#modules

yeah it has been like this for a long time, it is known thing, so have to deal with it

Is there any known way to deal with it?

Besides praying it'll work eventually, I mean

i think @green mulch just mentioned how to make the RDP connection better, i don't think there is better option

😔

Alright then, I'll just leave it be and try again in a few hours perhaps

Dangit, and I was able to work it without issues on that other PC yesterday, and solved the 1st question!

Should have gone all the way I guess lol

Reverse enginner and find a zero day then exploiit it and do unintended xD

Jk

Hello all, I have a small problem at the skill assessment of Active Directory LDAP because of the user's creds don't works actually :

htb-student:Acad_ad_enum_skillz!

Who knows why ?

Ok i rebooted the instance and it worked nvm

Ehi, I'm currently doing the "Introduction to bash scripting" course, and I can't figure out the answer to the first exercise, the question is: "Create an "If-Else" condition in the "For"-Loop of the "Exercise Script" that prints you the number of characters of the 35th generated value of the variable "var". Submit the number as the answer." Now I've tried many different scripts for hours and none of them works, can you explain to me why my script doesn't work?

it's not spawning. I'm waiting for 10 minutes =/
Tried to clean cache but it doesn't help

@narrow ledge module is above tier 0; dont post code and things like that from it

Change vpn regions back and forth

Ok sorry, didn't know that rule,but what should I do? I tried to research online but I couldn't find anything useful... nor on the htb forum, seems that almost no one has found a solution

Was the Golden gMSA section on the AD Trust Attacks module ever fixed? I noticed there was an issue that was reported on January, but it seems still there.

Modules above tier 0 wont have public solutions.
They're expecting using echo and wc
Try breaking the problem down to what its asking individually.

• 35th value
• character count

thanks

Hi there, can I get some help on the skill assessment of password attacks please

What's the problem

I need help with pivoting I guess you could say, cause it I haven’t done that module

Man I need help with everything at this freaking point

Aright dm me

I went back and used this Credentialed Enumeration - from Linux

Module: Firewall and IDS/IPS Evasion — Hard Lab
Question: Identify the version of the service the client added for large data transfer. Submit as the flag.
What I know:

Target IP: 10.129.19.59
Full TCP scan -p- returned only port 22 (OpenSSH 7.6p1) and port 80 (Apache 2.4.29) — nothing else on TCP
UDP top-200 scan returned 69/udp open|filtered tftp and 137/udp open netbios-ns among others — but states change inconsistently between VM resets
Hint says "large amounts of data" and "vital role for customers"
TFTP on 69 seemed like the right service but I cannot get a version string from it

What I have tried:

-sU -sV --script dns-nsid on port 53 — closed
-sU -sC -sV -p 69 — returns closed after every VM reset
-sU -sC -sV across all top-200 UDP ports — everything closed except 137 netbios
Full -p- TCP scan — only ports 22 and 80

What the walkthrough says:

For the DNS question in this same module, the walkthrough explicitly states to use -sU -sC -Pn --disable-arp-ping -p 53 and that -sC default scripts will return the version
I applied the same methodology to this question using -sU -sC -sV against the suspected port — still returning no version
The walkthrough does not explicitly address this specific question about the file transfer service

Questions:

Is the file transfer service on UDP or did I miss something on TCP?
Is TFTP on 69 the correct service or is it something else entirely?
Is VM instability between resets a known issue on this specific lab — ports showing open|filtered on one scan and closed on the next?
What is the correct port and command to get the version string for this question?

Vm instability is a known issue

However,

Since this is also a lab about evading IDS/IPS different results could be because of how fast/hard you are communicating

You may not be getting results because the server notices you're scanning it and shuts you out.

Well, not the server but the IDS/IPS appliance

im not sure how to be any stealthier. i ran the exact script in the walkthrough and im only targeting one port at a time

What I ran:

sudo nmap -sS -sU -Pn -n --disable-arp-ping --top-ports 200 10.129.19.59 — returned 69/udp open|filtered tftp among others
sudo nmap -sU -sC -sV -T1 -Pn -n --disable-arp-ping -p 69 10.129.19.59 — returned 69/udp closed tftp
sudo nmap -sU -sC -sV -T1 -Pn -n --disable-arp-ping -p 69,68,138 10.129.19.59 — 69 closed, others open|filtered with no version
sudo nmap -sU -sC -sV -T1 -Pn -n --disable-arp-ping -p 161,53 10.129.19.59 — both closed
Full TCP -p- scan — only ports 22 and 80

Additional context:

Spawned a fresh VM and immediately ran against port 69 before any other traffic — still closed
Used -T1 which is slower and stealthier than the official walkthrough recommends for similar questions in this module
Port 69 shows open|filtered on wider scans but closed when targeted directly

can you use a port as source port maybe?

yes... thats the answer. claude ai helped with that. i dont even remember reading we can do that or why that would matter

that was a good 4 hours gone. appreciate the support im tired now lol

could anyone help me with Q4 and Q5 of the MSSQL, Exchange, and SCCM Attacks skills assessment please? I've tried a lot of the ways to exploit in the modules but I feel like Ive hit a wall for some time now. DMs me if you would like 🙂

Is anyone else having issues with the pwnbox being offline?

I have tried 2 different web browsers and neither are working

Start cape learn path

cpae learn path?

I can't even get through the introduction

Try a different pwnbox region. Bear in mind free accounts only get 1 spawn per day

okie dokie I will give that a go

brilliant it worked

has anyone had this issue?

i re intalled burpsuite and tried diff java version, same result

i have a problem where the attack ip addreses stop working

the ping packets drop to 100%

Hh, I made a small spelling mistake.

Hope to complete the exam this year.

Hello community,
I'm currently at the CPAE path at Windows Lateral Movement (Server Message Block). I made my way throught the labs and escalated my privs to nt authority\system in different ways. (atexec.py and abusing a service with services.py and a customized payload, as described). All went fine but I'm not able to read the serviceflag.txt at C:\Flags\ on SRV02.

I'm getting a blank line at the atexec-shell (but i guess this is a bug) and a "Cannot access file" at the impacket-way-shell with netcat.

Did I overlooked something?

me too , did you manage to solve it ?

As I'm going through the Windows Privilege escalation module I have a question that in most cases when we get a reverse shell as a user and it's not in an elevated context so there are UAC restrictions to the token it doesn't show the full privleges of the user some showed as disabled and some desn't show at all. My question is that if a prvilage isn't showed at all but it can be gained in elevated session or a differnt logon type how do we query that properly ?

Hello there! I have just finished the Introduction to Windows Command Line 😄 I have a question regarding the last question of the skills assessment but I don´t want to spoiler it. How can I ask it?

If the user is in the Administrators group and running at Medium integrity, you know the missing privileges exist but are inaccessible until UAC elevation. Tools like whoami /priv are not reliable here precisely because they only reflect what's available in the current token, not what would be granted in a high-integrity context.

Yeah and that's my question that is there a reliable way apart from whoam /priv cz one is to infer through the Group membership but what if a user is explicitly given a privilege through GPO

How do I find the serial number of a Windows System in the Windows Fundamentals module?
|| I've tried wmic bios get serialnumber but that apparently isn't the right answer||

Hi, can someone tell me why smbmap close the connection without showing me any shares? Im trying to paste here the screenshot but it doesn't work

can someone help me I am on the using the metasploit framework module and I am at the sessions & jobs and i am running into the error that my architecture is x86 and not x64 and I can not find a way around it to exploit the old version of sudo running

wdym ? you running x86 os ?

why are you trying to exploit sudo?

wait nvm forgot that's part of the 3rd q

that sounds pretty improbable since most OS if not all are x64... there's likely more that you're missing or you're misinterpreting what's being given to you

I think he got confused with payload and OS architecture

seeing the message that got caught by automod @gleaming summit ; you didn't set the LHOST properly

ok

thank you so much for your help

i will try it and get back to you all

as a note automod blocks 'masked links' []() as many scammers use that format to get people to think it's a legit website i.e. google.com

oh gotcha ok thank you

Can I dm someone regarding the documentation and reporting module?

it is still saying incompatible session architecture: x86 and I set my LHOST to my pawnbx 10.10.14.125. am I missing a step or something?

then you're likely using the wrong payload

ok im a bit confused on that

the one they expect is baron

ok yeah its #0 and i put that in

How do I see owned modules new ui

did you also set a different LPORT and set the session to 1

or whatever session your initial session is numbered

my session is 1 and i did not set a different LPORT than 4444

And search the new ui see the difference between purchased and not purchased module

https://academy.hackthebox.com/app/library/modules
there's a status filter:
Available
In Progress
Completed

Available - not purchased
In Progress - purchased
Completed - Completed

Hey there! Sorry to resend it, it´s just that I did it this morning and I´m really curious 😅 If anyone could help me I´d be very glad!

thanks

you need to set a different port for your secondary exploit

i changed it to port 4445 and it wont let me change the LHOST of 85.9.194.90 to 10.10.14.125
and it is still saying incompatible

metasploit allows you to shortcut things like using tun0 for the interface name instead of specifying the ip

oh

you can also use setg to set a global variable on things so you don't have to set it every time

thank you

setg <varname> <value>

thank you tun0 is what I needed

But when I put available all are shown

Even purchased module

And search filtering is also not present

¯_(ツ)_/¯

you can use /feedback in the discord to provide feedback to the dev team

Thanks

I am now on the meterpreter module and is the existing exploit the one used in the sessions and jobs module?

?

there are 2 exploits to do

the initial one, then the privesc one

it says find the existing exploit in MSF and use it to get a shell on the target

correct; the existing exploit for the answer to question 1

when it says 'existing exploit in msf' it means the exploit exists in msf, not that it's referencing something from the module

sounds like you were trying to use the psexec exploit (from the reading) instead of the other exploit related to the actual target

correct shoul I have used the exploit suggester?

you don't need the exploit suggester; it gives you a hint about sudo Version. figuring that out should give you a stepping stone to research what you need

always keep in context of the machine; in general: sudo = linux, smb (which is the psexec exploit) = windows. So there's an automatic mismatch in OS there

ok thank you

Hi there, can someone help me with how a documentation should at least look like based of documentation and reporting

The module includes a sample report

Sysreptor is allowed too correct?

yeah sure

Also for CPTS?

yes

Okokkkk

https://docs.sysreptor.com/htb-reporting-with-sysreptor/

need a hand on the socksoverrdp module - I've been able to successfully connect to the target box, but when I do connect to it it just gets stuck on a black/blue screen. did anyone else run into this issue?

patience is a virtue, it literally connected within 5s of me sending this 🗿

Hi guys, I'm doing the Wi-Fi Evil Twin Attacks Skill Assessment module; I am stuck on the first, does anyone could help me with it?

I've tried all the possible ways (Manual Phishing via Python Web Server, Karma / Mana attack (the most promising and return more informations) Wiphisher etc...)

I've got few WPA Hashes but can't crack any of the with hashcat (with /opt/wordlist.txt & rockyou.txt) i'm very stuck..

Hi guys. Another lost soul here. I am working on the module for Linux PrivEsc. I was wondering if anybody was able to compile the logrotten gitproject required for the section about logrotate?

Did you solve it?

I face the same Issue

Evening all

are there issues with the target servers in the modules?

Figured it out on my own

dont see the openvpn download anywhere in academy. how do i get to it?

By the end of each section there is a Connect to HTB thing just before the questions with both the pwnbox and Vpn option

Btw just press enter when it does this. Its usually getting stuck drawing the AUP screen

Hey guys I'm a little confused abut something, i'm learning pivotting,... and when I do a nmap wuith proxychain in full tcp connect I cant get any open ports, for example the rdp port is in filtered state why is that?

I tried to dig a little bit and here I am, why with sudo -sT it works, but without sudo and stil full tcp connect scan it is filtered?

oh word thanks

Hi guys, I'm expericing RDP connection issue, it connected initially but after seconds or 1 minut, it will say "connection has been lost, trying to reconnect...' and never succeed. Then, I reconnect manually again, and the same thing will happen, connect lost connect lost. What is going on?

I could swear i saw a bug bounty hunter path a while ago and when i tried searching it today I couldn’t find it, am i crazy?

Try with this
xfreerdp3 /v:ip /u:user /p:'pass!' /dynamic-resolution /rf x /gfx:avc444 /timeout:30000 /cert:ignore

It's name has been changed to Web penetration tester

But it’s the same path right?

finished 3 interactive sections and 2 theoretical ones today. Is that good?

Doesn't matter how many you finish, just matters that you understood and are able to apply what you learned in various situations

I’ve been noting down the stuff i learn with cherry tree. But I don’t memorise most of them. I just keep in mind the general ideas of the sections and whenever i need something i go back to the notes i made. Is that good?

Sorry forgot to mention, I'm using Windows RDP client, and have openvpn connected. Not connect from linux.

There is a network option in advanced tab where you can set the preset according to the needs and the lowest you can go is modem i guess though I don't remember exactly you need to dig urself

on the AI red teaming path why do all sections say theory even though its actually interactive

gravity is just a theory

Hi, I am doing the Windows Fundamentals module, I am trying to use sysinternal tools to solve the challenge. However, I can't seem to run sysinternal tools on my Pwnbox for some reason. I started the WebClient service and turned on network sharing on my profile and it still shows an error "The network path was not found". Any help?

You running it on the Linux pwnbox? cos sysinternal tools are Windows executables

No, I am connecting to a Windows VM via the linux pwnbox using xfreerdp

Can you share a screenshot of the issue?

I can't send a screenshot here, I don't think I have perms

DM me the screenshot then

Alright

Resolved

Hello. I finished Windows Fundamental module in HTB Academy. But module is not completed

This is a known issue

Is this issue solve?

What Must I do?

Nothing, the devs are working on a fix for it

Ok. Thank you

can anyone help me in injection skill assessment? cant exfiltrate data with xpath

Any idea?

Can anyone help in the WEP Attacks module - KoreK attack section. I've ran the section many times, and can't seem to crack the WEP. I've already finished SA but need this section done.

This is from my notes on that one (Of note, this took multiple resets to get this to finally obtain a packet that was suitable). You can DM if you want to chat a bit more about it.

i am at the last section of android attacks module and i just wanna know how to configure server , if anyone could that would be nice

thanks., ive found that with a few of the sections. spent many hours to come back and things immediately work after 1 more reset lol. i think i've done KoreK 3 times now.

ill try again tomorrow. may need to DM you for a sanity check tbh.

I've got some time now, but will likely be away soon until Monday.

am back to academy

How did you all install EyeWitness in the Pwnbox?

To anyone running into problems with Proxifier not routing traffic at all, in the RDP and SOCKS Tunneling with SocksOverRDP section of the Pivoting, Tunneling, and Port Forwardingmodule:
DO NOT use the latest version of their website. Instead, go to Legacy Downloads and download version 3.42 ProxifierPE342.zip.
You may need to restart the environment or else the 3.42 exe will still launch the lastest version.
It's not about SOCKS5 or SOCKS4, not about launching mstsc.exe from command line or C:\Windows\System32 or not, not about any Proxification Rules.

Did you find it?

Nah bro, any hint?

Still trying.
Maybe a pass that you can see many times in the file that got you INT plays the role of noun+number.

That should work. I ended up creating the entire wordlist on my cracker as doing it on my vm or their attack box wouldn't have worked. If you're just letting the script to create the wordlist run for a bit you likely just need to let it run a little bit longer. If you let it run through it's entirety it turns into a large wordlist.

Hello. I think there is an issue with the skills assement for Sheels & payloads part
From what it says I should be able to acces to the host from blog.inlanefreight.local, 172.16.1.13 and 172.16.1.11.

I was not able to reach for 172.16.1.11 so i tried a scan of the network and I got :

Starting Nmap 7.92 ( https://nmap.org ) at 2026-03-25 17:17 EDT
Nmap scan report for 172.16.1.5
Host is up (0.0094s latency).
Nmap scan report for blog.inlanefreight.local (172.16.1.12)
Host is up (0.021s latency).
Nmap scan report for 172.16.1.13
Host is up (0.0023s latency).
Nmap done: 512 IP addresses (3 hosts up) scanned in 19.37 seconds

Seems like there is an issue with the screenshot that indicate the differents IPs.

also how I am suppose to work with the wenshell when there is no browser ( I only tried tor rn maybe another tool work but if someone know i'll take it

and actualy 172.16.1.5 is my own machine

so what happen to 172.16.1.11 ?

show i relanch the target ?

hi all, n00b here, i'm doing the LFI skill assessment, i've checked the multiple endpoints and also the ones that have parameters but i cannot seem to pull the source code or bypass filters when either using a GIF upload or a php/zip upload i've also found the contact page and the hidden parameter but that seems to be filtering all special characters. I've tried uploading files as md5 hashes as well, any pointers?

Have a look at the API call that loads images.

Hello Everyone. I am currently working on the Linux PrivEsc Module. Right now stuck at the "sudo" module.
I found the required exploit, but I think there is no gcc installed on the target machine, so I can't compile the exploit. Anyone having the same issue?

Thanks I've been working on that end point for a while I'll keep at it and try different things thanks

shout if you want to bounce ideas

awesome, could i DM you?

hello everyone, newbie here. I have an issue with Section 4 in Module "Web Requests" (link is https://academy.hackthebox.com/app/module/35/section/223 ): the question 1 for Browser DevTools does not recognize the correct answer. The solution is quite simple: the student must find the request url which contains the flag by looking for it in the DevTools Network tab. Despite trying multiple times and resetting the Pwnbox, the answer is not accepted by the Module. Has anyone experienced the same issue? Who should I contact to have this issue solved? Many thanks in advance!

Is anyone else having problem with targets in module Attacking common applications? They spawn but I can't communicate with them.

update: there is no issue with the Module - it was not clear from the question that the solution is the flag value, not the request link.

hi yall got a question. pentesting in a nutshell/Windows Initial Access. What is the hostname of the file server that you discovered in the PowerShell script? I ran the only powershell script it shows whoami yet the answer is incorrect. i'm confused

Might be you can open powershell script in notepad and go through the code?

yea i have the winpill code and am looking at it but getting it into the windows machine it had me RDP into is proving difficult

hi all, I'm trying to finish up the linux stack overflow module, but the question seems vague, and my answers are returned "incorrect" even though I can already control the program control flow. it is asking me "Submit the size of the stack space after overwriting the EIP as the answer. (Format: 0x00000)" I have verified my answer in gdb and using ghidra on the pwnbox machine

my thing is stuck on target spawning wtf do i do?

change regions back and forth usually gets it unstuck

i think it might just be my wifi cause wtf is this lol

CTRL+R

i did

sorry CTRL+SHIFT+R

i closed the targets instead

oh ok

I was about to msg you as I had already restarted it a few times lol. But on the last attempt, I appeared to get a good capture for the KoreK xor guessing. It looked more complete compared to other attempts. Unsure if that was the determining factor, but honestly had to just keep resetting and redoing things as you suggested.

https://academy.hackthebox.com/achievement/1346583/185

hiii!!! i stuck on errors ||"Please specify a customer ID" and "Something went wrong"|| from Advanced XSS and CSRF Exploitation Skills Assessment. can anyone give me a hint or an idea?

anyone figured out the WordPress theme question on Linux Info Gathering in the Pentesting in a Nutshell module?

On nmaps scan with http-wordpress-enum NSE or using wp-scan you should get it, you tried it?

the nmap scan gave nothing nor did the wpscan

Gonna check.

alr

been waiting for over 20 mins on the password attacks module on network services for the rdp password..

I tried the "default" way to enumerate themes:

 curl -s -X GET http://<ip> | sed 's/href=/\n/g' | sed 's/src=/\n/g' | grep 'themes' | cut -d"'" -f2

No output

Then tried the wp-scan, using their commands (they give the writeup) and "The main theme could not be detected.".

So idk... don't remember how I found it.

Maybe reset the target.

yea that happened to me also

4 times

Erm.

what do i do now 💀

they used wpscan in the writeup?

Yep.

💀

can i get the command from the writeup?

And I used the command they gave inside of it, btw you should always do the automatic & "defailt" enum :).

oh lol

wpscan -e p --url https://<ip> --disable-tls-checks --no-banner --plugins-detection aggressive -t 100

I used wpscan -e p --url https://10.129.233.210 --disable-tls-checks --no-banner --plugins-detection aggressive -t 100

it's the same damn thing

it was in the module only

could you just give me the flag (it's a tier 0 module. you can share the flag ig)

sharing flags is against the rules, regardless of the tier. At least publicly

oh bleh

What is the name of the theme used by WordPress on this target?it's not a flag and it's not allowed.

Just look at the module, there is the answer.

YOU'VE GOTTA BE KIDDING ME

THAT'S THE ANSWER?!!?

Yes?

i got it

but why won't it even work in the damn wpscan?

Just do you know why using the same commands / other tests we don't get same results?

haven't done the module so can't tell you why it's not giving you the answer

i suggest raising a ticket with support if changing vpn regions doesn't resolve

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

I have maybe an idea, @coral lion try to add your api token.

You can login to wpscan website & get a free api key.

api token is more for some automated stuff with wpscan to perform vuln checks

Yeah, but idk, when we don't give an api token, wpscan is not happy :>.

hm ill try that

Hey doesn’t academy offer the same kind of persistent configuration in vms like pwnbox in good ol’ htb does ?

Because zsh has the same banner talking about my_data but the directory is neither automatically created nor is it transferred across instances

no

I see, I've tried it so many times without success and I thought I was doing something wrong but ill give it another try thank you

Hello there 😄 I'm actually doing the Evil Twin Skill Assessement And few modules talked about "fake login page" and "firmawre update" but in the Skill Assessement machine, there's no apache2 servers installed and no /var/www/html.. So i guess i need to find another way to catch the flags ?

And i'm stuck for few days now

Hey ! I'm stuck in the same module.. Can i ask you few questions about it ?

Hi everyone, I'm not sure if this is the right place to ask.
I'm taking the skills assessment for the "Wi-Fi Password Cracking Techniques" module and I'm stuck on the first question (I've already got the second and third of four answers).
Any suggestions or advice? The first one seemed the most easier, but it's driving me crazy

I'm on the attacking common applications module and the "exploiting web vulnerabilities in thick client applications" lesson. I've been here for a while and have successfully done what it says I need to but I keep getting connection error on the jar file. Can someone help I'm utterly lost at this point

Hey there, im preparing for the CPTS doing the AEN, im trying to setup a double hop with Ligolo mp, the second hop never connects bacl even though I have a correct agent on both my hosts and a redicretors and all setup properly. I'm at "Attacking Enterprise Networks > Exploitation & Privilege Escalation" I wonder if it's because this module is just not made for this yet? Or Am i doing something wrong?

check the vendor using the bssid and determine what you learned in the module regarding that specific vendor

Can anyone help me understand what this is. I am looking within these and I just don't understand. This is Native Code section 7 on Android fundamentals.

Can anyone help with the 'Attacking WPA/WPA2 ' SA, final question. I've been trying to do PEAP relay, but I'm getting issues with hostapd.

Someone with the same issue or completed the module?

I tried now a different approach, with dumping SAM and try to read the file as Administrator user. But even this didn't work out.

I wasted so many hours on this tried every tool every command ..it is so misleading to put this as the second question when it can be comfortably answered after last question

introduction to networking module, there's no way to scroll right and see the far right of the table..i'm using firefox, and even the other tables are like that

Hi guys, if target machine keep showing "Target spawning." and forever, what should we do?

Try refreshing

i refreshed, clear cache, unfortunately doesn't work

Then skip to next section, you gonna come back on that later, should have some problem in HTB side

Ya, I thought the same, next sections the target (s) section just showing target spawning

Report the problem to support, mention section name and the VPN server you are using

i'm trying to reach for the live chat, how to start a new conversation? I saw home, messages and help. When I click those, none of those can start a chat.

What do you mean live chat

help (?) > contact support

You can tell the bot, connect me to an agent

can someone help me?

Okay I already did this but I was wrong using command, thanks dude

Hello, I am working on the Active Directory Skill Assessment II.
Every time I try to run on MS01 SharpHound,exe, I get a zip file, then transfer it to the attack VM. After that, when I click on “Upload Data,” the JSON files start loading in BloodHound but freeze at 0%.
Probably i am getting in some Legacy / CE Issues with sharphound Data for BH.
I also tried to use older version of sharphound at the Data collection phase, where some Data works some not (0% stucking).

I have tried it again and again, but I have no full success with BloodHound.
Is there a way to solve this Part with the given HTB Ressources or do i really need to install Bloodhound CE ?

I used the sharphound provided by the module in some of the C:/tools

Hey guys, I'm starting to go crazy. I'm stuck at the Credential Hunting in Linux. I found the history and transfered the program, but it seems I get the following message, and others don't. Has the module been updated, and if so, what am I doing wrong?: Master Password for profile /home/kira/xxx/xxx/xxx (I'm trying not to give spoilers for others)

Done now?

Actually i'm creating wordlists and trying

For answering you I created myself and completed 2nd time 😂. Just run the script for 20 seconds and the generated passwords will be enough

I just discovered that doing the same thing on my computer that is much faster, didn't work, while doing it directly in the wifi machine works

i don't know if it makes too much sense

I stuck on a different module now. I'm doing the Wifi Password Cracking Techniques, Skills Assessment. I'm stuck on the last question. I've got the username format, and tried the techniques for username + no hash, but can't seem to finish the final question.

Hi All,
Working through the Privilege Escalation section in Intro to C2 Operations with Sliver.
Unable to upload http-beacon.exe to the target using Sliver.
The current user is service related, not sure how to proceed.
Any hints will be appreciated, thanks.

there will be 2 possible formats for the username. have you checked both? also if you are doing correctly, it will take more than 2 minutes to crack

I got the identity package, and used the format in that. i can't see 2 possible formats?

there are 2 formats. check again from the tool's switch which outputs formats for username generation

I'm not sure what you mean. The identity is ||CLYRA\m.morris||. What other format than ||f.last|| is there?

send me the username format you are using in dm

look like execute file doesn't exit

Hi Please help,
Module Active Directory Enumeration and Attack. Attacking Domain trust section.
Whenever I try to RDP to (ACADEMY-EA-ATTACK01) machine, it gives an error saying Login failed for display 0.

anything wrong which this machine? AD Enumeration & Attacks - Skills Assessment Part II im not being able to ssh to it multiple tiomes i have rest the machine still nothing its been like this since 3 days

Hi all, are you also facing issues in spawning targets for modules? or is it just me?

Basically getting this every time.

{"message":"Failed to spawn container. Please try again.","code":45006}

Thx #MarcieLee i used de CE version of BH. Little bit tricky with the C:/tools because they are on other VMs, but this struggle is good for the methology to understand data structure.
Do we (studends) have a pawnbox during the exam? If yes, does it works well... what is your opinion ?

I used my own vm, and as far as the c:/tools thing, I literally transferred them to my vm then over to the target

You are supplied with a pwnbox for the exam

Im havving an issue with the machine under AD Enumeration & Attacks - Skills Assessment Part II whnever i ssh into it with creds it get stcuk (can type anything) and gets diconnected (i have reset the target multiple times already )

Did you try xfreerdp to it?

you can do SSH and RDP 😉

Did anyone manage to complete the Windows Target part of the module Pentesting in a Nutshell?

Getting stuck on the skills assessment of android fundamentals. I have the app signed with jarsign and used adb to move the file onto the emulated device, however it won't actually install and run for the answer.

rdp is asking for credentials and i have tried the given one the htb-student one and its not working

hello is there a problem with pwnbox??

it is incredibly slow and laggy

im feeling way too much slow and laggy and it was like this since more than maybe 15 days

i was working with it just now it was fine, but suddenly i cant do anything

ive been trying to access my machine back in 16th of march .. slow af

can we report this i have mailed them they are not responding'

Hello, maybe i am overlooking something but i have been having a lot of trouble doing exfil labs. Labs like the advanced XSS and CSRF labs & CORS labs, where you are supposed to exfil an admin page to your server by base64 encoding it.

I have tried both IP-adresses given by the openvpn tunnel (10.10.x and 10.5.x) remade the HTTP server a couple of times, but even running a simple exploit that visits my server doesn't seem to work. Has anybody else had this issue with the VPN? I also verified the issue isn't specifically my exploit code, as the solution script also doesn't reach my host.

Hey! I’m trying to buy the HTB Academy student subscription and everything goes fine until the payment part. When I enter my card, it asks me to confirm a €0 transaction with my bank, but I’m not receiving anything at all (no notification, no charge).
I already contacted my bank and they said nothing is coming through from their side.
Has anyone had this issue before or knows how to fix it? Thanks!

Unfortunately no one on Discord can provide help with that, you'll have to reach out to support on the website or email.

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

Okay, thanks. I tried this way because technical support won't be available until Monday.

Yeah, completed 2 days ago

How did you get the hostname in the Windows Module?

Just give me a nudge please

I can't seem to figure out where th to find it

It's simple port scanning

I did do that

Which section of module?

Windows Initial Access

You mean the hostname of a file server in a PowerShell script question?

yea

Winpeas will show the PowerShell script in output.

Otherwise it is related to cron but of windows.

Can you understand this hint?

Kinda

dm if still need help

sure

can anyone help me with this the machine is slow and cand do any task on "AD Enumeration & Attacks - Skills Assessment Part II" if i ssh to the attcker machine (linux machine ) its slow cant even type , if i rdp it keeps diconnecting

I have a question regarding the Wireless pentest path

Do virtual network cards work just as fine as physical ones ?

For example, let's say I only have 1 interface. I then go and create 1 more based on that physical. Is it possible to perform evil twin attacks (1 interface for Deauth, 1 interface for fake AP)

Regarding "Attacking Common Applications -> Exploiting Web Vulnerabilities in Thick-Client Applications". Should I be able to move the fatty-client.jar file to my computer and be able to run it or do I have to execute it from the server? https://academy.hackthebox.com/app/module/113

Hi, has the bugbounty path been removed from HTB Academy? It's not showing up as available for me.

It is is changed to CWES certification path

Web Penetration Tester and Senior Web Penetration Tester??

To the Web Pentesting one.

okay thanks!!

I downloaded the fatty-client.java onto Kali, set up a ligolo proxy through their server, then did the entire section from Kali. I had way too many issues getting the java client to work when I had tried running it on their server. On Kali it worked great.

hello everyone. I am newbie with Hackthebox, I find the spawn target in academy is too long, it take me more than 30 min and now it does not spawn. Do you have any advice for me? Thanh you

Bruh

it just reverts back to spawn button

same

hahha

I moved over to academy because the Seasonal box wouldn't load, I complete one module then Academy breaks too

I am also facing issues...takes a lot of time to spawn

I can't spawn a target bro.

I spawn a target in Kerberos module succeed 15 minutes ago, then the target drops into void soon after I finish the section

now my vpn wont connect

it is stuck here

Same

mine is working

Mine was working for a bit but connection was really slow to the target

I restarted my VM and now the vpn won't even start

Nvm, UDP 1337 closed

dont disconnect then ..u might not be able to reconnect

F

I just slept about 3 hours to keep pushing my progress, know I think I can get back to sleep

BTW, seems prolabs disconnect too, HTB labs are still running

Is there sth wronf w the service today? I can't seem to spawn my targets

Yeah I can't spawn them as well

I dont mind the new UI/UX anymore ...looks like we got bigger issues xD

Oh, I thought it is my bad. Tks you all

Time to touch some grass guys.

ok bro

is spawning boxes and target still an issue ? can't spawn or ping any target right now

How many people have come here to complain about the new HTB UI?

I certainly do

I've been leaving feedback everday begging for them to switch back.

Module: Intro to C2 Operations with Sliver
Section: Probing the Surface

The syntax to create a stager from the lesson is:
generate stager --lhost 10.10.14.62 --lport 4443 --format csharp --save staged.txt
That output is then used to amend the msfvenom aspx payload.

However the above syntax only works on the older version of sliver.
I would like to try and perform the same but on the newer version of sliver, but when I run the following command shown below, it keeps generating a full compiled payload and not just a source/text export:
generate stager --http 10.10.14.62:4443 --format csharp --save staged.txt
It actually only accepts formats of exe, shared, service, shellcode, so csharp just defaults to creating an exe.

Anyone know how to solve with newer versions of Sliver? Or is this where I have to use an older version?

Did you solve this? I'm working on it currently and am having a problem with the script. Mind giving me a nudge?

Frankly if anyone has solved my above question. i would love if you would reach out to me. Thank you.

Windows Privilege Escalation Skills Assessment - Part I

Juicy potato fails with:
53375 COM -> recv failed with error: 10038

I tried to launch it directly on the target machine via shell, and via command injection.

No luck.

I managed to find the right PIN using the walkthrough from the module. I'm not sure where the problem might be in your case.

I did this skills assessment 2 days ago. U need to mention clsid based on the target OS..they didnt teach this in the module..look at github page of juicypotato or ask claude what it is

And u might need double quotes outside curly braces...

In windows skills assessment 2 did anyone trying dumping sam and lsa secrets remotely using the creds found for ques 1 ? It didnt work for some reason

Can someone help me with LLM Output Attacks Function calling section flag1 - insecure implementation of function calling

see the version of the application

Is there any ongoing issue on academy with targets not spawing by any chance?

There is on some VPNs

dmed

Bump

something is wrong with the function calling exercise on LLM Output attacks...I got the column and table name but it just wont fetch the data?!

Thank you sir! I tried other CLSIDs no lunck. Maybe it's the double quotes problem. Will try.

Any issues with target spawning today?

Did he work with you?

Nope, have been loading for 15 minutes already

Try the page event, if it won't work for you, try again and check vpn

Partial Outage at HTB academy labs and academy

However it seems at US, I'm using UE

Switching between them with a change of port, sometimes this succeeds, and sometimes not, maybe an unstable connection

I'm using pwnbox right now. It timed out after 20 minutes and I'm able to respawn it now

working fine

Excellent, well, since everything is working

module completions is working? because yesterday i completed various sections and today they all unmarked

i dont understand the change i liked the other academy...

https://status.hackthebox.com/

Could use a nudge on Wi-Fi Evil Twin Attacks Skill Assessment specifically Q2. I setup the WPA3 jammer and the plugin phisher. I see clients connect to phisher, they make GET HTTP requests. But never a shell

Any suggestions how to start with the modules o_o confused asf

Never mind, I didn't know I had to connect to my own router to get a shell for the Evil Twin Assessment

It also breaks every second or so

Managed to get the flag, but feels unintended

Yeah sounds like you may have taken a different path. Everything is self contained within the target.

Would love it if you can share your path assuming you completed the assesment of course

I think the payload is intended to die based on the scripts I found on the box, not sure tho

What path have you completed?

Hey i'm stuck at Wi-Fi Evil Twin Skill Assesment can i ask you few questions ? 😭 You could be my savior

Yeah for sure, I'll ping you later. A bit busy rn

Ho nice thank you !

Module: Wi-Fi Evil Twin Attacks - Skills Assessment
Question: What credentials are obtained from the Wi-Fi network "PulseGrid-ENT" (format: username:password)?

I've tried quite a few things here, however I'm not seeing any clients connected to the network to actually go forward with the attack. Is this intended, or is the lab maybe broken or something?

i'm glad to see i'm not the only one who struggled with this module 😭

it's weird because they teach us how to setup a fake captive portal but we can't make one (from scratch i mean)

Have you tried to deauth ? i guess you did but just to be sure

Yep

No clients appear before or after

With wifiphisher ? weird

Oh this is the third question. I'm past the one you're thinking of

This one is the one I'm on

i talked about this one : 😄

oh haha, let me give wifiphisher a go then

It might help

Have you found the answer for the question 1 ?

Yep!

I need your help 😭 i'm stuck for days

If i can speak in DM

go for it!

Hey, How I can unlink my account from entreprise (meetup) so I can join new ones in future. Anyone has idea about it ?

probably reach out to support on the site

I've been waiting 20 minutes for it to spawn and nothing's happening XD

How have you managed to get a shell ? i can't figured out 😭

US?

ye

Same issue for me, both US and EU VPN

Same issue!!! ; D

yeah i just tried EU no luck either

kinda annoying to pay 1k and not be able to learn when I have the time.

At least I'm not the only one jejeje

it worked for me ealier and now its buggin

holy shit I got an IP

Nice

I'll check as well

oh shit I got one

noice

holy moly it loaded

I think he gave it to us at the same time hahaha

hey now, thats my IP hands off XD

I had to cheat to realise that the .war webshell is in the jsp folder in Laudanum. How the hell was I supposed to know that?

I feel like i remember being frustrated by something similar

Anyone experianced have a minute to talk through using ptunnel-ng?

More the theory behind using it, no actual technical guidance

I bet you were.

This is the skills assessment in the shells & payloads module, i spent many hours just to get a webshell on the FIRST host i have to attack💔

and the fact that the creds are in the foothold hosts desktop makes it even worse. It was literally in front of my eyes but I didn’t notice it. I thought they would be at the first host’s web applications and spent hours looking for them

And to make it even worse, I didn’t know that the foothold host has firefox. i was browsing in LINKS!!!

And it was slow and so outdated

Can anyone help with the 'Attacking WPA/WPA2 ' SA, final question.

Hi all, I'm stuck at this part as there is no rule=92153 in theHive
"In TheHive, check the alert with rule=92153 related to the VaultCli.dll module. What is the MD5 hash value mentioned in the alert?"

Detection & Analysis (Part 2) - Incident Handling Process

Any guidance on how to past it when there is no rule=92153 nor do i find anything with VaultCli.dll

Take this knowledge with you. It’s a very important lesson! Sometimes things are right under your nose. Enumeration is key

nevermind. got it.

hi, question, on the new Academy UI, are the streak removed? sorry I just saw the new UI now.

No

where can I find it?

oh, saw it now, its literally on the dashboard

If you enter and don't find the Streak on the home page, don't worry, it's not deleted. Just click on your profile menu at the top, and you'll find it there next to the number of Cubes.

yes

cool cool, I just did logged in after a long time.

I missed academy. lol

You may not have entered for a while

i have been finding academy vpn page

this new ui is just messy

where can i download

Hi everyone. I'm stuck in The live engagement section of the shells and payloads module. Can anyone help?

Sure, where are you stuck on?

Go to the lab, you will find the two options Pwnbox and vpn

Well maybe it isn't the right solution 🙂 Many of the ready-made exploits in Metasploit require specific versions to work, and may even have more requirements beyond that

But at this point, you've already acquired access to the Tomcat admin dashboard, which is a pretty solid foothold to have

Try to navigate it and see what you can do with it

Needless to say, it's mentioned in the module

Thank you! I'll go over the module and see what i can find on the dashboard.

Yo, did you get it done ?

Is anyone experiencing Target Spawn failed in EU right now ?

Do you use vpn or Pwnbox?

EU Academy VPN, seems only https://academy.hackthebox.com/app/module/68/section/609 encounter the issue
I'll save this section for later

Issue fixed after multiple VPN/different module target restart

Help is appreciated

Try a UDP scan and look for common UDP-only services

Yeah ! With a lot of sweat and patience but yeah

Great !

does anyone have the tools folder tools from the ad section with you ?

C:\Tools

Boot a VM from Academy module and grab the folder

Have you solved this? I think this machine is so buggy, everytime i reset it i get different number of hosts with ettercap.

Yea the entire skills assessment is rather buggy. I was able to complete it, I’d wait for at least more than 1 client to connect then try going through with the rest of the attack

Man, I've been having sooo many problems with modules lately.

Here's the latest.

Attacking Common Services/ Attacking Email Services.

https://academy.hackthebox.com/app/module/116/section/1173

Question 1.

I did

smtp-user-enum -t <IP ADDRESS> -M RCPT -U users.list -D inlanefreight.htb

I got no results.

Then I tried the command directly from the solution.

smtp-user-enum -M RCPT -U users.list -D inlanefreight.htb -t <IP ADDRESS>

Checked my user.list and the username is in there.

After respawning the target everything is now fine.

Good evening! I'm going to give feedback on the "AI Evasion module - Sparsity Attacks."

The walkthrough for "ElasticNet Attack Challenge," "Jacobian-based Saliency Map Attack Challenge," and "Skills Assessment" is not working correctly. I had to ask Gemini to fix the code to complete the exercises.

Hey everyone! I just finished the Junior Cybersecurity Analyst path and I’m looking forward to taking the exam. Before I do, I’d like to know if there are any specific labs or documentation that could help me prepare (aside from the coursework, of course)?

just do a bunch of easy boxes on htb labs... read reports, read PoCs, read writeups

What can I do if a target machine doesn't spawn?

Hi all - do we know what the best labs are after completing the nmap modules?

well, the Nmap focuses on enumerating ports and every lab can fall under that scope

can anyone help me been on this part of the module and unsure how to get the bob_adm flag
https://academy.hackthebox.com/app/module/67/section/639

Hi does anyone know about ajax.php and how to send custom requests to it?

Using burpsuite

Cuz i wonder if host 2 in the skills assessment in Shells & Payloads can be exploited manually without using the metasploit module that exploits the upload vulnerability by sending a request to ajax.php (i think)

Hi, I've got an issue with spawning target systems in https://academy.hackthebox.com/app/module/143/section/1276

This is displaying Target spawning since a few hours, loading indefinitely and I can't do anything about it as the termination button is not available when the target is shown as spawning 🙁
Already tried to change browser and signing out-then in again

Visit a different module where the target is a virtual machine and spawn it, let it run for a few minutes, and then return to that section 1276 and try to spawn the target.

Note, this must be done in one tab and not in multiple.

hi, i am having trouble with the flag from Introduction to Windows Evasion Techniques, the Static one. I created the AES-encrypted shellcode runner, checked it with ThreatCheck, ran it (giving a meterpreter session), log.txt says OK - Undetected by Microsoft Defender Antivirus, but the flag is still not appearing

hmm, it worked after i compiled with visual studio, initially i compiled with csc.exe since i was too lazy to open up VS but idk what the checks do

Broken authentication/ skill assessment

Q)Combine the attacks you have learned in this module to obtain the flag.

I brute forced usernames and found (g*****) but idk y I can't get the password, I tried multiple wordlists , but no luck I need help with this

I don't know where to put this, so I am going to leave the feedback here. The new UI removed the ability to see CPE credits that would be sent to ISC(2). Previously, you could see how many credits you had earned in total as well as new credits for the month. Now you can't see anything. Please return that feature. Thank you for your attention to this matter

/feed back (written together)

yoo bro malayali here

Yo! We are walking through a ton of stuff in the AI Red Teamer pathway: https://www.twitch.tv/garr_7

@dapper peak I sent you a DM cause I have the same issue.

Also anyone else that can help solve this (Sliver - Kerberos Delegations):

[server] sliver (psexec-pivot) > inline-execute-assembly /home/x7331/SpoolSample.exe '172.16.1.15 172.16.1.12'

[*] Successfully executed inline-execute-assembly (coff-loader)
[*] Got output:
[+] Success - Wrote 32 bytes to memory
[+] Using arguments: 172.16.1.15 172.16.1.12
[-] Process refusing to get runtime of v2.0.50727 CLR version.  Try running an assembly that requires a differnt CLR version.

I'm having trouble loading modules in my HTB. I'm stuck on machine loading but it never does

I have an academy gift card... But how long is it valid for? Is there any expiry date?

I'm pretty sure I used execute-assembly instead.

[server] sliver (psexec-pivot) > execute-assembly /home/x7331/SpoolSample.exe '172.16.1.15 172.16.1.12'
[*] Output:

[server] sliver (psexec-pivot) > execute-assembly /home/x7331/SpoolSample.exe -- '172.16.1.15 172.16.1.12'
[*] Output:

You can send me a DM. Maybe we can sort it out.

Thanks, mate. I think I am done with this module for now. I will just move on and come back to it at the end. I have spent more time troubleshooting what's wrong in the tool rather than actually progressing with anything 😄

All good. I'm going to spin it up and mess with it for funsies just to have more documentation for those that have issues. Just hit me up when you are back at it.

Hi, I'm having an issue with https://academy.hackthebox.com/app/module/35/section/227

When I spawn the target and try to go to the target site in either my own VM or the Pwnbox nothing shows up. I've terminated the box and spawned new targets as well as refreshing and waiting but I don't really know what else to do.

have you tried interacting with the api as shown by the module :)

You know what, I took a few days break between the previous section and today's. Let me go read it properly. 😅

My bad, I assumed it worked exactly like the previous sections, live and learn 🙂 thank you btw

I'm running into the same issue. Was there a resolution here, by any chance?

hello

no idea

Hi, I'm doing the Windows Attacks & Defense module (Kerberoasting section). I cannot RDP/SSH to the target machines using credentials bob:Slavi123. Ping works fine but login fails. Already tried resetting the instance. Can anyone help?

Did you try the other target?

Hey! excuse me, in password attacks, windows part, attacking active dir, i am getting this:

KDC ERROR - Wrong Realm. Try adjusting the domain? Aborting.

domain used: inlanefreight.local

i ensured it's the correct one with nmap -p88 -sV -A $ip

why am i still getting it

I already tried both targets (Kali and Windows) with credentials bob:Slavi123 but both failed. For Windows I get 'credentials did not work' and for Kali I get 'permission denied'. Did you use the same credentials or different ones?

I think I recall it may be Slavi1234

what do you think about my problem!

if you don't mind!

What command is getting this error anyway?

simply this:

~/hackTools/usernames/usernameEnumeration/windowsBased/kerbrute/dist/kerbrute_linux_amd64 userenum --dc 10.129.17.202 --domain inlanefreight.local possible12.txt

i tried this command on both my own machine and the pwnbox

both giving this message

Did you set up the krb5.conf file properly?

hmmmmm, nothing about krb5 was mentioned in the module

did you also setup your /etc/hosts file properly?

hmmmm, well i tried to check the error online, and i saw an THM tutorial talking about this exact error being related to /etc/hosts. so i did, i added inlanefreight.local to /etc/hosts with the ip i received

Show me the file pls

sure!

there you go!

might have to add the DC or DC01 FQDN before the TLD

do you know what the DC's FQDN is?

FQDN is fully qualified domain name

DC is domain controller

yes I know what they both mean, I'm asking if you have the DC's FQDN...

ahhh, i thought you asked me. hmmmmmm, as for the module, i only got those. nothing else

i was given nothing else, and nothing to enumerate the FQDN

the module never also mentioned anything related to /etc/hosts

I mean LDAP usually gives it away if it's running

hmmm, i never used ldap too

Well it assumes you have a base knowledge of AD

hmmm, actually the AD module still

after this

this is merely password attacks

and i am following modules step by step

Yes but you should also have foundational knowledge from the Information Security Foundations path, i.e: Introduction to Active Directory

ohh, i didn't do that, i thought they were exclusive

i just jumped with my knowledge i got earlier from THM to pentesting, so

mmaybe i should do that then?

i mean i know what /etc/hosts is, it allow me to place the ip of a localhost for vhosts and so

but for this particularly, AD wise, nope, i haven't learnt that!

i will try later

i tried using Slavi1234 but it failed

Attempting to connect to 10.129.46.44/phishing in the Cross-Site Scripting (XSS) module and it is getting timed out. Is there a problem with it?

Targets not spawning?

For me

Target spawned, well IP shows up, but I hit it with a curl and it says failed to connect. <whinny inner me> But Why??</whinny inner me>.

what has been going on lately, either the target doesn't spawn and now it does but cant ping/connect to it..

Are you using EU server ?

That happened to me before I changed to US

I am

me too

hi, can i dm you?

You can

thanks

I see this error on my dashboard? Are you seeing it too? What should I do?

We’re experiencing an issue where some modules may appear incomplete after completion.
This issue affects some users! The team is working on a fix. Thank you for your patience!

Yes and I have two modules I completed still showing not completed. Currently I can't get my XSS phishing exercise done and Diablo was helping me and now I am going to have to see if I can complete int through the ingame Parrot. I would if snorgles or grumpkins are starting to manifest on the web. Please no snipes, they are mortally aggrevating.

Leaving this here in case anyone fell into the same loop as me. Attacking WPA3 Wi-Fi Networks.
In the SA for WPA3 Attacks, you will need a wordlist. Now, the wordlist provided by HTB (/opt/wordlist.txt) is almost identical to the classic rockyou.txt. HTB wordlist has 14344393 words and the classic one has 14344392 words. I was using the classic one and never got the flag. To save time and find this word, just use diff /usr/share/wordlist/rockyou.txt /Path/To/HTB-wordlists.txt.

Cheers.

Hello, I'm working on the Skills Assessment - File Upload Attacks chapter (https://academy.hackthebox.com/app/module/136/section/1310).

When I upload a real image (jpg, jpeg, or png), I always get a "Only images are allowed" message from the back end.

I don't think this is normal. Are you experiencing this issue as well?

Hi, I am working on the exactly same topic and I actually had a doubt that when you first visit /contact you are actually visiting /contact/index.php and after you fill the form and click submit you get the "Thank you for submitting your feedback" message on the same page. I mean you are never redirected to /contact/upload.php and that is supposed to be the starting point towards the solution of this lab. I even tried fuzzing the site but still got no success. It was only when i manually searched for /contact/upload.php I encountered that page. So how are we supposed to find that page?

Do not submit the form, only upload the file (green button).

I created an image using the Windows Snipping Tool and it worked. Images from the internet weren't working; it was probably some kind of file header check that wasn't working. Anyway, it works now, I can move on to the next step 🙂

Good luck!

Your magic byte didn't look like an image's magic byte

Is anyone available for the last question of the Windows Lateral Movement skill assessment? I have the VNC password, but do not see VNC running anywhere

Yes it actually inspects much deeper than just the few bytes at the start of the image data

https://academy.hackthebox.com/app/module/67/section/927

can someone help me with this question?

its asking me to find the binaries that are blocked by the applocker other than the cmd.exe

anyone here?

https://learn.microsoft.com/en-us/powershell/module/applocker/get-applockerpolicy?view=windowsserver2019-ps

yo guys, im on logrotate abuse in linux privilege escalation. logrotate binary appears to exist however, theres no logrotate.conf in /etc/logrotate.conf as described in the module

this file is in /root that's why you don't see it

i guess the flag.txt is in /root no ?

the module tells you where it is if i'm not mistaken

it is too but i was stuck where you are and someone told me that this config file is in /root

Hello there, Can I ask someone regarding the Module "Linux Privilege Escalation" -> Recent 0-Days Section "Sudo"

Alright. I solved the sudo thing, but struggling hard since a few days with the logrotate...

Anyone online here usually? 😅

Saying "can someone help me" won't get you anywhere.
Just post your issue with clear details regarding the module, section, and specific issue you have.
People are more likely to help when they can simply respond to your question instead of having to ask you for details.

Include stuff like screenshots/command & command outputs of stuff you tried and why it didn't work

Is there meant to be no coursework for Exfiltration Attacks in LLM Output Attacks besides the challenges?

@hasty mauve Thank you very much for the hint.

Here a more detailed approach.

**Issue: **
Related to Module: Linux Privilege Escalation; Section Service-Based PrivEsc; Article Logrotate.

Done So Far:
Logged into the machine and transfered over the logrotten repository, I downloaded from Github (based on the link in the module). After that I compiled it using gcc logrotten.c -o logrotten. When looking for a writtable logfile I discovered the writtable logffile /home/htb-student/backups/access.log. So I wanted to use this one to execute logrotten. I crafted the payload using echo "cat /root/flag.txt > /home/htb-user/flag.txt" > payload. Then with this payload I tried to first add something to the logfile and then execute the logrotten as following echo "blablablabla" > /home/htb-student/backups/access.log; /home/htb-user/backups/logrotten -p /home/htb-user/backups/payload /home/htb-user/backups/access.log

I feel, that something is executed, but there is never the flag.txt written to the desired directory. Anyone knows, what I am doing wrong?

Screenshot

Hi , I finished the Information security Foundation module, but I didn’t receive my 100 cube? Should I wait , or will I receive it at a meter time?

Hello 👋
I've been going through the Introduction to Deserialization attacks module and I can't get the lab to load properly. Are there any steps I can take to troubleshoot this?

The lab gives very weird behaviour - it seems to not work on broadband but would work via mobile hotspot - now it doesn't load via mobile hotspot as well

I need some help with EvilTwin Skills Assessment. I have done Q3. I have a hash for Q1 but it won't crack. and i'm unsure about Q2. Any help for Q1 and Q2 would be much appreciated.

what happened to the academy's lab, i tried to start 2 times, it keep hanging and when it runs-there is no IP address.

I contacted support regarding spawning issue using chat, is there way to contact them again? I don't see the option "send message" anymore, only recent ones

two of my friends also encountered the same issue

issue with spawning or issue with chat?

issue with spawning

looks like it works now

thx for your response

Can anyone explain to me why I'm no 100% but the course isn't "completed"?

By contrast these are my "completed" modules:

Known bug/issue I believe

You can report in #1234357888114364508

Cool, thanks!

I figured out Q2. A reset helped. But I'm still stuck with Q1. Still have a hash but not getting anywhere

because the UI was updated lel

Any way to fix it?

Love you guys.

hii! can someone help me with "HTTP Attacks" module "TE.CL" section? can i dm someone?

Shouldn't have to Crack any hashes here.

yea, not for that flag. but it was the only thing i could get for PulseGrid-INT. and after it wouldn't crack even on my own machine with rockyou ... i kinda figured it was a deadend hahaha

ettercap didn't find anything, so its not TLS interception. any hostapd-mana or karma seems to get a response, but the attacks i thought would work require apache or wifipumpkin, which isn't installed. so i'm a little lost on what i'm meant to do for that Q.

I'd try ettercap again

thanks. i had reset a few times, and tried gui and cli. but i assumed i had done something wrong.

thx for the confirmation !

If it still isn't working you can DM what you're trying just to see if you're missing something.

thanks mate!

I'm on linux section 'Firewall Setup' it asks me about "1. Launch a web server on TCP/8080 port on your target and use iptables to block incoming traffic on that port." I launched a webserver with python3 -m http.server and added the rule; sudo iptables -A INPUT -p tcp --dport 8000 -j DROP; Now I'm trying to overwrite that firewall rulle with; ACCEPT, but I still can't access the website. Does anyone what I might be doing wrong here?

hi! i stuck at the same moment, can you give any hints?

Can you pm me and i’ll answer a bit later, currently at work

Stuck in indirect prompt injection module 1st question
Tried different payload from the same section
Has anyone solved? Can anyone direct me to the right path?

Nvm too dumb i was

Can anyone help me with a question from the metasplsoit framework module?

Hi there !

In Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows section there is a sub-section Accessing DC03 Using Enter-PSSession

Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator

I dont recall we had the admin pass, Does any one recall how we got it

yo guys, im on linux privesc, logrotate abuse. i tried all versions for the exploit but still not getting a shell

Try thinking outside the box, instead of a shell, try moving a file

Yeah, mv .xxx.1 to .xxx, no shell either

That's not what I mean

Also xxx.1 is just how logrotate works for file preservation

Set suid on bash ?

No

Think absolutely bare minimum of what you actually need to accomplish

Reading the flag file

Flag itself ?

:)

Didnt think about this ngl

The section gets a revshell though

Don't concern yourself too much with what the reading accomplished

Also sometimes flags be flag_xxxxxxxx.txt

The question tells you explicitly where the file is, no?

Also wildcards exist

Yeah, ive been into modules that say read the flag.txt but turns out later its not actual flag.txt

This is a thing

Reading flag payload also not working

I worded my hint in a specific way

You can also try reading the flag and outputting to a file

Hmm, i dont think that the payload is the problem at this point

I tried enough that are should have worked

Ive had worse time with this section than i did with the thick client broken java app section

Logrotate is just tricky

Iirc its because its a race condition

Hello everyone. I'm new to HTB, as well as to the IT world in general, and I'm very happy to be among you – people who are interested in the same things as me.

But besides the overwhelming joy, I'm also feeling a bit irritated by some of the tasks in the Academy modules. See the photo for an example. I've tried 1,000 attempts, different approaches, tried it myself, neural networks, and Google... all to no avail. Maybe someone can explain what exactly is meant here?

Login Brute Forcing - Custom Wordlists - 11/13
https://academy.hackthebox.com/app/module/57/section/3209
im running the attack with hydra, iam only able to run 1 thread, more than that it doesnt work (closes due to connection), ive tried to reset the module, still same behaviour, this attack would take about 10hrs to run... is someone kind enough to test it on their machine if its the same speed (115 req/min)

hydra -I -t 1 -L jane_smith_usernames.txt -P jane-unfiltered.txt IP -s PORT http-post-form "/:username=^USER^&password=^PASS^:Invalid credentials"

Is there anyone I can dm about HTTP Misconfigurations - Skills Assessment - Hard?
https://academy.hackthebox.com/app/module/189/section/2025

I've managed to elevate myself, but I'm stuck at the 2nd stage of the assessment.

NVM, solved

Module: Wi-Fi Penetration Testing Tools and Techniques
Section: MITM - Bettercap

Question: Perform the 4-way handshake capture as demonstrated in this section to compromise the Wi-Fi network named "Inlane-Internal". What is the discovered value of the WPA PSK?

i'm basically just supposed to perform a deauthentication attack against the target AP, but the problem is no client ever connects to the target AP. i follow the walkthrough verbatim, but no client ever shows up, so i can't perform the attack and capture the handshake. i've reset the target to see if it's a lab problem, and i've also ran the wifi.recon on command for much longer than the lab mentions, but again, no client ever connects. i've also waited after running the deauthentication command for quite some time and nothing changes.

You can DM what you are trying.

Its not looking for that number. Its looking for the output of the decrypt function

can do, i'll reach out when i get home later. thanks!

Is anybody else having issues starting the Pwnbox and target machines for a module? It doesn't seem to start on my end after several tries

yeah mine aren't spawning either

ok that's not good, I guess I'll wait until it comes back up

lab started now, had to try a couple of times tho

nice, it's up again for me too

i tried it on the skill assessment part after getting a webshell but i wasnt able to get a revshell. tell me if you do tho

Basically, in the module "Understanding Log Sources & Investigating with Splunk", in section 2, we need to install an app for Splunk — specifically the ** Sysmon App for Splunk **.

However, when I go to the Splunk App Store, I simply can't find it.

Trying to spawn the target system and erroring every time (at least 7-8 tries so far)

https://splunkbase.splunk.com/app/5709

(or do you need the opposite--Sysmon app for Splunk...)

im trying to find the same that is used in the module

"In this segment, we'll be leveraging the Sysmon App for Splunk developed by Mike Haag."

Gotcha; wondering if it might be outdated...some are getting a little long in the tooth

yeah might be , the soc module itself last change was 3 years ago

Yeah, it's archived in Splunkbase: https://splunkbase.splunk.com/app/3544

Github repo is 8yrs old: https://github.com/MHaggis/sysmon-splunk-app

ty

Getting 504 Gateway Time-Out errors on spawn attempts 🙁

when it started?

try changing vpn regions, that sometimes fixes this issue

I was just trying to knock out a module so it's the only one I've tried tonight, but I see others mentioning issues over the past several hours.

I'm just trying to launch the target spawn via the web UI (no VPN)

stranger things have happened

:)

i`m trying to extend mine time and isnt going so maybe is something general?

Yeah, seems a broader backend system issue

maybe

there's a max time limit for labs; unless this is your first time extension

if the extension was out of the rules , idk how to say it otherwise , the error would say it

You can see the issue reported 5hrs ago here: https://discordapp.com/channels/473760315293696010/774040263278592041/1489742150735237140

as i remenber is if your target time is less then 60 min or smth

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

if you want to be sure that it's actually reported to support, as they don't regularly check/monitor the discord

https://status.hackthebox.com

i am not able to see the ovpn file download location in new ui

it should be here

holy moly new ui should be easier not difficult 😭

Idk why i cant start any machine on Academy, i waited a few hours but the issue isnt fix if it's just for me then what couldve went wrong it just says:
"Ooops! Something went wrong. Please try again later!"

I checked Response of spawn req it shows:

<head><title>504 Gateway Time-out</title></head>
<body>
<center><h1>504 Gateway Time-out</h1></center>

Any idea what should i do? And how long to wait before reaching out.

from my side , website is not even opening the pages , it taking 1-2 min to even load the page

I'm also unable to spawn any targets

seems like vpn isn't required for this section

so is it permanent thing or temp ?

now i had to use the pwnbox where ovpn is not available?

no

yes; it's permanent
no; you don't have to use pwnbox when ovpn is not available -- you're still free to use your own machine for targets that aren't on the 10.129.x.x subnet, those are public containers

i don't see even pwnbox now for https://academy.hackthebox.com/app/module/109/section/1033 if there is target ip how would i interact with it when i don't see pwnbox or ovpn file

that's a public container, so you can visit it in any browser or however the module expects you to interact with it

oh

also that looks like mobile view, which fucks up a LOT of the page formatting as HTB isn't meant for mobile

omg from split screen to full screen i see the pwnbox option

yeah, HTB academy does NOT like being less than full screen

pretty sure there's a issue with spawning targets rn

that's not the issue they were having

lol unless you're talking about something else

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

^

also page loading is also slow for me

refresh of page should be approx 1-4 second but its 10 seconds

HTB staff don't regularly check/monitor the discord for issues; as stated reach out to support

i am NOT staff

i remember staff saying if the target machines don't spawn, we're allowed to target real-life organizations in the meantime

Might just be me, but I get a "page doesn't exist" message when I click this.

looks like this is fixed now

came here just to check this. at least its not just me.

i cannot spawn targets too 🥲

too, i cant spawn target, what happen?

i think they have issues in academy

yah, when they fixed it?

i tried it now, the target is accessible

this is not a bug, it's a feature 🐧

it's work

Gng is getting tired of being confused for staff

Hey, can anyone help me with this xfreerdp3 connection?

xfreerdp3 /v:10.129.51.203 /u:htb-student /p:'HTB_@cademy_stdnt!'

It is showing black screen

click enter or any button i think it should work

press enter

so i just started the linux fundamentals and it gave me a question to find the kernel release

which i did uname -r

and it gave me 6.12.32amd64

here is the question

yet it said i was getting an incorrect answer. Am i doing something wrong?

For me the answer was 4.15.0

Have you connected to the ssh?

i think i did

ill have to check, my pawnbox time is closed

Hi friends, having some troiuble on Pass The Certificate via Pentesting role path

when i run impacket-secretsdump -k -no-pass -dc-ip 10.129.234.174 -just-dc-user Administrator 'INLANEFREIGHT.LOCAL/DC01$'@DC01.INLANEFREIGHT.LOCAL

i get
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

[] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[] Using the DRSUAPI method to get NTDS.DIT secrets
[-] 'NoneType' object has no attribute 'getRemoteHost'
[] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[] Cleaning up...

when i try using -use-vss instead, the prompt says just-dfc-user switch is not supported in VSS mode

OK DISREGARD i needed to an entry in /etc/hosts

Hello all, I am currently at the Oracle TNS module within the "Footprinting" of CPTS path. I am following the guidance of the module and am getting no luck even following the commands. Not 100% sure what I am doing wrong :/

https://academy.hackthebox.com/app/module/221/section/2666

Need Help
Android Static Analysis modules.

Question 1 Deobfuscate the source code of the APK found inside the "myapp_deobfuscate_1.zip" archive. What is the API key value?

i followed and rebuilt the app however the api_key=" " is empty

i did multiple double checks and even verified it with solution somehow the apk does not show the key

If someone has completed the WEP Attacks module, specifically (ARP Request Replay Attack) I need some help. Im not getting the expected results. Can someone DM me, I dont want to get in trouble for leaking the answers again

Hi can I send you a pm, I'm also having issues with this Lab

Hey guys, I'm having trouble with the Firewall and IDS/IPS Evasion - Hard Lab.
I found the port, however when I enter the ncat command to find the service version, it says my source port (53) is already in use and times out. I'm doing exactly what's in the lesson verbatim, see below:

$ sudo ncat -nv --source-port 53 10.129.29.224 50000
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
libnsock mksock_bind_addr(): Bind to 0.0.0.0:53 failed (IOD #1): Address already in use (98)
Ncat: TIMEOUT.

This means that port 53 is in use, usually dnsmasq is the culprit

Hi i'm at module pivoting, tunneling and portfarwding i'm doing ICMP section and i have a question which might be stupid, instead of doing what HTB explained using ssh -d with proxychains i thought i can use ptunnel-ng to reach the internal DC directly by running from my attackbox as such

sudo ./ptunnel-ng -p PIVOT_IP -l2222 -r DC_IP -R3389 <<<<<< AttackBox

sudo ./ptunnel-ng -r pivot_ip -R3389 <<<<< pivot host

and it kinda worked, but not really i got through but i got this output

[inf]: Starting new session to 172.16.5.19:3389 with ID 44777 [inf]: Destination administratively prohibited! [inf]: Incoming tunnel request from 10.10.14.34. [inf]: Starting new session to 172.16.5.19:3389 with ID 44777 [inf]: Destination administratively prohibited! [inf]: Incoming tunnel request from 10.10.14.34. [inf]: Starting new session to 172.16.5.19:3389 with ID 44777 [inf]: Destination administratively prohibited!

of course i did it the way HTB explained and everything worked i'm just curious as to why this didnt work like what happend here

I need help with llm output attacks skills assessment

Hello, i'm seeing that the new ui mostly has the ovpn file download removed. Is there a way for me to access the ovpn file or will this affect certain labs only? Will i need to entirely rely on Pwnbox for any of the htb exams?

i'm also have same issue but i can be solve with the last letter 😄

I got the admi_key but idk how to exploit the admin chatbot ??

So the Paranoid Decoder is the main issue. It does the job but later remove the API string.

Why the hell did I get banned from #general

@fathom pendant I uploaded some screenshots of this guy asking me fishy shit in general and it autobanned me?

I am stuck on the last SA question of Kerberos attacks, can I dm someone to know if I am on the correct track ?

nvm ; )

hi everyone, can I have a hint for this one plz (Command Injection module). The question says:-
Use what you learned in this section to find name of the user in the '/home' folder. What user did you find?

I tried multiple times but all my tries seem wrong, I think I'm missing smth.

dm please

Okay

Is anyone available for a DM regarding the MSSQL, Exchange, and SCCM assessment Q3?

For sure I will mate.

@cloud urchin can you check and ban @merry siren ?

Thanks (I tried to use the @moderators tag, but it does not seem to work)!

BTW you can DM any mod/admin for discord moderation related issues, don't need to ask

Oh fair enough. I thought since I haven't anyone in Discord's fl, you will never see a DM.

depends on the user's settings

Regarding the ETA days to complete a full path, for example its 23d 5h. The 23days is estimate 24hours, or 8-9hours a day to study on average?

They mean 8 hours when the say a day. I find those numbers to swing based on the individual though, so I wouldn't put too much stock into them. The main thing is learning and absorbing the material taught.

Can I get some help on the File Inclusions - Skills Assessment?

Been grappling with it for around 7 hours now...

And most of that has felt like I'm at the final step

I've found like, 2 supposed final steps, but neither is working for me

Wise words, just need some basic calculation what i can do until my annual plan expires 😔

Btw you didnt get "banned" just timed out. Learn the difference

I think I missed an announcement. With the new Academy dashboard, it seems to have taken away the point system. Now I don't know how to keep my streak going.

I looked through all the modules and I now don't see the +10 points, etc on individual pages or modules.

Ok, I got through it