#offensive-pentesting-path
1 messages · Page 10 of 1
Yep! In the box too you have to wait for the job to happen
ok thank you, it's clear now
Any time 🙂
So in this Lord of the root box, after i got the "hidden service" port, it's supposed to have some "user credentials" on there
this is what i've enumerated so far, and i'm running a nikto scan
i've looked into /images directory and downloaded and ran steghide with no passphrase on them
anything else im missing?
have you gone out to the website and tried visiting some other directories?
the index is blank with a single image on it
did you look anywhere else besides the index?
in the /images
anywhere else?
the /server-status returns 403 forbidden
how about a common directory that maybe has a login page or something
okay imma run /usr/share/dirb/wordlists/big.txt then come back
you dont need to directory bust more
just do some manual enumeration
on random directories
try it and see what happens
it is a lord of the rings theme
maybe try something LOTR related
well
there's a picture that shows instead of a 404 error
in the source code there's a flag
or something
sounds like progress to me 🙂
yea it's base64 and after decoding that
haha
you know how the base64 has the == at the end
they used it to make it look like this = closer! and that's also a flag
thats funny
brb
okay pwned
@dense root can you explain to me what this is talking about "what's the method to exploit the system for privilege escalation"
i've exploited the kernel since it was outdated
but this is looking for a specific answer like Kernel exploiting or stuff like that isn't right
It’s more of general term for the type of exploit
if you actually look at the source code you can tell what it is
^, i think they also actually intended people to exploit it a different way through ||those binaries|| @wet sierra
yea
they have also a buffer overflow
in there
let me check that see if that works
lmao
😄
that was the answer
yea, i think that was the intended path
lol nothing to be afraid of
god i hate oracle virtualbox so much
it blocks when i click stuff
it starts to bug after 2h of using
Maybe it’s your install. Nothing occurred for me and I use it for hours at a time.
my virtualbox is working very fine
Anyone in mood to help?
If you have access to a sysadmin (sa) account on mssql but realize it's running as "nt service\mssqlserver". Is there a way to elevate the privs if bind/reverse shelling is not an option?
@haughty isle Have you tried something like xp_cmdshell? Maybe create a new user through it 🤔
Enumerate the db using msf too while you're at it
Yes, however the nt service\mssqlserver account runs in lower privs at the system level
Enumerate the db using msf
I have full access to sysadmin(sa) account already
Still, make sure to enum the db
Though, may I ask what machine this is? I don't believe this is a THM machine? Is it one from HTB?
No mate, I'm on a live client engagement
Gained access via fortissl vpn. There is limited traffic on the internal LAN and both bind/reverse shell can't work. The MSSQL server is my only foothold ATM. However it's very restricted since it's running as nt service\mssqlserver and not nt system
why the name change from OSCP to Offensive Pentesting?
Hello, is there anyone on Learning Path following the web fundamentals Path that could give me a hand on an issue I’m facing with the Authenticate Room Task 4? Is this the right room for help 1st of all?
got you, thank you sir
Hello all, I’m in the openvpn room, from access page it’s showing that I’m connecting to the network but I’m not able to access the machine that I have deployed in task 6
any idea what’s the issue?
#site-support you're not actually connected properly
@keen iris it’s showing connected and I get response when I ping the this IP
That's pinging your machine from your machine
Which tends to work
Move to #site-support
Don't trust the access page
Ever.
okay then, thanks @keen iris
Is there a way i recursively download file via xp_cmdshell in mssql?
Google knows
Coming here is a sign that I can't find anything from him
That's from an ftp server.......what I'm looking for is via xp_cmdshell local to remote with no option for running a webserver from the mssql server
Upload nc.exe and transfer files using it? 🤔
What room does this pertain to?
It's not a room, I don't think any of the rooms have something like xp_cmdshell.
Yeah, they told me earlier it was a pentest engagement 🤷
Yes.... it's a pentest engagement
We don't offer advice on items outside of TryHackMe, let alone pentest engagements. You can ask elsewhere for that
@haughty isle
Noted
If i get the time i would love to build a box with similar challenges. If anyone is to apply knowledge from THM in real life engagements they will quickly notice that a lot changes. However the knowledge one gains from such is invaluable.
which one i should choose to improve network pentest skills?
I really don't think you need to take a networking certification for your pen testing needs
he’s not talking about certs I think he’s either talking about rooms or paths and I'd have to disagree with that statement as a lot of networking certs can be very useful for penetration testing
I thought this was career channel and yeah they are useful but not necessary to get started at the beginner stage
sorry I didn't say it clearly. I'm looking for rooms in tryhackme that focuses more on network pentest
I'm connecting to VPN but I can't seem to ping Jenkins in the offensive path
any idea why?
Did you read the description for the machine?
So is that the reason why i cant even nmap?
No you should still be able to use nmap
nmap tells you what you need to do if the machine doesn't respond to pings
If you haven't figured it out yet, try using the -Pn flag.
evening all 🙂
Can anyone answer a question regarding the Brainpan-1 room? There's a note on the "Offensive Pentesting" path which says "This room has been locked until flags are implemented." It doesn't seem like the room is locked, because I was able to join it and deploy a box and get pretty far into it, but based on my results (it's true there don't seem to be any flags), I'm wondering if the room can actually be completed? I guess my confusion stems from there seeming to be more challenges/stages in the actual box than there are associated tasks on the room's page.
@midnight birch that’s correct you can still do the box it just doesn’t have flags
Just pretend it does and you’ll be fine 🙂
Great, thanks. It seemed to be going in a confusing direction and I got worried I was putting my efforts into a WIP kind of situation. 🙂
if you ask some questions, i can help you if you want
the box still has the normal foothold/privesc type deal, it just is lacking flags to prove you've done it
I don't feel stymied yet. I hadn't been paying close enough attention so what I thought was going to be a privesc to root was instead to a non-root account, I assume there's just more steps from there that I need to take
so you already successfully completed the BoF, right?
yeah and then similar BoF on the setuid binary
or maybe that's not even the direction to go in, idk. it stuck out to me so I went for it 😄
do you mind if I PM you
sure
how do I update my level manually?
!verify dm to the bot
is the intro x86 room helpful for learning buffer overflow techniques?
It's designed for RE IIRC
RE is a part of BoF, learning assembly and how functions work
Calling conventions etc
Yeah, it helps a lot to understand Assembly/how machines work if you want to learn BOF
Technically introx86 could teach you assembly, but only as far as you're willing to research into it
Just know though, RE and Assembly is not for the faint of heart.
You probably will give up- and that's kinda normal. Don't be afraid to ask questions if you get stuck or become clueless!
@fleet wedge funny u mention that cus I just gave up on the if statements task lol. I'll have to revisit when I have some more patience to research 😞 still pretty ignorant with assembly
My internet was out today what did I miss I am not sure which room I should have signed up for
Yes that’s correct
@chrome valve can you follow that up?
@crimson jungle Do you have a link to the TryHackCIT discord server?
The resources that were used are all in there
(Including a full recording)
Also, if you go to the TryHackCIT twitch, the VOD of today's broadcast is still there
I think I am on the server right now if I’m not mistaken
Where would I find it
I can message you a link if you'd like?
That would be nice
There you go 🙂
Hi,
I am on my second attempt to gain root on Kenobi and either missing a step or the box isn't playing ball!
I have identified the SUID as /usr/bin/menu
Used echo, chmod, and exported the PATH:
echo /bin/sh > curl | chmod 777 curl | export PATH=/tmp:$PATH
Now this should give me root? Instead this does not escalate my privs.
I think maybe I am not understanding the $PATH correctly, should this be something personal to my machine? (like kenobi's ip)
No, the /tmp:$PATH appends /tmp to the rest of the original $PATH
so /tmp will be a part of $PATH
I'm not familiar with Kenobi but you probably have to do something with the menu file
Ok thanks, so the export PATH=/tmp:$PATH is adding /bin/sh to the path of the user (kenobi not root) allowing root privs?
Currently:
This is the stage I believe it should be escalated
Look at where you put curl and then look at what you’re adding to the path
Is your curl on the path you’ve added?
@elfin lagoon
I'll fire it up again, so should it be something like PATH=/kenobi:$PATH
Great thank you, managed to see where I was going wrong, as I suspected I didn't fully understand the PATH=/<PWD>:$PATH
Thank you both for replies 🙂 won't ping you as not sure if that will annoy you ha
Question on retro box, can't login with xfreerdp /u:wade /p:farzaval /v:10.10.16.176 (gives cert error, and does not work when I click Yes), on msrdp I get a similar error
@elfin lagoon you can always ping me. Glad you got it figured out, do you understand what’s going on better now?
@fierce kettle double check your credentials
http://10.10.38.234/retro/wp-admin/theme-editor.php?file=404.php&theme=twentyseventeen reverse shell is working fine on retro ( the credentials i use are wade / parzival and working there fine )
Look at your rdp command now. Specifically the password you tried to use
Try using something like remmina 🤔
I think so, earlier in the walkthrough i made a dir called kenobiNFS and not /mnt/kenobiNFS so this confused me a little.
But for this section by exporting the path of /bin/sh to kenobi PWD then running the command /usr/bin/menu the system uses /usr/bin/menu privileges? Prob not a good description but ball parkish
Yes, it basically uses the privileges given to menu. Which in this case menu has the SUID bit set so it’s running as root. And since menu is calling curl, menu runs curl as root
But it’s not calling the absolute path and so you prepended that path with your own curl
So then it ran your curl from menu with the SUID, so it ran as root
@elfin lagoon
ah ok, which explains why it wasn't working originally as I was pretending to be someone without root privs
No it wasn’t working originally because the path you were prepending didn’t have your curl in it
So it was still calling the original curl
You made curl in the user's home directory and then you add /tmp to the path
So it looked in tmp, found nothing and moved on to the regular path
right I'm with you, hmm on the successful attempt I used
echo /bin/sh > curl
chmod 777 curl
export PATH=/home/kenobi:$PATH
So now curl can be found in kenobi's path?
It depends where you executed that echo command
If you did it in /home/kenobi then yes
Great makes more sense now, thanks again!
Any time
I am redoing VulnUniversity and getting a weird result on the burp fuzzing part
It says "success" for .phtml extension but also says "not allowed". Any ideas?
What does the request look like?
It looks like you've set up multiple payload positions
so the first one of "Not Allowed" probably put the .phtml in the wrong place.
hmm, you may be right
let me try again
It helps to clear all payload positions, then just manually add in the weird looking $ symbols where the file-name is
That did the trick!
Thanks for the quick reply and for the advice.
No problem!
can someone please give me a nudge with Vulnversity priv escalation?
I don't really know what I should do with the SUID
Have you done the common Linux privesc room?
was looking for a more straight answer about this particular box
No, I can take a look later, but would like to get a nudge on this one 1st
Have you looked at a writeup for the room?
Thanks for reply. I watched the video and it was not clear. He basically uses the exploit to read the flag but does not escalate priv to root
@dense root can you confirm that parzival is the wrong rdp password for wade at retro, because I can still wp-login.php as that user, but rdp, xfreerdp and remmina all fail on connecting with a credssp error.
Unless the room broke in last couple weeks, that password is right
@dense root I think the problem is on the box https://support.microsoft.com/en-us/help/4295591/credssp-encryption-oracle-remediation-error-when-to-rdp-to-azure-vm , this is the error
Can you try xfreerdp and show the exact syntax you’re using please?
I have solved it, thanks for trying to help .. the solution is at https://www.netwoven.com/2018/05/15/solved-credssp-encryption-oracle-remediation/
Nope credssp-encryption-oracle-remediation/ was the solution for me on retro
anyone done Lord of the root?
Yes
just ask your question 🙂
okay cool : D
well
need a little push for root
I see this file script, it doesn't give me any output whatsoever apart from:
./file <input strings> if you run it by itself
but giving it /etc/passwd or any gibberish gives blank outputs
ran ltrace and strace to see if I see anything but it just looks like the actual "file" binary
@noble glacier doesn't that take a little RE if you choose to go down that path?
Pwn to be precise.
oh if theres multiple ways and this one is RE - im definitely looking for the other method lool
If you are just starting out with pwn I don't recommend doing it.
I will never touch RE for many years to come
you should give it a shot
I'll look for another route, this one stuck out like a sore thumb due to the SECRET folder
not on that box, but just in general
RE and pwn are very important
lol nah true you're right - definitely want to learn it at a basic level at least but not anytime soon 🙂
thank u guys for clarification
did new OSCP get rid of bonus from completing lab report
No
does any1 know if lord of the root got locked indefinitely or is just down for some kind of maintenance?
It's been removed, at least for now, probably forever. Rooms don't have maintenance, you don't share instances so there's nothing to do maintenance on
oh ok, I thought maybe the kernel vuln is getting patched so that RE is the only way to root it
at least i downloaded the binaries yesterday and can further try to exploit them
whaaaaat. I was just about to start it sometime soon
It's still available on VulnHub afaik
awesome
Is that before or after mordor?
Hello can anyone please tell me what does 38 hours signify in offensive pentesting learning path and is this path for OSCP preparation?
38 hours is the approximate time that the path will take
And no, it's not specifically for OSCP preparation. It's designed to be versatile and apply to a number of different certs.
Ohkay thank you very much👍:thumbsup:
Hi! Head on over to #general if you just wanna talk 🙂
If you have a specific room related question then for a hint head over to #room-hints for help #room-help
Or if the box is on this path then feel free to ask here
I’m presuming this it to stabilise your shell?
Possibly you can stabilise that way
Have you tried any other stabilisation methods to see if they work?
um i see ippsec and many other doing in this way tried but happens 😶
I always have bad luck with those.
Just usually go with as much functionality as I can get with a regular command shell.
yeah but i tend to control c 😅
If I can't get SSH I usually just go with whatever I have.
um can you link me some because if i see most of the people doing this way
if there's a better way
Okay so
yeah i m waiting 🙃
You’ll have to give me a few minutes can’t remember the link for the life of me 😂
Might try stty raw -echo rather than -ech0 like in your notes.
There are only so many ways to do it.
I've never had much luck with them in a way that wasn't completely annoying in my terminal.
Yeah I literally can’t find the link 😂
^M^M again on pressing enter twice as said in article
Give me an hour once I’m home I’ll @ you and link it
👍
This took forever to find, I couldn’t remember which website it was haha.
All of these are ways to get that initial /bin/bash shell. To follow it up, background the session with CTRL + Z type stty raw -echo then foreground the session and type export TERM=xterm which will then get you all the functionality. As you may have written down
@dire robin
(Make sure when foregrounding the session you hit enter a few times to get the prompt back)
yea, the full commands to run as @covert scarab said. @dire robin
You foregrounded 2x?
you have to
No??
si
I only foreground once then you hit enter twice and the prompt will load
oh i guess the second foreground is me just hitting enter then haha
Haha
fg
Enter
Enter
Enter(one more for good measure)
Unless you’re me and you press it about 8 times
unless you're me and don't stabilize it at all 
Depends on how the day is
Lately I’m too lazy to stabilise I just do with what I got
Sometimes i avoid that whole thing because once session is dead, that window becomes a headache if stty -echoed
Lol
I mean, you can just close that session and open another one
its well worth it imo, cuz you get a fully interactive shell and can just close it when you're done
Hoarder here
@slate reef No invite links.
@spark iron when you're back, probably worth removing the kali room and pointing them to my-machine instead?
Yess good idea:))
alright thanks all
@keen iris what is your machine? is it better to use than the in browser kali one
Skidy also remove the access page connected rowwwwwwww
I think Skidy added a disclaimer, probably hasn't pushed the code yet 🤔
I can confirm the change was made in dev
Hi Everyone!
I started solving CTFs a month ago on different platforms, apart from that I have good knowledge in Web Application Testing. Now I am preparing for OSCP.
I am thinking of going for a tryhackme subscription for the Offensive Pentesting Path.
I need some guidance here
Generally speaking, the pathway is good for preparing.
I think the platform in general is worth the subscription cost if you can afford it. I benefitted greatly from it.
Thanks a lot. Sure I want to try this site.
are any of these rooms windows machines? I'm trying to make a list but don't wanna spoil anything from a writeup
- peak hill
- pepega
- year of the rabbit
- boilerctf
- cmess
if not can anyone suggest some non buffer overflow windows machines? I've done blueprint, hackpark, ice, blaster, anthem, AD, corp, blue, steel mountain, alfred so far
But to answer your question I haven’t done pepega or boiler
But I think the other 3 are Linux
Don’t entirely remember
So I’m doing the offensive path but had to do the burp part real quick. I’m doing burp suite and I get to a step that states “with the burp proxy on submit feedback. Once this is done find the post request in your http history in burp and send it to repeater”
Where is the submit feedback option for burpsuite?
Submit feedback in the webapp
Thanks. It didn’t seem clear to me. Maybe it means I need to head to bed 😂
Slickmmarek a new Windows room is coming on the 20th. I know it's a couple weeks away
21st for yours?
One of those
I really recommend sleep
@keen iris ironic
Sleep is good
Sleep ? What is this thing ?
ironic
@dense root I sleep 8-10 hours a night
😴
🐱
HI i'm a beginner in this domain, I need help !
Thank you very much !
read channel descriptions please 🙂
@dense root Want to be my friend ?
i like friends, so yea ill be your virtual friend. But still please head over to #general
@dense root Okay I understood
@dense root Please accept my friend request !
🙂

@noble glacier assist with your blob no plz
@dense root What is blob ?
You are not so cool !
#general
@keen iris Okay I did it !
#general
@keen iris Please accept my friend request !
I doubt James will accept you if you keep going against his instructions of moving to General.
Okey I obey right now !
Doing the Skynet room. Worked out great till I tried to escalate, anyone I can talk with so as not to spoil things?
hmm.. ofc the moment I say this...
I think I may have found a typo
lol yep
nevermind 😄
anyone pls help me
Hackpark - Task 4 Question 2
nothing from sysinfo fits in answer form. maybe a little hint available for input formatting? thanks in advance
Did you run the enumeration scripts?
sure, 'OS Version' doesn't fit in answer form
What does it say for that?
it says :
OS Version: x.3.xx00 N/A Build xx00
Can someone help me with Retro? I am in privesc but the exploit doesn’t seem to work
Sure @ornate flax Ask your question in #room-help
hi
@keen iris
👀
@past basin Please don't post flags.
@past basin Where did you find that room? It was made private if I recall 🤔
It doesn't show up on hacktivities👀
...is there any other way to join?
So I am doing the burp suite room. I am on task 10. It states to click around till you get a request header that includes “set-cookie”. I’ve clicked on everything and didn’t see this type of request under the proxy/http history tab
You need to be looking at responses
Set-Cookie is a header set in responses, not requests
Thank you for the help.
hi
Hello shub. Do you have a question about a room in the Offensive Pentesting path?
need help related to
OSCP Buffer Overflow Prep
Please be specific about which Room task, and your question in the future when asking. 🙂
Also, keep in mind that it's a brand new room, and we may not have an answer yet..
That said, what is the issue you're having?
its about the room "oscp buffer overflow prep" in overflow1 its about the bad characters
Ok. What about them?
What is wrong?
the bad characters i am getting are not the flags
i mean to say ans
can i tell you the bad characters i am getting ?
just want to verify whether I am wrong or right
i am new
Can you take a screenshot of the dump?
I can take a look, otherwise I have to spawn the machine and do it myself.
Can you take a screenshot of the dump, not the way the room has you do it?
You will have to right click on ESP in the Registers in Immunity Debugger, and select Follow in Dump.
yes
Ok, I figured it out with the above.
I really don't like that method.
Whatever the room has you doing with that mona module, it spits out a correct bad character, and an incorrect one. The hint says that bad characters affect the next byte as well, so the tool responds with the correct bad character, followed by one that isn't bad.
So in this case, the correct answer is \x00\x07\x2e\xa0
\x00 is always considered a bad character. The next three are correct, while the ones that come after each one respectively are incorrect.
I don't like that way. I would consider both of them bad characters.
thanks
y I did the same
ya
but in dump 07 and 08 ?
is 0A and 0D
ok I will try thanks
So I had to use all of those bad characters in order to get the payload to work and get a shell.
That said, it worked without the entire string of bad characters as well.
trying to do Daily Bugle, and I download and run joomblah.py to try and get credentials and I run into this error, any tips?
I'm downloading the same file everyone else is using in write-ups and videos...
@dense root oh my gosh thank you!
Oh my lawdy you’re welcome 😉
Hi, can someone recommend the next path after Complete Beginner? Can we start with Offensive Pentesting?
Just wanted to know if there are some other rooms recommended before I start with this path
ok. thanks
Hi, Im doing "Kenobi" Room.
I have queries on the privilege escalation portion. Why is it that when "/usr/bin/menu" was run, it will look for the curl binary we created in the tmp folder? Shouldn't it look for the menu binary instead? Can anyone help me understand the logic behind this?
When you run /usr/bin/menu it gives three options. I’m sure that two of those options use curl to get information that you have requested by selecting a number.
All this is done as root so what you are doing is creating a file named curl with your netcat reverse shell in it. When you run the /usr/bin/menu file a second time, the file is finding your fake “curl” binary and is running whatever is inside as root. This then sends you the reverse shell for privilege escalation.
@arctic raptor
@covert scarab Many thanks for the clear explanation. I appreciate it very much. :))
Rooms path to OSCP? Guys? There's some recommendation? I have this one
Have you checked the Offensive Pentesting Path?
Bunch of stuff on there for THM, and what helped me.
Alfred isn't on my list, but it's a good one.
I have a couple rooms coming in the near future as well geared specifically for eCPPT/OSCP prep. And Tib3rius just released a BoF room.
@bright oxide I'd recommend Tib and TCM's privesc rooms, as walkthroughs
Definitely.
Nice!!! Thank you guys! 🙂
Welcome. Best of luck. 🙂
Have you checked the Offensive Pentesting Path?
@keen iris Not really, but it's one of my goals 🙂
@rancid vine what does VHL mean, vulnhub?
Virtual hacking lands
Virtual Hacking Labs
virtual hacking land. Love it.
Virtual Hacking Land seems like a cool place TBH
Yes it’s a great land
A little expensive 😅
It is. But if you can afford it it is worth it.
Compared to THM or HTB
anyone have issues with Retro? Tried coming in from two different VPNs, nmap finding no open ports (even with -p-). Resorted to looking at a writeup, open ports should have shown up from the basic initial nmap scan.
n/m let the box sit for about 15 mins, could get to it then.
What do you mean by two different VPNs?
@sterile peak There's only one VPN you can use. It needs to be the tryhackme VPN.
I think he means different configs
Yea, can come in via US VPN, or Europe. I find some boxes just don't work right, so you have to try both.
So far retro has just been an unstable pos.
That's not something that other people struggle with, now that the VPN routing issue is fixed. Retro isn't reported to be unstable, other than potentially dying after an hour like other windows machines sometimes do
I'd recommend running the troubleshooting script
@keen iris Apologies for the ignorance. What/where can I find that script?
n/m, just pulled the source code from github. That's a bit of "am I an idiot".
does anyone else keep a list evaluating comfort level for each OSCP objective? its really helping me pinpoint my weak areas
So, I've worked my way through the 8 default rooms. I've then moved on to the Learning Path entitled "Offensive Pentesting" and I was doing great until I hit Gatekeeper.
Having taken this path, I was particularly alarmed that I was at a TOTAL loss on how to approach the room once I had the executable. I mean, literally, a dead stop.
Is this worrying, or should I simply divert at this stage to another learning path? (The path does warn that if you're struggling with "basic reverse engineering concepts" then you ought to divert, but I'm so blind I don't even know if that's my issue.)
Grateful for any help.
It's a buffer overflow
Right. So, my learning path so far has taken me nowhere near this. Just a little concerned, that's all. Is the sensible thing to do to divert my learning at this stage?
To go learn buffer overflow in order to complete a buffer overflow? Sounds sensible to me
Yeah, fair enough. I was just wondering whether or not it was expected knowledge given the path I'd already taken. My question was more of a sanity check than anything. Cheers!
You can use my writeup for the room as well.
Linux privesc: This one looks up scanned SUIDs in gtfobins. https://github.com/Anon-Exploiter/SUID3NUM
If anyone knows other time-savers for the privesc checklist, please share. 🙂
It has an auto-pwn flag if I recall, wouldn't recommend it for OSCP, might disqualify you since tools that automatically pwn aren't allowed
Though you could simply not use the flag, why risk it? 🤔
Though this is now the offensive pentesting path so 🤷
@noble glacier Good point. I just do this as a hobby though. 🙂
hi
Lol
s
taking the PATH now. prepare for oscp.
wanna ask a question about how long it will take to get the certificate? generally speaking
sorry didn't make it clear
i meant the time before buying the PWK entry.
the time spent on THM or htb
100hrs, 200hrs?
hard to say, it all depends on your initial skill level. I have not taken the OSCP myself but have close friends who have both succeeded and failed and they are very clear that it is all about how well you structure your routines and if you are good at spotting rabbitholes and moving on.
I would definitely try to get to a level where you can nail 2-3 boxes on HTB on a daily basis before going for the OSCP. On that path remember that there are some really good pentest certs out there which benefit your path greatly.
I did 99% of OSCP and spent a good amount of time. I'd say around 120 hours maybe? I started from a good understanding.
I'd suggest trying something like eJPT first to make sure you've got your chops up. If you're confident and blasting THM medium/hard rooms and can do the same on HTB (maybe just medium boxes on there). Maybe u could go straight to OSCP
Hard to give an hour count, everyone comes into PWK with a different background/understanding even if they may have sunk the same amount of hours specifically prepping for OSCP.
Just go through the prepping resources like the offensive pentesting path, checking the PWK syllabus every now and then to see how comfortable you are with some of the topics.
You also don't have to understand everything in the syllabus to sign up (it's an entry-level course designed to teach you that stuff after all). ie: watch out for overprepping
I spent around three months preparing, but I took a different path and not the Offensive Security way. I didn't utilize the PWK or their lab environment, and instead chose to use a ton of TryHackMe, Virtual Hacking Labs, and CSL.
Why in the Offensive Pentesting Path are there so many Windows machines and very few Linux machines?
Because typically Windows is harder for people
That's true for sure. When I started on the path, solving Windows machines felt hard, and as I went on it kept getting easier and more interesting too.
We have another Linux machine coming this week.
Should actually be two being added to the path.
@toxic mirage Real environments are about 90% windows anyways, and most of that being AD focused too.
That depends though. What about corporate environments? Doesn’t Linux see more usage there? Especially for servers? Or is it overwhelmingly Windows dominated?
cool, thanks guys
I work at a massive company and most of our servers are linux, just sayin'
windows is mostly used for end user computing (desktops...)
Excellent guys. TryHackMe just upgraded the Offensive Pentesting Path with some more content and tasks.
Shh, it's a secret. 😛
I just realized an hour ago while training hahaha
I've been working with Skidy to revamp and update the path. Two additional rooms that release this Friday will also be added.
for the OSCP prep BOF room. I'm trying to get the "oscp" program to move onto the second buffer overflow, but it never changes. I nc to the host and type "OVERFLOW2 test" but it remains on overflow 1's offset. What am I doing wrong?
Nice. You just finished the OSCP too didn’t you Mayor?
Yea about a month ago.
Is there a new machine on this path?
There are a couple, and more to come later this week.
I'm prepping for OSCP. Testing in December. Signed up woefully unprepared man.
THM is helping a lot though. Dunno if I'll pass on the first try, but it is what it is. I'll learn something from it either way.
Check the pinned messages for my prep list.
I also wrote that as well if you want to check it out.
And remember, don't force yourself into it. Take your time and do it when you're ready!
Thanks 🙂
good article, thanks for sharing
currently preparing with VirtualBox. Is it necessary to switch to VMware Player for the future exam?
👀
No I don't believe so. They won't provide tech support if you are using VirtualBox.
But you can use it. I intend on using it.
for Steel Mountain, I have everything complete except the question "What Powershell -c Command could we run to manually find out the service name". It's extremely vague and I have googled the hell out of it, any leads?..
You need a powershell verb that will get services
Get-Service cmdlet
but its answer format is *********** ** *************
well that didn't work ^ but it needs more than that, I have googled so hard and nothing really answers this super vague question.
Zero Idea.
99% done with this box but I have googled so hard for this last question and I don't find a good way to find this answer out
*Format is "powershell -c "command here"*
...
Get-Service has to be run from PowerShell, it won't work from CMD
So you're running it with powershell -c
I disagree, but OK
How to decrypt BCRYPT password?
I believe hashcat has a feature https://hashcat.net/wiki/doku.php?id=example_hashes
So does john the ripper
@sterile elk Just FYI, bcrypt is a hard password hash to crack (NOT decrypt, different meanings, you can’t decrypt a hash). The hashing algorithm is slow, making it take longer to attempt each iteration when cracking.
It can be quite fast with a low round count
But it's designed to be about the same speed on CPUs or GPUs so that it's harder to crack
@keen iris good point 👍
There's a nice room on this, made by a great content creator. I think his name is "NinjaJc01" or something
👀
About the Game Zone room in the OSCP path: it feels like some of the tools, like SQLmap, have already been banned.
Offensive Pentesting isn't just an OSCP prep path.
That's why tools like SQLmap are used and permitted. 🙂
good to know, thanks
Although, I hope there is a path for OSCP only. That'll make it easier 🍻
You can always choose to follow the restrictions
yeah, but that'll take you more time to recognize which tool is restricted
Most of the rooms give you the opportunity to do it both with and without metasploit.
@lament nacelle you should get familiar with the list now
Not a long list
It's easy to understand which tools you can't use in the exam and you can prevent yourself from using in the offensive path: commercial vuln scanners (Nessus), auto exploit tools (sqlmap), metasploit (besides multihandler)
Probably good practice to not touch them by accident too 😉
I just revamped the path so that it's more up to date and aligned a bit more with some of those things. Two brand new rooms that I made, Relevant and Internal, will be added to the path very soon as well.
But as Ninja said, it's really a good idea for you to find those restrictions and base your plan of action on them.
thank you guys, i'll find a list
Hello, can anybody recommend me a preparation path for eCPPT?
I have heard there are some differences between OSCP and eCPPT. For example the pivoting part.
I think the offensive path is a good place to start; after that, moving on to a course like Throwback will teach more advanced techniques and methodology. I would then complete boxes from TJnull's list and practice your report writing with the boxes as you complete them.
It's the Mayor Null list now 😛
Hey, I didn't know TJnull's path was updated, nice!
Thanks!
found a little more updated version 🙂
There's so many lists and crap out there I don't even know anymore
Well, it wasn't until I started reviewing OSCP that THM was added to the list. 🙂 So it's been diversified beyond the TJNull HTB stuff. Which I think is vital to learning.
Agreed. The truth imo is people have to find out for them self what suits them the best. Platform, learning style etc.
any order for those paths or is it from top to bottom, left to right?
I only did the VHL, TryHackMe and CyberSecLabs stuff.
I didn't do any HTB or Vulnhub.
I also didn't use the PWK labs.
passed both VHL certs, it was excellent 🙂 tryharder Labs
Yea I really enjoyed VHL
anybody did overflow 7? wanted to chat a bit about it
Is this specific to that overflow or a general bof question?
If the latter I can help
If the former I haven’t done that specific one yet
in OSCP BOF Prep - OVERFLOW5: the bad_chars form doesn't accept the right answer (it's right because I got a reverse shell using them)
maybe there is some bug here?
You can put extra bad chars when creating your reverse shell payload and it’ll still work
It doesn’t necessarily mean they’re all bad
understand, thanks
Hey 🙂 Where did some of you guys find a pre-compiled version of 'PrintSpoofer.exe'? Can't find it anywhere and compiling it myself gives me some errors
I have it in there.
Thank you very much 👍
🙂
In SMB, what is the IPC$ share? On the net it shows it's used for RPC. I have connected to the IPC$ share, but how do I make RPC calls from there? Can anybody explain? Thank you
You just asked this in the TCM discord and someone was kind enough to answer you
Please check their response
The Relevant room was one for the books! I was able to download the binary from Mayor's GitHub and find the flags but hit a wall trying to learn how to compile the exploit on my Kali box, and other exploits such as Juicy Potato. Can an exploit like PrintSpoofer (https://github.com/itm4n/PrintSpoofer/tree/master/PrintSpoofer) be compiled using Kali or is a Windows environment required? I read through a few guides and attempted to compile using different tools such as mingw32, wine, and g++ but continue to receive the same error below.
PrintSpoofer.cpp:3:10: fatal error: Windows.h: No such file or directory
3 | #include <Windows.h>
| ^~~~~~~~~~~
compilation terminated.
it probably requires Windows-only libraries/headers which probably aren't distributed because of legal reasons, but I might be wrong
Hi all, I am stuck on privesc in Internal - if anyone could give me a nudge, I'd be very grateful
heya, what have you discovered or tried so far? @willow sand
oh, on Internal, jk I haven't done that; you can still answer that and someone who has done it can answer you
Can DM me for help if you’d like.
Senpai, have you tried using wpscan to fingerprint the version?
We got it sorted out. It's not something wpscan could assist with.
sounds good
Relevant sorry
So I was able to build the package in Visual Studio on a Win10 64-bit box, and it works flawlessly, but the binary doesn't appear to like Server 2016 :/... Is there a trick to compile this bad boy?
when I say doesn't like, I mean it doesn't do anything 😮
tried both x86 and x64. maybe I'm missing something
I'm referring to the Impersonate PE vector
I take back the questions. I'm going to build it in a 2016 env... Didn't realize the evaluation OS exists. Try this again
You can grab it in my repos here https://github.com/dievus
check check. Appreciate it. I'm going to figure out how to compile this anyway. Thanks!
guys, is the Brainstorm room still unstable and broken?
I got my exploit working locally, but not on the remote machine
yes
sometimes it works, sometimes it doesn't
just try it a bunch of times; if it doesn't work, reboot the box; if it still doesn't work, chalk it up to the box being borked
woot!
@rancid vine Is Threader3000 supposed to find the high port on the 'Relevant' box ?
@viral scroll it should since it loops through all ports
Anyone use a stand-alone version of incognito, or does it only work through meterpreter?
You can use the executable version.
https://github.com/FSecureLABS/incognito the binary got removed or I can't find it. So I downloaded the files from GitHub, but when I opened it in Visual Studio it found nothing to compile.
One Token To Rule Them All https://labs.mwrinfosecurity.com/blog/incognito-v2-0-released/ - FSecureLABS/incognito
Might work
ok thanks! will try that
is there a way to reset the completed learning paths?
not at the moment
Got a 3-month gift card for this one 🙂
off-topic question: is llmnr poisoning allowed in oscp exam?
You cannot use any of the following on the exam:
Spoofing (IP, ARP, DNS, NBNS, etc)
Commercial tools or services (Metasploit Pro, Burp Pro, etc.)
Automatic exploitation tools (e.g. db_autopwn, browser_autopwn, SQLmap, SQLninja etc.)
Mass vulnerability scanners (e.g. Nessus, NeXpose, OpenVAS, Canvas, Core Impact, SAINT, etc.)
Features in other tools that utilize either forbidden or restricted exam limitations
i think llmnr falls under the first one
I think this is the right place to ask but, if it isn't, sorry, I'm new to the server. So, I've just started looking into some web penetration testing and I have a question: What is the difference between a directory bruteforce, a DNS bruteforce and a vhost bruteforce? I used to use dirbuster in my attempts but I switched to gobuster recently and I saw these new things in the help menu. I'm afraid of forgetting to look for something during recon since I didn't even know there was a distinction between DNS, directory and vhost bruteforce. Thanks in advance
Do you know what a VHOST is?
Do you know what DNS is?
Do you understand the concept of directories on a webserver?
Those are questions you should find answers to. Learn the absolute basics about those topics, then the difference should be very clear to you.
I thought I had a grasp of DNS but reading this made me think maybe I don't kkkk, okok I'm gonna look it up and find the magic
can you guys recommend me some good courses/sites/thm boxes about buffer overflow? thanks in advance
Brainpan, brainstorm, gatekeeper, Buffer overflow prep @fleet wedge
The Offensive Pentesting path has several of these.
The Buffer Overflow Prep room really helped me out on BOFs, I completed that room the other day and have since completed Brainpan, Gatekeeper, and Brainstorm. Would highly recommend it.
I'm trying Steel Mountain. Both the Metasploit and Python exploits don't work. Is there anyone I can reach out to?
Someone ghost pinging me?
speaking of the offensive pentesting path buffer overflow lab, the first one... is anyone running into an issue with the first fuzzing script?
@hexed solstice what kind of issue?
as for me it was an issue with Python version I used to execute script. It should be just python not python3.
I didn't check to see if python 1 was installed, but running just python still had the issue
it would immediately hit the exception
I didn't check which version, but running python or python3 didn't work. It hit the overflow string and failed; it ended up being a type error. I had to convert it to bytes
bobloblaaw helped me
There was a beautiful VOD on Twitch by the room creator, but it was deleted; today I can't find it :(
It helped me a lot a week ago
ah, that's alright.
@dense root How does that even go in #thm-community-media? 
🤷♂️
Streams, videos, blog posts, etc of TryHackMe content
man idk
!rule 15
Rule 15: Please leave any disciplinary measures to the discord staff (Trial Mods, Mods, and Admins). This is also known as no 'mini-modding'. If something is happening, please just let the staff know and we can take care of it <3
😛
lmao
Nothing EC-Council should ever be equated to pentesting.
Anyone having trouble downloading JuicyPotato?
every time I download it from GitHub it results in zero bytes being downloaded
I'm assuming it's a firewall/AV, but I'm in my VM; could my host AV be affecting the DL?
got around the problem
It isn't an OSCP path, however it would certainly help with that exam.
The Offensive Pentesting path on the platform requires a subscription. Do you have a subscription to TryHackMe?
So then you can enroll in the offensive pen testing path and follow the room order given 🙂
Keep going on the path?
So, I am not sure if this room fits my question, but as the paths are somewhat guided(?) I thought that I could try asking my beginner question here.
Just trying to wrap my head around reverse shells. I get the concept but... aren't these quite dangerous for the 'attacker' himself? Like, I guess someone could do a reverse-reverse shell (with NAT drawbacks and stuff)? That's probably a thing I don't want to have in a KotH room?
I'm sure there's rules against doing that in Koth
Yeah, I guess so, but just wondering, the thing is a thing, right? 😄
Could be a threat in the wild as a honeypot too?
I mean I know you can mess with other shells but I'm not 200% sure. I'll do some research and get back to you on that
Thanks! Probably don't even need to mess with the shell but maybe just the active connection?
I mean, for them to spawn a reverse shell they would most likely need execution of some sort, having the active connection may be useless. On top of that the attacker would probably use some sort of encrypted connection, so getting a reverse connection (if possible) may be a tough one.
Hmm, I see - going to look that up though. Netcat is unencrypted and used pretty often for that, so I guess that would make it possible to just write to the connection file? Interesting stuff anyway
@sacred depot you're just listening for a raw TCP connection, an attacker won't be able to run commands on that
They can write to your listener sure
But no RCE
@keen iris Thanks for the info!
watch out with TCP scanning guys, your IP will be reported very fast on the abuseip web.... you can use a VPN but still haha
oow tcp connection
ooowwww oke heheh
huh?
Masscan go brrrr
scan 8.8.8.8 'for fun'
nooooooo
I have a question: I'm working on Steel Mountain and am stuck on the final step to become root. My reverse shell is not keeping a stable connection for some reason; I've tried a few variants on my payload and ports and nothing is working. I get a connection, but it immediately fails
What payload?
msfvenom windows/shell/reverse_tcp
And how are you listening for it? @normal saddle
nc -lvnp
Try using multi handler with the payload set correctly
Command shell works as well. But may want to consider an unstaged payload if the staged one isn't working.
You need a multi/handler listener for staged shells for sure
Good habit to get in to, as well as checking for differences in architecture.
You can use Netcat with unstaged payloads.
unstaged payload worked, thank you
Has anyone experienced this error with the gatekeeper binary when opening it with Immunity? I can open chatserver from the THM Brainstorm room without errors
also used this method in addition to mget via the share to transfer the file. Same error
@dense root thanks man, that helps
No problem 🙂
Yep, this is a Visual C issue. Glad you got it sorted.
problem resolved!
@terse herald
Rule 9: No discussion of illegal topics or actions.
Well that escalated quickly.
ah I missed the banned convo
@inner lake Again, final warning. Do not post random discord invite links.
@bronze zenith Looks like spooky warned them here as well, guess it's 3 invite links now
I need a sub to access the other offsec path rooms 😂 those free rooms are interesting, I learned a lot from them
Hi guys, do you think that doing this Offensive path and eCPPT is enough to begin the OSCP certification? And if it is enough, how many months of lab would you buy?
I would also do VHL labs
I know that this could be more personal but in General
@terse perch is this really necessary, or are HTB labs better?
Yes, it is more in line with the PWK/OSCP environment....and there is a really great Discord community for it. @rancid vine had recommended it a couple months back, so I gave it a try...and it is definitely worth the $99 for a month.
VHL is leaps and bounds better than HTB
But it's also more expensive.
This path and the eCPPT are a good start. I wouldn't expect to get much better prepared using the PWK labs and manual.
Best way to prepare for that exam, at least in my opinion, is to immerse yourself in as many practical environments as you can. HTB isn't that. So you're left with THM, CyberSecLabs, and VHL.
I am half way through VHL...and I wish I had done it so much earlier in my OSCP process...I have the OSCP scheduled for October 2nd...so I am trying to get through VHL as fast as possible
Hindsight suggests I should have wasted a month's worth of money on PWK rather than 3, and just spent 45 days before hand doing VHL.
Would have saved money in the long run.
FWIW...I still highly recommend HTB. I think it is important to get exposure to as many scenarios as possible. Going through Ippsec's videos early on for as many videos as possible was really important for me.
Maybe I'll take a look at VHL for a month and try to get through all that I can
What is VHL labs ?
Hi folks
I have failed in my first attempt at the OSCP certification
A different company with real world focused labs
Even doing the entire Offensive Pentesting
I have failed, I think, because now the exam tests much more misconfigurations on services/apps
And I was focused on CVE searching
What kind of rooms do you recommend?
Sorry to hear about the failure. Oftentimes people get really lucky with easier boxes, or really hard boxes that are next to impossible to solve.
I'm still convinced the RNG is a conspiracy to get more money out of people via retakes
Exam is 80% or more enumeration, 19% time management, and 1% actual exploitation.
I agree Ninja. Or some off the wall poor way to grab user metrics.
snhbyt3, my best advice is to immerse yourself in as many labs as you possibly can.
It is a very sad failure after many days of study
Stay practical for the most part. TryHackMe and CyberSecLabs do a good job of that.
VirtualHackingLabs is good if you can afford it.
The path is good
The 10 a month for the THM sub is worth it to get access to the path I think. I helped revamp it recently and bring in some more practical labs.
Thanks BRO !!!
Yeah I did VHL labs too
Finished the Offensive Path, it was very useful!
did not know about VHL labs and CyberSecLabs, I guess I will give them a try too 🙂
my own VM
Oh i was wondering if you could do that
I've got Kali on WSL2 so might try that, won't always lose my settings that way
🙂
This is not necessarily the place for that; however, I have not heard a lot of good things about it. The only thing I could see being a redeeming factor for it is retired OSCP boxes
You're right
Yes, I guess that the best factor is the retired machines
thx for your answer
Hi there, would someone help me understand a "feature" of hydra 🙂 ?
I did the room "Terminator" and did succeed in finding the required login / password
However, when I try to bruteforce (with the correct login and a short list containing the correct password), I do not succeed in finding the correct login / password
I think I might be using incorrect syntax or there is a bug. But I did read the documentation and did some research without any success
@keen iris do you want some screenshot / details ?
yup
Can I see your command? For SquirrelMail, people normally send the data to the wrong place
I can link you to a convo on it from the other day if that's the issue
Probably your success condition
I'd change it to a failure condition, because that tends to work better
Can I see your captured request real quick?
through Burp?
Or browser devtools
is that enough @keen iris ?
Yeah I'm puzzled
My syntax is kinda correct !?
I did RTFM and tried different syntaxes without success
Hydra is... weird for web
Oh! good to know
It is indeed not the first time I have had trouble with hydra on web
Thanks for the help anyway 😉 didn't know ZAP, will learn this new tool
There's a room on it
Can anyone please point me in a direction where I can effectively learn how to use msf. Am having challenges figuring out which exploit to use and payload. Thank you
Thank you very much
Hi, would someone mind explaining something about OWASP ZAP to me?
Can try.
I launched a forced browse, I moved around in different menus
and the scan disappeared
I know it's still running thanks to the information above, but when I select the tab no results are shown anymore
I would like to follow the scan but don't know where it went
Try pressing the play button?
Hmmm. scan finished apparently, I launched a second one.
Explored different sites in the context menu. The scan disappears and reappears normally. 😕
Maybe I stumbled into some bug, or a more realistic explanation is that I don't know how to properly use the tool yet 🙂 thanks for your help @rancid vine
You’re welcome.
?
the hidden wiki lol
You're going to need to be more specific.
What hidden wiki
If you've come here to ask about the dark web you're in the wrong place
@grim pendant
Go ask people who use the dark web.............................
ok sorry
Cuz a lot of them are illegal so people take them down. They're not all removed, you're just looking in the wrong places @weary pecan
this never happened before this much tho
Idk what to tell you I have no authority over the dark web lol I’m just answering your question
How can you get invited to eLearnSecurity for Pentest Student?
That's not really a question for this channel. Best to ask that sort of thing in #general. But you can find the link here. https://www.ethicalhacker.net/
Hey, just got the subscription, and want to get started on a pentesting path. On the THM subreddit I found this path that bee posted. Which one would you recommend I take, the one on site, or the one from bee?
@grim pendant
https://blog.tryhackme.com/going-from-zero-to-hero/ this is the post he made about it in case the writing is too small on the picture
Yeah I’m sure bee just linked it
Yes definitely
ok cool, thank you
I’ll try making an updated one if I get time and throw it on the subreddit
sounds good. Ill get working on the one on site. Thank you for the help.
Yes for sure!
The paths from sub are better than anything I could make
Since they feature better rooms and are kept more up to date
I’m posting an article soon for a free path for people, but in the article i talk about how subscribing is better than anything i could make too 😛
I need an analysis / network admin / reverse engineer / digital forensics help
like I installed an obvious "do not install, this will fuck your shit up" malwared-out hacked new high-end video game title and didn't do anything to it for about 6 months, when my laptop was getting to where it could have hurt its hardware and I started to look at everything
and its been a nightmare
like I've done resets across multiple devices so many times
like I have the most crazy looking .pcap files
other wifis in the area have duplicates running in the range of my pc
it's fucked
like this has got to be some real deal hardcore pwnage
like I'm so pwned. my router login page is now gone. I discovered that it had custom JavaScript loaded into it and has 3 wifi IDs associated with it
sorry for the spam I love you all! I've spent a year trying to figure this out
Wrong place but you need to wipe everything clean
Is someone else having issues with the last Kali update? (in VirtualBox)
I am struggling too
anyone having this same issue?
@devout plinth Nope i don't
check #announcements
aiit thanks mate
@modest hatch yes I had the same issue too
Yeah
I think TryHackMe is under a botnet attack
What makes you think that because they're definitely not
Just a query
The IP address doesn't redirect to the website
any ideas why?
@grave lion can you look into it?
I'm not a mod and #site-support is the place to ask for any THM related technical issues
@grave lion Nothing related to THM just asking
Wait what are you trying to connect to?
just a website
Nevermind
80% certain Kernal wasn't on VPN lmao
Good afternoon everyone. I'm on the buffer overflow prep section and I'm struggling with the syntax on the bad characters in mona. The instructions advise to update the !mona bytearray with the list of characters, however I can't figure out proper syntax for more than 1 bad character at a time. Can anyone advise?
And I might have just figured it out.
@merry crater Backslash.
@merry crater just add the remaining bad chars in quotes "\x00\x07\x08....so on"
Kali
aight
I use Manjaro which is an Arch based distro but there’s no harm in checking out different systems to see which one you like best
I used Ubuntu before, then installed only the tools that I need
I didn't like Ubuntu's interface so I used Xubuntu