#quiet-conversation
some mitre framework that can be used as an alternative to nist risk management framework
Would someone be able to help me with autopsy? I'm having some trouble viewing registry hives. These here that I found have a size of zero.
I feel like its really simple and I am a simpleton
Go up a dir
Oh. My. God. Thank you. I just wasted like 13 hours of research and pain because of a directory.
Gave +1 Rep to @burnt night
Ha, glad I could help. I was just doing this the other day on a real Windows machine
the number of times I've sat scratching my head as to why I cant find what I'm looking for and all I had to do was cd ..
How often are wireless attacks being done on a pentest?
Depends on the scope, but I would say most (90%+) are non wireless testing in my experience (typically targeting the website or imitating an inside actor via VPN or RDP).
Though I would still expend the effort to learn at least the Aircrack suite of tools and how the WPA/WPA2/WPA3 handshake works. If you want to get really into it, you can use the Scapy library inside of Python. David Bombal really preaches about Scapy a lot on YouTube
i can not open an ip which is in hackme what could be the problem is anybody here to help
I have question about job!
Can I become a penetration tester without learning Windows? I am asking this because tryhackme has a windows course path, I am only a linux user, windows is very uncomfortable for me. Should I learn windows to become a Penetration tester?
I want to skip windows courses is it true or not? Can someone give me advice?!
you need to learn windows
A lot of companies use Active Directory which is also Windows
Unless you want to specifically be an application security tester which does APIs, web & mobile apps, etc.
Channel that discomfort into wanting to hack Windows boxes! I think a lot of people prefer Linux to Windows when it comes to hacking, but just on market share you need to know Windows.
I mean, if you want to go exclusively into webapp testing then you might be able to get away with it, mostly. Assuming the job description doesn't require understanding of a broad range of fundamentals.
Any kind of infrastructure testing, not on your life lmao
Hey guys hope everyone is having fun
This is good advice : )
but getting a job as an app only tester without previous pentesting experience?
i have not seen any, at least in the uk
all (that i've seen) junior positions require both app and inf
Yeah, that
We're overwhelmingly app but you're expected to know both
It's probably a 70:30 split
Hello. Random question. For garage door openers that have WiFi or smart link, how secure are they? I need to upgrade a really old one, but was thinking about how someone could hack it and open it. Thoughts?
A lot of things can be hacked, but targeting your garage door, well, there is a low probability, but you should look for information about the model and the software to upgrade security. I don't know if there is someone specialized in that here but I give you my opinion :c
Nothing, seriously nothing, on any site, can prepare you for the frustrations that await you when working with a client irl.
We're doing a pentest for a client and on top of them changing the assignment mid-way through (we're week 2 of 3 and they changed it completely yesterday), the system we're supposed to test is not complete at all (release should be in a week or so) and has ceased to work completely this afternoon.
We were supposed to test an API, but they're now having us test their IAM with a list of provided methods for each endpoint, but half of them don't work for the roles we should be testing. So we're basically trying to build their API requests for them to be able to test them in the first place. Test results are not reproducible, changing randomly.
Creating a role/account takes about 5 minutes of manual labor of their security admin, with which we are in an all-day long call.
Now this afternoon the system just stopped working. Nobody can log in. Access roles have been disabled with no trace in the logs.
They brought one of the third party backend developers/hosts into the call, but they can't even see us in their logs.
The worst imo was when the project manager dropped the line "I recognize this behavior, we have this in production all the time"...
Thanks. I've found a couple of ideas to make one more secure.
Gave +1 Rep to @real chasm
Some are really poor, some will likely be good. there's a few organizations out there that review security for IoT devices
Alright, thanks
Gave +1 Rep to @burnt night
@little kernel One of the biggest things I'd say as well as worrying about confidentiality is watch out if it depends on a cloud service.
Consider what would happen if that cloud service was to disappear overnight, IoT companies go bust and usually leave their customers in the dark
Yeah, the last sentence isn't an if. It's a when
Alright, thanks
Man that sounds tuff
@little kernel NIST has a lot of free publications for IOT related guidelines and recommendations.
Thank you
Gave +1 Rep to @spark sun
On gitlab you get a token for a specific ci run that can serve as proper authentication for the registry of the same repo. https://docs.gitlab.com/ee/ci/jobs/ci_job_token.html for https://docs.gitlab.com/ee/user/packages/container_registry/authenticate_with_container_registry.html uploading to a registry in a CI. Is there an alternative for GitHub?
https://github.com/docker/login-action
is our current solution
ola
Upgraded my homelab from qemu/kvm + virt-manager just living on my old Linux install on a laptop to... Proxmox running on the same laptop lol.
Nice improvement though, Proxmox does have a vSphere like feature set. I honestly would have gone ESXi if my NIC was supported though
Anyone interested in forming a team for CS50x Puzzle Day? https://cs50.ly/register
Hey all
@coarse knot Please interact with the community before posting your blog.
Hi today I came across a terminology "accelerated system sleep call" does anyone have any idea what it is about.
a
I despise Gen-Eds with such a passion that I'm about to drop out of my Bachelors and just go full blown focus on OSCP and hope that will compensate
Like why is my Bachelors dependent on whether or not I can memorize all the rivers, mountain ranges, and GDP in Eurasia. I hate it here man.
It won't compensate
Operating system feature that saves the current state of your system and goes to sleep / low power mode. Different from a regular sleep call as it prioritizes speed over other things
Gen-Eds are there to make you a more well rounded, productive, person. They are important, even if you don't enjoy them.
Pain
It does not. Also, the gen-ed electives will end up being the most valuable part of your degree, long term.
Yeah, I've been putting them off and now I have 7 weeks to finish 3 Gen Ed courses
About to start handwriting all these things.
I have mixed feelings....with the way gen ed classes are taught, at least in the US, it hardly does any good. That's my main issue with it. As someone who's been in university on and off for 10 years, I can count on one hand the amount of professors that helped a subject stick.....I will say though, I think it should be a requirement to deep dive into ancient rome. Crazy how it mirrors the modern day. Eek.
yes
English only in this server please
Message above will self destruct in 10 secs ^
im a rookie, how can start to learn hacking?
well we all start somewhere... to start shadow would like to point you towards #start-here and then doing the paths on https://tryhackme.com/
thanks buddy
Hey
You need to verify if you want us to see your gifs
!docs verify
sorry.
You'd think living in a capital city would result in a nice little job pool to pick from, but from what I'm looking at right now, I might as well have been living in the backcountry
Welcome to that journey mate
Hello All, Im new and look forward to meeting other security techies!
welcome
because.
Hi and Welcome.
I was asked by a site owner to test his site against DDos attacks and calculate how long his site can survive before it goes down.
What are the most powerful tools or scripts to do this? I don't have a good background about this type of attacks.
@odd acorn
That is a complete

Oh I didn't finish my message
That is a complete lie @maiden hinge
And if it's not, I seriously question your ethics
Love!
I mean there are legit tools and uses, but this does look pretty suspect
And you'll usually not want to ddos
Hi, I am contracted by bank to hack them, give me credit card
I'm agreeing with you, though saying load testing is a thing
They usually wouldn't contract someone who doesn't know how to do it, and in all honesty it is highly unlikely that they would be contracted to do any load testing
True for the first part, they'll contract for anything tbh
The user maybe, but websites unlikely
You'd be surprised
I mean, consulting is still a thing
I mean my favourite tool will take down our dev environment with 12 simultaneous users
I was asked to reproduce a scenario that apparently only occurred under load, and at that, randomly
Never saw that problem again until 5 years later in a different subsystem
Where it was repeatable, and again mysteriously disappeared
Nah, stress testing isn't an infrequent request for a new environment
Although yes, the contracting a non-professional is a l'il bit sus
But usually stress testing isn't farmed out to someone without a background in systems engineering.
or SRE
Yes, quite.
I'm trying to set this trilium widget up but I'm having trouble "attaching'' highlight.js - what do they mean by attach? https://github.com/antoniotejada/Trilium-SyntaxHighlightWidget/blob/main/SyntaxHighlightWidget.js
I just realised there's a trilium thread! I'll post there
https://usebottles.com
Wine alternative?
Run Windows programs on Linux.
Looks like flatpak with extra steps
My friday.
lol
hii.
that's my impression of it too. I also wonder, does that actually include a windows system32 environment? It's got to be more than just a translation layer
Looks like it packages a wine and an app together
Well that's one way to reduce potential conflicts. Doesn't do anything about competitive game anticheat not knowing how to detect cheats on a linux env though
hi
Does anyone know how I can fix this problem?
!vpnscript
Run that.
Is it normal for it to be like this, it's been like this for a long time?
Yes
That is the highest level
really, because I've seen people at higher levels, so why is that?
Those are special levels
Red Teamer for e.g., it can be gotten from an event but that event is done now
Staffs have their own level
Also bug hunters from the site
wow, thanks for the info, that sounds really good
I basically have a private cloud at home and I want to implement network scale network monitoring. What are some good tools for this? I've looked at LogRhythm NDR (part of XDR) but it looks like it's for enterprises and it's expensive
What specifically are you trying to monitor?
Could setup your own router - https://openwrt.org https://www.pfsense.org
Or if you're interested only in DNS then you can setup something like pihole, adguardhome etc
LogRhythm is incredibly overkill if you are using it for actual monitoring of your home network
sonned
My friends.
Fellow lads.
Currently have the ETA Christoph 3343 90000, so about $65 electric razor. It does the job but the quality is shoddy (duh) and when shaving, I feel my facial hair being "pulled out" or plucked painfully rather than cleanly cut on the surface of my skin, for a lack of a better description.
I look my best by far when clean shaven, and if I don't shave for 1-2 days I just look bad.
Wondering if dropping a few hundred on a premium quality electric razor from phillips or siemens or something would improve the shaving experience.
I'm not a fan of electric razors. For that much money, I would get a good quality badger hair brush, real shaving soap, and a nice safety razor.
You shouldn't just be using an electric razor tbh, you should trim it then shave it off using a razor or barber's blade
Along with what @mighty echo said, i am working on getting a protectli vault to install pfsense on it, and use that as my router, and then bridge my router as a WAP. Eventually ill save up for a full home server with proxmox and on proxmox i plan to install pfsense and jellyfin to start out.
Be careful about running static appliances as VMs; if something happens to the host, you'll have completely lost the ability to connect to the network
Yes! I have been told a lot of people run proxmox and they love it but the same people telling me what you just said. I have been waiting to do that until i fully understand what I am doing and how to handle errors but still. Confusing. It's like they're telling me they love it but its a bad idea, but to do it haha
It's too much overhead, for a lack of a better word
I only clean shave with a razorblade before I go on a date or something similar
But I do need to shave ideally, on average, once every 1.5 days
Where as with an electric razor, I'm done in 5 minutes. The brunt of the question was - will a premium razor give me a less "painful" shave than the $65 one
No. All electric razors function in the same way; if they are pulling, you are letting your facial hair get too long before shaving or the blades are dull and old. If you want a more consistent shave, add it to your daily routine
I'll try sticking with it
Highly recommend a safety razor and brush and shave soap as juun said. I got an omega synthetic brush, proraso green soap, and a king c gillete razor and it was cheap and good @heady creek
How long does it take you? When I shave manually with a razor and shaving cream/foam, it's like legit 10-15 minutes
I can't fathom doing this ~5x a week
Not timed it but it's a ritual, like making nice coffee
Add 10 min to your shower routine
I do enjoy it actually, but specifically because I only shave when I go on a first / second date, job interview etc.
The core of the problem is: I'm lazy
For me I shower, brush teeth shave when needed, and clean bathroom as my routine. When i dont shave i just save 10 min. If being clean shaven is so important i cant imagine 10 min being a big deal to spare.
or rather it just feels like too much overhead
I mean thats like being too lazy to shower. You dont have to but 15 min to look and feel great is worth it. I feel and act much better when i condition, shampoo, and comb my beard
its important cuz I have great facial bone structure but look awful with facial hair. it makes no sense for me to not be clean shaven when going out etc.
But in the context of daily maintenance, I could do by with just electric razor shave
I found I could shave less frequently because it's closer
For me even after clean shave with razor manually, it takes 2, 3 days max before I have to do it again. idk life is hard xd
So shave again. As long as you arent destroying your skin, I don't see an issue. 2-3 days is about normal for hair to need to be shaven again if you are going to clean shaven.
so the lesson is: suck it up
Youll have to :/ or spend $3000 on laser hair removal lol
Yeah not doing that
As someone that loves being lazy, getting a routine down feels so good. I feel and quite literally act better as a human when I know I am fresh. Shampooing, conditioning, combing, trimming, and oiling my beard feels really nice. Get a ton of compliments on it too.
It sucks and can get expensive but its 100% worth it if its something you care about. Just don't impulse buy. You might get something trashy and think you shouldn't take care of your face / not worth it when in reality its just bad product / limited knowledge.
I don't have a problem with laziness, I have a problem with trying to be overly efficient in every facet of my life.
I am perfectly happy with the $65 electric razor daily maintenance I have going on right now, it's just that I feel my facial hair being "pulled out" or plucked painfully rather than cleanly cut on the surface of my skin, for a lack of a better description
so I'm wondering if a $350 electric razor fixes this
some of the premium ones have crazy good reviews online but yea idk
Could be bad or old. Not necessarily cheap
nah I have ETA Christoph 3343 90000, it's been like this since I bought it
Not that long. 5 minutes at most. It's part of my daily hygiene routine.
im having some trouble enumerating a box. I am trying to use gobuster to find some directories, but all non existing directories redirect to a static 404 page, so I get a 200 OK response for all of the entries. I tried to filter out character length using ffuf, and not follow redirects with gobuster but still came up short. Not sure what to do to get around this if anyone can help. Its not a THM box but any help is still appreciated. Pls ping and / or DM at will
daddy
try dirb
./gobuster dir -s '200' -w /usr/share/wordlists/SecLists/Discovery/Web-Content/CGIs.txt -u http://127.0.0.1
are ip addresses typically hashed?
considering theres probably no usage in them aside from validation
Three things:
- Wut
- IP addresses are just integers. What's the point of hashing them?
- Wut
never heard of hashed ip...
for privacy sake
the fact that breached logged IPs and didn't hash them
e.g. putting argon2 on them to prevent law enforcement from getting access to the ip's
Again, IP addresses are integers. Hashing them wouldn't make the slightest jot of difference -- all you need to do is be able to count to the maximum IPv4 integer and you'll have 95% of them anyway. Also makes things like rate limiting a lot slower
Hashing IPs certainly ain't standard practice afaik. Awful lot of effort and wasted computational power for not a lot of gain
Realistically, what's the goal of hashing an IP? The potential used keys in the set is so small, bruteforce is going to take a very small amount of time to crack.
That ^^
then there is the problem of the hashed ip not being helpful for when you need to forward data to it
that's certainly true in non logging context
one could use an expensive hash function like bcrypt or argon2
Which makes it even less useful for working with the data. Take rate limiting as a really simple example -- can you imagine how slow the site would be if you had to hash the damn IP address with a slow hashing algorithm before checking cache / DB for request count?
Same thing applies to any other uses for the data, including things like analytics which is presumably what they were using it for.
Regardless, it's not like you would be bruteforce cracking the hashes on a tight schedule. You could quite literally generate a hash table at your leisure and simply pluck the addresses out of it. When the number of possible hashes is that low, it really doesn't matter how slow your algorithm is -- those hashes (all of them) are breaking very quickly.
All you're doing is inconveniencing yourself and your users by wasting your own processing power and slowing down the application 
why would I hash an IP address to something that takes 256 or 512 bits, when I can just use it as is as 32 or 64 bits?
I mean you could "hash" to an int if you don't like the presentation format
I mean you could in theory encrypt them, that's a different story
sort of; but I don't see a use case for encrypting IP address in logs. What would the exposure be?
I don't know how it could be
NALANLA, but I don't think an IP address is enough to get a search warrant issued without other evidences present. Like maybe domain name ownership tied to the DNS record for that public IP
how would you approach this kind of question: URL-encode the . symbol
It's not a question. It's a hint or relatively a statement to some obfuscation definition or meaning, telling you to encode the . symbol
Which in this case the URL encode for the . would be .%0A
. is %2e no?
Yes you are correct. Not sure why it output %2e this time
I tried on different website and it gave me .%0A again
There is a period at the top there
And when i went to this other site i get the %2e
and in the "encoded" bit too
Yep i see now, i had encode all special characters
Yeah 0a is newline
noted
This is pretty cool, the way you did this small animation thing to point out
what does NALANLA mean? im guessing something along the lines of Not a lawyer and not law advice ?
[+] Possibly interesting SGID files:
-rwxr-sr-x 1 root tty 22912 Feb 21 2022 /usr/bin/write.ul
Anyone knows if this is usable for privesc and how?
write.ul -h output:
Usage:
write.ul [options] <user> [<ttyname>]
Send a message to another user.
Options:
-h, --help display this help
-V, --version display version
For more details see write(1).
Appreciate the help... really stuck
doubt it as there is nothing on it in hacktricks or gtfobins
Yep.. there isn't
Is this THM content?
If so, the best place to receive assistance would be in #room-help
can anyone solve this issue? im connected with a wireless access point and my kali ( which is inside a Vm oracle's Vbox ) is not getting any ip , but when i switch to my router everything seems fine...
good morning
Did you bridge the VM?
If you connect another device to the AP, does it get an IP through DHCP?
:hammer: mohiuddinomar#2667 has been banned.
It's not
Is it an active CTF?
@weak granite I am sorry but we cannot assist you with active CTFs. Also, I recommend reading the rules as unsolicited DMs are prohibited.
hello, Can I change name on certification? certification for aaaaaaaa does not prove me did the course you know.
No, you can't change it after you've generated it.
Oof, that sucks
You could always change your legal name 
Hello guys, how are u all?
True!
hi and bye
!rank
Sure, it's possible, but I'm not sure you want to go down this path.
It's illegal and unethical just to do it outside of a professional agreement.
I have a general question- If I nmap someone's server they'll be able to see that /someone/ is systemically connecting to all their ports right? edit; assuming they read logs
You've spammed that in a bunch of channels
@jolly valve Please do not send unsolicited friend requests.
Be very careful about that. In many jurisdictions, scanning like that is seen as an attack itself. I would tread carefully on scanning things you don't have permission to scan
And by 'tread carefully' I mean don't do it.
I'm going through the nmap room and that question came to my mind
In many enterprises, the monitoring tooling will flag that activity and bring it to the attention of a human operator within seconds of it being detected. I know of several orgs that are capable enough and respond to that.
That's what I thought. I was reading about how you can nmap to create your landscape and my thought as a systems engineer was "wouldn't they know you're pinging all their ports systematically?" Thanks for confirming my suspicion.
If detecting port scans was more valuable, I want to implement a detection mechanism that detects x attempted connects to closed ports in x time. On second thought, actually I might have done it that way in my dissertation project
do they really care to respond? it's just a scan
I am not saying it is cool to scan enterprises without their consent but why would they waste any of their resources responding in any way shape or form to somebody randomly scanning their network
unless by responding you mean blocking that ip address
Well, that's one way to respond
Seniors am asking to learn ethical hacking u only need to know python
You don't even need to know python.
But it helps.
Wat do i need
Go over the fundamentals first.
Like
I'm sure other people have given you plenty of documentation.
And you've probably been told to have a read over #start-here
That will give you enough information to make a start, then decide where you want to go.
Thanx please also share me some books to read
Have a look in #resources in the pins.
anyone know where I can find "declassified" DFIR reports?
something other than DFIRreport.com or whatever it's called
people will strip their pentest reports and put them on GitHub. I haven't found much of that with DFIR reports
you could look at dfirdiva.com and see if she has anything but generally if you hear of a high profile incident, you can google and find something but not sure of a site that lists them wholesale
Pretty sure Mandiant and Dragos have some stuff, but a lot of that material is NDA'd to all hell before they get permission to publish
I thought Verizon had posted some stuff too
very nice. I'll take a look, thank ya
Robert M. Lee, CEO of Dragos, has some stuff on his personal site too
It's ICS focused, but he did the DFIR for Ukraine Power Grid, the Saudi Aramco attack, and some others iirc
Report to Snapchat and police.
report it to the police
They're more than likely bluffing.
However, there is nothing anyone here can do.
oh no, the police can find so much using snapchat it's crazy. Don't think for a second that just because you have no info you have no case
I've seen police dig up unsent snapchat videos and use it in court cases
hello everyone, I would like to ask about threat hunting
currently I am trying to do an external threat hunts, where I don't have any access to the target environments.
I would like to know, how can I find any kind of leaked information for instance, gitlab projects.
do you guys have any suggestions on how to start, what to know to help me through this process?
thank you (I am a beginner)
Hey @next thunder , welcome. Kindly requesting you to keep your messages limited to the appropriate channels ( please dont post the same message over multiple channels )
Hi
Hi
Hello
Helloo
I think I've eaten a fair amount of cat hairs in my life from owning cats
I think I've eaten a fair amount of keyboard hairs in my life from owning keyboards
After a while I don't think there's any point in trying to clean a keyboard anymore, better just to throw it away
I feel dumb for asking this, but is Kali considered a meme? And if so, why?
Not really. It's a pretty well maintained distribution of Linux that maintains repositories to make installing tools a lot easier than having to constantly maintain a pristine startup script or up-to-date iso.
The only things to meme on are (a) OffSec (the company) and (b) how it's the go to for beginners to start asking low-effort questions about without ever putting in the work to actually understand Linux and why things are the way they are.
I don't see the meme angle
Hi Guys,
Please I'm new to this discord and have a question:
What are the most active hacking/leaks forums (websites) of the moment ?
please don't ask the same question in multiple channels
What do you mean by "hacking/leaks"
nvm
Bought a home server and neglected to do enough research. Its EOL was a few years ago
It seems like he means like information on actual hacks lol. And not blogs and news articles like the actual info, by "leaks" thats all i can assume
Best not presume
To remote control the server i need java web start which stopped being updated and shipped in like 2021 lol. Depressing
Which model?
Dell poweredge r630
The issue is the remote control is accessed by a jnlp file. I spent a good 4 hours trying to open it
Ah there's a setting for HTML 5
I've got a 720 and it stumped me for a bit
Hmmm ill check it out for a bit when i get home, thank you
Gave +1 Rep to @burnt night
I'm waiting for someone to join this discord and ask how to join the shadow brokers.
AHA THANK YOU!!!
which OS do you have? mine came shipped with windows server 2019 but honestly i have no clue how to use it lol
sounds like a fun learning process though
TrueNAS Scale. I wouldn't recommend it.
I've got ESXi on my main VM host
oh i thought about esxi but did not look forward to a subscription, especially considering the price of their other things. I plan to install Ubuntu server and then proxmox on top of that.
Ok im going to be honest, from the front page, TrueNAS Scale looks pretty neat, besides the fact that it released less than a year ago LOL
Its a free trial for home
WHAT, im looking right now. I did not even bother checking because I would not be the least bit shocked if I looked and it was like $5K for a download
Or vmug for 200/yr if you want more products
You're looking at enterprise
But yeah run truenas normal if it's as a NAS.
I don't recommend scale, it's got some irritating issues and I didn't find the VMs so intuitive. ESXi was super intuitive for me
Ok Ok Ok ill look into it thank you. I know a few people that have had a server for a long time and they all said they loooove proxmox. I figured the fact that I needed an underlying Host OS was a shame but was not going to pay for ESXi so whatever lol.
I wanted to install TrueNAS
Honestly with Proxmox, it's not really what's used in industry
but my dell server refused to find its boot loader
Less value as a homelab
I tried using openmediavault for a bit but when i tried to get it to utilize the root partition it broke too
so just went for plain debian which works fine
pain 
is this one of those things that "Oh yeah thats normal and the error is overreacting, it's fine" Or is this some thing i should listen to lol
Yeah you should be able to run 7.0 but the license is harder to get
I shall restart the install with esxi 7.0, thank you again
Not officially supported isn't a big deal
Oh ok so continue with ESXi 8.0? Or go for 7.0
Man you weren't kidding lol, I found the download page and it says i dont have access lol. Or at least i think i found the download page
I honestly had a feeling that that was the case. I mean I use it as my daily linux driver when I am using linux, and obviously for THM stuff, and I can see the value of the distro coming preloaded with a wide array of tools. I was in another server for the college I'm in and someone chimed in with saying Kali was a meme, and I felt like I had heard some rumblings of that elsewhere, so I wanted to check if it was a more common sentiment than I thought
Thank you for the response though, I appreciate the insight
Gave +1 Rep to @signal hull
I'd avoid using Kali as a daily driver, it has a tendency to break easily imo
sudo chop -a 
It's mainly just the first thing script kiddies see. They go to youtube and type in "how to hack facebook account" and the first thing you see is kali, so you occasionally get a flood of them in and looking to hack random things
what would be a recommended daily driver? I see mint and ubuntu thrown around a lot
also, could you give an example of it breaking? I think I have an idea, but I am curious to gain additional insight.
There is a lot of fish in linux sea. you might need to search one that you might like. lots of ppl are on ubuntu and some like ubuntu that is more user friendly.
Fedora is super common, in general I'd recommend a LTS distro and run less stable branches in containers or vms as necessary
The APT repos that kali maintains have historically been not great, and not all packages are updated in time for the rolling release date. That has gotten better in the last couple of years, but I have still had occasional breakages in packages across the rolling update.
I actually got a Fedora VM for classwork, but we don't normally cover using it. Most of my experience with linux is using it with THM rooms, but I want to figure out how to expand to just use linux for normal stuff, to gain additional familiarity.
Who going to defcon
I'm not going until they release the videos from last year
They did ages ago?
For the talks at least...
There are many talks still missing for some reason
Everything I can remember from the schedule is on there
https://www.youtube.com/user/DEFCONConference/videos
What's missing?
Most the talks from the recon village and RF village
HRV?
what's HRV?
Ham Radio Village
Actually the RF village talks are online now, I take that back, it's just the Recon ones which are missing
No they renamed the wireless village to RF village,
Ah.. got it.
also most linux groups are swarmed with people asking how to get their kali running after they encountered ubuntu bugs, showing that they have zero knowledge of the subject matter and just want to be malicious
guys
hi
You're going to need to provide more information. How much are you willing to spend, how big can the GPU be, etc
Also, just for clarification, are you asking about AMD and Nvidia or just Nvidia. GTX and RTX are both Nvidia products.
just Nvidia
Budget?
RTX = Real Time Raytracing (Better reflections and shadow quality in games)
GTX = No Real time Raytracing, also the newer generations are always RTX. the newest GTX are GTX 16 series which are a revival of the 7 years old 10 series
so it's basically just a question of power vs price
Guys today i finished my frontend course please get me any contracts or remote jobs such that i can gain experience
yeah, very saddening
AMD names with rtx number
Ok strike my last it's RX number ..
Bloody companies can't name things properly...
You can make a listing on Fiverr, and a post on LinkedIn, both will likely get you more work than on here, also, do you have a portfolio?
This is not the place for this sort of thing. Join a dev server
I JUST GOT A 90% ON MY AXELOS ITIL V4 FOUNDATIONS HAHAHA. This feels so good. I'm glad this cert lasts for life bc I am not taking that again
Well done
@radiant jacinth Please don't? No reason for that message, totally unrelated, and it's only going to cause issues.
The one in General ?
The one I deleted.
Acknowledged. And thank you for bringing this to my attention btw
Gave +1 Rep to @burnt night
The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.

yours ?
Yes
Its a lot of work
as expected yea
Recently I've been doing a lot of support to the developers of projects
Since otherwise it would just be annoying each other due to skill set differences
E.g. I'd implement a bunch of overkill mechanisms which they couldn't understand
Suree
rtx
Hey guys, does any one understand malware analysis? Im really struggling with this assignment and cannot wrap my head around it
We don't help with assignments here I'm afraid, please ask your teacher.
And malware analysis is strictly restricted to #exploit-and-mal-studies, of which is limited to level 0xD on the website, OSCP or any cert that is considered to be 'advanced' and Infosec developers
Ahhh is that so? thank you anyways
Can you help me understand what is the level and benefit of comptia security+ exam
Security+ is a great base certification, many organizations, especially DoD require it to even have access to their networks.
It can be a difficult starting point for those new with technology, but it is definitely obtainable by a novice with the right amount of studying.
I think is worthless
It has a lot of general knowledge, and you will not be good at any specific task, correct. But many tech related jobs in the USA require it.
If you have a BS might get you a job in a government agency, but just the cert by it self wont get you in the door.
Definitely, I have a BS but most tech DoD jobs require Sec+ still. They say like, have Security+ or be able to get it within 60 days of start date.
Yeah in that case. Plus passing a polygraph lol
If I had to chose between a BS or a Sec+ I would chose BS, but I would not call Sec+ worthless
I see what you mean.
Also, BS is a lot of $$, and a Sec+ cert can get you in the door for a lot less, enough free resources online to just have to pay for the test.
I don't think that just a sec+ will open doors. Ime is not enough even with a BS. What helped me the most was personal projects in combination with a BS and sec+
Maybe my area is saturated with entry level ppl looking for an opportunity
Or maybe im just dumb
I know multiple people who got in the door with Sec+, new previous IT experience, making 80k+ a year on the help desk .
Where?
Google, LG, and Amazon.
I mean no previous IT experience , not new. And no, neither of those locations. All in person. Not saying where
Sadly, most jobs today hire based on your ability to interview well and your linkedin profile instead of technical prowess
True
I feel so old just getting back into the security sector, last time I used Kali it was called Backtrack
and python3 didn't exist
It's actually the other way around. You can have a degree or experience but for most if not all technical positions you'll need to satisfy the appropriate 8570/8140 requirement. The most common category is IAT I or II, which sec+ satisfies both.
Government is also known to hire bodies, sometimes that happens for security.
For what I see they require a bs as well to even apply.
Poly is only very specific positions and locations
I have to take one /:
It really depends
For systems analyst at city hall
But security+ or associated cert for the category is pretty much mandatory
So, you're talking about local gov. Fed is different
They'll probably model their requirements off of the federal government, but they aren't required to follow those rules to the letter. Agencies that interact with the federal level are bound, by law and charter iirc
I guess I'm a little confused then
When you say government, the default assumption is typically federal in conversation.
If you mentioned local previously, I missed it and I apologize
Iat lvl 3 with no BS has some great jobs available, especially if you already have the clearance.
You have a link to one because there are probably some caveats?
Ah, just clearancejobs in general. I thought you were looking at something specific.
On USAJobs you have to read carefully because there are so many modifiers
I've started listening to Darknet Diaries and I'm trying to solve the puzzle at the end of each episode but I'm stuck. Currently I'm at https://darknetdiaries.com/chessmaster/ with the Mr.Robot quote
did you check the background
Wait holdon there are puzzles at the end of each episode?
I guess someone didn't finish a single episode all the way through
starting ep1 theres a voice calling out coordinates, then second episode there is morse code and so on
This confuses me even more but I woke up today and realized the magic word is right in front of me so I'm going off of that for now
Any CEH study groups ?? Pls reach me @olive crypt
dafdafg
You ok, mate?
I dunno either
might basketball 1v1 ?
1v1 in Rust, MW-R
rap battle 1v1
;
Yeah @polar basin jokes about suicide or dying aren't appropriate here, regardless of how 'fire' your bars are
I deleted
Hi guys
Hello
I am a newbie and I know absolutely nothing about hacking technology, can I learn here?
Yes.
Give #start-here a read over, then a read of the rules.
Okay, I don't really understand it, but I will try to learn it.
May I ask a rather stupid question?
No stupid questions
Meaning that you can ask any question @warm plume
Google doesn't answer my question very well
That's fine, go ahead and ask. We can't help you until you do.
I found a scam site, how do I hack into it and bring it down?
Welp wasn't expecting that. Someone will be with you shortly.
:hammer: Luna628#0049 has been banned.
At least they made it easy
Yeah, I wasn't expecting that line of questions at all
Ngl the question he asked was so ridiculous and funny
Maybe he was just naive x) why ban him
That was impressive
Yeah I thought the same thing
But it happens
Zero tolerance for BlackHat behaviour #start-here
I understand he was more grayhat behavior but anyway
It's vigilantism
No matter how good your intentions are, you're still committing a crime
Call yourself whatever, you're still a BlackHat /shrug
So you must be officially commissioned even for a scam site I understand. Otherwise it would be the wild west
Mhm, correct:)
The classic grey motto is exploration.
If you cause destruction, regardless of target, that's black.
But colours don't really mean anything... unless it's red
I would say that that 99% of the gray "motto" is actually blackhat with poor justifications. Either one is acting ethically, or one is not. It's like breaking into someone's house just to see what kind cool stuff they have.
even if you don't take anything, it's still breaking and entering
I want to punch black hats
we don't condone violence here
Sorry
I'm emotional in last days
:))
only green hat matters, where are the bug bounties lebowski
symmetric encryption should be used whenever suitable and possible, right?
considering its safer (especially in post quantum time)
I have nginx running on port 80 for gitlab-ce. Problem is gitlab-ce did not install properly (no gitlab-ctl command) and I want to delete it. the process shows as:
root 8316 0.0 0.0 20068 6920 ? Ss 12:33 0:00 nginx: master process /opt/gitlab/embedded/sbin/nginx -p /var/opt/gitlab/nginx
/var/opt/gitlab does not exist and I have restarted, something is trying to run the process for gitlab. I cannot find any services which run GitLab via systemctl list-unit-files | grep gitlab , nothing in Crontab....
Any ideas on how I can figure out what's actually running this non-existent GitLab command?
There are a lot of files mentioning gitlab is dockerised, but it's not in docker ps and it's running on port 80
$ sudo find / -type f -name "*gitlab*"
/var/lib/docker/overlay2/2f4cf7bc6cc817e2621d1b7a632e4a4237dc9e4f911853d7bee043972f5821c6/diff/opt/gitlab/embedded/cookbooks/cache/cookbooks/postgresql/templates/default/gitlab-psql-rc.erb
It's mostly just faster. Key storage is more sensitive though
We aren't really post quantum yet, and isn't elliptic curve crypto resistant to that?
Gitlab is written in ruby, is there an interpreter or something?
Try docker ps -a, container may be stopped
I can get a source if needed but IIRC ecc is still vulnerable to Shor's algorithm
it is not. ECC is stronger against traditional attacks, but not quantum
Ok fair, it's mostly ignorance on my part here
not there, ruby is not installed either
this is rather annoying me
I am pretty sure gitlab is running with docker because of :
/var/lib/docker/overlay2/2f4cf7bc6cc817e2621d1b7a632e4a4237dc9e4f911853d7bee043972f5821c6/merged/opt/gitlab/bin/gitlab-redis-cli
that volume does not appear with docker volume ls, is there like a 2nd docker or something running here hahaha
sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
98ecc642e8f6 gitlab/gitlab-ce:latest "/assets/wrapper" 3 months ago Up 8 minutes (healthy) GitLab
oh????
that's possible; have you checked the host to see a list of docker processes? could it be a manual start and a daemon both running?
it turns out docker and sudo docker are both different to me. somewhere along the way my docker install was messed up haha
that makes sense; docker runs as a unified process most of the time, so it's two instances: one running in user context, the other in the root context
Oh did they add a user context?
they added a rootless mode; not sure it compares to the containerd or podman rootless though
Yeah ok never got that working properly before switching to podman
I liked using podman, but a problem that I had a lot was the docker images being made specifically for being ran as root
like the ones from linuxserver.io
that shouldn't matter, really
because of how process ID mapping works in rootless podman
Not too sure about that, I kept getting errors like this
/run/s6/basedir/scripts/rc.init: line 20: /docker-mods: Permission denied
/run/s6/basedir/scripts/rc.init: warning: hook /docker-mods exited 126
[migrations] started
[migrations] no migrations found
groupmod: /etc/group.65: Permission denied
groupmod: cannot lock /etc/group; try again later.
usermod: /etc/passwd.66: Permission denied
usermod: cannot lock /etc/passwd; try again later.
Based on images from linuxserver.io
Which refused to work unless I specifically ran it as root
Makes sense
Hmm. Sounds more like whatever the docker-mods are, they are incompatible with podman
which means they aren't 'pure' OCI formatted images
Yeah it's probably doing something funky
I only had issues with bind mounts and selinux
Phone always feels much heavier after it's done charging
it's a psychological thing
Hey all, I have question. If you don't understand a room, are you going to find answers or videos with explained how to do a task ? Or is that not really a great option to learn, because sometimes I'm confused, and I don't get how to deal with it. So is here anyone who has same problem or is just me ? How I supposed to deal with things, which one are really new for me? I know I'm new in pentest but sometimes I'm just wondering, is just only me or is someone else also?
It's totally okay and common to use videos and writeups to learn new concepts / techniques! If you feel you'd learn more by following along to a writeup or video I think it's worth it, especially since there will always be more rooms for you to do
For challenges, I'll try to do some research to find out which app is being used, or try to test a site with various inputs to eliminate possibilities. Payloadsallthethings is nice for test payloads, hacktricks is a solid reference as well
It's a lot of exploration and seeing what breaks
how come my reaction to the latest announcement has removed ?
don't want to start the drama , just want to know
How much time have you spent trying to solve the task on your own before looking at a walkthrough? If you are jumping to walkthroughs within a few minutes of encountering difficulties then you aren't going to develop the right mindset to become a better hacker. Just be curious, ask "what if I did this?" "how does that work?". Give yourself some time to research the problem on your own. If you feel like you're hitting wall after wall and a lot of time has passed then have a look at a walkthrough, but only up to the part you are stuck on. Try not to read beyond that part and see if you can finish the rest of the room from there. It becomes a more rewarding experience.
After I finish a room, even if I didn't look at a walkthrough, I love looking at walkthroughs to see how other people approached the room. I have definitely found more efficient ways to solve certain tasks and discovered some new tools in the process.
Thanks. Normally I understand rooms and I try to get answers by myself, but sometimes I'm reading a room and I have no idea what they're asking. Like totally I don't get a subject of the room, and all text and task is like nightmare, and now another question - do I have to remember everything what I'm doing from those rooms ? Is that even possible to remember everything?
I find the key is to take lots and lots of notes. It would be impossible to remember every single tool and command because there is just so much to learn. It can feel overwhelming. That's why having good notes is so important. Every time you learn a cool command or useful instructions for a tool etc, note it down.
It may be weeks or months before you come across another similar problem and by then you may have forgotten how to use a specific tool to solve it by then. If you note it down, even if you have a vague recollection, you can quickly look it up in your notes rather than having to relearn or spend time researching it again.
Use your notes as a second brain
Also, if you are finding all the text to be a nightmare, maybe try to find rooms that interest you and are about topics that you find interesting. It will make it for a much more enjoyable experience. You don't have to follow the pathways if you aren't enjoying them. Try some of the CTFs. I like to take a break from all the theory heavy tasks and do the CTFs, then go back to the theory stuff in the pathways when I'm in that kind of mindset.
Well thank you for everything, I'm trying my best to remember everything but now I know I have to give myself time, I'm new as a hacker and is normal I think for everyone to be confused on the beginning- everything is hard from start. And I think in my case I have to slowdown and rest sometimes because I'm so hungry of this knowledge and I'm not doing that. Anyway I'm doing notes and I'm learning well I think sometimes I just have to spend more time in one subject and be more focused. Thanks
Gave +1 Rep to @vital vine
hey,'im locked in the page source thing,can someone dm me to help me ?
Press F12 again?
!notifyme
Ok @raven delta, you will now be notified of future announcements.
Did anyone have any problems in understanding how Network and Routers work? I understood the basic stuff I guess, but I don't know if it's because it's normal for people to not understand how it works or if I'm just a little slow to learn. This is just a question of course, I'll still try to understand. I just wanted to know if anyone has/had the same problem I'm having in understanding.
I can't really understand everything or somethings just by reading, with images is much easier XD. But the fakebank thing was nice and simple and I understood that much easier then a guy explaining step by step. If you have any tips for me in learning things that are hard to remember or focus please let me know. I was thinking of taking notes but I usually copy everything since I believe everything is important or sometimes I over-explain to myself so I can understand weeks later if I forget, or Putting the Network video on loop while doing a workout or just playing a game. I tried watching the video, and I did. but still nothing much.
My background is networking first, but let me tell you, SO MANY people forget the most basic things about networks and network equipment even if they do at some point learn them.
Best way to learn is if you can configure them. There are simulators and what not. I was lucky enough to have real routers to play with when I was learning
Well, there are different learning types some are more visual, some acoustic maybe visualizing it would help you, like drawing. But also there are really good and analog explanations on youtube. Or of course try packet tracer in combo with some tutorials for small packet tracer projects. Explaining it to someone who has no idea, has also proven quite effective.
Does the recent change in subscription price also affect the annual subscription fee?
Yes
What about networking do you not understand?
If I don't understand a concept I try to come up with questions regarding that concept and then search for the answers (Youtube, Google, people)
Sometimes we just need something presented in a certain way to get that "aha" moment.
You are not a visual learner - learning styles are a stubborn myth. Part of this video is sponsored by Google Search.
just because its a really well-made video and people here are probably into those sort of things
Veritasium is great.
"Until 16 seconds ago you were not aware there was a honeypot, this does not inspire confidence" - White Rose
mr.robot ?
One of my favorite scenes 
@vital vine how do you take notes ? I'm interested in doing that because I always lose the names of the tools, their syntax, etc
ms word
Thx
hi ! Just a question
Did they just change the room OWASP top 10 for OWASP top 10 2021 for the "complete beginner" path ?
they swapped the one created by ben for the one created by TryHackme
Hey, yup, they've been swapped around. The pathway now has the 2021 version https://tryhackme.com/room/owasptop102021
You can still find the old OWASP Top Ten by searching
I was wondering why my progress got reset. I was thinking about resetting it and taking notes before it switched, so it tripped me up to see it already done with no memory of doing it myself
i was kinda surprised as i was just finishing the juice shop when the switch happened
if you're referring to owasptop102021, it's an entirely different/separate room, your progress will still remain in the old room. Nothing has been reset
Hi guys, fairly new here, so excuse my noobishness, so picture this scenario where all of your clients sites are getting hit from multiple aws ip range to from Ashburn VA, to Florida, to Germany, their primary objective is to crank up our websites bounce rate and when u got static ip from multiple locations coming into ur site and leaving, it starts to hurt our ranking over time, so I did some homework to pinpoint their ips
Block those ips so that the bounce rate on our clients site dont take a hit
because client is freaking out about it
so I got cloudflare but I wanna take up a notch and got AWS server on the same IP range (n-virginia) ashburn
Mass blocking IPs is an option but you might be blocking official clients
Cloudflare should be load balancing everything fine
Ya but dont u think it would be fun if we can make their entire setup into botnet
and use arp dns poisoning against them idk
lol
I'm not laughing holmes
If you're the owner of the company, I would recommend performing R&D into how other companies handle this type of thing
If u hear the whole story and how long these assholes have been trying destroy all of our clients site
If you have cloudflare the worst thing they'll do is increase the load time while cloudflare tries to manage for the attack
If your website is getting defaced, that's poor security on your behalf
this is our company site legitseoservicesinc.com
and this company seoserviceinc.com
Do your company know you are outsourcing your knowledge to Discord?
is a scammy company who has been doing all then can to take out our clients site
And? Follow the proper procedures
I call it brainstorming
No
It's illegal
And you don't deserve to be prevailing if you take the nuclear option
So if u were on our shoes what would you do?
what would be the best rule of thumb or best practice in this types of cases
Speak to cloudflare about how they can protect you as a company, don't outsource to 19 y/o's in a Discord server, learn proper security practices, read upon law to ensure that you are not breaking it, research in reporting companies for breaking the law, get a legal team
how does one go about getting a 5 star rating from google
find the image and add it
james bond 007
tbf both websites kinda look like scam websites
:hammer: james007#4103 has been banned.
I hope they wrote that down
bro what is this site
would even say that his "company" is the most fake looking
any tips for a 17 year old freelance beginner
don't begin freelance, caused me years of misery, even though i was in a different field
one that can cause less damage, so if you MUST do freelance IT Security, you better have REALLY good insurance
What are you gonna freelance as a beginner?
Suuuu
making a website it is
Do not advertise here.
hii
why i can't connect to the vpn?
2023-05-11 16:43:12 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2023-05-11 16:43:12 OpenVPN 2.5.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 5 2022
2023-05-11 16:43:12 library versions: OpenSSL 3.0.5 5 Jul 2022, LZO 2.10
2023-05-11 16:43:12 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-05-11 16:43:12 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-05-11 16:43:12 TCP/UDP: Preserving recently used remote address: [AF_INET]3.248.120.204:1194
2023-05-11 16:43:12 Socket Buffers: R=[212992->212992] S=[212992->212992]
2023-05-11 16:43:12 UDP link local: (not bound)
2023-05-11 16:43:12 UDP link remote: [AF_INET]3.248.120.204:1194
2023-05-11 16:45:23 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-05-11 16:45:23 OpenVPN 2.5.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 5 2022
2023-05-11 16:45:23 library versions: OpenSSL 3.0.5 5 Jul 2022, LZO 2.10
2023-05-11 16:45:23 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-05-11 16:45:23 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-05-11 16:45:23 TCP/UDP: Preserving recently used remote address: [AF_INET]54.194.161.223:1194
2023-05-11 16:45:23 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-05-11 16:45:23 Attempting to establish TCP connection with [AF_INET]54.194.161.223:1194 [nonblock]
Have you checked the pinned messages in #site-support ?
DM me your OpenVPN configuration please
Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
this part may have the solution you need
Shh
I'd like to have a go at using VMwares ESXi which there seems to be a free license for, however when I try to register it requires a company, does anyone know if there is an option for personal hobby use?
Fill in the blanks. Exact same process for downloading Windows Server ISOs from Microsoft
Jayy's Creations has a nice ring to it
okiii thankss!
No worries, CEO
It's *Sir now
The chosen One
I'm the new guy,
Hi the new guy
If this is an active CTF, homework, or work we cannot assist. If it's an inactive CTF there are generally approved writeups you can reference if you're stuck.
@candid tartan it's not THM
ah. it was not here when i reply the (...)
Hey guys I have a question about the Capstone network. How is it possible to create such a network only using virtual machines? Or is there much more behind the scenes than just Virtual Machines when creating such Networks?
It's the same as creating a network using physical machines, we just set it up on AWS infrastructure
So it's all virtualized?
Pretty much
That's amazing
Hello! I have only been using TryHackMe for 10 days honestly and i am already considering premium subscription, any thought on that I was so sure until I saw the subscription price, I quit my job 2 weeks ago so thats another thing that made me hesitate.
I have the money, but I want to spend it very wisely (I am very seriously pursuing a career in Cybersecurity, even applying for masters)
If money is an issue I'd say hold out on a subscription for now. There is more than enough free content on THM (80% I believe) and you can always subscribe when you do have the financial stability
Hyy gys any pro cybersecurity expert here?
@twin ridge
If you have a question, I would just ask
Please don't point people in the wrong direction
That channel is only for tryhackme room help. They're not asking for that.
in which specialization in master cyber.?
Oh, I am not currently enrolled in one, I am just actively searching and preparing for applications, do I need to have a specific specialization in mind?
I was assuming that they needed help with a room?
Best not to assume, ask if needed
Alright
Like information security, digital forensics, management,
Pondering extensively
Hmmm, well I guess network security
What's the average timescale (hours, days, months) for the average reconnaissance step in a red team engagement?
I think they vary, depending on the engagement.
why doesn't secure boot have a special mode for entering custom signatures?
since a virus can now enroll their own signatures, right?
You can add signatures to the database in the BIOS.
shh
You ok there?
Yeah, whenever I visit this channel, I feel like I'm in a library or something, the channel name generates a placebo effect.
Hmmm
Hello!
hi!
How are you?
doing fine, you?
I'm fine.
in the mood for some quiet conversation in the hacker server tonight
Nice! Me too.
just looking over some PDF books, burning some incense, getting ready for bed soon I think
Ok and, do you have any specific goals for coming to TryHackMe?
for the platform in general... not any super specific goals, I suppose? I've been interested in cybersecurity for a number of years. it's mostly a hobby for me, but it'd be cool to get some kind of cert and THM seems like a great way to pick up skills for that
doubt you'd feel that way if something of yours was hacked lol
Ok
:hammer: joe swanson#1234 has been banned.
what are your goals for THM?
:hammer: sped#4157 has been banned.
thanks mods
Gave +1 Rep to @civic root
wtf were those guys on about lol
Yayyy the blue snek came
Personally it would be to make absolutely all the rooms of the site slowly but surely with knowledge. And why not be in the top 10 and do honor to my country.
Because I would like to make it my job.
hey sounds awesome! a lofty goal but a worthy one for sure!
Thanks a lot man!
Gave +1 Rep to @hasty atlas
honor your country, which one is that if you don't mind me asking?
It's Monaco.
Do you know?
just had to look up where in the world that is haha
believe you are the first person I've ever met from there
Haha incredible, and where are you from?
Montana, USA
Wow, I love this country!
ah thanks! I've mostly only been to the western part of the United States
Gave +1 Rep to @steel perch
went up to Canada a time or two, also the western part of our northern neighbor
I went there on vacation, it's beautiful.
sounds excellent
Would you like to add me as a friend? You're cool.
yeah for sure!
always awesome to meet new people from other parts of the world
I have a very good friend from Estonia who I met online. I visited him this year!
Yes me too.
is it worth it to reinstall the os for the vm every year due to updates?
or is a simple apt up{grad,dat}e enough
p
Hallo
hi
Hey! @primal grove, I really like your way of seeing things, would it tell you to add yourself as a friend to move forward together and why not help each other when we need it?
Sure, you can PM me when you need help
Gave +1 Rep to @timid badge
@safe musk That's great and all the best with it! But this isn't the place for advertising I'm afraid
@steel perch hi
ok sorry
Hi!
oh wait thats true yes
but if bootkits can enter signatures anyway, doesn't that make secure boot useless?
I also want to join you guys
We don't do that anymore.
hahha ok ok
that's where your admin blocks access ? :p
how do DFIR folks approach things when the same vpn ip address logs into a personal account and hackerman account of the suspect? I'm currently watching the following and 11:00 raised some questions https://www.youtube.com/watch?v=1fZWHeHICws
In this video I discuss the OPSEC mistakes PomPomPurin made during his blackhat hacking career that led to him getting caught by the FBI.
considering multiple users get the same ip address so one could argue that they are different users
most likely looking at all the meta data. i can't remember pompompurin specifically, but people have been caught because they "didn't turn on" TOR and you know... their browser still has all the same metadata
so if you fingerprint a system and it's 100 percent the same within a short timeframe, you can reasonably guess who it is
mind you, there's a lot of brain and machine power going into getting these high level targets.. average joe buying weed online probably will slip under the radar
Ha, they should just move to a legal state
maybe they'd reach out to some authority who could then subpoena the vpn logs?
a lot of vpn services have some sort of logging.... which makes it trivial to send a warrant to get access to what ips were connected to a specific vpn server and by that way check if things line up in a time frame to figure out who is who
i need help in openvpn
Options error: Unrecognized option or missing or extra parameter(s) in Atoz.ovpn:13: data-ciphers (2.4.7)
You need to change the line that says data-cipher to cipher. At least that was suggested a while back.
Your OpenVPN is outdated, update it
i downloaded newer , but still same error occur
Send the error?
sudo openvpn Atoz1.ovpn
Options error: Unrecognized option or missing or extra parameter(s) in Atoz1.ovpn:13: data-ciphers (2.4.7)
You're still in OpenVPN 2.4.7, newest version is 2.6.3 (but 2.6 should work fine)
im trying to update
using apt install openvpn
openvpn is already the newest version (2.4.7-1ubuntu2.20.04.4).
my machine printing this but why?
wait let me try to update
Hey
How can I root my phone ?
I hope it doesn't get brick and someone please guide me with their expertise.
Not the right place to ask here.
We can guide you but if your phone becomes bricked, it is entirely on you
Oh damn, that's scary
There are some very complete guides if you look, but modern android phones seem resistant to me, or I'm probably just not understanding something
hi! how do y'all take notes? been working through red team path again and doing notes on everything but wondering:
- do you take notes on everything or just the command syntax? on one hand, having everything would clutter and when you're just looking for syntax it'll slow you down, but on the other hand you have less details about the tool or the technique itself
- or, do you have separate notes for just commands and syntax and more for techniques?
- also, if your note taking software has it how do you use backlinks throughout your notes?
This is how I've come to organize my notes after much revision:
You split them into their functions, then further down into categories if needed. For the actual tool or technique you have title, a brief on what it is and what it's used for, quick useful pointers, syntax, different methods it can be used
I don't use backlinks I find it confuses my notes too much, if I need to reference another page I explicitly just say to go find that specific page
how come you don't use the same variable notation for the ip
thank you! can i see an example for something in privesc? (like i mean how do you write about techniques instead of tools, and reference the tools needed??)
but thank you, going to restructure my notes based on that
can I pop an example in ur dm?
ofc go ahead
That's just an inconsistency there tbh, I usually only use variable notations for flags
I absolutely have to take notes on paper for it to stick at all. Just how my brain works. I write down a summary of everything and I have a set of glitter highlighters that I use to color code. e.g. syntax = blue, headings = pink, terms = purple and so forth
Those will be fancy looking notes 
What program is that? That looks really good! I need to do an overhaul of my notes. At the moment everything is just in a single, very long txt file. Whilst my notes are good, searching through them becomes really inefficient. Just looking for a better solution. Obsidian is at the top of my list at the moment, but syncing it between all my devices would be a pain if I don't want to pay the monthly subscription.
That is obsidian, I sync my notes by uploading the markdown files to google drive
I also use onenote but I save it locally and transfer it to obsidian because I absolutely despise onedrive
All my notes are in OneNote too because it was the first note taking system I came across that was cloud based and had an android app. It's been working well for me till now, but as I start getting more and more notes, it's getting very inefficient when trying to look up something on a whim. The most frustrating thing is that on android onenote doesn't have the ability the "find next" - so you can only find the first instance of a word, then the rest of the word matches are just highlighted. Really frustrating.
Oh man, I feel you. The find in general for OneNote is horrible
Compared to obsidian they are night and day
They are very fancy. Glitter highlighters are def worth the $6 lol. I also have a cute notebook that matches, which I think really enhances my studying
Good to hear. It'll surely improve the experience a lot 
Same here, I used to take notes in a Blue notebook, but i lost it once. Since then i started Using oneNote. writing definitely feels more natural.
what is the best room to start after finish CompTIA+ Pentest+ room,
red teaming or offensive pentesting ?
Just do some more easy to medium boxes
Is there any beginner?
oh wow, that is very well organized
I Try to structure notes as .md files in different folders. some are meant for reading, others just as links or code snippets / shells that get reused. it makes it all searchable in vscode, which is nice. can download images and link then in notes as well, and download a vscode extension to preview markdown.
Not sure it is the best way, but I am comfortable with it
Sweet! Care to share or at least share the table of contents?
I don't think I understand what you mean
I meant, can I see the full list on the left side?
ah, no subsections for G for example?
Nope
how can I change this sqli username=Mnzh' AND (SELECT 9970 FROM (SELECT(SLEEP(5)))NKGN)-- iNNr&password= so that it dumps database instead of sleeping
What for? What are you attacking?
a ctf its a local comp and my sqli isnt good i just ran sqlmap and got that
its works becuase the page sleeps for 5 seconds when u try login
Nah we don't help with competitions, that's cheating
alg
Great job! Keep it up!
Nice one man, love to see the progress.
I ended up picking obsidian up after seeing you post this. Organizing my notes for OSCP has been easy and looks clean
also ended up buying the sync so i can study my notes on my phone
Just be careful if you're on windows, defender will try to scan the notes
theyre being taken in a vm
Should be fine then
Is the sync automatic or manual?
Because the antivirus on other devices you sync too might delete the notes, then sync the deleted notes across all your devices?
I discovered my defender already sent a few files for 'review' the other day, now it's gotta ask me before it goes off nosing around my stuff.
"upset the established order and everything becomes chaos"
I have exempt folders.
How about trying Notion? I've been using it and it's free plus you can sync it up to all your devices
Right here! how can i help you
Don't know off the top of my head how to dump the database, but you can start by getting rid of the SLEEP(5) and replacing it with something you want it to do, hope that helps
This was for an active competition, we don't help with those
Sorry saw that specific comment a bit late
No worries
Notion may have issues with InfoSec notes, particularly scripts
The buddha says: Apple Notes is good enough
When using gobuster on Tryhackme's attack box, I get confused on what wordlist I should use for the situation. I'm not too familiar with gobuster yet, so what would be a good rule of thumb when it comes to picking a wordlist to use?
Most people would probably use the small seclists wordlist.
I usually go Medium wordlist, and after that has finished put a large one in the background
ALOW
dirb big isn't bad either
I go for raft medium most of the time.
That's not a bad one either
Do you think free version of the site would be enough for getting somewhere?
!docs free-path
Like 70% of the content is free, you can definitely get somewhere
thanks for the reply.
Is anyone by any chance doing the PEH course and in the TCM server? I really don't want to verify my phone number in Discord just to be able to search for my issue, but I can see that anyone who's asked the same question I have is directed to the hidden PEH channel.
Maybe you could ask the issue on other channels. Someone might help out if they know anything about it
You mean here? I just didn't want to move out of the general channels when I'm asking about a specific issue with another place's content
No in tcm's server but other channel like general or something
I couldn't type anywhere without verifying, but it's solved now
I see
Good to know you got the issue resolved
hi guys, how are you today ?
cooking to perfection in this climate 
Fine mate, what about you?
Hello guys! I am new to this channel
@pallid void Don't promote here
@odd acorn where can I?
Not in the Discord
Alright thanks! 
nice, thx
Gave +1 Rep to @woeful gazelle
@quasi turtle
thank you
Gave +1 Rep to @grand citrus
out of curiosity, the guy that made https://github.com/hfiref0x/UACME, is he an akagi fan (the mahjong anime)?
Not sure how we would know that
Since it is a UAC bypass helper tool, figured there was a chance someone might know, no worries
Red team capstone hoodie acquired!
this stacks with your crit aura right? and a +20 dexterity bonus with +8 armor?!?! sicccccckk
oooh there is a hoodie now??? welp guess shadow gotta try and buy that too
you alr know i just ordered one
yeah just hope they keep selling them until monday or so
The hoody was only for the top 3 winners AFAIK
Oh no, it's not.
apparently not anymore.., check the swag store
It's there, I'm just blind.
heard from am03bam4n that the ones that the winners got have custom names on them though
Yeah, that's cool.
still buying a hoodie in middle of summer when it above 30°C outside might look weird
...Yup
that aint stopping me
any time is a great time to buy a hoodie
where i'm at, a light jacket or hoodie should be kept in the car or on you at all times
never know what the weather will do
Yeah, I carry a sweatshirt and a winter coat as well as a bed system of some kind
where shadow lives having access to rain/water resistant clothing is a must
Where I live, it is regularly 35° C+ so wearing a hoodie isn't a very nice feeling
it was 105 w the heat index and i wore all black and a jacket
it's 28C here and I still have a hoodie in my backpack to wear in the bus and office, people here are really fans of AC and they put it at 18C. I'm not a fan of AC at all
Normal room temp goes around 20C while hot room temp is around 25C
Yes, normal, but when you have the AC set at 18C running all day, with all the windows closed the place turns into an igloo
Looking at getting a rack server, any differences from a normal PC I should be aware? In particular power draw / energy usage?
Want one because it looks cool and I think having a PC is a bit over-kill for my needs (jellyfin, mostly)
Power consumption is pretty average, my bill is typically $70 US for the whole apartment. Dell PowerEdge equipment is really homelab friendly, no paying for BIOS updates (HPE). I would stay away from anything that's RX10 in the PowerEdge line, they are pretty old at this point. Noise should be taken into consideration, especially if they have the potential to spin to full fan.
Stay away from blade enclosures
I use around 20kWh a day
A cheap desktop might be a better option if you don't need lots of cores/ram/IO/storage
Skylake (6000 series Intel) are getting very cheap now
see that is a good idea but it's not part of the Cool Factor™ I think ideally a nuc would work but I just think a rack would be cool
I mean, true. I've got two racks on my new place
Thoughts on this? It looks a bit old but is cheap and the specs would be ok for me i think
Too old IMO
Can get newer kit considerably cheaper, towards the low end of that price window on the listing
Let me dig out my list of ebay sellers I recommend
https://www.ebay.co.uk/usr/pro-avit.london
https://www.ebay.co.uk/usr/data-byte
https://www.ebay.co.uk/usr/datatekuk
https://www.ebay.co.uk/usr/computersinleeds
https://www.ebay.co.uk/usr/systemsupplyindustriesltd
https://www.ebay.co.uk/usr/ups-trader
https://www.ebay.co.uk/usr/tech-computers-uk
https://www.ebay.co.uk/usr/encorepc
I would try to pick up a 2u box as it'll be less whiney, fans can run slower. Probably R720/520
thank youuu
Gave +1 Rep to @burnt night
can anyone help me to start my career in cyber security and can recommend me where I can start and with what, on youtube there are only few things
in the same phase i suggest you go through try hack me website
and then get on hack the box
DFIR folks, do you think that regular criminology (i.e. college mayors) is applicable to the digital side of the things?
Did you mean college major? To answer your question, the only thing that matched up with the Criminology Majors was the investigation process and chain of custody.
I couldn't do their work and they couldn't do mine
You already have all the theoretical knowledge like chain of command and other things. You need to learn the tech part, also you may have to do a year or so in SOC. Entry level digital forensic positions are quite rare.
I would imagine it could help catch the hackers, but no idea
Unless you go army
Or you go to uni on a cyber degree, those are the exceptions.
mhm
in my country army is the way to go for cyber
Sometimes in the UK, fresh graduates from cyber degrees are offered placements on the cyber division of the police or NHS (National Health Service), that's a good way to enter digital forensics, because they will train you.
hello
That's how I hope to join the police digital forensics.
My uni has a partnership with the police.
that's awesome. I wanted to do something similar. I don't work in forensics but I do work in IT with police. So I guess it all worked out in the end
Once you're in, it's easier to jump, right?
Hey @burnt night. I am finally getting into setting up a NAS as I now have a great practical use for it and the only one I know is TrueNAS but I recall you telling me a while ago that TrueNAS Core was a terrible idea and I should not do it based off your own personal experience (if I recall correctly). Do you recommend any alternatives or do you think the trouble is minimal? I just plan to set this up with Plex and Sonarr for home streaming
I run truenas scale, there's a good number of pain points but I haven't really touched it and it's been fine
hey, I use openmediavault for my media server
The plugins for OMV look really nice but man truenas scale just has way too many features, idk why I wouldn't choose it. The options are nice to have whether I will use them or not
quiteee
i have a question how do i exit vim?
press esc and then type :wq
You are not the first, and you will not be the last
You don't.
Anyone here working for or have connections to CSIS?
This is vim. When you reach to Emacs, you don't exist, it becomes your new system
esc
then :wq for write quit
or :q for just quit
:q! for force quit without save
ZZ for write and quit if you are in normal mode
ZQ for quit without write if you are in normal mode
yes the last 2 you just type said letters holding shift
I wonder how many different ways there actually are to exit it.
When you use Emacs you don't exist because you sold your soul to the devil
hi guys totally random anyone is interesed in ai
? is there a platform like tryhackme for ai
saw this recently https://securitycafe.ro/2023/05/15/ai-hacking-games-jailbreak-ctfs/
Technically, two:
- using ex mode; that's :q
- using command mode; that's ZQ
Both actually mean "exit current window", but exiting the last window closes vim.
Then, you need to handle special cases:
- what to do, when the file is modified and not saved
- what to do if there are multiple windows and multiple files opened.
- what to do if some buffers are marked as read-only.
The first case is handled by :wq (for writing the modified buffer) and :q! (to discard it) in command mode and ZZ to write and close the window in normal mode (ZQ discards edits). The second case is handled by :qa, :qa!, :wqa and such. Their meaning is obvious when you consider that "a" here stands for "all".
Finally, there's :x and derivatives that is roughly equivalent to :wq (and derivatives). Some find it more useful than :wq, especially in vim golf. I don't consider it a separate command.
You can find more info at https://vimhelp.org/editing.txt.html#%3Ax
I lost reply tag
The above is about exiting vi(m)
Ah, I forgot about :a stuffs. 
We learn: many ways to exit vim.
Hahahahahaha! 
Oh you use VIM? Then tell me every way to exit it.
This guy:
Shutdown your laptop
Pull the battery out
Smash it with a hammer
@odd acorn kill the laptop and smash it
hello
Hello Hello
hello hello hello
How's going
nothing wbu

