#modules

you could just reply to yourself to make it easier

you can give me the flag (:

lol flag sharing is strictly prohibited

especially for modules above tier 0

😂

i stuck on this for a week

best guess is that your shellcode is a bit too big

it says under 50 bytes

code optimization 😄

it 41

daym

yea idk shit in this

imma go do my bash

what can i do hate the monitor?

@hardy jacinth module is above tier 0; don't share code from the module please

fine

even this ?

can we not

ok

just wait for someone to offer to dm and assist you

i guess i should lock for another module

finally i thought i will kill me self for this moudule

but i got another problem I need my page for SOC Analyst Prerequisites

wait until they fix

copy ghostrider, thank you

that worked. its always the simplest things. Thank you!

Does a student subscription give me full access to the CAPE job role path? Please @ with replies

Nevermind - found it ^

hi, having an issue in the AI data attacks, evaluating the Trojan attack section. In the last cell of the notebook where the file needs to be submitted to get a flag, I keep getting the error read timeout while submitting. Have tried respawning, increasing the timeout, but still the same error - Error submitting model: HTTPConnectionPool(host='154.57.164.79', port=32104): Read timed out. (read timeout=120)

I'm working on https://academy.hackthebox.com/app/module/116/section/1165 and have a question.

When running medusa -U users.list -P passwords.list -h $IP -M ftp -n 2121 I don't get any hits but when I run hydra -L users.list -P passwords.list ftp://$IP:2121 -q -t 45 I get a hit (which is the expected outcome).

Why do they end up with different results? Aren't they essentially performing the same bruteforce?

@granite sandal @sick meteor Please take care not to reveal content or spoilers for modules above tier 0

in lxc/lxd section on linux priv escalation they ask to unzip alpine image but never tell what is alpine and where to install it from ?

https://github.com/saghul/lxd-alpine-builder

Hi all,
Can anyone please help me with this?

dm please

Can anyone help me with a Bash Script? (Can't send the code here cuz the module is above Tier 0)

you can try to explain the problem without sending code

someone plz tell me that is this HTB subscription is available in coursera ?? i am a student and cant afford this plz tell me thanks

guys also tell me whats the diff between monthly and anual subscription ?

this is not academy subscription, this is Labs subscription which only HTB can offer, monthly and annual subscription is pretty straightforward i think, monthly you pay for one month while annual you pay for whole year

yeah i knew abot that this is a lab subscriptiion

any discount for students ??

unfortunately discount for students only exist in academy

oh i think i have no choice either thanks btw can you plz tell me if a bought thiis does it unlock all the vip labs ??

yeah it basically unlocks everything in labs, not including Pro labs (except for two free ones)

those have separate subscription

so the vip labs in these are all unlock after buyinh subs???

yes

Hi, it's been saying target spawning on the Analyzing Evil With Sysmon & Event Logs module for the past 10 mins. I have tried to refresh the page numerous times. Is HTB functioning as normal or are there issues?

Question. I'm trying to connect to the spawned target, however it keeps telling me I have the wrong passkey.

I am copying and pasting the one that is there.

Any idea why it's doing that?

This is for Linux Fundamentals, section 8.

You need to use the htb-student username to SSH into the target

?

I'm an idiot. Thank you.

have you spawned shell?

I would spawn shell through meterpreter and do some enumeration

the problem asked me to print the last 20 characters of a variable that keeps getting coded in base 64 in a loop when certain conditions are met (the variable must have a string in it and its character count must be over 113450)

my bash script found the condition and printed the last 20 characters

but its somehow not the correct answer

I have the same problem any answers?

Having trouble on Windows Event logs and finding evil, the sysmon section.

I set sysmon to run with the provided config file, and perform the dll hijack, getting the text box indicating hijack was successful, however no Event ID 7s are recorded in the sysmon event logs, and I couldn't find other events related to loading dlls.

Hello everyone,
I am doing the Broken Authentication Module from Web Pentester Path and in the content Brute-Forcing 2FA Codes, I done the lab, but I am curiously, because the ffuf do not returned a token to insert, but, do the direct bypass. Its the correct?

I thinked that the code will be returned on console to insert in browser 😛

Issue solved. The config file that comes preloaded on the machine has event ID 7 disabled by default. Enabling is a one line change.Just in case this is not intended I am putting this here.

Does anyone actually prefer the new academy UI to the old one?

I do. I have a big screen and it was hard to read the text in the old UI. But while I like the design and concept I do not like that functionality got worse. (Code blocks, revisiting of modules, showing modules of the path in the small box where you only see the green checkmarks and have to scroll to visit the module you want to do next, and so on)

i stuck at the imap and pop3 module labs please help if anyone know how to do this

learn how to retrieve the body of the email, the cheatsheet commands don't include this command

@dusk holly can you please share the command i stuck for almost for 1.5 hours

maybe try this: a FETCH 1 BODY[] next time, don't forget to check HTB Forums as well

Hey, on the old UI, there was a link to the youtube video walkthrough for the course labs. Do you know if this option has been removed or moved? I can't find it anymore

Can anyone help me with this?

body[] is 1000x better than all

There was a link to videos?

Maybe for the tier 0 modules, but no video guides (should) exist for modules above tier 0

isn't it the same?

No, no it is not

if i remember well yes, there was the written walkthrough and a video (only for the labs such as "Fingerprinting lab - medium" for instance)

but nevermind

ty

Doesn't sound right, since that module is above tier 0 if im remembering correctly

oh okay

Yeah its a tier 2 module, so any video guide/walkthrough would be stricken down by copyright claims due to ToS

https://help.hackthebox.com/en/articles/5188925-streaming-writeups-walkthrough-guidelines

Which VMs you guys use daily?
I have been using virtual box for the past few months, but I gotta figure a new one because vbox always burns CPU cycles despite being idle, like 8% of total CPU usage when vbox is open idle vs 0.5% when box is closed

what's the command syntax for this?

Sever showed the syntax;
Imap syntax goes
Prefix command arguments

You can put anything as the prefix

I use WSL at work, I've never run into any problems with it. (Except Wi-Fi hacking)

@fathom pendant

is there any way to see what changes to the new ui are being worked on based on feedback which has been submitted? i'd like to know if i need to start creating my own workarounds to make the new ui easier to use or if the bugs will be fixed sometime soon

don't ping me

Have a FAQ, here? I do not ping to anything :))

you specifically pinged me about a random question you had regarding what you're asking about. see #rules

nvm

hola

Is there any code review modules? I don’t know that much about code review but I wanna learn

https://academy.hackthebox.com/course/preview/secure-coding-101-javascript

there is web called coddy I used to learn it there it have all the computer language

it similar to duolingo

Is there a way to go back to the classic academy layout?

i really preferred it over the new one haha

which is better focus on attack or DEFENSIVE

if any one have an idea about that plz told me

depends on your goals and interests

i study right now network

nope, it's retired -- and it's far too much effort to maintain 2 versions of the same website

More jobs in defense, if that matters to you

Hello

I need help with a module; I've been trying for a long time.

Can someone help me privately or should I send my question here?

People cant help you if you dont at least say what module and section you're working on

Asking here is fine just be mindful to avoid spoilers for modules above tier 0

Help me.

Module is tier 2 please refrain from spoiling info

Help me for dm.

Don't dm people without asking. I am busy atm

Ok.

The question says "directory" check common places where an admin might tell scrapers not to look

I already tried that. It doesn't work.

I tried with several dictionaries.

List subdomains and directories. I'm not getting anything.

Neither subdomains nor directories appear. I tried with other dictionaries and they didn't work either.

how is privileged groups section diff from lxd in linux priv esc module...seems pretty much same except diff container image ?

why is it that we skipped the lxd initialization process in lxd section but we did it in privileged groups section before importing image?

im doing AEN, and i cannot RDP at all. ive tried rdesktop, xfreerdp3 and remmina and it all doesnt work. i dont want to use the pwnbox to do this. im pivoting using ligolo too so it shouldnt be that hard

any help?

because you're overthinking this, remember a common text file that exists on most web servers

without spoiling too much ||not all the machines have rdp||

so even if a bh scan says that the account can rdp, and nmap shows that the rdp port is open on that machine, there is an extra config stopping me from rdping in?

like i said i'm not gonna spoil too much about AEN as I generally advise people to do it blind, I suggest as well trying to reset the lab, changing vpn regions, etc

nvm turns out /timeout:100000 needed to be added because it took too long each time

Hello, I’m sorry if this isn’t the correct channel to ask this. May I know if it’s possible to transfer or donate a cube from one account to another?

nope

Thank you for the info.

Hi, I'm working on question about cracking hash of Mark's password. I tried multiple ways to generate wordlist, cupp only, cupp + rules, words + rsmangler, but I'm still not successful. Can anybody help me with that? Steer me into right direction?
Module: Wi-Fi Password Cracking Techniques
Section: Generating Wordlists

His Name is john https://discord.com/channels/473760315293696010/1471791336372965376

In module Introduction to Malware Analysis section Interactive windows internals, I am unable to keep RDP open; it constantly closes on its own, preventing me from working on the questions. Any help please? im using xfreerdp3, cant move forward

Any help please?

Hi all. Stuck on command injetions, section 3 (filter evasion), subsection 3 (bypassing other blacklisted characters), question 1.

The question is asking me to find the user in the / home directory, using env variables to avoid the blacklist. Not sure why me command isn't working? Also found that only ls is accepted, all other commands fail, which is whacky.

ip=127.0.0.1${LS_COLORS:10:1}%0als${PATH:0:1}home

And full BURP output:

Any help would be much apprechiated

Also tried adding another %0a between the ls and the /home

This just provides ls output for the present directory

Ah, solved my problem haha. Turns out just typing my thoughts out helped

Thanks for being an inadventant rubber ducky :3

Insne lab haha

Question on file transfer module section 2 question 2:
‘upload the attached file named “upload_win.zip” to the target with method of choice. ‘
Where is this attached file? No resource tab within the module

I think this is a bug, i looked at a walkthrough to make sure im not an idiot and there is suppose to downloadable as a resource but it is found nowhere on the page

Hi All, quick question has anyone done the skill assessment for the Advanced XSS and CSRF Exploitation? im currently 75 in the exploitation, but have a question, anyone that could help?
i dont want to spoil so DM would be prefered if anyone has completed it

The fix i did here was just specify the resource i needed to download manually in URL. Fyi

dm please

sent

Hi, can some1 assist me in the info gathering module, i cant set up the enviroment

Hello ! Is there anyone that's finished the skill assessment on linux forensics that can help me with question 4 :

What is ParentProcessId for a sh command which sends a password using echo to the sudo python3 process?

I found a log that has the exact field and matches the description to a T but the answer isn't accepted.

Hi could i get some help with skill assessment for the Advanced XSS and CSRF Exploitation?

Finally, I've solved the 'Information Gathering - Web Edition' assessment challenges hahaha

Thanks @brave field for helping me out, you rock

hi, i'm currently working on "Evil Twin Attack on WPA2". i tried using my own vm but the vpn config keeps refreshing every 5 minutes, so i tried pwnbox. But i got stucked here.

Hi! In regarding of AI Data Attacks: Execute the Attack (Section 24 / 25), the host cannot connect target:

same problem there

If you set everything up as shown in the section, I would just restart the target and give it a few minutes after it comes online before accessing it to ensure everything is configured and running correctly within that instance.

I restart everything, now after i sent deauthenticated packets there's no " WPA handshake: MAC" and the BSSID is missing

You can send me a DM.

Hello, can I ask why the rockyou.txt on HTB pwnbox doesn't automatically come as .txt instead of .txt.gzip? Like is there a particular reason it is shipped this way?

should be able to use the wordlist from the reading

Oh. I was trying to slov5 it with5 the worldlist file

Try entering the flag instead of the html page. I've deleted your post as it may contain spoilers. The question asks for the flag, not the file name.

Zipping the file reduces the file size.

Hi, all, could i get some help on the skill assessment for the Advanced XSS and CSRF Exploitation? has anyone completed it?

Who can I dm help for windows lateral movement assessment on HTB

what's your question

You can DM me

hashcat can use the zipped file without needing to unzip it

oh nice

is it better to use zipped wordlists? what is best practice?

as super said, filesize, if you need the space leaving it zipped is fine

can someone help me with logrotten on linux priv esc module ? I have heard how horrible this section is with multiple attempts requried to get a connection back and I am stuck at the same step

if you can't get a connection simply get the flag, in either situation you are tasking the root user to run a command

currently doing AD skill assessment I just finished Question 4 - Submit the contents of the flag.txt file on the Administrator desktop on MS01 however I don't think I got the answer how the question wants me to

can I DM someone?

finally got it somehow

this lab needs to be changed ffs

academy v2 bug?
my dashboard keep showing completed modules instead of the module i'm currently going trough
already tried going trough the module again by clicking "mark complete & next" and "finish" at the end

i dont have this banner ... might have closed it earlier

Module: Wi-Fi Password Cracking Techniques
Section: Skills Assessment
I'd like some hint on enterprise network. I think I have problem with getting right wordlist. Anybody for a DM?

If there are provided wordlists, start with the smallest first.

Hello, who can I dm for questions about the skill assessment for the Advanced XSS and CSRF Exploitation on HTB?

hello

somewhere I made mistake, I don't know where. Had to revert everything and do it again

First oft all get the usernameschema (first.last, f.last etc.) and the domain. And then use airhammer

yo is question 4 web archives in information gethering - web edition cooked?

im pretty sure i have the correct answer

nvm

Hello, for the Introduction to Malware Analysis module I’m having trouble accessing any of the target systems. I’m using openvpn and it’s successfully connected on my Linux vm. Any suggestions on how to remedy this?

Module:Http Attacks
Section:Log Injection
I'm not finding how to evade or bypass the filters. Maybe I'm misunderstanding the question? From what I understand I need to inject PHP code to rce to get the flag but I'm stuck. Characters like < are either stripped out or the encoding I'm attempting isn't decoded. Any hints?

Nevermind

Who from HTB team can I ask for help?

well the answer is support on the website, but it depends on your question

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

im stuck in the last part of the skill assessment for the Advanced XSS and CSRF Exploitation il DM you so i dont spoil

i haven't done that module

Can someone offer help for Comparison Operators? It is part of the "Introduction to Bash Scripting" and I'm worried that because of the recent update there is a problem with the question.

For refrence, this is the question:

Create an "If-Else" condition in the "For"-Loop that checks if the variable named "var" contains the contents of the variable named "value". Additionally, the variable "var" must contain more than 113,450 characters. If these conditions are met, the script must then print the last 20 characters of the variable "var". Submit these last 20 characters as the answer.

Been banging my head on 'Attacking Common Applications -> Final 2'. Would really like some feedback if anyone has the time. I've got notes.

try the last 19 characters

any ideas on how to correct a 'no rdp scan code' error ?

i keep resetting the target but am getting that when i try to rdp to it

usually means that xfreerdp can't determine your keyboard layout

Thank you for the reply. My challenge wasn't printing the last 20 characters, but rather finding var when it contained value and was over 113450. I can send you my code if that's alright.

not avail for code review; but the question tells you what it wants. you have part 1; you just need part 2 -- getting the last 20 chars

and how do i address that

https://github.com/FreeRDP/FreeRDP/wiki/Keyboard google is your friend :)

I understand the question. However, the problem is that my code can’t find when val contains value and is long enough. Instead, nothing gets outputted. But, I’ve also tried other people’s code I found and it also didn’t work, so I’m worried there’s an issue with the page because of the ui update.

hi I'm doing the automatic modifications section of web proxies module and I have had some issues with automatic modifications. I can't tell you what I am supposed to do without spoiling because its step by step instructions that I am supposed to follow. Is anyone available today for a DM?

preferably someone who uses web proxies such as Burp Suite?

My issue is I am trying to intercept a request and responses to it but its not letting me select which request to modify

And I need to intercept a specific request automatically

hi now requests are SOMEWHAT being intercepted automatically but not really

because I forward the requests and they don't always perform commands automatically

but the user agent modification was made automatic successfully

hold on I think I got it working

now doing burp repeater section

never mind I solved the next section on my own

it took a little bit of thought

I don't need help with this after all

Is anyone free to a DM regarding the NTLM relay attacks assessment (Q2)?

hi i need a hint for the Skills Assessment - File Upload Attacks
i got the source code of upload.php
but i can't to upload the webshell even if i use the file name that can bypass the filter

you aren't looking to necessarily bypass the filter. The upload changes the name of the file by appending something to it. (note that the time may be reflective of EU time)

I think I finnaly got it

Its so confusing that Skill Assessment

How could I have found a way to actually upload it when no POST request was being made, I guess that was my most asked question there in file upload skill assessment

I misunderstood what you meant, yes bypass is the first step, second is knowing whats happening to it to be able to call it

what to do if a section is stuck on target spawning?

Ctrl+shift+r to refresh and try again, sometimes (if possible) changing vpn regions back and forth kicks it into gear

Well I m not sure there was any bypass maybe in older version of the skill assessment but this one is different I had to do post with curl manually

Its doable via burp as well

Yeah, and that took me a while to figure out lol --proxy

is there a way to see server status? none of the VPN servers im attempting to spawn targest on are working

https://status.hackthebox.com

Also I dont see any videos of this new skill assessment is it because is tier 0?

Can I create my own video but using a mock up page similar? Or is this not permitted

file inclusion yeah?

https://help.hackthebox.com/en/articles/5188925-streaming-writeups-walkthrough-guidelines

Sorry, I meant File Upload attacks

file upload attacks is tier 2 that's why there's no writeups on it.

Why is the publickey timed so fast?

Anyone can give me a hint on AD Enum & Attack Question 6, I tried recursively searching for "password" but it gives too much information that I couldn't process them

https://tenor.com/view/jarvis-jarvis-skill-issue-skill-issue-gif-24471438

oh wait

the module didn't say search....

I read it as search for cleartext

what kind of dumbness is this

I can’t log into bash

Just ran into this same problem myself. Literally always hangs and times out.

There was only like one instance where it didn't hang and time out and in that case the remote result was radically different from local evaluation.

If there's a problem parsing a model, the server should send an error message. It shouldn't just hang.

Issues with the DC in PTPF: Port Forwarding with Netsh? Or just me

Ran test-net connection from the pivot host and it failed on 3389 and 445, I’ve restarted the lab 3 times

oh lol

i didn't realize

but did that solve the issue lmao

i got it i was using the wrong creds for wley lol

Hi guys!
I'm trying to perform RDP tunneling in pivoting module.
Firstly I downloaded SocksOverRdp.zip file into my attack host,after extracting I transferred the dll file to my target windows machine,however when I run it,I encounter this error.How can I fix it?

make sure Windows Defender is completely off

Yeah,it's completely off

Virus,Threat Protection is disabled and defender firewall is completely off for both domain and endpoint environment

i think windows defender shows it is off even only one or two options is set to off, make sure real-time protection is off too by going into details like this

okay let me check

Hello, in the kerberoasting module, it just shows this but doesn't show the creds to connect to the windows machine...

Click on the first question to reveal the creds

I solved it the problem was all about permissions
I didn't run powershell with admin privileges previously
Thanks!

you gonna get the creds from the questions

White list the folder

Thanks guys found it

How ican it be fixed ?

Hey guys, for the course Antak Webshell in the shell & payloads module, i did everything i should, but i just don't understand the format of the flag x), may someone help me pls !

The question : Establish a web shell with the target using the concepts covered in this section. Submit the name of the user on the target that the commands are being issued as. In order to get the correct answer you must navigate to the web shell you upload using the vHost name. (Format: ****\****, 1 space)

what mean the 1 space ????

maybe you should put one space after the name

I tried everything

May i just dm u to send my answer and u just tell me if the format is wrong or the all answer

alright

OK, I feel like I'm officially stuck on 'Attacking Common Applications -> Final 2'. I've foot printed and enumerated everything I can think of. I've found several vhosts. Fingerprinted what I could about them, which wasn't a lot. Attempted to brute force the password on them but I'm coming up goose eggs. Any advice?

Hello everyone. I am working on the SOC Analyst module. In the first section, Incident Handling Process. I am trying to access The Hive so that I can answer the question. As far as I know I am doing it correctly to connect. I have started the target, and I have put http://10.129.13.2:9000 in firefox and it will not connect. I was hoping to receive some guidance, am I not doing something correctly? Thanks a lot, looking forward to any advice.

Need help on wifi passwords cracking techniques, found all passwords except ClyraCloud-ORT. Ik i need to focus on netgear passwords here but generating them didn't help either and I've exhausted most of my options

ey guys I need you help please. I canno't get it the reverse shell and i don't know why

module stack-buffer overflows on windowsx86

hello im just a begginer im currently on the linux module the q was How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)
but i had to exclude locals and ipv4 for the response im pretty confused about it, its not like they are asking for all of them?

finally, learn a new skill on that assessment !

you guys are very sneaky lol hats off to the creator

@mortal basin

Hello, SocksOverRDP module, the second target on the internal network is not working - not responding to any ping or any rdp connections

It doesn't look like you pivoted from your screen shot, hard to tell. what's ipconfig say?

yeah you're not on that subnet

you need to pivot

I tried many times, the host does not even respond to rdp

Ok i got it, the masks made me confused 😅

Hi team im stuck at something im in an ad enviorment i have a list of usernames i got from ldapsearch , how to i check if any of the users are valid with a list of password ? the thing is the password file is rockyou will take forever .. so is there an easy method?

Im at the ad "AD Enumeration & Attacks - Skills Assessment Part II"

Q4:-Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.

bruteforcing won't be the path

perhaps try the techniques in that module to extract a weak user credential hash.

ok il try

One thing worked, but the module already provided the password. The command just uses that specific password, so it succeeds immediately. In a real scenario, we wouldn’t be given the password beforehand we would first need to discover or crack it (for example through password spraying, Kerberoasting, or other enumeration techniques) before using the command. right?

where is the integrated terminal in academy 2.0?

The pwnbox? It's just above where you spawn the target.

It won't be shown in sections that aren't interactive

I have a question concerning the 'Attacking Windows Credential Manager' module...
How do you transfer mimikatz to the windows account you're working on?

They're talking about the old jank feature where there was a terminal in the academy window when you spawned pwnbox, i never liked it

ahhhh that

dacl

does anyone know how to solve the answer to WCVS section in the http misconfigurations?

https://academy.hackthebox.com/app/module/189/section/2011

im using this command "web-cache-vulnerability-scanner -u http://154.57.164.66:31883"

The new academy GUI is so frustrating....

I really hope they revert it with so many people disliking it

Recent 0 days sudo section CVE-2019-14287 in linux priv esc module
how are we getting a root shell when we r trying to fetch id as root ?
just couldnt understand this cause the priv is that we can run id as all users

hey mate just wandering since you're also on Skill Assessment part II after rdp is it slow for you as well?

everything takes like a billion second to move

@dense pawn Please take care not to post content from modules above tier 0

ok. where could i get clarification on that question?

Here. Just ask without spoiling content or posting content. If you feel like you need to reveal more info you can ask to DM someone. Anyone who has done the module doesn't need all that context because they already know the answer.

For Question 8 of AD Enumeration & Attacks - Skills Assessment Part II, how do they retrieve the plaintext credentials? it says the "hex can be decoded", but i dont understand how, the data returned for the service account in question is a dcc2 hash.

hello since you're on question 8 can I ask when rdp is it slow for u as ell?

try another protocol

also i was having aboslutely awful labs until i switched from running openvpn on kali instead of windows, and using a tcp vpn kit instead of udp

Anyone here to help me

I am doing this SQLMAP Module https://academy.hackthebox.com/app/module/58/section/526. I got the flag5 but it's saying incorrect. I dobn't know why i am getting that error. Can anyone nudge me ..

Hey all, was wonfering if anyone could give a nunge in the right direction, been working on the Attacking Wi-Fi Protected Setup - Skills Assessment: What is the WPS PIN for the WiFi network named HackTheBox-Corp?

Ive generate a list of possible pins using wpspin, utilized the bash script with reaver, its been running for a few hours now and i dont know if ive gotten myself in a rabbit hole or not

Any help hints or tips would be appreciated! cheers

I think it is because it is time based so sonetimes when it lags it sees a character as a different one https://discord.com/channels/473760315293696010/1479127514499514500

I will check this i am stuck at this from past 1 hour. Thanks

try using switch --fresh-queries in sqlmap

I run same command like 5 times after i get correct flag .. 😪

I'm silver annual, i don't think i will study this week, will my steak be lost, there was a message before tha it will use one of the blue icons, but i don't see it anymore, not sure if something changed, anyone can give me some insight on this?

if needed: password attacks - Pass the Ticket (PtT) from Linux
Hey guys, it is not really a module related question but can someone explain to me what happens here? I understand the proxychain part, it is like to execute tools from our attacker, the packets will be send to 1080, but I don't understand the chisle part? We launch a server, the target connects to us, but when we execute a command on our attacker with proxychians, how does chisel or proxychains know that it has to go to the target? proxychains is on port 1080 and chisel 8080?

Chisel uses port 8080 to maintain the connection with the target while simultaneously opening a SOCKS proxy on port 1080 locally, so when you use proxychains, it simply sends the traffic to the 1080 "entrance" Chisel created and automatically forwards it through the established 8080 tunnel to the target.

Yah I just wantd to confirm bcaus rdp doesn’t seem to want to work…

Reversing Hybrid Apps
Android Application static analysis

please I need help I don't understand the question, do I have to actually login to the app or just find the message in the code?
I'm confused and stuck here

"Hi everyone! I'm currently stuck on the Linux Fundamentals module (Question 6 about the MTU 1500 interface).

I've run ip link | grep "mtu 1500" and my terminal shows three interfaces: ens3, lxcbr0, and tun0.

I've tried submitting all of them (ens3, tun0, lxcbr0) using copy-paste, and even tried 'eth0', but the platform keeps saying it's incorrect. I'm connected via SSH to the target.

Is there a known bug with the instance htb-hpxhpmruoz or am I missing something specific here? Thanks for your help! (Attached is the screenshot of my terminal)"

it's ip a not ip link

I thought the answer was ens3, but the platform won't accept it. Any idea why? Thanks for the help!

as what i see here it's not the right answer
try the same command with ip a instead of ip link
should give u the right answer

please 🙂

Always the same answer, ens3, eth0, lo, Nothing is being accepted by the platform.

i just tried the same command and got the right answer directly .

ip a | grep 'mtu 1500'

Hey! It's a bit hard to explain but I can't figure this out. I was trying the lab in the academy module "file upload attacks>type filters" and I got the flag. But I was wondering how are we able to execute the final file shell.jpg.phar (also shell.jpg.phtml worked) on the server if I uploaded the web shell with a different name (shell.jpg.inc)? basically how is it possible that the web shell that I uploaded with a name gets executed with another name?

Why does it have to be so confusing?

I haven't done this specific module but since it's a about static analysis, I assume you don’t actually need to run the application or log in to any live service, but instead you should decompile the APK and look for the logic inside where you will likely find the key.
But again this is just my assumption.

Anyone have the link where you can input the student ID and track his progress? , looks like it's broken in the new version .

i found the key
tried every logic for the answer, but nothing 404

some admin help please

maybe try using the obtained key to authenticate to the application and retrieve the message

done that , nothing
also the app requires username+pass in its UI , but that's something else, no user or pass in the app code

Feel free to DM me if you want to discuss it further.

Yes, it's a requirement to complete the path before you may start the exam.

yes

@admin plz

No need to try and ping admins/mods/staff.

Just be patient and maybe someone who has done the module will help.

It’s not asking you to login in, decompile it using JADX or Android studio or any other tool.

Anyone done the Bufferoverflow module? I don't understand the question "How large can our shellcode theoretically become if we count NOPS and the shellcode size together?" Can anyone help me out?

there are some details missing, please provide more context

Examine the registers and submit the address of EBP as the answer.

0xffffd598

The answer you provided is incorrect ???>???????

(gdb) info registers ebp
ebp 0xffffd598 0xffffd598

That's never been a thing aside from for institutions

Student ID

Your unique Student ID lets others view your progress in HTB Academy.

Learn more here
HTB-9ECXXXXXX

someone can't track my progress using this ID ?

Only institutions, ive had various conversations with staff regarding this

Due to my own reasons ive had this conversation

that's actually very unfortunate as would be nice to add it in my c.v as progress etc ..

You.... you can... not sure which institutions have it

instead of exporting the whole progress via a pdf it can be availalbe online using the ID

Institutions being companies and schools

Like to add the feature ?

No

About the lack of transparency overall about it

it's only there for tracking students who actually have the subscription through there Institution* if i understand

i saw something before to check the status i think it was for prolabs and i mistaken it for academy spent half an hour looking for the endpoint

I just did another section on my own. Gonna do yet another soon in like ten minutes. I'm psyched.

Maybe in a couple months I'll be helping other people with CWES modules.

This is gold.

I don't have a section I need help on today but just letting you guys know.

i have question in nmap lab ask here ?

Yes this is the right spot, just take care not to spoil content from modules above tier 0.

the medium lab

if you need to reveal more info you can ask if someone can dm you about it

of Firewall and IDS/IPS Evasion i get answer witcg is the domian server

if anyone can help dm me please

🫠

can i send my expected answer only ? and for the method to get the real answer

@verbal ivy It applies to all subscription levels of HTB. They don't want the content to be leaked, understandable. The writeup in the higher tier subscriptoin is still part of their content.

thanks for clarification 🫶 .

Can anyone give guidance on Active Directory Trust Attacks - Skills Assessment Q1: Gain access to the "Inlanefreight.ad" domain and submit the contents of the flag located in "C:\Users\Administrator\Desktop\flag.txt"

|| Found foreign group stuff but that is about it, haven't owned the child domain yet, a little stuck ||

If you already found the foreign group relationship, check what group your user is part of in the parent domain. Use PowerView to enumerate foreign users and foreign group members. That should show you the group your account belongs to in inlanefreight.ad. After that, think about what you can do with that membership.

Hope i helped without helping so we don't get muted

Ah okay, so was on the right track, will look more into it, much appreciated!

Yes you are , just check which group your user belongs to and it should ring a 🔔

sws

am i allowed to be making writeups of skills assessments if im not including answers

It's against ToS to post anything over tier 0.

okay thank you

I’m having difficulty finding information - would you happen to know about posting reports of Sherlock’s assuming I exclude direct answers and their paths

I know you can make writeups of retired boxes but wasn’t sure if there was any flexibility with Sherlock’s

I don't know

Hi, all, has anyone completed the skill assessment for the Advanced XSS and CSRF Exploitation? im currently stuck and looking for some help

i'm doing AD enum and attack - skill assessment II question8 I got a reverse shell on metasploit and uses the "auto" PE and tried to dump sam, which got a hash but couldn't connect to any others, but in a writeup I saw they did the same except they did smth different but ultimately dumped sam as well but their hashes could be used to connect..... what am I missing?

we both did lsa_dump_sam

Anyone?

Retired sherlocks are fair game, its laid out in the streaming/writeup guidelines htb has out

im having trouble with taask 4 in pillaging from windows priv esc module

I checked the env and also history file and I found the password but htb is not taking it

I am working on the 'Host Discovery' section of the 'Network Enumeration with Nmap' #module but find the wording of the question a bit confusing. "Based on the last result, find out which operating system it belongs to. Submit the name of the operating system as result." In this context does 'the last result' refer to the previous Section or the last operation carried out in the Pwnbox? This Section is about using Nmap to discover what services are running on a server so my presumption is that the question is attempting to ascertain what operating system is running on the Pwnbox but when I enter this as the answer to the question is comes back as incorrect.

It might be asking for the OS of target

dm please

The "Last Result" refers to the last bit referenced in the section.

it gives a sample SENT/RCVD set of packets with various bits of info in them

Generally, there are many ways to transfer files to a target. I’d highly recommend going through the File Transfers module.

I will go through it again…
Thanks

Xfreerdp has the /mount: option as the simplest method

where is the flag ?
Wi-Fi Penetration Testing Basics/Connecting to Wi-Fi Networks/
Connect to the WPA Wi-Fi network named "CyberNet-Secure" with the PSK "Password123!!!!!!". Once connected, locate the flag at the IP address 192.168.1.1.

i've connected, where do i find the flag ?

Open the browser and enter 192.168.1.1

i mistakely used the browser from the pwnbox instead of the rdp one session one. vm within a vm lol... anyways, the browser on that rdp session does not work

i will try with curl

In Attacking Common Service, the "Attacking FTP" section spawns a SMB target instead of a FTP one.

As I remember some of the RDP machines did not have curl but if it works it works, as a last resort you can always use nc 😁

the module reuses the same target in a few of its sections. But if the right port doesn't show up, try respawning it a few times (this is a known thing)

Why is AI Privacy § Data Partitioning and Teacher Training causing this?

hello, im new here, im experenced with linux but i cant seem to ssh into the first machine in linux fundamentals (system information). tried both with htbs pwnbox and with my own openvpn but i get

C:\Users\(user)>ssh htb-student@10.129.16.6
htb-student@10.129.16.6's password:
Permission denied, please try again.

ip is fine, copied straight from the exercise. user is fine, password is copy pasted too. i have no clue what im doing wrong

Anyone?

Hey guys, on HTB I am currently doing a module(https://academy.hackthebox.com/app/module/77/section/726) that requires me to perform an extremely simple Nmap scan for the version of the serice running on port 8080, which should be simple. However my scan did not produce a version, in fact it was initially returned as Host down, so I have to use -Pn
Any solutions?

Works fine for me, if you're having to use -Pn then it seems like your VPN connection is messed up

sudo killall openvpn then re-run the openvpn connection

ah with the added context, then i'd double check that you're still connected to the vpn; i generally and will always advise to do things like this from a vm. It sounds like you're doing this from wsl, which is honestly more of a headache than it's worth on a good day

ahh ok ill try that

sry i didnt reply for a while

ohhhhh just saw now that a vpn file was indeed available for this excercise

that makes sense

ty

Hi, I verified my student email, but for some reason it's not giving me to the student discount for HTB academy, did I do something wrong?

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

https://help.hackthebox.com/en/articles/13465244-getting-the-student-subscription

thanks I already opened a ticket

Hello guys, i work on the skill assessment for Information Gathering - Web Version. I dont know if iam running down a rabbitwhole... i found a subdomain and extracted the api token, now i need to crawl inlanefreight.htb - The page only returns the index.html, i cant find any emails.

maybe you should crawl some subdomains you find

meaning there is more then 1 subdomain?

i'm being vague on purpose so as to not spoil for others

ill get back to recon

just remember there can be multiple layers to subdomains

a.b.do.main
c.b.do.main
e.b.do.main
etc

can i dm you rq, i found the solution but still have a question i cant ask here because i think id spoil others

Where can I download the vpn for academy in the new version of the academy? 😭

can I please get a nudge on the "Dynamic Analysys" section of the "Introduction to Windows Evasion Techniques" module?

I am able to get a reverse shell but cannot read the flag. Which seems obvious to me as I am using alpha user.

this is the exact module: https://academy.hackthebox.com/app/module/254/section/2829

Anyone Who done ZAP Fuzzer - Using Web Proxies ?
I hate this tool and messing with the question

Hi guys, I'm doing the Wi-Fi Evil Twin Attacks Skill Assessment module; I am stuck on the second and third question, does anyone could help me with it?

Anyone?

can you be more specfic when you ask your question
MODULE > Section > question

you doing something wrong you should get revshell as beta user , read the question carefully. ''

I am having issues finding a username for this question, I have run some commands but they don't seem to give me the right output.
Once the command is done running I get "2026/03/17 00:47:23 > Done! Tested 21 usernames (0 valid) in 1.113 seconds"
May I DM someone so that I can show them what I did and maybe they can point me in the right direction?

Which module?

Attacking active directory and ntds.dit
https://academy.hackthebox.com/app/module/147/section/1326

lm check

Okay

which tool u used to generate the usernames?

am sure if you use username-anarchy it will be there

username-anarchy

https://github.com/urbanadventurer/username-anarchy

yes I used this tool and it generated the possible usernames but after running them through kerbrute I still didn't manage to find the right one. not sure what I did wrong

lm verify

okay

i tried

it works

can I dm you?

just run the tool directly

without anything

you get like 15 usernames

what do you mean without anything?

./username-anarchy John Marston > users.txt

ah okay

let me try it

what domain did you use for inlanefreight?

run it with crackmapexec

do password spray

is anyone have issues with the Windows Privilege Escalation Skills Assessment - Part I machines? i restarerd a few, none work. I tried other machines and they work just fine

i just spent an hour on the medium lab on the Network Enumeration with Nmap module

Turns out the same command on PwnBox gave the flag its a bit annoying anyone knows why?

guyss who know how to see password target i cant connect target because i dont know password target how to get a password target htb not provide it

Please specify the module so people can know

Linux Fundamentals I assume

yess of course from module operation system fundamental im choose linux fundamental

not your assume that exactly correct

Which section is it? I'll take a look at the module

whait

okey here is full page screenshoot

section 6 still very new basic

It gives you the password

why you have it

in my option nothing hint

owhh faakkkkkkk thnk youuu

im skip question 1

ty ty ty

Np

Glad I could help

yess because from yesterday im so confused like wtf how

thankyou @tranquil crystal finally im passed the test after 1 day im confused mwmwmwmw thank u so much may god bless u

You're welcome

In this module, Active Directory Enumeration & Attacks
the bloodhound data and enumerating using PowerView gives nothing to answer this question

Could be using custom cipher with Bloodhound help finding the answer?

I used multiple Custom cyphers that search for it and nothing matched any of them

where do i download vpn profile for academy in this new UI? 😭

💀

thanks for fixing my blindness @glacial pasture

UI updates are overwhelming

wait i am not getting anything next to pwnbox

i wasnt blind

And yea FYI i had silver sub but i am on free tier now and revisitng the completed module to do them again
incase it affects this

You could've also just looked for the Remote Management Users group on Bloodhound, assuming your ingestor collected it properly.

What could affect the Bloodhound collection efficiency (I used SharpHound.exe with -c All )? because sometime I miss some relations/attributes

Personally I'm not too familiar with what could cause missing information, however I do know that All is just a preset, it doesn't actually collect all that the ingestor can collect.

Hello all 🫡
Got a question, i'm trying to redo the skills assessments in the CWEE path and some modules that require to download the source code are missing the download button on the new UI.
Am I blind or ?
I saw the message on the dashboard concerning the fixes for errors in module completion but i wanted to be sure if that concerned this too or if i missed smth

I will share a screenshot of the SA of INTRO to WHITEBOX PENTESTING

Thanks for the help

Is there any way to get back the 1.0 UI it makes the page very very laggy for me and almost unusable

you will get used to it brh

first check what type of hash is it ? > use the magic decrypt in cyberchef
didn't do that course tbh

Hey guys, I’m stuck on AD Enumeration & Attacks - Skills Assessment Part I
the question: (Q8) Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01
what im struggling at is i run runas /netonly /user:INLANEFREIGHT\tp**** powershell to open a new powershell as tp****. then i run mimikatz.exe on that powershell window but the problem is that it doesnt have administrator privilege to run mimikatz. Can some1 help me?

try :
https://crackstation.net/

CyberChef sure does SHA256.

how he gonna decrypt sha256

https://tenor.com/view/spider-man-gif-1760452691448589843

it's a one way hash not encryption

My response wasn't about it decrypting SHA256, just that CyberChef does have SHA256.

After scrolling up a bit more, I now see the initial question. Lol

Thats what I thought as well.

send me the hash

So you likely have to keep using other parts from CyberChef

can you screenshoot the question ?

or link the section of the module

link would be better

so i see the file

send me the link

which section on the module

or the name of the section you doing

i do have access to SOC path

Hey if this module is above Tier 0 you need to delete the content you posted and take it to DMs.

so i run secretsdump on kali and manage to get the admin hash. tyvm

My bad, didnt know

It's all good

you are trying to decode the wrong value , read the question carefully .
look at the logs and > decode the command.

Well I tried to decode the encoded portion of the command, still no results. There is obviously something that I am still missing. Think I am going to take a break from this one for a little while and work on something else. Thanks for the help.

it just so simple ..
|just find the command and decode it 🙂

you are obviously overthinking it

Not sure as i closed thevlab ,but please don't post them here .

Why did the gym's IP address become like this now, without the port even being opened on the gym's computer? curl -I http://10.129.234.166/phishing/index.php
curl: (7) Failed to connect to 10.129.234.166 port 80 after 21061 ms: Could not connect to server

figured it out finally...lol was trying to decode it with the wrong tool.

Thanks for the hint, was using the wrong tool.

Just had to research how to decode powershell commands a little.

Awesome!

is it a sign to skip prevention module?😆

You're not blind, I opened #1234357888114364508 and was told it's a known issue they are working on.

Okay thanks a lot for the answer 🙏

So, I just spawned a target system and I'm noticing that it gives me an IP but no port number. I know they recently changed the UI. Is there somewhere I'm supposed to be able to find the port number of the spawned system? I'm working on the AI Data Attacks module in the Pickles and Steganolgraphy section.

I am having trouble with the machine in this module - https://academy.hackthebox.com/app/module/145/section/1295.

The machine is reachable via my Parrot attack box via VPN.

└──╼ $ping 10.129.18.90
PING 10.129.18.90 (10.129.18.90) 56(84) bytes of data.
64 bytes from 10.129.18.90: icmp_seq=1 ttl=63 time=155 ms
64 bytes from 10.129.18.90: icmp_seq=2 ttl=63 time=516 ms

nmap shows a web server running on port 80

┌─[user@parrot]─[~/vpn]
└──╼ $nmap -sV 10.129.18.90 -p 80
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-17 17:37 UTC
Nmap scan report for 10.129.18.90
Host is up (0.19s latency).

PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.59
Service Info: Host: 172.17.0.2

However, i can get any data back from port 80. The browser hangs and so does wget.

└──╼ $wget 10.129.18.90
Prepended http:// to '10.129.18.90'
--2026-03-17 17:38:40-- http://10.129.18.90/
Connecting to 10.129.18.90:80... connected.
HTTP request sent, awaiting response...

I have restarted the target several times. I even read the solution which indicates it should be straightforward to access the page on port 80.

Any ideas are welcome. I am stuck.

Maann where are the vpns for academy 2.0??

sections that require you to access a 10.129.x.x target have a vpn tab next to the pwnbox

thank you. i assumed the academy regular vpn was fine since i was able to ping this box.

It is, thats the name it downloads as.
Academy-regular => regular academy usage
Academy-exam => exam usage

hmm. I was connected via the regular vpn when i posted the above message. I downloaded the vpn next to the pwnbox as you mentioned and the wget began to work.

┌─[user@parrot]─[~/vpn]
└──╼ $diff academy-regular.ovpn academy-regular2.ovpn
3,4c3,4
< proto udp
< remote edge-eu-academy-3.hackthebox.eu 1337

proto tcp
remote edge-eu-academy-3.hackthebox.eu 443
65c65
< <tls-auth>

<tls-crypt>
87c87
< </tls-auth>
\ No newline at end of file

</tls-crypt>
\ No newline at end of file

that's the standard differences between the udp and tcp files

Hi Team, can anyone help in this ques htb cape, bloodhound mudule ques "Find the percentage of users with a path to GLOBAL ADMINISTRATOR. Submit the number as your answer (to two decimal points, i.e., 11.78)."

I divided the Total global aministrator / Total azuser * 100 but didn't find the anss

Still on Active Directory Trust Attacks - Skills Assessment Q3: Gain access to the DC04 (Mssp.ad) and submit the contents of the flag located in "C:\Users\Administrator\Desktop\flag.txt" A little stick if anyone can assist!

|| Looked at Trust Account attack, but did not work, for outbound one-way it looked like the goto technique, if anyone has more guidance! ||

Find how many people have a path to GA, and the # of AZ users. BloodHound legacy makes it relatively easy, BH CE is more annoying with that specific scenario

having some trouble on the module Web Server Pivoting with Rpivot - for some reason, my proxy is just refusing to work even though i've quadrple checked my rpivot commands on the client & server + proxychains.config

I'd work that trust account some more.

i'm struggling with Introduction to Bash Scripting, section Comparison Operators

The question is "Create an "If-Else" condition in the "For"-Loop that checks if the variable named "var" contains the contents of the variable named "value". Additionally, the variable "var" must contain more than 113,450 characters. If these conditions are met, the script must then print the last 20 characters of the variable "var". Submit these last 20 characters as the answer." but everytime i run my script it outputs nothing and i'm not sure where im going wrong

could you send your script?

i'll send in dms, dont think im allowed to send here

I completed another section today on my own. I'm killing it.

later today I'm gonna do two more. I'm a little tired because I need food for fuel but I'm gonna do really well with this. I am taking a break to get some food.

Does anyone know where to get the port number for spawned targets now?

Targets that have a port number will show in the same place. If they don't have a port number then it's not a public docker container and you'll need to be on the VPN or use the Pwnbox (not at the same time) to connect to the target on whatever port.

Ok, I must be missing something then. I'm on the Academy VPN. The script is supposed to connect to this target and upload the trained model but it's failing to connect. I can ping the target. The part of the script I'm supposed to replace with the target information shows an example with an IP and a port, but the module isn't giving me a port.

Always best to say which module and section you're on if asking for help

I'm working on the AI Data Attacks module in the Pickles and Steganography section.

there are a lot more parts to that section

best to say exactly which section not generic

So, the exercise is in the "Execute the Attack" section but you build the script throughout that section. The part of the script that requires the "api_url" is in the Execute the Attack section.

did you try just visiting standard website ports

80/443

or nmap

I'm running an nmap scan now but it hasn't found anything yet. 80 is the one that fails. I've also tried the 5555 that's in the example.

maybe someone who has done the module can chime in then

Thanks for trying. I'll keep scanning and trying things and hopefully I'll get it.

hi for the Burp Intruder section of Using Web Proxies module, I am fuzzing every file ending in .html and it says I don't have permission to access the resource. I tried changing my User Agent and it didn't help. Can someone give me a hint? I am searching in the /admin folder.

I'm currently trying to do DACL II - Skills Assessment. Can someone give me a nudge for Q1. I'm missing something, and unsure what.

Hey guys do you have any idea where's the resources tab located in the new UI of academy? in the said module of FOOTPRINT SMTP it said there's a wordlists needed to download to finish the task but I haven't seen where it was unlike before the previous UI it was at the bottom.

NVM, I found it.

You can DM me

DM sent

Hey guys.
I'm solving the SQLi skill assessment challenge and I'm being unable to submit the flag I found.

The challenge says:

Achieve remote code execution, and submit the contents of /flag_XXXXXX.txt below.
I did managed to achieve that RCE and extract the flag, but again, the platform says my answer is incorrect.

I also did checked for empty characters around

dm please

heey, do you remember how you've solved this question ? I'm facing the same issue

I did a reset

Anyone else having issues with targets dropping connections? Trying to finish WinPrivEsc module but any RDP session times out after a command or two…

Same, i can't spwning the target, it's loading

Hello does anyone knows why responder + smb authentication fails with ligolo ?

Comes from mssql xp_dirtree, reverse shell is working well but anything on port 445 seems to fail

Resolved.

run it with admin privs?

It's a known issue apparently: https://www.reddit.com/r/hackthebox/comments/1mwbvgq/is_it_possible_to_use_responder_over_ligolo/

You can catch smb hashes over ligolo but the pivot host that you compromised needs to be running as sudo or root or admin user to actually use ports below 1024 aka well-known or system ports. You need port 445 to bind it to the pivot's internal IP.

Yes I know that I always run the proxy as root 🙂

the target too otherwise it can't bind to that privileged port on the internal interface

My friends, I have a question: the gym's IP address now only works if you download a VPN, right?

I am surprised I am not having issues right now

Isn't that normal? Your traffic would go around the whole world if you the other servers

I guess this is the new normal with ai in our wolrd

but also really happy with the content in bth academy and how some labs are build

for example a target with ip 154.57.x.x makes it so convenient for testing

hi, i can't access to hackthebox academy with brave browser ? anyone have same trouble ?

Yes. It seems the site is not loading properly.

same

same

Same

Yep, same here

From Edge browser

the damn new design. I told them it sucks.. 😄 😄

After some time it loads

For me it loads, but its suuuppper slow

They basically forced the BETA on us to test

Not an inherent problem with the new UI

Even for it, it's unusually slow

Seems like I am not alone with the slow loading

Same.

I think the problem doesn't come from the new UI. The change in the technology stack is the problem

Ok it looks better now all of a sudden

Still looks unstable

Can someone spawn targets on the academy ?

I've been trying since last Friday, but the IP address isn't working.

Hello guys
I am on the Attacking Common Applications module in the WordPress section.
To solve the questions I need to connect to the VPN and add a VHOST to my /etc/hosts but after I do that I can't reach the VHOST. However I can reach the main domain. Sometimes the VHOST works and sometimes not, and I don't really know why.
Does someone have any fix?
Thanks.

what does your entry in /etc/hosts look like

I tried this:
10.129.19.92 inlanefreight.local
10.129.19.92 blog.inlanefreight.local

and this:
10.129.19.92 inlanefreight.local blog.inlanefreight.local

then try http://inlanefreight.local and it doesnt work?

it works

http://blog.inlanefreight.local doesn't work

add that entry to /etc/hosts too

I added it

.

I have a question about the first task from linux foundation (Working with Web Services) - https://academy.hackthebox.com/app/module/18/section/74

I noticed a lot of people also were confused about this question
As I understand the main idea - I need to google
But I googled and found the answer on stackoverflow with NPM. This answer satisfies the request "Find a way to start a simple HTTP server inside Pwnbox or your local VM using "npm""

How was I supposed to think of the answer? What's the correct thinking process ?
When I realized that the system doesn't accept the answer with npm I think only about changing arguments, but not thinking about npm

dm

Hey guys, i have an issue with burpsuite for the Module Shell & Payloads / Web Shell, it don't connect me, maybe i did something wrong, may someone help me pls ?

Or i just realized, that event when i'm off burpsuite... idk if it's the site or what

I need help for php shell, thx

Could anyone spare me assistance over Nmap Enumeration Hard Lab?

I can try, let me see if i can remember it

i dont think i can send pictures

do u mind if i dm you?

do it

sent

can i nudge someone for mssql,exchange and sccm skill assessment the first question?

hey did you figure it out..i am stuck out here as well

Hey guys, i have an issue with burpsuite for the Module Shell & Payloads / Web Shell, it don't connect me, maybe i did something wrong, may someone help me pls ?
Or i just realized, that event when i'm off burpsuite... idk if it's the site or what

Anyone experience issues with the pwnbox in academy ?
I can interact it from the lesseon section but not when clicking the full screen.

I had that problem before, I think I re-spawned the target, went to the Pwnbox, did full screen and then never tabbed out. I think tabbing out does it.

Hi, I found 3 user and total users are 13 after calculating ans is incorrect

You are miscalculating the first amount of users to GA

I tried various query and graph somewhere it's is 3 or 2

it's 4

hi for the burp intruder section of Using Web Proxies module, when I try to run the attack with the wordlist, I get results but the thing is I get an error saying "you don't have permission to access this resource" or whatever. I get a 403 error. I am doing what the assignment says I think I think its just not working. Can someone help me out here?

May be shooting this to the wind but... Has anyone found an actionable resolution to the error while loading symbols in the Intro to WinDBG Module?
Skills Assessment btw

Setting the Symbols path to C:\Symbols and reloading the session didn't resolve

hi are any moderators available for DM tonight? I need to talk to someone

best to just ask your question

I did

look above

ok you don't need a mod then

right so my issue is I think I did the section right and its still not working

Best to include the section too

Burp Intruder is the name of the section. Its a subsection of the Web Fuzzer section of the Using Web Proxies module

I think I did what the section is asking

hey everyone, for the past few days, the Pwnboxes have been ridiculously slow, and timing out, is it me or does HTB know about this?

hey!

I am doing everything correctly for metasploit module

the first part of the second section of the module, which is the modules subsection of the components section

and it's timing out

ok solved the module I needed help with

just needed to be more patient with it that was all

i was trying to solve mine for hours

still wasn't fixed

and i am pretty sure the issue isn't from me

Yeah, i fixed mine by not fixing it

i just used the pwnbox

and that

fixed it...

is there any option to get old ui back

who asked for this

Unfortunately no

Anyone else have issues with the sliver skills assessment? Everything is super slow, can't even run commands to get the last flag

@lusty terrace please don't reveal information from modules above tier 0; I understand that the module is essentially a walkthrough of it but please refrain from sharing such info.

I thought that much was not much information ...

tried to be vague and thought if someone knew they might be able to help

@fathom pendant Could I dm you and ask about it?

I generally don't help out with AEN as I always urge people to do it blind, especially if they're doing the CPTS path. If things aren't working as you think they should, then I suggest changing vpn regions and respawning the target and seeing if that fixes your issues

ahh alright I will try that

Is it by design for AEN to be quite slow?

Or sometimes js unresponsive

btw blind means not answering the questions and just focusing on trying to get to the highest domain privileges available since the questions are leading

I didn't have any stability issues when I did AEN a while back

Then its my target/region

Pinging sometimes don’t work

And takes forever to load

sounds like it's a problem on your end not on the target end tbh

but i'm not staff so I don't have access to any bit of logging that can confirm/deny what you're experiencing

Possibly? But i’ll respawn and change vpn regions to see

bruh @fathom pendant changing these helped alot

._.

it happens

Hi everyone. Can I acess the Academy Target machine using my own kali linux ?

yes

so long as you have the academy-vpn file (downloadable next to the tab that launches the pwnbox in sections that require it)

Okay, thank you! That means it is not available for all machine ?

Here for example, I don't see anything

Hi, is there a way to switch the theme on htb academy? Its a bit tiring to read white text on a black background

correct; a good shortcut to know is if the 'spawn target' button gives an ip:port to connect to, that's a public docker container, and accessible by any device with internet access

no, that's not an available feature; you can use /feedback on the discord to send it off to the HTB staff to look at and maybe implement

Thank you

most of the people that use HTB are the hackers that swear by dark mode so they built their site around the majority being darkmode users. White backgrounds tend to strain the eyes more, but everyones eyes are different so

could you pls help me on this

or anybody else on Prompt inejction Attacks module jailbreaks 2 section

nvm got it

So, I'm at Windows Privilege Escalation.

Does anyone know of any guide for compiling UACME properly on Visual Studio 2026? I've figured out how to configure things so that Akagi and Yuubari get made with what is probably their full size in the 1st compilation (1st = before also throwing in Naka, Fubuki and Akatsuki into the mix, for re-compiling Akagi and creating its "full power" version).

But when it comes to the Fubuki and Akatsuki .dll files, I can't for the life of me figure out if I'm doing things right. I keep getting a Fubuki64.dll that is 34 KB (which might be ok according to chatGPT, but not so much according to Gemini), and an Akatsuki64.dll that is at 12 KB, which is definitely wrong according to them.

Any help? I've been struggling with this for over 5 hours at this point 😭

Ok, I maaaay have been led into a bad rabbit hole by a certain different Gemini model

Play stupid games, win stupid prizes they say

It’s been a week of complete useless HTB academy. No targets for winPrivEsc assessment will even ping. Hey HTB team what is going on and when will it be resolved? There’s nothing to be found about these outages on your site and support chat is down.

i just think that as they lauch they new palrform, they are focus on smthing else

Did you reach out to support on the site? Other people aren't having problems, it's probably on your end.

Anyone experiencing consistent trouble connecting to Target Machines within the Academy even after download a fresh OVPN conf?

I had many packet loss a while ago. It was frustrating seeing blank results after a terminal command.
Switching the VPN from UDP to TCP solved that

Yeah I did the same thing and its still giving me a bad time.

Literally went and checked if my IP address on TUN0 could reach the lab IP and yeah it could via TCP, download a TCP config for OVPN, and nothing.

Even ran wget and curl too see what was what; wget got me a blank as a whiteboard HTML file and curl was just.. unresponsive after ~133000 ms

On the introduction to networking module, on the first section, it gives a small scenario of a pentester not being able to reach the domain controller through ARP because of a misconfigured subnet mask... but shouldn't ARP not care about subnet masks since its layer 2 and there is also no mentions of VLAN separation or physical separation so I'm just a little confused here... if anyone knows please lmk

The pentester can talk to the DC fine, but the DC doesn't know how to talk back because of mismatched subnet masks, so the replies go to the gateway and get lost.

The Domain Controller is on a /25 subnet (10.20.0.0–10.20.0.127), and the pentester is at 10.20.0.252, which falls outside that /25 range.

Oh gotcha so because the pentester IP is outside the subnet range of the DC, it won't know how to send back a response to it?

Exactly, the DC sees 10.20.0.252 as outside its /25 range (0-127) so it forwards the reply to its gateway instead of responding directly and that's where it dies.

Got it, thank you for that!

So the pentester should have set their subnet mask to /25 to match the DC's network, that way both sides see each other as local and replies come back directly.

Should I also assume that the pentester manually set the IP instead of getting it from DHCP ?

Yeah apparently so otherwise the DHCP would have handed them the correct subnet mask automatically, so the fact that this misconfiguration happened in the first place pretty much implies they set it manually.

Makes sense, thank you!

I would like to do this question "Check the alert with reference 67c202 (LSASS Access) in TheHive, and provide the MITRE rule ID as the answer." in the module Incident Handling Processsection Cyber Kill Chain(2/11), it 's saying it use port 9000, http://<target_ip>:9000/ and... trying to connect but every target I spawn have not this..

Hello, can you please DM me the commands you typed and their result or create a thread in #1234357888114364508

Fixed.

Have you tried a zone transfer?

I'm working on the Windows PrivEsc Module in the 'Weak Permissions' section. I've followed the steps in the module, but can't seem to elevate privileges to answer the lab question. Any help here appreciated.

Yes already did that

That didn't work aswell

i think i will try from pwnbox because sometimes it doesn't work on my machine but it works on pwnbox

Subdomains of subdomains

@severe inlet module is above tier 0, please dont reveal information like that from it. A zone transfer finds the information you're looking for.

AD Enumeration & Attacks - Skills Assessment Part II - on middle stages in Solution for some reason appears pswd *W*** which it is correct for that circumstances, but it comes from nowhere in that solution. isn't that a solution issue? i got previous cred which hold me in a dead end at the moment

I can. Sorry for the late reply.
I was going to comment here how I resolved the error but I can create a thread indeed.

Interesting thank you

And i wont do that again sorry

What's going on with RDP?

I havent been able to connect to the target since yesterday

why can we only enroll in one path at a time ?

hello guys im getting started on Cracking into Hack the Box module Web Requests 3/4 section http methods POST
and im stuck in there because i dont know why when i use the cookie that i get from the website on curl it keeps saying that the cookie is not valid

can anybody help me pls

What's the section name?

This one yeah? https://academy.hackthebox.com/app/module/35/section/224

yes, that one

POST

how are you formatting and what flag are you using; i used the -b 'PHPSESSID=<SESSID>' http://ip:port/search.php --json <json request here>

if you wanna dm me your command that's fine

ok

https://academy.hackthebox.com/app/module/147/section/1320

I am having a bit of an issue in this module. I have found some files that possibly have the password I am looking for but I am unable to transfer the files to my local account so that I can crack them and the account I am currently in doesn't have admin privileges.
Any help?

i doing attacking common services module and i stuck at my first lab i on port 21 ftp is closed and on scaning all the ports it dont get any thing can please anyone can help me

Not sure what your nmap command looks like but if you're trying to go fast slow down, iirc I had to restart that lab once or twice to get the port to show up. Also try waiting a minute after you get the ip.

ok i will try again

Use your noodle and delete the spoilers.

@shut quest what does that means

It means delete your prior two messages. And think about what you just posted.

@shut quest i deleted it

@shut quest so can u please help me ?

I did

@shut quest how

I will not spell it out for you.

It probably is on another port and NOT 21. nmap scans only the top 1000 ports when you do not tell it to do something else

@heavy sluice yes but i think there is something wrong with htb servers , can anyone know how to restart it or any solutions

Nothing wrong for me

Hi, I'm doing the "Web Server Pivoting with Rpivot" module and can't find the flag on the home page. I gave up using rpivot because of obvious reasons, so I used dynamic port forward with ssh and after that I also tried ligolo. Connected to the internal network but there's no flag on the home page

When you launch a browser for the .135 host, it should be in the red banner underneath Apache2 Ubuntu Default Page. Can be easy to miss.

My bad 😅 Thanks

I present to you the longest 1 day module in HackTheBox. I am working on it for around 5 days now the Windows Lateral Movement Techniques especially
https://academy.hackthebox.com/app/module/147

i am solving skill assessment of command injection, using command ip=127.0.0.1%0a{ls,-la}${IFS}${PATH:0:5} to get user in home directory, still not getting result.. can anybody help or tell what i am doing wrong?

dm please

I did reach out to them. Not sure how reaching a spawned target from inside their VMs could be “on my end”. Thanks though for the isolation knowledge may be just the assessment machines

some targets could be configured in a way that prevents icmp requests, which means you won't see any results by pinging them

I like the way you think. I broke down and read the “show solution” which kinda conflicts with the instructions. It says rdp in, test says to find a foothold gives no creds.

Edit: You are correct 👍 the rdp writeup was throwing me off. Thanks

No download button for Vpn on academy?

I am using phone btw

I'm working through the "Attacking Thick Clients" section in the Attacking Common Applications module on pwnbox, and am having trouble with getting PowerShell to load. It opens for a brief second, then crashes. I can get command prompt to work, and if I try to open PowerShell from command prompt I get the error "Windows PowerShell terminated with the following error: The type initializer for 'System.Management.Automation.Runspaces.InitialSessionState' threw an exception."

Does anyone know a fix for this?

I ran it as Administrator and it worked for me

It does the same if I try running PowerShell as admin, unless you’re saying to run command prompt as admin and use that to run PowerShell

Hello guys

How can i fix this ? Waiting for 10 mins now

Naw I just ran as admin from the start menu I think it's a lab issue

This spawning issue is happening for quite few days now try other vpn

Thanks for the sanity check, wanted a second opinion before rebooting

@ashen nova be mindful not to share things from modules above tier 0; especially since it contains answers for several questions.

Start with a dig of the base domain (don't use automated tooling); then move on from there

Hey guys, im in the Active Directory module in the CPTS Path, in the Attacking Domain Trusts - Child -> Parent Trusts - from Linux .

I dont know what the password for the htb-student_adm is in order to use secretsdump, any help? i tried going through some previous modules but didnt find anything

I don't think you need it.

i tried using secresdump with the credentials provided and it fails, in the path it is using this command 'secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt' so probably its the htb-student_adm user, but i dont have the credentials for the user

Maybe try credentials reuse

i tried, the module is about golden ticket, the account in order to authenticate to collect the info needed is htb-student_adm, but the password is unknown

idk what to do, ive searched past modules to see if i cracked such a user but no luck

Could someone tell me why my IP address isn't working? It won't open URLs and it doesn't work in the terminal. I've been having this problem since last week.
Unable to connect

Firefox can’t establish a connection to the server at 10.129.234.166.

need some help on the RDP/SOCKS tunneling module - I've got the SocksOverRDP client/server established & proxifier running, but every time i try to run mstsc to connect to the target box, I'm getting an error that the host is unreachable

heey guys am here if ssomeone need help with some module just ping me

@verbal ivy I am stuck on something. May I DM ?

Yeah yeah go ahead just ask here

I'm on http response splitting in the http attacks module. From what I can figure out I need to get the payload to execute in the admin browser but I'm out of ideas (and knowing it's tier 3 not sure how much I can ask / explain what I tried)

Let me have a look (next time ping me as I don't get notifications)

oh that one is a tricky one