format is the same as the original; I even went into page source to double check I wasn't being smoothbrain.
As far as I can tell, the header is Aquatone Report; so I'm not sure what the three words its asking for here are.
I've tried a ton of variations of the words I see here but...nothing seems to stick?
Anyone knows how to use
nxc smb -M spider_plus -o DOWNLOAD_FLAG=true towards a specific share only?
nvm. I think i need --spider <share> for specifics
For Module "MSSQL, Exchange, and SCCM Attacks" Section "Introduction to SCCM", I'm following the academy material and walkthrough and I keep getting "No DHCP responses recieved from MECM server 172.50.0.30. This may indicate that the wrong IP address was provided or that there are firewall restrictions blocking DHCP packets to the required ports" when I try to run pxethief.py. I've tried both pwnbox and my own Kali machine using OpenVPN to RDP into the Windows target and the problem still occurs. I'm currently on VPN server US Academy 5. Can anyone help? Thanks!
Doing windows priv and in the second interactive exercise. trying to solve: Which account has WRITE_DAC privileges over the \pipe\SQLLocal\SQLEXPRESS01 named pipe?
I am typing NT as the answer but it doesnt accept. How else should I approach the solution. Any hints
I executed the command: .\accesschk.exe /accepteula \Pipe\SQLLocal\SQLEXPRESS01 -v
Anyone plz help
im on windows privesc last question of pillaging section:
Restore the directory containing the files needed to obtain the password hashes for local users. Submit the Administrator hash as the answer.
I've tried to backup C:\Windows\system32\config with restic.exe but it keeps getting access denied even when using elevated powershell sessions
I have the same issue too. The pwnbox is not enough space for the AI modules when it comes to install modules on Jupiter Lab
Mine is Evaluating the Trojan Attack section in AI Data Attacks
grep will help a lot with this
i try that but i cannot pass i feel dumb lol
curl https://www.inlanefreight.com/ | grep -Po "https://www.inlanefreight.com/[^'\"]*" | sort -u | wc -l this command can help me past but i dont understand lol
Even removed packages but still need more space
FootPrinting -> SMB
we know that RPC Mapper works on port 135 which helps us find pipe names which we can then use over SMB 139 & 445, but in this section we saw that only port 139 & 445 is open meaning that the RPC Mapper is closed, then how we can use RPC service over SMB, i thought we need to have both: RPC Mapper and Transport of choice like SMB or HTTP
You can still use RPC over SMB if you know well-known pipe names. You don’t always need the mapper; named pipes on SMB (139/445) are enough for many attacks/exploits.
Thank you for answer
So in that case, we are using 135 port only to discover high port if RPC is used directly instead of SMB or HTTP?
because there are already well-known pipe names which is documented
Exactly, you’ve got it right.
I really appreciate your answer, thank you!
AI was confusing me a lot
we do not need port 135 when the RPC service is accessible via SMB named pipes (over ports 139/445), and the pipe names:
are well-known, are static and are already documented by Microsoft
The mapper is mainly for discovery when you don’t know where the RPC service is.
yeah, got it can we use it if administrator created dynamic pipe for some process
Ok figured had to mention everything after NT in the answer.
This is for anyone who gets stuck here in future.
Yes but only if port 135 is open, because dynamic pipes require the RPC mapper to discover them
yes, just as i thought thank you
try using the manual or the --help for grep to get more insight of what you are doing, the [^'/"]* is Regex which lets you use a certain search pattern
Can anyone check if web attacks - Mass IDOR Enumeration exercise works for you? I am waiting since yesterday to try to do this exercise but the page continues to load weloveiconfonts.com and doesn't complete... it's really annoying..
same issue here, just add an entry in your /etc/hosts for 127.0.0.1 weloveiconfonts.com
might wanna report something in #1234357888114364508
Anyone who's done the Evil Twins module can give me a lil sanity check on Q3? Been stuck on it for a while. Would appreciate a little nudge
thanks mate, will try it right away. I already opened a ticket for it
Hey everyone,
Is anyone else having trouble with the SQL Injection Fundamentals skills assessment?
I think the task might have been improperly updated because the write-ups for this module cover a completely different scenario.
I only managed to solve the first question using SQLMap, which isn't covered until the next module. I'm completely stuck on questions two and three, and I'm trying to solve them using only the manual techniques taught here.
Has anyone found a manual solution for Q2 and Q3?
You're adding steps
need some serious help everyone
?
i have been doing the backdoor.htb lab for hours and hours
cant figure it out
keep getting this
#boxes with the box name
Or if its a #starting-point machine, there
is backdoor a part of starting point?
Is it under https://app.hackthebox.com/starting-point?
im so confused😭 I removed the line that did the salt wc -c at the bottom but im adding steps. I showed two different things that I tried in the message above, its not all one thing.
Dm me, since the module is above tier 0
in any case I have to go, but need help later
dm please
I just need someone to help please
This isnt the appropriate chat to get help for your problem, I already directed you to the right one
Can someone help me with this please? Thanks
172.50? That doesnt look right from the jump
172.50.x.x is a public ip
Give me a second and I'll check
It's correct
but if they're in a machine on the 10.129.x.x network... how does it connect to... ykwhat
It's been a minute since I worked through this one, but what user did you use to establish your PS session?
Actually for that one, the host likely has a dual interface.
I'll spin it up on my end in a few and check things out on my end.
I am following through in the nmap module and am confused about the command examples. Either on my virtualized htb-supplied workstation or my own kali (connected to ovpn), neither of these can reach the host listed in the nmap commands; thus I can not replicate the outputs shown in the module.
This matters because the question itself at the bottom can't be solved without the capacity to reach the host, which appears to be outside of the range of ip's reachable from the interfaces in both workstation as well as my own vm.
The particular module I am working on is nmap host discovery; I know all that's required is to merely pass the appropriate flag to ascertain which OS may be running on the host 10.128.2.18; however my tun0 interface on 10.10.15.85/23 can't reach it. Can anyone help with this?
Hi! There is a way to get the CWEE exam without finish the entire path, just bought exam voucher ?
How long do the Attacking Common Services Skill Assessment Machines need to be fully started?
I always get no route to host when trying to connect via FTP
Any luck on this? So far this has got to be the worst module I've ever experienced
hello 🙂
why
Returning to Legacy displayed a different Machine IP
Thats the reason
Academy 2.0 showed a wrong ip
Ok guys, Im a bit stumped with the Firewall and IDS/IPS Evasion - Hard Lab section from the Network Enumeration with Nmap module. For those that dont remember, I need to use nmap to enumerate the target IP, to find the version of a service which is not disclosed in the question or writeup above the question. The catch is I need to do this quietly. Theres a status page at <target>/status.php which displays a counter out of 75 representing the number of alerts generated for the "system admin". I cant seem to manage to finish a scan without "triggering" the max alerts.
Here is the command im running now (takes a while to complete so I thought id start it anyway):
||sudo nmap -sV -g 53 -T 2 <target ip> -p- -n -Pn --disable-arp-ping -script safe --stats-every=10s||
Previously I used this:
||sudo nmap -sV -g 20 -T 2 <target ip> -n -Pn --disable-arp-ping -script safe --stats-every=10s||
and the alert counter seemed fine (around the 30s out of the max of 75) until the very end where I refreshed it and it suddenly said ive been "banned" for 3 minutes because I was detected.
Further, these scans take a loooong time to complete. Around 30 minutes, which given the life time of the target is limited is not ideal.
I dont think I could decrease the -T value even more to 1 because then my target's life time would run out before the scan completes, so what direction should I start exploring to get to the correct nmap arguments to solve this without getting detected?
Thanks!
Limit it to most important Ports
And only after u got the ports run version detection
You can dm if you want
so you mean, find open ports, then only run the heavy version checking part on those few ports?
Yea
has anyone completed Skills Assessment - Linux Incident Analysis? struggling on one of the questions
Is there a way to see the recommended machines after completing a module again after closing the tab?
You can refer to Academy x HTB Labs (https://academy.hackthebox.com/academy-lab-relations). What I will recommend is to pick a machine and look up the modules it recommends as it is much easier to understand what knowledge will be required from which modules to eventually solve the machine
nevermind i got it, if anyone struggles here too lmk one of the questions is kind ahard
Hello! Somone has completed Rogue Actions from Attacking AI - Application and System. I am having issues locating the flag
Dmd you rn
I definitely might be missing something here - but if anyone knows the answer to this, I'd greatly appreciate it; I'm a few sections past this part now, but its the only question I havent gotten hah
Sry for the ping, but should I be resetting the target after each attempt I make to clear the IDS/IPS systems knowledge of my IP before attempting a new form of the scan command? Im just asking because Ive noticed at around the 20% done mark, it reaaally slows down so I assume the targets defensive systems detect im being naughty and start blocking my packets
If the ports stay the same you can do that
If the ports are randomized and Change then you cant
No they stay the same. But was my way of thinking correct? Is that how the IDS system works, in that once it thinks it detects some kind of scan being performed it starts limiting the offending IP?
I am not 100% sure but i think so
Make sure to check for ports as hidden as possible, then maybe reset and then only for the discovered ports check the Version
hmmm ok, ill give it a shot. im looking at a video:
Firewall and IDS Evasion with NMAP | Practical Scenario
on youtube which seems to go beyond what is written in the htb module, but ill give it a try and then check back here if what i did is actually the intended way of solving this question
yep thats what i plan to do 🙂
👍
Thanks. I'm using user "test" password "Labtest01"
Hey sorry I got bogged down at work.
Actually the answer is already in your screenshots
Ive used just about every combination of words I can think of here, for the three words required; so, I remain confused unfortunately.
Did you make sure to check the case-sensitivity?
I believe I have; I seem to be missing something that should be glaringly obvious - but I cant quite figure it.
Hello guys someone is available to give me a nudge about the Skills Assessment of "DACL Attacks II" - Question 3: "Compromise DC04 and read the flag located at C:\Users\Administrator\Desktop\flag.txt"? I'm really stuck on this one. I have NTLM hash of user ||tangui|| and pretty much all other users, however, I can't find the attack path to DC from this user.
I managed to get foothold on DMZ01. Scrubbed through || FILE01 || and found creds to || RDP TO JUMP01 || . The problem is I can't seem to exfil dumps for offline cracking. I only learned how to exfil from Target to Host directly on the module. I don't know how to exfil since there is a DMZ01. From what I understand, I should be able to reach || Internal networks such as JUMP01 from my Kali ||. I would appreciate any correction. Any tips on what resource to look for about this?
You can DM me
I am working on a Password Attacks Module and the target machines say they're online but every command I try to run says "Host is offline"
I am specifically trying to use printerbug.py but nmap doesn't work either, i have already tried restarting them
Did you login to the website already?
Yeah I am logged in, on my desktop and a kali linux vm
Did you run || ntlmrelayx before printerbug || ? Nvm, this is wrong. You should use printerbug which you did.
is anybody have same thing with linpeas.sh when you are in an AWS environment it takes 2 years to enumerate it?
Is the pwnbox supposed to not be able to connect to the internet? I am trying to download a pywhisker.py file and it won't load
It depends
I believe it's limited to websites HTB owns/authorized and if you pay or have a subscription or something you get unlimited access.
something like that, not entirely sure exactly what it is, but yes it can be limited
What is Pwnbox? How does it work? Read about it here.
On the HTB Labs:
Free Users have a single two hour session of Pwnbox available for the life of their account, as a way to test out it's features. Free users also have limited internet access, with only our own target systems and GitHub being allowed.
VIP users have a limit of 24 hours per month to use their Pwnbox. This limit gets renewed with each month that you renew your VIP Subscription
VIP+ users have unlimited use of Pwnbox.
but that's labs, not academy
I think there is a similar limit though
Yeah I am kind of stuck because I can't connect to the host machines with my VM and when I launch the pwnbox I can't use wget to download the python files I need from github
Should be able to use your VM to connect to targets, but you can't use your VM and the pwnbox at the same time. They share the same IP and it will cause network issues if you use them at the same time.
Depending on how large the python file is you could also maybe just paste it into the pwnbox
Careful not to post content from modules above tier 0 please
That's only part of what you're supposed to be doing anyway
Oh shoot my bad apologies for that
did you at one point have the pwnbox and vm connected at the same time?
I did at some point have them both connected. For some reason it keeps saying the hosts are offline. I know exactly what I need to do and have studied the module and completed all other sections for this module but just can't get this one.
ok, terminate the target. terminate your VPN connection. select another VPN region (ie. us/eu) and TCP, download it. connect to the newly downloaded vpn file. spawn the target, wait ~5 mins, then send me a DM.
I'm having an issue with the module "Supply Chain Attacks" & Section "Testing the Tester"
Whenever I try to restart sonarqube in order to catch the reverse shell, it won't succeed. I'm also getting the Proxy Error when trying to visit the web application. I've reset the target thrice with no success. Any help?
I have seen quite a few writeups on Tier1+ modules..are these allowed if we hide the flags and all?
Hello, I'm currently trying to do the linux fundamentals but my pwnbox can't connect to the target website using curl - I'm not sure where to ask for support in this matter - but i do need help!
Hello, in the network introduction module, it says that WEP-104 has an 80-bit secret key. Shouldn't it be 104 bits ?
Hello. Does anyone know how to fix this error in xfreerdp3?
inveigh failed on pwnbox - active directory module
I didn't really understand what am I supposed to do to run the tool correctly... I launched pwnbox, connected via rdp to the windows machine, opened powershell and navigated to the tools directory and typed -
./inveigh.exe
and this is the result. what did I do wrong?
do you have an NEXURA.HTB entry mapped to its ip in your hosts file?
In Broken authentication, brute-forcing password reset tokens I have gotten the token number but can't get that to work on the actual browser to reset the password however, doing it in repeater works but as you know in the repeater i can't access the interactive feature like in browser. Can somebody give me a nudge please? I also tried changing request method from GET to POST but still no.
use elevated powershell
yes. friend said it could be the vpn
imma switch to udp
can anyone help with this
API Attacks
- 0 Exploit another Unrestricted Resource Consumption vulnerability and submit the flag.
thanks
Hi, in the module introduction to windows command line, in this exercise: What user account on the Domain Controller has many Event ID (4625) logon failures generated in rapid succession, which is indicative of a password brute forcing attack? The flag is the name of the user account. I have written this script:
Get-WinEvent -FilterHashTable @{LogName='Security'; ID=4625} |
Group-Object -Property @{Expression = {$_.Properties[5].Value}} |
Sort-Object Count -Descending |
Select-Object -First 1
The solution is Administrator but when i write it in the exercise it gives me an error. I was checking on the internet and the code is good, anyone else could help me please. thank you in advance
dm
Can anyone help, I am trying to finish up the DCSync module and am unable to log in to the Linux Attack Host.
your password is incorrect check again
It is not working with Android 15. The counter resets when rotating the device. With Android 13 it does not reset. Also, 86 steps were not enough for me
Hello, i need help for 'Web Attacks' XXE injection, someone could help me? pls
No
Hi guys, can someone help me to understand DNS? I am not new in cyber but I really struggle to understand some basic topics. Can you explain me for example when I send a mail to hr@google.com, how are steps from my client computer to hr's computer? I wanna know what is role of MX record in this process. I have asked to ChatGPT but it doesn't make logical answers. it confuses itself.
The mail client (e.g. outlook or any other) queries DNS for google.com's MX records, resolves the chosen MX server to an IP, and then connects to that IP via SMTP to deliver the email. The MX record simply tells where to send the mail.
That means your mail client opens a TCP connection to port 25 on the MX server’s IP address and sends the email using the SMTP protocol.
Update -- I had connected to too many VPN's at one point and even after running killall openvpn I still had tun connections up so restarting my VM worked
Thank you so much.
Hello, just starting the Using Web Proxies module. I am having issues getting ZAP HUD working, just wanted to play around with it. I launched an instance of Pwnbox -> Open ZAP -> Manual Explore -> URL=www.google.com, Enable HUD checked, Launch Browser: Firefox. The HUD does not load. Am I missing any steps? I have been searching online but can't find any answers.
Hello guys! Quick question, in the "AD Enumeration & Attacks - Skills Assessment Part II", I am currently in the MS01 with the PtH of the Admin, but when I try to Import-Module PowerView.ps1, I get no Exported Commands on the "Get-Module", why does that happen?
I just went through that module, that part was a little tricky. After you Import-Module, you can run a Get-DomainUser command. I got a bunch of errors while running it, but it still worked for me.
Hi all, Trying to do the Attacking Common Services - Attacking Email Services lab but the port state changes from open to filtered within a couple of minutes. Any tips? I have reset the box as I noticed the first spawn was filtered then the 2nd spawn went to filtered again
are you able to interact with it? be mindful that using a bruteforcing tool might result in a state change if you're trying to bruteforce and scan at the same time
I didn't even scan this time connected via telnet on port 25 to access smtp it worked then did the brute force scan got no results and then repeat the telnet and it doesn't work
try changing vpn regions
Ok, I'll try that now.
Ah thank you seems switching the region did the trick.
hey can someone help me with this? is introduction to sql
mysql -u root -h goowritenip -P 37448 -p
Enter password: password
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it
its literally first one exercise lol
Hey guys! I'm having a issue trying to spawn the target system in the instance. I had try various things like changing regions, reset the instance and the IP spawn...
--skip-ssl iirc
Enter password:
ERROR 1049 (42000): Unknown database 'iirc'
What would you recommend?
iirc isn't part of the command
reach out to support
it's my bad i should have made it clearer
naahhhh hahaha np ty bruuuuuuuuuuuu
how do i contact support?
Need some help? Learn how to reach the support team on Academy.
^
Hi, how did you find that password? I'm stuck in this lab
anybody done all WiFi modules?
Ok, Im trying it again, but this time I looked at a couple writeups, and they all seem to assume that you already know the "hidden" port and can thus target their scans at specific ports. But since Im trying to approach this from the perspective of someone who doesnt already have that information, I want to first do a full scan of all ports. The problem is that no matter what stealthy options I use (fragmentation, decoys, setting source port to 53, -T2, etc) I get detected, banned, and my scanning slows down to less than a crawl.
Ive read and re-read this: https://academy.hackthebox.com/module/19/section/106 and tried a bunch of various combinations of the things taught in that, but to no avail.
Am I right in thinking if this was a black-box scenario and I just knew there was IDS/IPS I would first need to do a scan of all ports, or should I have prior knowledge about likely ports based on the hint indicating large data storage capabilities and adjust accordingly? Thanks
You shouldnt scan every port i think but only those which are common for the services which probably run (like file Sharing, remote desktop and so on) because Things which get u banned are a full range scan, Script, scanning version on too many ports
Hey not sure if you are still dealing with this, but I received the same error at first. It did eventually work.
ahhh ok i see. so some prior knowledge/research is required, based on the hint. what about it if someone wants to complete this without looking at the hint though? in the main writeup of the lab it doesnt mention any info about the target service being run, so you would need to go to the hint for it
when we get Cloud Modules,is the day to be back to HTB.Does anyone has any info?
?
Anyone finished with the Attacking AI - Application and System Skills Assessment? I could really use a nudge...
I can't tell if im just missing something in plain sight but im so confused, I am working through the Windows Attack & Defense module, this question in particular "After performing the Kerberoasting attack, connect to DC1 (172.16.18.3) as 'htb-student:HTB_@cademy_stdnt!' and look at the logs in Event Viewer. What is the ServiceSid of the webservice user?"
I've filtered for Event 4769 and have ran Rubeus multiple times but nothing for the webservice or svc-iam user is appearing
Has anyone tried to upgrade from Silver Annual sub into the golden sub
if yes how does it work
Do i pay the full difference or the difference for the left over duration ..
For Ref. i got a silver sub back in aug. and would like to upgrade to the golden Annual sub.
reach out to support for full answers, but i believe it's just pay the difference in full, but i could be wrong.
Anyone getting that machinery simple isn't spawning?
Hello everyone I am having an issue with the skill assessment for windows lateral movement, getting the vnc password, i can’t get a reverse shell to spawn when running sharpwsus. I have tried using chisel and a reverse shell and just having netcat listen and having the reverse shell going to the wsus server, also i have tried using psexec running a powershell one liner and completely stumped on why i can’t get the backup server to connect to listener. If you have completed this can you dm me?
I also even tried making a firewall rule to open up port 43389 and 5555 as well and tried to enable rdp as well.
Hi guys, recently I cant find a way to access HTB Machine (Instances). Does anyone know why?
which module?
yo guys, im on file upload -> skill assesment
im half way there but been stuck for days
anybody i can DM ?
dm please
i do it understand it but whatever i type is wrong, whats the answer can u help me word by word?
The difference between 5 and 10 is 5. Its just doing math, open up a calculator and find out
OH U MEAN I HAVE TO SUBTRACT IT?
OMG THANK SO U MUCH
Unfortunately...I still havent been able to pass this question even though I'm halfway through the rest of the main module now hah; any tips? I've tried more since posting this, and still...I just cant seem to parse it and figure out what the three words its asking for are.
dm please
any one can help Wi-Fi Evil Twin skill assessment question 2? i alway no rce, and i try again and again... i very ensure all my step are correct
If anyone from the official team sees this, please help me out. I’ve gone through many past comments, and a lot of people haven’t been able to solve this issue. I’m sure it’s not a coincidence, and it seems like everyone’s problems have been left unresolved. It doesn’t feel very good
RCE works if everything is configured correctly, so you're probably missing something
I am having the same issue - tried commenting out proxy_dns in proxychains and just specifying IP address but always errors- then suddenly I remembered use sudo
hey mate shoot me a dm if you still need help
Hey, can anyone help me with Insecure Library Load Through Deep Linking (Android Application Dynamic Analysis)? The app seems not to update to version 2.0? Does anyone have similar issue?
im trying to do this question i used this command: adb shell ls -l /data/data/com.hackthebox.myapp/files/flag.txt
But i get a permission denied error
am i doing it wrong?
adb root;
[Then your command]
Whats more it looks like: android.permission.MANAGE_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET] so the permission is not set properly but I grant it when the window shows, can anyone help?
i found the path using adb shell pm path com.hackthebox.myapp
But when i put the path in, it shows wrong answer... im pretty sure the command is correct tho
Hey guys has anyone done the "Lateral Movement Post-Exploitation/Pillaging" part in the AEN lab ?
yep
the privilege::debug and the lsadump::secrets does not work ..
i even did "runas /user:ilfserveradm "cmd.exe"" and ran mimi still no luck xd
blind sql injection - Skills Assessment
Anybody i can DM ?
me
And android application dynamic analysis?
If you have changed permissions, you must log in again with the user so that the permissions are applied.
so ill have to relogin via rdp again ?
Yes, that should work.
i tried this but it doesnt work
nvm got it 🙏
Abusing HTTP Misconfigurations - Skills Assessment - Hard
Anybody i can DM ?
@fathom pendant Howdy Marcie, might I dm for a question about something that may very well be incredibly obvious and take two seconds to point out?
Related to a webpentest path module, of course.
Hello, just checking if I am the only one. I am currently doing the lab in Wi-Fi Penetration Testing Basics > Wi-Fi Interfaces. When I connect to the RDP, it keeps on kicking me out. I've tried both VPN and Lab Instance. I use xfreerdp to connect. Any suggestions?
https://academy.hackthebox.com/module/18/section/81
hello, I am having trouble with the first question on this module. I believe I wrote all the code correctly and received the right answer, but when i put in my result it says its wrong
You can try switching regions and/or VPN protocols.
Has anyone completed the Skills Assessment in the Attacking AI - Application and System module. Been struggling for a couple days now and could use a nudge...
In the Skills Assessment for Attacking Common Applications for WebPentest, on Skills Assmnt 2, the first question seems to be refusing my answer for the WordPress url, even though its the only wordpress install I seemed to be able to find; I've finished every other question aside from this one. 
Hello, Password Attacks Module, section Pass the Certificate. I am doing the command impacket-ntlmrelayx and doing the printbug.py command but when i go back to ntlmrelayx nothing comes through... Any help ? Anyone i can dm ?
You can dm me if you still need help 🙂
this worked. Thank you!
Figured it out, after overthinking it, and crawling the forum; doesnt like the trailing slash, it turns out.
Firewall and IDS/IPS evasion - Hard lab i just find the flag it was pretty clear but still maybe its due to my internet speed where i am now isnt so good but this port with e.g sudo nmap <ip_address> -sS -Pn --disable-arp-ping -p- takes ages is this normal ?
because i couldnt see the port that i supposed to -sV but with a hint i did.Did i have to know which port is for that purpose that they mention on hint or my nmap scan wasnt good to detect this port?
also the status.php in site alerts was increasing without even doing something is that a bug or ?
hello
I have a problem with this section https://academy.hackthebox.com/module/136/section/1290
when I upload a file to the server that has a PHP payload the server consider it as a picture and does not execute PHP code
The easiest way to not fail the MIME magic byte check is to upload a legitimate png file and replace the content of the image. The magic bytes will be set for you.
Try with GIF8
they consider it as a Picture and the code won't execute..
Also, the problem is with your file extension in the end
Extension whitelist is blocking it
Try something else
If it says "picture cannot be shown cause it contains error" means whitelist is blocking it
I know I know
It would sometimes show "file uploaded" but won't execute it
Its a false positive
The whitelist would still block it
Try some other extension
so the problem is from the signature.. I got a signature from the a website and paste it in.. still the same error
You can try any MIME type
If the whitelist is giving a false positive but still not executing the code, you would have to change the extension
they don't say there is a error.. they just show a black Picture.. that has the code.. that's it
Show a screenshot
Try a different extension
It's a hit and trial
Also don't use $_GET
Use $_REQUEST
just a picture..
Probably best to take this to DM's as the module is above tier 0
DM who?
You can ask if you can DM someone about it
who should I DM?
just a lot being spoiled here
the support team say that you should ask in discord🥀
Yes, this is the place to ask. But you don't need to reveal details like that. If you feel like you need to reveal more you can ask someone to take it to DM's.
then can I DM you?
I'm busy rn sorry, but I would advise trying more combinations built off the previous knowledge you learned in the other sections
any one can help?
You can DM me if you want
Hi Everyone, I've been working through the Attacking Common Services Medium Lab and have hit a wall. I did brute force a few subdomains, but after enumerating them they seem to be a dead end. I've tried to brute force FTP, SSH, pop3 with no success and using anonymous login, so looking for a little direction.
Hello all,
I am currently going through the HTB Academy File Upload Attacks Module and am currently at the Upload Exploitation section.
I am trying to get the reverse shell with the Pentestmonkey PHP Reverse Shell Code and provided my VPN IP from tun0 interface and the port my Netcat is listening to.
But it isn't working. I am using Kali Linux inside a VM. Maybe someone else did encounter a similar issue in the past and might be able to point me in the right direction?
The OpenVPN Connection is working as I am able to reach the web application and was able to at least get the web shell.
I am pretty sure there must be something I am overlooking, that the application machine isn't able to reach my machine via the VPN connection, even though I can ping it.
Any help is appreciated.
Are you checking for non-default ports? 😉
I have not taken that approach yet
I'll give that a go
Thank you
There are likely rules in place to prevent outbound shells. The IP you're dealing with isn't internal, it's a real docker container spawned that's reachable from the clearnet, no need for a VPN. Try another way that isn't a revshell to gain code execution.
@dreamy oyster Please do not post content from modules above tier 0. Just because it's showcased in the module doesn't mean you can or have to do it. Sometimes it just shows you what's possible. I am not 100%, and it may be possible, but I think there are egress rules in place to prevent a revshell from the public docker containers it spawns. Your VPN doesn't mean anything here because again, it's a publicly accessible IP from the Internet, no VPN is required to reach the target.
@cloud urchin Thank you for your help, I just got the flag!
The section even says it may not work due to firewall rules, etc
Time to start the hard one 🙂
Ok I get that and understand that now after your explanation. But gotta be honest. It's kind of confusing that there are literal instructions provided and written in a way that seem like we should be following them to learn it.
But still thank you very much. Your second explanation helped a lot.
I'm stuck on Q4 of the NTLM Relay Skills Assessment - would really appreciate a nudge.
Password Attacks - Pass the certificate section: Submit the flag of the Administrator, ive got a ps session for jpinkman and i found the admin password but for the life of me i cannot find a way to either execute a single command as an administrator or switch users, the Enter-PSSession command doesnt work, can anyone help me out?
Please remove the spoiler for where you found the password. That's a Tier 1 module.
ty
Apologies
Hello everyone I am having an issue with the skill assessment for windows lateral movement, getting the vnc password, i can’t get a reverse shell to spawn when running sharpwsus. I have tried using chisel and a reverse shell and just having netcat listen and having the reverse shell going to the wsus server, also i have tried using psexec running a powershell one liner and completely stumped on why i can’t get the backup server to connect to listener. If you have completed this can you dm me?
hi does anyone have the issue where droopescan just hangs when it is executed? it shows something like this:
modules [ ================ ] 1228/4000 (30%)
I have been pulling my hair for hours
I'm pretty sure you don't need ligolo, chisel, etc., to catch a reverse shell on your VM or whatever you're using. Did your patch get applied?
Can i dm you?
Yeah go ahead.
I never had an issue viewing all ingested data from numerous domains.
Very weird then, most of this stupid vm is weird tbf
Is this from a lab?
If you are using the most up to date version of BH-CE, maybe it would be worth it to pull down and compile the most recent compatible version of SharpHound. I'd also give netexec a shot to see if that ingested data makes any difference.
I didnt give netexec a go! Woopsie. No its regarding the exam so didnt want to give anymore context than that
Meant to be in cpts chat sorry about that
Def worth having a few tools to do the same thing, as the old "2 is one, 1 is none" helps out immensely when something fails or doesn't work.
Ive deleted now, realise even having that is context
Definitely fell into that trap few times now! Thank you
Well it looks like you are between attempts?
I am indeed
Was hoping to prepare some better screenshot and sort the tooling out better
It was a mess during my attempt
Well take the time to work through the things that didn't work, i.e., BH. Spin up labs and see if you can get the tools to work there.
Definitely on tomorrow's agenda, tonight was more seeing if this is a common issue or just my end, usually the latter but never know
dont always rely on bloodhound
One point i mangled my etc hosts so much i couldnt get to the target, some tools worked and some had a big fart 😅
manual enumeration is very important
Yeah when you bugger up the basics tho, even manual renumeration failed, which pointed me at etc hosts tbf
Enumeration*
Yeah man, it happens. I also had issues with my BH, but was able to rely on PowerView and dacledit. Just like Vege is talking about manual enum is important to be able to perform. BH does a great job, but may not always get everything that can be necessary to know.
Its precisely the lesson I learned going into cpts the way I did. Bulldozed in thinking wrongly that BH was the first and foremost solution to AD pentesting. Suffice to say mistakes and assumptions, lessons have been learned. Ty both! Gonna sleep now, see you all around
hello everyone I'm sorry this question isnt related to the academy but I had a question about pro-labs and when someone should start experimenting with them I've done 100+ machine on active/retired labs I would just like to get opinions thank you!
bloodhound is so broken for me it doesnt load anymore i dont know why
anyways my VM was unable to boot accidentally deleted files and lost good tools
bloodhound can do a lot of the work but nothing beats manual enumeration, even if it is more time consuming
bloodyAD and PowerView are great supplements
In the module Pentest in a Nutshell, lab Linux Information Gathering, I log in as anonymous but don't have access to download file. In the lab it is supposed to download as anonymous for further recon
are you certain the file exists in the current working directory in ftp?
Yes, I do check it before
try using PASV mode and RETR I guess
Oh sorry my bad, I know why I get this error 😄
I am using FTP command on the directory I don't have write permission lol (/usr/share/seclists/Discovery/Web-Content)
Back to my previous example, id love to have used bloodyAD only that i buggered up my vm to point tools of that nature wouldn't connect to the target.. lots of trial and error and local enumeration ofc youve assumed ive not used any of these tools before
attacking graphql skills assessment section need some nudge ...did the second half part but can't figure out the first part(i.e. foothold or logging in)🥲
Hey guys I can’t run privilege::debug because my RDP i believe the session is using a filtered (medium‑integrity) admin token. Even though my user is in the Administrators group, Windows applies UAC remote restrictions to RDP logins, which removes all admin‑level privileges from the active token.
whoami /priv shows that SeDebugPrivilege isn’t in the token at all, so Mimikatz can’t enable it and fails with RtlAdjustPrivilege(20) c0000061. Tools like PowerView or Enable-AllTokenPrivs.ps1 can’t fix it because they can only enable privileges that already exist. runas also doesn’t elevate.
advance xss warmup session, the admin won't trigger the xss. i test it myself and manage to steal cookie, but can't steal the admin cookie. any help would be greatly appreciated
I am stuck on Linux local privilege escalation skill assessment . I figured out that the flag is related to tomcat so I guess I must acquire access as the tomcat user . However I don’t know how to do so . I search for credentials but nothing
info gathering - web edition
why is it that we didnt add ||port in etc/hosts/file|| and ended up adding it ahead of ||inlanefreight.htb:<port> in gobuster||?
Update : I found tomcatsdm password but it won’t work for tomcat user
Update : I got a shell as tomcat user but I can’t priv esc to run . I used sudo -l but the binary that can be run as root can’t be exploited
Hello all. I try to pass the skill assessment of the web attacks module for the cwes. The thing is that the htb server is really slow (90 seconds to respond). I tried with different wifi connection and the result is the same. Is this normal ?
Hey guys any idea why this don't work?
awk default delimiter is space not ","
You don't need to use tr either btw, awk -F and then indicate what delimiter you want to use
yeah but it was a little exercise where i need username, UID and shell separated by a ",", but do you know how to display the ,?
i mean idk if there is an easier way to do it but i'll just do this :
cat /etc/passwd | tr ":" "," | awk -F "," '{print $1, $3, $NF}'|tr " " ","
Run it through 'tr' again and replace " " with ","
Easy peasy
You don't need the first tr actually
since you can specify which delimiter you wanna use with awk
Nice Guys ty ◡̈
awk -F ":" '{print $1, $3, $NF}' /etc/passwd|tr " " ","
You don't even need cat really.
awk -F: '{print$1","$3","$NF}' /etc/passwd Don't need tr even
Hah! Out of curiosity I asked GPT for the shortest solution and it spat out the very answer I gave above as the shortest possible, minus the spaces before and after the pipe
It's the little wins
Makes me want to go play regex golf.. but that feeling was fleeting
I'm curious if there are plans to update the DACL Attacks II module to add a BadSuccessor section. Just completed a standalone box with BadSuccessor on it and can confirm that it's definitely an ACL misconfiguration.
Not something I can comment on I'm afraid, feel free to hit us up in #1234357888114364508
Done
Thanks!
Hello, Password Attacks Module, section Pass the Certificate. I am doing the command impacket-ntlmrelayx and doing the printbug.py command but when i go back to ntlmrelayx nothing comes through... Any help ? Anyone i can dm ?
Make sure the printerbug.py IPs are in the correct order. The whole point of authentication coercion is tricking the target into sending its authentication back to you, not the other way around.
May i dm you ? i feel like i am doing it in the right order.
Absolutely.
Just sent you a DM; waiting for a response
Hey. I'm wondering whether i've just observed a security incident on the VM in the module i'm working on. Working my way through the local file inclusion module and was running a python web server for the remote file inclusion and i've seen some unexpected traffic against it.
should i paste the traffic here? who should i go to to double check?
It's possible another user sent traffic to your target machine that you're working on
its attempting to connect to a russian domain URL
Which module / section is this for?
Local File Inclusion module - Remote File Inclusion section
and its not hitting the target machine - rather the vm i'm using / working from
Just a quick question that I wanted to ask about the estimated time for modules, when a module says 2 days does that refer to 48 hours, or 2 working days? (e.g. 9-5, so 16 hours)
2 working days
Awesome thank you Marcie.
I recommend ignoring it though
Because the time estimate doesn't account for note taking or difficulties implementing techniques
So err on the side of it taking longer than recommended basically?
Yep, and if you take shorter pat yourself on the back.
Fair enough.
Hello everyone.
I'm going through Skills Assessment - SQL Injection Fundamentals and I can't figure out how to pass the first question, I got the hash, but it doesn't accept it, I think I'm doing something wrong, can you push me to put me on the right path?
Thank you in advance
up: They helped me, thank you.
Copy paste the whole line
And don't copy space on sides by mistake
It should work
I have myself a problem:
In the Advanced Command Obfuscation section of Command Injection attack I got the output of the command but it does not work when I submit the solution. Am I missing something?
Maybe try manually typing, you're probably catching a whitespace character or something
Hey there, I'm doing "Shells & Payloads" module, section "Reverse Shells". I was getting errors after errors from powershell from the compromised host side:
powershell.exe : ScriptBlock should only be specified as a value of the Command parameter.
At line:1 char:1
+ powershell -nop -Command "$client = New-Object System.Net.Sockets.TCP ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [], ParameterBindingException
+ FullyQualifiedErrorId : IncorrectValueForCommandParameter
whatever using the pwsh one liner from the course material, from online cheat-sheet or payloadallthething cheat-sheet. I tried some variant but still getting errors from powershell.
I did turn off Defender just in case (even though the error wasn't related to that) but still having issues. I ended up uploading a quick ps1 reverse shell file and it worked at the end but this is not the intended method, any suggestions ?
Edit: I made sure to launch pwsh as admin
PowerShell thinks your payload string is being passed as a scriptblock instead of a normal string. Probably because of quoting or special characters. Try wrapping your payload in single quotes.
Thank you I'll try that
I am stuck on the file upload "whitelist" section. I have uploaded a successful powershell extension... however, when I go to the url profile_images/phpbash.min....?cmd=id
Its an error... I am not sure what to do. I have been stuck on this for a long time now. Looking for any hints possible!! Thank you
Your php code is wrong. Also maybe try a simpler extension.
ahhh I see I was missing parenthesis in the php code. I tried the wordlist that HTB provided from github. This is the only extension that provided the "File successfully uploaded" message
If it doesn't work, which I don't think it will, probably go over the section that shows how to bypass the extension filters again and try all the methods.
but yeah first correct the php
Awesome. Thank you for the help!! I will keep at it!
Hello There,
I am actually in the Section Privilege Escalation of the Module [Intro to C2 Operations with Sliver].
I am facing some issue to get my beacon work I followed all the step of the course like :
- Create the http beacon port 9002
- Upload the beacon on temp folder
- Open listener on 9002
- use donut to obfuscate the binary with the right command name '-cmd c:\temp\http-beacon.exe'
- Use rubeus to spawn notepad
- use this pid to execute the bin generated by donut
But i still don't get the beacon connection back. I tried multiple times but i am stuck on that. I have the same output for each step from the course but i checked the right info like ip, ports, everything seems good
hi
Hello! i have a question! in the skill assessment of password attacks! i have opened a ssh connection with the D flag and then i run proxychains nmap to scan the internal ip but i get All 1000 scanned ports on 172.16.119.10 are in ignored states. any hints or possible mistakes ?
Hello, anyone that have done ADCS attacks that can help me? im at the last question on the skill assessment, just wanna check if its a problem on my side or the server(s)
You still having an issue?
yeah 🙁
You can shoot me a DM.
Ive got a question about the DNS section from the Footprinting module. For the last challenge I need to find the FQDN of the host ending in 203, and while I run dnsenum with all the lists in /usr/share/seclists/Discovery/DNS/ I dont get any found which end in 203. Im running the bug-bounty-program-subdomains-trickest-inventory.txt and n0kovo_subdomains.txt ones right now but since they're quite large its really taking a long time. n0kovo does seem to give me more results than the other lists which all seem to give the same 3 subdomains (ns, app, and mail1) so it looks promising if it finished any time tonight.
My question is, is this the right approach to tackle this question, or should I be using a different method to try to find the mysterious missing host? Ive searched in this channel as well but havent come up with anything thats shedding much light on the situation. The post im replying to is the only one I found, which does mention that it can be a subdomain of a subdomain, but Im not sure how to search for those
did some1 manage to finish the section SAE downgrade attack in the 'Attacking WPA3 -wifi-networks' module?
I would recommend starting with the smallest list and working up. Also don't forget that subdomains can also have subdomains.
alright, im going through them again with the -r flag and --threads 10 to hopefully speed things up a bit, and a couple of the lists im seeing errors like this:
Thread 5 terminated abnormally: empty label in "nomoney...noserver...nowebpage..inlanefreight.htb" at /usr/share/perl5/Net/DNS/Question.pm line 79 thread 5.
Ive looked around a bit and it seems the github for dnsenum has been abandoned, so im wondering if this is a problem, or if i should just ignore these errors and move on to the next list. E.g. the shubs-stackoverflow.txt list was all errors, no results
Hey guys, how would you find this one? I have the answer but don't remember how i did it
There's more ways to find it other than dnsenum.. lots of tools can do it. Idk about that specific error, looks like your connection died or something
hey guys, im doing "Firewall and IDS/IPS Evasion - Hard Lab".
I need some guidance please.
I have tried various different techniques to retrieve the dns version info i.e techniques include evasion, ip spoofing, traverse through open ports, disabling arp ping, icmp ping, tried NSE script dns-nsid.nse and can't get a breakthrough. I also enumerated open ports in case of data leaks that might help but i can't find anything.
Any guidance please, and if I'm on the right track?
I actually had this issue yesterday, so you might be able to go a bit back in this channel and find what others replied to me
but in the meantime, ill tell you what I ended up doing to solve it
If you look at the hint, it tells you they have a specific use case for the mystery service. If you then search online for something like "most common X technologies and their network ports" (where X is the use case) you might end up with a list of ports to scan
I assume youre trying to avoid getting "detected" and banned, but youre performing a full scan using the -p- flag?
hey guys?
I didn't think of using -p-, because of the IPS detecting 75 alerts before being banned. I will try to use -p- and set some timing setting i.e T2 to avoid IPS detecting too much activity.
Im running the nmap scan, and im 54/75 alerts already, and scan is only 2.60% done, this seems like it will take a long time.
I dont think that will work tbh. I played around a lot with the -T flag, with decoys, with source ports, etc... and i was getting detected constantly. Try to target specific ports based on what you know about the service that the question is directing you towards
yeah I stopped the scan. I will try to use the hint and what you mentioned previously and see where it takes me
yeap. good luck! 🙂
lmk if you get stuck again and ill try to help you without giving too much away
Has anybody done the machine certified?
Hello Everyone I need Help in the Login Brute Forcing (Custom Wordlists) lab https://academy.hackthebox.com/module/57/section/3209
I tried all the tools and it took too much time and finally not working to get the flag
Sent a DM happy to give some pointers :).
Why is the tool stopping in this area ?
You can use Wireshark to observe the traffic and deduce if the tool is working or not
turn verbosity on -V
Hey guys, I've been stuck in the Login bruteforcing Skills assessment part 1 (https://academy.hackthebox.com/module/57/section/515). I've tried restarting the machine multiple times but nothing seems to work
hydra -L top-usernames-shortlist.txt -P 2023-200_most_used_passwords.txt 83.136.250.108 http-get / -s 38340
The wordlist just gets run out everytime
Hey, I'm doing the Web Attack Skills Assessment module, and I'm really at the end of the exam as I can read most of the files on the system. Problem is I do not know how I can execute command or find the flag file's name as ||allow_url_include|| and ||expect|| are disabled on the server could somebody give me a hint ?
Try proxying the request through burp as it will help you see if your request is properly formatted when sent
or use the -V as advised above
Does it need to be chained with another type of vuln ?
Right... I just don't know how to read a question, the flag was just located somewhere simple to be reached
Hi all, I am trying to set up tmux logging via the guide, but keep getting this error.
Hi guys trying to solve Online PIN Brute-Forcing using Reaver, i already waiting 20 mins and still dont get a result for question: "What is the WPA PSK for the WIFI Network named Corp-VPN". My progress is on 4%, does anyone knows am i solving it correctly?
Founded... Try to use all methods that was written in article.
You can try : pkill -USR1 tmux
hello is this the right channel to ask for some help or guidance regarding the skill assessment on SQLi
Hi,
Working on the last question in "Skills Assessment - Web Fuzzing".
" Try fuzzing the parameters you identified for working values. One of them should return a flag. What is the content of the flag? "
I have the parameters that need to be fuzzed and it seems ||the main issue is the wordlist you need to use||. Given the nature of one of the relevant parameters it's fairly clear what we're looking for but I have tried all of the relevant|| Seclist lists one of which is several million entries long (I also have tried those used in the module itself - which are not of the sort one would think are needed for this particular value) || and I'm still getting no hits. So, what to do?
Postscript. Got it. I had mis-named a crucial parameter in my fuzzing which led to a bunch of empty cycles. Silly typo!
Is it only me or do we have a problem starting Pwnboxes ?
maybe It went wrong for me cuz I tried getting more time after the timer hit 0 and since it kind of gave it more time but was in a weird state it didn't kill the vm properly and thus didn't drop my instance count ?
Hi
I'm trying to answer the last question in "Enumerating & Retrieving Password Policies" in the active directory module
I need to retrieve the password policy but I am not given any credentials and smb null session didn't work (tried enum4linux -P <IP>
what can I do?
tried multiple time, even logging off, didn't work out
Maybe try a different region
I did, it didn't work either unfortunately
You should be able to use the user credentials used in the first example underneath the very first paragraph section.
guys I got the smb creds in password attacks Network Services and i can list the folders but I can't get access to any of them
i'm just wasting my time without doing any thing
also I can't connect to rdp
Are you talking about the Password Attacks - Credential Hunting in Network Shares section?
yes
Have you tried using any of the techniques shown in the section?
And you didn't get anywhere with netexec?
smbclient -U user \\10.129.42.197\SHARENAME
not working
I got the creds only
and listed the shares
using smbclient
but I can't access to any share
Ok, so you have credentials. Are you saying they didn't authenticate when you used them with netexec?
Probably need to add the domain for smbclient to work.
anyone facing issues with launching pwnbox?
No issues on my end accessing via RDP for this one.
I'm getting "There are no available instances. Please again later"
do u mean -U "WORKGROUP\USER"
for me it works
I tried with pwnbox and my kali it's not working aswell
Use smbclient -? to view the various ways to use the tool and how can authenticate or smbclient --usage to get a short view on how to use the tool. I am not trying to be difficult, but being able to self identify issues and troubleshoot is also an important piece to problem solving.
You can try switching regions to see if instances are available for use elsewhere.
Make sure you are only connected to one at a time, i.e., not both at the same time.
Try adjusting your MTU, using the recommended xfreerdp flags or switching to TCP VPN https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn#h_480d492483
All you need to know about the VPN Connection for Academy
MTU specifically has helped others with weird RDP issues in the past
Heyo
is it just me or are all of my modules don't allow me to start a workstation
?
[-U|--user=[DOMAIN/]USERNAME[%PASSWORD]] I think u mean this but also not working and I appreciate that but I have been trying for more than hour just to login🥲
alr ty
If you're having issues with the platform, your best bet is to reach out to support @quaint raft
Need some help? Learn how to reach the support team on Academy.
You can shoot me a DM and I'll take a look at what you have going on.
Appreciate it, thanks!
Hey there , the chat window mentioned didn't pop up for me
Need some help? Learn how to reach the support team on Academy.
Here's how you can solve this problem ^
anyone having any issue with the Password Attacks - Pass the Certificate module? i cant seem to capture the credentials using the printerbug, ive tried every template and still not working, anyone please help
and its not any syntax issue or anything, the printerbug is getting triggered but ive not been able to capture the certificate via ntlmrelayx
Tried with the default one , domaincontroller, web server etc (all possible template which i go after scanning using certify)
i tried will both of the ips too (initially tried with the ca one ) so basically nothing left to try
@gray yacht could you please help bro?
Please don't just ping people randomly.
As soon as someone who can help you is online, he or she will answer your question.
sure
Sorry for bothering, but has anyone else had an issue with the footprinting module and getting the FQDN for the .203
when I run DNSENUM, i only get 4 options, am I missing something?
yes in academy, under host based enumeration for DNS
I ran dnsenum with the spawned IP and used subdomains-top1million
I was able to do the first three questions with no issues
I did try fierce as well, but that only gave two
ok have you tried a different word list ? Tried Dig?
dig any inlanefreight.htb @<ip>
the one the academy gives is mostly an example it wont hurt to try some other wordlist which might contain your answer , always remember that in some cases you might have to adjust the response time too so have that mind set while approaching the academy modules imo .
Roger that, im trying bitquark seclist rf
i've tried subdomain-top1million-110000 and fierce-hostlist but no dice :\
dig any inlanefreight.htb @<ip> this will give you what you're looking for btw
'any' verbatim? or any like 'ns' 'ptr' etc
any as in anything , no specifics just grabbing everything
at least the ones with the visible IPs that is
ok, maybe im missing something but what do you mean loopback
info gathering skills assessment, host is showing down ..I already added entry to etc/hosts
Btw thank you Ge0 for helping, I do appreciate it
The loopback address means an ip address which points out to yourself ie (127.0.0.1) in this case since we are not part of that domain or something like that it just gave that address in the loopback (which is a default) im guessing either way any subdomains we get we use those later on for different attack vectors.
Np dude
inlanefreight.htb
This line is a public ip, and there should be a port they give you
Subdomains of subdomains, dnsenum misses a key domain that you should be able to start from
Also the module is above tier 0, refrain from sharing screenshots/spoilers
gave -Pn flag and it worked
One of these wordlists is right
Nmap wont get you far on a public ip
my apologies
@violet grove Oh sry, the last question yeah so when you find a subdomain try to brute force that with the same or different wordlist, try using ferox buster which will do things like that easier.
Dnsenum works just fine
so it sounds like my current search is only skimming the top?
yes
From your first attempt if u got xx.balbla.com now again try with that domain so you will get aa.xx.blabla.com
there is a correction in this feroxbuster Works on HTTP/HTTPS URLs thats after you find the domain , i thought it had the option to enumerate domains too but luckily no just checked , yes use dnsenum
Hello! i am stuck in password attacks skill assessment! I have foothold in DMZ01 and trying to find a way to nmap inside the private network, i tried to proxychain nmap but all ports seem to be in ignored state! then i tried to scp a static binary to the dmz01 but no luck! any help or hints?
Did you complete that "pass the certificate " module?
-Pn is a helpful flag, proxychains doesnt generally like ICMP packets
yeah thats bugged i guess..
You should probably do that before the skill assessment- just saying
If you think its bugged, reach out to support/submit in #1234357888114364508; I had no issues when I revisited this module after its update
I scanned and got a list of templates tried with all the templates , the printer bug is getting triggered but im getting a "Authenticating against http://10.129.156.227 as INLANEFREIGHT/CA01$ FAILED"
Tried this on DC01 too btw (all templates , domain controller ,webserver etc)
Make sure youre requesting the right servers for the tasks, I think it can be clearer with which server they want you to send which requests to
Im not available to dm its a family week for me due to US holidays
yes ive visited that webpage and that endpoint exists
You're alternating between DC and CA
Have a wonderful trip
I hope you have a good time with your family~
So the first thing ive checked in order to see what's wrong is to visit that endpoint ie http://10.129.126.6/certsrv/certfns.asp (which exists on the CA) then i tried all the necessary steps, every time its an error
Np ill raise it there you enjoy
With what? Pass the Cert from Password Attacks?
That'd be it
If you are still stuck, I have some time. Likely just a small issue.
Hey, did you manage to figure it out?
Are you stuck on the 3rd question for this section?
yes
Are you on the host?
uuum, not yet..however from the other section i had a shell on the host
Check remote access auth using the provided credentials to see if you can easily get on that host and then reference host based techniques covered in the section.
okay..let me do that
hey, i mentioned this in #1441240631862235166 message but when attacking applications like PRTG with brute force protections, what approach is typically recommended in real-world scenarios? this was not discussed at all in the module
i know from my own attempts that it's possible to slightly push the rate limiting but too much will end up with false negatives. is there a module that discusses different methods of soft brute force rate limiting and ways to approach them?
So I finished Pass the Ticket (PtT) from Windows but am trying to understand something.
Using rubeus or mimikatz to inject a ticket works fine with PS Remote on windows, but if I attempt to use portforwarding via Metasploit with proxychains it is not possible to connect directly to DC01.
For example,
sudo proxychains impacket-wmiexec INLANEFREIGHT.HTB/john@DC01.INLANEFREIGHT.HTB -k -no-pass
fails even after using export KRB5CCNAME=john.ccache
I also tried various other impacket-exec scripts like psexec but nothing works.
@fathom pendant @fresh moth after playing around more with the enum prompt I was able to get it, thank you for your help ❤️
Did you try evil-winrm?
For Burp Pro I am not able to increase crawl depth to more than 30; as a result I wasn't able to complete the skills assessment - info gathering web edition
can anyone confirm if this is the same limit for all?
Yeah, so there is no issue when using the NTLM hash for both domains, but it fails when using impacket tools with kerberos.
I can use kerberos to login as julio, but not john.
With winrm or wmi?
Which confuses me, because I am able to use an injected ticket from windows MS01 to DC01, but not directly from linux to DC01 with proxychains
evil-winrm
You can DM what you are trying.
Sure, appreciate it
Hello all. I try to pass the skill assessment of the file inclusion module. I'm at the very beginning and I struggle. I think that I have to check on the php file that gives the src for images. That is the only thing I can see for now. Am I right? Do I miss something?
I can upload a shell with a pdf but I can't access it yet. I have found the directory /upload but nothing more
Dm me!
Anyone I can DM for Windows Lateral Movement? I am Stuck on the 3rd question
Which section?
Sorry, on WinRM
I know it is a double hop problem, but I am stuck on the correct order of my commands i think
Or you can create a credential object for PowerView
get-domainuser -spn -credential $Cred | select samaccountname
@boreal karma Please take care not to post content from modules above tier 0
Was there any resolution to this? I'm having the exact issue - wmiexec doesn't find the flag, smbexec does
Probably permissions on the file
Wmi will auth as the user in your ticket to the wmi service
Psexec/smbexec creates a service that runs under SYSTEM account with your ticket, and you get the shell from that
Huh, makes sense
Cheers
which tier of module should i stop doing everything
and focus on 1 path only
cuz i know tier 0, im supposed to do everything since its just fundamentals and basics
but where do i stop doing every module in a tier?
Away from my notes so cant confirm but is there AV on AEN?
Prob better to delete the spoiler alert since they will most likely tell you to.
You can dm if you want
Oh ok. DMing you
Thanks!
Guys can someone help me with Attacking WI-FI Protected Setup - Skills assessment.
So i found PIN for the first question, but what should i do with the second (HackTheBox-Corp)? Im getting locked AP every time im trying to guess the PIN and mdk4 is not working on virtual Machine, any ideas how to find solution?
The PINs from wpspin, also doesn't work either. Any hints?
Hi! I am currently studying API Attacks Module & I am stuck on Broken Object Property Level Authorization. Can anybody help me out? Please DM me if you can.
Hi, I am solving skill assessment 1 in AD enumeration, and in the third question it asks me to crack the password of the account. I have loaded the model then tried to request the ticket, but it's telling me the module isn't loaded. What am I doing wrong here?
PS> ||Add-Type -AssemblyName System.IdentityModel||
PS> ||New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/SQL01.inlanefreight.local:1433"||
New-Object : Cannot find type [System.IdentityModel.Tokens.KerberosRequestorSecurityToken]: verify that the assembly
containing this type is loaded.
At line:1 char:1
- New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken ...
-
+ CategoryInfo : InvalidType: (:) [New-Object], PSArgumentException
+ FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand||
I'm not sure what happened. This is the 3rd system spawn. It was working fine yesterday. Any solutions? I tried UDP, TCP vpns
check whether you are having multiple tun interfaces, you must have only tun0 and not tun1, tun2 and so on
hmmm.. i restarted my machine. Now I only have tun0 and still same.
make sure not to run the vpn and the pwnbox at the same time
I tried on my laptop.. target still can't be reached. they have different vpn files.
The module section is about using "Default credential sheet"
Guys I've been stuck in ICMP Pivoting sections for so long now. Everything is set up, I can access the host using my localhost but for the love of god nmap just doesn't scan using proxychains
Why is it like this?
I clearly have ssh running with dynamic port forwarding
Can someone check on target machines on this module? (attacking common service Attacking SQL)? It really can't be reached.
Using PwnBox can reach it... but logging in using mssqlclient just hangs after password input
Are you still stuck on this section?
Add -Pn, and sudo, also proxychains doesn't like ICMP
Hi, since yesterday I’ve been having trouble connecting via RDP in the academy (namely https://academy.hackthebox.com/module/67/section/913). I’m connected through VPN, but from my VM I cannot connect. Specifically, I’m using this command: xfreerdp3 /v:10.129.216.102 /u:htb-student /p:HTB_@cademy_stdnt! What can I do about this? I’ve also tried: rdesktop -u htb-student -p 'HTB_@cademy_stdnt!' 10.129.216.102 With the second command I can sometimes connect, but it’s so laggy that it’s unusable. Does anyone know what’s going on? Thanks.
As a habit wrap passwords in single quotes, also try changing vpn regions
Thank you for the reply. I tried it several times. Now I specifically tried US Academy 6, UDP 1337, and I terminated the target and started it again. I can connect to the VPN without any problem, but I cannot connect via RDP. I just tried this command:
xfreerdp3 /v:10.129.210.142 /u:htb-student /p:'HTB_@cademy_stdn!' Any other ideas please, how to solve this?
Try using tcp vpn if you can
any idea how to work through anything requiring droopescan? It doesn't work lol, please @ with replies
Idk if this is the right place to write this, but it seems there's an issue with nmap that others have encountered as well, where certain scripts throw errors. I'm in the Footprinting module on the mssql section, and trying to follow along with the example commands but am getting errors.
$ sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 <my_target_ip>
And I keep getting errors such as these:
NSE: [ms-sql-ntlm-info <my_target_ip>:1433] brandedVersion: 2019, #lookup: 29
NSE: Starting ms-sql-ntlm-info against <my_target_ip>:1433.
NSE: Starting ms-sql-info against <my_target_ip>:1433.
NSE: Starting ms-sql-empty-password against <my_target_ip>:1433.
NSE: Starting ms-sql-dac against <my_target_ip>:1433.
NSE: ms-sql-ntlm-info against <my_target_ip>:1433 threw an error!
attempt to index a nil value
stack traceback:
[C]: in for iterator 'for iterator'
/usr/bin/../share/nmap/nselib/mssql.lua:3334: in function </usr/bin/../share/nmap/nselib/mssql.lua:3327>
(...tail calls...)
NSE: ms-sql-info against <my_target_ip>:1433 threw an error!
attempt to index a nil value
stack traceback:
[C]: in for iterator 'for iterator'
/usr/bin/../share/nmap/nselib/mssql.lua:3334: in function </usr/bin/../share/nmap/nselib/mssql.lua:3327>
(...tail calls...)
Anyone have any idea how to fix this so i can try along with the examples in this section?
No, unfortunately it still doesn’t work… I’m new to this, is there a way to deal with it with someone from the support team or something like that? It seems to me that the problem isn’t on my side… I tried the following commands as well:
xfreerdp3 /v:10.129.210.142 /u:htb-student /p:'HTB_@cademy_stdnt!' /sec:rdp /cert:ignore I restarted my VM as well..
I Will try one more time can,
someone help me with the Attacking Thick Client Applications module, I'm stuck on an error and can't find any help in the previous messages thx
"Aside from Kerberos and LDAP, Active Directory uses several other authentication methods which can be used"
Hi everyone, can someone tell me if this text from AD module is correct? I understood that AD just uses Kerberos and NTLM for authentication, and LDAP for queries
Need to speak to a person? Learn how to reach our support via HTB Labs.
See above
Read the 'Fatty' writeup
i'm on the first module not the second one related to fatty
Ah, not sure what to tell ya. Im not at my computer so im not sure the errors youre getting
And cant ts
Hello guys
I have an issue in the skill assessments in general
the websites do not fully work
some endpoints do not work with me
But the module specifically asked me to do this. If ICMP was an issue why would they ask me to do it though?
Add -Pn and see if it works
Sometimes what the module gives can be incorrect
#1234357888114364508 exists for people to help correct errors
Just pinging this again for visibility - don't know if anyone has any ideas or not though
Yeah go ahead I have some time.
For Firewall and IDS/IPS Evasion - Medium,
I am trying to ascertain the version of the DNS server.
When I run the following sudo nmap $TARGET -p53 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53 -sV -sU, I do see a version is captured via 53/tcp & udp. However, the version listed is NLnet Labs NSD, and this is not a satisfactory answer. What's the trick to this question??
how should I solve this exactly if it is not working
Ah, I'm an idiot. I used the wrong ovpn config proto
I do this all the time lol
Man these labs are hard..
The questions themselves are worded really strange. The "Hard" question for Firewall IDS/IPS Evasion I'm not even sure what it's asking for. The version of ssh? The version of Apache?
So in the Enumerating and Attacking Active Directory module there is a LLMNR/NBT-NS Step at the very start from the outside (gathering a user NetNTLMv2). Very late in that Skill Assessment there is the same but from inside a machine via Inveigh. I am quite confused, why responder didn't catch the other hash as well? the parrot vm is on the exact same subnet as the dc and got the other one.
Is there some scripting in place to only trigger when user is starting inveigh from inside a machine?
I wondered this myself. In general though if theres alternative solution that does work, its worth while noting that you might encounter that again. Would like to know if its intentional too 🙂
Is this the right place to ask a question about an academy module?
well sure, but i have the feeling there was a script doing something, because we shouldnt be able to catch that user straight away
Working on SQL Injection Fundamentals: Writing Files challenge. I am on the right path but can't quite get it. I understand that ||system() allows me to run cml args. I tried running ls which worked but found no further down directories (hint is dir related). I also tried to move vertically with cd .. to no avail (http 500 error). Also tried cat'ing out the config file which also didnt work||
Any tips or deeper explanation for errors are appreciated
Anyone able to get a revshell or add user to LA for Windows Lateral Movement skills assessment - || Have access to WSUS via rossy RDP; can't figure out what update to push out/syntax to get it to work to access backup for "What is the password for VNC?" || SOLVED
Where is the app located
I’m using the PWNBOX and having connecting timed out issues. No websites are loading.
Anyone have this problem before? How to fix?
Can anyone give a nudge on Windows Lateral Movement Skills Assessment "What's the content of the flag located at DC C:\Users\Administrator\Desktop\flag.txt?" || Have the password for VNC, I see meshcentral is also set up, not sure how to get there||
@proud yacht you might not have write permissions everywhere
Also spoiler tags dont really do anything
anyone here solved whitebox attack module?
I have a problem in the race condition in :
User Enumeration via Response Timing
yo, I want to report a typo in the module "Login Brute Forcing with Medusa" https://academy.hackthebox.com/module/57/section/512
the http basic auth command has a typo:
medusa -H web_servers.txt -U usernames.txt -P passwords.txt -M http -m GET
the parameter -m should be -m METHOD:GET also the related cheat sheet has the same typo
Best to report in #1234357888114364508
will do thanks!
So are the WiFi Penetration Tester and AI Red Teamer paths fully complete? As in there won't be any more modules added to them.
Yeah they're complete, but that doesn't mean they won't change in the future. HTB updates their paths with new content when things change. For example they just changed the CWES module to include newer attacks.
Understood, more so just wanting to start the path knowing it has all currently intended modules. Thanks for the follow-up!
Hello, sorry to bother, I am stuck in the SQL Injection Fundamentals module Skill Assessment and was wondering if someone could give me some pointers.
I can't figure out what the web root is. I tried dumping the nginx conf file (like the hint says) but after this I could not figure out what the root was... I also tried fuzzing it with seclists default-webroot-directory-linux.txt to no avail.
hey , any specific chat for AI-ML module related discussions/questions?
Dm me!
I just want to understand if the alternative method suggested in the course solution is doable. I'm on "AD Enumeration & Attacks - Skills Assessment Part II". There's an alternative method there to dump LSA secrets using "nxc smb <creds> --local-auth --lsa". The suggestion is that the hex string can be decoded to reveal the password INLANEFREIGHT\SQL01$:plain_password_hex:. I did try several wordlists and I wasn't able to crack this.. The actual password is not there.
Anyone can give me a nudge?
You can dm me if you still need help
someone?
It is correct, there are other auth methods
ok thank you. Another question, can u tell me the role of API gateway? Is it a component of AD environment?
Not always, it's usually used by apps/services that handle ldap comms, like okta for example
you can query ldap directly
Thank you, i will skip this image for this moment
Another question about LDAP, is it a protocol for authentication or a way to transport credentials?
It's mainly for directory access, and querying for directory information (users, groups)
there is this text in the section: "LDAP is set up to authenticate credentials against AD using a "BIND" operation to set the authentication state for an LDAP session. There are two types of LDAP authentication"
I think maybe what I say might not necessarily line up with what the module is trying to teach you, LDAP verifies credentials but auth is performed by AD using NTLM/Kerberos etc. When you query LDAP you send a BIND request with creds, the DC receives the request and validates the creds, if they're valid, a session is established and you can then query or modify the directory (depending on permissions). There are two types of BIND requests, simple and SASL
So LDAP is the Auth Server in Kerberos auth process?
I think you are getting too bogged down in the finer details too early
LDAP is NOT the auth server, it is just a protocol to access the directory
Kerberos is an authentication protocol
Ok but you said that LDAP verifies credentials, what did you mean?
sorry, a bit of confusion
Dont worry
ldap bind is auth to the directory service itself, its separate from kerberos which auths you to access domain resources like file shares. if you do an SASL bind with ldap it uses kerberos as the auth mechanism to establish the session (i think). but i really think we are getting too deep in the weeds here and beyond what the module requires
the auth server for kerberos is the KDC, the key distribution center that runs on the dc
SASL might also use NTLM, im not sure
Hey, can anyone give a direction for "abusing HTTP Misconfiguration - skill assessment easy"? I have tried everything taught in the module and nothing works.
Im getting this error, any solution?
*nevermind solved using india server
It's been some hours since I started the skills assessment of the SQL Injection Fundamentals. I have tried different injection methods covered in the module but to no avail. It seems they recently updated the exercise's section. Please any hint would be helpful and highly appreciated!
I am busy doing the "Introduction to Windows Evasion Techniques" module and I am getting stuck on "Static Analysis."
I cannot disable Real-time Monitoring because I do not have the administrator password. I can't find C:\Tools in file explorer. The module also says to use "Console App (.NET Framework)" in Visual Studio Code, but this is not an available option to select.
I create the shellcode, use Cyberchef to AES encrypt the shellcode, place the outcome into the C# code and create the executable on the linux machine. When I copy the executable over to the target machine and place it in "C:\Alpha\Static", I cannot run the executable because it is blocked and I don't get a callback but "flag.txt" appears.
Can anyone help me with this?
Any help would be appreciated
I can't really help you with all the first queries because I developed locally, but it looks like you might be trying to use the target vm as the dev vm? there are two you need to use if you aren't going to do the dev locally, the dev machine can be accessed on one of the first pages.
As for your last query, you aren't supposed to run it, there is a script that runs every minute (i think) and if you've achieved the objective the flag appears. i think there is also a .txt log file in the directory
Is your goal to get a cleartext password or move forward with the skills assessment?
I suggest either using the netexec module to leverage the printerbug.py script you are referencing or grab printerbug.py from GitHub and use that instead.
Ty i will try that. || I also have access now to the user jpinkman. But i think thats not the right path right? Cause he has no administrative rights ||
Good deal. If it still isn't working, just respond to this and when I have some time, I can check things out on your end.
You get this sorted out?
I did for "Static Analysis" but I am struggling for dynamic analysis as I can't access "C:\Users\beta"
Ok, I'm going to delete this as it contains content above Tier 0. Go ahead and send me a DM so I can see what you got going on.
Hello, I was reading about "Network Communication" and I just would like to simulate the "The Windows GETMAC command will return the MAC address of every network interface card on the host." in the hack the box workstation, but I don't know where click to test it. Could you help me?
I'm still stuck on the last lab for network enumeration with Nmap.
"Now our client wants to know if it is possible to find out the version of the running services. Identify the version of the service our client was talking about and submit the flag as the answer. "
When checking version, there is only so much the answer could be; but neither are correct:
nmap --packet-trace -p22,80 -sS -sV $TARGET
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Well... as it says its a WINDOWS command, the workstations are linux...
the ip a or ifconfig commands do the same
Hey. I'm in the XXE section in the Web Attacks module.
I can't seem to understand why only *sometimes* my htb vm gets hit from my xxe injection? (To send my xxe.dtd file)
When I'm running this curl from my machine on Burp, I don't get any GET request on the http.server hosted on my VM.
When I'm running this curl from the HTB VM , I see a GET request, but still not getting the contents of the required file.
I'm following 1:1 the injection they mentioned in the section and I can't figure out what I'm doing wrong. - I'm not getting the file contents of /flag.php as requested in the question. ( I also tried the same payload on /index.php)
Question: Use either method from this section to read the flag at '/flag.php'. (You may use the CDATA method at '/index.php', or the error-based method at '/error').
Hey guys, working on the Pass the Ticket from Linux module right now. I'm at the step where you need to pivot from carlos to svc_workstations.
I grabbed the keytab and ran KeyTabExtract, but it only gave me the AES-256 hash (no NTLM/RC4 to crack). I tried using the ticket locally with kinit + smbclient -k -no-pass against the DC, but I keep getting NT_STATUS_CONNECTION_RESET no matter what I try (even forcing SMB3).
SSH with GSSAPI also fails. Is the intended path to proxychain impacket from the attack box using the AES key? My tunnel was acting up so I couldn't verify. Just wondering if there's a local way to solve this that I missed.
try to remove a / in file:///flag.php
i believe the whole premise of putting the % entities is to prevent mixing internal and external entities, but 3 slashes is used for local files iirc
if that doesn't work please let me know!
Nope.
It's file://<file-path>
But anyway it doesn't even query my xxe.dtd
? it seems like you're getting GET requests on your python http server tho?
anyone having issue with Password attacks -Pass the certificate module last question?
you mean when you write &joined; ?
As I said in the original message, only when running this as a curl on the VM for some reason..
mb
there is more than one cache i think
No worries, appreciate any help
the right one has an NTLM hash try looking that directory manually
ty i am going to check it right now :)
Np 🙂
Got it, ty!
Aye
I did not have any issues executing it from my VM.
the hint says we can point to the flag inside of the .dtd file, have you tried that?
you used the kerberos authentication template along with impackets ntlm relay and used the printer bug right? nothing new?
I used that template, I didn't use impacket-ntlmrelayx, I used ntlmrelayx.py and I've used the standalone printerbug script, along with the coerce_plus module from netexec.
Are the answers to most of these lab questions always in the same format? e.g. HTB{imAn1D10T}
I don't understand which version of which service I need to provide the 'version' for
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
110/tcp open pop3 Dovecot pop3d
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd (Ubuntu)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
50000/tcp open tcpwrapped
Service Info: Host: NIX-NMAP-HARD; OS: Linux; CPE: cpe:/o:linux:linux_kernel
can you show the request line of your HTTP request please?
maybe you're getting blocked cause you're self-referencing or something
i dont know what else it could be though 
The curl you mean?
change this Connection: keep-alive to Connection: close maybe?
let's try everything until someone more experienced shines light on this lol
Huh??
Can anyone help me with the XXE section in the Web Attacks module?
Why do you think that might work?
when using burp repeater if the server is acting weird, sometimes immediately killing the connection made things go smoother, but here if you really wanna get unstuck just do what the hint says and place the location of your file in the .dtd ig
tho i'm still curious why your request isn't working
lol i just did it the "normal way" and it went through, maybe restarting the server will fix things
For the Writing Custom Wordlists and Rules module where you need to find Mark's password, the walkthrough is not correct. For those who struggled like me, know that for hashcat rules, you should NOT put backslashes into the custom.rule file.
The actual password is in the format of Password123! using Mark's info from the exercise.
Hm. Definitely an interesting view though. Because that definitely might be the difference between using burp and the client
I’m actually very certain the issue is server related since it makes no sense
Also the server was very laggy the whole time
yeah i reread your request 10 times lmao i'm pretty sure we got the same thing so it should be working
Can I DM you about this?
sure!
for the Analyzing Evil and Sysmon Event Logs section of Windows Event Logs & Finding Evil module, I found the hash it told me to find but its still saying wrong answer
I know its the right hash
this is for question 1
section 2
Hello all, I'm new to anything related to cybersecurity, what's the best place to start in academy at the tier 0 level?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Anyone have the problem in the PWNBOX that it always says “THE CONNECTION HAS TIMED OUT”?
I’m using the free cubes to see if I like the lessons and if this is what happens I would like to know so that I save my money and choose another website
fantastic, thank you
No problems here. Connection timed out to what, what are you trying to do?
Part of the module for Cyber Kill Chain
Going to need a lot more detail. Best to say which module/section/question you're on. Also what you're trying to connect to. I assume the Pwnbox spawns in your browser and you're trying to connect to something else using it? You gave like zero details whatsoever. I've never had issues with pwnbox ever. VPN is a better experience anyway.
I don’t know man. I’m on the very first module “Incident Handling Process” for SOC ANALYST path. It’s like the second page titled Cyber Kill Chain. I’m new to this. I’m using the free cubes it gave me. I think that’s why. But that’s lame because I’m testing it out before I drop 5 bills on a subscription
Yeah the pwnbox is limited if you haven't spent money. I think the VPN option is free, and like I said, it's a better experience on VPN anyway. I'd recommend that.
You don't have to use the pwnbox
But you could also just be doing something wrong, you can't even tell me if you can load the pwnbox in the browser or if it does load and you're using it to connect to something
can someone help me with attacking common application for the skill assessment ll?
What is the URL of the WordPress instance?
i know need to fluff. in my command, i included the subdomain.txt, -H FUZZ.inlanefreightlocal, even the -U flag but when it show a lot of FS size. i tried to filter out, but it does not work.
for nessus skills assessment can we access nessus from host or ssh and pwnbox r only options?
ive been working on HTB academy for over a year now, and for some reason tonight, I can't for the life of me find where to download a new VPN file.
click your profile then VPN settings
thank you, this no joke took me 10 minutes
it's also available on module sections where you need to spawn a target
it doesnt show up there for me on 2.0 and legacy
should be above the questions for legacy
same goes for 2.0 beta
could be your ad blocker or resolution as well
ah true adblocker good point. just disabled it and still doesnt show up lol
no worries though, i was able to get a new ovpn file with your method. My web methodology for HTB academy seems to be lacking.
just reset my target and vpn all to realize my Burp intercept was on
How do you use the VPN file? I don’t have a personal VPN btw
In linux the command is usually openvpn <vpn file>
How in windows
i use the openvpn client
No idea what that is
OpenVPN Connect running on Windows: install our VPN client on your Windows devices.
Thanks
Module: File Upload Attacks
Section: Limited File Upload
Link: academy.hackthebox.com/module/136/section/1291
The first question in the lab asks you to do the XXE Vuln with SVG
However, every time I upload the svg the page goes blank. When I check the page source, it’s completely blank after the start of the form tag
Are you checking the upload source, or just the regular page source?
Regular Page Source. The landing page where you can upload.
Not upload.php
If the page itself is blank then you may have messed up the payload
I copied the exact payload from the section. I’ll double check
Im not available to troubleshoot, but its above tier 0 - so you can't share the payload here
you can always upload a clean legit svg file to make sure the upload works
The page’s source code ends after the start of the form tag. Right where the svg is supposed to go
I didn’t ? I just mentioned it’s the same as in the section notes 😂
Tried, that works. So there were two codes in the section one for the XXE and one plain XSS with svg. Although we can only execute JS and the alert works well. (It takes about a minute to load each time i refresh, but it works)
Hello everyone, I am new to HTB. Can you please tell me how to get the password of htb when connecting to ssh in Linux Fundamentals?
I know you didn't, just heading it off lol
It should be above the question
Ah no worries, I know 😂
can you plz help me ??
It’s above the question. Marcie Lee replied to you
Yeah so there's something malformed with your POST request or you don't have the right payload. The examples in the sections aren't always going to be 1:1 with the challenges, it wouldn't be a challenge otherwise.
Check right above it’ll give you the user pass
in terminal or in setting ??
Well, I do have the “Show Solution” from the Annual Subscription and copying that doesn’t seem to work either 😂😂
Anytime I input &xxe; the page goes blank
I read somewhere at times it’s due to the router filtering it. Not sure
Huh no. The HTB Webpage. The place where you’re studying from. If you scroll to the bottom of the page
i just check this right thing in yesterday but nothing happens i am just getting tired so that's why i am going to ask from you guys
ok thanks w8 i am going to check this out
I just tested it and it works fine I was able to get the flag
Might be worth restarting on pwnbox to rule out any mangled settings on your personal lab recon
Any hint to find the injection point of command injection skill assessment?
Command injection is injecting a command into the underlying OS. So think about running commands in a terminal. With that in mind, click on every single thing you can click on in the web app and inspect the request in your web proxy. Look for something that may be using those underlying terminal commands to see where you might be able to inject your own command into.
Thanks bro
Why can't I write a new message?
I have an issue with one of the HTB academy modules and I can't contact support after talking to the HTB hivemind LLM
Those are just the platform's messages to you, you might wanna click on the ticket tab to open a ticket
new UI is a bit weird 
The button to write a new message just disappeared
Thanks for the suggestions
I guess I will write an email
Hey! Doing AD enumeration & attacks, and currently doing the "Attacking Domain Trusts" section, it says here "Within the same AD forest, the sidHistory attribute is respected due to lack of SID Filtering protection" so ExtraSids attacks are possible, but is this lack of SID Filtering protection in the same forest by default or a misconfiguration?
Good day everyone! Please I have been on this skills assessment of the SQL Injection Fundamentals for over a day now. I have tried different injection methods covered in the module but to no avail. I have also tried creating a new account but still the same thing. Please any hint would be so helpful!
Hi has anyone here done the Windows Event Logs and Finding Evil Module? If so are you available to DM?
hi guys need some nudge on API Attacks: Broken Object Property Level authorization Exploit another Mass Assignment vulnerability and submit the flag.
Please anyone I can DM for this?
Sure
"LM and NTLM here are the hash names, and NTLMv1 and NTLMv2 are authentication protocols that utilize the LM or NT hash"
"NT LAN Manager (NTLM) hashes are used on modern Windows systems. It is a challenge-response authentication protocol"
I see a little bit of confusion, don't understand if NTLM is a protocol or a hash type, and what is NT
I think it's clear.
NT -> hash type
LM -> hash type
NTLM -> authentication protocol that uses NT:LM hashes.
It has two versions
NTLMv1 and NTLMv2
So NTLM protocol uses NT:LM hashes to authenticate
so it is a protocol that uses NT:LM hashes, not a type of hash. The first part of the second text says "NTLM hashes"
NTLM hashes just refers to the hashes the protocol uses.
Which are NT & LM
therefore the name, NTLM
Anyone knows?
^ A golden ticket forged using the child domains KRBTGT isn't trusted by the parent domain is it?
It was something to do with the router. I change to my mobile hotspot and worked like a charm
It was the router, it worked perfectly on data
Did somebody do the new updated mysql skill assessment
I asked that question before but i try to be more precise without giving out too much. In the module 'Attacking WPA3 -wifi-networks' the section "SAE downgrade attack" is about to be repeated as explained to get the flag. I tried two different approaches, the presented approach in that section and an online bruteforce attack. To make sure if the problem is the wordlist. The precise same attack and precisely executed as shown in that section needs to be repeated to get a flag in the SA. The point is, in the SA it works, but not in the section "SAE downgrade Attack". Is it possible that maybe some admin looks into it, to verify if the wordlist is maybe not the correct one for this attack?
hello everyone, I'm working on the "Intro to Windows Command Line" and I can't log in as "mtanaka" in the "User and Group Management" section. Can someone help me ? Thx
active directory module:
in each task when I'm supposed to ssh into a target - the target is just a virtual machine inside the inlanefreight.local domain (or network? the vm is inside the network but inlanefreight.local is a domain so idk the distinguish ) that I'm supposed to attack from? but the domain controller is 172.16.5.5 yeah?
┌──(env)─(ab7㉿X11)-[~]
└─$ nmap 94.237.120.119 -p 22 -sC -sV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-27 15:29 +01
Nmap scan report for 94-237-120-119.uk-lon1.upcloud.host (94.237.120.119)
Host is up (0.070s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 41:18:79:19:3f:9c:65:32:ed:45:c3:99:3f:82:77:e8 (ECDSA)
|_ 256 d2:7f:5b:3a:08:74:9b:78:64:82:0f:12:6c:07:ac:af (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.06 seconds
why they want me to brute force ssh when it only accept a key
God please help
you are focusing on the wrong port, a port was given to you upon spawn of the target
I tried to brute force with the same password word list on user ftpuser with hydra and the password list finished and I did not get the password
it is the same list that they were using in the section
2023-200_most_used_passwords.txt
the SSH service is not running on the standard port
hello can anybody help me on blind ssrf. question "Exploit the SSRF to identify open ports on the system. Which port is open in addition to port 80?" in the "Server-side Attacks" module. I used ffuf and responses are not helpful to get the flag. your help is much appreciated. Thank you
I can
DM me
and please someone help me too
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-11-27 15:45:46
┌──(env)─(ab7㉿X11)-[~]
└─$
oh found the password
I used a bigger wordlist
Anyone having issue with Password attacks -Pass the certificate answer 2? where you can capture the certificate via printerbug and ntlm relay ? ive tried using a different template and all not working.. tried to use netexec rather than printer bug still the same ..
Did you || login to the website? ||
wtf is happening with the targets of academy? i cant connect
to rdp neither ssh
sometimes yes and mostly NO
even from my box
Make the wordlist with the data provided in the reading
oh okay so make a custom password wordlist for the name jane?
Yes
thanks
Hi! I am stuck in GraphQL module in Injection Attacks section. Can anyone help me out?
should I also use a custom wordlist for the name ??
Follow the reading
sorry 
Hello everyone, im doing the Linux Fundamentals Module , im stuck on the question " Which kernel release is installed on the system? (Format: 1.22.3)" in the System Information (table of contents) im using uname --kernel-release but it says "Incorrect answer!" does it mean that there is another command? or am i misunderstanding the question?
DM me

found it !!!
cupp is amazing
thank you HTB
Hey everyone!
Is there anyone available to help me with a nudge on Question 3 of the Active Directory Trust Attacks Skills Assessment?
Theres a target you ssh into
thanks :D
is that necessary ?
Good Evening,
I am currently stuck on a section of the Pentest in a Nutshell module. I am 100% confident I am entering the correct answer, yet it is still not accepted. I am most likely doing something wrong when entering it.
Best to say which section and question you're on too
Anyone having issue with Password attacks -Pass the certificate answer 2? where you can capture the certificate via printerbug and ntlm relay ? ive tried using a different template and all not working.. tried to use netexec rather than printer bug still the same
can anyone please help me out im been stuck for weeks
my bad
Figured it out. Just switched back to the legacy academy and it worked, in case anyone is having the same issue.
Just wasted so many hours on the nmap exercise because the -g flag has to go BEFORE the address. FML
No it doesnt
Did you find what was wrong with your character shifting payload? I'm also looking into the "Bypassing Blacklisted Commands" section of the Command Injection module. I've completed the question that asks you for the flag. However I can't stop thinking about the Exercise asking you to try who$@ami and w\ho\am\i and use techniques from the previous section to bypass the character filtering.
I'm wondering if I'm supposed to send one payload to the application that creates something new on the target machine using one of the techniques discussed in the previous section "Bypassing Other Blacklisted Characters" and then send a second payload using the other technique discussed in that previous section that allows me to bypass the filtered character? I hope this isn't considered a spoiler! I'm quite curious to learn if I was meant to do something simpler though or if this is what I am supposed to do?
Hi!
I'm currently doing windows privilege escalation module section Pillaging.
Can somebody please give me some hints for the question? "Log in as Grace and find the cookies for the slacktestapp.com website. Use the cookie to log in into slacktestapp.com from a browser within the RDP session and submit the flag."
hi I found the SHA256 hash for the first question of the second section of Windows Event Logs and Finding Evil but it's not accepting it as the answer
can someone help me out with this?
anyone available for DM?
Hello
you can DM me
in section https://academy.hackthebox.com/module/57/section/516 we have actually two parts of skill assessments on this module.. the first one to know the name of the user that we have to brute force and the second one to brute force again on ftp on the user called Thomas I am inside satwossh machine and I have to get in ftp , I have created a list of usernames to brute force on ftp for the user Thomas Smith .. then I started brute forcing.. but I am doing it in satwossh machine .. hydra is too slow there.. in the first minute it tries only 32 attempts, then it becomes slower and slower. which makes it impossible . I have tried to brute force from my local machine but it refuses the connection [ATTEMPT] target 94.237.120.137 - login "thomas" - pass "000000" - 15 of 2970 [child 14] (0/0) [ATTEMPT] target 94.237.120.137 - login "thomas" - pass "1234" - 16 of 2970 [child 15] (0/0) [ERROR] all children were disabled due too many connection errors can you help please?
Thats because ftp is running internally, so you wont be able to brute it from the outside (without pivoting)
Anyone have a hint for Windows Lateral Movement Skills Assessment "What's the content of the flag located at DC C:\Users\Administrator\Desktop\flag.txt?" || Have a RDP session on backup, found mesh central open on DC but creds don't seem to work ||
but the machine that HTB provide has really bad connection
as I say 32 attempt in minute
and after two minutes it become slower
🥲
I have done everything correct but I can not get into ftp
I send a ticket on the support but no response after 3 hours
Its only able to be attacked internally, from the target spawn via the ssh creds you have
I wonder how much people have actually given up on the path halfway through because it was too hard
hello https://academy.hackthebox.com/module/268/section/3062
for this module it is down ? i try to bruteforce otp many time but any response 💀
If you think it’s broken (it’s not) then contact support
Anyone have any advice for this
i think do the good manip for obtain the reset password but nothing it's weird
Still having issues? You can DM when you're working through it again. I'll take a look at what you've got going on.
yes I tried.. but the ssh machine is too slow
I told you that
with hydra -t 16
really really slow
the box terminate and the list is not finished and it is not that bug
big*
Not sure, but: Would a port forwarding help?
I have a theory but I can't confirm it.
My idea is: He will make a tunnel from his vm to the internal machine. He will start hydra on his machine - thereby using his machine resources - cpu and so on. The port forwarding will only send out the prompts from hydra.
I lowkey think it depends on the connection.
Proxychains and ligolo will do just fine.
even if I open a tunnel the connection will still go through the HTB Machine
No, its a public ip
username_anarchy created 15 names for thomass
and I should use the password list in the ssh
that is only 3000 attempt I think
it is all I need but it is too slow
it can not even finish them in 2 hours
the box will be terminated
at least if someone could give me the correct username and then all I need is 200 attempts