#breaching-ad
I found some nifty python scripts that leverage full capabilities of impacket. Little bit of magic and I was in....
Such a magic CVE. Almost like the new certificate template CVE where you alter the DNS hostname attribute. Well done!
Thank you. Apologies for reaching out of scope. It's not every day I get a chance to throw some stuff on the wall to see what sticks lol. Looking forward to your next release
Gave +1 Rep to @dense cedar
All good, as long as you don't disrupt the network for others it is fine. Also better to do that on THM network than on a real assessment
I think they should be fine. You're absolutely right.
Hey guys I am still having a bit of grief with DNS and password spray with python.
To begin with, regarding the DNS: I am running this from Kali, and IIRC the IP address should be set via the network manager to my VPN IP address from tun0?
Also I was wondering if anyone else has been having issues trying to run the python script. I have tried with the python and python3 commands and both error out.
There is a section in Task 1 that explains how to configure the DNS in kali. You can follow those steps. Verify that DNS is working before you try the rest of the room.
In terms of the python script, "error out" is not very descriptive. If you provide more details that would help. However the python script will not work if DNS is not working, so that is step one.
Ahh fair enough, I am just reviewing the instructions again on the site and in regards to the python script error, in which I do believe that you are right and it's most likely to do with DNS issue that I am getting.
Also when I try to run an NSLOOKUP this is what I get
It's probably something really obvious that I am missing right now
Yeah, those timeouts occur cause of DNS not working
This tells me that your configuration of DNS is not working, since it is still using your home route as DNS source (192.168.1.1). Can you provide the steps you took to configure your DNS?
ahh I think I got it now, just had to restart the network manager daemon hopefully
ok all good to go, thanks for your guidance @dense cedar!
Gave +1 Rep to @dense cedar
Perfect! Good luck with the room
I think it's the resolv one you told me to do. It seems sometimes you change the settings, the nameserver doesn't change from 192.xxx.xxx.xx and I have to do it manually every time I boot up the VM, which isn't a problem.
Hi
I've been battling DNS on this for 3 days. I tried manually entering the server using nslookup and it doesn't connect. I also can't ping the server.
root@ip-10-10-189-124:~# nslookup
server 10.200.52.101
Default server: 10.200.52.101
Address: 10.200.52.101#53
za.tryhackme.com
;; connection timed out; no servers could be reached
tryhackme.com
;; connection timed out; no servers could be reached
10.200.52.101 is listed as THM DC
Is this room working right because I see other complaints. I am using the Attack Box
It worked for me the first day or two that the room was up and hasn't worked since at least Saturday
Are you using your own Kali machine? I've seen that on some versions of Kali this happens but the attack should still work. Just the output that doesn't
Hey! If you can't ping the server then it isn't a DNS issue, I think it is the issue that you are currently placed in a subnet different to the one in your room. So your VPN profile is connecting to the wrong instance. Can you please, terminate your attackbox, regenerate your VPN file (Profile -> Access), then boot the attackbox again, and then retry ping and tell me what happens?
Even if the output does not display, the configuration should be good. Just continue with the rest of the steps and try to get the connection
Yeah I got that issue am03. Tried to delete and add the default route back with a && to the tun0 if. Attackbox didn't like that.
Hi, I used the AttackBox and did nslookup. It shows that the server cannot find za.tryhackme.com
Amy try killing the attackbox instance, regen your ovpn file on Tryhackme, and restart attackbox after 30s
That fixed it for me
Attackbox auto pulls your ovpn config from the THM website
oh, ok. Thanks, Dad! I checked the connection. It was ok. I finally got it to work and have just completed task 3. It took me a while to find the IP address for DNS in the config file. And, it's just right there on the page. LOL
It's fun once you completed the task
I got dns working and now it doesn't work anymore. Is it this hard to use computers
@plucky mist
thanks
try run the dns reset command again, sometimes it resets on the attackbox for some reason
Also just make sure you can ping the actual DC. If you can't that is either a VPN issue or just that the network went to sleep
Yeah i think it went back to sleep, i had to refresh the page to be able to click on the start button, hope this fixes my issue
For the responder task - how long on average have you had to wait for an authentication/event capture? I've had responder running for over 35 minutes and nothing yet. I can still ping the DC and other boxes, just not getting any responder traffic.
Should be 15ish minutes tops. Can you send me your VPN file so I can do a quick inspection?
Will do, in transit at the moment, will send later. Thanks
I'm not getting a challenge either
Can you send me your VPN file and i'll quickly take a look?
It's working today. I was and am currently using the THM attack box. I did the profile/access trick that you suggested. I noticed that the THMDC IP is different today (10.200.4.101 instead of 10.200.52.101).
Does the "Access" profile impact the THM attack box or is that only for OpenVPN?
Thanks @dense cedar
Anytime. It does impact the AttackBox. All the AttackBox does is through an API call it requests your VPN file from your profile and automatically run the OpenVPN command for you. Just to make your life a bit easier
But for that same reason, if your VPN file is broken, the AttackBox will pull a "broken" VPN file. You can actually search for and find the VPN file that your AttackBox pulls. It has the same name as the one you get when you download it.
Hi
$ sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"
and then I do
$ ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
I do have PLAIN and LOGIN but I can't remove the GSSAPI for some reason. Any hint on what is going on? Because of that, when I do test connection I receive the GSSAPI method, not the plaintext user/password
On the Kali Box it works as planned, but not on my personal box (ubuntu 22.04)
and you definitely have the same contents in the olcSaslSecProps.ldif? If so I'd maybe check slapd and ldapmodify version numbers? May have different behaviours
yes same content
I know the file by heart now, I've tested it tens of times
task 5 no juice. Tried twice with fresh attackbox. Maybe I try with my Kali next
did you check if you were using the right interface for responder? might be eth0 rather than tun0 in some cases
Yeah I had my personal Kali box running responder for a few hours last night with no capture from task 5/Authentication relays, tried with the attackbox as well for an hour or two with no luck, sounds like I potentially fall into the broken ovpn file. Anyone in particular i should ship the contents of that file to? I haven't tried again today.
The same problem
Which subnet? Same question for @hot swallow too
my host is on 10.50.18.x, THM machines are on 10.200.20.x
im getting errors when running responder
error starting tcp server
error starting ssl server
etc
"check permissions or other services running"
any ideas?
i get that when trying tun0 and eth0
Same problem as @unborn mountain and @hot swallow
damn
is it possible i can get the username and hash so that i can move on with the room?
by DM maybe
My Host is 10.50.25.x Machines on 10.200.27.x
@flat scaffold you have services/other things running on those ports already, so responder isn't going to start a listener on those ports
slapd?
ill stop slapd and try again
maybe youre right
nope still getting the same problem
could someone maybe DM the username and hash for that task?
task5 that is
ill try it on a new attackbox and see if that does anything too
Nope. still same issues
Even tried if on a kali virtual machine and still no luck
responder task is not working. I'm giving up. restarted the network and tried with kali and attackbox. waited approx over 1 h.
dislike this task
@prisma thorn I understand your pain going through the same with that Task 5
I had to find the answer on a youtube video in order to finish it
can anyone help me with DNS. I did everything but still it isnt showing the IP of DC
Im using my own VM (Parrot)
Hey, can you please send me your tun0 IP so I can take a look for you?
Does Parrot use Network Manager?
@wispy tulip Network Manager -> Advanced Network Configuration -> Your Connection -> IPv4 Settings
Set your DNS IP here to the IP for THMDC in the network diagram above
Add another DNS such as 1.1.1.1 or similar to ensure you still have internet access
Run sudo systemctl restart NetworkManager and test your DNS similar to the steps above.
Yeah I did that too, I tried both ways
Can you perhaps ping the DC? Just to confirm network access first?
Yeah I could
Hey, we have an issue with the VPN keeping DHCP leases too long we are trying to fix. If you still want to try it pop me your VPN file and I'll do a quick fix for you
Mmm, okay, then it is a DNS issue. I'm not familiar with parrot's configuration, only did it in AttackBox and Kali. What is currently in your /etc/resolv.conf file?
Not /etc/systemd/resolved.conf, /etc/resolv.conf
I want to try another DNS method in parrot
Can you remove that first nameserver or move it after the second one?
Excellent! Issue is DNS servers take precedence in that order. So it would never hit that second server. Just note that file might revert back at some point so just keep an eye on it
thanks @dense cedar
Gave +1 Rep to @dense cedar
Weird I was just about to post about this. What error are you getting? I found that the bolded section mentioned the VPN IP (10.50.x.x) was very relevant. Make sure to use the correct adapter with tcpdump
If you did, TCP dump might have screwed you up
I struggled with this for a while. The bolded section and choosing the right adapter worked for me. ||It was not eth01||
yeah I did all other tasks in the room, been trying responder for a few days now, reseted, switched network, tried in attack box tried in my own machine nada
I don't think I caught a freshly reset network (thought it did reset while I was asleep), so maybe it's something that stops working after a bit?
If you send me your VPN file I can maybe take a look for you there if the responder task is working.
In terms of LDAP, that should work 100%. If it doesn't, should perhaps do a network reset
Thx appreciate it. Will do later when I have a minute. Just 2 more hours before I see if the new reset will work
Hey guys, i have a question. i connect with the breachingad.ovpn but i can't connect to the http://ntlmauth.za.tryhackme.com website. What is my fault?
i use Firefox
Did you add the AD IP address as a DNS resolver?
ohhhhhhhhhhhhh, ok i forget
I completed the room in the end. Thanks very much for replying though
Gave +1 Rep to @dense cedar
I've tried numerous times with numerous attack boxes, both local and on THM, and still cannot get the NTLM hash for task 5. DNS is working. I've let responder run for an hour. Still no luck.
Pop your VPN file to me please
@dense cedar just got the challenge, thanks a bunch for your help!
Gave +1 Rep to @dense cedar
Messaged you it. Thanks!
Gave +1 Rep to @dense cedar
Could you help me please? I have the same problem with task 5.
Sure, just send me your tun0 IP and VPN file and I'll take a look
I am using the THM AttackBox
Please go to Profile->Access and download your VPN file there and send it to me. I need it to confirm the network I'm patching
Ok... I will do that
Hi all, the permanent patch for the responder issue is being deployed. VPN service may drop for the next ten minutes. Apologies for the inconvenience.
The responder did not work for me in this room, but it's possible to get the user credentials from Task 5 using the data from the other tasks.
Should be working. Patch is going live now. In the meantime, can you DM me your ifconfig IP and vpn file?
TL;DR of the issue was that the DHCP leases were active too long, meaning the IPs went out of range. This is why the patch is on the VPN server and they are rebooting currently
Thanks for the reply! I would, but I can't
Gave +1 Rep to @dense cedar
Any specific reason why you can't?
Discord does not let me, maybe I need some discord role idk
If you click on my user, there should be the option for direct message
I just got the hash using responder on local machine interface tun0.
Perfect! This should mean the patch is working. We are pushing it to the primary template as well, so the issue should now be forever resolved.
Perfect!
When running responder on a real network, does it break things? I mean, will a user experience problems?
If you're using your own machine, add the IP to /etc/resolv.conf file and save it
It did the trick for me
Add the DC IP as the first entry. I had similar issue
So just switch them?
yeah
You dont need to restart systemd-resolved once you edit that file
I figured I'd try everything
Hmmm idk then
Indeed yes. So with LLMNR poisoning, you force them to connect to you instead of their intended connection. So yeah, they will start to complain. I'm pretty sure there are some configuration changes that you can make where it is less disruptive, but if you are running this on a real network it is not very stealthy
Can you please confirm that you can ping the DC?
Quickly pop me your VPN file, I just want to check one thing
That's not the DC IP? DC IP should end with 101?
Where should I see that?
The network diagram should show you the IP of the DC
Yeah, this is not your DC's IP, that's your VPN IP. Look at the network diagram for THMDC, that's the IP you want to use
Perfect, that is the IP you should add to resolv, not your VPN IP
Gave +1 Rep to @dense cedar
All good!
Happy to report that the latest patch seems to be holding stable. Responder issues should now be a thing of the past. If you do experience issues, please post a message so we can investigate
Hey all -
I did a full walkthrough/teaching in 2 parts on this network. I hope you find this helpful
[Part 1] - https://www.youtube.com/watch?v=Qg-yriM3mBg&t=3155s
[Part 2] - https://www.youtube.com/watch?v=1gq_qNog8Ts&t=912s
This is a recent live stream from the "Hack Smarter" Twitch channel (https://twitch.tv/hack_smarter). In this stream, I begin working through the "Breaching AD" room on TryHackMe.
We cover the following topics:
- OSINT and Phishing
- Python Scripting
- NTLM Authenticated Services
- LDAP Bind Credentials
- Authentication Relays
Enjoy!
-...
This is a recent live stream from the "Hack Smarter" Twitch channel (https://twitch.tv/hack_smarter). In this stream, I finish working through the "Breaching AD" room on TryHackMe.
We cover the following topics:
- Exploiting a PXE Boot Configuration File
- Utilizing Microsoft Deployment Toolkit for hacking (MDT)
- Decrypting the password...
That's awesome!
for me nslookup says cant find the server, using attackbox
Verify whether you have added the domain controller IP and not any other IP
added THMDC's IP
Can you ping the DC?
nope
Then the network is not online? Did you press the start button?
Or the IP for the DC is incorrect. What is your subnet?
And please verify that you have a tun connection with ifconfig
127.0.0.53, clicked start, network state: running, ifconfig>running
127 cannot be the DC? The DC IP should start with 10.200.X.X. What does it say in your network diagram?
10.200.51.101
Is this the IP you configured for DNS?
yes
What is your tun0 IP?
Also, can you please run find / | grep ".ovpn" and then cat the breachingad.ovpn file and send me the internet facing IP so I can check from the VPN server
hey guys, I keep facing this error after the dns setup when I try to connect to the AD new rooms on thm (Breaching AD/AD enum)
sudo nslookup thmdc.za.tryhackme.com
Server: 192.168.79.99
Address: 192.168.79.99#53
** server can't find thmdc.za.tryhackme.com: NXDOMAIN
any solu?
Are you connected to the VPN for the room?
& applied the DNS settings.
yes and i can ping the DC
yes but it doesnt want to work
I don't know what I am missing here
did that, then uncommented the dns, and I added the thmdc ip there, then restart, then nslookup
but nothing
this
The room has a countdown that says "3 days of access left". What is that about?
Done! Today I setup the responder and later I got the hash.
You are placed in a subnet for 3 days. After those three days, you are automatically kicked from the network. However, you can just click join room again. We do this so we can kick inactive accounts, meaning we need less active networks
Thanks
Gave +1 Rep to @dense cedar
This is excellent news. I'm pretty sure our latest patch is the one that will stop the responder issues permanently. So it should be a thing of the past after the network base template was patched last night.
Great news!
Absolute banger of a room, day by day I get more interested in AD
As long as you are not disruptive to other users on the network. Go for it. There are a couple easy ways!
Thanks for the lovely feedback!
Gave +1 Rep to @plucky mist
i see that everyone have issues with /etc/systemd/resolved.conf when putting DNS IP there
for me also worked only /etc/resolv.conf
no restart needed
Responder is pretty cool- it will listen for everything;). Here it captures ldap and NTLM hashes. Some assembly required, batteries not included, ymmv;)
Thanks @dense cedar Great AD room! and I've done a lot of them. I was successful the 1st time on MDT but wanted to rinse and repeat- tried many things short of restarting room -keep making PS bleed red- do you know the cause?
1st time was no issue and dumps creds as expected.
Completed this room. It brought up new things to think about and new tools. Thanks for setting it up. @dense cedar
Gave +1 Rep to @dense cedar
Glad you liked it!
So the PXEBoot script is not the greatest. Also why I have us do the steps manually in the room. In essence the issue is that it is trying to mount the WIM boot image twice.
In order to "redo" the steps, the best approach is to create a brand new folder for yourself under Documents and perform the steps there again. It also helps just to exit your current SSH session as THM and SSH back in again, clearing all environment variables.
If that doesn't work for you, let me know!
Glad you liked it!
Responder is quite the tool to have in your pocket when you do an assessment. However just be aware of two things:
- It can only intercept challenges on the LAN, since it uses LLMNR (or equivalent) poisoning and for everything not on the LAN, DNS is usually used.
- It is disruptive. If someone is trying to connect to a service, this will force them to connect to you. So be mindful not to just run it unattended or for prolonged amounts of time. Otherwise you might get an angry client call.
@dense cedar thanks again for the great lessons and answers to a couple "mysteries"
Gave +1 Rep to @dense cedar
The reason we don't recommend this is because /etc/resolv.conf is often overwritten by generated values from the contents of other files (like /etc/systemd/resolved.conf). On the attackbox this would happen every hour or so, and you don't want to lose DNS an hour into the network
Yeah, but otherwise it just doesn't work
On what OS?
Just a review/ feedback of Enumerating Active Directory and Breaching Active Directory:
It's great having those chunks of AD machines to play around. Learnt quite a lot of new techniques in Breaching AD, hopefully we can expect more of those later (if that network is updated). Content was to the point and precise.
Meanwhile, I expected more from enumerating AD network, more of LDAP, powerview, and sql server enum as well, cross forest enum and so on,
Likely, you have promised plenty of new networks - like enumerating AD for weaknesses, I'm really excited for that. You've done awesome work and I can't wait to pwn them all.

@dense cedar another happy user ^ (:
Thank you for the feedback! Really appreciate it.
I think one of the problems with AD is it is such a massive "thing"
So my hope with the five networks/rooms that will be released is to cover AD101 from red team's perspective. Working through breaching it, enumerating it, exploiting it and then deploying persistence. Even with five networks, we are only really scratching the surface. So the overall goal is:
- Introduce users to the wonderful world of AD hacking
- Get them comfortable to explore new AD concepts and not just have everything be completely new to them. That thing of converting unknown unknowns to known unknowns that they can now explore themselves.
Then, once we have established a good baseline, we should be getting ready for AD201, the more advanced module where we can focus on some more niche things.
I would love to hear your feedback again about AD101 when all five networks have been released, if you feel that gives users at least a good foundation to start with.
Gave +1 Rep to @young hinge
So can someone help me with breachingad's password cracking part
Nvm
so this network will be inaccessible for me after "limited time"?
You just rejoin the room.
all progress will be lost?
Because the networks are constantly running, if people are inactive it will just remove them.
ty
Gave +1 Rep to @wooden minnow
Are the new rooms still coming out weekly or...?
It looks like the 3rd one is out
Hopefully the 4th is out before next Sunday
oh and there's a 5th
Well, my OSCP is next Sunday so oh well
Thanks for putting these together!
I have completed the room but just curious how can i escalate and get a shell on the DC? did anybody try to get a shell on the DC?
Fourth one should come out bit later this week. Fifth one next week. In terms of OSCP, I think the fifth one (persisting AD) will be the least important. Good luck with your OSCP!
One or two of the users escalated their privileges there. There are a couple ways you can do it as long as you don't disrupt the network for others. Breaching AD was just about getting the initial breach, not a full compromise. Full compromise will come in Exploiting AD
Thanks!
Gave +1 Rep to @dense cedar
Were you able to solve this python error?
Looks like they just needed to sort DNS
If you get that error, it means your DNS is not working. So once you fix your DNS and can run nslookup za.tryhackme.com then the script should work
Thank you! Of course I wouldn't disrupt the network for other users. I did try some techniques and it turned out that only 1 user is able to access only the smb shares on DC. I also dumped and analyzed AD information with bloodhound but still no luck. could you give some pointers?
Gave +1 Rep to @dense cedar
a user has gotten DC and even posted the blog/cve they used for it in this channel
Thank you!!
Got it! CVE was enough of a hint. Just popped the DC. Thank you both !!!!
Yeah just check the history of the channel. The DC is fairly outdated
Ah was just typing that message. Glad you got it!
Very fun room. Thank you @dense cedar. AD Enumeration is next.
Gave +1 Rep to @dense cedar
Yes, the hint of "CVE" was enough from Zeeshan1234! The first CVE that came to my mind worked like a charm and gave system access on DC.
yeah, are you stuck?
Do we do the breaching-ad before enumerating-ad? Feels right order
Think of the stages of pentesting
You enumerate before you breach, right? (:
You're spot on! Keep thinking enum is post breach. I am sorry for asking such a lame question
Not a lame question at all
You're both right here. You can enum, breach, enum, escalate, enum, and repeat until you're Domain Admin and have all the info.
Hi there, I am getting "Connect Request Failed" when doing the tftp command in task 6. I see that this has been mentioned here before, but it just suddenly started working for those people. I can ping the MDT server from the JMP Server. Does anyone know the solution, or should I just let the room timer run out and have it reset and hope for the best?
you should also specify the network instance you're on, so others can check if something's wrong
Sorry, not sure what you mean by network instance? Do you mean the VPN fi
if you mean the IP range, then it's the 10.200.25.x range
Hi Guys, I am trying to configure the DNS settings on my Kali VM, I changed the IPv4 Settings to the IP address of the THM DC, but when i do nslookup on thmdc it returns NXDOMAIN?
Hey there, can you run cat /etc/resolv.conf please and send results here?
If you get "Connect Request Failed" there can be a couple of reasons:
- TFTP uses names as security, so if you specify even one character wrong it will just say connection failed
- The TFTP server might have rotated the valid BCD file names. Just go back to the website and confirm the BCDs there
- The TFTP server is having a bad time - This should be unlikely, but if it happens best is to reset the network
If the issue persists, send me your VPN file and I'll take a look later, just currently busy with client calls.
Got it to work, had to put the DC IP at the top of resolv.conf!
Perfect, that's usually the issue
Thanks, The network has just timed out and reset, so I will take another look after lunch
Gave +1 Rep to @dense cedar
It appears to be working now. Had to regenerate my VPN and revert my Parrot OS box back to a known good snapshot, but all good now. Cheers @dense cedar
Anyone had issues running the ntlm_passwordspray.py on their kali machine?
It throws python errors. I've tried in python2.7 and 3.9/3.10
Could you show the errors plz? You'll have to verify to send screenshots
!docs verify
Try removing the quotes around http://ntlm
You should use python3. That first error I'm pretty sure occurs when your DNS is not working 100%
Can you run nslookup ntlmauth.za.tryhackme.com and see if that resolves?
Seems like dns is good. Just the script that fails on me
Try a different version of python 3
I've tried 3.9 and 3.10
Anyone know what the attackbox uses? I'm not at my pc right now
Well I got it to work on the attack box. But now the ldapmodify command fails on my kali box too
Is there a plan to get this room updated to use the latest tools?
Yeah I know… but it seems like it's not really compatible with the latest build of kali. Like it only works on the attackbox
No I'd like to be able to use my own machine so I have all the tools setup on it that I'd need
I did the room in my up-to-date kali
I even built a fresh box last night just in case I had some misconfigurations over time and I'm still getting errors
Maybe the pimpmykali script had something to do with it
What is the latest error you're getting?
The pictures above
Yeah i ended up just doing that part on the attackbox. I moved back to my box to do the ldap task and the 2 pictures above is what I get
I also noticed I never got the option to choose MDB as the ldap database.
sudo apt-get update && sudo apt-get -y install slapd ldap-utils && sudo systemctl enable slapd
Did you run that when you weren't connected to the VPN?
No I've been connected the whole time
Do you have a separate connection so you're not not set the DNS to the DC?
So I need to take dns off for that step?
I mean it went out and downloaded slapd just fine
I guess dns stopped working. Had to restart network manager again
If you rebooted your VM it would have.
Not stopped working, but reset to your own settings in /etc/resolv.conf
Nope just stopped. It's weird. I restart network manager and it works then randomly stops
Now it's back and the commands go through but the output of ldap search shows nothing about supported mechanisms
We cater for the AttackBox since that is what THM provides. We can't cater for every OS and version out there. All attacks in this room use the latest versions of all tools, with the exception of the ma.db attack, since the script required to decrypt the password uses a legacy package that is not available on python 3. Such is the life of penetration testing, some tools will require you to use legacy software and part of what makes a great security tester, is someone who can adapt to this and get their tools to still work.
We do support the most up to date Kali, but this is secondary to the support we provide for the AttackBox.
For your python issue, reading the issue it seems like your hashlib does not support NTLM authentication, which is used by the requests library. So you would probably need to upgrade your version of hashlib and ideally requests to get it to work.
With regards to the ldap passback attack. Again, it supports the latest version of slapd. If you follow the configuration procedures, you should be able to reconfigure your slapd to become a malicious ldap server. Once done you can use the ldapmodify command to downgrade the communication spec of your ldap server.
In terms of the ldapsearch command not returning output on which authentication mechanisms are allowed, this seems to happen exclusively on some versions of Kali. However, if you read some of the messages on this channel you will see that your ldap server should still work for the attack if you did the configuration correctly, even if ldapsearch does not show the authentication methods.
I would highly recommend you search this channel should you encounter an issue, since there has probably been a solution for most of them.
It did work and yeah I'll start searching first. Rest of the room went without issue
Academic question about Task 5 (intercepting NetNTLM w/ Responder). When you poison authentication requests, you break the client's ability to access the legit service. How long does this happen? Does the client ever flush their request cache so they will eventually be able to access the legit service?
Indeed yes! So this type of behaviour may be detected.
IIRC, this would occur as long as responder is running. Remember even if their cache is cleared, once they make a new LLMNR request, responder would still intercept it.
Now I may be wrong because it has been a while since I've actually done an onsite assessment and use responder (Covid and all that jazz), but I think there is a way you can get responder to ignore LLMNR requests that have already been intercepted. That way, you would only poison their requests once, which is like a "fail to connect" but then on the second attempt it would actually work
This is helpful, thanks! So I'm reading this if you intercept a NetNTLM and are sitting at the terminal, you can essentially stop Responder and then the client will be able to connect as usual (or use a config option/modify the code to only intercept the LLMNR request once). You'll just get into trouble if you set up Responder and then leave it running for X hours/days, where X is the time that they can get some analysis going to see wtf up. Loving the module. Thanks!
Gave +1 Rep to @dense cedar
How long does it take to intercept the challenge with responder in task 5?
Not sure, I kicked off Responder and went and had breakfast and it had collected when I returned.
What was the timeframe for that?
I've tried a new ovpn file as well
Maybe 20 minutes? You sure you are listening to the right interface? Either -I tun0 or -I tun1?
ya im on tun0
there was not other tun interface tho?
ill give it a go tho
do u use attackbox ?
no its my own vm
The amount of tun interfaces depends on how many vpns you have running
I thought you were using attackbox
no worries, but i havent tried the room yet through the attackbox
if it catches the challenge faster haha
good luck xD
Be wary of having the VPN running on your VM while using the attackbox
oh i wouldnt be doing that
Yeah, it breaks it
Im using the attackbox now and was wondering if its okay to get these errors when I start responder?
nvm, finally got the hash
As mentioned before, you will need to provide more details if you want assistance. Start with the following:
- Verify the network is running
- Verify that your VPN is connected
- Verify that you can ping the DC
- Verify if you get output from the following
nslookup za.tryhack.com <DC IP>
Once you have done that, for best help, provide the following:
- Are you using kali, AttackBox, something else?
- What DNS steps have you tried and send screenshots?
I'm getting the same script death when I try to run as the person above. DNS is fine. Did anyone else?
Does it look the exact same?
Yeah, same errors on same lines.
Traceback (most recent call last):
File "/usr/lib/python3.10/hashlib.py", line 160, in __hash_new
return _hashlib.new(name, data, **kwargs)
ValueError: [digital envelope routines] unsupported
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/kali/Desktop/thm/BreachingAD/ntlm_passwordspray.py", line 72, in <module>
main(sys.argv[1:])
File "/home/kali/Desktop/thm/BreachingAD/ntlm_passwordspray.py", line 63, in main
sprayer.password_spray(password, attackurl)
File "/home/kali/Desktop/thm/BreachingAD/ntlm_passwordspray.py", line 24, in password_spray
Exact same error as the guy above.
That's the password spray. not the responder.
Yeah, there's a guy above with photos (?) of this python script failing.
^
Sorry my bad, I'd been scrolling and got lost in the screenshots.
Haha, it's no worries.
$ python3 ntlm_passwordspray.py -u usernames.txt -f za.tryhackme.com -p Changeme123 -a http://ntlmauth.za.tryhackme.com
You're in the same directory as the python script and username.txt?
I find that helps me
Yep, all in same directory.
try just python
take out the 3? lol, I don't know about this, it's always worked for me
It's the same. Script invokes Python3 anyway. I wonder if it's some weird hashlib thing, since it's a python 2 library.
Run nslookup ntlmauth.za.tryhackme.com please?
└─$ nslookup ntlmauth.za.tryhackme.com
Server: 10.200.24.101
Address: 10.200.24.101#53
Name: ntlmauth.za.tryhackme.com
Address: 10.200.24.201
Okay, so then it is def not resolution. Looking at the following:
File "/usr/lib/python3.10/hashlib.py", line 160, in __hash_new
return _hashlib.new(name, data, **kwargs)
ValueError: [digital envelope routines] unsupported
It seems like there is an issue in your hashlib pip package and how it works with the requests library. Which is not really a script issue so much as a pip package dependency issue
Can you check your version of the hashlib and requests pip packages please?
Ahh. So kali doesn't appear to come with hashlib, and since it's a python2 lib it's not easy to pip install. Will get it installed for python2 and see.
Or rather, trying to pip install it throws errors.
It is a python3 lib?
Should be under /usr/lib/python3.10/hashlib.py?
It is joined with your OpenSSL
Try the following:
python
import hashlib
hashlib.algorithms_available
Send that output
{'sha384', 'sha512_224', 'md5', 'blake2b', 'blake2s', 'sha3_384', 'sha224', 'sha3_512', 'shake_128', 'md5-sha1', 'sha3_224', 'sha3_256', 'sha1', 'shake_256', 'sha512_256', 'sha256', 'sm3', 'sha512'}
Yeah I don't see md4 and that's needed for NTLMAuth
It's the md4 boop
Which would explain the issue at hand
Might be a Kali thing, if the other guy had it with a fresh install too.
I'm unsure how to get support back for MD4? Maybe something with the SSL installation?
Why kali would kill support for md4 is beyond me. Such a bloated attack system and then they kill support for a vital NTLM authentication protocol
Option to try?
Add this to your /usr/lib/openssl.cnf to 're-enable' md4 to hashlib
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
Was just reading this haha.
Lol give it a spin and let's see. I use a very old version of kali that I stripped of all the bloatware. Not looking to upgrade anytime soon. But a lot of our stress testers use kali. So this has to be a change literally with the very latest kali image
Well it didn't work and I've given up for now trying to find a fix. I've bounced through some Kali snapshots and it's been like that for this whole Kali release.
If I find a fix I'll let you know, it might happen again!
Lemme know if you sort this out. It was me having the same issues.
Right. One of these things fixed it.
In my host OS (Ubuntu 22) everything was fine. I noticed Kali uses a custom openSSL, so I copied my Ubuntu OpenSSL config to Kali. (/etc/ssl) I also included:
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1 at the bottom
I also copied my host hashlib.py (cp /usr/lib/python3.10/hashlib.py) and put that in Kali.
Now I have MD4 in hashlib. Interestingly, MD4 was showing in OpenSSL but still not available in hashlib, potentially a hashlib problem rather than SSL, but I'm not inclined to test which of these was the fix. It's possible an issue happening with the latest Kali image, so you might see it happening more.
import hashlib
hashlib.algorithms_available
{'sha3_384', 'sha3_512', 'sha1', 'sha512', 'whirlpool', 'md5', 'ripemd160', 'sha512_256', 'sha3_224', 'sha384', 'blake2b', 'md4', 'blake2s', 'shake_128', 'md5-sha1', 'sha256', 'shake_256', 'sha224', 'sha3_256', 'sha512_224', 'sm3'}
Hope this helps anyone else in the future.
Thanks for the help here. This is sadly not a THM room issue, but an issue on Kali's side. NTLM authentication is used by a significant amount of tools. So for them to drop support for md4 is going to break a lot of the windows tools on Kali. Let's hope they readd support in the future
Gave +1 Rep to @daring silo
You'd probably be able to condense it into a reasonably quick fix (a new ssl.cnf and a working hashlib.py, or probably even just one of these). I appreciate THM's main focus is the attack box but a huge number of THM users are on Kali and if it is a problem of the latest image it'll filter through to other people.
It could just be the two of us, but this worked for me haha.
I'll see if I can create a condensed solution.
However, what I'm trying to say is, this new update from Kali is not just breaking a THM room. It will break tools that are used by security professionals on assessments. So while we can provide a condensed solution for the THM room, you probably have a couple of actual pentesters out there having this issue with the new kali on actual assessments. So anything that uses the python hashlib library and tries to perform NTLM conversion of passwords will have issues. So for example, I'm pretty sure this might even impact tools like Hydra or Impacket, unless they do their own md4 hashing. So the creators of Kali will have to fix this overall IMO. So while I can create a fix for our room, it still won't fix the actual root issue here that the kali creators have caused.
Oh sorry I understand what you mean, yeah there'll be loads of blow back if this is a wider problem; not just THM. It may just be a coincidence. I could re-download the latest release and install it if I was inclined to test the problem, all I did was bounce through some snapshots to see if it was something I did. Have you only had two people (inc myself) raise this issue so far?
I submitted it as a potential bug in case.
Just to add in here… I had just downloaded the 2022.2 and set up a new vm before starting the room. The only thing I did was run the pimpmykali script with new vm option
Did you see above I was able to resolve this? Copied /etc/ssl and hashlib.py from my host OS (ubuntu 22) to kali.
Now all good:
python ntlm_passwordspray.py -u usernames.txt -f za.tryhackme.com -p Changeme123 -a http://ntlmauth.za.tryhackme.com
[*] Starting passwords spray attack using the following password: Changeme123
[-] Failed login with Username: anthony.reynolds
Yup I may try out another fresh build to test with
Only two users thus far. But will see if more users start to complain. Thanks for the potential bug, let's see what they say!
Gave +1 Rep to @daring silo
I forgot to add that I went through the room yesterday and it was very informative, thanks. No issues once that was fixed other than the crypto python2 thing, thankfully only had to spend 60 seconds inside the attack box ;-D
Gave +1 Rep to @dense cedar
Glad you liked it!
As mentioned before, sometimes you need legacy tools. I have an old kali just for that ma.db password since I still find it on assessments
Hello guys, I ran into an issue with the LDAP part in this room, when I run ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms command it doesn't show a "dn" with PLAIN/LOGIN values
I've already created the file and put these values in it:
#olcSaslSecProps.ldif
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
and have you restarted the slapd service?
Yup, I did
Looks like it might be a bug on some Kali (or other) distros. The exploit should still work?
Not sure actually, anyway will continue with the AttackBox, thank you :)
When you did sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart were you inside the directory of your olcsaslsecprops.ldif file?
I have encountered that also but I just continued and got the password on the tcpdump
Hi @dense cedar is the DNS thing still an issue? I'm able to ping thmdc , but editing the systemd/resolved.conf with the DNS IP does no good. Tried editing /etc/conf and adding it as a nameserver does not work as well upon saving and the nameserver gets reset to 127.0.0.53 if i perform a systemctl restart . Btw I'm using the attackbox. The odd thing is systemd-resolve --status shows 10.200.4.101 as my current dns server but when running nslookups, it uses 127.0.0.53
DNS is working and hasn't been an issue before?
Can you run nslookup za.tryhackme.com 10.200.4.101. This will confirm if the DC is online and serving DNS. If so and on the AttackBox, you just need to modify systemd-resolved and then restart the service twice
seems to work today after i reset the network and restarted my attackbox
can confirm I have the same issue on a Kali 2022.2 vm. i'm trying to figure out if this is an issue caused by kali or debian repos
yeah seems like an issue with the openssl 3.x package that got pushed to kali recently which doesn't provide support for legacy providers (ie; md4) by default anymore: https://gitlab.com/kalilinux/packages/kali-tweaks/-/issues/27
to fix, edit /etc/ssl/openssl.conf, and move line 8 (.include /etc/ssl/kali.cnf) down below line 19 (openssl_conf = default_conf). then update/add the following sections near the bottom of the file:
[default_conf]
ssl_conf = ssl_sect
providers = provider_sect
[ssl_sect]
system_default = kali_wide_compatibility
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
verify it worked by running: echo 'test' | openssl dgst -md4
im on my kali machine and able to ping the thmdc but can't access the http://ntlmauth.za.tryhackme.com
got it
i wonder if this is the reason for the ldapsearch -H ldap:// -x -LLL -s base -b "" error. This step while making the LDAP server does not show up. It skips this step. It goes straight to the purged step
it doesn't ask for the MDB backend
It seems to be more a kali thing. But the attack should at least still work
yeah the attack still works. i had to spend a lot of time trying to troubleshoot it before i watched a video and saw what they did. it looked the same for them and it worked for them and me
Anyone able to connect using parrot os
I am able to ping thmdc but not able to connect to ntlmauth.za.tryhackme.com
I configured the dns to thmdc ip in the network config manager and restarted the service as well but not working
Anyone pls?
Have you also changed /etc/resolv.conf ?
That used to be my downfall.
is this a normal output for the responder section of breachingad?
i ran ss --udp --tcp --listen --process and nothing was running on port 389
looks like i got the hash anyway
I think it's still in use from the ldap server on task before it.
Gave +1 Rep to @daring silo
i was able to stop the service with kill $(pgrep slapd)
@dense cedar what flavor of linux did you use for the vm made special for that script?
Thank you very much. I'm another Parrot user who had the same issue and used what you suggested and it started resolving properly for me.
Gave +1 Rep to @wooden minnow
If yall are doing breaching AD and get to task 7 with the mcafee python script but don't wanna use the attackbox. I got you :)
apt-get install python2-dev
pip2 install pycrypto
Then run the script using python2 and you'll be set
If this was already answered, I apologize, I'm not in this server very often
guys is it just me or is the breaching ad network down ? I was doing task 6 for my write up and accidentally closed my SSH session to the windows machine and from that point I can't connect to the network.. it says that the destination host is unreachable even though I'm connected to the network.. I can't ping any of the machines nor can I do the DNS resolution (obviously).. thought it's my kali but I can't do it with AttackBox either
so the file that Task 6 of breaching ad wants to copy x64{7b..b3} doesn't exist in the pxeboot.za. do we just use the 2nd x64 on this list?
it looks like its now {27...1D}
never mind they're all down
It is a 2018 stripped down Kali vm
That mcafee script was never ported to python3. Which is sad, since I used it still today on assessments, which is why I have a stripped down kali for it. Best to do this on the AttackBox and save yourself the hassle honestly
I dont personally like using the attack box, so I wanted to figure out a way to get it working on my vm :) :)
Might be that the network time expired? if this happens, make sure to refresh the page and then click start. If you just click extend it will brick the network (frontend team is working on a fix). If this happens, inspect element and enable the start button to press it
Fully understand and that is good practice, @trim mica's suggestion is a good one to try then.
See comment above about network timeout and what to do
thanks for the praise there
Getting the error "Connect request failed" while trying to download the BCD file 
TFTP is a finicky thing. It does "authorisation" through the file names. They must be 100% accurate else it will fail to download. Maybe just make sure you have the correct file name and path
After restarting a couple of times, it worked without changing the syntax I was using before. Tried again to run the same command, got a new error " tftp: can't write to local file 'conf.bcd' "
even with TMP it's working not a syntax error
Can we do this same process with Hydra and John and How?
Thank you, ran into this issue too !
Gave +1 Rep to @hoary otter
You can as mentioned there, but that would be self-study.
HI ! I have an issue for task 4 Hosting a Rogue LDAP Server :
when i try to ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
I only got dn:
and when i do "test settings" it prints me : LDAP Connection failed: The distinguished name contains invalid syntax.
this happened to me too. make sure the network is still active. do sudo service slapd stop and start from the begining
ok thank you i will try
Gave +1 Rep to @tardy lion
sure! let me know if it works or not
On kali you do sometimes not get the output. If this happens but your configuration worked, the attack should still work. Give it a go with the next steps
Hey guys! on Task7, i'm stuck trying to run the python script on Kali. getting this error:
$ python2 ./mcafee_sitelist_pwd_decrypt.py jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
Traceback (most recent call last):
File "./mcafee_sitelist_pwd_decrypt.py", line 15, in <module>
from Crypto.Cipher import DES3
ImportError: No module named Crypto.Cipher
running pip2 install pycrypto or pip2 install Crypto didn't help
Just suffer through the attackbox for the 2 minutes it takes to crack the hash. I spent ages trying to fix it without success. It literally takes 2 minutes to get in and out of attackbox.
Although am03bam4n does suggest keeping a VM to run this script in an engagement, for the sake of getting through this task you can worry about a custom Kali VM set up for pentesting in the future haha.
thanks @daring silo this worked and saved me a few more hours!
Gave +1 Rep to @daring silo
Haha no worries. You can try and fix it when you're on a pentest and come across Mcafee!
Hey so when using a Kali VM and trying to get DNS setup for this room, cant you just add nameserver THMDC-IP to /etc/resolv.conf? Im struggling to get my DNS configured right, I usually just add the DNS servers to /etc/resolv.conf when I do real AD pentests but nslookup isnt resolving here
I got DNS working via network manager GUI but Im just curious, because Im so used to just dropping a new nameserver into /etc/resolv.conf
You can use whichever method you want for DNS. I also usually just drop it in /etc/resolv.conf but that is not always the most stable since if you read the comment in that file, it tells you that the file gets overwritten. But if you are comfortable with DNS configuration, you can use whichever method you want. If you do choose to drop it in /etc/resolv.conf, just make sure it is the first entry though
Ahh okay, it wasn't the first entry so maybe I missed that
Yeah that is a prioritised list, so if it isn't the first entry, it probably won't resolve
makes sense okay
Hi, I have an issue connecting to the network. I have configured everything and am able to ping the dc but couldn't resolve the nslookup
Please help to resolve it
Can you cat /etc/resolv.conf and show the result please.
Generated by NetworkManager
search thmdc.za.tryhackme.com
nameserver 10.200.26.101
nameserver 8.8.8.8
This is what i included
Did you add the THM dc up in the additional dns servers section of the network manager gui?
I'd remove that search. I think it is too specific.
Also, run nslookup za.tryhackme.com 10.200.26.101 and confirm that you are getting output
Following the initial instructions in the room for setting DNS doesn't seem to work for me. I edit /etc/systemd/resolved.conf and restart the service, but /etc/resolv.conf doesn't get updated and manually inserting nameserver 10.200.20.101 in there still won't allow nslookup THMDC.za.tryhackme.com to work.
Are there any issues with the network itself?
Is the Network started?
Yes. dig @10.200.20.101 THMDC.za.tryhackme.com works. It's just systemd-resolved seems to want to be difficult
Terminated the machine and created a new one and finally the instructions in Task 1 worked
I had a same problem unfortunately :/
idk how can i add md4 hash type to my kali linux machine
Just scroll up in the messages, a solution was provided by some of the community members. Hopefully kali will fix this with their next iteration
I ping the dc IP is 300 ms up and down, but curl it settings.aspx got Failed to connect to printer.za.tryhackme.com port 80 after 220503 ms. I have success once, but i don't has ldap that time. My Attackbox seems Success but got 404 Error that address.
So, i stuck on Task4.Help
IP 201 and 101 also 300 ms up and down

Is your DNS working? Pings should not be that long though? Especially from the attackbox? If it takes that long, might require a network reset?
If the DNS is working, then the network should be working. DM me your VPN file and I'll remotely reboot the IIS server to see if that might help
Thx.
Hi there, I'm doing task5 but dunno why using this command in hashcat: hashcat -m 5600 hash-svcFileCopy passwordlist.txt --force I'm getting exhausted message, anyone who can help?
try john
thx I just figured it out... the problem is that copying the hash to mousepad it creates a new line so just use echo -n 'NTLMv2hash' to avoid that
Gave +1 Rep to @dawn spoke
For Task 7, decrypting the ma.db password, I couldn't even get the python3 script to work in the latest kali. Getting an error about Crypto library. I did, however, find that PowerUp.ps1 had a Get-DecryptedSitelistPassword function for PowerShell that worked fantastically within the latest Kali when run in pwsh. I extracted just that function from PowerUp and put it in a gist in case anyone else struggles: https://gist.github.com/rufflabs/8890bccf85cc2544898abf4c4308f561
Hey @dense cedar I reported the MD4 / OpenSSL / hashlib.py issue to the Kali bug team and have been informed today it's resolved and will be pushed out to repositories in a day or two, so hopefully if you get any more people they can just fix with an update.
This is excellent news! Thanks for your contribution to the Windows hacking community
Gave +1 Rep to @daring silo
Haha well, I'm sure smarter people than me would've found it sooner or later; your rooms have opened the world of AD hacking to me - it's a fun and oh so deep rabbit hole :-s
Hi all, task 5 has got me! I cannot run responder... this is the error...
You need to install python-netifaces or run Responder with python3...
Try "apt-get install python-netifaces" or "pip install netifaces"
Any ideas please? I am really stuck, I have of course tried what its telling me in the error. I have also tried to reinstall responder.
What version of python are you using? It seems like you are trying to run responder with python2? Can you navigate to the /opt/ directory where it should be installed and run it directly with the python3 responder.py command?
I will try that thank you
Gave +1 Rep to @dense cedar
Hi, i'm using parrot VM on a windows 10 host..
i am not able to ping the DC 10.200.82.101 even after connecting to the network VPN.. it was working but stopped
@dreamy crater May you help me?
Hi all, I am really stuck on task 4 question 1. I have researched online also and I cannot see that anyone else has answered the question either. Has anyone on here managed to answer this question? Could anyone please help?
still getting the same error, I am clearly doing something silly but no idea what...
This is very weird. Is this on the AttackBox or your own machine?
It is one of the titles in the task
this is on the AttackBox
Is it still active? Can you DM me your AttackBox url and I'll quickly take a look?
thank you yeah will do
much appreciated thank you
Gave +1 Rep to @dense cedar
Having the same issue as baffon :S
Is there a work around for this ? (Using the attackbox)
Can not get past this and its the only task remaining
I now have this working on a Kali VM, Attack box still has issues however.
run it with python3.9 rather than python3, that did the trick
Yeah, as @agile canopy said, go to /opt/responder/ and then run it using python3.9 Responder.py -I tun0. We are aware of the issue and the AttackBox should be patched this week
Cheers!
I have network manager installed but updating the dns for the connection doesn't seem to work. So I tried changing in resolved.conf which doesn't either.
Now I'm confused which dns manager is even running and how do I set it up.
what does it list as the dns in nmtui
hmm the dns seems to be active :-;
Its shows the updated one but idk why its not working.
Maybe its something with dnsmasq
It throws me an error when executing the python script that comes with the room in task 3.
DNS works according to a priority list. So with your first DNS server being set to 8.8.8.8 and that being an authoritative server, it won't ever go to the second DNS server. You need to change the priority of your DNS servers to have the room's server be first.
Please go read #rules on how to ask for help.
You can also directly dump the DNS server in the first line of /etc/resolv.conf, not /etc/systemd/resolved.conf, which should then kick in and give you DNS. However certain network managers will overwrite that file when the network updates.
thx.
dnsmasq was having some issues, its service wouldn't restart and would give out an error. I didn't look into it and just straight away uninstalled dnsmasq and set dns=none in networkmanager's config. manually setting up the nameservers after that worked. https://serverfault.com/questions/905903/networkmanager-dnsmasq-ignore-auto-dns-settings
Glad that worked for you
python ntlm_passwordspray.py -u usernames.txt -f za.tryhackme.com -p Changeme123 -a http://ntlmauth.za.tryhackme.com
[*] Starting passwords spray attack using the following password: Changeme123
Traceback (most recent call last):
File "/usr/lib/python3.10/hashlib.py", line 160, in __hash_new
return _hashlib.new(name, data, **kwargs)
ValueError: [digital envelope routines] unsupported
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/ntlm_passwordspray.py", line 73, in <module>
This error throws me when executing the script
If you look at the messages posted previously in this channel, you will see that the issue is that the latest version of kali has dropped support for md4 hashing, which is used for NTLM hashes. One of the users has reported this as a bug for kali and they will be fixing it in the next version. In the mean-time, users have posted messages here on steps that can be followed to update your kali's hashlib.py and openssl configuration which will re-enable md4 hashing for you
@compact hawk , see here.
Thanks
Gave +1 Rep to @dense cedar
I believe it should be in the latest repositories now, if you update Kali.
From the Kali dev Arnaud Rebillout
I made the necessary changes to kali-tweaks and kali-defaults (which is the package that provides the Kali's version of openssl.cnf). The updated packages will hit the mirror within 24 hours or so, so please run apt update && apt full-upgrade to get it. The versions with the fix are kali-defaults 2022.3.2 and kali-tweaks 2022.3.0.
Can anyone help me with this error? I am trying to do Task 3, where it asks us to run the script for password spraying, but I keep getting this error when running the command.
This error happened to me both on the VM and the attackbox
thanks
anyone else getting LDAP server down?
printer and ldif file cant connect to the LDAP server
On Task 5 I've been running responder now for some time and haven't seen any credentials come thru. Is it possible this weird deprecation error would mess this up? I've seen this error before and responder still worked fine
stop the slapd server?
I will give that a try
not sure why is it that after i did this, my SASL supported mechanism remained the same
Are they remaining the same or disappearing? If you are using Kali and they disappear, then just continue with the rest of the steps and it should work. Seems to be something with Slapd with Kali
oh i'm using browser kali
let me try again
they r remaining the same...
If they remain the same then you are probably doing something wrong with your configuration. Might be good for you to provide all the steps you are performing and the output so the community can check and perhaps provide assistance.
You have to verify first to be able to
!docs verify
sorry i just came bk from dinner.
may i know what does it mean when they say : Once in the server you can echo your level on the TryHackMe website across to the Discord server. This is important as you will not be able to access the voice channels, send images, embed links, or perform various other actions until you have done so.
Once you verified your lvl will be shown in your discord profile on this server, also your THM lvl will be updated automatically in here.
I think the rest is self-explanatory
i alrdy copied my token
but can't find this...
The Bot is in purple and has the THM logo as shown later on with a Discord-coloured blue next to it.
Can't find what?
You have to send !verify yourtokenhere to @outer timber in a DM
i'm following the steps here
ok thanks
i can upload files now
thanks
these are my steps
but my SASLmechanisms remain the same
repeated many times and reverted the machine too
Sorry I was out. Could you maybe screenshot your ldif file? Not sure if it makes a difference but there shouldn't be spaces there
Did the steps on the AttackBox just now and they are working. Are you sure your olc file is correct?
From your output, there seems to be a lot of additional spacing there?
Sorry I was out playing tennis . Will look at it tml. Thanks. It's 1030 pm in my country
thanks it works now!!!!!
Glad that worked for you
u r so brilliant..thanks!
for the next part, i did this
but when i did this, i didn't capture the password
ok i managed to get it ...ignore my qns
hihi, not sure why responder seems to be non existent even though we r told that it's alrdy installed on the attacker machine..
Go to the /opt/Responder directory and execute using python3.9 responder.py . Team is busy upgrading the AttackBox from Python3.9 to Python3.10
