#quiet-conversation
^for the record that is not for phishing. they all redirect to my personal website
You could also be a good Samaritan and have them all redirect to tryhackme.com
okay fine but I want to keep .nl
Meh, better than nothing 🤷♂️
done 
and suddenly lau uses tryhackme.nl to do writeups for tryhackme.com
hello shadow
did you make that pixel art yourself? 👀
no it was a paid commission.... and sadly the artist is not making any more commissions currently
i love it
yeah it is really nice and absolutely worth the price shadow paid for it considering how often they use it
Aw, how nice of you! 
Do anti cheats look for RDP?
Just finished “h4cked” was really fun, but it could’ve also been fun if the attacker patched after themselves and we had to use their patch against them or something
anyways, it was very enjoyable :)
ghidra vs cutter (r2 or the thing we don't put on pizza) and why
Haven't used cutter, I mainly use gdb-pwndbg or peda with ghidra for a high level overview.
Cutter is good, it uses ghidra's decompiler
Cutter multiplatform
ur talking about the new fork then,
how about the radare2 fork?
The old fork that used r2 still integrated ghidra's decompiler...
Cutter is now based on rizen or whatever but that changes absolutely nothing
changed the .nl one as well in before I get sued
..again 
Again 
is this like the quiet carriage? 😂
question for the informed ones
which one is better ?
ettercap and mitm the whole subnet, but only for a short timeframe to prevent DoS
or
bettercap alongside targeting only machines you need
?
I'd say targeted is always better
anyone know if there's a list of standard linux services that run with the S perm flag, and are therefore not a security issue?
Also they are not services.
you are of course correct, and also a pedant 😛
awww baybeee
Please tell me if there’s a better channel for this. Just wondering if people have tips of mobile-only learning resources to fill some dead time when you don’t have your main driver. Could be an app, a short blog or other. No audio. Personally focused on the pentest track.
cybrary, some books
I run IOS but looking to switch back to android soon so for either OS is nice
Hello, what are the study room voice channels for? are they accessible to non-subscribers too?
it's open for everyone & you can join to chill with peoples while doing some CTFs / study together
thanks @radiant jacinth
hmm whats S perm flag?
Technically? SUID/SGID without the executable bit (making it useless)
I suspect they mean the s (lowercase) flag
Which is SUID/SGID
Either way, there is no reason to give a service executable SUID or SGID as the user account and group to run as are specified in the service file @static otter
passwd Is designed to run that way
I must admit I didn't mean service I just brain farted and meant command in general
In essence I'm trying to come up with a list of usual suspects when I search for misconfiguration so I can remove them
ohhh thaaanks man
Easy solution?
Create a VM using your target OS and just look at what has it by default.
It would be the case if I was targeting one specific box
I'm probably going to start a git repo list that I'll add to. Sucks that there's not already one tho
It's honestly pretty standard across most *nix systems. Most Linux distros have a few small differences, but you learn to catch them by eye and just see what's unusual and what isn't from experience.
like when you check for suid files, certain things are supposed to have it, so you learn to exclude those by experience and notice the "unusual" files
I dont know if this is an every-year thingy, but I was doing this room called 'advert of cyber 2020', just wanna know if there'll be a similar thing for this Christmas?
wow, thanks!
(welp, didn't scroll down enough)
Discord does that
why is the voice channel locked?
I take it you haven't read through #start-here then? 😄
oh thanks i didn't notice that😅
Np 
how does that kinda bug even happen
"For some reason, an i386 version of a package was never published on Launchpad. Steam being an i386 package, when trying to install it, it had to downgrade that package to the Ubuntu version to resolve dependencies, which removed Pop!_OS packages.".
that article is great for pointing out the finger pointing
I think this video raises some interesting points too
There is a lot of drama right now in the Linux community involving various Linux desktops, including: GNOME, Budgie and Pop OS's Cosmic desktop. The Linux desktop was so good about 12 years ago. How did we get into the shape that we are in now? And why is the Linux desktop so fragmented right now?
he talks a lot of crap about gnome3, and loves KDE plasma, but the most unreliable DE experiences I've had have been KDE plasma. gnome may not be perfect, but it's a LOT more stable. I've been running gnome on my work laptop for close to 2 years, my problems have been BT and audio drivers, not gnome.
The biggest upcoming issue that's going to enrage the neckbeards is the move from xorg to wayland - it's going to happen, and it probably won't be painless
Yeah, I don't really have an opinion either way. I just use what's given to me
Linus broke his popOS because of this lol
good. Wayland is better
I used to hop between DE's and I think I've tried most of them until one day I installed cinnamon on kali Linux and never looked back, its the perfect balance of eye candy , good UX out of the box and easily/extensively customizable ,what's not to love ?
Yes this is why the memes exist
Yes
I still pity him for not checking the terminal and reading stuff in his screen
I wrote my practice English essay today as an exam with low weight. ended up with 350 words with a maximum of 250
I don't understand how someone can write an entire essay in 250 words
What was the essay type?
It was a plea with title, intro, body (3 arguments) and a conclusion, about filthy comments on social media
I could easily hit a thousand words on that
Yeaah exactly
I would add the Mike Tyson Quote.
you have to learn to be succinct and concise
get straight to the point and remove all the fluff
hello guys what certifications do you recommend for me to take after the eJPT
what certifications do you have? whats your overall goal?
i currently posses the eJPT and i took the A+ course and the CEH course but didnt get the certificates
my overall goal is pentesting and get some knowledge on blue team/forensics
also i need a good certificate that is recognized and can help me with my freelance career but not very expensive
OSCP is recognized, depends how you define expensive but it won't be enough to freelance unless you already have experience otherwise
Do you have a lawyer to consult for freelance pentesting?
I can easily hit 150. Would be a struggle for me to hit 200 but I could do it if I had a week or two
I had 50 minutes
OSCP is really great but i feel its a bit expensive idk maybe its just from my pov
nope i started freelance not long ago on upwork
well honestly, there is no other cert that would meet your qualifications
reason juun asked about lawyer is generally you want someone aware of laws to look over your contract as you can end up in trouble
if your contract isn't specific enough, you could go out of what your customer feels is out of bounds
Retain an attorney
Without having that legal counsel, you are opening yourself up to a lot of potential risk. The contract itself, the systems you are engaging, all need to be checked out before beginning any engagement.
Unless you're intimately familiar with contract law and other regulations, you're going to "get got" at some point. When that happens it's going to be you vs the company as Zojja and Juun said
Ah okay thanks a lot for telling me about this, because i started new to freelancing and there aren’t that many sources about what to do or how to stay careful from these type of things
i know that before starting any pentest there is an engagement between me and the client that specifies exactly what to test and what are the boundaries
specially to not cause any damage to the system itself
Very very important. And yes, you'd need to have that as a contract.
You'll also need insurance
Thanks a lot guys for putting me into the image
In addition to legal representation
Like big money insurance
Even a small company (eg freelancee) could cause a lot of damage and get sued
accidentally bringing down a backend db or auth mechanism could result in an outage that costs more than you'd make on 10 engagements
Yeah ik that, i tried finding info like this online but couldnt really find anything that goes into detail but after this i will have to put a pause on freelance until i sort everything out
Yeah i forget the specific insurance type, the name is slipping my mind
contract needs to specify potential damages and risks, and what risk acceptance process should look like for both sides
damn man, the cybersec/hacking industry really need to be careful in these situations
Yes. That's the point all of us are trying to get across.
One of the most sensitive professions if not done correctly
yes and its great that there are communities made so we can all help eachother out
thats the thing i love about cybersec everyone’s constantly looking out for eachother
and "getting got" here may land you jail time
No way I could do more than 100 words in 50 minutes😫
what does getting got mean
It's the future tense of got got
The appropriate definition for this use is getting in trouble with guaranteed punishment
There's other slang but not for here
does someone need to have legal counsel to start with penetration testing or just can start on bug bounty programs directly
my main goal is penetration testing and bug hunting, can someone guide me for the same as i am a beginner, currently i am doing the pre security path on tryhackme and PEH on TCM
Usually, you would do pentesting through a company as an employee.
You'd need legal counsel to run your own company etc
Remember that bug bounty is not stable income
okok
Never thought I'd say it, but damn I want to go to school
In 6 days I haven't been to school for 24 months
like 3 times, probably
time went by quick 
well thats sounds like a lot...
i can relate despite i havent been to school for a less long time
ikr!
Pivot means using one machine to access another
A lateral priv esc is gaining access to a different account with a similar level of privilege on the same machine in general
Though I suppose if you get a user account on a different machine it could also be a lateral priv esc
I would say that’s still no different, I’d say a pivot is only privesc if it’s for the purpose of privesc
All semantics I suppose, just my thought
a pivot is specifically using a machine to access another
priv esc aside
but yeah we're saying the same thing 🙂
Yeah we are hehe
Thank you 🙂
@mortal venture @twin ridge @pine iron
- Pivot: using one network device as a jumpbox to access otherwise inaccessible devices from your own box
- Lateral Privesc: moving between two accounts with the same level of permission (locally or AD)
- Lateral Movement: Moving between two target devices (usually in AD).
So a pivot can be used for the purposes of lateral movement, although it isn't usually necessary as most C2 frameworks can just chain agents.
That's mostly what I said ;)
Despite how right someone else is Muiri’s input just relaxes me more idk man
Appreciate it once again Muir 😄
Creator of python himself could declare Muir wrong and I would go “but is he really though? Who are you anyways🤨”
is there a site dedicated to tools to drop on target systems
like winpeas but other stuff like a portable scanner etc?
No but there's plenty of static binaries out there
Whether you can trust precompiled code is a different question
Hello, im just a beginner that needs a little bit of help. Can someone tell me why when i try scanning with Nmap while connected to a VPN (IpVanish in my case) it says that Using raw sockets because ppp0 is not an ethernet device. This probably won't work on Windows.
Ok, why are you scanning over that VPN?
Security ?
How does scanning over that VPN relate to security?
Hides my IP address which is the source of the scan
Why does that matter?
I dont want the other guy to see that im scanning his device
Why not?
He may think im doing something bad
To me, it sounds like you're scanning something that you shouldn't be. Are you?
No
🤔
Then why does it matter if they know?
Its a machine of a hosting company
Do you have explicit permission to test in the form of a legal contract?
You should not be enumerating public facing companies unless you have strict access
Or any company
My friend is the owner
Of what?
You're doing something unethical for certain. Please stop. Get a legal contract before doing anything. As much for your own safety.
Don't scan without explicit permission.
I know that. But is there any way of scanning over VPN ?
-ban @sullen temple Admitted to unethical/illegal activity and carried on asking. Ban appeals are bans@tryhackme.com
🔨 Banned Sting#8547 indefinitely
Unfortunately that's not how it works here
soo?
@burnt night can u tell me pls?
Tell you what?
Eventful morning already ninja ☠️
umm how to join staff team here?
You mean discord staff or tryhackme staff?
discord
☠️
Discord staff are selected from the community. They're not selected from people who ask, in fact if you ask to be staff you're practically disqualified from ever being staff.
ohk
It does kinda put you on my veto list 😆
That sounds dangerous
The two energy drinks is the dangerous part. Dosages that high in the US aren't uncommon
I'm new to cyber security and really wanna read a book, any recommendations?
thank you!
ello
anytime
I am new to hacking but I have a good background of programming, I kinda need a roadmap, any ideas?
Depends on what pathway u wanna go
What specifically interests you etc etc
If you don’t know, I suggest you try everything
you'll already have some knowledge but this site goes over a good foundation https://github.com/DFIRmadness/5pillars/blob/master/5-Pillars.md
Did they...
Did they actually just tell you to forward all UDP ports to the switch..?
Really?
Oh Lord. I wonder if Nintendo do bug bounty
They historically have
Certainly for the switch
Whose brilliant idea was it to have regular customers forward all UDP ports to a single IP address?
Like, I'd expect the switch to not be vulnerable to anything (touch wood, fingers crossed), but that still seems exceptionally dumb
Whose brilliant idea was to name a connected device Switch 🙂
I also think their games use hard-coded ports
One of my room-mates has a switch that couldn't do any online play unless I enabled static port in OPNSense which prevents the firewall from changing the source port between receiving the packet for the hop and sending it back out
So what I'd assume is their services are just made to fire back packets on a set port and don't take into account what the source port of the original packet came in on
I massively prefer the code name: 'Nintendo NX'
"I'm just gonna go forward some ports from the router to the switch. BRB!"
How to confuse a network engineer 101
Took me a moment to decipher when they originally said that "something is throttling the network between the switches"
what does threads mean in terms of gobuster? whats to stop me from using 10000 threads and finish a scan in 3 seconds? I have noticed i get a plethora of errors going above 200 threads but..why?
client timeout while awaiting headers is the error i notice when going above 200 threads ish
In general, threads are sort of sub processes. In terms of gobuster every additional thread is an additional interaction with the website. Using 4 threads will allow you to run through your wordlist 4 times faster. However, at a certain point, either your device or the server won't be able to handle all the connections (its usually the server) and either it'll start moving so slow that your requests time out or it'll crash entirely
Thank you for the in depth reply 😄
Np. If you want a better understanding of threads vs processes you can take a look at this video. It's short but it explains it pretty well
Check out the full Advanced Operating Systems course for free at: https://www.udacity.com/course/ud189
Georgia Tech online Master's program: https://www.udacity.com/georgia-tech
I’ll watch it right now thank you again
- Go to /etc/locale.gen
- Un-comment the line that correspond to the layout you want
- Comment the old one
- Save + Exit & do
sudo locale-gen
it should be good
I'd think the device would crash out first. Server CPUs are usually pretty beefy
Huh, isn't a process below a thread?
Which is why multiprocessing is better than threads for performance
Threads are lightweight processes, but the CPU can only support so many at once
Multiprocessing abuses scheduling on a limited number of threads
Especially when there are a lot of idle periods in an operation, is waiting for a response
For cpu-intensive loads, multiprocessing is not much better than threading, possibly a bit less overhead
I am interested In actually hacking like white hat of course but I am interested in being in action
Good point
'Threads' are also context sensitive to the language being used. A 'thread' in Go is a concurrent action, not necessarily a thread in the same sense as in C++. The reason you see a speed increase with 400 Go threads (and you probably won't see an increase in C, C++ or Python) is because 'concurrency' means a different thing in Go than it does in C++.
At least, out of the box with the language-native tooling. Setting up a producer-consumer work division system in C++ threads would be closer to the goroutine model, but still not quite the same construct.
Go "threads" are more like coroutines no?
That's my understanding
They are more like concurrent building blocks, and the programmer gets little to no control over their actual execution
In the java world it would be more like what Vert.X does
Or scala actors
Or probably kotlin coroutines as well
Should try making a buster type application see how it goes compared to gobuster
Or at least a traditionally threaded app
Ha
can i how to use kali linux without installing the os and not using the vmware or box
I guess it's possible to use a live cd/dvd/usb
oooo
why don't you want to use vmware ?
I can't confirm at the moment, but isn't there a Kali VM you can install from the Windows store (assuming you're running Windows)?
That's WSL(1/2)
Not exactly a VM, and certainly not as versatile
Yeah, I looked at it when it first came out, and it looked like they were having issues with the KDM GUI. Still better than dual booting off of a live flash drive, although I guess if you can't install anything (shared/locked down PC), then a live USB might be best.
What about docker?
why
also to any spanish people here, is celular actually used in conversation? or do you just use telefono? because cellphone is not really used in english anymore
in Spain, yes
I mean lots of text I've gone through and talked to with my teacher, celular is used
móvil is popular though
actually I might've gotten that switched, celular may be more South America, but I used to read a variety of texts/listen to various audios
is this duolingo? 
is it okay to ask if someone here knows any resources for how to use binwalk to extract a jffs2 (and also maybe squashfs) file system?
Yes it is
okay well does anyone have any advice on using binwalk to extract jffs2 filesystems?
yassss
Do you genuinely not know why? Or are you just showing it?
Their answer is correct compared to yours
i don't know why mine wasn't accepted
Because you use la and an -a
In Spanish the male is always dominant, so if a gender isn’t specified then it’s o and el
I wonder
Does duo lingo actually teach you tenses or do they just expect you to pick it up?
because there can be some weird rules
This is also sadly true in French
that's also good to know when i learn french too 😅
Does anyone know if there's a tool that is able to detect steganography on multiple files (in a folder)?
For future reference if someone asks about a jffs2 file binwalk extraction there is a THM room for dumping firmware
cd myFolder && stegoveritas *

Ok thanks BAHAHA I genuinely had no clue so I was going to allow someone more knowledgeable to answer
what do you guys use as primary os? I'm having a bad time distrohopping for that just works perfect distro here any recommendation
Windows with Linux VMs
Linux w linux VMs
@queen owl Depends on what I'm doing. Most of my work stuff is hosted on a cluster running enterprise-like hypervisor as a host for VMs. My work gives me complete freedom for my work lappy, so I run F35 there. My personal desktop is the only windows machine in my house, and it hosts a couple of playing around VMs. I have another personal dev machine that runs Ubuntu LTS and a couple more VMs for dev related activities
I need to get a personal dev machine because dev work on windows is sad
Windows as main OS & some school dev on Debian 11 ( One VM for laptop & desktop, never dual-booting )
Hey folks, sorry to interrupt conversation. I'm looking for a good file-sync program that is both frequent and has a desktop client for Windows & Ubuntu/Debian. I have two copies of a VM across two hosts that I need to maintain an up-to-date versions of files across the VMs and both hosts.
I used to self-host Nextcloud which I think will do the trick for what I need, however, I don't really want to fork out any more money to self-host. Any ideas?
Why not store the files on one and mount the drive as an SMB share on whatever else?
Rsync over SSH might also work Unix -> Windows 🤷♂️
Networking limitations
I got nothing then 🤷♂️
If you can't network it then you're gonna struggle a bit
I can network over internet np but no port forwarding and no discovering other hosts afaik
I think Nextcloud might be only option
Something like ZeroTier maybe?
I just hate having to plug-in a USB on one machine, copy files over to it from a VM and then plug it into my desktop and copy to a shared folder on there and vice versa all the time
I second that
Do I need to port forward for zero tier?
Nah -- just run the service on any relevant clients
I.e. I go to uni, work on labs and then come home and have to copy stuff over 4/5 times and make sure I have the most up to date on each
Sounds like you need a cloud solution. Would it make sense for you to do something like the AWS workspace vm?
either that, or VPN back home so you can VNC into your VM
^^^
Honestly just using a single VPS w/ remote access options from anywhere 🤷♂️
Halls will limit that
Yeeee
I’ll just fork out for another vps I think
It’s worth saving me the hassle
That way I can use Nextcloud, have cross platform and web app too
Wait
If Nextcloud is an option
Why not just Google Drive / Mega / something along those lines?
Mine didn't fwiw
It’s an option but I will have to spend more money monthly
Eduroam is now blocking openvpn though for me
Halls let you portforward to a VPN server in your room?
Connect to a VPN server
Cross platform issues plus I’ve always had issues with file extensions being incompatible / janky
Puts you on the same network ezpz
Now that is interesting.
My Wireguard VPN server at home can be reached through Eduroam
That's how I work most of the time at uni
I've only tried the THM VPN
Interesting
I just use attackboxes when in uni
It's easier anyway
I don't have the luxury of attackboxes for my work ahaha
I pretty much thought that just buying another box and running nextcloud would be only solution so I think I'll just go with that
thanks y'all ((:
Wait. @burnt night I definitely managed to connect to THM in a Kali VM on my laptop from uni a while back
appreciate your comments
Me too
Like, three weeks ago
Might try it again from a different room
Was in the uni library at the time, will try a classroom
So due to limitations SFTP isn't an option right?
I was just quickly reading through and thought of Filezilla but I haven't read everything yet
If I host the SFTP somewhere else I.e. the cloud yeah
But then I still have to upload and download things
I just want it to sync automatically 😄
Probably nextcloud then unless you want to fork out for something like Dropbox or drive
im a tad confused as to what is going on but very interested
can someone pretend to explain to a 12 year old pls
wait nevermind is it just ben is having vpn issues and muir and james are confused as to why, is that it
Not even remotely 😆

Ben needs a way to sync files between two VMs -- one in his halls of residence, one at university. Halls have restrictive wireless access that you can't port forward into, so no setting up VPN servers or public SMB (unwise anyway), etc
oohh noted noted
will hamachi not work?
wait i think i misunderstand still, ignore me
Uuuhh TOS?
They're saying ELI5
I use kali linux kde edition and sometimes I experience a screen blackout that lasts about 2 seconds, it randomly happens.
The reason I mention this is to see if someone else uses kde kali and is experiencing the same every now and then.
Sorry, I use a setup on WSL2 with only the CLI for companionship
seems like something like this and that's amazing.
@quaint basin sir did u make introductory networking and nmap room?
Yes
The concepts were like a mountain for me
But slowly I climb it like a mountain goat within few days 👍
The room was awesome and clear all my concept
Thanks you sir 👍
Hi
Hello
hi
hi
hey
did anyone here actually buy sublime
really love the text editor but not enough to buy it. nano is easy to use just boring and i guess i could learn vim
nah, using VS Code.
I've never seen someone buy sublime, like winrar
it depends on your use cases but I mostly use vim & vscodium
learning Vi/VIM is one of the things that is in practically every linux environment. and, it is usually a huge productivity boost to know Vi, because the hotkeys are all oriented around never moving your hands away from the standard typing position to perform any operation
noted
Yeah but it's complicated when you don't use standard typing position...
hey im having some trouble with django. any time i insert path('helium/', include('helium.urls')), into my urls.py folder under "urlpatterns" i get an error along the lines of Python Runtime Error: Maximum recursion depth exceeded
and my webserver crashes. Its for the django room if this would be more appropriate to ask in #room-help
the log it drops is probably a few hundred lines long and stackoverflow says its because im including the url inside itself but its Ctrl+C Ctrl+V what the room says so im a bit lost :/
no linux
its okay you tried :/ thats all that matters B
Use Flask. Ez
@warped gust your room. Help 
Or @glacial nebula given you're around and kinda know a very small amount about Django
A very small amount? Am literally a django senior dev

That’s an infinite loop
I think what was happening is the main app was called “helium” and then you imported the urls from “helium” so it was infinite loop
oh i have two things called helium and im not supposed to?
noted. ill just wipe and restart, hopefully it fixes
thanks
oh wait its fawaz you changed your name. youre a django dev? Thats interesting actually
I taught django for 5 years
Muir said flask tho so 👍 but still interesting
Hobbyist projects hehe
yeah but Muir has his OSCP and CRTO. you only have every cert in existence. I think this speaks volume here. Flask
You dont use flask like Muir said so youre already behind
I used flask, probably more than Muir did lol
Big talk from someone who doesnt have a rickroll server
Have you heard of tryhcakme.com? 🤣
nah sounds like something script kiddies go to get malware. whats that site?
out of curiosity why flask over django Muir??
doesn't django use flask as an engine?
Yes
It's a lot less complicated and gives you a lot more control. I can do fuckery with Flask that would be 10x harder in Django, but Fawaz is right to say that Django makes big applications easier.
That said, there are some really big flask apps out there now
looking at flask rn and so far django is looking a lot easier :/ besides that error i had and took hours to troubleshoot ig
but noted, ill give them both a solid go
Flask is as simple as:
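```python
from flask import Flask

app = Flask(__name__)

# Map the site root to a single view function
@app.route("/")
def home():
    return "It works!"

# Start Flask's built-in development server
app.run()
```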
No fancy tools to manage different aspects of the app. It's all pure python. All your own code. All under your control.
i wish i knew python
but noted once again
fastspi 
Ive been looking at getting into the maker space to try to force myself to learn some python. robotics seems fun and python seems like a usable language for it
I wouldn't use python for anything big though
I’m looking to learn python and code wars is too big of a task for me although I have a account, and self teaching is dreadful. What do you guys recommend?
Feel free to ping me with ideas^^ I was thinking pay for classes? Idk man
I mean, Netflix and Reddit do
Muir teach me python 😐
I still think it'd make a mess
Again, the Netflix and Reddit backends are Flask, and that's just two examples 😆
Django is a lot more common in production, but it's up there with NodeJS Express
I mean I suppose for microservices, why not?
Not sure I would call Netflix a microservice, but sure 😆
I mean they split everything into microservices
like getting a show's info is a different server than getting the video feed itself
and probably a different database, etc
flask is bad, why? code is a mess
I am sure they use a flask, along side a whole wine factory of other home-made tools
never said it was bad, just that I can't figure out how to cleanly map out an architecture for a python app
and at least 30 different languages because the teams are different
I came to hate python lately
just a personal preference
I discovered my love for ruby and cpp
U vile creature ||joke||
My condolences
I wouldn't say that , not really
cpp is surprisingly awesome
ruby on rails rocks
and cpp can run on a rock , and makes more sense in some syntax stuff
U don’t have to justify liking something man, to each their own :)
yeah I'm not a fan of ruby, personally
justifying shows why the other party may consider something
also ruby on rails powers github
thats for people saying its dying
Gitlab uses ruby as well
I think ruby is a great language that was ruined by the community
if you like Ruby and C++ you should checkout Crystal. It has the same syntax as Ruby, but has types and compiles down to native code. https://crystal-lang.org/
yea interesting, i am just not gonna see it cause i don't cheat on my compiled cpp
: >
I simply wish to be a top shelf RTO so am forcing myself to learn python
Every time I have used ruby, I have been disgusted and appalled at the language design choices
so flask is cool with ya?
sun cat
🌞 
yes
Can I copy paste my own medium blogs onto my website without getting copyclaimed?
Hey there 🙂
I'm searching for a program (app) that I can use to keep track of my progress during ctfs. I know there's a lot out there. I also know this has been asked in the past, and I could remember something like "Obsidian" being someone's favourite. What do you guys use? Any recommendations?
Notion is nice but there are a lot of options, OneNote, GitNotes, Notion, Trilium, Joplin, Obsidian, and I probably forgot someone's favorite
Thanks 🙂 Havent seen anything about Trilium, yet..
Gave +1 Rep to @scarlet moth
Cherrytree for CTF notes
Trilium for your normal notebook
Trilium > *
Thanks 🙂
Gave +1 Rep to @quaint basin
Obsidian is great... until you start learning Windows exploitation
Plain text files just sitting on the disk get destroyed by antivirus as soon as you start adding any malicious code
RIP my c# sc runner
Precisely
Cherrytree uses encrypted SQLite DBs, meaning AV doesn't get a look into it
thankfully had backups so wasn't that big of a loss
BUT it gets unstable at higher node counts.
Another reason to let Windows alone lol
Trilium has the same system (encrypted SQLite DB, albeit much more efficiently structured) but has a tonne more features including things like sync and server setups, and doesn't get unstable at higher counts
note migration tho 
gpedit.msc > computer config > admin templates > windows components > windows defender > ...
Unless you're using home version of Windows, then get-wrecked x'D
Yeah, migrating cherrytree to, well, anything, is a pain in the arse
I mean, you can administer Defender on Windows Home just as easily.
just delete all the sigs easy peasy
yeah, just can't make a GPO you can just copy/paste between machines.
But if you're having to put rules into your AV to leave your notes alone then you're doing something wrong
How many computers do you have that you'd want your notes on..?
More like, how many times do you intend to reformat/reset 😄
Another advantage of Trilium
Self-hosted sync server. It's as easy as logging in 🤷♂️
Thank you so much guys 🙂
Does anyone know, how to redirect all wifi users from a specific website to another website through? I am using OpenWRT.
Why would you want to do that?
To test a phishing attack. I have Raspberry Pi 4 B with OpenWRT
I'm not a moderator, but I'd probably say that's more for #advanced-general
@patent gate If you would be so kind as to weigh in here
Agreed
Also, You're still a mentor, Jabz 🙂
Sorry Sky - We gotta make sure that folk on here aren't using the server to do anything unethical. What you are building is on the line, and we don't really know you. However, remain active, keep learning on the site and over time you can get access to the advanced channels 🙂
I am not doing anything unethical. You can visit my repo https://github/sky9262/phishEye
Phishing is rarely an ethical topic.
I want to create my own router and after that, if any user will search facebook.com or anything else using my router it should be redirected to my local ip
Just 4 Education purpose
Oh, yikes, yeah that is not an ethical practice either.
I know exactly what you're trying to do.
I'd probably suggest that you avoid discussing it^^
I think, all the topics in hacking could be ethical and unethical
Yup, but some are strictly unethical.
i know a telegram group 1k ppl
all r just buying scamas proxies
sendouts and etc.
on montly membership 
Phishing is one of those that could be practiced but there's rarely a time when you would actually use it ethically.
BrokenSyntax, when someone is told not to discuss something, you don't then go and discuss it.
until a time came
what we see in mr robot
phishing for network tower admin logins 
But yeah, as @odd acorn says. The only time it's actually borderline ethical (And that REALLY is up to debate) is as part of a training scenario, and so long as all phish are released unharmed.
@patent gate reeeeeeee
You're aware that Mr Robot is a TV Series, right? 🙂
yes 🙂
Phishing - Be aware of it so you can avoid it.
But it's a waste of your talent to actually create one
So, I won't get any help
It's useful for redteamers, but if you're a redteamer and are asking in this discord how to do it then I'm unsure how you got the job in the first place 
The moment you redirect someone in the sense you describe, it stops being educational purpose.
It's weird how often that happens ngl
Makes me think they hand out "red team" jobs in cereal boxes
Depends whose definition you go by; if we take the SANS definition, then Red Team means emulating TTPs of real adversaries to make the Blue Team better. No real industry standard for the term itself, so we get interesting alternatives. 😄
Is SQL injection ever ethical? :)))
Yes. I did it at work today
👍🏻
Also always the "within the parameters of a defined and executed red team operation"
Remember that it's not only redteaming
Pentesting, QA, all sorts
Fair
I hate my life, I hate web development and I hate programming
I just spent 10 hours writing a backend for my writeups
Turns out that the headless CMS' content creation UI only exports JSON and not HTML
so I need to write a JSON to HTML parser
Don't want to use an off-the-shelf one?
psst. It's a boy! Just wanted to share.
Nah 1) that's boring and 2) I want to integrate it with the rest of my website, thus give it exactly the same format/looks
Which is why I went with a headless CMS that has a GraphQL API
one thing is learning black hat techniques in order to protect yourself and your organization, the bad thing is that you practice these techniques.
I believe you must know both sides if you plan on actually doing something.
you can't counter the cybercriminals blinded.
I also believe auditing should be done with a mixture of "good techniques"/blackhat techniques, how do you expect to improve an organization's security by restraining yourself, you have to simulate a real "evil" attack and of course they have to agree to that.
obviously you have to make sure you don't cause any damages in the process.
there is an actual company in my country that operates this way and they state it in the "about section".
what room would you guys say "if you can complete this, the PenTest+ should be pretty easy"
The whole point of ethical hacking is that "good" techniques and "blackhat" techniques are literally the same.
It's how you use them that makes a difference.
Learning to phish + write/spot realistic phishing contexts is one thing. Deploying them yourself is another.
Tends to be fully fledged red teamer roles tho
Not strictly true. We offer it as a standalone service to pentest clients 🤷♂️
Either way though, it's one that is very rarely used legitimately
-ban 755865727029739580 Bot DMing server invites
🔨 Banned ./ythreshzin.py#5593 indefinitely
Yeah we very very very rarely have SE in scope
Oh, we very very rarely have it in scope for a pentest
I think it's been one gig so far, out of a metric tonne of others
Does anyone know any proper geo/gps trackers that last at least 3 months and do not use a sim card?
What are you tracking?
Jabba listening to Rxseboy? Niceee. I have a whole playlist dedicated to him, powfu, and sadboyprolific. And a few small others like them :).
A car
Hello you all, one quick question what if the Bot does not recognize my Discord token? You know who I can contact?
Try "Tile"
That might be something they do.
Or have a black box fitted by your insurance.
Whose car, and why
My dad wants one because a seller fcked him over and he made a deal with him about repairing the car et cetera. he doesn't believe the seller so he wants to put a tracker on it to be sure
Once the car is out of your dad's ownership, regardless of the deal, that's not an ethical use
Tell your dad to speak to the police
If your dad was treated poorly, the local action news investigative team may be a better route to social justice
You can put a tracker on your own car, but we ain't helping with it
It's not that difficult to do
What's "local action news"?
Local news paper, probably.
Well that's the issue; in my country the buyer needs to do research on the car, which my dad asked the seller to do (which is a rtard move, and I told him) and he said there was no damage. A few weeks later we found out that the car had a crash a while earlier, but was repaired in an insufficient way
Now he asked the seller to take a look at it once again, but do it right
And well, he doesn't trust him. The issue is that the seller technically did nothing illegal because he can claim he didn't know there was damage
You can literally find out the full history of a car based on its reg.
Yeah, that's how we found out
Was it a private sale?
Doesn't give you the right to start messing around with trackers 🤷♂️
Call the police
Vigilantism is never good
Two wrongs don't make a right.
However three rights make a left.
any of yall got a keychron k2?
thinking of buying one
Stay classy San Diego.™️
He'll read anything off the teleprompter, and I mean anything
hi, everyone
any tips on going back to learning cybersecurity or in general? fell into a slump and been binging social media all year.
Figure out why you wanted to learn. Repeat it. Personally I do little things and think about a cyber application. “Wow I wonder if this self checkout is vulnerable. Let me look up the software version so I can report it if it is” type of thing
hello, welcome to the TryHackMe discord.
How do you guys deal with burn out? (without taking a break, I don't have that luxury) I'm at that point where I feel like I'm spinning my wheels and getting nowhere fast.
Take breaks. Daily ones at minimum. Do not work for extended periods of time.
Yeah and try to think clear for a moment
Focus might help as well. Do not try to cover everything at once.
Remind yourself to up every hour
One of the reasons I use the pomodoro method for managing my workday is the frequent breaks
This is a good one
hello hacker peeps
hi
thy fellow hacker is not verified, why?
shhhhhh you are too loud
oop
purple gang
whats going on!
Purple gang, but I wonder if I am really entitled to this title lmfao
bro, if they gave it to you take it lmao
how do you get gang-affiliated
first you need to be verified
weird, probably just have to logout and back in again
Nah roles sometimes take time to appear. To my knowledge at least that’s possibly the reason
ah, that makes sense
ty
It was instant for me though
should be instant
That's what I was under the impression of
My name took a few hours to get changed.
Mine happened instantly when I reverified for the subscriber role
ohhhh thats what it is
im not subscribed yet
There it is
Happens to the best of us 😅
watch todayisnew yt on his daily routine
anyone participated in @hack
hello does anyone know how to connect to a physically remote computer? I am using Ubuntu and try to connect to another Ubuntu machine with ssh username@ipaddress but looks like it's not that simple.
The target system will need to have an SSH server listening for the connection
And if there's NAT in the way you'll need to deal with that
how do i turn the listening system on from the target system? thx
Gave +1 Rep to @burnt night
Now that sounds like a google question
ok thx
love the pomodoro method! i combine it with focus mode on my phone and some ambient playlists on youtube to force myself back into productive mindset.
What's the difference between AD and SCCM?
AD for communicating and permissions and SCCM for software?
yeah kind of... AD is a lot more than that
if you aren't sure what AD is, I'd just go read some Microsoft docs on it
when you say AD you mean Active Directory?
Yes
ello
I’m having some issues with Firefox and I’m not sure what to call it so I’m having trouble using google for help if anyone can at least let me know what it’s called? When I click on a different tab it I see a weird mixture of the tab I’m switching to and the tab I am switching from and it won’t load unless I switch tabs again multiple times
Quite aggravating 😐 a fresh install didn’t help. Not sure if the issue is Firefox esr, my vm, or kali.
You have to be militant in this field. All jokes aside
Discipline is how to avoid costly mistakes
Sounds like an issue with performance tbh, can’t load the full tab in time or something
Check ur drivers for everything
download firefox latest version not esr
Finally finished my maths exam
spent 180 minutes on a 100 minute exam 
It had vague af questions like drawing the income distribution of a country
That's literally what the question said, nothing more
I could've done it using standard deviations and averages, graphs, charts
relative, cumulative, absolute, frequency based, etc.
so I just drew a class based frequency bar chart 
Did you get the result of said exam? or do you have to wait?
Nope. I'm probably getting it this week
I'm expecting at least 70% but I'm incredibly triggered about those vague questions
Absolutely nuking the score (probably)
What's your passmark, 60%?
Will you get penalised for taking longer?
Nah, I got some physical issues while writing on paper so the principal gave me permission to take as long as I need to see how much time I need extra for the finals
That's good of them, in my class if you have Dyslexia you get an extra 15 min(s)
Noted
Esr comes default with kali I just keep it 🤷♂️
https://www.humblebundle.com/books/hacking-by-no-starch-press-books does this look like it's worth a buy?
Yeah, it looks pretty good. I've got 3-4 of the books already and they're great.
No Starch tends to be pretty good
malwaretech is looking for people to test some rev challenges hes making, said so in his discord. Just a heads up
oh dang, I wonder if they updated black hat python, got that a long time ago
o dam, I got first edition, that's second, and came out this year. I think this is a buy for me

its python3 I think
Would be pretty sad if it wasn't 
wish there was an update to practical malware analysis, from 2012, but oh well
yeah that happens with AoC
so basically this
pretty much
Oh
I saw OllyDBG - or whatever it's spelled like - in description of that book so I was like "hmm this book isn't from 2011. it's made by outdated people like with the buffer overflows tutorials"
It's a good start with malware analysis.
I say this as someone who's worked through many of the challs and read a lot of it
pog
hii
Hi
hey
Lookin >> 2 it & def enjoy the learning. 🇬🇧 🇳🇵
God damn he really wanted the top of the month spot so bad
1056 points in two days
Who @dusty sleet
damn
Changes to the OSCP exam structure are coming soon.
These changes will better reflect the current PWK materials and, most importantly, the skills needed to be a successful information security professional in today's landscape.
Learn more ➡ https://t.co/ozwZxCAZau
🧐 🧐 🧐
TL;DR: They're being transparent about the exam content and points, and they're adding a domain controller with 2 clients as part of the new exam
Who's behind this aggressive activity 🤔
Hi
hi
Hi
Interesting
^
I mean
there is a room that gives 3000 points I believe
I can confirm theres one with 1500 but would need to confirm the other one
which one?
@frail rapids how did you get the countdown 👀
the one with 1600 is https://tryhackme.com/room/ccradare2
don't use THM to grind points though
use the platform to learn and earn those points
I dont think it will contribute even 500 to the monthly points
Ah like that.
Yeah it would only contribute 25%, so 400 points, but it was released more than a month ago so it doesn't count towards monthly points
Woah 4 screens what what what
grats man
Do "rooms in "get less by 1- time 2- changing room content 3- sth else ?
I believe the rooms in might use only public rooms as a metric
Why are sockets part of the transport layer?
Shouldn't they be in the application layer because it's used in the software?
Or they may have left some rooms
Because they provide a service used by app layer
Read this ^
ok, thank you
Gave +1 Rep to @twin ridge
reading now, thanks
there's a token on your Tryhackme profile, DM the @deft fossil bot in order to set it
think of sockets as an instrument that connects the application layer with the transport layer, they are as if they were in layer four and a half
done
there ya go
thank you for your help, I appreciate it.
np
Sweet
there's a #870288406054334465 btw 🙂
thanks
Gave +1 Rep to @twin ridge
!
I picked up an advent calendar the other day and it's the best thing ever.
hey mates, im new to this world and ive been looking for some help regarding remote access to the labs from my own testing environment, im not a complete noob, i play with tryhackme/htb/BTLO for a couple of months now, if anyone has some time, how can i have GUI remote access to, for example, tryhackme's windows challenges? because i cant ssh on those
Either THM's in browser access or the RDP protocol.
The room will have instructions if it's a walkthrough
thanks a lot, so i cant use RDP for every room i join?
RDP needs to be enabled
You need creds
i see, okep 😄
First look at Ameca , most advanced humanoid robot from @Engineered Arts Designed as a platform for AI and human robot interaction (HRI) . Will be on show at #ces2022. For more information check
https://www.engineeredarts.co.uk/robot/ameca/
#robot #humanoidrobots #ai
This is going to be shown at CES 2022
This is the most genuinely creepy android proof of concept project I think I've seen...
the eye tracking is probably the scariest part
It is and it's also really freaking cool!
It's amazing! The movement and everything is super smooth
It also gives me really strong "I Robot" vibes tho lol
I totally want to work with robots
Between these guys and boston dynamics, some cool robotics stuff is being done
Machine Learning/Virtual Intelligence would need to come a little bit further before working with these kinds of robots would be possible. Well, 'possible' already probably, 'productive' is another thing
I can't wait for more sophisticated VR systems
but above all like household helper robots like in the jettsons
inb4 detroit: become human is a little too close for comfort
when searching using / how can i cycle through the matches? Any key i press seems to end the search rather than iterate through them
no that just types n into the search
Thank you anyways
👋
CTRL + i should go forward i believe and then i think CTRL + o goes backwards?
If not, try CTRL+ p and CTRL + n
@mortal venture work?
none :/
Assuming they're using Vi/m
Searching with / you can advance with n and go back to previous with N
okay i realize my mistake and once i did a quick google search answered me..... I was asking how to use it in firefox but i have also been wondering this too so thank you
quick find in firefox. idk why the hotkeys are diff between linux and windows despite being the same browser
the answer was F3 and CTRL + G
See, mentioning what you were using would've been helpful. Everyone assumed you were using Vi(m).
i realized that yes
When I do Tab+Enter in bash, it freezes and I don't know how to get out of it. Does anybody experience the same thing?
I guess it's tab that's borked.
Now I get it. It's trying to do tab completion.
Please I don't know how to fix this issue. The attackbox is not displaying
@snow rose enable cookies in browser
Okay
Ello
So what I don't understand is, why do ISPs not focus on improving the ping
like wouldn't that make the web A LOT faster
They do.
But latency and throughput are both important
Are you talking from a gaming perspective??
I mean, they can only do so much...we all know what happened with the recent battlefield games right on their release....if the netcode sucks, then there's nothing the ISP can do unfortunately.
Big difference between throughput and latency.
latency isn't THAT important for most internet tasks
although I've had a case recently where an aggressive timeout coupled with extreme distance would cause a CORS preflight to fail
that was cute
No. general internet use
Say you're doing synchronous communication with small file sizes like JS files and web pages, the biggest bottleneck would be the latency because it's not like you're gonna need 110ms to download a 11kb file with 100mb/s
my wired issue arrived today. Morpheus is on the front cover
I can't wait for the movie! 19 days!
Congratz on your new role as trial mod 👏 😊
That's more of an application layer problem. HTTP/2 already does a lot to address this.
Can anyone tell difference between
Attackbox and kali machine ?
Attackbox is kept up to date, has files for THM rooms often, and is designed by THM for THM, and it's ubuntu
Kali is kali
So we can use attackbox for room
When using kali we will have to use openvpn to connect
Am I right?
Not for THM Kali
And not for THM networks
If you're using your own machine, virtual or not, you'll need the VPN.
If I start use kali and kept new files saved in it
Will still be there every time?
Or it will be reset everytime I start a kali vm?
As long as you don't use a live image, they'll persist.
Or more precisely: As long as you install Kali locally, they'll persist.
Let's get ya'll
minor bug in introto86 room
input field expects input but can be bypassed without one
Just so the proper people see it
hello, im having an issue starting my attack box to complete day 4. it says i can only use it an hour a day but this is the first time i’m logging on. any help?
This is probably a question for #site-support
thank you
Gave +1 Rep to @tawdry dove
I'm not sure how the attackbox keeps track of time but for streaks the time rolls over at midnight I believe
after refreshing the page the answer appears
I can't stop thinking about how a star shape is a quintagon with folded sides
nice star, I know
for some reason it boggles my mind 
Worried about election tampering? You might be looking in the wrong place. Dexter Thomas hung out with hackers in Las Vegas and an election official to see where the real threats are coming from.
I love how all the hackers are geeked out together over one laptop screen
hello
hello
Hi
o/
hi
you mean pentagon
Hello
I remember a THM room having a command to clean out /etc/hosts file , does somebody have it by any chance ? 😄
File inclusion?
Upload vulns but it was only for entries added in that room
Aye, the one in upload vulns just deletes the last line @radiant jacinth
Alright thank you 😄
Muir what’s your pfp from? Mesmerizing
Just a modification on my normal one
I made the normal one. Bee modified it for winter
I've just rooted toc2, it is by far one of my favorite initial foothold + privesc method 😄
very fun one though
how to scan the 65k ports without writing --range 0 -65k in rust scan
might do it in a year or so
-- -p- I guess
Pretty sure it does it by default if you don't specify ports.

okk ty both
I will downvote myself and get back to maths
I have to go back to math tmmrw
Math ezpz
math take so long
and need focus
which are 2 things I don't really excel at managing
close discord :p
who made this room ?
on desktop it doesn't at least as I can see
Desktop
sorry my bad didn't open the more section
yall need this https://youtu.be/Qz82KHieDBU
maybe not but still...
-8ball watup
Yes
this looks intresting https://you.com/
"congrats you are another new product! your browsing habits are now going to YA3P!"
ya3b as in ?
surprisingly cli r2 commands are intuitive
as somone who didn't know the 86 asm nor radare
radare2 room should be done before the 86 room or there should be some other room to be referenced before both
so I am doing r2 room and using izz to print all strings as ss below, but the string that is required is not present w izz, what should I do, Ive tried seeking last memory address w s addresss then s+ then izz but no luck
nvm I analyzed wrong bin lol
how would I know which after which in memory ?
Wouldn't these be better in #room-help or #room-hints ?


