#modules
I'm working on Web Fuzzing. No issues on that module.
What a shitty thing, it's just going down; I couldn't upload at all.
Somehow it worked at last lol
Sometimes Pwnbox is slow; sometimes it's best to use your own machine if you have the power. Or it could be the target, idk. Sometimes dealing with speed is just part of the process.
If that's splunk, use https instead of http
It ended btw, thanks for the suggestion, it will help me later.
Is anyone else experiencing this error in the API Attacks module?
Looks like the public instances are not responding.
I have an enterprise account with private instances, but I cannot spawn any machines on the NTLM Relay Attacks module. Is there an outage on the HTB servers?
Did you attempt to go to the Swagger UI that it mentions in the Swagger API User Interface paragraph (near the bottom of the Introduction to Lab section)?
My bad then hehe, thx.
All good, it's easy to miss.
Hello, I'm doing some modules and I have a doubt, not related to the modules themselves but more about why some attacks don't work properly if we don't pass all the parameters directly, like http://someip/reset.php?uid=52&token=e51a85fa-17ac-11ec-8e51-e78234eb7b0c&password=xxxxx.
I have tried with Burp to pass the parameters like this, but it never worked.
POST /reset.php HTTP/1.1
Host: 94.237.49.209:58900
Content-Length: 129
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://94.237.49.209:58900
Referer: http://94.237.49.209:58900/settings.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=prmls4umqft5eqpsm1p0q62qin; uid=52
Connection: keep-alive
uid=52&token=e51a8a14-17ac-11ec-8e67-a3c050fe0c26&password=xxxxxx
But then it worked like this.
GET /reset.php?uid=52&token=e51a85fa-17ac-11ec-8e51-e78234eb7b0c&password=xxxxx! HTTP/1.1
Host: 94.237.49.209:58900
Content-Length: 0
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://94.237.49.209:58900
Referer: http://94.237.49.209:58900/settings.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=prmls4umqft5eqpsm1p0q62qin; uid=52
Connection: keep-alive
Could someone explain why one works and the other doesn't, and a quick way of identifying this, if there is one, because I have lost a bit of time figuring this out. 😀
Well, the error was always saying "missing parameters", which could be the tip, but nonetheless I have tried other parameters about the user and always received the same error.
Thanks in advance.
I need help in one question "According to wikipedia.com snapshot taken on February 9, 2003, how many articles were they already working on in the English version? Answer with the number they state without any commas, e.g., 100000, not 100,000." somehow my answer is not correct. Anyone can help out?
what was the status code for the first one?
Hello guys, I'm at the Windows Services & Processes module and, to be honest, I cannot find the non-standard service. I tried to run Get-Service with status Running, but it only brings up standard services. Could anyone give me a hint?
Hi guys. Can anyone give me a hint on the skills assessment of the Injection Attacks module ;-; ? I have found the XPath injection point, but I can't guess what the XPath query might be in order to escape it with the correct syntax. Your help is crucial because I have been hard stuck on this for a whole week now 🙁
Hi Team, I'm doing the module Active Directory Enumeration & Attacks,
in Kerberoasting - from Linux.
I'm told to do a Kerberoast attack via GetUserSPNs, yet I don't have the password for forend???? Why? How am I supposed to get the password????
This is not OK!
I'm pretty sure that you've seen his password in past sections.
OK, but it should have been in the section!
It is the same environment, taking notes is crucial
Sometimes the environment changes, and there isn't much of an indicator to know when it does. I just find that it would be simpler to put it in the section itself instead of 'taking notes', but hey, that's just me.
Well the module is one of the biggest out there, so note taking is quite important
The very least for the exercises, so you can come back and revisit your path of exploitation
And, either replicate it in the future or find other methods to do the same
With POST: 200 OK - Access Denied
With GET: 200 OK - Missing Parameters
Request:
POST /reset.php HTTP/1.1
Host: 94.237.122.188:55919
Content-Length: 56
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://94.237.122.188:55919
Referer: http://94.237.122.188:55919/settings.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=30jehh0i2ll2ernt49fnomuclq; uid=52
Connection: keep-alive
uid=52&token=e51a8a14-17ac-11ec-8e67-a3c050fe0c26&password=xxxxxxx
Response:
HTTP/1.1 200 OK
Date: Thu, 21 Jan 2026 09:55:33 GMT
Server: Apache/2.4.41 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 13
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Access Denied
Request:
GET /reset.php HTTP/1.1
Host: 94.237.122.188:55919
Content-Length: 56
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://94.237.122.188:55919
Referer: http://94.237.122.188:55919/settings.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=30jehh0i2ll2ernt49fnomuclq; uid=52
Connection: keep-alive
uid=52&token=e51a8a14-17ac-11ec-8e67-a3c050fe0c26&password=xxxxxxx
Response:
HTTP/1.1 200 OK
Date: Thu, 21 Jan 2026 10:14:58 GMT
Server: Apache/2.4.41 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 18
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Missing parameters
I thought you were getting 405 for the POST. Looks strange to me. Maybe it's hardcoded that way.
I didn't notice xd, but I solved it, ty.
Can somebody help me with the NTLM Relay Attacks skills assessment, Question 3? I finished Q2 and downloaded ||ShareSQL.zip|| but cannot decrypt it (the cleartext password isn't working). I have an SMB session as DOB, but cannot find the attack path...
I'm not really sure what the next step was, but have you tried rockyou on the zip file?
did you type it in correctly?
copy and paste from the log
dm what you tried
Stupid mistake - got it now, thx!
Hi, can someone help me clarify something regarding one piece of the taught content in the Web Attacks module? I'm on the Advanced File Disclosure section and can't seem to find any documentation or source that agrees with the following content:
"After that, if we reference the &joined; entity, it should contain our escaped data. However, this will not work, since XML prevents joining internal and external entities, so we will have to find a better way to do so."
The mentioned payload for some more context is
<!DOCTYPE email [
<!ENTITY begin "<![CDATA[">
<!ENTITY file SYSTEM "file:///var/www/html/submitDetails.php">
<!ENTITY end "]]>">
<!ENTITY joined "&begin;&file;&end;">
]>
OK, I think I figured it out in the w3.org documentation. I don't know if it's relevant to keep the message there, but here is the given explanation if anyone is curious to know:
Validity constraint: Proper Declaration/PE Nesting
Parameter-entity replacement text MUST be properly nested with markup declarations. That is to say, if either the first character or the last character of a markup declaration (markupdecl above) is contained in the replacement text for a parameter-entity reference, both MUST be contained in the same replacement text.
Well-formedness constraint: PEs in Internal Subset
In the internal DTD subset, parameter-entity references MUST NOT occur within markup declarations; they may occur where markup declarations can occur. (This does not apply to references that occur in external parameter entities or to the external subset.)
https://www.w3.org/TR/xml/#sec-cdata-sect:~:text=element.-,Validity,subset.)
I have some trouble with the Password Attacks module, specifically the "Pass the Ticket (PtT) from Linux" section.
Has anyone done the last two optional tasks successfully?
Yes, that is the reason why I'm asking, because even when you do it normally those parameters don't appear directly in the browser or in the Burp request like http://someIP:PORT/reset.php?parameters.
We have to pass them manually with this format: /reset.php?parameters
Or it is, like you said, something hardcoded in the code.
Hopefully someone can explain.
Thanks for your input.
Have you tried in Burp Suite to scan with Param Miner to guess query parameters? The purpose could be, for example, that in normal cases some parameters are not disclosed because they are only supposed to work from, e.g., an admin view.
I think the answer for ||"Based on the contents of test000002.ptr.err, which line of the intermediate language (IL) file assembly.ll does the vulnerability appear on? Provide only an integer, eg 123."|| in "Introduction to Binary Fuzzing" is incorrect. Can someone help me please?
You can DM if you are still having trouble with this, but I am going to delete the screenshots because of the content being above Tier 0.
@gray yacht apologies.
It's all good.
Doing the Intro to Digital Forensics module, I am stuck trying to pull the correct data from Velociraptor. Does this look correct? I am not getting the 'scheduled task'. Thanks.
About: Attacking AI - Application and System module assessment.
I did the enumeration of the MCP, calling resources and tooling, browsing for vulns, but I got nothing.
I had a look at the solution (yeah, it is bad). However, nope! I do not have the vulnerability. I cannot exploit anything.
I restarted the box and so on; nothing.
Has anyone else had that kind of issue?
Is this the skills assessment? I'm just starting it, so I can't help haha.
Hey, are there any modules that are intros to Docker and Kubernetes? And have labs?
No, there are no modules specific to those.
Ok thank you. Do you by any chance know any sources that may have labs on this?
Google; it all depends on what exactly you want out of it
I believe k8s has its own set of courses and even certifications.
Ok thanks
Hi. I would like to make use of your help on the CrackMapExec assessment. I am stuck on question 3. The password "We****1" I got from the database does not match any user I got from the RID brute force or the user enumeration with the Atul account, nor the new users found as jas. Can you help me figure out where I went wrong?
Information Gathering - Web Edition > Virtual Hosts
I did successfully fuzz vhosts to answer questions 2-5, but question number 1, the vhost prefixed with 'web', I cannot answer. I tried multiple wordlists, including subdomains-top1million-110000.txt, but there seems to be no vhost starting with 'web' on the target machine 🙁 Any hints?
Maybe try more things with what you identified in that database.
I tried brute-forcing with all the possible protocols. Just a hint to put me in the right direction; I don't know what to try again.
That was a hint, lol.
You can DM.
Hi, I'm facing a minor bug in the API Attacks module, in the Security Configuration section. I was following the steps, and when I make a request with the SQL injection as per the example I get a "TypeError: NetworkError when attempting to fetch resource". I switched to another computer and tried it there and it worked. Does anyone have any clue why this happens?
Hey, I am doing the Pass the Certificate section of the Password Attacks module, but I am blocked at this: **What are the contents of flag.txt on Administrator's desktop?**
On the hard skills assessment for Attacking Common Services, why is it that nmap doesn't detect MSSQL running on the target?
Hey guys, so I was doing the Broken Authentication skills assessment and for some reason ffuf just wasn't working. When I saw a write-up and figured out the correct extension, I literally tested that in ffuf and it also didn't work, yet when I use curl with the same extension it works fine. I did use -request-proto http, fyi, and it still didn't work. Any idea why, as it really annoyed me? I've got a picture to give an idea if anyone could help.
Because it's running internally, from what I recall.
hello there,
Quick question on the module Attacking Common Applications - PRTG Network Monitor.
I kind of obtained a reverse shell, but idk why I can't interact with it (cannot execute any commands).
Any idea what could have gone wrong? (Not providing the PS payload for the reverse shell, just in case it's too much of a spoiler.)
Likely the output isn't being sent to the stream.
Any idea how to do it correctly?
I mean, the section is telling us to try to obtain a reverse shell, so I assume it is possible, right?
Didn't quite get you.
It's possible, I'm just saying something likely went wrong with your payload.
As in, it's not visible and running from the outside.
Yeah... got it now.
Thanks, I wanted to give up and just use WinRM haha.
I can't RDP.
Dynamic Port Forwarding with SSH and SOCKS Tunneling
Second question on the exercise:
proxychains xfreerdp3 /v:172.16.5.19 /u:victor /p:'pass@123'
Quick question on the AD Enumeration & Attacks module... Is Dehashed not a paid service?
Yeah, I'm pretty sure it is.
Pivoting, tunneling and port forwarding module -> RDP and SOCKS Tunneling with SocksOverRDP
Trying to load the DLL file using regsvr32.exe, but I keep getting an error. I am pretty sure my DLL file exists, and right after this error the DLL file disappears; I don't know why though. Has anyone faced the same error?
Defender quarantined the file.
Disable Defender or add an exclusion.
Alright, thank you.
It looks like antivirus protection is off, but I can still see the quarantined SocksOverRDP file in the history.
Never mind, real-time protection was on.
Yeah, RTP is a pain in the ass LOL. I'm at least glad that Windows made it run even if you disable Defender itself.
kerberos-1.mit.edu
Perhaps your krb5.conf file is broken 😉
Yeah, I was wondering where the fuck my file went; Defender didn't even notify me about it, so I was kind of shocked.
Yeah, RTP doesn't generally notify you.
It just disappears.
Only if Defender quarantines it.
That's how you get disappearing notes.
Used local port forwarding for now.
"What IP address is used on the attack host to ensure the handler is listening on all IP addresses assigned to the host? (Format: x.x.x.x)"
This question is on remote port forwarding.
I couldn't understand why we set LHOST to 0.0.0.0 in the msf handler.
LHOST - listening host; 0.0.0.0 is the wildcard for all interfaces.
So it's listening on localhost, tun0, whatever your default adapter is.
You can set the LHOST to tun0.
When you use port forwarding or tunneling, the DNS resolution is performed by the pivot machine, I guess, so in normal connections your krb5.conf file does not matter, but when pivoting through machines it matters. That is how I understood it.
And that is generally going to be preferred.
It depends; the main thing is being domain-joined, since Kerberos is really only used in AD.
pivoting, tunneling, and port forwarding -> RDP and SOCKS Tunneling with SocksOverRDP
For anyone who is facing this issue: it is just an access denied error. Use Administrator to load the DLL file. I wonder why it can't just say "access denied" instead of some fancy shit.
How should I fix this btw?
File corrupted maybe.
Right, the pivot machine wasn't joined to the domain in the lab, I think; that is why it didn't work, you mean.
But it worked with Administrator.
Also, searching the error just said access denied, so.
I don't recall needing Kerberos at all for this.
I also thought it was a DNS error because it kept giving "DNS resolution failed" in the pivot machine shell.
A DNS error would likely be because of the whole krb.mit.edu thing 😅
I don't know how to demonstrate configuring krb5.conf in text, but you can search for how to configure it.
It worked for me after configuring it, though.
Dude, it's from the same module you're on, an earlier section even.
I know, I am saying what I can remember and what worked for me. Sometimes I trust AI too much, I guess, but the krb5.conf really fixed the issue for me.
But I can state for a fact that configuring krb5 isn't required.
Maybe it was one of the solutions, I guess.
Because it shouldn't need to interact with it.
After I finish my dinner, can either of you get on a quick call and help me with the RDP connection for dynamic port forwarding lel?
You can still try my option though, it won't take long.
Just did a fresh spawn.
And it worked just fine.
ssh -D 9050 ubuntu@targetIP -> proxychains xfreerdp /v:172.16.5.19 /u:victor /p:'pass@123'; works exactly as intended.
Do you still use xfreerdp instead of xfreerdp3?
xfreerdp3 isn't installed on Pwnbox, and I'm getting ready for bed.
Alright, sleep well.
Did it work with a fresh target?
Ah, still having dinner... I will get back to you.
Alright, take your time.
@mods this looks like a scam, so.
I'm in the Linux Privilege Escalation module.
"Enumerate the Linux environment and look for interesting files that might contain sensitive data. Submit the flag as the answer."
After spawning the shell via ncdu, I'm not able to find the flag?
Maybe try configuring krb5.conf; if that does not work, then I don't know any other options.
Hmm.
Yeah, idk if I should make changes for now... I'll see what happens in the next few sections, then decide.
I think there is a section where they teach how to change this configuration.
Also, you can try Pwnbox for this.
Look for the custom DNS server version! 😏
Guide to ask a great question: #modules message
Thx for your help
Are there any plans in the future for modules discussing source code auditing, SSDLC, CI/CD pipelines, assessing software design and the like?
Future content plans, especially for Academy, aren't released, for a variety of reasons.
I'm currently doing the Intermediate Network Traffic Analysis Module, where the author shared this wireshark display filter to find failed authentications:
(wlan.bssid == F8:14:FE:4D:E6:F1) and (wlan.fc.type == 00) and (wlan.fc.type_subtype == 0) or (wlan.fc.type_subtype == 1) or (wlan.fc.type_subtype == 11)
The problem I see with it is that it filters for Association Requests (0) received by the specified AP (F8:14:FE:4D:E6:F1), but filters for Association Responses (1) and Authentication (11) from any and all APs in the vicinity.
I believe this is an error that is present due to operator precedence, which can be simply solved by using parentheses like this:
(wlan.bssid == F8:14:FE:4D:E6:F1) and (wlan.fc.type_subtype == 0 or wlan.fc.type_subtype == 1 or wlan.fc.type_subtype == 11)
Now only the 802.11 management frames for the specified BSSID will be filtered.
Am I correct? Or did I misunderstand what the author's intention with the filter was in the first place?
Yes, it is the skills assessment...
In the Windows Server 2008 / Windows privilege escalation section, I only get the Task Scheduler to work. Of that Sherlock report ("maybe vulnerable"), I tried the logon2 one that was reported as maybe vulnerable; I get it to report a spawned SYSTEM shell, but it can't spawn a reverse shell, so maybe I'm just doing something wrong.
Need help, might lose my streak if I can't figure out why this keeps happening. I have my Bitdefender turned off (it and Kali don't like each other) as well as my NordVPN (since I am using the Academy VPN). I am working on DNS Zone Transfer and every time I do the dig request, I get this:
dig axfr @10.129.4.44 inlanefreight.htb
;; Connection to 10.129.4.44#53(10.129.4.44) for inlanefreight.htb failed: host unreachable.
;; no servers could be reached
;; Connection to 10.129.4.44#53(10.129.4.44) for inlanefreight.htb failed: host unreachable.
;; no servers could be reached
;; Connection to 10.129.4.44#53(10.129.4.44) for inlanefreight.htb failed: host unreachable.
;; no servers could be reached
Any ideas why? I use Kali, not Parrot; my Bitdefender and NordVPN are paused. I have no clue and I really don't want to lose my streak. Any help will be great, and you may DM me. Please no answers, just some ideas and help.
Try without the domain name.
Hello, I need help.
Firewall and IDS/IPS Evasion - Hard Lab
With our second test's help, our client was able to gain new insights and sent one of its administrators to a training course for IDS/IPS systems. As our client told us, the training would last one week. Now the administrator has taken all the necessary precautions and wants us to test this again because specific services must be changed, and the communication for the provided software had to be modified.
(champadm㉿SRVKALI)-[~]
└─$ nmap -sT -Pn -n -sV --version-intensity 2 --max-retries 1 --scan-delay 3s -p 22,80 10.129.4.227
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-23 11:20 CET
Stats: 0:00:12 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 11:20 (0:00:06 remaining)
Stats: 0:00:17 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 11:20 (0:00:11 remaining)
Nmap scan report for 10.129.4.227
Host is up (0.076s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.94 seconds
Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.
Ubuntu 4ubuntu0.7
Submit
The answer you provided is incorrect
Can anyone help with the target?
Well, that ain't a service, that's an OS...
Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.
OpenSSH 7.6p1
Submit
The answer you provided is incorrect
Sorry, I'm new at HTB.
OpenSSH 7.6
Submit
The answer you provided is incorrect
Apache httpd2.4.29
Submit
The answer you provided is incorrect
Apache 2.4.29
Submit
The answer you provided is incorrect
“a service that plays a vital role … because they require large amounts of data”
SSH PROTOCOL 2.0
Submit
The answer you provided is incorrect
Hey guys! So I am currently stuck on a question in Linux Fundamentals: "Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths (https://www.inlanefreight.com/directory" or "/another/directory") of that domain. Submit the number of these paths as the answer." My current answer is 7, although I am pretty sure this is supposed to be right. I used the commands 1. curl https://www.inlanefreight.com | grep "https://www.inlanefreight.com/\"\|https://www.inlanefreight.com/'" | tr " " "\n" > inlane.txt and 2. cat inlane.txt | grep "\"https://www.inlanefreight.com/\"\|'https://www.inlanefreight.com/'" | wc -l . And I am not sure what I am doing wrong.
SOLVED
Thanks!
It's been asked so many times, so just check the pinned messages.
I haven't done that because the parameters being used are the same, without tampering with them; meaning, if I try to change the password of the user that is logged in with the correct cookie, the parameters work without putting them directly after the POST verb, meaning:
POST /reset.php HTTP/1.1
Host: 94.237.122.188:55919
Content-Length: 56
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://94.237.122.188:55919
Referer: http://94.237.122.188:55919/settings.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=30jehh0i2ll2ernt49fnomuclq; uid=74
Connection: keep-alive
uid=74&token=e51a8a14-17ac-11ec-8e67-a3c050fe0c26&password=xxxxxx
If you don't tamper with it, it gives 200 OK without any error messages, but if you try to tamper with the user id, let's say uid=110, you will receive the error messages from my previous posts.
Now, if you use the correct verb to be able to change the password of the uid, the only way I found was to do it like this in Burp or directly in the browser: /reset.php?uid=74&token=e51a8a14-17ac-11ec-8e67-a3c050fe0c26&password=xxxxxx
This is the reason I'm struggling to understand it.
Might just be because of the code: instead of using $_REQUEST it might just be using $_GET, which doesn't get POST parameters.
e.g. if I write the following reverse shell:
<?php system($_GET["cmd"])?>
it only works with:
GET /shell.php?cmd=id
but not:
POST /shell.php
...
cmd=id
I try to think of GET/POST/DELETE as different endpoints that can have implementation flaws you must test.
If it's the same file, it's the same endpoint.
Well, in a way they are the same endpoint, but from the output they are different.
They're just triggering different parts of the code.
So in QA you would need to run different test cases to prove the code does the same stuff regardless of whether it is a POST or a GET, since it should just reset a password.
Well, not exactly, since you don't really want the user to control which request methods are being used.
Also, usually POST requests are the standard, since with GET requests you could theoretically just send a person a link to reset their password.
Well, since the design was to allow both GET and POST, and you expose them, they should do the same stuff.
hi
Well, you could have a page like upload.php where the default behavior for GET requests is just to display the upload page, but the default behavior for POST requests could be to upload the file. You have a valid reason to use both request methods on the same endpoint but ensure different functionality and isolation between the functionalities.
Well, they are built to test our ability to find flaws, so in this case we should find some discrepancy in some way, and it teaches us to be innovative.
Well yeah, the discrepancy with that endpoint that he pointed out was that it only accepted parameters from the GET request.
The examples are vulnerable on purpose, but could be flawed in a way that isn't intended.
Oh nvm, it worked after some retries.
Other times it is simple, because they forgot to incorporate some middleware that should have ensured authentication.
I wonder if someone might be able to give me some guidance. I'm working through "Cracking Miscellaneous Files and Hashes"; there is a .7z to download. I've tried installing john multiple times, as well as resetting the box, but I can never find the 7z2john.py module. I know it's supposed to be at /opt/7z2john.py on the Pwnbox, but it doesn't exist, and using locate and find turns nothing up either. Is anyone able to give some guidance on this, please?
Well, that's the difficulty of building CTF vulnerable stuff: people sometimes find another way to solve it.
Once you install john on Kali, it should be installed as 7z2john.
Otherwise, just download it from GitHub.
Thank you very much
I have a question in the module "Windows Privilege Escalation" > "Server Operators". How can one identify that this "AppReadiness" service is vulnerable, out of all the services running on that machine?
Nice.
Generally, though, I believe the reading walks you through finding things.
In "Windows Privilege Escalation" > "User Account Control", I wasn't able to produce the result desired from the section's lesson. Funnily enough, the solution guide just outright gives the "flag.txt" as the answer. Seems like whoever created this section gave up and provided the flag instead 🤦♂️
I think you can leave it in #1234357888114364508; hopefully they will fix it.
The walkthroughs always provide answers, it's known.
I don't get it.
I'm just referring to the latter half of your message, that the flags/answers are in the annual walkthroughs.
I've brought it up before.
Yeah, there's the answer... but the walkthrough just gives the flag.txt without the steps on how to get it.
Ahhh, OK, then #1234357888114364508 for that bit. I misunderstood what you meant.
To me, I find it extremely frustrating for someone exerting effort to understand the lesson, then you finally decide to hit the "show solution" button but find out you're not getting any... lols 😢
Yeah, I def get that.
I'm reviewing the Windows File Transfer Methods section of the File Transfers module. On the 2nd exercise, we have to upload a file to the target and do some stuff. I decided to try uploading it by firing up a WebDAV server on my Kali VM and grabbing it from there. But, following the example provided in the module, I cannot access the share from the terminal (not even dir or mounting the share). I can access it via the browser, but I want to know if there's a reason I can't via the terminal.
I've done a bit of research and set up HTTPS to be used for the share and tried a few different options, but I can't get it to work as shown in the module. Is it a security measure blocking my attempts, or something else?
Are you using something like this:
dir \\192.168.49.128\DavWWWRoot
@worldly tapir @worldly tapir @worldly tapir @worldly tapir @worldly tapir
Is there a reason for you pinging another user like this? Because behavior like this generally isn't tolerated.
Yes.
Need him to come online, we've got a bit of a deadline; sorry, didn't know this was not allowed.
This is a little info from my notes; maybe try to connect to your share directly:
Info: DavWWWRoot is a special keyword recognized by the Windows Shell. No such folder exists on your WebDAV server. The DavWWWRoot keyword tells the Mini-Redirector driver, which handles WebDAV requests, that you are connecting to the root of the WebDAV server.
You can avoid using this keyword if you specify a folder that exists on your server when connecting to the server. For example: \\192.168.49.128\sharefolder
I was doing an Nmap scan on a target and got these results. It's not accepting any of the OS answers I provide.
Here is the result:
Aggressive OS guesses: Linux 4.15 - 5.19 (98%), Linux 3.2 - 4.14 (96%), Linux 5.0 - 5.14 (95%), Linux 4.15 (95%), Linux 6.0 (95%), Linux 2.6.32 - 3.10 (95%), OpenWrt 21.02 (Linux 5.4) (94%), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) (94%), Linux 2.6.32 (93%), Linux 5.10 - 5.15 (93%)
No exact OS matches for host (test conditions non-ideal).
Yeah yeah, that's the text from the module. I tried a bunch of different ways and can't connect via the terminal. Only the browser.
Maybe check the forums on that section.
Did that too... no one seems to have tried or complained about this method.
@fathom pendant how can I continue on HTB if some boxes are unreachable? I tried to use a different server, kill VPN sessions, refresh, download a new OVPN key, start the target, and it's still unreachable.
I am on the HTB Academy pentest path.
Did you manage to figure out the issue?
I will try that method and notify you on that later
Appreciated!
In order to find a config file created after 2020-03-03, smaller than 28k but larger than 25k, I ran this command: find / -type f -name "*.conf" -size -28k -size +25k -newermt 2020-03-03 -exec ls -al {} \; but I kept getting hit with output like "find: '/run/cryptsetup': Permission denied" for everything. I attempted running it with sudo, but htb-student (the user I am) is not part of the sudoers group. Some help? I'm doing the Linux Fundamentals module.
The permission denied error is irrelevant. Not all configuration files end in .conf.
- Add 2> /dev/null; this will throw errors into the void.
- Make sure you're running it on the target system.
Thanks for the help
you aren't going to be required to be root to perform the task
it exists in a place readable by your user
guys, is it normal that almost all of the sections in a module give 0 cubes? Isn't it supposed to give the cubes under the module when we buy it?
i cannot escalate privileges with administrator in powershell
Not all questions give cubes, you'll receive the 20% cubes as/when you complete a module. I believe the beta view demonstrates the cube amount better
thx!!
I don't have port listening in python 3 🙁
guys, is there another way to find the cmdlet for a specific .exe? i found it with findstr, but i think that isn't the "correct" way in the context
Findstr is a windows executable, under powershell it's an alias for "select-string"
i got it now, i misunderstood the concept, thx
so, in the section it says that we could find the alias of a cmdlet using Get-Alias; in the question there is an executable, how am i supposed to get the cmdlet from a .exe without using findstr?
You can probably get help if you provide a bit more detail, not having a port listening in python is a bit vague. What exactly are you trying to do?
I’m on the SOC Path and I need the access “TheHive” to answer a question. The instructions state navigate to http://TARGET_IP:9000
but when I put this into the browser I get nothing. Also am I using the IP of my PwnBox because I don’t have a target specified. Any help would be greatly appreciated. Thank you in advance.
hi folks. For Bypassing Wi-Fi Captive Portals: Client Hijacking through Malware Portal
anyone managed to complete the 1st question to grab the flag.txt? My reverse shell never connected back to me.
Apache logs show 200 OK - so it does manage to grab my ELF file, but no reverse shell established
a lot of times with powershell aliases are just the common name of an executable; if you want to use the executable you have to specify .exe at the end
random question guys . Is someone allowed to share the solution for skills assessment of a module ??
No it is not allowed if it is above tier 0
unfortunately, it didn't work in my case too, i think there has been some changes to this project since the module is pretty old
sorry for late reply
No rush, thanks for taking the time to try it out
I figured things have changed. If I have some time some day I'll try it out with my windows vm. I have an idea that it's due to some default security config 🤷‍♂️
it isn't worth the time i guess, we already have faster and better options out here we can use
Password attack ?
password attacks module will give cubes
according to the measured tier
I’m having trouble too. "curl https://www.inlanefreight.com/" (or using its IP) does not work at all on my Pwnbox.
PRTG Network Monitor: can't get code execution to work i think
AEN - Exploitation & Privilege Escalation Section
I found the credentials, but can't even log in on the website because it's not loading after clicking "Log in". My Ligolo Tunnel is also crashing all the time when doing this.
Did I miss something or is it the machine?
iirc, the free version of PwnBox does not have internet access. Use your own VM instead.
can someone help me. It's from PRTG Network Monitor module
Not many no
what do you mean
In my module not all exercises give you cubes, like just 2 or 3 questions
Others give you 0
yeah but modules of the same tier give the same amount of cubes, even though the sections give different amounts, the total number of cubes is the same
When I try to log in it crashes the tunnel
Great
sql injection fundamentals
section database enumeration
i can't seem to find the users table i need for the question
Module : Intermediate Network Traffic Analysis
Section : IP Source & Destination Spoofing Attacks
The author says : The Source IP Address should always be from our subnet - If we notice that an incoming packet has an IP source from outside of our local area network, this can be an indicator of packet crafting.
This doesn't make sense to me. An incoming packet will always have an IP source from outside of the network, well because it has arrived from outside.
Or is the author exclusively talking about LAN networks, where devices outside network are not supposed to talk to devices inside network?
There's likely context surrounding that paragraph that places it; but yes LAN
This is the entire context:
There are many cases where we might see irregular traffic for IPv4 and IPv6 packets. In many such cases, this might be done through the source and destination IP fields. We should always consider the following when analyzing these fields for our traffic analysis efforts.
- The Source IP Address should always be from our subnet - If we notice that an incoming packet has an IP source from outside of our local area network, this can be an indicator of packet crafting.
- The Source IP for outgoing traffic should always be from our subnet - If the source IP is from a different IP range than our own local area network, this can be an indicator of malicious traffic that is originating from inside our network.
Actually both points do not make sense at first glance.
Point 1 makes sense in case of LAN, as source and destination IPs need to belong to the network. But how come the source IP being from outside the network implies "packet crafting"?
Point 2 makes no sense to me at all.
Point 2 - this is saying that source ip should be from local network
Local -> NAT -> outside world
I.e. if the source is 192.168, but your network is 10.0 then it's crafted. Simple as that
The expected traffic should follow the expected subnet
can you help me too?
But by default any outgoing traffic (whether organic or tampered/malicious) will have the source IP of the host that belongs to the network.
I can't imagine a situation where the attacker will make a (dumb) effort to change the source IP to an IP that doesn't belong to the subnet.
EDIT - The attacker would craft packets with an external Source IP on a LAN to go undetected. Eg: A SOC analyst filters based on subnet 10.0.0.0/24 but the tampered source ip is 1.1.1.1. As a result, the malicious packets are invisible to the analyst
Page #s are useless, just say the section name
database enumeration
ey guys I need your help. I'm on the pentest nutshell module and I cannot listen on a port with powershell and I don't know why. I'm completely stuck. 🙁 pls
🙁
if you try your obfuscated command in your own terminal you may get an answer about where it is malformed
what is the point of hiding the IP?
the virtual Machine
what virtual machine
alright
pls I need help
access is denied
Try placing the file somewhere like temp, or a place the user can write to
Reading the error explains the error
C:/users/ is like /home/ you generally can't just write there
The problem is that when I run the script on John's account, I don't have permission to do so. I can only access it as John or as a guest.
Winpeas.ps1 doesn't exist... you executed it in memory and saved the output to winpeas.txt...
You're running Invoke-Expression (IEX) to run it directly from the net object
Your own dir command shows it's not there
winpeas.ps1 was executed, you saved the output to winpeas.txt
That file exists...
Will it be another route?
For the Introduction to Sliver module:
Did anyone else experience regular session timeouts while on their own VM/ connecting via VPN?
I've never before experienced any connectivity issues in any capacity, but don't want to blame it on the module environment either.
Read winpeas.txt that's right there
okey
@cobalt quest spoilers do nothing; short answer is just enumeration
wow great, connected through rdp https://academy.hackthebox.com/module/24/section/161 and mounted a folder with some notes and boom threat detected, maybe it would be fricking good to warn that defender is turned on
Generally assume defender is on until you confirm otherwise
it would be great if i could become administrator to get my files back..
this is the real test to become administrator 😉
Take it as a lesson learned to not mount important files
You added a " at the end there... that's why it broke
But for the backupprep it says exactly; your user doesn't have the access to view the c:\healthcheck.log
exactly but i don't know why
Because your user isn't part of the access group(s) for it
but how can i do that?
Why do you need to run that script?
to do the next exercise
Question about ACL enumeration
Using the skills learned in this section, enumerate the ActiveDirectoryRights that the user forend has over the user dpayne (Dagmar Payne).
Why am I unable to see/search the user forend in bloodhound by name? If I search by his SID in bloodhound I am able to find him. Just trying to understand why this happens. Used -c all with sharphound version 2.7.2
Is this a place to get help for any academy modules? prob a dumb question but I thought I'd ask anyway.
yes
thanks 👍
I have a question for Attacking FTP. I've been scanning the target with different nmap scans and I'm not getting any open FTP ports.
Try scanning all the ports
I have. still no FTP. Tried running --min-rate 1000 for a faster scan and nothing. Also tried running the scan without min-rate but the estimated time for the scan to finish is up to 3 hrs.
Best to mention the module/section/question you're stuck on so there's more context. Otherwise a port scan should show the FTP server if there is one. Maybe check your network stuff, make sure you can reach the target, don't have VPN + Pwnbox on at the same time, etc.
I haven't tried using Pwnbox instead of my vm. I'll try that instead in case it's a netconfig issue on my end. for clarification it's https://academy.hackthebox.com/module/116/section/1165
You should be able to find it with a scan, it shouldn't take too long at all. Make sure you're using the right arguments.
will do. thanks for the quick reply.
Tried the scan via pwnbox and got the same results. I decided to change the VPN server location and try again that way. I now see the open FTP port. VPN was set to EU.
i cannot get the file winpill onto the target windows 🙁
i've already spent four days on that oh my god xD
Thanks Marcielere for all
Hey anybody run into all users from user2 ranging to user10 in the Skills Assessment for "Introduction to Windows Command Line" lacking a password? If you wanted to ask a person to acquire them... why not explicitly say so instead of assuming
the password will always be the answer to the previous question
Thank you, I tried that a few times just going to metaphorically slam my head against it until either it drives me insane so I meet the definition or It solves itself.. hopefully it solves itself
as a protip always use single quotes for wrapping passwords
Hi, I am not able to connect to the windows fundamentals ip address, I've tried changing my vpn from EU to US and from udp to tcp, tried changing my mtu but nothing has worked please help me
I couldn't understand the socat bind shell at all, like how is the redirection happening
I did understand the socat reverse shell. Pivoting, Tunneling, and Port Forwarding module
it works just like any other port forwarding technique, but you are just using it directly on the pivot machine
SOCAT takes in 2 arguments where the first one is always an input and the second one is always an output.
$ socat tcp-listen:12345,reuseaddr,fork exec:/bin/sh,pty,stderr,setsid,sigint,sane
# |-------------input-----------| |-----------------output-----------------|
so essentially it's listening on a port, when it receives a connection it makes sure the port is reusable and the connection is forked. It then sends whatever we put into that connection into /bin/sh passing pty, stderr, setsid, sigint, and calling sane on the stty back through the connection.
Hi guys, is the RDP having issues? it keeps ending the connection when I try to use it
I am on the windows event logs module on the SOC analyst path. Is it okay if I skip this module for now and go to the next module and come back to it again later in the future? (are the modules dependent on the ones prior?)
it is working fine for me with TCP VPN
okay thanks, I may try that. but is it okay if I skip this particular module for the time being?
modules are usually related to each other in paths, but if you believe you have a good understanding of a concept, you can skip it for now
okay thanks I'll just try to finish it off for now I guess 😅 it's just stressing me out with the rdp
Any help please? I am trying to use sysmon on the rdp (for windows event logs and finding evil module)
managed to execute the dll hijack as shown in the module, however it's not showing in the filtered logs in event viewer?
Hi everyone, I'm studying AD enumeration and attacks. I'm struggling to understand and identify the main attack vectors. Would anyone like to work through a live box together?
Hey, I'm on the module: KERBEROS ATTACKS - Unconstrained Delegation - Users
I've got some issues with the final part can I dm someone ?
You can send a DM.
Hello, can someone help me with a reverse shell without vpn ? The system cant connect to my listener
Wdym without vpn?
Any target that is public won't be able to connect to your system. Reverse shells are out of scope for those
Heyy guys ..I'm back for another statement ..ummm..did anyone feel like the answer for the IPS/IDS Evasion - Hard Lab didn't add up or didn't make sense? ..or is it just me ..if it is ..can someone explain it to me privately
It makes sense to me. I can pull up my notes in a sec but it makes plenty of sense, especially if you refer to the reading
Hi, struggling on the LLM Output attacks Skills Assessment for some time.
What I've done so far:
SQL injection but nothing leads to sensitive/useful information.
Jailbreak as DAN but only limited to function request.
Can someone give some nudge?
Hi man @lean bronze , can I dm you for some nudge in LLM Output attack skill assessment?
Finished all modules for CJCA preparation, didn't think i would come nearly this far when i started, but here we are. Now on to learning and mastering all topics to get my cert this year. Thanks to everyone in this great community for making this possible.
If anyone has suggestions for modules that are most valuable if i want to work as a SOC Analyst Tier2, hit me up.
Sure, what part are you struggling with?
Attacking Common Applications
Page 21
Attacking Thick Client Applications
can anyone help me with this one
?
i can find the mz
hello
??
hi all,
i am facing issues for almost an hour at this exercise in the module "Introduction to bash scripting".
does anyone know why my script could constantly fail? i checked every line of my script and i still don't find anything.. if i'm allowed, i could send a screenshot of my script so you'll find an issue, smth i didn't find, it would be easier.
thanks in advance.
Hello, i'm not sure you can share the script here either.
If you want, DM me and we'll check it out.
//.
i can't
Hej There, I am doing the Windows fundamentals module and I need to connect with RDP to an IP. Well... I use Remmina and I am not very successful. I cannot ping the spawned machine nor can I access anything with nmap. With nmap I use the port nr 3389. pinging doesn't get an answer. nmap neither. connecting with remmina neither. I tried it on my own VM and with the Parrot one. Can somebody help me here?
hey guys any idea why i cannot connect with guest with rpcclient but I can with smbclient?
Try respawning the target machine since pinging it doesn't work.
Also the module teaches to use xfreerdp to connect to an rdp session
make sure that you do it as shown 😉 the module is above tier 0 so sharing the script here is against the rules. But i can almost guarantee what the issue is. ||it's the last 19 characters, it's counting the newline as one character||
i respawned it multiple times and nothing worked. however, I respawned again as you said. And this time, I used xfreerdp. worked... no idea why
Oh okay that's interesting 🤔
Glad it works. Happy hacking ✌️
windows machines don't always respond to pings
try changing vpn regions
Is there anyone who can help me with the "Exploitation of PDF Generation Vulnerabilities" module.
That sounds like a section of a module, not a module
Is there any way to make the rdp machines faster?
There are tips here https://help.hackthebox.com/en/articles/9297532-connecting-to-academy-vpn
All you need to know about the VPN Connection for Academy
also use tcp vpn, maybe switch servers or regions
Sure, i'll take a look, thanks
3 more weeks
yeah a badge
i thought i should have forged my ticket first then get in with rdp... wasted 1 whole day...
just finished the logrotten section on the Linux Privilege Escalation module under logrotate. i could never get the callback to work so instead of just trying to get a reverse shell i just cat'd the flag to my netcat listener. it took about 15 seconds but i did end up with the flag but anyone else have issues with the shell or anything i'm doing that's horribly wrong?
yeah logrotate is really sensitive, i think i could only get the command to work once before i had to reboot. and the shell only lasted a few seconds. i had to pre-setup the command to cat the flag.
cool well good to know not just me and extra finicky. thanks for the sanity check
so, this means you've done the majority of the course? maybe a lot more.
I've completed a couple courses, and some modules from others.
I have a question in the Windows Privilege Escalation module - Skills assessment 1. I was thinking what kind of thought process is needed to understand how to attack this type of box. Because I feel like the solution is beyond what enumeration can do. I've done manual enumeration checking users, vulnerable services, writable paths, etc. I did use automated tools such as winpeas, powerup, sharpup, etc. Heck, I even used Metasploit just to look if the local exploit suggester can give some hint.
I feel like the solution is like a hail mary attack because the efforts of doing enumeration didn't yield a result showing that this box is vulnerable to that specific kind of CVE?? Just wondering.
Your enumeration should have caught it. Basically you want to always check what non-default permissions your user has, or the groups that your user is a part of. also check what access they give to shares, etc. You should maybe make a check list of everything to check for when you get user access, then reiterate through the checklist again if you get another set of credentials.
Looking for assistance on bash scripting, for loops. Trying to echo a variable 28 times into base64 to encode the number of characters into a salt. But i mess up somewhere, i have tried many ways of including / excluding newline characters, and subtracting 1 and 2, to no avail. Pointers?
I’m working through the SMTP Enumeration lab in the Academy path and believe I’ve completed the technical requirements, but I’m unable to submit an accepted answer, which is blocking module completion. I’m not asking for the answer — just clarification on where I may be going wrong or what the lab expects.
Link: https://academy.hackthebox.com/module/112/section/1072
Screenshots: https://imgur.com/a/OVw316q
Summary of what I’ve done:
Identified SMTP on port 25 (InFreight ESMTP v2.11) via Nmap; supports EHLO, VRFY, STARTTLS, etc.
Successfully interacted manually via Telnet (EHLO, MAIL FROM, RCPT TO).
All RCPT TO attempts (valid and invalid users) returned 250 OK, indicating catch-all / open relay behavior.
Confirmed open relay using smtp-open-relay Nmap script.
smtp-enum-users with VRFY initially returned no results (252 responses).
Running smtp-enum-users without restricting method returned multiple usernames (root, admin, administrator, webadmin, sysadmin, guest, user, etc.).
At this point, it appears user enumeration succeeded via tooling, but none of the enumerated usernames or hostnames are being accepted as the lab answer.
I’m trying to confirm whether:
A specific enumerated username is expected,
The intended takeaway is that enumeration is unreliable due to open relay / catch-all behavior,
Or if there may be an issue with answer validation for this lab instance.
Appreciate any guidance or confirmation on the intended outcome. Thanks!
— FuegoTier
Use the provided wordlist in the resources of the module
need assistance to correct the answer. module: information security foundation, sub module: windows fundamentals, sub part: Windows Management Instrumentation (WMI). Q = Use WMI to find the serial number of the system. Answer - VMware-42 30 fd d0 9d d5 b8 90-09 c7 c1 05 f1 33 52 c4 not working
tried eliminating spaces, deleting the "VMware - "
didn't work
Think if you need to focus on VMware instead of something else
apologies , i understand now thanks sir
Hi all! I'm doing skills assessment of Advanced SQL Injections module . I've been stuck on the last question for days and need a little push. It seems I know the injection vector, but i'm having trouble with confirmation and enumeration. I see what roles exist in db, but fail to confirm if the user inherits from them. User priv enumeration gives me select, update, insert and that's it. Anyone can give me a little push?
can anyone recommend me a module that would teach me all the basics of a few kali linux tools? or specifically gobuster and burpsuite?
Linux fundamentals, Web fuzzing, Web proxies
thanks! could i also get suggestions on what modules i could do that would improve my ctf skills?
Hello i just finished the SQLMap Essentials Skills assessment and i wanted to ask based on what did we choose the ||between script||?
Any specific topics?
currently I’m going for web exploitation specific stuff or forensics but anything broad would also be great.
to use it instead of filtered operators like <, >
How did you know they were filtered tho?
I used the -v 6 for SQLMap but couldn't tell if anything was filtered it just said that my sql queries were wrong SQL Error output
I know it straight from your question as it implies you have completed the SA, which means that tamper script did help you. And BETWEEN itself Replaces greater than operator (>) with NOT BETWEEN 0 AND # and equals operator (=) with BETWEEN # AND #.
Hey guys has anyone solved the lab called Browsed? can anyone drop a hint for the beginning of the lab?
Active Directory (AD) Enumeration & Attacks modules -> Credentialed Enumeration - from Windows, in the first question of this section, we are asked:
Using Bloodhound, determine how many Kerberoastable accounts exist within the INLANEFREIGHT domain. (Submit the number as the answer)
i ran SharpHound and transferred the zip file to my local host to analyze it locally, but the result my BloodHound CE showed is different from the actual answer. i know the answer because i solved it before, iirc i used BloodHound Legacy to solve it. anyone faced the same issue? i also tried this from the HTB provided bloodhound which is legacy, and it showed the correct answer.
Yes yes it did help since i got the flag
But my question is how would i choose it directly? since for me i used multiple scripts till this one worked
Was there a way to make sure this specific one would work so i don't waste time during the exam?
my guess is just look at the output of sqlmap keeping in mind --technique and other flags you started it with. -v 6 is not always necessary. Sometimes -v 3 would give you messages of what might be the problem. I think there is no "one shot" way of doing that, but that's just my opinion
basically if you have SQL Error in the sqlmap output then that error is specifying what went wrong, i.e. syntax error at ..... At that point you analyze what sqli was attempted and based on that judge what the filters might be. I hope it helps
@scenic parcel Thank you so much will try that next time
I thought i did something wrong by trying each script till between
You can navigate to sqlmap source code dir and take a look at those scripts, and write your own if needed
Hey guys! I'm really, really stuck on the DACL Attacks II Skills Assessment. If someone could give a little nudge I'd highly appreciate it! Thanks in advance!
Ad enum & attacks is above tier 0. Don't share things from the labs
thank you for your help :))
Np; it's a bit dumb with expectations at times
yes sometimes its harder
Like having you do echo | wc (which adds a char) instead of just ${#var}
Off-by-one errors :))))
Is that only me, or password attacks module is ass😭
How the hell it supposed to be done in 1 day(8 hours session)?
What section is tripping you up?
Also the time estimates are usually safe to ignore
Shares took some time but manageable, lateral movement seems so off here
It's like patience lesson
Mainly because of slow/laggy rdp
Lateral movement is basically just pillaging info to move to the next machine, treat each as a blank slate for discovery
Try using the tcp vpn and changing vpn regions
Didn't think of that, tcp connection may stabilise the situation
Thanks in advance
Np
I forget the command but in the help article related to connecting to the vpn, it recommends a command for xfreerdp
xfreerdp /u:username /p:password /v:TargetIP /cert-ignore /bpp:8 /network:modem /compression -themes -wallpaper /clipboard /audio-mode:1 /auto-reconnect -glyph-cache /dynamic-resolution
@molten swallow 👆 🙂 Also, some found reducing the mtu on tun0 to 1200 helped in certain situations
sudo ip link set dev tun0 mtu 1200
Password attack modules are so long and now I am stuck in the Skills Assessment. Can't figure out where to go now
Treat each host as a blank slate
Enumerate from 0
If you're still stuck you can DM.
Okay, yeh that’s what I did last night after ssh and proxychains I thought of using same creds again 🤔
I believe i have notes on the new SA; are you on the foothold? I need to get back to revamping notes
are academy Subscriptions separate from the labs ones?
Yes
what was that 💀
You might be missing some history
Ohkkk hmm 🧐
even the student one?
you can DM me if you are still stuck
Yes, they are separate platforms
Hello guys. i need help. I'm stuck on the footprinting module easy lab. I've done some enumeration but i haven't made much progress. can someone please point me in the right direction? 🙇‍♂️
Hi I am unable to setup webdav server to upload files using SMB via HTTP. Currently on Windows File Transfer Module
me and one of the users also had this problem, this is probably because the tool has changed since the module was written
yeah we also experienced this
oh so you found any workarounds?
unfortunately no, if you find, let me know
Do we need to ssh into the ip and port before entering curl cmds in the command prompt from inside the box?
I would say, it's likely that BH CE did provide the information, but it doesn't display it in a way to make it easy to identify the missing account.
that is probably it, because i didn't really look at it carefully and it is my first time using CE, it looks better than Legacy
It isn't bad, just takes a minute to adjust to things. Let me know if you aren't tracking on what I was getting at.
For that specific target, you can either just directly access it from spawning the Pwnbox above, or through your own browser / terminal. You do not need to SSH into it.
Have another read over above where the question is asked, in the section content @night vortex - that will help you to bypass the requirement you have come up against with that command.
Hello again, am I wrong in thinking that pass-the-something attacks are only present in the password attacks module?
Or does the AD module go in-depth about these attacks?
You have pass-the-something in AD modules, but there is nothing difficult here: instead of passing passwd to command, you pass a hash...
So i think i should stay a bit longer at pass attacks, thanks😀
Any chance someone can help with this? I would like to find out
PTH is prevalent in AD
But they're explained a bit when you come across it
I'm just redoing all my notes and this module goes into almost every stage of an assessment. Enum, cracking, spraying, lateral etc. So i definitely should stay here a bit longer within pass-the attacks to note them properly
You dont need to stick too long tbh
I'm already tired as hell of this module tbh xdd
The underlying thing is that the auth mechanism accepts the hash of the password and succeeds the login
I'd check the SharpHound output to see if you can identify any errors that might have contributed to this, check the version of Bloodhound you are running (new SharpHound, old Bloodhound, etc.), etc. I just ran it using the provided version of SharpHound in the C:\Tools directory and used a version I recently compiled (2.7.0) and both showed what you are missing with BH CE (v7.3.1).
Yep, but there are some interesting techniques like popping a reverse shell to the DC via rdp->pth->powershell because of connection restrictions. Indeed it was an interesting solution. Or a possible rdp connection after editing the registry of admin restrictions. There's a lot, but i think it definitely will shoot and play its own role some day.
Hey guys, i've a little problem, i'm doing the Pentester Module, i'm on the nmap course, i need to find the name of an OS, i'm 99% sure i have it, but it doesn't work when i submit my answer, can someone help me in DM? thx guys
Are you scanning from your own machine or pwnbox? If it's yours - try to scan it the same way with pwnbox.
What's the section?
Also its the pentester pathway, nmap is the module
Nono, I think i have it, it's just that i try to write it in the academy and it's not that, but when it doesn't work, i've got a message like "too much noise, hehe no OS" and now i've got it
This one
I can show my nmap in DM if u want but i don't want to spoil it if anyone is working on this same thing
It's extremely simple. It's asking for the name, like windows, kali, parrot, etc. It's not asking for a version
Yeah i saw that
And with my nmap i've got the line OS details ...
ok i've tried the most famous os so the question is validated, but it wasn't the same as on this line wtf, i'll try to search what the right method was
Sometimes a version scan can reveal more details
If you're absolutely certain, refresh the page and try again
I'm trying to find the right command to see the *** OS
ok i think i'm fine
Thx for your time
i have a question about the Broken Authentication skills assessment. i am kind of stuck at the ||otp|| part. i cannot find any difference in output and no format i should follow. anybody got a small hint?
May u help me with being quiet please?
?
If brute forcing isn't working, maybe you can check for potential ways to bypass and other things that were taught that are relevant to what you are working on in the skills assessment.
With Nmap, i'm stuck in these 3 last courses
Hey all. So I have tried installing Python 2.7 on the Pwnbox, and have had no luck. I tried the install steps they recommended in the Rpivot module, but I can't get it to work. I tried Kali's documentation on installing it as well but it doesn't work in Kali either. Been trying all day yesterday and I am getting annoyed because I don't know how else to convert kirbi files to hashes for cracking. Is there an easier way to do this?
Here are the steps they gave that don't work:
Alternative Installation of Python2.7
Remove pyenv.run's directory first before installing
'''
Criminal0fPurp0se@htb[/htb]$ curl https://pyenv.run | bash
Criminal0fPurp0se@htb[/htb]$ echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
Criminal0fPurp0se@htb[/htb]$ echo 'command -v pyenv >/dev/null || export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
Criminal0fPurp0se@htb[/htb]$ echo 'eval "$(pyenv init -)"' >> ~/.bashrc
Criminal0fPurp0se@htb[/htb]$ source ~/.bashrc
Criminal0fPurp0se@htb[/htb]$ pyenv install 2.7
Criminal0fPurp0se@htb[/htb]$ pyenv shell 2.7 '''
Use ``` to wrap code blocks
```
Like this
```
thank you
Not sure how this relates to you saying "be quiet"
When you say codeblocks, do you mean in the install steps they provided?
Isn't it like that already or am I missing something?
it's about IDS / IPS bypass, i have to use the fewest frames possible as far as i've understood
Yes, it's just for formatting on discord
Each assessment is independent of each other. But I'm not sure i understand what exactly you're asking
Oh!
Last I remember it was already setup for use on pwnbox.
May I send you my nmap in a private message?
It isn't. When was the last time you used it?
Fuck it. Sure.
Give me a second, but it was the last time I helped someone with the rpivot section, which wasn't super long ago.
Done
I ended up skipping Rpivot and got the flags another way, I am on the AD section with Kerberoasting and I hit a wall with this cause I need the kirbi2john.py script for converting the hashes.
When you spawn a terminal, go ahead and run ls -la and you should see .pyenv.
I see it
Good now?
he's probably dead in his virtual env x)
When I try running the script, I get this error:
python2.7 kirbi2john.py
pyenv: python2.7: command not found
The `python2.7' command exists in these Python versions:
2.7.18
Note: See 'pyenv help global' for tips on allowing both
python2 and python3 to be found.
fml
Check that pyenv versions
it's at 2.7.18
try that: pyenv global 2.7.18
I think if you are using Kali Linux, the kirbi2john command will do the work
I ran that command, and then got this error:
python2.7 kirbi2john.py
Traceback (most recent call last):
  File "kirbi2john.py", line 18, in <module>
    from pyasn1.codec.ber import encoder, decoder
ImportError: No module named pyasn1.codec.ber
look at your log
This error is telling you that it could not find the module named pyasn1.codec.ber, which is used in the script you are trying to use; you can install it somehow I guess, but it is better to use kirbi2john anyway, there should be one in a python3 version
Thank you, I will investigate this
oh yeah this is way better lmao immediately works
Here's the link in case anyone wants it or searches for it in the future: https://github.com/openwall/john/blob/bleeding-jumbo/run/kirbi2john.py
yep, trying to work with different programming language versions is a pain in the ass
Sever, may I ask you a question about Nmap?
yes
can we go private for 5m, easier
you mean DM
yeah
i will DM you
Everything is explained 🙂
Ah gotcha, well you should be able to just run kirbi2john instead of going down the path of using the pyenv and python2.
And it looks like someone already got that information to you.
same problem here
Hello, I am doing the module on infiltrating Windows and have a problem with meterpreter. See screenshot, I am trying to follow along but the 'getuid', 'shell', 'ps', etc. commands do not work. Trying to load stdapi does not work. Nothing I could find on Google works... I am using my own Parrot VM. Any ideas?
Thanks anyways buddy, appreciate it all the same
Hi, thank you for the tip. I was running the SharpHound version (2.7.2) that I downloaded via BloodHound (so it is the correct version). I now tried the SharpHound in C:\Tools and it indeed worked (with the same BloodHound). I then updated my SharpHound and BloodHound to the newest version (running via docker), and tried it again with the updated SharpHound, and again it worked. Seems like something is broken in SharpHound 2.7.2 somehow. Thanks for the help!
Hi
Anyone please can help me in "Exploitation of PDF Generation Vulnerabilities"?
yo guys
I need help in attacking Tomcat CGI
I can't find any path to any CGI script by brute forcing
I found the same wordlist being used in the section; however, it's 4614 lines, while mine, which I just pulled from the dirb repo, is only 1437.
Not sure if the wordlist is the problem or not, because I tried other ones and I did not succeed
I tried other extensions as well
What have you tried until now?
Hi all, working on the vhost section of 'Information Gathering - Web Edition' currently. My FFUF scan is picking up 6 subdomains, but it's missing the one starting with 'web' when using the common.txt and subdomain-top1million-110000 wordlists. I started by filtering by the size, then moved onto a regex filter of the text on the fallback webpage with the same result. The box has been restarted multiple times. Any nudge/sanity check would be appreciated :)
Thank you @autumn pilot, I will run the RCPT TO:name@inlanefreight.htb for each name from the wordlist to see if there are any variances/distinctions.
Don't use rcpt
Also there's tools to automate this task
I'm having trouble with this question also; I've spent hours and days on it lol
It's in the subdomain list
Can anyone help me with the Windows Attack and Defense PKI-ESC1 question about finding the flag? I've tried for days and cannot get the credentials; I've done everything up to making the cert.pfx on WS001 and then running the Rubeus command, but I can't get into dc1$\scripts
Thanks Marcie! Am I able to flick you my command (or allowed to put it here)? I've grepped the subdomain 110k list for 'web' (~400 words) and rerun it, but still no luck.
Give me a sec and I'll pull the md5sum and the wc for it
tyty
e6114766582484501fae472253777171 the md5sum
md5sum /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
8865007ef82bbad5e6544ec75a49dac9 /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
and the sum of the whole list itself
my default grep is egrep which is regex grep
ah ty, seems the list on github has had an update
i've had this list for a hot minute
as of a couple weeks ago
it's down to 216 when grepping ^web
interesting, let me pull the list itself and see
I'll go swipe an older version
huh, you're absolutely right it has far fewer; maybe an #1234357888114364508 is needed to change to one of those 216 words
curl -s https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Discovery/DNS/subdomains-top1million-110000.txt | grep ^web | wc -l
216
^ the command i used to check
dope, ill write one up. thanks for your help!
np and i double checked the first 2 characters after web... and the expected one isn't in there
just in case the expected was in there and it was just being dumb
yk
@agile torrent for giggles and shits try the combined_subdomains.txt from the updated repo
yep it's in the combined list
though that has over 600,000
so maybe trim from ^web
that drops it down to a measly 12,477
i'm using curl to check the length and wordlist; so i'm not downloading anything new
ah yeah that makes sense
combined list hasn't been updated for almost a year so that's chilling
i'm just doing curl -s <raw link> | grep ^web | wc -l
the other one it appears in in the old repos is the italian one 💀
but i didn't check the raw
whadda the hella 🤌 🤌 🤌
but i'll update my brain notes to recommend people trim from the combined list and work off that
I believe with grep you can do a multi selection via grep "^blahblah\|abc\|d"; I believe it requires the \| and not just |
yep you can chain OR statements (the \| is an or statement with grep)
so you can generate a list for all the questions chaining grep "^web\|^vm\|^br\|^a\|^su"
the ^ is the anchor for start of line
if you know the end of line, it's $, so if you know it ends with 123: grep 123$, and if you need to grep for special characters you just need to escape them
oh that's clever
prob gaming the question system a little bit, but good if you know a pattern
random list with the prefixes; and utilizing the grep filter
just as a proof of concept :)
yeah def, I'll add it to the cheatsheet
honestly i forget when/where I learned about the OR bit with grep
it's just part of the mindset, you have known info, so use it.
it's just a regex, right? I wonder if it can do capturing expressions
imagine if they set it up with a bunch of different vhosts that responded for you to sift through 💀 that'd be evil
gits n shiggles
yep it's regex; if you want to use regex to capture more specifically you can use brackets to signify ranges of things, i.e. ^[a-zA-Z]{1,7} <- looks for only things that start with the letters a-z or A-Z, up to 7 of them (but matches anything below that); you do need to use the -E argument for extended regex/bracketing
{min,max}
if you don't specify a max, it doesn't set one
so say you know something is a minimum of 8 characters -> {8,} is a valid range
seems it understands the syntax but just ignores it
yeah the range stuff is good
yeah, your syntax looks for web anywhere
had to figure out a bunch of regex stuff for the vscode search a while ago
yeah that's alright, I was more meaning the brackets; if it respected them I would have expected the output to be mail, disk, etc.
ah fair enough
can prob do that sort of thing with sed
might need to use -E for extended RegEx
sometimes it's a bit silly :)
extended adds the classifiers and stuff
otherwise you're limited to some basic stuff
that's the command I showed a sec ago without the -E
:)
oh dope
turns out pcregrep can do the thing i was trying to do here
or two runs of grep, pick your poison type of thing ig
oh nvm the perl variant does it
grep 'web\K(.*)' subdomains-top1million-110000.txt -oP
I am doing Login Brute Forcing - Brute Force Attacks, the question for the pin... it's from 0000-9999, I'm at like 0333
could I possibly just get the answer without waiting ....
what tool does that one use again?
well, part of what the module teaches is that these tools can be slow, so you'll just have to wait unless you wanna do your own research and multithread the application
or do the poor man's one: change the range in the script they gave you so each does a quarter of the search space and run four at the same time
would def be a great learning experience to setup multithreading properly, but would prob take longer than just waiting for the script to finish
I have no idea if the ffuf I learnt from last module would help but testing it rn
oh yeah that'd be good
anybody ever have issues RDPing into a Windows server? Pwnbox is not loading for me either
remove the )) and for passwords use single quotes
Oh wow! Okay. I'm excited to see what's possible! Thank you @fathom pendant
Guys, I can't understand the use of IP spoofing for firewall evasion: when you try it, it never works:
You just need the target IP address. You don't need -e tun0. You have other flags to use for evasion.
I would revise you going back through the course
No bro, this is the exact course command being used, but it seems to me that IP spoofing is kinda useless
Well, it can't seem to determine a route to your target; it isn't useless, it just can't find you
No, it is useless, because if I spoof the IP of the sender then I can't receive data back, so what's the point of it?
Well even if the packets don't come back they still create logs against the target which can serve a few things like:
- a smokescreen
- frame someone
- just create a lot of noise
Like what?
also can work if you're using proxies
Can anyone please help me? I am stuck at question number 3 of the skills assessment of the 'Using CrackMapExec' module. I have got credentials for sql***, sq***, local administrator on SQL01$, Jul***, and A****. Thank you
// Section 10 - 15 // Using the Metasploit Framework // Question 1
The target has a specific web application running that we can find by looking into the HTML source code. What is the name of that web application?
nmap -sV 10.129.203.52
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
msf auxiliary(scanner/http/dir_listing) > use auxiliary/scanner/http/dir_scanner
msf auxiliary(scanner/http/dir_scanner) > set RHOSTS 10.129.203.52
RHOSTS => 10.129.203.52
msf auxiliary(scanner/http/dir_scanner) > set PATH /
PATH => /
msf auxiliary(scanner/http/dir_scanner) > run
[*] Detecting error code
[*] Using code '404' as not found for 10.129.203.52
[+] Found http://10.129.203.52:80/files/ 200 (10.129.203.52)
[+] Found http://10.129.203.52:80/icons/ 404 (10.129.203.52)
I'm blocked here; can anyone give me a hint?
All the auxiliaries I'm using don't find any info, and searching the HTML gives nothing
Have you tried: simply using the application as normal?
anybody pls
try grabbing the one from SecLists
Thanx !!!
please don't spoil module answers in the chat btw.
sorry !!
A SQL user has access to very useful tables and features on sql01.
Hello, I can't seem to connect to the Linux Fundamentals HTB student SSH IP. It just keeps me in a 'waiting' state. I've tried disconnecting from the OpenVPN config, running it with --daemon --config and then connecting to the SSH, changing the location, and redownloading the config. I am currently running a full port scan to see which ports are open to try those instead. Could anyone help?
also, I'm able to ping the IP and receive a response. ^
^^^^^^^ Never mind, I fixed it! It was a Maximum Transmission Unit (MTU) issue. The SSH handshake message was too large for my VPN tunnel to handle without fragmentation. To fix it, I manually lowered the MTU of my VPN interface by running: sudo ip link set dev tun0 mtu 1200
Hello guys, I have a question about PtT and over-pass attacks. Are Mimikatz and Rubeus mostly interchangeable, and is it preferable to use Rubeus because it's not communicating with LSASS that aggressively and is much stealthier to the EDR, etc.?
This part of pass attacks is heavily loaded and I can't comprehend it clearly.
@inner canyon Brother, I dumped all SQL tables, still I haven't found any way to DEV01. Can you please guide me a little bit more
You got juicy information, what can you access with it? Just got to enumerate a bit more.
Hey, be sure not to provide attack paths for skills assessments or labs.
@left needle that module is above tier 0; refrain from sharing screenshots from enumeration in the module
I'm doing the "Spraying, Stuffing, and Default Credentials" section in the Password Attack Module. I got the answer for the challenge question but I don't see why we were given creds to ssh to another box? It seems unnecessary?
I seem unable to spawn the target system, is it just me? What could I do?
to check if the credentials are valid or not, instead of brute forcing the answer
man it helps to know the module name and section so people can be more helpful
ssh in and use credentials until they work. there's an sql server running internally
module/143/section/1422
Active Directory Enum & Attacks: Internal Password Spraying - from Windows
Thank you. I searched around and saw we're supposed to check with mysql -u <username> -p and see if the login works. I appreciate it.
it was working fine for me recently, maybe try refreshing the page, you can also wait a bit to spawn it later
Hello, I wanted to ask what is the meaning of chaining exploits?
Does it mean I exploit A then exploit B to reach C,
or I mix both A and B exploits at once to reach C?
Or both?
chaining exploits is basically combining exploits to reach a goal;
Say you need exploit B to get to C, but that requires exploit A to be achieved, so you chain A and B to get C
@severe inlet
An example on that would be:
A: You exploit a SQLi to get a password from the database
B: Use the found password to login to dashboard, which has a feature that is vulnerable to directory traversal
C: You Abuse directory traversal to read SSH private key of a user and gain a shell
So here, you chained SQLi with directory traversal to read a private SSH key and get a shell.
This is what chaining means.
this wouldn't be a chain
imho
but it is, so my opinion is moot lol
did you find a solution?
can i dm you as well?
help
try to switch to US vpn (if you are using EU) then try to respawn again
yeah it worked thanks
I tried both US and EU; both fail to launch the VM
no worry
I am currently on US 1 and it's fixed for me
so we can use the vpn server which doesn't mention "recommended"?
Hello
I am having issues today spawning targets. The target is not deploying. What is the solution?
try to switch to US VPNs (if you are using EU ones), it fixed it for me
also support team is working on it atm
I am supposed to be on EU
me too, but EU and a few of the US ones are having technical issues rn; try US 1 like me
ok thank you mate. I will switch to US!
nw
sure
EU VPNs are having technical issues rn; switch to US 1 (worked for me)
I meant the VM itself doesn't spawn, I haven't tried to connect yet
does changing the VPN fix this?
Yeah I understand, but that may well be due to an issue with the VPN server.
I think all EU VPNs and a few US ones (not sure which ones); already talked with the support team
Which VPN server are you assigned to at the moment?
eu
eu academy 3
the machine gets spawned but fails to work, like RDP is not working
Yep I am getting same
Please do raise with support also
I used almost all the VPN servers, experiencing the same on all of them
I am raising internally too.
alright i will do so, thanks.
Which module / section target were you trying to spawn?
attacking common services module, attacking rdp section
ty
my module was different to the one which was down, cannot remember the name, but I think I already sent a message to support
ahhh my next module after password attacks
eu-academy-1 and 3 confirmed as impacted. Checking the rest.
Yeah.. team are already investigating it seems https://status.hackthebox.com
Switching to US region for now is the workaround, as you already found
The issues with the EU academy VPNs and spawning has been resolved.
if only there was a tool to help you quick switch between them 👀
there is a tool that lets you switch VPNs in the web, downloads the file and connects for you?
it doesn't connect but it downloads it :3
Oh, so mostly all modules train us for this, right?
I remember the Footprinting module had multiple chains, if that's the case
Where you get information from FTP then use it to SSH or go to something else
how the holy does that bypass Cloudflare
But the idea of chaining 2 things together seems really complicated to me, so idk about it
Like combining 2 web vulnerabilities at the same time to exploit something
Do you have any examples for this?
I can't think of any except for vulnerabilities with HTTP verb tampering
it's not as complicated as you think
it doesn't bypass cloudflare
that's why it requires a context session
I hope you are correct lol
yeah lol I thought it was like this too when I first heard the term exploit chaining.
I heard that you'll have to chain multiple vulnerabilities in CPTS and I was terrified of that lol.
But turns out, it's simpler than I thought
Y'all think doing the web application path after doing the penetration testing path is overkill for CPTS and OSCP? I know the CPTS covers only what is in its path, but figure it's good practice. And it seems like a lot of the pentesting path covers its modules
i'd say it's overkill
Hi, I am unable to upload files using the PowerShell UploadFile cmdlet and an FTP server with write mode enabled. Currently doing the File Upload module in academy.
yeah thank u guys
not sure why you're using 192... the academy targets don't spawn in that subnet
that is my Kali VM IP
no, I'm trying on my separate instances
one Windows VM and one Kali VM; there is no relation with academy targets rn
xd
that doesn't help as there could be some networking things
Networking is fine, every other method mentioned in the module is working fine
I suggest asking in #homelab-sysadm since this isn't related to you testing on an academy target
so no one can sanity check things
Lmao, but if the command mentioned in the module itself isn't working
why should I go into #homelab-sysadm
this sounds more like user error rather than module error
and i'm asking you to go there because you're testing in YOUR OWN SETUP
not in the academy space
:)
so the issues could be related to other stuff
thanks
here's the docs https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.uploadfile?view=net-10.0
if you are trying to transfer files between your local instances using FTP, I think you need to set up a client-server using an official app, because I heard that FTP doesn't work smoothly on Windows; you can try SMB though
Hey everyone,
I hope you're all doing well. I'm reaching out because I'm feeling a bit overwhelmed with everything. I'm currently working through the Junior Cybersecurity Analyst path (which I was told is a good beginner-friendly start, only been at it 2 weeks), and I'm currently on Introduction to Bash Scripting (Comparison Operators section). Both this and Linux Fundamentals have me feeling like I'm drinking from a firehose. I'm struggling to figure out how to properly approach the problems. I'm stuck on one question and I've reread the material, used Google, and even talked it over with ChatGPT for a good 45 minutes, but I still feel completely lost.
I understand we can't share answers in this chat, but I'm not sure if I'm able to list what I've done or what answers I've gotten (that turned out to be wrong, obv.), but I can definitely do that if it's allowed. I was just hoping it would start making sense, but no matter how many times I reread it, I'm still lost. I would really appreciate any guidance, tips, or insights from y'all; I'd be super grateful!
Q: Create an "If-Else" condition in the "For"-Loop that checks if the variable named "var" contains the contents of the variable named "value". Additionally, the variable "var" must contain more than 113,450 characters. If these conditions are met, the script must then print the last 20 characters of the variable "var". Submit these last 20 characters as the answer.
hello, is this question specifically for bash or it's not specified?
I'm pretty sure it's for bash, because it's in the Bash module.
Hello, is this the channel where I can ask questions about module sections?
cpts
I am in Windows Privilege Escalation - Legacy Windows 2008 R2
I have a meterpreter session running using the SMB delivery module as said in the section; I ran Windows Exploit Suggester to priv esc, but all the exploits suggested aren't working
the rest of the modules return the same incompatibility as the last image
ran Sherlock and it suggested the same vulns
also tested the exploit in the section, even though the suggester said it wasn't vulnerable to it
Thank you so much, I will definitely be more confident in my CWES exam now since I heard a lot about chaining
Hi everyone. I'm doing the Attacking Windows Credential Manager section in the Password Attacks module. I got the correct answer but I'm not sure if I did it the right way. Is there a step-by-step guide I should be referencing?
there's no step-by-step guide, and there are multiple paths to get the answer
copy, thank you
you gonna love PtT from linux 
@fathom pendant is Password Attacks actually longer than it says on the website, or am I kinda dumb dumb?
hello there, I am solving the NTLM Relay Attacks module
I am stuck at the last question, Q4; I was able to get ||SQLADM|| but I can't find a way for it to lead to the domain controller; any help I would appreciate, DM plz
Did you set it up with socks? If not try that out and it should be easy.
yes, I have it with socks as an SMB session and it has local admin over ||SQL03||, that's it; I don't see interesting shares and it can't set ||rbcd||, which I tried
You can send me a DM.
I'm experiencing exactly the same issue as him, and I'm unable to complete the module exercises.
Can someone please help me?
I searched through the posts on the server, but I couldn't find any solution.
that's because the problem is likely a connection issue; respawning the target may work or changing vpn region/respawning
Thank you. I had respawned the machine several times, but I hadn’t tried changing the region.
I’ll give that a try.
thanks my stupid a**
thanks
I just wanted to give a quick update.
I tried switching through several regions during my lunch break, and I finally found one environment where TLS connections worked.
(The last SMTP exercise still didn’t allow successful enumeration. ) thx.
Hey everyone, I’m stuck on the SMTP enumeration module and want to sanity-check my approach, because I’ve followed the guidance but I’m still getting 0 valid results for what the question is asking.
What I’ve done so far:
• Identified SMTP on port 25 (InFreight ESMTP v2.11)
nmap -p25 -sV -sC <target>
• Manual SMTP interaction via telnet
– Corrected EHLO syntax
– Server accepts VRFY, EXPN, RCPT, etc.
– RCPT TO returns 250 OK for any username (catch-all / open relay behavior)
• Confirmed open relay:
nmap -p25 --script smtp-open-relay <target>
• Enumerated users via Nmap:
nmap -p25 --script smtp-enum-users <target>
This returns:
root, admin, administrator, webadmin, sysadmin, netadmin, guest, user, web, test
→ None of these are accepted as the module answer
Per moderator guidance, I stopped using RCPT and switched to automation + wordlist
• Used the module-provided name list (~100 common names)
• Created users.txt
smtp-user-enum attempts:
smtp-user-enum -M VRFY -U users.txt -t <target>
→ 0 results
smtp-user-enum -M EXPN -U users.txt -t <target> -D inlanefreight.htb
→ 0 results
Manual automation using netcat (with proper CRLF + QUIT):
while read user; do
printf "VRFY %s\r\nQUIT\r\n" "$user" | nc <target> 25
done < users.txt
All users tested so far return:
550 5.1.1 <user>: Recipient address rejected: User unknown
No variance in responses, no aliases, no 250/252 differences.
At this point:
• VRFY appears hardened
• EXPN returns nothing
• RCPT is unusable due to catch-all
• Wordlist automation yields only 550 unknown
My question:
Is the expected takeaway that enumeration is not possible in this configuration, or is there a specific signal/command/output I should be keying in on for the answer?
Appreciate any guidance — just want to make sure I’m aligned with the module’s intended outcome and not missing something obvious.
Use the wordlist that can be found and downloaded in the resources of the module, do not create a wordlist by yourself
Thank you! I used the wordlist provided in the module's resources. The list gave 101 names. I created a users.txt in nano to run an automated script:
while read user; do
printf "VRFY %s\r\nQUIT\r\n" "$user" | nc <target> 25
done < users.txt
So far, I am not having any success. I am attempting to discover the user without manually typing each name as a wordlist may not always be provided.
I just tested the exercise using the footprinting-wordlist.txt wordlist and it works
Keep it simple
VRFY, EXPN, RCPT, and Auth return nothing.
Okay. Thank you!
Currently having issues with downloading the wordlist inside the vm directly. Only my actual desktop is able to access the wordlist.
Do I sign into my HTB account using the VM's Firefox?
Module: AD Hardening - Recon & Initial Access- Skills Assessment
Why is it not getting remediated?
DNS Tunneling with Dnscat2 chapter on pivoting, tunneling module
Module: Intermediate Network Traffic Analysis
File: ARP_Spoof.pcapng --> Corrupt. It does not open
Good day, I am going through the second detection example on Analysing Evil with Sysmon and Event Logs.
But I can't see event 7 in Sysmon
I have done PSInject in PowerShell and it has the clr and clrjit DLLs in the modules view of Process Hacker, but I can't find the event in Sysmon
Hey! I am currently doing the 'SQL Injection Fundamentals' module. I am trying to complete the question within 'Writing Files', however I just can't seem to get any output.
I used a union injection with the following payload: ||cn' UNION SELECT "", '<?php system(_REQUEST[0]); ?>', "", "" INTO OUTFILE '/var/www/html/shell.php'-- || and it definitely writes the file since I can access /shell.php, but when I try getting execution by using ||http://IP:PORT/shell.php?0=id|| I don't get any output, I already confirmed I have the needed privileges and everything.
You're missing a $ in your payload
Ahh I see, thanks! Always the simple mistakes haha
Hey, for the DACL Attack 2 skills assessment the VPN and machines are not reachable; I have tried US and EU servers. Could you check on this module or SA?
If anyone is working on the DACL Attack 2 SA, please let me know if the SA machines are working or not?
Hello! I am stuck in Kerberoasting - from Linux (Active Directory Enumeration & Attacks) on this question: What powerful local group on the Domain Controller is the SAPService user a member of? I used crackmapexec but it does not say Pwn3d!; is there any way to see the local groups of this user?
Hello, can anyone help me with the Windows defense PKI-ESC1 questions? I've checked the forums as well as other resources but I can't get into dc1\c$\scripts.
hello, I am having some trouble in the Command Injections module; can someone help?
people tend to help more when you ask your question directly
Can anyone help me figure out how to find the flag? Last time I'm asking
I haven't done the module, but are you supposed to leverage ESC1?
are we not allowed to use our VMs for the skills assessment (from Password Attacks), or am I missing a configuration?
So you're good? I'm going to delete your response as it includes spoiler information.
You can use your own VM, just need to download the OpenVPN config file.
I do have it tho, connected too
Are you unable to do anything with the external target?
I can't SSH to the target
I am at the start and the machine won't even let me connect
but when I switch to Parrot OS on the web, it allows me to connect with SSH
lemme get the SS
You can DM what you are trying and I can help you troubleshoot a little.
Hello, I'm in Information Gathering - Web Edition
Inside of Fingerprinting it requires us to use the nikto tool; now I've run the commands but it doesn't seem to be working; if anyone can see if I made any mistakes
nikto/program on master via 🐪 v5.34.1
❯ ./nikto.pl -vhost app.inlanefreight.com -host 10.129.12.153 -Tuning b
- Nikto v2.5.0
---------------------------------------------------------------------------
nikto/program on master via 🐪 v5.34.1
❯ ./nikto.pl -vhost app.inlanefreight.com -h 10.129.12.153 -Tuning b
- Nikto v2.5.0
---------------------------------------------------------------------------
my VPN is turned on for HTB and the example and questions can be found here
https://academy.hackthebox.com/beta/module/144/section/3075
It may be a stupid question - I've deleted krb5.conf and reinstalled the package, but the popup menu for the default realm doesn't show up and also I don't have a fresh default krb5.conf?
This file is like a scratchpad and should be redone for every new domain in order not to break Kerberos-based attacks?
Can I leave garbage/nothing here until I need this, or may deletion break other attacks?
You can write it manually or use netexec to generate one
netexec smb ip -u user -p password --generate-krb5-file /path
export KRB5_CONFIG=/path
But it won't break other Windows attacks that don't involve krb?
hello!! I was stuck on Firewall and IDS/IPS Evasion - Hard Lab
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: nix-nmap-hard
| NetBIOS computer name: NIX-NMAP-HARD\x00
| Domain name: \x00
| FQDN: nix-nmap-hard
|_ System time: 2026-01-28T18:11:06+01:00
is Samba 4.7.6 the wrong answer, or
am I missing something?
can you elaborate plz 🙂
i
So this .conf should be redone for every new target and just have [libdefaults] and [realms] if I'm doing it manually, or netexec will generate it for me with the same fields?
okay. btw, what was wrong in my scan? it gave me the version of Samba
did it, plz check 🙂
IIRC you should read the article about firewall evasion once again
Carefully
Hi everyone, I just cleared the password attacks skills assessment, but I have some questions.
Aside from being able to move faster, stealthier, and perform attacks like pass-the-hash, forging tickets etc — what’s the main point of having the hash if you already have the password?
I’m asking because in the assessment, I was able to retrieve every password a bit earlier 🤔.
Is it because using the hash can bypass some password-based authentication protections ?
The whole point of trying to get the hash isn’t because you don’t know the password? At least for interactive users ?
Using the hash is an intermediary to the password, within authentication mechanisms: they're the same.
Tickets are more powerful, they grant the authorization of whatever the ticket gives as whatever service/user you're importing from without the need to brute a pass
In the password attack linux thing, i was able to get the service account .kt and get a hash, but I need password to use ssh
I used hashid and tested a lot of -m options
Is this really the way or am I being dumb?

Sure, so if I have the password, I could just use it without caring about the hash
Rabbit hole. I suggest you enumerate a bit more, think dumber.
This module drains the soul
So true. With all those useless documents that you have to check 😞
Shares was fun, you need to logically analyze where the right things can lie down peacefully.
Sure, you need to avoid tunnel vision
I can only imagine rabbit holes on the exam
To think, then to do. Only one solution.
The level of logical analysis is probably insane. I think a good thing is to learn how to prioritize attack paths and targets.
Ippsec videos help a lot.
It's like if you don't have enough information, trying a password attack is probably useless unless you are facing a common app or a login page with default creds.
Yup
Subject: Help with TinyFileManager Lab - Stuck on Search Injection / Path Traversal
"Hi everyone, I'm working on a lab featuring TinyFileManager (similar to CVE-2021-45010) and I'm stuck. I've discovered a flag.txt location hint in a text file, but I can't seem to read it.
What I've tried so far:
Command Injection in Search: I've tried multiple payloads in the extension and content parameters via POST request to index.php?p=, including:
html" -exec cat /flag.txt #
html";cat /flag.txt;#
Using ${IFS} instead of spaces to bypass filters.
Using ||cat /flag.txt to force execution.
Path Traversal / LFI: I tried accessing the flag directly via:
index.php?to=&dl=../../../../flag.txt
index.php?p=&view=../../../../flag.txt
URL encoding dots and slashes (%2e%2e%2f).
The Result: Every single attempt returns a response with a Content-Length of 60789. It seems the server is either sanitizing my input or I'm missing a specific bypass for the guest account restrictions. The 'Report Issue' link points to the official GitHub, but the known RCEs there aren't working for me.
Am I looking at the right parameter? Is there a specific character filter I should be aware of, or should I be looking for another entry point entirely? Any nudge in the right direction would be appreciated!"
Which academy module is this related to?
I'm trying to complete "Attacking Common Applications". I'm exploring "Exploiting web vulnerabilities in thick-client applications". Whenever I compile the Java binary the first time it compiles fine (as per the learning material), but when I try to compile again the key mapping gets distorted and I can no longer use commands with "-" or "/". It makes it impossible to complete the lab. I'm at 98% complete in the CPTS course; can someone help me with this please or provide a suggestion.
Hello, has anyone taken the Android Pentest Skill Path? The DAST module in particular; I see that there will be some work with SMALI, how would you rate it?
Did you make sure to remove the bits in the manifest file? Iirc that got me a bit. But that bit overall is just clunky.
Thanks!! I'll give that a try.
Also making sure to have a single newline in the file. Iirc that also breaks it. It's been a little over a year since I touched it, so ymmv.
"Thanks MarcieLee! I'm seeing the same issue where commands with '-' or '/' are failing. I'll check the manifest file and the newline issue. Should I be looking for a specific entry point in the manifest to trigger the flag or is it just about fixing the compilation?"
RE: Info Gathering Web Edition Module, does anyone know the answer here? I can't get archive.org to work for this one 🙁
According to wikipedia.com snapshot taken on February 9, 2003, how many articles were they already working on in the English version?
Just fixing compilation. I remember just hating how clunky it was
I think archive.org has been having infrastructure problems
"I see what you mean about it being clunky. I'm looking at the file manager now but only seeing some .txt files and a tmp folder. Should I be creating a new file to trigger the compilation or is there a hidden config I need to fix to get the flag to reveal itself?"
"My apologies, MarcieLee! I think I explained my situation poorly due to the language barrier (I'm from Brazil and still working on my English). I am actually working on the TinyFileManager 2.4.6 lab, not the Java thick-client one.
I've identified a potential Command Injection in the extension parameter of the search function, but I'm stuck. Every time I use quotes, pipes, or slashes, the server returns a 60789-byte response, which seems to be a 'silent' error or a filter blocking the execution. Since the Java module doesn't apply here, is there a specific trick to bypass the character filtration in this version of TinyFileManager to get the RCE working? I'm really trying to learn the 'injection' part mentioned in the hint file!"
What HTB Academy module is this from?
If it's not from an Academy module, you're in the wrong chat.
@fathom pendant Command Injections
Skills Assessment
You are contracted to perform a penetration test for a company, and through your pentest, you stumble upon an interesting file manager web application. As file managers tend to execute system commands, you are interested in testing for command injection vulnerabilities.
Use the various techniques presented in this module to detect a command injection vulnerability and then exploit it, evading any filters in place.
Questions
Target(s): 83.136.255.53:54017
Authenticate to 83.136.255.53:54017 with user "guest" and password "guest"
What is the content of '/flag.txt'?
I don't recall TFM from Command Injections, though in that module I mostly just did what the reading showed.
Also please don't copy/paste the entire page.
"Sorry for the copy-paste! I'm indeed in the 'Command Injection' module. I'm struggling with the character filter on TinyFileManager 2.4.6. Since pipes and quotes return a 60789 error, I'll re-read the section on 'Bypassing Blacklisted Characters' to find the right syntax. Thanks for pointing me in the right direction!"
Hello all! I am working on the AI Red Team path.
Module: Applications of AI in Infosec
Lesson: Model Evaluation (Network Anomaly Detection)
Issue: problems uploading network_anomaly_detection.joblib to HTB model validation webpage from my personal computer
Description: I was able to connect via OpenVPN, but when I navigate my browser to http://<target-IP>:8001 to upload the model that I have trained on my local Jupyter instance, the connection keeps timing out. In a previous lesson, I was able to successfully navigate to http://<target-IP>:8000 to submit the spam detection model, which makes me think maybe it is a problem on the back-end. Can someone please help?
I just used the scripts that we loaded into Jupyter (to do whatever) to send off the model to HTB. I don't think you need to navigate to 'targetip:8000'?
Can dm me if you have questions.
I remember this user interface. Looks like you misidentified the injection point. Still need help?
Thanks for the reply! Sure, I'll send a DM
Anybody ever unable to reach or even ping the target IP on Pwnbox?
Good evening, everyone. I have a question about the AD Active Directory Enum & Attacks Skill Assessment. I connected via WinRM with the local administrator hash to the machine they gave us, but when I try to enumerate the AD with PowerView, I get errors. However, if I do it as SYSTEM, I can enumerate it with PowerView normally. Why is this happening?
Maybe a double hop problem; what are you using to connect to the system shell?
I am using evil-winrm with the local administrator hash to connect to the host.
I mean, you said it is working if you do it as SYSTEM; what are you using to do it as SYSTEM?
Can I send dm? So I don't give away any spoilers.
Yeah
Hi
Question for everyone: I am currently going through sections and some of them contain alternative ways to solve the problem. Do you guys think we should try every one of them, or at least the important ones? If yes, what is the benefit of it? I think it takes too much time.
I usually try one, but take notes of all of them.
I usually do that too, but I think I should try more than one tool.
On the chisel section of the pivoting module I was struggling to RDP; this command helped, just in case someone faces a similar issue.
Hey everyone — I’ve been stuck on this module for about 4 days now (https://academy.hackthebox.com/module/112/section/1072). I’m trying to automate running the provided footprinting-wordlist.txt against the SMTP service using the example approaches (VRFY / EXPN), but I’m getting no valid results, even though the moderator confirmed the wordlist works.
I’ve tried looping with while read user; do ... nc <target> 25; done, keeping it simple, and avoiding over-engineering, but I still can’t identify the expected user.
Also struggling with downloading/accessing footprinting-wordlist.txt inside the lab VM itself — it downloads on my local machine but isn’t accessible in the VM, and direct wget from the Academy URL returns 404.
Any help, exact commands, or tips for reliably getting the wordlist into the lab and running it correctly would be hugely appreciated.
There is a tool in Linux called “smtp-user-enum” that can help you, but if you want to automate it yourself, you should keep in mind that, due to connection issues with a service, it may take some time to validate your account. For example: I connect to the SMTP service, the service responds with the banner, when I log in, it may take a while to respond and validate my user, so you should have a wait limit of about 10-15 seconds before validating other users. I don't know if I explained it well, but if you have any questions, you can send me a DM.
If anyone knows why this is happening, please don't hesitate to let me know. I've been looking into it, but I'm still confused. 
Because local admin != domain admin. Local admin isn't a member of the domain. System accounts are a member of the domain as a computer account.
But the machine is joined to the domain, and as the local administrator of the host, I should be able to enumerate the AD, or at least that's what I understood from the AD enumeration & attacks module.
Yeah, the machine is joined but the local administrator is not a domain account.
SYSTEM is the domain account for the machine.
Sure, the problem I have is that when I log in as SYSTEM on a computer connected to the domain, I can enumerate the AD with PowerView. But when I connect via evil-WinRM with the local administrator to the same computer joined to the domain, I can't enumerate the domain with PowerView, so I wanted to know if I should actually be able to or if it's a lab issue.
You should be able to do it if there are cached domain credentials.
Thank you so much @earnest pasture and you explained perfectly. I will update you via DM on the results.
Thank you! This helps a lot!
Can anyone help me with the API Attacks section Broken Object Property Level Authorization?
https://academy.hackthebox.com/module/268/section/3063
last question "Exploit another Mass Assignment vulnerability and submit the flag."
hi, same issue here 🙂 I restarted the box multiple times..
uh, solved.
@lapis tinsel don't DM without asking, you can ask your questions related to modules here and people will help
Yo guys
I'm on Attacking Thick Client Applications
and I've a few questions to ask.
Idk if it's only me but I have many problems recently... sometimes ports don't show up, now I can't get a file from FTP from a lab, which u normally should get, etc etc.
For anyone who has done the AI Red Teamer path, particularly the 2nd module skill assessment, why am I getting the following response when I try to upload my model?
Response: {"accuracy":0.0,"metrics":null,"misclassified":[]}
Anyone know, in the Introduction to Sliver C2, why the task is never launched for the lsass save? pls
Hello, I am doing the Introduction to Windows Evasion Techniques.
And I am stuck in the process injection skill assessment. It is basically asking me to perform the injection on the calculator. I did that and it works fine, but when I delivered it on the victim machine it did bypass the AV but nothing happens, even though it says it got executed. I even added a code section to make a GET request to my PC and create a text file, and none of these got triggered even though the log file says it got executed, so I am wondering if anyone got the same issue here.