#modules
there's plenty of hints in this channel related to that one; but i'll give you one now: source ports
maybe some shortcut
no shortcuts
ok 
i gave you enough info to figure out where to look in the reading to figure it out on your own
let me try
thanks
solved got the flag
thanks bro
I’m attempting the sqlmap essentials final assessment. I’ve found the entry point on the website but I just can not get the databases, tables or the flag. I’m totally stuck. Can anyone help please?
for the skills assessment for the Using Web Proxies module, for the first question with lucky.php web page, I intercepted the response to the request but my modification of the response won't enable me to click the button to get the flag
I know I am supposed to enable the button by removing the "disabled" part but I did that and it still won't work. I also tried changing it from a post request to a get request
both in form method and in method
what is my issue here?
Sqlmap should give a tip in the output to use a certain script when it finds out its vulnerable
Can anyone help with the PHP Webshell module on the Pentester job path?
I can't seem to get the webshell up and running despite following the instructions. For example, it already shows a vendor named NetVen with a torn piece of paper as its logo.
I have connected to the vpn server but I get "Unable to connect" when i try to visit the target ip
Hi everyone, I'm having troubles with the skill assessment SQL injection fundamentals. Could anyone give me a hint?
DM, if you haven't solved it
Hey all, I feel like I found the solution some time ago for this phishing lab (https://academy.hackthebox.com/app/module/103/section/984), but none of the payloads I'm trying are causing the simulated user to submit their username/password. When rendered the page looks right, and if I manually enter my username and password my listener definitely sees it. Is the user just being picky about how it submits URLS? Any help appreciated.
Note: The user will directly navigate to my page if I send them THAT url, and that works, it's just not working for my payload URL.
Can I get some help on the Bypassing Captive Portals - MAC Spoofing. I'm following along, and I can't seem to get the flag. If someone has done the module, i'd like to know where I'm going wrong.
Someone DMed me and helped
But thank you
It was a minor thing I wasn’t getting
You should use /spoiler
@mossy bay be mindful not to share flags from the module; and that module reuses targets a fair bit so you might have found a flag for a different section
Hey guys, I can't rdp in the lab "Windows Priv Esc> Windows User Privileges>SeImpersonate "
ok hi, i currently need help, im doing ssh right now and im connected to ssh not with VM but my own pc with the vpn, but i need help to find the path for the htb-student mail
env
Hi, anyone having issues with starting Pwnbox? I'm currently doing my CWES labs on HTB Academy.
if this persists contact support
have you tried doing that?
general question being is did you try changing pwnbox regions
Anyone? Please?
I tried changing the regions, but the result stays the same. What is the official way to "contact support" ? I never had issues on the HTB platform, so reaching for help is totally new to me.
am I able to change my payment method for academy in the future?
yes, here: https://academy.hackthebox.com/app/settings
Hey, can i dm u about this ?
more than likely firewall settings
i am turn on the firewall but i can not curl -v https://38.46.226.31 ....
my linux can 🙁
Hi. Do you need help in this?
Yep
dm please
well... for one that's a public IP not sure i've seen that particular one in the pool for academy modules
i saw the problem, it's HTB issue, change server fix it
Can i dm someone on WiFi Penetration Testing Tools and Techniques - Skills Assessment?
hello guys, actually i wanted to know how you guys use htb academy, i recently enrolled in cpts path, i am ejpt certified and thinking of go for cpts next but the information on htb academy is overwhelming, maybe because until now i learn mostly from video lectures that i found modules little overwhelming but i found it difficult to make notes out of it. so i would really appreciate to know how you are using htb academy?
Hey! My old Academy VPN file stopped working today. I wanted to download a fresh .ovpn, but the VPN tab next to the Pwnbox button is completely gone. Did they move it in the new UI? Where can I find it now?
hello , your friend is new here , i just want to know , from your experience , how much "2 days" takes to complete a module ?
take as many notes as you need and mess around with the tools/techniques in the module. you learn by actually trying and failing and trying again
1 day = 8 hours
in my experience
I made myself a Book of cheat sheets in Obsidian on what to check when testing a service, common vulnerabilities, tools etc.
When I read a module I add that to my book if I think that it might be a good addition but I keep the structure my own. for example I structure my notes on Services like this:
Enumeration & Reconnaissance
Initial Access & Brute Force
Attacking & Exploitation
Post-Exploitation
References
If you are still stuck you can DM.
i cannot connect to htb vpn, what happen?
AI Module 4 task 5 (Malware image classification) any help?
anyone having issues spawning targets?
me too
yes
on AD module?
win priv esc. i actually managed to get one to spawn shortly after sending that message but it's been like 2+ hours of constantly clicking "spawn" and nothing happening
i've got this problem since monday
it'll frequently take a few tries for me to get a target to spawn but today has been unusable
hey all. I'm having an issue with the PtH section of Password Attacks. I'm trying to establish the reverse shell in question 6, and I have all the correct parameters in my command... but it just doesn't work. Does anyone else have serious issues with trying to work with the Windows VMs on htb, or is it just me?
I honestly have given up on completing win priv esc because I can't get stuff to spawn correctly or work correctly. I'm about to run into the same issue with password attacks too, because these windows RDP sessions just don't like me for whatever reason.
Hi i need a help in AD Enumeration & Attacks - Skills Assessment Part II
Q:Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
i dumped the hashes using meterpreter but i can't do pth with evil winrm
i dumped the administrator hash
Ok, well why would it most likely not work?
Hi, i think there are some connection problems for the CPTS Password Attacks Module : section Network Services.
The 4 questions ask to bruteforce login credentials given their username and password lists.
But the machines keep crashing after some careful bruteforcing and multiple machine resets, also tried the others questions with different protocols (rdp, ...) all crash at one point.
```
hydra -t 2 -L username.list -P password.list ssh://10.129.43.185
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 21068 to do in 07:59h, 4 active
[STATUS] 28.00 tries/min, 84 tries in 00:03h, 21028 to do in 12:32h, 4 active
[ERROR] all children were disabled due too many connection errors
0 of 1 target completed, 0 valid password found
```
Then trying to restore the session:
`hydra -t 2 -L username.list -P password.list ssh://10.129.43.185 -R`
```
[DATA] attacking ssh://10.129.41.15:22/
[ERROR] could not connect to ssh://10.129.41.15:22 - Timeout connecting to 10.129.41.15
```
Have you any tip so that it can work properly ? I'm already making the bruteforce from the PwnBox with US vpn
Thanks
edit: I'm gonna try switching the machines and the pwnbox on europe server , will see
Hi Guys, please advise in v2.0 where i can download the VPN file
Basically, US servers have a problem on this Module/Section at least because no problem on EU servers. Also use netexec for rdp connection instead of hydra which is really too fast for the server it seems
I found the vpn academy file download https://academy.hackthebox.com/app/module/19/section/102
so for Using Web Proxies module's skills assessment question 3, I am trying to fuzz the MD5 hash to get the completed hash and then try to decrypt each result automatically. The thing is I want to add the two payloads together (the incomplete hash + the last character to complete the hash) to make a third payload and then decrypt the third payload each time. The problem is I am not able to figure out how to do that.
can someone help me out here?
I tried making two payloads: one for the incomplete hash and one for the remaining single character at the end. I wanted to combine the two payloads but I don't think there's a way to do that. I fuzzed it and got a bunch of 200 OK HTTP status codes. however, I don't think that's the right way to do it.
You can do it all at once using burp
Hint: you can add a prefix to your payload
Has anyone recently done the 'Abusing HTTP Misconfiguration' https://academy.hackthebox.com/app/module/189/section/2022 module ? I'm stuck on the 'Common Session Variables (account takeover). Managed to reset the admin password to a known value but now its asking for MFA. Is the expectation to brute-force / fuzz the MFA value? Any nudge or direction would be appreciated
Just the hint I needed. Thanks.
Good evening everyone, today I posted about 6 screenshots divided into 2 parts and I was muted. Is that normal?

Yes because of scammerz, we have to have strict rules with multi-image sharing
I’m sorry, I clearly hadn’t read the rules carefully. I was excited because I managed to get a rev on a fully patched Windows system, and I kind of lost my head.. 
Its not in the rules explicitly
Ah okay… now I know anyway! I’ll look for opinions on what I achieved without sharing too many screenshots 😂
Be mindful of sharing things though from modules, especially those above tier 0
There wasn’t anything sensitive, just the Sliver session, my Windows OS build, and proof that all Defender protections were enabled.
I mean, I carried out the procedure on my own machine.
So... it doesnt really involve academy modules 😉
I think I fried my brain a bit today 🤣
I mean, I didn’t think it was normal to bypass the latest version of Windows. I sent a vulnerability disclosure to Microsoft. Maybe they’ll make fun of me..
my target machines are not spawning with the port number what should I do?
Very normal if you have a little bit of Windows and Coding knowledge.
(In the maldev sense of things)
Can even do it without Sliver.
It wasn’t that simple, it required a few extra steps. Like 1/10 in C skills 😅
I do want to learn, but first I need to master my skills with Linux boxes and Windows AD. Then in a few years I’ll start down that path… assuming I still have a brain left…
you will still have a brain (im pretty sure)
can anyone help with getting the CEO banned exercise in COAE, ive done everything asked and still not getting the flag, to the point his data is off the system
Ah yes if you don't know a bit of C and how Windows works, yes I totally understand
Hi, I have a question about the XSS Session Hijacking question - I am going through PayloadsAllTheThings and using the different remote script XSS provided, updating my IP and including the /<field> in there to identify which blind XSS triggers. I can't seem to find the right payload to use. Would anyone be able to point me in the right direction?
Any help for me https://academy.hackthebox.com/app/module/292/section/3312
AI application for infosec
the skill assessments got 0.0 accuracy although local it got 0.9x
RDP and SOCKS Tunneling with SocksOverRDP
https://academy.hackthebox.com/app/module/158/section/1439
when I unzip SocksOverRdp on the pivot machine the .dll disappears? I tried copying out separately, looks like its there then I run regsvr32 and its gone again? is this Defender, I assume AV bypass is out of scope for this module
You can stop Defender
I know but I wasn't sure if it was meant to be completed with defender running or not
definitely meant to stop defender first I guess
Heartbleed Bug
https://academy.hackthebox.com/app/module/184/section/1950
I am trying to complete the exercise section in the Heartbleed Bug module. To do this, I first start the machine. After waiting for a while, when I run the scans as described in the module, I receive a message stating that this server does not contain the Heartbleed vulnerability. Unless I have done something wrong, I think there is a problem with the system.
it’s not that bad, maybe one day I’ll write them by hand 😇
Giving a nudge on my quest for a bit of help
Did you ever figure this out? I'm currently having the same issue.
Nvm
Restarting both target and pwnbox fixed it 🚶♂️
Yes - so looks like msfvenom now supports sliver stagers so you don’t need to perform this additional task anymore.
Instead, when creating the payload via msfvenom, use windows/x64/custom/reverse_tcp as a payload. It should then generate a payload Sliver will recognise. Just have the listener ready, and you should get a session
Target spawning issues anyone?
The issue persists - EU Servers
is there still a network issue? spawning targets and interacting on ssh sessons is really janky for me (connected to the us servers)
same problem here
now it's working on EU2
its not working...
yo guys, im on linux privesc, skill assessment
im having a strange issue, is there anybody i can dm ?
You can DM.
Hey all, with the intro to C2 with sliver, using my own sliver server I am finding a problem with generate stager it is stating that --lhost is not a recognised command and also when I save to txt it is not a txt file
any thoughts?
Are you using the version used in the module or a different one?
That might be the problem I am using the latest
Hi, I just checked and the attack works fine on my end. Please reset the lab and try again. Make sure you are using the correct Java version 🙂
im new to the htb
can anyone explain me what it does ?
Module: Using CrackMapExec
Section: Skills Assessment
Question 1: What's the password of the account you found?
hello everyone, need a little bit of help , i already got the list of users , but when i try to find password policy i get nothing
command used:
proxychains nxc smb 172.16.15.3 -u '' -p '' --pass-pol
output:
```
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.15.3:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.15.3:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.15.3:135-<><>-OK
|DNS-request| INLANEFREIGHT.LOCAL
|S-chain|-<>-127.0.0.1:1080-<><>-4.2.2.2:53-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-4.2.2.2:53-<--timeout
|S-chain|-<>-127.0.0.1:1080-<><>-4.2.2.2:53-<--timeout
|DNS-response|: INLANEFREIGHT.LOCAL does not exist
SMB 172.16.15.3 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:None) (Null Auth:True)
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.15.3:445-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.15.3:445-<><>-OK
SMB 172.16.15.3 445 DC01 [+] INLANEFREIGHT.LOCAL\:
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.15.3:139-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.15.3:445-<><>-OK
```
dm please
Vpn allows you to use your own machine/vm instead of the in-browser pwnbox
hi so for question 3 of the skills assessment for Using Web Proxies, I am fuzzing it and trying each combination with the prefix and the wordlist, and then I try every combination from the wordlist and encode the result but the problem is I don't get any 20X HTTP status codes in the result, or ANY status codes whatsoever.
so how do I know which one is the answer or when I've gotten the answer?
I'm doing it in Burp. Should I use ZAP instead?
Burp will work
You're on the question that has you decode then re-encode yeah?
The wordlist attack has a 'prefix' option that you select before having it run through the payload
I know I'm doing that
but its still not working
I'm gonna use the bathroom but @fathom pendant can I DM you?
when I get out of bathroom?
Im not at my computer rn but sure
ok I'll DM you now and we'll probably solve it when you're at your computer
hey guys, im pretty new to HTB, so my doubt is probably very beginner level but i would appreciate any help i recieve T_T
Module: Linux Fundamentals
Section: 6 System Information
Question 6, What is the name of the network interface that MTU is set to 1500?
i tried ifconfig and ip and i noticed there were three interfaces with MTU 1500 (no idea what that is) and all three answers i input into the answer box were wrong. (also took help from ai, didnt work.)
Ssh into the target first
I did.
So the username says htb-student@nixfund?
yeah it does
do ip a
MTU is the speed of transmission for the interface
but there should only be one interface with 1500
thank you, i think already tried ip a but ill try it again.
Can someone help with LLM Output skills assessment? I found a vulnerability, but there is nothing there :D. I already had a similar issue when the LLM was hallucinating I guess
i see! It worked, btw. Thanks a bunch! why ip a specifically though?
¯_(ツ)_/¯
it's just the standard way to list interfaces
ifconfig has long since been deprecated but i'd have to see the output it's giving you to tell you where you went wrong
@fathom pendant Any chance you can help me ? "Has anyone recently done the 'Abusing HTTP Misconfiguration' https://academy.hackthebox.com/app/module/189/section/2022 module ? I'm stuck on the 'Common Session Variables (account takeover). Managed to reset the admin password to a known value but now its asking for MFA. Is the expectation to brute-force / fuzz the MFA value? Any nudge or direction would be appreciated"
haven't done that module
i think it was a mess up on my side, i ssh-ed into the target, but i had to reload the pwnbox again, so probably it reset? ifconfig worked the same though, just a little more information (packets and stuff)
Do you know anyone i could direct it to? I've tried approaching others who've previously asked similar question but not had any responses
if you reset the pwnbox then you'd have to reconnect to the target via ssh; the pwnbox doesn't automatically ssh for you
i got it, thank you :)
just ask here and wait... that's really all there is. I believe you can use the discord search feature to find if people asked similar questions here. But I believe there have been a few responses in the past regarding this
yeah - I spent an hour last night trawling through previous ones but didn't see any responses on it so far. thanks anyway
i will say discord's search feature is lackluster
Indeed - there doesn't seem to be a way to search for responses to specific posts
I spent an hour fighting with LLM and the problem was that for some reason needed table for sql injection wasnt generated lmao. After reset its with the same payload its just magically there
I'm connected to the vpn server with openvpn and can ping the target ip in the terminal, but when I try to visit it in the browser I get "unable to connect"
can someone give me any hint ? i tried ASREPRoast but still , password spraying with example password from the module and still nothing
You can DM if you're still stuck.
Is anyone else having issues with pwnbox?
Hi. Is anyone using sliver v1.7? I have a problem with Intro to C2 Operations with Sliver. Stager didn't work. Msfvenom payload is knocking to stager-listener but session wasn't created
Is anyone having issues with can't connect to target? I can't connect to target on both my vm and pwnbox
Module HTTP Attacks, Section HTTP/2 Downgrading
Hmm nevermind, it use HTTPS instead of HTTP, I can access now
in the skills assessment for PTPF, can ligolo be used to double pivot? I assume its capable just trying to wrap my head around how exactly I would do it
Not sure what PTPF is, but Ligolo can double pivot yes
pivoting, tunneling, port forwarding
just 2 proxies ? simple as that?
each network hop needs a new proxy right?
yeah I knew we arent restricted but just checking my thinking
so just add a proxy to my original agent to double pivot?
You need to setup a listener on your agent but that isn't really covered in the module. May be better to ask in another channel for Ligolo help.
I over complicated it I dont think I even need a double pivot
Am I 1337 yet? 😂
Hi guys I need help in the module “Introduction to NoSQL injection” skill assessment 2, I’m trying to get the reset token but I can’t seem to get the script to work
I've just completed the SID Filter Bypass (CVE-2020-0665) section in the Trust module on CAPE. I ended up having to use mimikatz and kekeo for forging the inter realm tickets like shown in the course as I didn't manage to do it from Linux with ticketer.py and getftST.py from dirkjanm's forest-trust-tools repo 😕.
Curious if anyone has done this from Linux before to help me troubleshoot what I'm doing wrong, I can't figure it out...
Currently I am doing ADCS Attacks (CAPE Path), can I dm someone regarding question one?
Applications of AI in InfoSec- the spam data sheet is not available to download.... is there a different link? i assume i need this to complete the last part where i evaluate my model ? https://academy.hackthebox.com/app/module/292/section/3297
Hey, I have a glitched module https://academy.hackthebox.com/app/module/144/section/1256. All the answers were pre-filled, accepted and obviously wrong. Is there any way to reset the module?
No, once the questions have been answered, they cannot be reset. Not even if the question has been changed.
I just found that the annoying next button is removed from showing all the time while reading the sections, its now at the end of the page. 🤗
Then I guess this is a bug that needs fixing
Also does anyone know why do I sometimes see the option to use VPN in academy and sometimes just the pwnbox?
If the target is a Docker container (PublicIP:Port), you don't need a VPN. In that case, it won't be displayed.
You can use /feedback to send this to the right place. But it has already been reported many times.
Hi guys I need help in the module “Introduction to NoSQL injection” skill assessment 2, I’m trying to get the reset token but I can’t seem to get the script to work
Has anyone recently done the 'Abusing HTTP Misconfiguration' https://academy.hackthebox.com/app/module/189/section/2022 module ? I'm stuck on the 'Common Session Variables (account takeover). Managed to reset the admin password to a known value but now its asking for MFA. Is the expectation to brute-force / fuzz the MFA value? Any nudge or direction would be appreciated
Going through the spam dataset module : https://academy.hackthebox.com/app/module/292/section/3297
The link you are using to the study is dead - https://archive.ics.uci.edu/dataset/228/sms+spam+collection
sooo..... what should i do here 🙁
Its been around a while, and has been brought up
download it yourself from kaggle
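```python
# Jupyter/IPython magic; in a plain shell run: pip install kagglehub
%pip install kagglehub
import kagglehub

# Download the SMS Spam Collection dataset from Kaggle; returns the local path
path = kagglehub.dataset_download("uciml/sms-spam-collection-dataset")
print("Path to dataset files:", path)
```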
Im having problems connecting to the HTB VPN via openVPN from my Kali Linux VM on my Windows 10 computer
Change the VPN server/region and then try again
Already changed it from Aus-Eu1-Eu2-Us1-Us3 including UDP and TCP, openVPN never gets past and constantly restarts
In that case, please contact HTB Support
impressive to connect to Aus server since i don't believe there's an Aus vpn server for academy lol <3
Oh no for Labs I tried academy and labs VPNs
well for all intents and purposes: academy vpn servers and lab vpn servers are separate
hello, still stuck -> still nothing , i used the hint , but when i tried the commands i get no results.
i dont know what i am doing wrong
finally after lot of errors and trials found it , thanks a lot
Hey guys, is this feature gone in Academy 2.0? I remember that after each module, you used to get a lot of machines related to those specific modules
Hello guys i need help
Module :Linux Privilege Escalation
Section:Service-based Privilege Escalation, logrotate
I run payload and make the necessary settings, but it doesn't work.
It's very inconsistent, took me 20 reruns to get it to work
It doesn't teach much technically since you're just escalating privileges through a vulnerable version, but I've been grinding on it for 24 hours straight. I’d really appreciate any help
the reason it's inconsistent is because it's a race condition
Is there something I missed?
generally i wouldn't recommend trying to get a revshell out of it
Hey guys in the module Attacking Common Applications: Exploiting Web Vulnerabilities in Thick-Client Applications i am not able to compile the Java code from source and getting a lot of errors even though the required files and paths exist.
Go on youtube and search:
ippsec fatty htb
aight thankyou
anyone knows why can't i access the target?
https://academy.hackthebox.com/app/module/170/section/1674
module: Attacking authentication mechanism
section: SAML lab setup
is it because the target doesnt have port or smth
hii
i cannot do the target from Getting Started
is it skill issue??, im with the vpn
@frozen hinge can u check dms? i wanna ask u abt smth
okay i forgot vpn exists
it was skill issue i didnt download the academy vpn
We both fall for it
type shi
Working through the HTB Academy Footprinting module (Section 9 - DNS). Question 4 asks for the FQDN of a host where the last octet ends in 203.
My approach:
Ran dig any against the target to get initial records
Ran dig axfr against the root domain and discovered subdomains: app, dev, internal, mail1, ns
Successfully zone transferred internal.inlanefreight.htb which gave me dc1, dc2, vpn, workstations etc
dev.inlanefreight.htb zone transfer failed so I fell back to brute forcing
Ran dnsenum with subdomains-top1million-110000.txt against every discovered zone — nothing ending in 203
Tried dns-Jhaddix.txt — threw thread errors and returned nothing useful
My question is around methodology — is there a logical process for determining which wordlist to use against which zone, or is this genuinely trial and error? In a real engagement would you just systematically run every available wordlist against every discovered zone until something appears? Is there a smarter approach I'm missing that the module doesn't make explicit?
@tough blade that module is above tier 0 be careful with spoilers
hi, i have a question and id like to upload an image but theres no option to when i click the '+'
ill ask my question anyways:
I'm working through the Linux Fundamentals module and Im trying to spawn my VM. I'm on Windows 11 so I downloaded openvpn and launched my vpn through it. I pinged the IP address from target and I got the 'apache2 ubuntu default page' (it works! this is the default welcome page used to test the correct operation of the apache2 server installation on ubuntu systems...). Does this mean I launched the VM correctly? I'm not sure what to do next, how can I open the terminal and run commands
Hey guys, I'm currently stuck on the Exploitation of PDF Generation Vulnerabilities
section.
I managed to find the exact flag path via SSRF, but when I try to read the .txt file using the file:// wrapper, it's still not working for me. Could anyone give me a small nudge?
Hi everyone
I'm currently in the login brute forcing module and I want to ask about the difference between hydra and medusa.
which is better and when to use each ?
Hi guys I need help in the module “Introduction to NoSQL injection” skill assessment 2, I’m trying to get the reset token but I can’t seem to get the script to work
anyone who can answer to a q on the topic of SCF from WindowsPriv Esc module?
Yo guys, i came across this in the windows privilege escalation:
I confirmed that I had the SeImpersonatePrivilege, which can be leveraged for local privilege escalation. I downloaded a custom compiled version of Juicy Potato to the host to assist with privilege escalation, and was able to add a local admin user. Adding a user was not ideal, but my attempts to obtain a beacon/reverse shell did not work.
If i understood, that is a case where he did get command execution through the mssqlclient.py using the xp_cmdshell
Actually at this point you can spin an http server hosting a reverse shell, and download it from the mssqlclient with wget, and run it from there, you will get a reverse shell
Without the need to add a new user
Dunno if the above case had constraints behind this not working
That's not a vm... a vm is a virtual machine on your computer. The target is a system thats designed for whatever you're doing. The apache page is expected for the module. I suggest looking through the 'setting up' module for a rough idea of how to set things up
can someone help with the skills assessment for Applications of AI in InfoSec, my model keeps coming back with 0 percent in the red teamer AI path?
hi for the Digging DNS Section of Information Gathering - Web Edition module, I am trying to do a reverse domain lookup for the IP address or to find the PTR record of it, which is supposed to map back to the original address that was the answer to the previous question but its not doing that. Here's some of my terminal output:
```
greg@Windows:~$ dig @134.209.24.248 inlanefreight.com
;; communications error to 134.209.24.248#53: timed out
^Cgreg@Windows:~$ dig 134.209.24.248 NS
; <<>> DiG 9.18.39-0ubuntu0.24.04.3-Ubuntu <<>> 134.209.24.248 NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19923
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;134.209.24.248. IN NS
;; AUTHORITY SECTION:
. 30 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2026041101 1800 900 604800 86400
;; Query time: 93 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Sat Apr 11 15:30:50 PDT 2026
;; MSG SIZE rcvd: 118
greg@Windows:~$ dig +x 134.209.24.248
Invalid option: +x
Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
{global-d-opt} host [@local-server] {local-d-opt}
[ host [@local-server] {local-d-opt} [...]]
```
Can someone help me out? I know how to do the next question. So that's not a problem. I'm sure this is some stupid minor detail I'm not getting.
I also think for the next question when I do it right it gives me a different answer actually.
So if I could talk with someone about this soon that would be great.
They were talking about getting a reverse shell using the escalation to get an Administrator shell, not that they didn't already have a reverse shell from mssql. There could've been a myriad of reasons why their reverse shell didn't work through JuicyPotato ngl though.
can i get help on a module from CWEE? its called "Introduction to NoSQL Injection" the skills assessment part 2, no one seems to be helping me
What exactly isn't working? You can send me a DM
Hi can anyone help me with this tonight? Just following up.
you can DM me
Hmm makes sense
For some reason I can't write in general and machines channels, can you check?
Module: https://academy.hackthebox.com/app/module/296/section/3401 (Pentest in a Nutshell)
I don't understand why it doesn't work. Neither xfreerdp nor msfconsole exploit for Gitea
I'm connected to HTB VPN
I've been trying to solve it for 2 hours and I just have no any ideas how to fix it
It displays 'filtered'. But why if the article tells me to connect via rdp ...
```
nmap -Pn -p 3389 10.129.36.73
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-04-12 12:12 EEST
Nmap scan report for 10.129.36.73
Host is up.
PORT STATE SERVICE
3389/tcp filtered ms-wbt-server
```
Do you have with student subscription access to AI path?
No I don't
I've tried to change HTB VPN server, reset remote machine
I've successfully connected the first time, After that I disconnected and tried one more time - get an error again
I've found the problem! Multiple openVPN. I thought if I click Ctrl+C I stop VPN. But it doesn't work like that. Just needed to killall
Hi can someone help me with this module: https://academy.hackthebox.com/app/module/80/section/772
The first exercise for Broken Authentication Vulnerabilities in the Web Penetration tester Job Role Path. I tried to fuzz for a correct username based on the difference in the size of the response when a username is correct or not.
The command: ffuf -u "http://154.57.164.68:32683/index.php" -w SecLists/Usernames/xato-net-10-million-usernames.txt -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "Username=FUZZ&Password=invalid" -fs 3264 -ms 3271
What are you stuck on?
I tried all kinds of fuzzing based on the response and the response sizes. Also tried other wordlists, yet nothing successful
want to dm?
Sent you a text!
Hello, in cwee module 7 skill assessment, i cannot receive the email, even copypasting the solution, may anyone be able to help?
best to just name the module no one knows what 7 is
Apologies, http attacks
hi so for the DNS Zone Transfer section of Information Gathering - Web Edition module, I am trying to get the zone transfer for the IP address and tried to do a reverse lookup on the IP and it didn't give me a domain name. I then tried axfr on it but the transfer failed:
┌──(kali㉿kali)-[~]
└─$ dig axfr 172.20.10.1 zonetransfer.me
; <<>> DiG 9.20.20-1-Debian <<>> axfr 172.20.10.1 zonetransfer.me
;; global options: +cmd
; Transfer failed.
; Transfer failed.
┌──(kali㉿kali)-[~]
└─$ dig axfr @10.129.42.195 zonetransfer.me
;; Connection to 10.129.42.195#53(10.129.42.195) for zonetransfer.me failed: timed out.
;; no servers could be reached
^C
┌──(kali㉿kali)-[~]
└─$ dig axfr 10.129.42.195 zonetransfer.me
; <<>> DiG 9.20.20-1-Debian <<>> axfr 10.129.42.195 zonetransfer.me
;; global options: +cmd
; Transfer failed.
; Transfer failed.
┌──(kali㉿kali)-[~]
└─$ dig -x 10.129.42.195
; <<>> DiG 9.20.20-1-Debian <<>> -x 10.129.42.195
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11849
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;195.42.129.10.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
10.in-addr.arpa. 3542 IN SOA prisoner.iana.org. hostmaster.root-servers.org. 1 604800 60 604800 604800
;; Query time: 11 msec
;; SERVER: 172.20.10.1#53(172.20.10.1) (UDP)
;; WHEN: Sun Apr 12 16:20:55 EDT 2026
;; MSG SIZE rcvd: 132
What do I do here?
You can only request a zone transfer for a zone, not for an IP address.
ok but this doesn't work either
┌──(kali㉿kali)-[~]
└─$ dig axfr inlanefreight.htb zonetransfer.me
; <<>> DiG 9.20.20-1-Debian <<>> axfr inlanefreight.htb zonetransfer.me
;; global options: +cmd
; Transfer failed.
; Transfer failed.
or anything like that
and I am assuming that's what the section wants me to do?
I know this works:
┌──(kali㉿kali)-[~]
└─$ dig inlanefreight.htb
; <<>> DiG 9.20.20-1-Debian <<>> inlanefreight.htb
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26437
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;inlanefreight.htb. IN A
;; AUTHORITY SECTION:
. 3226 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2026041201 1800 900 604800 86400
;; Query time: 12 msec
;; SERVER: 172.20.10.1#53(172.20.10.1) (UDP)
;; WHEN: Sun Apr 12 16:26:06 EDT 2026
;; MSG SIZE rcvd: 121
That won't work.
htb isn't an official TLD. So you'll definitely need to specify a valid nameserver.
What exactly do you plan to do with zonetransfer.me?
ok so it mentioned zonetransfer.me in the section. when I dig -x the IP given from the host I had started, it showed this:
┌──(kali㉿kali)-[~]
└─$ dig -x 10.129.42.195
; <<>> DiG 9.20.20-1-Debian <<>> -x 10.129.42.195
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4093
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;195.42.129.10.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
10.in-addr.arpa. 3542 IN SOA prisoner.iana.org. hostmaster.root-servers.org. 1 604800 60 604800 604800
;; Query time: 11 msec
;; SERVER: 172.20.10.1#53(172.20.10.1) (UDP)
;; WHEN: Sun Apr 12 16:31:56 EDT 2026
;; MSG SIZE rcvd: 132
yet this doesn't work:
┌──(kali㉿kali)-[~]
└─$ dig axfr inlanefreight.htb prisoner.iana.org
; <<>> DiG 9.20.20-1-Debian <<>> axfr inlanefreight.htb prisoner.iana.org
;; global options: +cmd
; Transfer failed.
; Transfer failed.
┌──(kali㉿kali)-[~]
└─$ dig axfr inlanefreight.htb hostmaster.root-servers.org
; <<>> DiG 9.20.20-1-Debian <<>> axfr inlanefreight.htb hostmaster.root-servers.org
;; global options: +cmd
; Transfer failed.
; Transfer failed.
it said in the section zonetransfer.me is used to test transfers unless I'm misinterpreting the section
Read through the entire chapter again and try to understand how DNS works. You're mixing up a lot of things here.
Yes, zonetransfer.me is configured to allow zone transfers to anyone. This means you can test your tools there.
then why wouldn't it work?
dig AXFR zonetransfer.me
ok I am gonna YouTube it I know CloudFlare is credible but I want to practice finding my own sources
ah ok
I'm about to watch 30 minute YouTube video on DNS
since that's probably the smarter move here
I'll talk to you in 30 minutes
Wifi Pentesting Basics
Why is the answer for interface modes "5" when as you can see in the image there are "9" modes
Hi ok so there are issues connecting to HTB VPN. It won’t download VPN file in my Kali box. When I download, the file won’t run in host OS.
Which is one issue.
Can someone help with that?
Hey, working through Linux Fundamentals module. The curl exercise for inlanefreight.com is timing out from the Pwnbox. Site is up but curl returns empty. Anyone else hit this and know a workaround?
I have completed the course work for the cwes: What's the best way to start preparing for the test?
The P2P modes are wi-fi direct. They do not count to the 5 modes you learned about in the module, I think technically they count to ad hoc (IBSS)
Hey, im doing the AD enumeration and attacks skills assessment 2.
i managed to log into the SQL01 machine and dump the administrator hash as shown. after many attempts trying to rdp/winrm into the MS01 machine with the administrator hash i decided to find a guide...
the guide posted a hash and i decided to try that hash instead and it worked. but the hash on SQL01 is different?
is there an explanation?
Probably because when you dump SAM you're getting the Local Administrator hash which wouldn't be valid in the domain, you want to get the Domain Administrator Hash or the hash of a user who is part of the Remote Management Users group.
that module is above tier 0 btw so any guide you use that isn't the one provided with the annual sub is cheating/against ToS
I neither see that in the writeup guidelines (https://help.hackthebox.com/en/articles/5188925-streaming-writeups-walkthrough-guidelines) or in the User Agreement (https://resources.hackthebox.com/hubfs/Legal/UA.pdf?_gl=1*tgpo7n*_gcl_au*MTkwNzAyNTE0NC4xNzczNjQ1NzYx) so where did you get that from?
I only mean reading, not posting obviously
https://help.hackthebox.com/en/articles/5188925-streaming-writeups-walkthrough-guidelines; by proxy reading something that is against ToS would also be against ToS
similar to the fact that buying stolen goods is still illegal, even though you weren't the one that stole it
okay, then I would assume it is a guide written by his pentesting team which is encouraged
"i decided to find a guide" doesn't sound like a guide by their team
Maybe their file share is messy haha
if it was a private guide made by their team, then perhaps they would have said "a guide i followed written by a team member" or something like that
I get you're trying to play the devil's advocate, but come on dude
Anyone around here completed the android pentesting path? It seems to have good reviews on the platform, but no review/article on it so far.
did not complete but the modules I did were fun, I think I missed flutter tho (but idk anymore)
Nice would you say it was applicable to modern android pentesting, like bypassing root detection, ssl pinning, android specific vulns etc?
It was part of it for example in Dynamic Analysis there was a section on cert pinning, but like always other apps could be more obfuscated or do it completely different so it shows you the concept, but does not mean you are instantly able to do it on every app out there
Yeah for sure, in engagements typically an APK without protections is also provided, in case root detection bypass is not possible for example.
Thanks for the info though, seems much more in depth than other offerings on the market
I have a feeling the Android half is done, with the iOS one being in development 
i looked at the first modules, they are not worth tier 3 and so I consider them tier 2; there are better options out there for android pentesting. Maybe the path is in dev/extend but i don't know
Many Tier3 Modules are not worth the Tier 3 (Looking at you PowerView, LDAP and Bloodhound modules). But if you have a subscription they are still worth it
hey!
excuse me
for the password attacks skill assessment
i have gotten the hash
however the website is saying it's incorrect
Hey guys !
If anyone require help with any module please let me know 🙂
which one ?
password attacks
skill assessment
not particularly a help, i finished it
however for some reason
my answer is
wrong?
31cc1-------------------0cceb
wrong hash
hmmmmm
but i am pretty sure
that's the Administrator hash
of Nexura
not the local
keep looking it should start with 36exxxx6d23
You're welcome!
i ll nudge u a bit let me look at my notes
u suppose u doing this from the DC01?
correct
u logged in with rdp ?
ehh? those are topics i have not yet encountered
we haven't gone in depth in
password attacks
we learnt the method of vssadmin
then copy NTDS/NTDS.dit
that's what i did
send me in dm what u got
What would be those other options in your opinion?
Anyone else having issues running Powerview?
I've downloaded the latest I can find in powersploit, but unable to import it and run it from a windows host where rather sure it should work from?
@pseudo kiln it depends on what you are looking for: practical training or certification or pure theory
I still got VPN problems tho I switched to bridged but it's still not working
udp vpn? make sure to not run pwnbox in parallel as they have the same ip. if you did all those already, the issue is probably on your side
Not really concerned with a cert/paper, only the knowledge
Have you got AV enabled on that host?
try this version and if it does not work an error message would be helpful to help you
https://raw.githubusercontent.com/BC-SECURITY/Empire/main/empire/server/data/module_source/situational_awareness/network/powerview.ps1
I'll try. the problem isn't that I get any error message
the problem is more that the function just isn't there
what commands do you try?
Get-DomainObjectACL
Hello everyone
I need serious help with the ADCS attack module, I promise I won't take a long time
PS C:\Users\bh> Import-Module .\PowerView.ps1
PS C:\Users\bh> Get-DomainObjectAcl [parameters]
works for me with the version I provided to you
Ok, I'll try
I'm new to this journey, I'm getting certified by the national cybersecurity association but I want to deepen my knowledge, and I decided to do the academy and then the labs. However, in the academy I'm in the Linux module, as shown in the attached image, and I can't find it, even though I've already done a lot. Can someone help me solve this, please, and explain how they did it so I can learn and master this technique?
Regards
thx, now this works for me!
Hi, I have an issue with "Android Application Static Analysis - Reversing Hybrid Apps" exercises. I found debug key in both apps (also decompiled Hermes), but when I try using it with curl as a debug_key parameter, I always get "Invalid credentials!". Am I missing something? Thanks 🙂
which is a good command
Hey brook I have questions about wifi pentesting can I DM u
damn
i uses the way back machine, HTB admins idea 🙂
Hi, to do kerberos relay with RBCD attack we need service account with an SPN, the ability to add computer accounts, and a target with no LDAP signing and find a coerce method ?
@knotty gulch dont dm people without asking
I just got the student subscription for the academy, should i jump right into a certification track like CPTS, or should I start off with the modules in CJCA?
i'm like pretty brand new to practical cyber security, however, I do have some basic knowledge about like attacks and stuff
nevermind, found the prereqs for CPTS, not there yet at all lmao
lock in on CJCA time
you can dm me.
you can dm me if you're still stuck
You're almost there. Look at the hint and change the way the folder is represented in Windows
Did you get the path yet?
Hello all! Trying to do the 'attacking windows credential manager' section of password attacks. I've used runas to impersonate the other user and moved mimikatz onto the machine. When running privilege::debug I get the RtlAdjustPrivilege error, which I'm pretty sure means I don't have the right perms.
I managed to solve the challenge by doing token::elevate then vault::cred, but I don't think that's the method they were trying to teach.
Any ideas why the privilege::debug command is failing? tyty
u need to be administrator.
gotcha, i guess my question then is how would I get to an admin shell from the mcharles user?
rdp as sadams -> impersonate mcharles w interactive creds/token -> ? -> run mimikatz from admin shell
Please, can anyone help me? Lateral Movement lab in Attacking Enterprise Networks.
you need to bypass UAC to become administrator.
then dump the credential manager.
thats how htb wants you to solve the lab
ohh gotcha, i don't think i've stumbled onto that yet. will do some research, thanks 🫡
and read the hint carefully because if you are following the pentest path then you havent done UAC yet.
that's not the only way
btw
a baked pasta will also do the trick
ah im silly, forgot there was a hint lmao. that definitely clears it up
:)
ik but htb wants you to solve it like that
not entirely
oh
they want you to solve it in whatever way works
i forget what the solution guide has you do, but i don't recall if it does the bypass
Work through the examples in this section to gain a better understanding of ACL abuse and performing these skills hands-on. Set a fake SPN for the adunn account, Kerberoast the user, and crack the hash using Hashcat. Submit the account's cleartext password as your answer.
i reset his password😭
i've seen you mention that a few times but im very dense. is it a reference to 'pass the hash' or am i off the mark?
lazagne
if im right
ripp
ahh capisce that makes sense
@fathom pendant do u mean the tool LaZagne????
well i was trying to say it without saying it
hmmmmmm i hear u
Hi guys, has anyone finished the Lateral Movement lab in Attacking Enterprise Networks yet?
Is anyone experiencing problem spawning target machines?
Yes
anyone need some nudgies?
Which kernel release is installed on the system?
It’s showing error with this answer 6.12.32, I used command “uname -r” for getting kernel release pls help
Ensure you are connected to the provided target when performing this lab. The version (6.12.32), is likely the version being used by your VM or pwnbox. Credentials to SSH into the target should have been provided at the end of the section - username is likely htb-student, along with a means to start the target, which is usually a button that says Spawn the target system.
Hello guys , the targets failed to spawn and even the pwnbox don't launch . Is it just me or is the site down ?
Same here
Hello. Did anyone do the "Application of AI in infosec" module? They provide us at some point with a function to check for invalid IP addresses, but it returns an error "expected string or bytes-like object, got 'float'". Which is strange since the column type is "str", and there is a method to enforce the type in the function
ok in the given function, there is no case for the "NaN" value, creating the error, just make an if statement to handle the case
@drifting heron Please take care not to post content from modules above tier 0, like attack paths etc
@cloud urchin where should I ask?
You can ask here, just don't reveal details of the modules above tier 0
If you feel like you need to reveal more info you can ask someone to DM
Anyone who has completed the module doesn't need the extra info like attack paths etc though
cracking WPA02 hash with hashcat in SAE Downgrade Attack module takes ages. Any help?
Don't attempt it on the lab attack box. Transfer it to your VM or pwnbox and attempt to crack it there. Mine took a minute to crack that way.
this horror story is NOT from VM
hi guys why cant i see VPN like in the screenshot next to it ?
It likely doesn't require a VPN connection.
VPN is only available on sections that require you to interact with private targets; if you spawn target you should see that it gives an IP:port
thanks
Session..........: hashcat
Status...........: Exhausted
😩
It might not have captured everything necessary to crack it. You can DM if you'd like me to review the data you collected for this attack.
Is the "NetworkFoundations" SkillAssessement completable without the pwnbox?
yes
Thanks i was thinking some data might be different
why would it be?
The Keep me in the Loop part states that it will be showcasing the pwnbox
yeah, but it's still doable on your own machine
showcasing just means that they're using it, doesn't mean it's absolutelly only doable with pwnbox -- that'd be silly
Has anyone had an issue with this part in android application static analysis? link(https://academy.hackthebox.com/app/module/221/section/2365) I am not sure if it's vpn configuration issues, but I am not able to click on install app after I put in the IP configurations. I am using android studio.
Do u guys have issue spawning machines
Hello, i would like to point out misleading sentences in two modules, which channel is the most suitable for it?
yes
thx
why do I keep getting this
No. On my windows laptop I am able to ping the target address without the openvpn turned on.
Skills Assessment - Web Fuzzing
Stuck at Q3:
One of the pages you will identify should say 'You don't have access!'. What is the full page URL?
Generally the methodology for this module is simple, but can anybody tell me if I'm able to complete this module by using wordlists from this dir?
/opt/useful/seclists/Discovery/DNS
Or i need some other dir? Going through all of them would be a waste of life.
Thank you.
the answer to figure it out is in the q
Seclists should work for wordlists. Pay close attention to what you are being asked to identify as this can help you determine what type of wordlist to use.
you need to filter and match a page that says "You don't have access!"
Update: i have tried 10 more times including 2 times asking ai to assist me at every step (which i really do not want to do as i dont really learn anything from using ai) still connection refused
AI can steer you in the wrong direction
Idk how but apparently i was typing something wrong and i got it to work so i am deleting prev messages
Well the unanswered ones
Still have the problem of the passive ftp command closing itself after a few minutes tho ):
Stack-Based Buffer Overflows on Linux x86
How large can our shellcode theoretically become if we count NOPS and the shellcode size together? (Format: 00 Bytes)
Hello, I have a question about this question.
Personally, I feel like there are many misleading things in the stack-based buffer overflow and assembly module. I've done just a little programming in assembly, so I could be wrong; that's why I'm writing a question.
For example (img1), which is the question in the stack-based buffer module: I believe there is no exact number. (That said, I figured out the answer for the section, but I feel like it's wrong). If I can overwrite the last thing on the current stack, which on RET becomes the EIP, then I control the address. Since the stack (based on this question) has to be executable, then there's no limit to the shellcode size. I could write the shellcode after the ESP -> after the EIP that was popped, and then there's an unknown limit.
Or I can just overwrite the stack before the EIP, as shown in the picture, and then there's only a limit from the start of the buffer to the "future EIP," which would make the answer to the module incorrect.
could someone explain if i missed something or is my deduction wrong ?
hi for the virtual hosts section of the Information Gathering - Web Edition module, I am trying to enumerate the subdomains of inlanefreight.htb, using the IP address but I don't think I am getting the answers to the current flags.
Is this the wrong wordlist?
Here is my output:
┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster vhost -u http://154.57.164.73:30583 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://154.57.164.73:30583
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.8.2
[+] Timeout: 10s
[+] Append Domain: true
[+] Exclude Hostname Length: false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
#www.154.57.164.73:30583 Status: 400 [Size: 157]
#mail.154.57.164.73:30583 Status: 400 [Size: 157]
#smtp.154.57.164.73:30583 Status: 400 [Size: 157]
#pop3.154.57.164.73:30583 Status: 400 [Size: 157]
Progress: 114442 / 114442 (100.00%)
===============================================================
Finished
===============================================================
Why not use the domain name instead
use the domain name and add that entry to /etc/hosts, everything else in the command is fine.
Hey so on the "introduction to threat hunting & hunting with elastic" module, I'm on section 5/6, the bit about Stuxbot.
For question 2 I'm really stuck.
The question is "Stuxbot uploaded and executed mimikatz. Provide the process arguments."
I'm 90% sure the answer is ||"lsadump::dcsync /domain:eagle.local /all /csv" exit ||, but every which way i try to format the answer it says I'm wrong, but i really can't find another possible answer. When you search for mimikatz there's only one log entry that mentions a command line input with process arguments. Am i doing something really wrong here?
good ok I did this its working. I'm psyched.
the progress bar is at like 33%
or would it be recommended for me to wait for gobuster to finish anyways?
this is for the virtual hosts section of information gathering web edition module
@quasi wave Please take care not to post content from modules above tier 0
you can always run it with more threads
Sorry my bad
Guys im stuck at broken authentication skills assessment to the point that I think the lab is broken🫤
all im getting is id is not injectable... i have tried level 5 as well
@chilly night Please do not post content from modules above tier 0, especially skill assessments. Anyone who has completed it doesn't need the details to help, and if you feel like you need to reveal more info you can take it to DM's.
im stuck on the sqlmap skills assessment all i get is parameter not injectable
can someone dm me pls
hello guys
I'm currently working on "Attacking Thick Client Applications" and I can't find the memory I'm looking for in the tutorial. Please help me.
I don't think you have missed anything, I'm assuming it is just that they want to keep the initial introduction to buffer overflows simple and familiarize the student with the general concept of figuring out how much space you have available at your initial entry point, which is a typical task during exploit development. For sure, there are techniques for finding additional space on the stack etc., but as I recall, in this module they demonstrate a basic exploit development workflow, which may require certain things to be "oversimplified" a bit 
Hi there, can I get help on the path CWEE, module “Introduction to NoSQL Injection”, section skill assessment part 2, I can’t seem to be getting the reset token with the payload/script im using
I think your breakpoint is on the wrong spot, did you set the breakpoint settings right?
You might be right... I saw in the tutorial that the memory map was opened without specifically setting breakpoints.
Thank you. I think I found this memory-mapped file. I really appreciate it
Hi, could someone help me with the skills assessment of File inclusion module ? Can't find the page and param where LFI work
is there any issue with password attacks skills assesment lab? i keep getting target spawning and zilch also pwnbox give error There are no available instances. Please try again later.
hii guys
I'm trying to start an Pwnbox but it's saying that there is no instance available every time that i tried, anyone with the same issue?
Might be a server issue, guess we have to wait
Experiencing issue in spinning PWNBOX for EU and DE in Academy. Any one else having the same issue?
thx mate
dm please
You can try switching regions to see if there are available pwnboxes in other regions. You also have the option of using a VM.
PWNBOX is working now.
spawning box in academy not working for the past 30-40 mins , anyone else ? tried switching regions, not working
I'm struggling launching the target of Attacking Enterprise Networks, I clicked on "Spawn the target machine", I waited and got the button again
Is it ok for you now ?
I just tried as i was having really bad connectivity errors with the academy ftp client in a module yesterday so maybe the pwnbox?
Nope there goes my singular free spawn ):
At least i have a live usb with htb parrot os but this must be really annoying for all those paid users and free users relying on their 1 spawn per day
Same here with the AD related modules
im trying this ftp connection 1 more time and if it does not work i will send a screenshot
IT WORKS!!! after trying the same thing for a 40th time
why did it work this time
and other times when i connect to the dynamic port it refuses connection for no reason at all?????
(deleted the screenshot because possible spoilers)
Maybe there was a temporary issue with their infra
Kept on re-spawning/resetting the AD skill assessments machines as some machines in the env were not getting spawned at all
Hi there, can I get help on the path CWEE, module “Introduction to NoSQL Injection”, section skill assessment part 2, I can’t seem to be getting the reset token with the payload/script im using
Anyone having trouble to spawn targets? I'm currently doing the AEN module, but the target do not spawn. I'm trying the button "Spawn the target system" from about an hour, with no success. HELP
EU Servers are not spawning targets - US Servers are, for me at least.
yep got fixed 10 mins after sent the message, but it was like 1 hour downtime for me
same for me
Please just skim past the past 10-20 posts as you will see multiple people having this problem
I'm in Vietnam and every night I have problems with HacktheBox VPN, slow connection or even no connection at all
hey guys I can't spawn machines it says:
Ooops! Something went wrong. Please try again later!
seems like they are having problems like often the last weeks
okay
you can use US vpn btw. I am doing the same right now
I confirm EU academy labs are currently broken.
That worked, thanks
can't spawn target AGAIN !!!
Hello friends, I just signed up with the student plan after completing CS101 on THM, didn't really love it over there. I am fairly new to everything networking related, halfway through CCNA studies and been doing CTFs for about 4 weeks.
So my question; Should I start with the Basic Toolset module and run through some of the skill paths and then jump over to job role paths? Or is there a better starting point for academy?
Appreciate any help/input, thanks
Hope this is the right room for this question btw, otherwise lemme know where to ask instead
Yep Currently doing Threat Hunting Fundamentals and I cant spawn the targets
change to US vpn
guys don't read further than 5 messages..
Anyone completed Broken Authentication Skills Assessment DM me please!
yeah I did for now its working
Yeah if you're having troubles with EU vpns switch to US
theres been some issues as of late
thanks appreciated
Android Penetration Testing Automation > MobSF
So last I checked, Im pretty sure this is not "India"? LOL
Thats where im supposed to raise it? Right ?
yes
On the pwnbox, can anyone get ldapsearch -h | less to work? For some odd reason, the less doesn't show the beginning of the help output and whenever I try to jump to the start by pressing gg, it just shows blank lines and I can't do G or anything. Is this just on my pwnbox or something user-wide? I'm just curious why less wouldn't work properly for ldapsearch unless I'm missing something...
does ldapsearch -h work? if i remember properly it's an old flag that was used for "host"
try with the -H flag too
ah thanks for the reply & info. I did some digging and it seems like the -h is not a valid flag thus printing the output to stderr and because | less takes stdout (which is empty from my command) to less, it resulted in an empty less output (which is expected). I tinkered a bit to see the available options using less by running ldapsearch -h 2>&1 | less but at that point I'm just gonna run man ldapsearch haha. Thanks for the info anyway 🙂
you're welcome! there's also a great article on ldapsearch
https://linux.die.net/man/1/ldapsearch
it should be the same as the man command, just easier to read
hi so for the fingerprinting section of Enumeration Gathering - Web Edition Module, I am doing the questions but I don't think it is working. I am like 99% sure I am doing this right. I try to use Nikto but its not working. I pinged it first to confirm I can connect to the server. The questions are asking me to use Nikto to get web app fingerprint information about inlanefreight.local's subdomains: app.inlanefreight.local and dev.inlanefreight.local, respectively. Here's my evidence of what I have tried.
┌──(kali㉿kali)-[~]
└─$ ping inlanefreight.local
PING inlanefreight.local (10.129.64.187) 56(84) bytes of data.
64 bytes from inlanefreight.local (10.129.64.187): icmp_seq=1 ttl=54 time=35.2 ms
64 bytes from inlanefreight.local (10.129.64.187): icmp_seq=2 ttl=54 time=36.1 ms
64 bytes from inlanefreight.local (10.129.64.187): icmp_seq=3 ttl=54 time=33.1 ms
64 bytes from inlanefreight.local (10.129.64.187): icmp_seq=4 ttl=54 time=33.4 ms
^C
--- inlanefreight.local ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 33.124/34.454/36.082/1.234 ms
┌──(kali㉿kali)-[~]
└─$ sudo vi /etc/hosts
┌──(kali㉿kali)-[~]
└─$ ping app.inlanefreight.local
PING app.inlanefreight.local (10.129.64.187) 56(84) bytes of data.
64 bytes from inlanefreight.local (10.129.64.187): icmp_seq=1 ttl=54 time=37.2 ms
64 bytes from inlanefreight.local (10.129.64.187): icmp_seq=2 ttl=54 time=28.2 ms
64 bytes from inlanefreight.local (10.129.64.187): icmp_seq=3 ttl=54 time=32.7 ms
^C
--- app.inlanefreight.local ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2009ms
rtt min/avg/max/mdev = 28.244/32.744/37.246/3.675 ms
┌──(kali㉿kali)-[~]
└─$ ping dev.inlanefreight.local
PING dev.inlanefreight.local (10.129.64.187) 56(84) bytes of data.
64 bytes from inlanefreight.local (10.129.64.187): icmp_seq=1 ttl=54 time=42.2 ms
64 bytes from inlanefreight.local (10.129.64.187): icmp_seq=2 ttl=54 time=42.2 ms
64 bytes from inlanefreight.local (10.129.64.187): icmp_seq=3 ttl=54 time=35.6 ms
^C
--- dev.inlanefreight.local ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2011ms
rtt min/avg/max/mdev = 35.641/39.987/42.169/3.073 ms
┌──(kali㉿kali)-[~]
└─$
┌──(kali㉿kali)-[~]
└─$ nikto -h app.inlanefreight.local -Tuning b
- Nikto v2.6.0
---------------------------------------------------------------------------
+ Your Nikto installation is out of date.
+ [FAIL] Unable to connect to app.inlanefreight.local:80.
┌──(kali㉿kali)-[~]
└─$ nikto -h https://app.inlanefreight.local -Tuning b
- Nikto v2.6.0
---------------------------------------------------------------------------
+ Your Nikto installation is out of date.
+ [FAIL] Unable to connect to app.inlanefreight.local:443.
I know I can ping those services so my connection is working. I tried upgrading and updating Kali but haven't restarted. Otherwise, what else can I do here?
Its defaulting to https...
Ah nvm
I dont recall having issues with nikto
But pinging doesnt mean anything
ok I nmapped it and port 53 is open
Because its the same ip
That's not how that works
53 is dns
Which is where im assuming you got the subdomains from
ya but you can run HTTP on any port technically the port is the default port number for that service, no? and the instructions gave me the subdomains
Try restarting the lab and/or changing vpn regions
wait nope didn't work tho and ya I respawned target maybe a different VPN will do it
You cant have 2 services listening on the same port
ok thank you gotcha
The reason pinging doesnt matter btw is because its not reaching out to a port
I tried modifying /etc/hosts file it didn't do anything either
like to add app.inlanefreight.local or dev.inlanefreight.local and it made zero difference
Its just asking the ip if its up, and because of the nature of vhosts - pinging a different subdomain of a vhost doesnt change anything
ah ok
is it possible the lab could be faulty?
I mean I completed the module a long time ago anyways and this is a redo so tell me am I actually doing it right?
I just changed the VPN and spawned a new target it didn't work
wait hold on a sec
Mullvad was on may have gotten in the way
trying with Mullvad turned off
YES
I MADE IT WORK
had to configure a bunch of stuff
but figured it out
do you do these modules with Mullvad off? I'm just curious if VPNs get a lot in the way in doing these modules
(external) VPNs can cause some issues, it's one of the first suggestions that'll be given to disable it when doing labs
cool, good to know. What other stuff is suggested to disable?
just use the academy vpn and don't run the pwnbox at the same time, you will be good 99% of the time
great info, thanks!
they do. I promise you they do.
Hi there, can I get help on the path CWEE, module “Introduction to NoSQL Injection”, section skill assessment part 2, I can’t seem to be getting the reset token with the payload/script im using
Hi anybody have the VPN Academy section? or only me bugged?
if you spawn target and it's an ip:port, that'll be your answer
means vpn not required, it's a public container
ready, that was because that lab is in a docker container
Hi guys, could you give me a few advices ? I don’t know, maybe I’m just too stupid, but I’m stuck on the topic of filtering in the Linux module. Are there any ways I can practise this? Or to learn it faster?
In everyday usage I don’t use any filtering commands (only grep “…”, mb here is a key 🥲
see the pinned messages
Thx, but I just solved this tasks a hour ago u think.
I meant the entire understanding the topic of filtering
Idk how to improve it
just move to the next section and use RegEx instead 
I’ll try, thx 🫡
anyone still having problems spawning targets?
yes, do you find a solution?
it works
Hi, im currently on the section "Creating Our Own CME Module" in the "UsingCrackMapExec" module
But as i'm using nxc instead of cme, i'm looking for information on building custom modules on nxc.
I found one article, but does not seem to work
i wouldn't worry too much about it unless you absolutely need to do the thing
still not working for me
its starting to get annoying 🙁
maybe is it a problem with the 'Password Attacks' module ?
it needs some time. some boxes are broken.
im on password attacks seems to be a problem spawning one time it spawned but it didn't respond
yeah me too
it says target spawning for like 10-15 minutes and then it shows the button to spawn a target again
yeah it is probably some real issue have not experienced anything quite like this before
Ehi, if i post my script in here can some of you guys explain to me what is wrong with my code or is it against the rules? I'm stuck at the loops modules for bash script
Oh, sorry
Got it
which section is it?
Nope doesn't work, I'm trying to solve this for over a month
you can shoot me a dm
just include the question and what you have so far
you can dm me i've reviewed lots of peoples codes it's likely that you've overlooked a simple thing
i am doing the network enumeration with nmap module. Trying to solve the "Nmap Scripting Engine". The question at the end is: Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.
How should I know, that I need to specifically scan Port 80? If i scan everything, I have various Ports open. According to the solution, I need to dig deeper into the Port 80. How should I know that?
In general, TCP 80 is a good port to go further into. However, nothing says you need to only focus on that one port. NMAP is a powerful tool that can be used to enumerate all the ports with a single command and run scripts on them. Then sift through the results that way.
did you get the Skills Assessment 2 solved?
ok got it... so port 80 is always nice to look into. gonna put that to my "first things to do with nmap" list. thanks for the help
port 80 is http, meaning there is almost always an accessible web server hosted on this machine. web server is interesting because it's often full of information and possibly vulnerabilities
I tried posting a module question yesterday but it timed me out. are there any flagged characters that can cause this? it was just a specific error message thats in the question in a NTLM Relay attacks subsection
can anyone help me in response splitting http attacks been stuck since 24 hours not able to get it work
can someone help me with module hacking wordpress, directory indexing part?
i cannot access any other folders except wp-content, and it doesnt contain the flag
If you post a link in the format []-() it hits you
You realize i cant help you if you dont say what your problem is
this is my problem right now
i cant find the flag.txt file anywhere
i have tried everything
wp-content, wp-includes, wp-admin
I’m having trouble with a question from Network Foundations Module. I’m on section 7/12 Domain Name System. I’ve tried every answer for question 4, which is, “What type of DNS server is typically provided by an Internet Service Provider?” I believe it is Recursive, but it won’t accept any answer. Does anybody know if I’m right?
haven't done that module
the answer is in the reading ctrl+f for either ISP or Service Provider
Can u try that part for me pls
Wont take u too long
I just doubt that something happened to the server
no
Hey everyone!
- Module Name - Pentest in a nutshell
- Section Name - Windows Vulnerability Assessment
- Question you're struggling with - Only question in the section
- Generally what you've tried (while avoiding spoilers, i.e. logged in as j* and couldn't find anything) - I found the file it’s referring to, and copy pasted the asked for line from my powershell window, when it didn’t work I went through the windows gui and opened the file, and copy pasted from there. Still saying it’s not right
I figured it out. Usually it explicitly states whether it’s a 2 or 3 word answer. It didn’t say anything about the number of words, so I assumed it was just one. The answer is “recursive DNS server” for those who may get stuck like me.
yeah, that's one of my only issues with that module is the inconsistencies in how it expects answers; sometimes it wants just the type (such as Ethernet or fiber-optic) other times it wants the full thing (Recursive DNS server)
You need to keep going. There are more directories inside of your directories. You need to keep going until you find the flag.txt file
So there’s two log files with the same name. I was looking at the wrong one. 😅
There is also a tool that can help you find the different directories out there.
can someone help me in AD enumeration & attacks in module 9 privileged access.
i have solved it but i had a weird problem. i could do this query in bloodhound on the windows attackhost from hackthebox. but on my machine it didnt work.
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2
You can legitimately pick up at the last example in that section and work curl a bit to enumerate some more, which should get you to the flag.
Hi there, can I get help on the path CWEE, module “Introduction to NoSQL Injection”, section skill assessment part 2, I can’t seem to be getting the reset token with the payload/script im using
You can send me a DM
it depends if you have legacy bloodhound installed or not
the new query system seems abit hard to learn
Excuse me, in the medium skill assessment for common services attack
because first time i saw it
next time i spawned a machine
there was no FTP
so i wonder if i should restart it
okay, there is actually
it was glitched
Please don't reveal details from modules above tier 0, especially skill assessments
hmmm i apologize! that was no reveal at all tho!
just an nmap
it was a reveal
Hello everyone. I have been trying to do LLM Output Attacks Skill Assessment but am stuck. I confirmed it is SQL Injection with the bot, but struggling with actually performing it. I would get operational error or invalid syntax. Any help please?
goodmorning from japan
hello admin i am a hack the box beginner , i have been stuck on academy labs for a long time, i can connect to windows host and create file share but i am not able to connect to the smb server through smbclient , what is the issue i tried using pwn box and i also tried to connect using my own kali vm. please help me resolve this and move ahead
note: i did not try both pwn box and my kali vm at same time i tried them separately one at a time once the first did not work i tried my vm the next day
smbclient //ip/sharename -U domain/user -L //ip to just list what shares are available @opal crater
and if you anyway connect with xfreerdp u can as well mount the files directly with /drive: path,sharename
i don't think so
the command you used is wrong
like the syntax
you mean this
this is wrong or
my command
?
what will the beginner understand with this
?
if we were pro why would we take the course
to learn searching :>
so the course provided steps might be wrong please search
i think this would be a appropriate note to be sticked then
why promote you teach better and put wrong steps there
its not that i cant search i can but i am just worried about why put wrong steps and dont notify user what might be wrong
did it work with -L //ip ?
smbclient //10.129.72.79/"Company Data" -U htb-student
do_connect: Connection to 10.129.72.79 failed (Error NT_STATUS_IO_TIMEOUT)
💀
are you connected to the VPN?
if i were not i would never reach the server i guess
what am i doing wrong here on the skills assessment box in network foundations? i am following the instructions on the box step by step, and its not doing what it should be doing
also please pardon my not using a screenshot tool, i’m stuck on my computer i use for school, and I don’t have discord on it
i had this thing earlier
it's passive mode
passive off to remove it
ahh gotcha
Yosh!
anyone for a nudge on Windows Lateral Movement Skill Assessment WSUS part ?
Try smbclient \\10.129.72.79\Company\ Data -U username
4 times \ and space should be escaped with \
Or just use single quotes around the whole thing 
'//10.129.72.79/Company Data'
Is it / or \ ?
Doesn't matter actually
I have been using \ lol 😅
As long as you know that \ need to be escaped
Can I DM someone regarding the Kerberos Attacks skills assessment ?
sure
Hello guys. I'm stuck on the live engagement of the shells and payloads module. If anyone could help 🙇♂️
It would be easier for others to help you if you specified which question exactly are you stuck on, and what are the things that you have already tried?
question 2. I'm trying to gain shell access to host 1
I tried msfconsole but didn't work and now i'm trying the script in the laudanum folder. I created a new war file (i remembered to change the ip address) and then uploaded it with the manager app. i feel like this should work but it's not. It's almost like the file isn't really being uploaded but I can't tell even with burpsuite and don't have any other ideas.
If the file uploaded you should be able to see it within manager. You can send me a DM with a screenshot of that if you are still stuck.
Hey there, the entire module on Objection in the Android Penetration Testing Automation seems to be broken, the app doesn't trigger the same way the lesson explains, I get a flag and it doesn't get validated. Has anybody finished it?
How to find the mail of an user?
the module is telling me to find the path to the mail of htb-student over ssh but I don't see any useful information?
module: NTLM Relay Attacks - Authentication coercion - Q2: Use Coercer in 'coerce' mode against 172.16.117.60 and submit the name of the first RPC call resulting in the message ERROR_BAD_NETPATH for the SMB named pipe '\PIPE\lsass'.
I ran the tool but I wouldn't get the error message, I am obviously doing something obviously wrong but I have been stuck a while
thank you
figured it out
Regarding module OWE Evil Twin Attack:
I think there is a flaw in either the theory, or the target (or in my understanding 😇 of the subject).
The idea is to spin up a 'cloned' fake AP, and do an evil portal attack with nagaw.
The theory clearly states to duplicate essid, bssid, and channel
However, when duplicating the channel as well, this leads to a DoS condition with the legit AP due to all the collisions, and the attack will not succeed.
Switching the fake AP to broadcast on a different CH will lead to instant success.
Can anyone with more experience share their PoV?
Well the whole point of the evil-twin is to completely convince the target that they're on the same exact network, the entire idea is to stop them from connecting to the real one, you'd compete for the channel with a higher power level so that you're essentially guaranteed to DoS the real network.
Of course it'd be very difficult to simulate the exact network especially if there were network services that were in use other than the portal but one good thing to have would be forwarding rules so that your targets could access the internet through your evil-ap (and of course DHCP).
I only got a series of these when broadcasting on the same CH.
and after like 6-7mins successful connection
Well if you're actively Deauthing then yes you'll deauth your own network several times
but indeed, the fakeAP shows -29 power in airmon, the legit one -47. This explains migration.
can i send a DM?
I haven't done that module so I can't really help in DMs but in my limited experience, you can vary at least one of the parameters such as the bssid to avoid getting deauthed.
Thanks for sharing your info! I'll duplicate the situation in my homelab and see how it behaves (or doesn't). Best regards!
hey guys
how'd you fix it mate?
i can't netcat
on vpn it says this
and this on the box
I had to do something with dnsmasq to allow port 53 to be free/unused, then run the same command. it’s not part of the module, but it worked
I am kind of stuck in linux fundamentals, it says what is the path of htb-student's mail, but NO ONE HAS A MAIL ADDRESS except root, which I cannot use..!
What is the path to the htb-student's mail?
But no one has email addresses saved except root (not sure as I don't have privilege)
Can you tell me what is it? Im trynna find anything abt dnsmasq but cant find
DM me
Linux Fundamentals
Introduction to Information Security
Network Foundations
Introduction to Networking
Windows Fundamentals
Web Requests
Introduction to Web Applications
Setting Up
Introduction to Penetration Testing
Pentest in a Nutshell
Vulnerability Assessment
Introduction to Active Directory
Web Fuzzing
Attacking Web Applications with Ffuf
JavaScript Deobfuscation
Using the Metasploit Framework
File Transfers
Getting Started
Intro to Network Traffic Analysis
Android Fundamentals
MacOS Fundamentals
Stack-Based Buffer Overflows on Linux x86
Stack-Based Buffer Overflows on Windows x86
Fundamentals of AI
Applications of AI in InfoSec
Brief Intro to Hardware Attacks
Intro to Academy's Purple Modules
that is a right order to finish tier 0 ?
it's the lab in AD > Stacking the deck > Privileged Access
Please refrain from posting content above Tier 0. Reading your question, can the user you have credentials for enable xp_cmdshell or is it by chance already enabled?
Why there are no new modules ?
That's something to ask in a Cube Talk, just know there is only so much information that can be shared before something does drop.
hello guys, is the "File Upload Attacks" (web pentester path) working for you?
for me the upload button isnt doing anything
Are you talking about in the Skills Assessment?
no the whole module
Ok, which section are you currently working on?
if i click on the upload file button nothing opens
3 Section 1
Client-Side Validation
Ok, let me check it out on my end.
thank you
I have a green upload button on my end. That isn't the button for adding the file. Click on the grey person in the circle above it. That should launch a pop-up to select a file. Then use the upload button.
ill check and give you feedback
works, seems like i was just stupid when i last tried
Nah, not stupid. That kind of thing just happens.
Login Brute Forcing : Web Services
Can someone help me with this please , I am trying to get the user password with medusa with this command " medusa -h <IP> -n <PORT> -u ftpuser -P ./Desktop/rockyou.txt -M ssh -t 30 " but the process took a long time and still cant find the password is this usual ?
So I suggest starting this lab at the Kick-off paragraph within the section and basically follow along with the section.
Bro, that's exactly what I did, so I don't understand what the problem is.
I have a few minutes, go ahead and DM so I can see what you have tried.
dang why do u wanna finish all that
No.. start with information security foundations: 12 Modules and you can add with them network foundations, introduction to information security and getting started.. then from there do the Modules you need... before taking any module you find the prerequisites you need written down just follow from there..
Good luck friend from hacker association 🫡
So what I dont get it. It's just a lot of fields
It's better to learn the basics then dive into the paths
it is not about the difficulty
it is just a lot of fields. Would you actually take all those fields?
AI, web, binary (if im not mistaken), etc
https://academy.hackthebox.com/app/module/84/section/816
Use Crackmapexec - Popular Modules
Spawn Machine
Attempting to authenticate with module provided credentials julio:Password1 produces the following errors:
Take a look at the questions. You can probably answer all of them using SMB.
Okay not helpful - the error was a file called julio that contained a private key and so nxc interpreted -u julio as the file contents instead of the username. I posted that thinking there was an error in the machine.
that's intended behavior... it first looks for a file with the argument, then tries the name as a word, to get around this use quotes
hey guys, where can I ask questions about the AD module?
In this channel, you can ask questions about any module.
I was told to refrain from posting content above tier 0
^^
Ask your question in a way that doesn't reveal any content from the module
For example:
I'm working in Module X, Section Y. I'm stuck on the first question. I was able to log in as user Z, but I can't figure out what to do next. Can anyone help me?
all right. I'm working in Module https://academy.hackthebox.com/app/module/143/section/1508 , performed the ExtraSids attack to compromise the parent domain but without Mimikatz I cant retrieve the ntlm requested. I tried to use secretsdump.py but failed. any suggestions?
dm please
Is someone able to sanity check for Model Evaluation (Network Anomaly Detection) - Applications of AI in InfoSec.
Whenever I upload the model I'm getting an 'Internal Server Error'. I've tried both the Pwnbox and my local machine and haven't had any luck. I've been able to upload the other models fine for the other sections, but this one appears to just be giving me a server error.
Hi
Hello everyone, I would like a reminder if the principle is still valid - ANY pdf (including not complete report) is considered valid for a second attempt, correct?
hello can any one help me
i am currently in api attacks Broken Authentication
i try to bruteforce opt but it does not work
yo guys, im stuck on windows priv esc -> SeImpersonate and SeAssignPrimaryToken
i tried to run printspoofer but it didnt work
im trying to run roguepotato, but i cant get it to work; it requires some setup. ive read articles on it, but still not getting it to work
Module: Introduction To Splunk & SPL
Question 2:
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all 4624 events the count of distinct computers accessed by the account name SYSTEM. Enter it as your answer.
My SPL query:
index="main" sourcetype="WinEventLog:Security" EventCode=4624
| stats dc(ComputerName) as Unique_Computers by Account_Name
| sort - Unique_Computers
SYSTEM account is accessed by 0 distinct computers but this answer is incorrect. Time range is set to "All Time" from the drop down menu. Can someone please assist?
Hello , could someone help me with the Model Deployment Tampering in attacking ai application and system , I've done exactly as the lab says but can't get the flag?
i have been trying to do this for 3 days
Hello everyone! I was completing the Attacking Common Application's osTicket lab and I tried everything but I cannot get it right. I did what I presume I had to do, I created a ticket, then went to the ticket's thread and registered an account on the osticket's site with the support email address (format is <numbers>@inlanefreight.local), now it told me that an email was sent, but in the thread for the corresponding ticket nothing appeared. The same happened when i tried registering on gitlab. I have a feeling, that the lab has a technical issue at the moment as I also checked the htb lab where we had to exploit the same issue and there it worked. Is there anyone who could confirm to me whether the lab has an issue or I am doing something wrong?
Help needed:
I am doing the pivoting skills assessment. I have pivoted to first one with the credentials found on the web shell. But after that for 2nd network also managed to get creds and pivoted to 3rd machine in that there is one more network and i need to get into DC but could not find any solution for that
is anyone on that can help me, I am doing the Windows Privilege Escalation Interacting with Users module but it feels like the script for the SCCM_SVC account never runs, I have done all of the steps in the module and all 3 solutions to pull this hash just doesn't work because it looks like the script never runs in the first place
Hello, in the module "Password attacks", I am not being able to transfer the system.save file
the other two sam and security are transferred easily but
somehow, this file always gets corrupted otw
If you are using ftp make sure it is a binary transfer
i used smbserver from impacket
If you have access to the target via RDP, just set up a drive to transfer with ease.
xfreerdp <SNIP> /drive:tf,<HOME DIRECTORY>.
Then, in the RDP session, copy sam.save //tsclient/tf/.
hey, all the flags can be found without actually being on the dc. check what you got on the machine that can access the dc
Yeah i have found that but a bit curious on how to really get that
failed to run: This program is blocked by group policy
I am still having this issue if anyone can help
hello, ive been doing the CPTS path- Shells & Payload modules where ive had couple of issues:
First, the laudanum issue where i upload the .aspx file but it does not seem to work whether i edit the file and put my ip or reset my target
Second, in the last file the first thing i noticed was there was an upload dir so, i tried uploading which worked but upon opening it - it doesnt work again as the first issue - 404 so could this be the AV? since the module talked bout removing ASCII letters which i did not- assuming its just a lab or did i stray off somewhere else
In the end i looked at other's posts and found some people used eternalblue based on windows 2016 but at least for me just cause the version is 2016 does not guarantee its 2016 while i did use aux scan later - and figured it is vulnerable indeed
🙂 just need some help with the aspx part
If you are still having issues with this, you can send me a DM.
guys there have kali setup for htb edition !
no, only parrotos
Is anyone able to dm about the windows priv esc box, I am having an issue with the user interaction module and it is the only thing keeping me from starting the CPTS test
I wish the Android Fundamentals module can be updated at least for the environment requirement of Android Studio 
I just noticed my +60 weeks weekly streak reset, and I don't know why; I've been doing it every week to my knowledge and I as well do not have any streak ending email notifications (first image)
was there an update to how modules' sections get recognized as done? what happened? I was really motivated by it and I would very much want to recover it if possible and it was outside my control
Could anyone help me with the OsTicket lab from attacking common applications? Shouldnt it be just me issuing a ticket, then registering a user with the <number>@inlanefreight.local and get the confirmation email in the thread of the osticket i opened?
Please reach out to support
So I believe there are two ways you can work that one and what are you trying is one way. See if there is another way to get to the other login page they showcase in the section.
in API Attack - Broken Authentication / Improper Restriction of Excessive Authentication Attempts
how are we supposed to know the correct format of the thing we brute force?
Pretty sure if you identify the correct endpoint, it will disclose the required information in the request body.
I don't think so. I was hoping it would do so when i sent it in the wrong format in the response
You can send me a DM.
yo guys, im on windows priv esc -> windows built in groups section, which is about abusing SeBackupPrivilege.
at first, the privilege is disabled and im supposed to get it enabled.
i transfered the required libraries to import into the powershell session and i got it enabled.
however, im still unable to copy files, even after creating a shadow copy of C: and exposing it as E:
nvm, turns out i got access denied for the directory i tried to copy to
Hello everyone! I have a question about Linux Fundamentals module Section 18 "Task Scheduling". Why there said that we need to create a directory to store timer file but don't put it there? i can't post an image, i can't find where the button to send it
Are you asking why the timer script or the directory created in the section isn't present on the lab target?
Why the directory is created but isn't used for storing script into it
I think it's on you to create the script, if you wanted to follow along. I know it's not required to answer the question at the end of the section.
oh... thanks
Is it normal that the Targets I spawn often just last 2 minutes and then just don‘t work? Or should I contact support in that case? (Even after resetting and Terminating and Spawning again, it still has a Life of 2 minutes max)
No this is not normal. You can open a ticket and provide information to support and you can also try switching regions to see if that helps with your target lifespan.
Okay thanks. I wrote them a Message through the Chatbox, is that the same as opening a Ticket (or its equivalent)?
That should likely do it. It's been awhile since I opened a ticket. Did the chat mention creating a ticket? You should have received an email if a ticket was created or at least I always did.
Didn‘t get an Email. I‘ll just wait for the reply and see from there.
If you go into the chat again, you should be able to select Tickets at the bottom, which will display any tickets you've submitted at the top of the chat.
Anyone has done the Medusa - Bypassing Security Mechanisms by any chance 🙂
Hey there, were you able to find all your solution to this module?
Has anyone done the Windows Privilege Escalation Interacting with Users module, I am unable to get the SCCM_SVC user to contact me
Yes but I was doing it ages ago and I dont remember what it was
hi so for the skills assessment for Information Gathering - Web Edition, for question 3, it asks what the hidden admin directory is that I have discovered on the target system. the module didn't cover how to use gobuster or dirbuster I don't think but I tried finalrecon, curl, and nikto and it still won't tell me the hidden admin directory. I am doing it the way I am told to in the module and even also tried multiple variations of finalrecon commands and nikto commands as well as curl -I and it doesn't want to tell me the API key. the problem is it won't tell me the directory on the target system to begin with.
can someone help me out here?
Would you be ok for me to DM you just for a quick question? or it's pointless lmao
sure
Just did, Appreciate the help 🙂
hi is anyone available for DM regarding the third question of the skills assessment for the Information Gathering - Web Edition module?
I need to DM someone if I give away output I may or may not spoil incidentally
I need help with the third question, which is What is the API key in the hidden admin directory that you have discovered on the target system?
I can't get the hidden directory to appear to begin with and I don't think the module taught how to use gobuster or dirbuster
so unless that's something I'm supposed to look up I don't see it because I tried nikto, finalrecon, AND curl and none of those work
please let me know
Don't overthink things; look to 🤖
It worked now, thank you.
Remember the vhosts can have vhosts and directories can have directories. If you're really struggling just do a basic feroxbuster it just does all subdomain finding
could sum1 help me with an nmap enumeration hard lab been stuck on it a while, im new to cybersec
Anyone who is on AEN or have completed AEN im looking for a little assistance on the dev.inlanefreight.local upload portion
Why are you doing hard labs if you are new ?
The file is owned by a particular user, and permissions locked down. It's an attempt to get you to gain access using the 'ALG' service (which if you check the config you will see which account runs this service, and also owns service).
Thanks a lot, I will check this later.
I really appreciate!
Hi, I am doing a module (Nibbles - Web Footprinting) and I found that the website http://<ip address>/nibbleblog not working. Anyone else see the same error? Thanks.
Hi ,
I'm currently working through the Getting Started module on HTB and I'm stuck on one question.
It involves connecting to an SMB share as the user bob, but I’m not sure which password I’m supposed to use. I’ve already tried the following without success:
empty password
admin
password
bob
I also understand the hint says that Bob uses weak passwords, but I’m not sure what else to try or if I’m missing something in the approach.
Could someone point me in the right direction?
Thanks in advance!
i have a question, can I still access my completed module and start the academy lab to practice, although my subscription has gone?
The password is in the section's reading
any modules you've completed 100% during the sub are yours forever
can someone help me, i'm working on footprinting modules and stuck on the DNS section. DM if someone can help me pls!
i can't find any host with octet ends with "x.x.x.203"
Use different wordlists
Also seeing your erratum post; look for subdomains of subdomains
I'm looking for a nudge on the Footprinting Lab - Hard. currently feeling like im blocked i think i've found all the services but im trying to figure out if im going down a rabbit hole of brute forcing
A nudge on what? be specific
scanned for UDP ports?
Could anyone give a nudge, i'm at the final skills assessment of the “LLM Output Attacks” module. I can see the type of attack i'm meant to perform and i even get an error message and am able to get past that but now the llm just returns an image "none" instead of the output i hoped for...
that was the nudge i needed thanks im looking there didnt realize i could find some good hints just searching the thread
I already tried but still stuck😭
take a look at my second suggestion based on what you posted in erratum... you've missed something... a subdomain; for some reason the bruteforcing always misses this but a dig axfr doesn't miss it on the base domain
anyone know why is this happening to me? In the Pwnbox and with my kali with vpn, I can reach the ip or something is wrong
NEI what module is this?
Api skill assessment
API attacks skill assessment? Does the question give you an endpoint to start with?
this may be correct
no, I dont have an active subscription maybe is that?
that would not be it
btw that's a public container and port, so it wouldn't require the vpn anyway
anyone got u a hint? would love to help. it also took me sometime lol
havent had a response yet no, feel free to shoot me a dm if you have a little time 🙂
Dm same with @potent blade and say what you have each tried
i mean i just finished it. so i would love to help him 😄
because on the academy to complete the section on enumeration with nmap there is a hard lab at the end, seeing the (91.9%) complete is hard to watch 
Hi !! I'm on the "Attacking Common Application" block and my target loses connection every 3 minutes, so I can't do anything because I have to connect to it via RDP. Is this just for me ? (i use the pwnbox not the VPN)
dunno if you saw any of the suggestions but:
read the ids/ips evasion section carefully you can try each technique, you can replace the commands that use a specific port with -p- instead of -p <port>
try changing vpn regions, yes the pwnbox still uses the vpn it just connects automatically
Thanks !
thanks for your help but i read thru all evasion techniques and it still doesnt properly work
then you're likely doing something wrong
don't share flags
sorry, fixed
yep tryna get down to it see what im doing wrong
Hi guys, i am currently facing some problems when trying to start the Skills Assessment - SQL Injection Fundamentals. I am trying to get to the login interface(IP:PORT/login.php) of the application and i am not able to get thru 400 Bad Request error. I tried with and without proxy on Firefox and burp chromium. Is it an issue with the module or i am missing something?
dm me with the stuff you tried; wrap commands in codeblocks either `text` or
```
commandhere
```
will do thank you
Using /swagger should get you to here: /swagger/index.html, but if that isn't working, you can provide that instead.
Hey everyone, could anyone dm about Windows Lateral Movement module SA question 5?
||Trying to: .\SharpWSUS.exe create /payload:"C:\Users\rossy\PSExec64.exe" /args:"-accepteula -d powershell.exe -exec bypass -enc <b64> to Support host which has chisel forwarding internal traffic (revshell) on 443 to my kali.
Tried doing powershell IWR in b64 from backup to support (with nc.exe listening) on ports 443, 8080 as sanity check - nothing. Payload with just PSExec64 and same powershell arguments works from support to my kali, although doesn't from support to wsus host (there is probably FW between)
Update is getting in i think on backup since after 10 minutes status says backup accepted it.||
Look at the user context of the reverse shell
Question for Academy, I see that I can start it with 60 cubes. How far does that get me assuming that I complete the modules in order to continue getting more to go further? 
Like, do I always make it back + more or is it a slow fade to a paywall? 
You never get more than you pay
New to Academy? Looking for more information? Learn about HTB Academy, the Cubes system, and the platform structure here.
That doesnt answer my questions 
Like can I complete entire modules with just 60? The FAQ says you get more as you complete them but doesnt specify how much. Or will the cost slowly drain you down to a paywall even if you complete everything?
Yes... it does tell you
"To some extent, yes. Upon registration, we grant you several cubes that help you take the Fundamental modules. What’s more, upon completing each module, you are rewarded with additional cubes that you can use on the next Fundamental level modules. However, if you want to go straight to Easy, Medium, or Hard modules, you will need to buy cubes or purchase a subscription plan."
Look under the - academy cubes - section of the help article
"you are rewarded with additional cubes" - No amount
It explicitly gives the break down
Maybe Im on the wrong page then.
Its on the page I shared
it is a slow fade to a paywall in the end but you can get some good info for free if that's all you want
They provide a table of the breakdown
Oh, my bad
Its just that Im a student racking up a student debt. So its hard for me to justify additional expenses
Ah nvm you're quoting faq
it's 8$ per month if you're a student
Which really isnt gonna have all the details
Yes, I had stated FAQ lol
But thats also why I shared the help article