#modules
just cuz you did it before
not even remotely
you have notes
I literally only did what it said to do in the last paragraph of the reading
the paragraph starting with: Attempting to log in
the only thing my notes have is just what the page says paraphrased
that's not always gonna be feasible
especially if you're on an actual engagement and not a training site
you're not gonna be able to spam guesses on an actual engagement
you are not helping at all btw
You just refuse to accept the fact that you massively overcomplicated the problem
the only two modules I found that talk about LDAP are TIER 3
those are modules explicitly named LDAP and such
even so you are not helping
it's talked about in Windows Fundamentals, and even Intro to active directory
I don't like you
you can not like me, don't care. I'm not gonna coddle you.
Since you bruteforced the answer do you want me to dm you what it expected you to do?
sorry I don't understand you anymore
for some reason
oh
if you are going to be rude don't DM me
it means i'm not gonna 'be gentle' with you for failing to do the bare minimum of reading the page.
I'm not gonna be rude, unless you count me messaging you the paragraph that explicitly gives instructions as rude
The reason I declined the DM earlier is because I had a feeling you just wanted the answer instead of the way to reach it
Hi guys, Can someone give me a hint for the last question for the Windows lateral movement SA's last question What's the content of the flag located at DC C:\Users\Administrator\Desktop\flag.txt? I tried a lot of things with the VNC from backup but i could not do anything with it...
it is not fair to test someone about thing he did not hear before anyway
without even teaching him
as was explained before, the reading does teach you about LDAP and everything you need to know to complete the task
Can I DM anyone to ask a question about the official solution of Attacking common services - Medium assessment? There's something that doesn't make sense at all to me in the solution. Thanks
Sounds like you are on the right track. You can DM me if you want.
they don't
they just talk about ldapsearch
On my way :D
they quite literally do talk about LDAP
in the first paragraph I fear
and they explain how LDAP injection works
you don't have to think too deeply about it
now I feel bad because of you
not my problem i fear. I am not the cause of this, it's yourself to blame
maybe
LDAP Injection
is a part of the reading btw
but I still feel bad
the goal of the question was also clear: "After bypassing the login"
@fathom pendant can I DM you? I don't want to ask for solutions/hints but I think there's something wrong in the official solution of an assessment..
that heavily depends on the module, as
- I'm not staff
- I'm not staff
- I haven't done all the modules
@coarse pine did you solve it?
I always do
Nice btw i think i found a solution for your problem
But i wasn't sharing cuz i didn't want to ruin ur learning
She just bruteforced it
instead of actually doing the thing that's simple
funny thing is I PASTED THE EXACT MODULE TEXT lol
she just got hung up on something irrelevant to the goal
already resolved
with many such caps lock from me LOL
whether or not lessons were actually learned are tbd
@coarse pine keep it relevant to the channel
hello, i am on LLMNR/NBT-NS Poisoning - from Windows - for some reason i just can't connect to the windows machine via rdp. it always says failed to connect. anyone have this problem too?
there's usually more to the error than 'failed to connect'
xfreerdp /u:htb-student /v:10.129.248.50 /p:Academy_student_AD!
[21:48:51:267] [4391:4392] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[21:48:51:267] [4391:4392] [ERROR][com.freerdp.core] - failed to connect to 10.129.248.50
this is what i get
reset the vm
also wrap the password in single quotes just to be on the safe side
got you , thanks i will do it
i reset the vm and wrapped the password, now all i get is a black screen, any solution?
press enter
:)
my bad hhhh ,thank you
no problem; the explanation is that for whatever reason xfreerdp doesn't draw the Acceptable Use Policy Screen (you can sometimes get it to do so if you use /dynamic-resolution and resize the screen)
Hi,
I’m stuck on the Web Fuzzing Skill Assessment and I believe the instance might be broken.
I’ve reset the target several times and followed the module step by step.
Using ffuf with SecLists (common.txt), the only endpoints I consistently find are:
- .hta → 403
- .htaccess → 403
- .htpasswd → 403
- /admin → 301
- /server-status → 403
There are no endpoints returning 200 or any response size deviation that could lead to the flag.
I’ve been testing different filters and wordlists with the same result.
Could you please confirm if this instance is working as expected or if there’s something else I should test?
Thanks.
Try gobuster
sorry
Attacking graphql, Information Disclosure
https://academy.hackthebox.com/module/271/section/3152
'After executing an introspection query, what is the flag you can exfiltrate?'
can anyone help?
Skill Assessment container is broken.
robots.txt returns default Apache 404,
no accessible endpoints found,
discovered files return 404,
admin always Access Denied.
Please reset instance.
Hi guys, I need some help with the Skill Assessment.
I’ve been stuck on this for many days and I believe the instance may be broken.
What I already tried:
Directory fuzzing with ffuf using common.txt
Directory brute-force with gobuster
Manual testing with curl (GET, POST, PUT, OPTIONS)
Parameter fuzzing (param=FUZZ)
Header bypass attempts (X-Forwarded-For, X-Original-IP, User-Agent, etc.)
Results so far:
/admin always redirects (301) and then returns Access Denied
All other discovered paths return 404 or the same response
robots.txt returns a default Apache 404 page
No endpoint returns different content or exposes a flag
At this point, I can’t find any accessible page that leads to the HTB{...} flag.
Am I missing something obvious, or could this Skill Assessment instance be broken?
Any guidance would be really appreciated. Thanks 🙏
Modules are private instances, it's more likely you're not doing something right
always best to say which module, section, and question you're on, otherwise no one knows.
Thanks
Module: Web Fuzzing
Section: Skill Assessment
Description from the page:
To complete this Skill Assessment, we need to apply the tools and techniques covered in the Web Fuzzing module. All fuzzing should be done using the SecLists common.txt wordlist located at /usr/share/seclists/Discovery/Web-Content.
Question:
After completing all steps of the assessment, a page should be displayed containing a flag in the format HTB{...}. What is that flag?
What I’ve tried so far:
- Directory fuzzing with ffuf and gobuster using common.txt
- Parameter fuzzing on discovered endpoints
- Manual testing with curl (GET, POST, OPTIONS, PUT)
- Header manipulation (X-Forwarded-For, X-Original-IP, User-Agent, etc.)
Results:
- Most paths return 301, 403, or identical 200 responses with “Access Denied”
- Admin endpoint always redirects or denies access
- No unique response or page displaying a flag has appeared
At this point I feel I may be missing a specific technique or detail from the module.
If anyone could provide a hint or point me in the right direction, I’d really appreciate it.
?
Dig around to find and expose secrets
you don't provide enough info to be given help
there could be a million reasons as to why that is happening
for example, did you spawn the target? is that the right ip?
maybe it just doesn't respond to pings and you're not supposed to rdp anyway
could be your routing, etc
Yeah it is the right IP, I reset the IP as well and it says to RDP to that IP. The module name is Windows Event Logs and I have re downloaded the vpn file too
did you use the pwnbox at the same time, or recently?
try killing the vpn, kill the target, re-download the vpn file and use the new one to reconnect. then re-spawn the target and try again.
thanks. I basically did that. Had to use another locations vpn too
did it work?
when you switch vpn locations the target spawns in another location so you probably need to hard refresh the site
it did work. Suddenly I connected to rdp and just as I was about to start doing things it closed and now I can't even ping the IP 🤦
Hi, I am stuck on this question the first section of windows event logs any tips/advice on how to approach it would be nice
Still need help?
it just happened to me as well. weird. Came here to check if it's not a maintenance thing. I changed the vpn location without success already. Not a big deal
Yes please
Yeah, dunno what it was. Anyways it worked, although it was a big hassle
If u could dm me some tips for it that'd be awesome. Module literally didnt cover any ways of making XML queries in event viewer
Ok
For Intro to C2 Operations with Sliver - the "Kerberos Delegation & Enumeration", anyone else having issues using psexec like shown in the module? Hangs on file upload for me
What Type of Naive Bayes Classifiers are you using?
Look closely to how the http request is constructed.
DM me
Password Attacks - Attacking Windows Credential Manager
How come ||mimikatz|| didn't work but ||LaZagne worked||? Also what was the hint for that section, I already submitted the answer so I can't see it anymore.
I am needing some help on this Windows Event Logs but not able to post a picture or screenshot.
By examining the logs located in the "C:\Logs\PowershellExec" directory, determine the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: _.exe
I have tried injecting the unmanaged Powershell-like Dll into another process as shown earlier in the module but cant seem to find the .exe I am looking for in the logs. I changed the sysmonconfig.xml as well but not sure where to look next.
Nevermind, I was able to use a Get-WinEvent command to find my answer.
One hooks into different libraries. Also if you refresh the page it'll allow you to click the hint
Does anyone have RDP connection in LDAP Overview section like me? I can't sign in with provided credential.
Shouldn't need to specify domain as ws01
Have you tried to get an RDP connection using the workstation provided (e.g., pwnbox)?
I just tried it 😄
Switch to the EU VPN servers and if it still doesn't work reach out to support
Module: Active Directory Trust Attacks
Section: Skills Assessment
Question: Gain access to the DC05 (Fabricorp.ad) and submit the contents of the flag located in "C:\Users\Administrator\Desktop\flag.txt"
I'm stuck at this question, which is the last one, can anyone help please?
Might not be a reason but for sake of future encounters with special chars in passwords, wrap them in single quotes using xfreerdp
dm me
why doesnt the linux priv esc teach linpeas? or have i not gotten to that part?
It’s either you haven’t gotten to that part or it’s the fact that linpeas is easy to understand and execute
Hello for the web proxying module, is this the best place to discuss bugs found or do I reach out to the chat window on the site?
This is a good place
In the File Upload Attacks Skills Assessment: How do you guys capture the Post request when uploading something?
I only see the GET
#1234357888114364508 is where module specific bugs are often discussed, create a thread, show the bug and the owners/staff will/may act after
It seems like you have to put INLANEFREIGHT.LOCAL in username
weird tho shouldn't the machines be locally connected anyways
Thank you @fathom pendant @autumn pilot @digital pendant, I figured it out
Yeah. I noticed this warning about certificate, so I tried adding that domain name
I mean, the warnings are safe to ignore anyway
Depends on how the lab is set up
Yeah, just my luck to use that domain name and success
Sometimes settings, especially domain joined, require a domain name. Like inlanefreight.local
With htb the common domains you'll see are like "inlanefreight.local" and "freightlogistics.local"
dm me
Hello, can I confirm if I get the gold monthly subscription for HTB academy I will get 500 cubes every month added to my account?
Yes, you get exactly what it says on the tin. Every time it renews you get 500 cubes
Thank you very much
Hey guys, AD LDAP Skill assessment, last question... The htb-student just don't have non default privilege or am i dumb ?
Hey! I am stuck on the "Using Web Proxies" Skill assessment on the first question "The /lucky.php page has a button that appears to be disabled. Try to enable the button, and then click it to get the flag.". I tried using ZAP HUD and Burpsuite but it just doesn't want to work, anyone who can help me out?
Were you able to enable the button?
No
I've tried it with the ZAP HUD, but it doesn't seem to find a disabled button
Also tried it within Burpsuite but same issue there
Look at the response and see what you may be able to change to enable it
Well i'm using ZAP for the first time so i'm probably doing something wrong, but I can't seem to edit the Response?
I would remove the "disabled" part
idk i don't really use zap a whole lot. BS was a lot easier. instead of removing 'disabled' think about how you may be able to 'enable' the button.
Well within BS I enabled Response interception and turned on "Enable disabled form fields", which is what the module tells me to do, but the button still doesn't work
look at the code in the response, the button is controlled client side. think about how you may be able to turn a disabled button into an enabled button.
... how can you turn 'disabled' into 'enabled'.... that's the best hint i can give you
Ahhh got it to work, ||had to turn off intercept after editing the response and spam the button a few times||
If someone could give me a hint, i feel a bit lost for such a simple question
I'm doing linux fundamentals but each time i try to ssh my spawned target the server keeps closing my connection , i don't even get to put the password, any help on this ?
Are you connected via OpenVPN or the PwnBox?
via Open vpn, i pinged the target and it responded
is port 22 open?
which section specifically
because if i recall correctly there's like one or two sections that use an alt port for ssh
yes its open
can you show me what command you're trying?
system information and navigation
ok that one should be default
are you using the pwnbox or your own vm
(pwnbox being the in-browser vm)
that's the command
i'm using my own vm
sudo ip a | grep 'tun' how many tun connections do you have?
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
the response
so only one tun; and you tried resetting the target then waiting a few minutes i assume
did you try changing vpn regions?
yeah i tried resetting and changing vpn locations, funny i even used my kali on vmware and did the same thing on my virtualbox kali as well
and to be clear you're only running one vm with one vpn
yes only one vm and one vpn
not able to replicate on my end
Need some help? Learn how to reach the support team on Academy.
^ reach out to support
but it worked on HTB pwnbox when i used it some hours ago
(using pwnbox bc i'm too lazy to spin up my vm)
alright thanks
if it works on pwnbox then there's something with your vm/system that's causing the issue, and it's not on HTB end
even when i use different vms?
something would be wrong either:
- in your vm config somewhere
- in your router somewhere
if your router assigns a 10.x.x.x ip to your devices, you could be facing a weird conflict issue
Did anyone solve the "RDP and SOCKS Tunneling with SocksOverRDP" Section in the "Pivoting, Tunneling, and Port Forwarding" Module with ligolo-ng?
wait could having wrong regional time be the cause ?
don't believe so
i just noticed my machine has the correct time but the vm's both show 6jan and wrong time
ayt
yeah, it's super simple; you might need to run execution-policy bypass -scope process first on the windows machine if it's giving you trouble
Alright. How do I get the agent on the 2nd Host? Is there an easy way either from kali or Host 1?
scp?
not sure if thats possible, been a while since I did that module
Ahh since its RDP I just used /drive
Okay I find myself stuck on the seemingly simple question in the chapter "Generating Shellcode" of module Stack-Based Buffer Overflows on Linux x86. The question is: Submit the size of the stack space after overwriting the EIP as the answer. (Format: 0x00000) From my understanding, this means the space from the instruction pointer to the end of the stack, pointed to by the stack pointer, thus the answer should be address of EIP - address of ESP.
Using gdb I found the addresses of the registers:
eip = 0x56555551 in bowfunc; saved eip = 0x565555af
(gdb) x/x $esp
0xffffd184: 0xd4
That should be 0x00008 bytes. But its wrong. I dont understand what im missing
Documenting and Reporting Practice Lab --> Can't seem to get RDP working to get to the host:
xfreerdp /v:'10.129.87.41' /u:'htb-student' /p:'HTB_@cademy_stdnt!' /drive:/home/aria/Desktop /dynamic-resolution
[15:20:12:221] [18033:18038] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[15:20:12:221] [18033:18038] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[15:20:15:356] [18033:18038] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[15:20:15:356] [18033:18038] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[15:20:15:356] [18033:18038] [ERROR][com.freerdp.core] - freerdp_post_connect failed
Anyone know what's happening here?
I'm fighting with the imagebot on the LLM Output Attacks skill assessment. I haven't been able to obtain the admin key, so far. I've gotten a few formatting errors and DB errors and I even got it to hallucinate a key (I think). Would anyone be so kind as to give me a nudge in the right direction?
xfreerdp has the /drive: option
Module: Active Directory Trust Attacks
Section: Skills Assessment
Would like to check if anyone could help me at the first flag?. I cant find a way to privesc to the child domain.
DM me what you tried so far 🙂
Thanks. Message sent.
Bumping this. Even after machine reset, fails to work. Tried running this without dynamic resolution, as well as drive sharing. Cannot seem to RDP to this box
Hello! i'm figuring out how to get a flag for a module using pwnbox. anyone is available to help?:
I connected to the box in the browser, copied the file over. running the provided python script, it looks like it's using port 8000 on this pwnbox to validate. but nothing is running on it. (I'm not using the VPN)
I'm trying to get a flag for the "Model Evaluation (Spam Detection)" module of the Applications of AI in InfoSec course
ok, I figured it out. There is an option to spawn a pwnbox and a target VM. I started both and access the target vm from the pwnbox. worked, got the flag...
Module: Getting started
Section: Type of shells
Sorry if a bit unrelated. But I am doing some of my note taking in obsidian and I am copying some of the powershell or python commands to take note of them but they keep running and triggering my antivirus. Does anyone have any recommendations or what they do to take note of commands that may be "malicious"? Or should I not bother with making note of the reverse shells/binding shells?
Make an exception to that folder
In Obsidian or on my actual computer
ah nevermind, I got it. Thank you for the help
add your vault to exceptions, that way any new file in the vault won't get scanned
That was the fix I was searching for, thank you!
np
a software i was using when I started, thankfully, still had it in a buffer so it didn't wipe the page. just told me it was deleted
Hi guys, can I dm someone based off some questions from CPTS and hackthebox machines?
wdym 'from cpts' do you mean based on the cpts path?
yeaaa
Looking for some assistance on Windows Event Logs & Finding Evi - Skills Assessment.
I'm assuming one or two .dlls are the source of the injection, but I can't figure out how to find the process that did it.
It has to be the parent process, but I'm not sure how to get to that next layer of information with what I have.
I need a study session with you
Hello everyone.
I'm new in this forum, so forgive me please if I'm making a mistake asking for help here for a module.
I'm on this module: https://academy.hackthebox.com/module/49/section/1017 , the one about "NTFS vs. Share Permissions".
I have xfreerdp to the Windows client machine, I shared a folder as the example said, but I'm not able to use smbclient. It says Error NT_STATUS_IO_TIMEOUT.
I tried with my own Parrot machine and with the Pwnbox, but both do the same...
I also tried to recreate the target machine and the VPN, but still cannot connect.
Is there something I'm doing wrong? If you need my IPs from target or Pwnbox, tell me.
Thanks in advance for your time
Mmm... I thought that, but netstat says that 139 and 445 are listening, and both are ports for SMB, aren't they?
PS C:\Windows\System32\drivers\etc> netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 WS01:0 LISTENING
TCP 0.0.0.0:445 WS01:0 LISTENING
TCP 0.0.0.0:3389 WS01:0 LISTENING
TCP 0.0.0.0:5040 WS01:0 LISTENING
TCP 0.0.0.0:7680 WS01:0 LISTENING
TCP 0.0.0.0:49664 WS01:0 LISTENING
TCP 0.0.0.0:49665 WS01:0 LISTENING
TCP 0.0.0.0:49666 WS01:0 LISTENING
TCP 0.0.0.0:49667 WS01:0 LISTENING
TCP 0.0.0.0:49668 WS01:0 LISTENING
TCP 0.0.0.0:49669 WS01:0 LISTENING
TCP 0.0.0.0:65416 WS01:0 LISTENING
TCP target_ip:139 WS01:0 LISTENING
TCP target_ip:3389 mi_parrot_is_here:58924 ESTABLISHED
And I don't know... It feels like a following practice, it is strange that the machines won't allow you to try the lesson, don't you think?
uhu, trying 🙂 (firewall was my other suspect)
if it shows filtered then it's the firewall blocking the access
Firewall. The target was not answering even ping.
After disabling FW, now it seems that it should work
┌─[cheshire@parrot]─[~]
└──╼ $nmap target_ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-06 07:42 CET
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.10 seconds
┌─[cheshire@parrot]─[~]
└──╼ $
┌─[cheshire@parrot]─[~]
└──╼ $
┌─[cheshire@parrot]─[~]
└──╼ $nmap target_ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-06 07:43 CET
Nmap scan report for target_ip
Host is up (0.26s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 19.90 seconds
Thanks for the idea 😄
windows targets by default don't respond to ICMP echo; it's a default feature of windows
if you would have scanned with -Pn you would have gotten results without needing to disable fw
and in-general a client/employer would be unhappy with you disabling the firewall on a system
Yes, that is true, but it wasn't allowing me even do the SMB practice.. Firewall was in the middle.
What does -Pn? I didn't reach nmap lesson yet.
And yep, I know that is a brute solution, but I only was trying to follow the lesson 🙂
especially for something that would be a routine administrative task, like setting up a fileshare
-Pn -> don't send ICMP echo request (ping) to test if the host is up, you're essentially telling NMAP 'trust me bro, it's up'
Interesting, thank you 🙂
https://nmap.org/book/man.html <the RTFM pages for nmap
Since SMB (445) is not accessible externally, you can’t enumerate shares from your machine using smbclient. However, once connected via RDP, you can access the shares directly from the Windows system.
actually nothing in that netstat shows only available locally
i see the wildcard 0.0.0.0 which is a stand-in for 'all-interfaces' but nothing that indicated localhost
the error was a timeout, which generally is when the system times out making a request. Nothing to do with it being open or not.
if it was a firewall issue or it not being accessible -> NT_STATUS_CONNECTION_REFUSED
In this case, the firewall is silently dropping (filtering) SMB traffic rather than rejecting it, which results in the NT_STATUS_IO_TIMEOUT error.
no, what they've only shown is that they were able to get an nmap scan through. Not that the smbclient timeout issue was resolved
These labs aren't set up in a way to silently drop packets, that'd be cruel and unusual punishment for beginners
So if one has an annual Silver plan couldn't they just use the walkthrough answers if they wanted to stack cubes? There is a module I want to buy but its 1000 cubes, lol
sure but they'd really only be hurting themselves
Not if they go back and actually do the exercises, haha
but do you really expect them to do that?
also it'd be leagues cheaper to just buy plat monthly then cancel for the cubes
Why did the CWES get rid of the FFUF module?
Is it not maintained anymore or something?
There is a newer module that covers more than just ffuf
Module: “Attacking AI – Application and System”, section: skills assessment (RootLocker MCP server).
I am kind of stuck on this module, is it possible to give a hint or a way out?
Note that tools/list only shows store_file and store_password, resources/list only shows the five simple resources, and repeated resets never expose additional tools.
Then how do you explain this - before disabling Windows Defender Firewall, Nmap showed 445 filtered, the packet trace had no SYN-ACKs, and smbclient timed out (NT_STATUS_IO_TIMEOUT). After disabling it, Nmap saw the port open, SYN-ACKs were received, and smbclient returned NT_STATUS_ACCESS_DENIED. This proves the timeout was caused by the firewall silently dropping packets, not the SMB service itself.
Im not seeing where that was said unless you dmed them to troubleshoot
Good morning everyone. Please I need your assistance in the Incident Handling Process skill assessment last question. I’m finding it very difficult to input the format.
Wym
try one slash in between
as the example showed
I appreciate your response. I’m still finding it difficult
you mean it is not working
Yes
maybe check forums on this topic, and see what others have tried
Guys any help here, im really confused
I already have the silver plan tho, haha. I want to do the CJCA, but also want to do one of the other 3, but also really want to do the OSINT course but it's 1000 cubes 😭
Some phenomenal content so far
I need help with this question. I've tried but no success.
In the same file (i.e., logs-wazuh.zip), identify the user who executed the suspicious PowerShell command. The format is domain \user.
Hi I'm having trouble spawning my target on acl at AD enumeration and attacks
It wasn't said anywhere, I did it myself. You can test it yourself if you'd like.
Hey, I’m stuck on the LFI skill assessment. I can’t get the file to execute, I’m on the last step. Could someone give me a hint? I’d really appreciate it!
"RDP and SOCKS Tunneling with SocksOverRDP" Section in the "Pivoting, Tunneling, and Port Forwarding" Module:
I have my ligolo-agents running on Host 1 (10.129.42.198/172.16.5.150) and Host 2 (172.16.5.19), with Host 2 being connected via Listener to Host 1. Why can't I access Host 3 (172.16.6.155)?
You can come dm to avoid spoiling
Because I'm not sure which file you are talking about
I can reach it, but the RDP client says "Failed to connect"
I mean I wanted to study together. Anyways here’s some help maybe? I’m learning.
So the question may be asking how much space exists after the saved return address and not the instruction pointer register.
Find where saved EIP is on the stack and calculate how many bytes exist after the stack frame.
Hope this helps.
Oh My bad, yes for sure id like that
Oh I understand now
I think i confused the saved return address with the IP register
Well that was stupid
It’s all good 👍
Module: Windows Privesc
Section: Interacting with Users
The hint tells to check for writable file share but they are either READ ONLY or NO ACCESS, what am I missing here?
Might be subdirectories
Yup in fact thanks. How do I know when the subfolder is writable or not ? Looks like icacls always gives me (RX)
I need assistance on the assembling and disassembling module. The lab wants me to download the disasm.zip file (which I did) inside the pwnbox but when I go to extract it and it's completed, nothing happens and wont let me open anything
How can I fix this error when connecting with xfreerdp?
Nevermind! I just extracted the file to the desktop and used cat to find the flag
maybe a config error in /etc/krb5.conf
I downloaded a newer version of freerdp and the command is xfreerdp3, try that
I use xfreerdp3
I had a quick question about this weird issue I'm having for the File Upload Attacks - Skills Assessment - File Upload Attacks section where I was not getting a web shell in one Burp repeater tab and then I created a new repeater request and it worked? I was trying to figure out why this is the case so I tried copying and pasting the request that was working to the repeater tab that failed, and this still failed for some reason while it works on the other tab? anyone know why this happens so i can avoid this in the future?
Any possible nudge for Injection attacks - Skills assessment ?
I have generated a PDF, found the injection point for it, found the internal web page with the search function. I am aware that there should be an XPATH injection now, in that search parameter, but I'm unsure on how to proceed with it
I feel genuinely stupid - I can't seem to get anywhere for the Documenting & Reporting lab. I've used a tool to capture hashes, none of which seem to get me anywhere. I used one of them to pull the SAM and SYSTEM hives. The Admin hash it gives doesn't get me anywhere. Can I get a nudge or something? Please @ with responses
you can dm
Module: attacking corporate WiFi - abusing the guest network. The default browser and chrome both fail to open in the rdp session. Anyone else do this module? Any help appreciated
Hello!
Do I get to keep access to modules I entered with the annual subscription when the subscription expires?
Only if you complete the module
All modules that you have completed within the subscription are yours to keep.
I am currently in the skill assessment for Kerberos attacks section and i am on the last question viewing the secret share however i have tried coercing isn’t spoolersample and i have tried printer bug and none have worked i tried renewing the tickets, i have tried passing the ticket. I tried server01 and Jake.kirk user however still nothing i tried kerbrelayx but i couldn’t do that either. If you can reach out to me that would be great.
How can I enter the skill assessment's target?
it keeps showing me 400 bad request
https://academy.hackthebox.com/module/33/section/518
SQLi fundamentals
I have CA portswigger certification
what is the issue
module/21/section/128 -> introduction to bash scripting (section 7/10), the last question
I'm not getting the question, or what it's asking..and even when I solve the script, I believe in the intended way, it doesn't work
I'm guessing the answer is either the number of characters in the 28th result or just the 28th result itself.
it doesn't work, and the 28th result is too big to provide it as an answer, i think..and then, the script I'm supposed to edit, is using the value produced to decrypt a flag, and I'm thinking i should be submitting the flag, though it doesn't decrypt
ok wait dm me so I can see the script and help further (I haven't done this module yet)
anyone?
be careful how you echo
Hey peeps. hoping someone can point me in the direction of what im doin wrong. im in android fundamentals assessments last question. ive downloaded the new zip file, opened it, build, Generate signed app bundle or apk. i then open the app and still get Hello Android! flag, which isnt working. any pointers?
please can anyone help me with smtp here please?
what academy module is this related to?
email campaign
that's not an academy module
that means am not getting it right
but do you understand what i need?
Yes, and no; you're not gonna find anything like that here. No one is going to help you with your shit, we're going to operate under the assumption what you need it for is illegal
pls dm me
nop its not illegal
could someone help me as well please?
no
haha im in android fundamentals last part last question. i import the new file on a fresh pixel 3, sign it and reload it and the words i get dont seem to be the flag
ok what is the task please?
Sign the application myapp.apk and install it by either dragging and dropping it onto the device or using ADB. Make sure to first uninstall any previous versions of the app. After installation, tap on the app to start it. What is the message printed on the screen?
on it
on android?
yep
am using rdp
Password attacks -> Attacking Windows Credential Manager
in this module, we were supposed to exploit credential manager, and we have to use UAC bypass to get admin privileges , i did and using mimikatz didn't give me password for mcharles , but other users were able to extract it using the same technique as mine, i wanted to leave it here if there are not more techniques should be performed, i have done this module before
@silk lagoon
maybe you guys can rewrite that question?..feels like it's not structured very well
but i got it, thanks
the example is in the exercise code, no?
the 'intended' way to do this challenge, based on what has been covered in the previous sections, doesn't work, the issue being the consideration of newlines
ah yeah sorry brain mixed up examples
Any chance a mod has a min to check this module out?
unfortunately mods are not responsible for this, but if you think this is issue from HTB, then contact support
That’s what I thought I was doing- thanks
Is it just me or is the Windows Event Logs & Finding Evil module quite difficult as compared to the rest of the modules in CJCA
I had no issues if you want you can dm me so I don’t spoil the command
Even now looking back at my notes I followed everything in the reading section and was able to get mcharles
yeah, it was probably because i spent too much time on the target i guess, i don't really remember the module being hard af, so i just skipped but thank you for clarification
yeah the module shows how we can enumerate the credentials that are stored, then we can use a command to impersonate that stored user. Then here you would bypass UAC and use mimikatz.
yep, exactly like that, some environmental issues didn't show it i guess
on then prob the command inside mimikatz.exe; because I had that same issue, it wasn't the typical sekurlsa..
i used the one shown in the course, starting with sekurlsa
yeah then that is why
HTB doing HTB things, making things interesting by making you think differently there and there
Hey everyone, got a question about the Information Gathering - Web Edition module specifically the Subdomain Bruteforcing section, in the question i suppose to enumerate the domain using dnsenum/fierce or any of the other tools, i scanned it several times with each of the tools but im still not getting much, here is the domain i got from each of the commands:
dnsenum:
dnsenum --enum inlanefreight.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
Brute forcing with /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt:
www.inlanefreight.com. 30 IN A 134.209.24.248
ns1.inlanefreight.com. 95 IN A 178.128.39.165
ns2.inlanefreight.com. 95 IN A 206.189.119.186
ns3.inlanefreight.com. 30 IN A 134.209.24.248
fierce:
fierce --domain inlanefreight.com --subdomain-file /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
NS: failure
SOA: a.gtld-servers.net. (192.5.6.30)
Zone: failure
Wildcard: failure
Found: www.inlanefreight.com. (134.209.24.248)
Nearby:
{'134.209.24.245': '1266637.cloudwaysapps.com.',
'134.209.24.248': 'inlanefreight.com.',
'134.209.24.252': '1322472.cloudwaysapps.com.'}
Found: ns1.inlanefreight.com. (178.128.39.165)
Nearby:
{'178.128.39.168': 'fdcb359d-fe9f-47d8-ae22-95ee8b233a63.fs.lucidlink.com.'}
Found: ns2.inlanefreight.com. (206.189.119.186)
Nearby:
{'206.189.119.185': '344738.cloudwaysapps.com.'}
Found: ns3.inlanefreight.com. (134.209.24.248)
Found: customer.inlanefreight.com. (134.209.24.248)
For some reason i didn't even find the support subdomain, any idea what im doing wrong?
@dusk holly imma dm you
What question is it?
"
Using the known subdomains for inlanefreight.com (www, ns1, ns2, ns3, blog, support, customer), find any missing subdomains by brute-forcing possible domain names. Provide your answer with the complete subdomain, e.g., www.inlanefreight.com.
"
in the "Subdomain Bruteforcing" section, it's the only question at the bottom of the page
im using the same command as in the example: "
Adam369@htb[/htb]$ dnsenum --enum inlanefreight.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
dnsenum VERSION:1.2.6
----- inlanefreight.com -----
Host's addresses:
inlanefreight.com. 300 IN A 134.209.24.248
[...]
Brute forcing with /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt:
www.inlanefreight.com. 300 IN A 134.209.24.248
support.inlanefreight.com. 300 IN A 134.209.24.248
[...]
done.
"
And im not finding the support subdomain like in the example
But you got the answer?
no because the answer is a subdomain i should find and it's not any one of these
I’m checking, it’s been a while..
thanks
I am getting the right results
you run the same command and getting more subdomains?
Yeah
"dnsenum --enum inlanefreight.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt "
just to be sure
Yessir
i even connected via VPN to HTB academy and still same result
any idea what im doing wrong?
When i go to the website via browser it's just a blank white page
Yes i tried without the vpn and i can access other websites without a problem
I'll check that in a bit and let you know
I’ve been stuck in the Incident Handling Process module, trying to answer the question;
During recovery, IOCs are still observed intermittently. Should recovery proceed, or should the case be escalated back to the investigation phase? Answer Format: Recovery/Investigation
anyone have any hints or tips could give me?
Hi! I found the flag for the SQLMap Essentials' skills assessment. However, whenever I supplied the flag, it keeps saying wrong answer. Please, what am I doing wrong?
Make sure that there aren't any spaces before and after the text
Also that it's in format HTB{FLAG}
There are no spaces and also it is in the HTB{FLAG} format!
You can DM me if you want
Alright. Thanks!
Checked it again in the machine and outside of it the website loads up, im scanning it again to see if i get a different result
still same result found only the customer subdomain
Hi
Doing the skills assessment for the CLI PS and got stuck on this Use the tasklist command to print running processes and then sort them in reverse order by name. The name of the process that begins with "vm" is the flag for this user.
Used tasklist | sort / R got 3 exes that start with vm but no matter how or which I try it won't accept it
yo guys
why it doesn't accept answer: DHCP Request , for question: What type of message does a client send to accept an IP address from a DHCP server?
this should be it
im on attacking web applications -> attacking splunk
im configuring the splunk reverse shell as a splunk base application, that i should upload to get a reverse shell.
the module says:
We need the .bat file, which will run when the application is deployed and execute the PowerShell one-liner.
Attacking Splunk
@ECHO OFF
PowerShell.exe -exec bypass -w hidden -Command "& '%~dpn0.ps1'"
Exit
the reverse shell, powershell script is named run.ps1, as the module packages the application folder here:
splunk_shell/
splunk_shell/bin/
splunk_shell/bin/rev.py
splunk_shell/bin/run.bat
splunk_shell/bin/run.ps1
splunk_shell/default/
splunk_shell/default/inputs.conf
what exactly was the -Command "& '%~dpn0.ps1'" part above ?
shouldnt it be named run.ps1 ?
try DHCPREQUEST
it doesn't work
mind the gap maybe
tried it as well, not accepting it. DHCP REQUEST
I am currently in the skill assessment for Kerberos attacks section and i am on the last question viewing the secret share however i have tried coercing isn’t spoolersample and i have tried printer bug and none have worked i tried renewing the tickets, i have tried passing the ticket. I tried server01 and Jake.kirk user however still nothing i tried kerbrelayx but i couldn’t do that either. If you can reach out to me that would be great.
You can send me a DM on what you have tried.
Hi! im currently working on the network enumeration portion on HTB academy and its wanting me to " Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.". I identified all the ports, found port 31337/tcp STATE:OPEN SERVICE:Elite. I said hmm sus. so tried to grab the banner with --script banner,default which returned the banner with what i believe to be the flag its formatted like this HTB{leetspeek string} but when i submit its saying the answer is incorrect? am I looking in the wrong place here?
check that there are no trailing spaces
when u copy/paste
No
im at a loss then am I allowed to show you guys what im looking at here?
You can ask to DM someone if you feel like you need to reveal more info, but I can't do that myself right now I'm working
i found it. the flag was in fact a different one from the one i was looking at
you probably found the flag for a different question then
in the file upload attacks client side validation i cannot click the upload button, it does not react and gives no options to upload a file. i have tried different browsers. anybody got an idea how to fix it?
i think you click the picture or something
no way it is indeed just clicking the picture
yeah i think you first select which pic you want to upload, then you can click the upload button after. but i forget exactly.
yes, thank you. took a long time to find it
can someone please help, i think the Oracle TNS section within Footprinting is broken. Or if so can someone help me install odat and sqlplus. I mentioned this already a week ago and got some silence :/ I have completed every other section in Footprinting and really want to get it done today. If anyone can help I would REALLY appreciate it.
i am using the web based parrot linux
nvm i fixed it but boy is it a lot of hassle
thank god chat gpt exists because deadass if i tried this 5 years ago id give up
I am currently working on the File Inclusion module and focusing on the Basic Bypasses challenge. This web application has several filters to prevent Local File Inclusion (LFI) attacks. My goal is to bypass these filters and read the file /flag.txt.
I have already found the flag, but I think I wasn't supposed to do it like that.
Do I have to find other directories and then path traverse to the flag with this command:
ffuf -u "http://94.237.61.202:47604/index.php?language=./languages/FUZZ" -w /usr/share/seclists/Discovery/Web-Content/common.txt
sign the app, install it and open it
make sure you are using the app from question 4
the path? you can but it's not recommended, that being said if I were to jump around I'd be prioritizing the theory modules, then the web, then the AD, then the networking(pivoting), and finally the privilege escalation and documenting
this is rn
vulnerability assessment is genuine helll bro
its so boring
genuinely falling asleep
While I agree that it's a bit of a boring module, it is rather important for you to understand how to use these tools as they're pretty standard
idk the extensive reading in cpts is like insane
im mainly doing cpts just for the sake of it im still in high school dont ban me ive already done the form and stuff and had to go thru a mod to be here
So, I'm working on the "Weak Permissions" section of Windows Privilege Escalation, and it's not letting me change the service binary path for WindscribeService. I'm not sure why. There's no instruction for opening the PS in administrative mode and there's no way to do it anyway because I don't have the admin pass here.
im mainly a coder but i thought pen testing would be a good skill to have bc i havent had goals in years so im trying to like do something and the boringness and extensive reading is making it so unmotivating
and im not at the point where i can just spam machines and learn from that
Thanks. Im sure ive done that, but not getting the right flag.
i have the student thing so i can particpate in all paths is cpts as interactive as it gets with pen testing
honestly spamming machines isn't going to get you anywhere without the right mindset and resources, truth be told unless you're reading writeups you'll still be reading a lot, only this time it'll be from various sources without a provided methodology unlike the modules
yeah so i havent really tried that
idk im on the vulnerability testing and even with previous modules the amount of reading is genuinely ridiculous and the lack of interactivity is insane
im not sure what to do tbh
I mean you can follow along with that module, a pwnbox and a target running the vulnerability scanners is provided
does the interactivity increase from this point on
like idk i js want it to get funner
I got a flag, but it didn't work.
The flag starts with "7h15" Please provide me some hint?
Module: JAVASCRIPT DEOBFUSCATION
Section: Decoding
URL: https://academy.hackthebox.com/module/41/section/445
like not even trying to be immature or impatient but like for example with coding right im pretty good like i was able to code a fully functional graphics windows animations and mouse and keyboard and everything for a game and that was super interesting
like im js trying to look for that interest again
never been excited to code 6k lines you know what i mean
That is not what the flag starts with. It starts with HTB{
Does anyone know why this path is locked? I've searched for the path and it doesn't show up, is it something that only a subscription or certain certification unlocks?
So if you intend on doing the CPTS exam, I recommend reading as it will explain quite of useful information for when its time to document your findings in a report. If this is just for personal enjoyment, then just read whatever you would like! 🙂
https://academy.hackthebox.com/paths/jobrole path is at the bottom here
well i really want to do the exam and get the cert
You're the best! Thanks SuperNuts!
but im asking if its as painstakingly boring as vulnerability assessment or such like rly reading modules and not as interactive idk if id be super interested
The exam consists in producing a report. If you do not produce a report up to HTB's standards, then you will not get a passing grade
im not concerned with writing a report
i mean of the actual course like learning
is it this boring all the way through or does it get more interactive
Thank you for your reply.
I just realized what this means.
"serial=YOUR_DECODED_OUTPUT".
I had to replace YOUR_DECODED_OUTPUT with the decoded string.
The course in general or just this module?
general
like forward from here
because this is by far the worst ive seen in terms of like just text
ah yes, I would say the vuln assessment module is more formal than the other. But the formal work is required at some point in the work of a pen tester.
we know based on your roles ;)
ok so with this, I tried going backwards and replacing the SecurityService.exe with a msfvenom package, but my listener isn't picking up on it after I sc start SecurityService
and then when I try to do the sc config on WindscribeService I get this error
Hi
It doesn't work because when you type sc in PowerShell, you are using the alias for the Set-Content command. Therefore, you would not be using the sc.exe binary. Try use cmd
use sc.exe instead of sc
as Daemon said, it's an alias
Anyone can help me in the LFI assessment?
Ask your question directly, more people tend to help in that way
what module is this from?
this is \SOC Analyst path\ Windows Event Logs & Finding Evil\ Tapping Into ETW
thanks lol because searching silkETW and seatbelt threw up a bunch of diff stuff
i deleted the message because the module is tier 2 but i'll check what you may be missing gimme a sec
sure
There's another Get; did you run ETW and replicate the attack.
Got the solution thanks bro!
Haven't done this model but here's a list of headers, might be helpful
HTB, regarding the "Abusing HTTP Misconfigurations" module. I'm curious how we were supposed to know the vhost httpattacks.htb ? The vhost was needed for completing the content.
As "httpattacks" is not a part of any known wordlist, it's impossible to fuzz the domain.
The vhost was given in the Annual Subscription "Walkthrough" feature and luckily someone nudged it from there. The module content has no mention of the vhost whatsoever... Not through hints either.
hi any one here?
Feels like im missing something but not sure what
is it important to actually know how to subnet a CIDR to be successful in Career apart from exam? I mean I know how to understand that, like Network address, subnet mask, broadcast address, usable address, etc. But I don't know how to subnet that mathematically like if 192.168.32.0/23 is given, Do I really need to know that or I can just use some online website or AI if i want to subnet that ?
how to subnet is generally only gonna be network admin; however understanding how they work is generally gonna be universal
Cool, I understand how it works but I hate the math part where I want to actually get ( Network address, broadcast address, no of host) from the CIDR.
well there's several bits to understand regarding cidr notation; the two major bits are the network and the subnet mask
there was actually a whole thing about this like yesterday in the chat
subnet masks are always filled left to right, and will never have gaps.
11111111.11101110.11111111.00000000 will be an invalid mask.
The notation is ip/B where /B represents the number of left-justified (filled left to right) bits the subnet mask has (max of 32 for IPv4)
the ip is generally gonna be the host ip
i'm just waiting to see if you respond or have a question lol
actually the convo happened in #general
yeah, I am just processing the info you conveyed.
This wouldn't be the first time i've broken this down LMAO; there's probably several different instances of me breaking it down
Yeah, I know you are obsessed with this networking/subnetting part lol. I saw several times that you mentioned you are revising some subnetting parts from your old notes and explaining those to individuals.
someone had a similar question re subnets and stuff yesterday; #general message you can read from there :)
Thank you 👍
File upload attacks whitelist filters. Has anybody done it through character injection i wanna know how you got it to work. I only have done it the other way
hard stuck at the final question of footprinting dns module
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
|| dnsenum --dnsserver 10.129.172.166 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb ||
above is the 1st scan that i've performed
i'll send the 2nd one in dm only cause it'll be a spoiler
pls confirm if i'm doing it right T~T
if you need help, dont ask to ask and ask a specific question and tell people the module and section you're on
subdomains of subdomains; focus on a subdomain you haven't before; start small go big with wordlists
just saying "i need help" wont get any response
did that
can i dm you regarding that ?
i was just going over vague nudges; you can dm
my apologies, forgive me for my inconvenience
information security foundation is the module
setting up is the section in that
and VPS Hardening is sub section
i am stuck on this question mentioned below
Q What does the acronym Linux PAM stand for?
i have used every possible answer to this question but it won't budge plz help i have written Linux
Pluggable
Authentication
Modules
just the PAM part, not Linux
Pluggable Authentication Modules tried this did not work
Make sure you don't have additional spaces anywhere
Go to sleep
you're not my real mom
ok thanks it worked
can anyone help with booting Android_Forensics_AVD on linux? other avd image works, but provided by the course not working
How much cubes is this exactly?
It does not state how many cubes you get for buying this gift card
because the gift card can be used for more than cubes
though it'd be smarter to buy a monthly sub instead; far cheaper/better value
Oh yeah, but my work might find it easier to buy the gift card themselves and then send the code to my email, rather than me buying it then submitting a form to get it expensed back.
I mean either works but the gift card option just makes it easier for my work
the gift card option does not really say how much £100 is but I assumed its like 1000 cubes
i'm just stating that rather than buying cubes outright you'll get better mileage out of monthly subs
more cubes for same price over an increased period of time
if you need all 1000 cubes right away, that's a different story
for instance these are the 2 higher tier monthly subs; (note that the discount is the comparison to its cube equivalent, not that it gives you that discount for purchasing cubes while the sub is active)
Thank you very much for your help
Hi everybody!
In Active Directory Module in the Domain Trusts Primer section (https://academy.hackthebox.com/module/143/section/1488) there's a PowerView function which allows listing domain users. Within the section an example of that function is shown Get-DomainUser -Domain CHILD_DOMAIN. After I connected to the target via RDP, imported PowerView and ran that command to list domain users of the child's domain, I got an error. The trust between domains is bidirectional, which means that I should be able to list users within the child's domain?
Is there any chance someone can give me a hint in the direction to understand why I can't list users in the child's domain?
I think that is just setup to provide an example and doesn't have the other hosts available in that lab. Try it again on later labs where those hosts are actually up.
Hey y'all! A little doubt here. I was doing the Introduction to Threat Hunting & Hunting With Elastic module and in the part of Hunting for stuxbot at the moment of seeking the file download I notice that there's another event from the file.io domain like 1 sec after, but, I do not know why it appears as www.file.io and the resolved ips are different. Could anyone light me up ? Thanks in advance.
thank you very much🙌
any one can give a little tip for Wi-Fi Evil Twin Attacks - Skills Assessment second question?
I think i am doing everything correct but cannot get the reverse
I have finished 2 modules for js deobfuscation (js deobfuscation & secure code:101)
But I can't see any info about VM decompilation since it's the top obfuscation technique used by malwares specially with js and a browser .. also the modules haven't cover anti-debugging techniques and how to get around them .. the module are not covering real world scenarios it's just for basics and i can admit they helped me a lot getting better understanding but unfortunately not covering the most disgusting parts this made me stuck a lot when facing an anti-debug codes or VM based execution
because they are not advanced modules, this is what they are made for
hi
i need some help
im trying to install parrot os security vm
but after I start the installation , its stuck at 34 % and says that disk space is full
although I've allocated 25 gb to the vm and the base is 20 gb
so how
what do i do
maybe ask AI
I juiced deepseek and chatgpt
bruh I can't get it to work
hi so i recently started the cwes and im at Using Web Proxies more specifically Using Web Proxies and everything's good i get the fuzzed admin directory but when i try to view it in my browser it shows a blank page im not sure what the issue is ive done this box 5 times now with different tools/methods but always get stuck at the browser thanks for any help 🙂
English is not my first language sorry if i made a mistake
You can shoot me a DM with what you are seeing and trying.
Thanks 🙏🏼🙏🏼 I'll do this later if that's ok I'm at work
Not a problem
does the screen being black here
indicates anything ( it should be a parrot light blue background )
and are these errors a problem
yo guys, im on attacking common applications, PRTG network monitor section
it is vulnerable to the command injection being told about in the section
however its not working for me, no matter what payload i use
i also copied and pasted the section's command to create a user on the system, didnt work
a PoC from metasploit worked, however, i still cant do it manually
dm me
hi so i dont seem to have the footprinting wordlist and i cant move forward
what can i do
i dont have the resources tab
or button
I've created an erratum post about this, as another user has the same issue and after checking my notes, this wordlist was provided when I went through the module. For the time being, I would either move on or try small username wordlists to see if they might work.
it was provided in the afternoon but i had to attend a meeting and closed the laptop and now i have opened it and it disappeared
i left metasploit running so it should have given the answer
does the post have a solution in it?
Have you done the Attacking Common Services module?
found a solution like i can change any ending to the resources so i added the footprinting and thats it
https://academy.hackthebox.com/storage/resources/Footprinting-wordlist.zip
this only works if the name is stored that way on the server
I am a bit stuck of getting a phpcmd shell, i see when i did burpsuite sniper attack for successful upload but cant seem to get the web page to execute the code to then read the /flag.txt 🙁
https://academy.hackthebox.com/module/136/section/1289
Hi, I've been having a couple of issues with finding the answers in the Windows Privilege Escalation - Further Credential Theft module. I've managed to find the first question's answer, but I couldnt find the answers for the next 3 questions. I've exhausted all the techniques taught in this module, as well as the previous modules. Can I get a hint on how to continue? found the issue 🤦
Well those 3 rely on each other so you need to answer question 2 before being able to use the techniques to find the answers for questions 3 and 4. I suggest thinking dumber, the question is asking "Which user has credentials stored for RDP access to the WEB01 host". What often happens when credentials are stored?
I know that stored credentials for RDP can be accessed using ||cmdkey /list||, but I tried that while on the jordan user and didnt see anything
Think even dumber than that. Think down to the purpose of stored credentials
I guess, to make it easier to login to a service or computer without having to enter credentials multiple times?
Good, now go from there.
Did you end up figuring this one out?? I thought I knew the path for sure but nothing has worked. I tried giving it a fresh set of eyes and trying some different attacks but nothing is working for me
Well, I've tried to check in the PuTTY and RDC applications, to hopefully find maybe a prompt asking to provide the password for a user, but unfortunately I couldnt find anything (I dont think there is a WEB01 host either on the network, but that might just be me). I've also tried poking around the Firefox and Chrome browsers to see if any stored credentials have been saved there, but to no avail. Currently the only stored credentials I've discovered are in DbVisualizer, which was the answer for part 1
Well check again, sometimes stored credentials don't show up unless you specify a target to connect to
yes I've tried specifying WEB01, WINLPE-WEB01 and WEB01.inlanefreight.local, all of which returned an error that there is no such host
Yes, just simply double check the Domain SID you're providing.
Get-DomainSID was giving me the SID of the child domain for some reason.
I tried Get-Domain "inlanefreigh.ad" and got the correct one.
DM me
Thanks! I just checked my notes and it's definitely the wrong domain SID. Thanks a lot!
For those having the same issue with Windows Privilege Escalation - Further Credential theft:
- ensure you are using the right credentials shown above the questions. they may have changed.
hi im having rdp issues on windows priv esc. instructions were to rdp to even begin but i cant do that.
both remmina and xfreerdp are not working for me
nvm, switched academy servers, and remmina worked
hey friends currently at attacking common services module. Question I am working on is "what's the password for the username "jason" " I ran nxc smb but it did not return anything, why is that? I also tried hydra and it found 0 valid password. also already reset the target
iirc you may need to add -local-auth to nxc
~~is there a way to background the msfconsole multi handler waiting for a connection? ~~(exploit -j works)
Hi
Anyone can help me for "XPath - Blind Exploitation" module?
Sorry, i'm doing https://academy.hackthebox.com/module/67/section/2502 but i can't spawn the target. What's up with htb academy? Where can i contact the support?
Need to speak to a person? Learn how to reach our support via HTB Labs.
thank you
stuck a bit on the skill assessment
Anyone doing android dynamic analysis module?
I am using frida version 17.4.1.
I am getting error "TypeError: not a function at onEnter" when I run the script provided in Hooking Native Methods section.
I was also getting error at findBaseAddress function but I replaced it with process.enumerateModules to get the base address of the module.
can i dm anyone who has done NTLM Relay Attacks ?
hi please i got a question
I can successfully access the HTB target web page using the machine ip and when The page loads normally for about 1 second, then my browser automatically redirects me to an unrelated public website (money/currency–type site)...
why.
I was looking for a course on the DuckyScript, or something similar, but I couldn't find it. Is there a course like that, or if not is there a chance it would be created?
What module/section is this occurring?
You can DM
can i DM you for password attacks skills assessment
Sure
Does HTB have a status page so that we can check for service statuses and outages? I'm working on the Kerberos attacks module and the powershell over RDP is so unresponsive it's barely functional at all - assuming i even get a connection.
A little Google Fu https://status.hackthebox.com/
You might need to play with using a different VPN config.
This article has some troubleshooting steps you can try that might help with the lab env
https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn
Strange. The page says no issues. No connection. I've refreshed a few times... new VPN server, refreshed, deleted the vpn file, reconnected and it either won't connect or when it does... it is so maddeningly slow as to be unusable. Good luck copying and pasting tickets from Rubeus with that kind of unresponsiveness.
I've been using these kinds of fora and platforms for years. .....
Which Kerberos Attacks section are you working on? I can check my end and if it seems solid pass along what I am using.
Unconstrained Delegation - Computers
I finished the module yesterday but am going over some stuff to check my execution/ workflow. Worked sort of OK but was also really slow
I have a slight lag on US Academy 5 (medium load) using UDP, but definitely able to run Rubeus and copy/paste output.
have also just switched to a US server with supposed low load and it only connected after 4 tries. Will check the latency, if not to standard I'll wait a day or 2 and try later.
same here
Hi I've started the SOC Analyst and keep getting this message in my virtual machine everytime I try to connect to the hive
Unable to connect
Firefox can’t establish a connection to the server at 10.129.238.130.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the web.
VPN is up ?
Learn about the Hack The Box VPN, when and why it's needed, and how to use it.
You have to download a vpn config file to access the HTB network. But everything is well explained in the link above
hi can i ask for help when answering a module question here
I am having some trouble on the skills assessment for the Intro to x86 assembly module. I believe I have successfully disassembled and decoded the provided shellcode. But I can't seem to get the key. Decoded shellcode is sitting on the stack at $rsp.
sometimes you have to give it a few minutes after spawn; it can take up to like 5 minutes from what i've seen
Quick question since I'm kinda lost in the Intro to assembly language skill assessment, what exactly do I have to put as the answer on the first question?
https://academy.hackthebox.com/module/85/section/875 this section?
if so there's a flag within it that's in the format HTB{..}
The skill assesment one Disassemble 'loaded_shellcode' and modify its assembly code to decode the shellcode, by adding a loop to 'xor' each 8-bytes on the stack with the key in 'rbx'.
Ah I didnt do that one, but the answer will be the output of it
I see, thank you
@vague dome, Im on the same one. Can’t get the decoded shellcode to run.
Can someone please give me a hint for the File Inclusion/Automated Scanning module? I started by typing the following command but I'm getting tons of 200's:
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287
Its backticks, not quotes
got it
``` at the top and bottom
Anyway gimme a sec to pull it up and see if I can figure it out
sure, ty
Your filter size is wrong
because it is.... LOL
hmm
you're getting a bunch of 200 requests... yeah? and what size do THOSE requests have in common
(don't answer that, just getting you to think logically)
gonna look at the output again
the example filter size is just that an example, based off the example results
They are all 2309 in size ...
so that may mean
that's the thread to follow 😉
i'm also deleting it so that others can't just cheat their way through (ik it's a tier 0, just rather push the way than have someone tell them)
yeah yeah no problem
tbh though, it's so much info I'm ingesting that I wasn't even sure what -fs was doing
the LFI lists from the reading should get you the rest of the way
so ffuf has two parallel filtering types -f[type] and -m[type]; -f[type] filters out the [type] based on what you specify; so -fc 404 (which is the default iirc) will filter OUT (so it excludes) any responses with code 404 (not found) from the output. the -m[type] filters IN what's specified, and only includes results with your matched filters
you can do ffuf --help to see all the options; or man ffuf to see what all you can do
I thought it was for "filter size"
hence when I did -fs 2309 it excluded all of them
-fs -> filter OUT size
I agree I should've read the ffuf man
got it
meaning that if the result contains the size you specified, it doesn't get shown in your output
-fs: filters out by size and -fc: filters out by code
yup :)
makes sense
but you do know what a response you don't want looks like :D
so you just go for it and then filter it out according to what you need
yup
The examples and lab are a way to build up the thought process; because you WILL get 200 codes... because index.php does, in fact, exist
yeah
it's also a way to make you think that a response code doesn't necessarily mean it's what you want
even 403 (forbidden) errors can be useful to look at sometimes
pretty cool
these kinda moments is when I realize that I still have a few more years before AI can do it like people like you can today
I think the thing that people often overlook when doing the modules (in general) is that they're attempting to teach you a way to think about the problem, just because the lab doesn't follow the examples perfectly doesn't mean you shouldn't be learning something from it. IMHO the labs that follow 1to1 don't teach too much if there isn't a decent enough explanation as to why.
speaking of which, I'm struggling with Attacking Common Applications -> Attacking OSTicket. I've confirmed the vulnerability mentioned in the writing and I understand and have figured out how to leverage the technique they introduced. There must be something I'm not understanding because I'm not seeing a way forward. It occurs to me that this module is less of a "code" vulnerability and more of a vulnerability in logic, which is definitely a weak spot for me.
Feel free to dm me, I can provide more in-depth explanation, I just don't want to give out spoilers.
i'm assuming you logged in to the portal? (this is one of my least favorite ones, as the credentials were given in an example they labeled 'not real' or something like that)
at least I think that's the one
I remember trying those creds on the off chance they were valid and nothing landed on OSTicket for me....
<checking notes>
I don't think I tried it on those on anything else, though...
I'm going to try that now.
I'm going to go back and check myself on those, just to make sure that I've done it.
may I dm you a screenshot to verify?
I'm not at my notes right now to verify myself 😅
Hello i have a question regarding the "Gold Annual"
For the following since one of the features is "Exam voucher switching (applies to unused exam vouchers)" Can i change the HTB CJCA to any other exam voucher?
As far as I'm aware no, as it's not the same tier/cheaper than the other 2. but it's best to reach out to website support for confirmation
Need some help? Learn how to reach the support team on Academy.
Figured it out. Thank you! ❤️
could anyone help me with the NTLM relay attacks skill assessment? i have creds so from my understanding petitpotam should work. i do not understand why it only works the way the solutions describe by creating a computer account
Ill be at my computer in an hour to check my notes if you wanna dm to remind me to check.
okay dm'ing you in an hour, thank you
same problem. Any hints?
I figured it out. and the reason is honestly hilarious
just dm'ed you
Yup just a sec
the connection between my target and my attacker is rll slow like so slow it takes multiple seconds for a single ping! when i do an nmap scan it says host is down i can only scan with -Pn and the scan will take 3,5 hours
my pwnbox is on the lowest delay of 21 ms is there any fix ?
maybe try changing regions, but also depending on the type of scan it can take a long time
nothing in academy should take that long though, so you may be doing something wrong like the wrong kind of scan, or scanning ports that don't matter
but if i use ping (ip) i still got no response after 17236 ms
not all devices respond to pings; unless you're saying it replies after that long
it responded after that
it also helps to say what module you're working on so others can verify if it's the lab or just you
module/77/section/726
we don't have that stuff memorized
the numbers are borderline useless, it helps to provide the names
penetration tester getting started
should i change vpn region ? because it does not work in my vm and in the pwnbox
If you've launched the VPN at the same time as using the Pwnbox that is a problem. They share the same IP and it could be the cause of your problems.
Terminate everything, then re-start the target and pick only one. Yes changing regions can help.
ahh okay ill try that
i mean i can ping the target now but nmap -p- (ip) is still really slow 2 min elapsed 0.94% done
does it matter what protocol i have on the vpn ?
which section? do you really need to scan every single port?
Perform an Nmap scan of the target and identify the non-default port that the telnet service is running on.
the hint was use -p-
imma change regions and see if that helps
i do see a LOT of authenticate/decrypt packet error: packet HMAC authentication failed in the vpn logs
can you just name the section
service scanning
it probably won't take that long to get it, but yeah you're supposed to use -p- there. make sure you're not using unnecessary stuff like scripts.
im not but authenticate/decrypt packet error: packet HMAC authentication failed this keeps on popping up when i start the nmap scan
just skip this question ?
(in htb)
idk that sounds like an issue with the vpn connection
if you switch regions you have to re-download the VPN file for that region
killall -9 openvpn
re-download for your region, then try opening the vpn connection again
ohw killing it broke the file
hmm yea ive reactivated the vpn now on us server but still the scan is so slow
or not even working
it just says host is down
i was able to answer the SMB question
the normal nmap scan takes about 3 mins so is it the -p- that makes it take 3 hours ?
that makes it scan every port, but there are more factors such as if you're scanning udp, tcp, if you're running scripts, etc.
my command is nmap (ip) -p-
now it takes 38 mins
that seems more reasonable
ill just wait it out
tysm for ur help !
yeah it won't take that long, you should find the port much faster than that, just let it rip
np
hey guys I'm getting close to the end of the Wifi Pentesting Basics module, and I'm trying to connect to the WEP device, HackTheBox-WEP. But, I can't ping or wget or anything from the IP they tell me to get the flag from.
Nevermind. I forgot to run the dhclient command
I am doing The live engagement for Shells and Payload but there is no browsers in the RDPed machine besides tor which it says I can't use it because there is no internet
firefox in the terminal
thank you and lol that was very stupid .....
:)
also
for your future reference, look at the desktop :D
(this is unrelated to firefox)
oooo some creds
Seem the cheatsheet was wrong
what's wrong about the cheatsheet, also #1234357888114364508 to report errors
ah checked the docs. but yeah #1234357888114364508 is where you should post
If anyone has any hints for the LFI Skill Assessment I'm all ears, I've hit a brick wall trying to get any RCE.
can i get a nudge on the Type Filters module? ||I've successfully bypassed the filters and uploaded the file but for some reason I couldn't get the code to execute? it just displays the script as is ||
Please don't reveal content from modules above tier 0, like attack paths/vectors etc
Hi everyone ,
I’m stuck on the SSL/TLS Certificate Pinning Bypass lab and would appreciate guidance from anyone who has solved it, i have been trying for 2 days and tried all configurations/steps with no clue.
Section: Android Application Dynamic Analysis
Lab: SSL/TLS Certificate Pinning Bypass
Current problem: Burp still does NOT show any ChatApp traffic after rebuilt, re-signed, and reinstalled the modified APK multiple times
Verified Burp CA replacement and network_security_config.xml
Any help or nudge in the right direction would be greatly appreciated
Sounds like the file type youve gone with isnt being detected as scripts to be executed. Revisit the material and make sure it matches (or in some cases it may want you to try something different) it might talk about .php.jpg but instead .phtml.jpg is expected to work.
Im not near my notes to actually check but that may help
Hello, I'm working on the "Password Attacks" - "Credential Hunting in Network Shares" module, and I'm having some difficulty understanding why Snaffler is unable to pickup on the second set of credentials needed. I'm curious if I'm using it incorrectly, I've run .\snaffler.exe -s -o snaffler.log and .\snaffler.exe -s -i C:\ -o snafflerlocal.log and even pointed it directly at the folder the second set of credentials are in and it doesn't seem to find them even though it seems like it should. The file is a text document and has the word "Password" in it, which I would think would match. Any tips are appreciated. I am OK using other tools, but this one seems a bit stealthier considering you can turn off the network discovery and run it on the local file system.
in the Shells & Payloads i cant connect to the target I tried with both openvpn and The pwnbox I cant even ping it.
exactly in the Reverse Shells tab
HI all! I'm doing the "Intro to Threat Hunting & Hunting With Elastic" lab, and I'm stuck on a question for "Hunting for Stuxbot". It asks me for the process arguments for mimikatz, and I think I've found the correct arguments, but it's not accepting it. I suspect it may be a formatting problem.. Can anyone help me verify?
EDIT: UGH, got it. If anyone ends up reading this and running into the same thing, be mindful of commas
I’m currently working on the Login Brute Forcing module, specifically the Dictionary Attacks section, and I’ve run into something I don’t understand.
I was able to get the flag using the provided Python script, so I know the correct password and that the service is working.
However, when I try to replicate the same attack using ffuf (cuz it's just faster), it doesn’t work at all.
This approach did work for me in the previous section (Brute Force Attacks - PIN brute force), but for this dictionary attack it fails.
What I tried:
- Using ffuf with a POST request to /dictionary
- Filtering out responses that contain the incorrect password error message
- Various combinations of headers and filters
After ffuf didn’t return anything, I tried to manually reproduce the request with curl, but even that fails when using the correct password:
curl http://<IP>:<PORT>/dictionary -X POST -d "password=<REDACTED>" (also tried providing content-type for json and urlencoded)
So my questions are:
- Is the endpoint expecting some specific content type or body format I didnt test out?
- Is the python script sending the request differently?
Anyone for a nudge on footprinting Hard assessment.
Not able to figure out the starting point
did you also check UDP ports
Yep got that one. IDK why -sU -p- did not reveal that
Hello, I was trying to complete the Firewall and IDS/IPS Evasion – Hard Lab, but I got stuck there. I searched online for help and saw that many people managed to solve it thanks to hints. If there were no hints, how would I be able to find the port I need? The port is a xxxxx five-digit number and it does not appear when scanning all ports. When performing a “healthy” (safe) scan, it takes a very, very long time. Is there anyone who could help me with the appropriate command?
@hoary cloak
You kind of answered your own question
the "correct" scan would take a long long time
This is just the nature of IDS/IPS and how they can punish based on Time vs "Volume"
I am not sure, but I assume the "correct" scan would look something like this:
nmap -sS -p49152-65535 -T2 -f --source-port 53 -Pn -n
maybe it would need to be more granular, maybe even slower, maybe SYN scan is not enough. But that's a good starting seed I guess.
I thought I would obtain the answer by doing a slow and safe scan. It’s just that this is a lab, and I assumed it wouldn’t take an excessive amount of time to scan, so I wondered if there might be some additional method. Because finding the answer only through a hint doesn’t really make sense. Thank you.
Hi everyone! I'm trying to solve the questions section of "IMAP/POP3" footprinting section, but I'm stuck to connect to POP3 and IMAP services of the target machine.
I have executed "openssl s_client -connect 10.129.114.49:110 -starttls pop3 -msg" to connect to POP3 service but the server does not complete the TLS handshake, there is no server hello.
The same trying to connect to IMAP "openssl s_client -connect 10.129.114.49:143 -starttls imap -msg". I have encountered the same behaviour also on ports 995 and 993 - I'm using these commands : "openssl s_client -connect 10.129.114.49:995 -msg" "openssl s_client -connect 10.129.114.49:993 -msg".
Can you please help me to understand what is wrong ?
any1?
anyone can help pls ?
Anyone finish the ai red team path specifically the ai data attacks and the one after the application one. If so please feel free to dm me. Looking for some advice or tips. I’m more so stuck on the pickle module and the attack assessment.
Hello everyone
I'm trying to do kerberosting from linux module of penetration tester path
I used GetUserSpn.py module but it needs valid password to list available information but I can't see any cleartext password in lab guide itself
What am I doing wrong here?
could someone help me with https://academy.hackthebox.com/module/113/section/2139 thanks i cant find the MAP with -RW-- permissions ............. never mind i figured it out 🙂
You can grab it from the Credentialed Enumeration - from Linux section of the module.
You can DM if you are still not getting anywhere.
Thanks a lot
Can you give much more details
How can I exactly extract the password for SapServiceaccount?
Pretty sure the section covers that.
I've found that
I appreciate your help
https://academy.hackthebox.com/module/81/section/787
I've got a format issue with an answer. Specifically for question 1 on the page. It asks for both ports which I do have and know are correct as I double-checked on the solution, but I don't know in which way to format the two ports to submit.
Any ideas?
This module reuses creds, a lot. Always save credentials, never know when they'll come in handy
Format is
X Y
tyy
Ive seen a fair bit where if htb wants you to list, unless explicitly told otherwise, the format is
A B C ...
alrighty
If metasploit doesn't do it for you then yes do it yourself.
I've tried
and the hash metasploit give me is a fake hash kinda
it's 123456789abcdef
repeated
ok I got it
idk if I can say what I did to get the solution
but I changed something in the options of the metasploit I was using
Hello!
Please help me with the "Introduction to Windows Evasion Techniques" module. The lab where I can generate files is on the second page of the module. But the tasks are run in a different lab. Is this the intended behavior? So, I need to spawn one lab first, then generate the payload, then spawn the second lab and test the payload? And if there's something wrong with the payload, should I spawn the previous laboratory back?
this is intended
This is somehow complicated.. no?
The project I created is deleted after lab respawn. Should I recreate it for each test? Maybe there are two machines in the second lab? I could connect via ligolo without any problems. It's more logical
i mean the main bit is transferring files back and forth
File transfer is not a problem
I can't find EVASION-DEV in network
as in from the dev to your vm then from your vm to the victim
i haven't done the module myself and don't know if the module specifically tells you about the setup
You don't understand.
I can't run two labs at the same time, this https://academy.hackthebox.com/module/254/section/2826 and this https://academy.hackthebox.com/module/254/section/2827
I don't understand how I can simultaneously create a payload and test it to get a flag
It's a very strange situation... it seems like I just don't understand how to connect to the second virtual machine in the second lab.
spawn dev -> create payload
payload -> your attacker vm
spawn victim -> transfer payload
So, I have to launch each lab in each section one by one?
like i said, unless the module itself says otherwise in the reading, I guess
This doesn't make sense. Why not just create two labs in one network? It's just unrealistic to work like that...
/feedback
Got it! That was a whole lot more complex than I was expecting. A good challenge.
do you guys recommend using the parrotOS VM to do all the modules from HTB or should I use an own VM?
your own vm
this my module Spraying, Stuffing, and Defaults in Password Attacks i need help for Use the credentials provided to log into the target machine and retrieve the MySQL credentials. Submit them as the answer. (Format: <username>:<password>)
why? where are the benefits in using my own VM?
faster, unlimited time
Unlimited time i got already with the membership. Yes, the velocity is indeed a thing. But I assume that all tools needed to complete all things will already be installed and working flawlessly, no?
not sure, i used my own vm
it's just a much better experience imo
nothing wrong using the pwnbox though
I am asking because slowly I am noting some differences according to the tools. SELinux doesnt run on ParrotOS but one module is telling me to use SELinux. This is starting to confuse me. I am not sure if this is on me. I cannot believe that HTB has modules, which cannot run on ParrotOS (SELinux thing is optional though)
i never did that so idk
it's probably just showcasing it
not expecting you to use it on the attack box
regardless vm is better imo, like i said. but that's just my opinion.
I am doing the module linux fundamentals part network configuration and want to do the optional thing with apparmor. Can anyone recommend me here something super simple to try apparmor out? I need something that I can experiment with it and confirm it by my own. I am not very "pro" with services and stuff.
for the first step I thought i can create a file and try to remove the permissions for it, but for that, I do not need apparmor, I just use chmod. I think that is not the way to go... What service can I use, which I can easily execute and modify and test it with apparmor? any ideas?
ok, I think I will consider this. Since it can also be useful to have my own VM set up with the tooling needed
i am here i do Spraying, Stuffing, and Defaults in the module of passsword attack
one tool is mentioned for searching default credentials in the section
search for MySQL in the tool
and try to connect to the localhost MySQL service for checking valid credentials, you can easily find the connecting command by searching google or using any AI
okay i am gonna see thanks
well, that is too much for just a section, do you take notes
yeah i do a report like what i have do and not etc...
not report, the notes you take while learning the section and module
when i learn smth yeah i take note but not always its depend if the module its difficult for me or not
do you have advice for me
sometimes you might miss simple things, so it is always good to add simple things to your note, even if it simple tool or action
okay thanks i will do that now 😅 😂
great, good luck, don't hesitate ping me when you got stuck in password attacks module, i recently completed that one too
okay
Guys can someone help me with the second q in Pass the Certificate password attacks module bcz i think there is a problem with it
I am stuck on the last question of Attacking WordPress, i tried to edit the 404.php template but got an error "Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP." I tried also the wpdiscuz rce, but no luck. Can somebody please give me a hint?
Make sure your hosts file is accurate, that you have the IPs in the right spots within the attack chain, and can also try things with sudo or as root, just to rule that out. Most of the time attention to detail is the biggest reason this gives people problems, but sometimes there are other issues. Check those things and if you still have issues come back to this channel.
Hi! someone could give me a hint for Advanced XSS and CSRF Exploitation
Skills Assessment? I know where to inject but without any results trying to promote my user. Thanks in advance!!
May i DM someone, for help on the 'Password Attacks' Module? Been stuck for a while now >.<
more people tend to help when you ask your question directly
You can DM me
Hello everyone, can someone help me please, i don't know why i can't pass this question
I justed finished local file inclusion assessment that was hard i spent almost 5 hours
Hi Team, I am having a problem connecting to Target system: 94.237.50.128:30133, When trying to login from HTB provided PWN box: htb-qefs0klkws.htb-cloud.com:1 (htb-ac-2054659)
While logging with this command ( mysql -u root -h 94.237.50.128 -P 30133 -p) it Show error: ERROR 2013 (HY000): Lost connection to server at 'handshake: reading initial communication packet', system error: 11
Struggling from last 1hr to connect. How shall I fix this?
Problem is only when I try to spawn target mysql db in 'SQL injection' section of module: 'SQL injection fundamentals'.
the sql injection is on the website. so just visit the ip in your browser and it should work
Wow… I really just spent an hour on this for nothing 🙁
Thank you!!!
Dont worry happens to the best of us
@slate zinc all the symbols got replaced with this in the site
Hello ! i am currently at the pivoting and tunneling module and the RDP and Socks tunneling and i cant run the command regsvr32.exe SocksOverRDP-Plugin.dll because i have a error. i have also disabled the antivirus. Any ideas ?
whole website?
what os and browser do you have and do you have any extensions installed?
yeah even in my settings all the symbols in text got replaced with similar thing it was normal like few minutes ago then it became like this
@green flower
it got solved browser problem it seems everything is fine now
thanks for helping
Nevermind you had to open the cmd as admin
in server side attacks the identifying SSRF i cannot seem to get to the last step doing: Access the internal application to obtain the flag. (idk why but curl worked but via burp it did not)
okay i still have the problem. it does not matter whatever i send through burp it just gives me the standard page (even though i use the module supplied commands which give a different output when you look at the module photo's) (edit works in pwnbox but not on my own VM even when i add the domain to the /etc/hosts file. reinstalling vpn file has done nothing too. doing exact same request but only pwnbox give the right one) if anyone has a solution i would love to hear it
Hi,
I'm stuck on the module DACL Attacks II Skill assessment, Q2.
I think i have the path, but i'm struggling, I need a little help please 😢
dm
I've tested some of the payloads, and they do seem to work locally, but for some weird reason it just doesnt work on the target system even after taking into account the filters
are you installing the certificate (.cer) in de device correctly?
what does it said the "event log" in burp?
Module: ADCS i've issues with labs, routing it's right?
Did you check your /etc/hosts file as lab.local points to a 192.168.1.75 IP address
be mindful of sharing information from modules above tier 0; it's also recommended (if you're doing the CPTS course) to do it blind. As in not reading the material at all
i've solved with -ns... THX!
Hey i have a doubt in Attacking Common Services FTP module , in the lab environment they are asking us the port, is there any way to get the port of ftp instead of doing -p a full port scan which was taking like an hour, i just guessed the port in the lab but i want to know if there is any method to find port for a specific service or what is the right method to go about it???
the problem is that it doesn't reliably spin up, iirc the standard scan does check for common alt ports, so you shouldn't need to do -p-
but it also shouldn't take an hour
yaa that's what bothered me the most and guessed it outright
sometimes i just throw in -sT to force it to use TCP instead of SYN scan
That makes so much more sense
But also, it can depend on your connection
just expanding my search perimeter might help i'll try that. Thankyou.
while the tcp connection is generally recommended/preferred for your vpn, if you have an unstable connection - UDP will work better
thats fair, Thankyou, it cleared my doubts.
Module - Introduction to Windows Command Line section skill assessment
guys i am stuck here
i have logged in via ssh where is the flag ??
Its in the MOTD / banner ? Check the text that reads out when you SSHd in
i checked .ssh there is a long hash there
@digital pendant where is MOTD /BANNER ??
OHHHH
I FOUND IT HOMIE
THANK YOU 🙂
ah I see, apologies
yeah Im currently doing a semi-blind run, doing as far as I can until Im stuck, then referring to the walkthrough
i cant login to this machine
what is the password
Module - Introduction to Windows Command Line section skill assessment
""
or blank
can't ssh
found it guys
no problem
Password attacks for VHD is taking forever...
why are you applying such a large ruleset?
also helps to provide the module and section name so others might be able to help you better
this is what the module teaches. Module is Password Attack - Cracking Protected Archives
also the example doesn't use a ruleset
Im not using a ruleset
in the previous bit you used one
the upper one I did but then I Did it normally like the module suggested
ye gimme a sec
Still stuck on this, cannot get burp to work on my own vm but works on pwnbox. currently think its local antivirus on pc blocking it. could that be possible?
john might be able to find it faster; but you'll need to echo it into a file
alright I'll try it with john
hello, quick question, im doing cwes path right now and when i start zap and try to open their preconfigured browser im hit with this error
does anyone know what the reason could be?
i haven't checked the website they recommended in the error yet, will do now but just want to check if anyone else has this problem
nvm the faq helped me fix it
lol yep the docs are always to the rescue
i was scared it was my linux distro causing this problem lmao
Advanced SQL Injections - Skills Assessment
Anybody i can DM ?
Yesterday I asked if someone could help me with a question that I'm confused about, I was answered with a laughing emoticon. I don't think it's funny that I asked, if you want to block me it's ok, but I asked the question here because the support people directed me to ask for help here, so I'm asking you once again regarding the question, I've tried everything and the only answer is the same and I don't understand why it doesn't work. Thanks in advance.
It's funny because that's an error regarding permissions, not the contents of the file 😅
Ok I understand,thank you
Module - Introduction to Windows Command Line section skill assessment
i cant locate the flag.txt within thousands of flag.txt
how to get the output within flag ??
i am trying to use tree find findstr
they probably taught filtering, maybe it can be helpful

@coarse pine