#offensive-pentesting-path
1 messages · Page 6 of 1
He really is
I like the british accent
He's the most British Brit in here
@final vault I do drink an unhealthy amount of tea
aii thanks
@lilac frost No worries - I am hoping to have a lot of the rooms covered by videos soon.
^
Sounds interesting
Ashu wasn't really british I don't think
That's interesting 
Uh-oh, i've given key OSINT info about him now
@hasty sentinel delete your digital footprint quick my dude
He is a public figure now
Do you intend to have it similar to the writeup system @spark iron
People can submit videos to room owners and they can approve or decline
brb^will answer in a sec
He has tea to drink
He better have at least 2 sugar cubes
@fathom rapids DM
anybody give me a hint on Steel mountain to escalate
i can only get a shell for some time, can get a shell every time in Steel mountain
getting shell may be LUCK for me
LOL
anyone else having problems with kerberoasting in the powershell room?
@thorn patio https://cwe.mitre.org/data/definitions/428.html
Common Weakness Enumeration (CWE) is a list of software weaknesses.
This actually helped me gain understanding on how the escalation works on Steel Mountain.
hello all i am looking for a walkthrough box for active directory i was told there was one but had to be retired for some issues....is it live again ?
Alfred moves like an old man
Are you subscribed?
I am. Just took a while for pages to load and for the Jenkins build to run long enough to get what I needed.
Huh. Interesting. You should have more resources if you're subscribed
It's performing better now
Alfred done...I might actually be learning something
Seriously, though, good lab and it pays to take notes on all the rooms right before it b/c you definitely build on stuff covered in those.
@thorn patio hey did you figure out the hackpark task 4 question 4?
nope
that is the only one I was pending on till date @rotund carbon, I have completed all in that BOX: Hackpark
ya same here, i have looked through the logs using event_manager.rb but really not sure what i am looking for
just ordered my oscp yesterday.. ain't nothing better to do than this during the quarantine lol
Good luck with it! @dawn narwhal May as well make something productive out of it all
@honest jackal @everyone ?
Thanks guys! I start on sunday night
was surprised by how quick but not gonna complain
@keen iris do you have an answer for @honest jackal
Uh, attacktive directory is still gone
@crimson flame
leaving for Georgia soon.
desktop is coming with
it'll be worked on as soon as I have a bit
@crimson flame Less anime VR and more box dev?
possibly
no promises
hi.. wanted to sign up the oscp path... do they provide some kind of tutorial or was it just 'boxes' for you 'hack'?
at the beginning there are boxes with guided walkthrough on how to hack them, additionally every box has a write-up which can help you
if you are an absolute beginner, first do "Learn Linux" and "RP: Nmap" rooms and you'll be ready to go!
thanks swafox..appreciate your advice
u'r welcome!
@fleet wedge hey
@dawn narwhal exactly what I'm doing. Perfect excuse to stay at home and study
@fleet wedge did you get the task 4 question 4 on hackpark btw?
Check my PM
i will have to message you again because this account is not registered with an email
registered*
so it doesnt save message conversations
tryhackme was down yesterday, so... no, not yet
oh ok
Was working on Legacy, a Hack The Box machine. I will shift gears towards tryhackme later today
I also got my new OSCP material so I've started reading it before my lab starts
OSCP material ?
Ya, I'm trying to get into pen testing. I have a Cell and Molecular Biology degree/background, so I decided to sign up for the course. I already read over 1200 pages on the subject and bought a few more books and some udemy courses.
Cool. Welcome aboard. When does your PWK start ?
Did you order the new OffSec material or old one ?
Best wishes, mine will start this Friday
I wish I'd seen tryhackme before, this platform has been instrumental to me in catching new concepts
yes it has been helpful; I will continue to work on these after I do my labs.
Hi, can anyone help me run hashcat? my machine is too old and cannot execute hashcat
i got the hash file
i think he means old and slow
oh.
old machine
You can try john
my machine is old and slow
if somebody has a faster machine maybe they can help me crack
using rockyou.txt
We can't give you answers
ok
There are alternative tools though
Such as john
That you may be able to use instead of hashcat
I think that was the first tool I ever used way before I got really interested in pentesting
John?
yeah
cracked my friend's windows password from a liveboot usb after he locked himself out of it
It was more for funsies than for any actual practical purposes
lmao gosh that gives me a flashback to when I worked before Uni. A former IT contractor for a place who were utter shite refused to change the whole domain credentials and everything once we took over - so we had to Hiren's like 40 windows machines & servers
@topaz ledge
Hirens Boot CD has tools for that
Did that exist in 2007?
anyone working on the hackpark room?
yes, i hear it mentioned a lot
ive deployed the vm but cant ping the VM, im connected to the VPN
wondering if anyone else having same issues
you've done some other room before this, yes?
yes
just checking :p
lol
you never know, honestly. Even real clever people can have lapses of reasoning
heck, especially real clever people
i thought as its a windows box maybe its taking a while to boot up - but ive been sat here for over 10 mins now
^^
cant even nmap
I haven't done that room yet :) Still got a backlog of tools to learn
god, telnet. You will never become irrelevant.
haha
@hoary hazel use -Pn flag for nmap and try scanning again
windows machines require no ping flag in order to scan them
Windows boxes -- by default -- do not respond to ping requests. This includes Steel Mountain, Hackpark and Alfred. To get around it, use the -Pn switch in nmap.
@keen iris could you please pin that?
I'm going to learn bot dev, just to add it to the bot
I'm already adding the web server thing to it eventually
We need that "common" issues page we asked for
Then we could just use the bot to link that
@chrome valve gotta say it's because of the vpn restricting it
According to some people anyway @final vault...
Many penetration testers maintain
thanks @bronze zenith thats what i ended up doing
Mhm @topaz ledge. We've asked for a "Common Issues" page on the website. Hopefully we can just get a !common command into the bot that'll link to that
or even !faq
@jovial pawn
but is it a bot? :D
We were after more of a Wiki kinda thing for CMs and Mods to add to
Likely the seconds it's ready horshark will add a command
you used regex node.js - now you have two problems
@bronze zenith is it normal for hydra to return 16 password matches for hackpark but none of them work lol
No. That happens when the command isn't right
Usually the F: bit at the end
That's 16 threads returning false positives
thanks @chrome valve will check my command and retry
No problem!
Managed to get a password for hackpark via Hydra. But the obtained password does not work. Has someone seen that issue before?
Tried above, which I am covering to avoid spoilers, but credentials do not work.
Thank you for that
Have you ran hydra again
And confirmed that's the output
Yes sir
It's possible that it's a hydra bug
I see
do you suggest updating hydra or Kali?
Or you mistyped your hydra command
can I post my hydra command here? if you don't mind?
or will be considered a spoiler?
You can dm it to me
ok
@fleet wedge im facing the same issue on the same task lol
Honestly hydra is weird in general as well as hackparks instability
If you believe that you have the right command you should reset the box
i did reset it and this time i got 1 valid password match but when i try to login it fails and the answer is wrong
so im stumped lol
So you've run the same command after you reset the machine and got a different result
yup
same here
Sounds like hackpark lol
could be a cookie problem?
It's hard to recommend a fix as the box is just incredibly unstable
@fleet wedge let me DM you my command and see if it matches
Hey guys stuck on hackpark #3 Ran PS and cannot figure out what the answer is, any advice?
Literally just doing that rn @fleet wedge
If no one else gets back to you, I'll give you a shout when I get it working
@chrome valve My machine keeps dying as well, at least I have everything so far jotted down
and thank you
I reckon I might monitor a fresh one, see if cpu and memory start going weird
Nice idea
Always seems to happen near the 1 hour mark
Yep SublimeSol has same issue
we were discussing
@fleet wedge did you get Task 2 hydra working? cos myself and SQLMantra are having issues lol
im sure my command is right and im getting one password match but it fails
@fleet wedge PM me, please
@hoary hazel if you're still struggling with that, DM me with the command you're using
Just been trying to show the way to find the data
I am 100% sure hackpark is broken, just tried every running service in 4.4 and none of them work
@fleet wedge you are 100% correct
Hackpark is incredibly unstable
Burn it
Hackpark is very unstable
pls sponsor me
Finding exactly the same thing re: service
i need oscp
@burnt agate Don't we all
yes
Lmaoooooo
Here's half of your oscp price let me take the test
Ah
they just wont take me
With the greatest respect, that's very interesting
ill do it when im 18 if nothing works out
I'll update the hackpark write up tomorrow to make it more clear :))
Are people having issues with the privesc?
The box itself is really unstable @hasty sentinel
Just played it (mostly) through earlier
Didn't get any of the "services not starting" that others have been getting
But it does like crashing randomly
@hasty sentinel yeah it's not that the box is hard per se
It's that it often doesn't work
Which leads to constant repeated questions that no one can really answer besides telling them "just reset and try again"
Vulnerable windows boxes don't have the best stability :((
I know :((
Would have to look into it more
But this box in particular just seems extra unstable
@hasty sentinel If that's the case how come the windows on htb don't seem to be unstable?
Not trying to sound like a dick, more interested if there's a reason
It's likely htb boxes have more resources allocated
Yeah, generally speaking Windows boxes are more stable than this
on THM, that is
Retro, for example, doesn't have the same kinda issues
But barring that hackpark is a rarity
No other box on the site seems to be as unstable
Hackpark just seems like it wants to crash
So I'm not willing to fully blame Windows
Who created it
Perhaps we could ask them to check the config and fix the vm if necessary
Is it just HackPark that seems to have loads of issues (Windows wise)?
Other windows boxes occasionally have issues
But hackpark is in a league of its own
hackpark seems to crash just before the hour mark
hackpark is like the ill dog that should be taken out back and put down
If it's just HackPark, as Ashu said, he can look into it.
But if lots of other Windows machines are being crappy
But if possible
Needs looking into
Could we private hackpark until then
Generally speaking Windows are Ok Skidy. Hackpark is just a pain though
We cant really do our jobs helping people with that box
It also seems to be what we're getting 90% of the time in rooms-help. The advice is invariably "reset it -- it's broken"
Because 99% of the time it's just that the box doesn't work
I had it crash irreparably three times on me doing it earlier
Btw are the question boxes case sensitive
So I'd agree with Pars -- can we private it for the time being?
There is answer tolerance @fleet wedge
as none of the services actually come up as correct
So it's loose on case sensitivity
Ah, sorry @fleet wedge -- meant to get back to you on that one
Yeah, I think that's another bug tbh
No that's a feature
Answer tolerance is intended
Lol, I was beginning to think I was going insane
The clown was a hint
@fleet wedge -- as in, the service doesn't seem to be showing up..
Like the webserver itself earlier
I thought you were talking about the physical thm questions
Ah, fair enough
Yeh not quite sure what's wrong with HackPark but will investigate
@alpine peak can you confirm if the correct one is in there?
yep, I see the vulnerable service in that .txt
Seems to be some misconception on what the intended privesc is
Wasn't I looking for *.exe
I've increased HackPark's resources, it actually had little resources
So I gave it double what it had
As @alpine peak pointed out
@alpine peak Have I missed the point to the question
I'm not aware of the questions, I just make the machine
Shall I show you the question and hint
Yea, send it to me, because I can't see it
Q:What is the name of the abnormal service running? H:Check in the "C:\Program Files (x86)" directory and go from there. Remember, you can use meterpreter to check all running processes on the machine. Answer format: *************.
****.
It's removing my stars lol
16 stars, dot, 3 stars
****************.***
I see, I can't give out the answer to that without permission from an admin
The .txt someone sent. the vulnerable process is there
I don't need an answer. I was under the impression that it was one of those .exe as the answer to the question, but none of them work in the answer box
I'm unaware of all that you tried for the question. The answer to it could possibly be found by viewing the logs of the service rather than what's running at that specific second
okay thank you, will try later
The thing isn't listed, but something that's running it is, right?
@fleet wedge Just be aware of what is normal to run on windows server compared to what you see, 3rd party services are more likely to not be there for no reason
It's not an easy machine, it requires good enumeration and understanding of what is happening
Okay thank you, see with Linux I am in my ballpark, windows not so much. But it's all important
I completely understand, my Achilles' heel is also windows
I wouldn't mind if windows wasn't so terrible. Elsewhere I've just about started learning about Active Directory
What works for me is to get familiar with setting up a domain network in your own lab, and try hacking it yourself
That's exactly what I have done: gns3, windows server 2019 and enterprise windows 10
GNS3 is perfect for that
I have my own VM server but I couldn't help getting a subscription to this site, I love how it's laid out, very good UI and boxes
It must cost a lot to run tho
Have you tried gensec?
Yea, computing power will always cost money, That's why lab options are nice like THM, HTB, VHL, PWK etc
grsec?
gensec, it randomly builds ctf boxes
goes against my rules
idk lol, I just like setting stuff up on my own because I learn more about the service like that
Fair enough, I think it's more for when you want to surprise yourself. I use them with my flatmate when I do CTF nights
Yea, that's why i'm considering trying out VHL
VHL? Virtual Hack Lab?
93 euro?
Where you based?
USA
It's scary how it's gone from nothing to everywhere locking down
Once the media gets bored, it will all be over
Just waiting for the Zombies now lol
For the UK it's less than that, our health care is crippled, the extra strain will indirectly kill loads more
It's actually better in theory to get the virus early so your body can build immunity, this is the same logic that vaccines follow
Yeah definitely, tbh I bet you guys have gotten loads of signups from countries in lockdowns
I don't watch the news anymore so I have no idea
I like to read it tbh, I don't believe it all but sometimes there is interesting stuff. Can I make a request for a box btw. Something space themed would be amazing
If the box theme is ridiculous, then I probably made it haha
The Mr Robot one looks good
OSCP one The mountain one
Steel mountain yea, it was windows which means it wasn't fun to make
Tbh I reckon windows overall is easier to hack, just because windows server is mostly GUI and defaults. admins spamming the next button
You know when the IT guy gives the printer domain admin he isn't qualified
It's so bad that it's not easy to make a box with
Because it requires more testing and it takes more resources
I know for a fact a vulnerability works with Linux but with windows I get paranoid and I have to hack it 3 times
Are you building then exporting as a vdmk?
Yea, but with windows it's not that simple because sometimes for a privesc, you have to autologin for a specific vuln to work as planned, and set service schedules with a specific permission to not allow system privs on initial
So many windows services love running with system privs, and that would make it too easy
Lol, it's like windows loves being hacked
Some services really really don't like running with anything besides system
Yea, windows in theory is easier to hack once you understand lateral movement
Process to process
The NSA also pointed out a major flaw in windows that still exists today
What would that be? IPV6 flooding?
eternal blue
I thought that was leaked from them
It was, but NSA still discovered it
Tbh it's always worrying, everything is vulnerable if you look hard enough
It's sketchy that the NSA would not tell anyone
sniper in the closet
Samba is a mess tbh, I reckon there is so much more we don't know
It's SMB, Samba is just a linux implementation of SMB
Lol, sorry I use linux too much by the sounds of it
It's ok, now you know
So do you do this kinda thing for a living
No, i'm a young kid
Yea, everyone thinks i'm old
Explains why you don't watch the news lol
You get told only what you need to hear tbh
I just don't think media people are qualified to tell me anything
wrong chat for this
Yeah, we went way off topic
Can somebody help me on HackPark?
@kind aspen What part
Hydra bruteforcing. I seem to get a list of false positives.
You're sending the wrong info, how did you guess what to send
False positives
Yes, FPs.
Do you know how to use burpsuite
Yes, I do. Well, now that you're telling me ... not 100%.
use the proxy to see what is being sent, copy that 100% replacing the username and password
and then add the :Login part afterwards
Yeah of course
Ok, morning all
Ready to have a nice breakfast and "kill" hackpark. I hope it doesn't die on me again
better to break fast than slow and painful
gl with it @fleet wedge it's a room that requires a lot of patience, but you'll get there!!
@alpine peak I tried VHL. It's a great platform. Sadly, I couldn't maximize my time there due to personal issues, but I would definitely give it a try and I recommend it. We have a nice VHL discord for it as well, in case you're interested. We have been running it for a year now. I may do one more again once my PWK ends.
@fleet wedge You work for VHL?
Nope
I'm a former HP DBA and Windows Admin
Getting into cyber security now .
I do NOT sell VHL stuff nor do I have any affiliation with them
It has a few windows boxes but like I said, I was able to hack only 4 there. My mom is an old lady and she got sick and I had to leave the US for a while
Internet in South America is slow and not common, plus I was worried about her so I barely used it.
Well hopefully you get more free time
Hi folks, any pointers on #1 of Task 4 on Hackpark? Specifically uploading my file using the current netcat session.
A Google of transferring files via netcat seems to show that I have to run netcat on both systems, whereas here the connection from the target is initiated by an exploit. So not sure how I'd run it on the target
Tried hosting a SimpleHTTPServer and grabbing the file using certutil and BITS but to no avail. Thanks
powershell
@umbral dagger you have already uploaded once, why not again
@alpine peak I'll have a look. Did ponder that but didn't think it would run from that cli, thanks
powershell is powerful
@fleet wedge did try that but couldn't find where it placed it lol
Have a snoop around
I probably need new glasses lol thanks
Sorted. Thanks guys
Doing hackpark again, let's see if the increase of resources has sorted it
Machine died again at 1 hour mark
Going to move away from this machine as the constant resets are very annoying
I mean have you been extending the countdown @fleet wedge
I had 1 hour left, I always press extend at the start
it was 1 h 5 mins remaining
Machine is "online" but unresponsive and kills all shells
and it's not cause you hacked it RealGoodTM?
Nah it's probably cuz of hackpark
You keep saying that, and yet it keeps staying up :p
will be sending an update on HackPark later today :))
just don't make it worse. That's always how my panic patches turn out >.>
anyone have any luck testing brainstorm locally?
can't even get the application to run on a windows 7 vm
just been testing hackpark
and the performance has been fairly okay for me
is anyone still having issues with the performance?
I've also seen people make comments about the privesc method on there - are people comfortable with it or do questions need to be amended to make it more clear?
I am wondering if the problem is arising with the more time options
Does it actually give more time?
If you like I'm free later to do a couple of runs and see if there are any problems, check the cpu and ram usage
ah do you mean extending the expiry time of the VM?
Yeah. I always extend my VMS right at the start, but hackpark always dies just before 1 hour
we'll be pushing a new fix for the expiry over the next few days (latest)
Okay
that should fix the problem
I found Hackpark dying on me a fair few times yesterday before the 1hr mark
Yoooo
@hasty sentinel introduce me to hackpark please. thanks
?
?
?
?
?
Hey, in Brainstorm, I was barely able to get nmap to run. I see the anon smb share but cannot access it for some reason?
smbclient -L \\\\10.10.117.154\\ -p 21
Connection to 10.10.117.154 failed (Error NT_STATUS_IO_TIMEOUT)
Are you able to telnet to it? @digital sonnet I haven't completed the room myself but that'd be the next thing I'd test
Wait NT_STATUS that'll be a Windows box
Yes it is.
That'll explain the ping and telnet
Sorry buddy! Haven't got around to that one yet. Hopefully someone who's active has...?
Oh I got it. I'm just dumb tbh. Trying to access an ftp server as an smb share.
Ah! I was wondering why you were specifying port 21, but thought maybe the box creator put samba on that as a little trick
good stuff!
Hi, been doing Alfred but can't seem to find root.txt on the system. Am I missing something?
did you search for it?
Yes I did. I am NT Auth, used the meterpreter "search" and spawned a cmd.exe and tried dir /s. Restarted the machine and tried it all again but with the same result. I mean they even tell you where to look in the questions but can't find it.
@proper pond from memory you might need to migrate to a different process. Even if your current process is technically System, not all processes have the same privileges.
Hey I need some help with brainpan, I have written the exploit but can't get a shell
can I dm anyone?
the program kind of quits when I run the exploit
@chrome valve Thank you very much. I really forgot to migrate. facepalm
Np
guys anyone having issues with steel mountain box? I was just about to privesc it and now although it's showing up on the THM browser, i can't seem to do anything on the box, can't telnet into 8080 or anything, just running nmap again but seems like the box is down
i think this is time to get some lunch lol -
hi Guys, on steel mountain, I'm trying to load powershell_shell but i keep getting:
Error running command powershell_shell: ArgumentError wrong number of arguments (given 4, expected 5)
how many arguments are you passing in?
@hoary hazel i think you are missing an argument
according to the example the command was powershell_shell:
for those who did the mrrobot ctf, any idea why the ssh port is shown among the open ports on nmap results even if it's closed?
With a connect scan ?
anyone who has completed brainstorm please give me some help...i rooted the bof box on the oscp but i still can't fuzz this thing correctly....not sure what i'm supposed to be doing
It's always a good rule of thumb to have a linux and windows vm
well i was initially trying to do it on my windows host...but firewalls and whatnot....it's pretty locked down. anyways...rooted and good box once i spun up a vmware win10 instance to debug it on....
Can anyone help me on hackpark? What is the name of the abnormal service running? I can't find the solution.
||windowsscheduler.exe||
if you run ps and check logs you see ||Message.exe|| is being started and stopped every minute due to the scheduler
Always an interesting service to check logs for when you see it running
Exactly, I found that one, but I couldn't find the scheduler
But how were you able to find out this name? ||windowsscheduler.exe||
Ok, thanks so much. I always tried the abbreviation, so I got pretty frustrated
You already got an answer, mate. Please don't spam
check #room-hints i replied over there
sorry i realized i was in the wrong room last second
then join it
Could someone give me a DM about this one because it's bugging the hell out of me; Task 4 #3; 'What is the name of the abnormal service running?' I've gotten both user and root flags, but cannot find the answer to this question. *************.
Oh... HackPark...
@maiden mason the answer you seek is like 12 posts above your question man, look first
the answer you seek
Don't forget to stroke your beard, Wiseman :p
do u think it's better to make a lot of rooms before getting into the oscp path?
Or is it progressive and i can take it right now?
Have you done the primer path?
not yet. It's better to do it before ?
primer :)
though there are rooms related to the path that are good to take during that
with the primer series, i'll be able to do hackthebox more easily? and oscp is the next path to take?
All learning you do here's gonna make any other target easier ;)
ok. Thank you. I'll take primer series tomorrow
Cheers
hello guys, can somebody help me with the alfred room? i was stuck on the meterpreter shell. i didn't get a connection back to my handler
Hi Guys, I am on the BrainStorm of this OSCP path and have been stuck on it for quite a long time. 1. The Nmap yielded 3 ports but I "brute-forced" the answer and the answer is some other number instead, I tried to use different scans but other than these 3 no luck. Are the rest of those ports the result of the BoF part? 2. I have managed to get the executable and am trying to run it on a Win7 32 bit VM but nothing pops up, and also on Kali using DosBox and failed to load too. Shall I jump straight to the overflow part?
@stark hornet You're overcomplicating the machine, download the exe and dll, debug using immunity debugger or whatever you want to use, and develop an exploit for it, run the exploit on the target machine after its working on your win7 VM.
ASLR and DEP are not an issue with this BOF, it's made to be simple
@alpine peak thank you for your advice. I have moved to the BOF part and am trying to get the script working. will check back on the port after I get the first shell.
Hey guys what should be the next step after completing the oscp path before I purchase lab time?
@digital sonnet Do a lot of windows machines
How confident do you feel after completing OSCP path @digital sonnet?
Pretty confident with most tools and completed all the brainpans.
windows machines I'm not sure, still have to complete hackpark
@digital sonnet offsec loves windows machines, so once you finish hackpark, I recommend doing tj null's HTB windows list
Yeah they get a rock on for windows
For good reason, real life pentesting is mostly windows from what i'm told
^
a lot of corporate environments use windows as it's easier to use and more common and friendlier, plus the administration of it is fairly easy
agreed
Hi all, in the game zone room, everything works fine EXCEPT the final step: metasploit says "Exploit completed, but no session was created", though authentication succeeded and the payload was delivered. I've exhausted all my options - does anyone care to give me a hint? Thanks...
The same thing happened to me i just rebooted the box and it worked
check the lhost option, the same thing happened to me when i gave localhost value to that option instead of my 10.10....local address
can I post a screenshot or is that not allowed?
Okay, here I go (redacted)
Well then.
RHOST looks wrong. It's supposed to be the target -- the Remote HOST
Really? I found a write-up where RHOST was set to localhost...
And LHOST should be your listening machine, as seen by the target -- so not localhost
RPORT is localhost here, because the webmin tunneled out to the attacking machine
i would suggest you to try to change the payload
That LHOST IP is my listening machine (and is my localhost). I'm apparently getting dumber by the minute...
@topaz ledge yes you are right:)
neat
nice job!
Still the same result, tried all the combinations...
Except the one that works :p Well, I don't know what it is then
Original settings were correct (RHOST localhost) and LHOST set to IP of localhost...
yeah, to the remote machine, your localhost won't be their localhost ;)
Anyway, thanks for all the help, I was stuck for several hours...
Sometimes it's helpful just to write it all out :)
Hey guys I'm thinking of doing the OSCP path in preparation for my OSCP exam, I'm 1 week away from finishing my lab time and I wanna keep practicing before I schedule my exam, looking for general tips and advice
@icy oxide The oscp is good, but only if you ignore all of the notes about using metasploit
@icy oxide i'm studying for my second exam attempt for the oscp, my labs just finished and i'm using the learning path
definitely a good refresher, plus learned a couple of tricks
Hello!! I'm preparing to start taking the OSCP 4/18/2020. Is there any information on what is in this OSCP-path? How long will it take to work through the path?
Trying to get a little more information before deciding to subscribe.
@final vault yeah I plan on practicing without metasploit until I pass my exam
@icy oxide sorry but prob a silly q, what are the alternatives to learn without metasploit until passing the exam? I'm planning to enroll for OSCP studying soon ..
@hoary hazel Learn to read and understand code instead of running it
^
@alpine peak ok thanks for the tip
@hoary hazel Well by writing manual exploits or using public exploits, and basically running everything manually, essentially doing what metasploit does automatically for you, but manually. So at the beginning of the course you won't learn metasploit off the bat, first they teach fundamentals before they teach you about exploit frameworks and you're not allowed to use these frameworks during the exam.
It will make your exploits take longer, and things will be far more rigorous, but you'll learn things in-depth that you would've likely not learnt otherwise.
Sorry for the late reply lol
Hi @icy oxide thanks for the reply and advice. Is that covered in the PWK? Either way, is there a resource i could use to learn the above prior to starting oscp? Currently i'm doing most exploits using metasploit and it seems from your reply, a better way to learn is manually, that way i will have a better appreciation and knowledge of the exploits.
@icy oxide no worries about the late reply
@hoary hazel Yes it's most of what the PWK is comprised of, most of the course materials are comprised of manual methodology for specific attack vectors, along with certain fundamental theory on different computer architectures, operating systems, etc. And of course there is a focus on teaching you how to manually enumerate.
What I can say is that to really make use of the time spent on the OSCP labs is to be prepared for them, and I think the best way to do that is to practice on the low cost/free lab environments before you start the course, so you don't study under pressure and are able to take in everything and really develop your workflow, I wish I would've spent more time practicing on Hackthebox or even Tryhackme. QQ
Keep in mind though that OSCP is not about teaching you fancy exploits to run, it's about identifying and carrying out many attacks in a short amount of time. You will be tested in your ability to enumerate and research more so than your ability to (re)write exploits.
The more programming experience you have though, the easier a time you will also have in the off chance that you need to translate a metasploit module into another language.
@hoary hazel
Thanks @icy oxide & @calm brook
In Vulnversity, the second to last question asks what user was running the webserver. Maybe I don't understand the question right. Why is it not www-data?
```
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
@scenic glen I reported it in #site-bugs a little earlier as i'm fairly certain it is one
I managed to get the root flag but when i was logged in as root
mesg: ttyname failed: Inappropriate ioctl for device
Is this common or did I mess something up? I did not have a proper prompt
Also the reverse shell drove me mad with not being able to backspace. Why is that? And is it fixable?
This was on Vulnversity
I did but used it at the end, but still may be able to help @honest jackal
What are you trying to accomplish?
can i dm you ?
If you think it's needed!
MOrning / evening all
I am redoing Vulnversity, did not take proper notes the 1st time.
Now I am getting this error when using intruder in order to validate which extensions are valid or not:
"embedded browser initialization failed" < --- this is on Burp, the results tab, response>render
while I can technically validate or see response using "raw" tab, I want to understand why this is happening and how this can be solved.
@honest jackal i also completed hack park without msf
Hi, anyone here could point me in the right direction? Room: Steel Mountain
Take a look at the other web server. What file server is running?
It doesn't accept any format
@mystic forge What input are you giving it?
Ah, yes, that one. You're not wrong, but you're also not entirely right. Give it a closer look
Nice!
Ohh well ... I guess I'll have to accept no responses to my above question as a possible bug on Burp
Moving on , I guess ...
Have you tried OWASP ZAP? It's much easier than Burp
Hmm, not really , but I can take a look. Thanks for the advice
I hope the exam is not as hard as the hackpark room.
@scenic glen Hackpark isn't that difficult
Isn't hackpark ranked medium on THM?
As someone who is currently doing PWK in preparation for my OSCP, HackPark would be a 25-point room
I found it hard. Especially since the escalation point was not always obvious.
Kinda was tho
I assume there were other ways to elevate privileges
If you saw wschedule, you'd know to look at logs
logs would show that || Message.exe || was restarting every minute
so you could replace with shell
May give HackPark a look tomorrow
It's a really good room tbh
I assumed there was an exploit in that directly
I'll update hackpark in the coming days to include a manual exploit
so you don't have to use meterpreter
do other people also have issues with getting that last shell from message?
it crashes after a few minutes when I do that and I have to redeploy and start all over, it drives me crazy
hackpark can be done without ever using metasploit
Actually, all OSCP path machines can be done without metasploit
so idk why you would add a manual exploit if its already manual
@final vault is adding new tasks to rooms, so its clear those rooms can be completed without using metasploit
The official writeup didn't even use metasploit
powershell with nishang is all anyone needs
Some did I think?
It's just dangerous to be modifying a Windows machine after it's been working, because it could break
Linux is different
I've done the room without metasploit; however, when you developed the rooms you seemed to include metasploit as your go-to @alpine peak
Please note I'm just trying to improve it and won't be modifying any of the rooms directly just the tasks on the site
^ That was most likely me or ashu
Zayotic makes the machines + writeup, we then made it into a room
I will take the hit for that, even though I knew about the Metasploit 1 use rule, I still included it to use Metasploit as: we released rooms before making the pathway, so wanted to make it "beginner friendly".
Ok good, because Windows is so unpredictable, I thought you were actually changing the machine itself
oh no the machines are good
As someone who did them without metasploit I enjoyed them highly
The OSCP only allows metasploit to be used once, I misunderstood because I thought the goal was to prepare for the exam, so I never recommended metasploit for those machines
Yeah I wouldn't touch the machines as whenever I seem to attempt windows box dev it just falls over. I'm starting to think I'm cursed
Only with Windows machines I would not recommend that, because it's so unstable
windows do be windows
We will have a special guest, @dplastico https://twitter.com/dplastico OSCP, OSCE, who will talk to us about AV Bypass and PE Backdoors.
I'd recommend someone hooks @final vault up with the original, msf free, writeups for the boxes then ( @spark iron )
Yeah, the ones I gave you are the writeups from the boxes.
Just finished my exam. I have a doubt: I rooted one 25 point machine, a 20 point machine and a 10 point machine, and got user on the 2 others. Is that enough to pass?
you'll see in the near future, in OSCP there's no exact passing score
They say 70 right?
Do you guys have any advices or resources for windows privilege escalation?
@rotund rivet do all the boxes that are available on the internet. Experience is key. Do not rely on kernel exploits as their boxes are regularly patched.
Even for Windows ? :o)
@sonic loom yup
@rotund rivet There's more windows privesc content coming
Can we view the "OSCP Path" content before enrolling?
@honest jackal Thanks
Just sent the report fingers crossed now 
Anyone here done VirtualHackingLabs as prep for PWK? I am doing VHL now and so far really like it. The people on its Discord definitely seem to think it's great prep, but I'm wondering how it really compares to something like THM's OSCP path
THM is $10 per month. I wouldn't pay 100 for VHL. And I did learn A LOT
@devout kite Who is that?
@fleet wedge I've been doing VHL, however I learn terribly from PDFs so watching walkthroughs and doing boxes like on THM/HTB is working better for me
@tiny geode gotcha, yea I've had to take pretty good notes to really remember the material
I took a ton of notes too
But at the end of the day it still didn't really go in and I struggled in the labs a bit
So I'm going back to my original plan of doing Ippsec walkthroughs for every retired HTB machine and the OSCP path here
Yeah me too
Is this path worth it?
The path is great, I'm currently in the process of adding non-metasploit/meterpreter tasks to each of the rooms
@fleet wedge If you fancy challenging yourself try doing it without the tasks
I'm really enjoying the path, I failed a while back and this is just what I need to refresh and get back into that mindset.
Has anyone done the skynet room? Burp intruder is not returning an abnormal length to indicate the correct password for milesdyson. Anyone have this problem?
@fallen herald are you trying to brute force your way into the account? You might want to try a different approach
Question: What are the downsides to using my own Kali VM on the tryhackme labs?
Cool, thank you!
It's just non-persistent is all, but you don't need to connect via VPN etc
Can we install tools and use it on the web?
As in, can you download new tools and use them against real world targets?...
Bear in mind the legally dubious nature of that
I believe it's ok to download tools that help you complete the lab with less work, right?
Correct. You can download whatever you want, provided you're using them on TryHackMe machines, for their intended purpose
That's what I'm looking for. Thank you
Don't do anything illegal
Or the greatest ban hammer of all will come upon you
The ban hammer of the law!
@scenic glen yes. I have tried Hydra as well but it returns with 16 valid passwords. I couldn't find the PHP cookie in firefox which is the supposed workaround. Burp should just be showing the abnormal packet length
@fallen herald For hydra you can display debug data to see the data returned. You can see why you get 16 valid passwords. But at which question are you?
I passed guys
gzzzz
Congrats!
@honest jackal I never doubted you for a single second
@honest jackal Ey!!
Thx for the nice words I will not miss shouting out TryHackMe when I share my badge u guys rock
@scenic glen I'm still at the first. I just took a guess and figured the first would be his password, which worked, but I want to make sure brute forcing the website actually works. IRL I wouldn't just be able to guess
@scenic glen I'm just gonna retry Burp and see if that works. Finding the PHPSESSID for hydra was too much of a headache
*trying to find
Any doing the hackpark box?
got it nvm
anyone recently completed hackpark??
I did
@marsh current Yah
@honest jackal Congrats!!! big respect! any tips?
@chrome imp break all the boxes that people call OSCP like. I think experience is key. You must exploit a lot of services and take notes. I think if you do that, getting a foothold on all the machines should be a piece of cake. As for privesc DO NOT RELY ON KERNEL EXPLOITS and scripts such as Sherlock, Watson, windows exploit suggester. You can run them sure, but don't expect the solution coming from there. Last but not least, sleep!
@honest jackal and how much time did it take to get the answer back?
3 days
Cool!! congrats this is really cool.
@honest jackal given you the OSCP role. Sorry, completely forgot last night
you don't @rotund rivet . it's a placeholder for now. it will be filled in with more info soon
Ok thanks
anytime
Hitting the OSCP boxes because a $10 a month subscription teaches it better than my $1400 PWK. https://t.co/T2fiz0Uhr3 #tryhackme #ctf #hacking via @realtryhackme
I just signed up for OSCP. Can you take the exams as many times as you'd like?
i think yeah, but they probably won't allow you to do a lot in a short period of time
and it's better not to think about retaking at all ;) aim for the win at the first try
yeah thats true, good advice
oh interesting.
Tldr don't fail
lol
Study the material to a T. If you struggle understanding one part. Give it more attention
can't wait.
I just discovered Discord too (man I feel like an old man), can't wait to begin this journey!
i feel like the final privesc on the skynet box was just so obscure
like i would have never got that
ever lol
had never seen it before
@celest locust - nice handle. can't wait to watch the new season
@rich ingot thank you sir! It's a great show. New season is brill
How good is the oscp path, in your opinion? does it prepare you well for what's ahead?
@celest locust A decent linux privesc script would have pointed it out
pretty sure pspy would have also
@celest locust Nah, it's a pretty common privesc.
All about enumeration and knowing what to look for
^
@grizzled spade From my experience, yes the path does reflect the OSCP related concepts that you may or may not face
Out of interest, anyone had any issues connecting to their personal clients in pwk? Can't seem to get into my windows client
@subtle verge @noble glacier for sure - ty
Hi!
I am having some trouble with steel mountain. The port it asks for in Task 2 is not open. It doesn't show up when I run nmap, and if I target the port directly it says it is closed.
use -Pn
Ah, it doesn't respond to ping
It even says so.. My bad. Thanks for the quick response
you are welcome
Wondering about the answer to a specific task, I guess I shouldn't do that here. Could someone who knows the answer question to #2 in task 2 on steel mountain, PM me? Not sure I understand the question correctly,
It asks for the file server name, but presents an answer format that doesn't match anything found.
Ok, figured it out. Really misleading and unnecessary question.
Streaming the oscp path now if anyone wants to ask questions
great
Steel Mountain has been updated to include a non-metasploit task. This goes over manually exploiting the vulnerable application and also additional ways of discovering the privilege escalation path
nice, looking forward to it!
Cool, was this done today?
@final vault nice, literally doing that machine now
Ah, task 4. Very nice
hi anyone try lord of ring machine without sql map
hackpark - I've tried what I think is every service / exe I can see running/in program files, and none of them work - what am I missing?
@odd zinc I'm having the same issue!
I noticed on the forum there's a lot of people also having an issue
I have tried all sorts of combinations
ah that one.
It makes sense you just have to know what to look for kinda thing
yeah you have to approach it from another view.
powershell -c "Get-Service"
so is it asking about services or processes?
Finally got it, thanks @final vault
@odd zinc Would you be able to give me a nudge in the right direction? You can DM me if you want.
@odd zinc Thank you! The question is very misleading...
Hey hi
can i get help in Steel Mountain, I have found the exploit and changed all the socks information, but I can't get a shell, and the exploit itself tells me to try
Have you set up a local webserver with nc.exe in its root path?
Anyone know when Alfred will get the non-metasploit approach?
Also, having the task there as a placeholder is somewhat annoying as you are unable to get 100% progress.
Hey everyone! Is someone available that could nudge me a bit on the non-Metasploit, powershell exploitation on Steel Mountain please? I have access to the machine manually, just struggling to figure out the Powershell stuff. Thanks!
it's frustrating that it's not showing as ticked off huh
hi
i solved lord of the root machine but i can not find task2x6 answer
i got root flag but i can not find task 2x6's answer
could anyone help me?
HackPark. Is the password found in rockyou? I am not finding it, and wondering if I am running hydra with the wrong parameters.
Got it right this time, thanks
hi, how can I complete this task in https://tryhackme.com/room/alfred
@thorn patio you can't yet. It is being updated.
but not yet updated still now
@thorn patio No. He is updating all of the oscp rooms to use both with and without metasploit.
Oh , nice to hear that
@thin walrus He's working on them now..some have been updated if I'm not mistaken.
@thorn patio you can't, it's been updated
oh okay @jagged stirrup
hi
i solved the hackpark machine and I got the root flag but I can not find Task4x3's (What is the name of the abnormal service running?) answer
if you got the answers you should know, try ending the service name with .exe or .svc
any oscp (2020) holder? please share your exam experience ( blog post/ video)
@odd zinc i feel stupid, still can't find it. Which cmd command should I use?
i found it!
eh god one day i will get to that path
Hello, I have a question about one of the Intro to x86-64 room questions. I'm trying to analyse the if2 executable (ELF) file with r2. When I want to see the rbp-0x8 value before the popq opcode, r2 returned 60, but when I type 60 in the input the tcm system doesn't accept it. Where is my mistake?
@gritty jungle chances are that it's in hex
oh sh..
When I tried, I encountered the same error.
Oh. Okay. I understood.
Ty. @chrome valve
Np
Hi i need a help in skynet i have found the perfect password but not working
@thorn patio Maybe the password is for another service?
nope i hope it is same
can i pm u, because it may reveal
more things
@scenic glen
@thorn patio you can pm me
Hey there guys... Christian Gabriel here!
hi @steep lotus
So here's the deal...I'm struggling a bit on linux and windows priv esc in general. I've looked at both the linenum script...tried running it but I just don't understand which vectors are used for privilege escalation... anyone got any learning advice or techniques?
@steep lotus you can do this room: https://tryhackme.com/room/commonlinuxprivesc
It gives a good insight on linux priv escalation
Awesome. Thank you. Got any rooms for windows priv esc??
They're in the making
So I finished Kenobi last night. Can someone explain what exactly we did on the privesc? I'm a little fuzzy on what exactly changed with curl and $PATH to make ../menu do something different
Feel free to dm me if anyone wants to
@fleet wedge From memory that's a path manipulation
So there'll have been a binary that was executing something using a relative path (presumably the menu binary, calling curl from what you were saying)?
Hi I have just started Mr.Robot machine. I am struggling with question 2 in task 2 section. I couldn't find other running file server. Feel free to dm me if anyone helps to me
Edit: I solved it
Batu, what's up @cobalt turret
Hmm. Why did I find brainpan1 room so easy?
Possibly there was nothing new in there. But I don't find it hard. I would say medium
I would also put a flag in there
@scenic glen Most people skip the 2nd privesc method
hello. in vulnversity room when i upload the phtml file and call it from web i get WARNING: Failed to daemonise. This is quite common and not fatal. Connection timed out (110)
has anybody seen or a solution?
@alpine peak I elevated via the custom user script. What is the second one?
hey, does OSCP have reverse engineering also? in the OSCP path there are 2 machines, brainstorm and Brainpan1
OSCP doesn't include any reverse engineering unless you deem buffer overflow RE
The path is to help people prepare for oscp
As OSCP doesn't include it, it's very unlikely it will ever have any
yes path is very useful I really feel I have some more knowledge, I do HTB before and trying something new and it is great )
Anyone working on oscp labs
am working on oscp path
yeah me too, working in the OSCP labs
can anyone suggest any material for buffer overflow tutorial?
Is there anybody who finished Steel Mountain room? If anyone, could contact me via dm. I have a question.
anybody online?
check the writeup
okay let me check
sure
i did it recently
https://github.com/Tuhinshubhra/CMSeeK
this one works fine
with python3 and sudo though
i used sqlmap there :)
that's why
and everyone in writeups used it
https://github.com/JohnDoeDC/dailybugle/blob/master/README.md
i think this one gives you the OSCP approach
i am telling u
the exploit doesnt work
ya that too
maybe its just me iguess
but the password is showing 'n'
when i use that
hi, guys.. I have a question about steelmountain
[Task3-3] Why make a file naming A****ed.exe and How to know that File name on the script?
How to replace the original service binary?
Does anyone know?
Oh, I found the answer. ...I will share this
https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
Currently looking at HackPark. In task #4 it says you can upload the payload using the current netcat session. How does that work? I thought you had to have netcat for windows installed on the machine and explicitly start it.
I might be reading it wrong. Maybe the tip isn't hinting at using netcat itself, but utilizing any method of transferring files possible.
Busy with HackPark - anyone available to check something for me on my hydra brute force as I think I am not seeing the obvious?
@coral snow have you managed to get the file uploaded?
am I crazy or does the hackpark cve question not match the cve that applies to the exercise?
@gritty hollow Yes, after a couple of tries. Thanks. A bit hard when the shell gives no feedback.
HackPark.. How would I go about finding the abnormal service? Not sure what to look for. Then again, I am confirming my finds by pasting them into the answers boxes on the hackpark website.
Which seems unreliable.
From the OSCP path, https://tryhackme.com/room/steelmountain Task 4 ........... (access target without MSF). Managed to get a shell back to my listener by doing the exploit on Rejetto HFS, python <target IP> port:8080, getting a shell in C:\Users\bill. Then according to the task we have to find the service that we can restart, which is AdvancedSystemCareService9, path ...............\Advanced SystemCare\ASCService.exe. We have to make a payload with msfvenom, which I did and gave it the name ASCService.exe in order to restart AdvancedSystemCareService9, and then this .exe would be running according to me. When I copied the .exe file to the current folder and restarted the service I got a message saying: The file or directory is corrupted and unreadable. I then tried to change my .exe file as per Task 3, where we can see TryHackMe named the file Advanced.exe, which I don't really understand because the .exe specified in the path on the Windows machine ends up as ASCService.exe. Anyway, I did another payload with that name and even if the service restarts properly, I'm not getting any higher privilege. I'm still the same user bill. I was thinking then maybe I should put a listener on the port# that I specified in my msfvenom payload but still no answer. I feel kinda stuck here .. any help?
anyone have issues with Blue/Windows machine?
@hazy ruin you don't understand the exploit
It's unquoted path meaning the exploit has to be advanced.exe
@final vault okay I see, but I did with Advanced.exe . when I restart the service I get nothing
Guess I'll try again then
hey, i'm unable to connect to the vulnversity webserver on my browser, using mozilla.
i can ping it with nmap though
i can't find port 80 in my nmap scan, however
@opal mortar You need to figure out [Task 2] Question #7. don't post the answer here
thanks
@lament osprey Sometimes it works if you type exploit -j and then wait.