#breaching-ad


steady gull
#

If you have some trouble, run "Import-Module .\powerpxe\PowerPXE.ps1".

sly lantern
#

Hi, I would like to start with the Breaching AD network, but it has said "Network state: Resetting" for at least a day now and I can click neither "start" nor "reset".

sly lantern
#

Never mind. I left the room and re-entered, now it's working fine.

valid ridge
#

I did the config thing. Keeps timing out and showing my own server

wooden minnow
#

Can you show a screenshot?

And can I have your subnet please?

valid ridge
#

The 10.200.26.101?

#

I have to update discord on kali but I'll send via phone camera

wooden minnow
# valid ridge

I just had a check, everything is inactive, is the network started?

valid ridge
#

I'm officially blind 😎😎😎

wooden minnow
#

Yup, I can see everything coming online now 🙂

valid ridge
#

So when I do the AD room I have to do it all at once. What if I want to come back to it? Just do all that again?

wooden minnow
#

Yup 🙂

valid ridge
#

I got a problem with line 4 request_ntlm on the python script

wooden minnow
valid ridge
#

Yeah, forgot about that, haven't really worked with Python.

valid ridge
#

What does "wrong attribute type" mean for entry "cn=config"?

#

LDAP, I think it's for.

valid ridge
#

What does the 1 day of access mean? I've seen threads on forums about it; 15 months ago it was like 3 and 2 as well.

valid ridge
#

Would anyone know why Get-FindCredentials (I'm assuming it's on PowerShell) isn't working? 2nd-to-last proper task, not counting the Conclusion task of this room.

dense cedar
# valid ridge Would anyone know why Get-FindCredentials I'm assuming its on powershell isn't w...

Can you perhaps be more descriptive as to saying it is not working? That doesn't really provide us with a lot of information to be able to assist you. What is not working? What have you done? What have you tried? And what output are you getting?

Screenshots are the best in this case, as it will give us answers to all three of those questions, thus allowing us to provide you with support.

"Not working" could be a million things, help us narrow down your problem so we can assist.

dense cedar
valid ridge
valid ridge
#

How do I stop the scp command from saying broken pipe?

valid ridge
#

All sorted lol

west pine
#

hey any idea ?

#

But I did the connection and everything 😦

west pine
#

Good now

granite pelican
#

Hello, I can see some messages about issues trying to nslookup thmdc.za.tryhackme.com, but I'm not sure if the issue is on my side, as yesterday it was working.

Adding some captures.

Not sure if someone can help? Thanks !

wooden minnow
#

Place it above your local host.

granite pelican
#

But I don't understand why this worked, as in my other VM (a twin) this wasn't needed. I only needed to add it to /etc/hosts and I was good to go, as usual.

#

Also, I don't know if this way of fixing it has secondary consequences?

wooden minnow
#

No, it just recognises it.

wooden minnow
granite pelican
#

When I read your message I went to /etc/hosts and placed 10.200.20.101 thmdc.za.tryhackme.com on the 1st line

#

and it didn't work

wooden minnow
#

You don't need to add the thm..

granite pelican
#

But then I read a message in the forum saying to put it in the first position within /etc/resolve.conf

wooden minnow
#

Literally just nameserver $THMDC

granite pelican
#

But then /etc/hosts doesn't need to be populated? In the message you linked, you refer to resolve.conf

#

I'm no expert on this, but in the past I just used to add a line to /etc/hosts and I was good to go. So not sure why this is different now.

wooden minnow
#

It was a spelling error, I've changed it, I have no idea why it keeps reverting.

granite pelican
#

what was a spelling error?

wooden minnow
#

resolve.conf

torpid kraken
#

Hello, I have an "LDAP connection failed" on task 4. Does someone know what to do, please?

wooden minnow
#

Which subnet are you on?

torpid kraken
#

THMDC 10.200.92.101

#

I am on the printer page

wooden minnow
#

Everything is running, so you might be doing something wrong.

torpid kraken
#

I am just on the printer page and click on "test settings"

#

LDAP Connection failed: The LDAP server is unavailable.

#

So I can't do the first step

#

No response to the request in netcat when I change the IP to mine

wooden minnow
#

I checked your services and they're all running.

torpid kraken
#

ok thanks

#

I restarted the LDAP server and it works

#

I waited to catch the NTLMv2-SSP hash but it didn't work

wooden minnow
#

Responder?

#

It can take 5 mins, it can take 20.

torpid kraken
#

yes

#

I don't know exactly which interface to use

#

I think it's breachad from the attack box, but I've been waiting more than 30 min

wooden minnow
#

Yeah, it will be, just make sure you didn't make a typo

torpid kraken
#

There is just running Responder, nothing else?

wooden minnow
#

Nah

sudo responder -I $INTERFACE

torpid kraken
#

OK, I did it, but I haven't stopped the LDAP service

oak marten
#

Every time I try nslookup for the Active Directory IP on the Breaching AD course I'm still having issues connecting. I can ping the IP and Google, but when I try nslookup it keeps saying "communication error" and then times out. Would anyone have any insight?

wooden minnow
oak marten
oak marten
#

Not sure what happened, but I walked away from the Breaching AD course for the weekend and now it won't allow me to use the OpenVPN configuration file. It keeps saying the HMAC authentication keeps failing. The files already say "data-ciphers AES-256-CBC" instead of just cipher. Redownloading the file after walking away for a little to see if that helps, but it still doesn't work.

oak marten
#

yes and still nothing

#

yooooooo I regen'd it for the 6th time and it finally worked 😅

rough dew
#

just regened it???

oak marten
#

yes

rough dew
#

can i dm you?

oak marten
#

I also went back to a previous save state for my VM. Not sure if that helped, because it was giving me the same error. Then I regen'd the file and it just started working.

#

yeah go ahead

#

I'm now having issues with not being able to ping the IP for the DC. I've already checked my network configuration and it's still set up. I also have the login screen from task 3 coming up. When I try to type in the username and password that I got from the password spraying it says the site can't be reached.

wooden minnow
#

What subnet are you on?

oak marten
#

Also my VPN stopped working again. 🫠

#

I'm getting a fatal error even after using sudo

wooden minnow
oak marten
oak marten
wooden minnow
oak marten
#

Understood. I'll keep that in mind in the future.

wooden minnow
#

A different subnet to your breachad interface?

oak marten
#

yes

wooden minnow
#

That's fine, that won't be an issue

balmy void
#

Hi all, is there something wrong with this network or is it me? I've gotten the network running, connected to it with the proper ovpn file (breachingad), gotten my DNS switched over, pinging the machine finds it without problem, nslookup resolves za.tryhackme.com to the DC IP, but I can't pull up the login screen in the browser at ntlmauth.za.tryhackme.com. I've had this working before. Can someone tell me what's happening (or not happening)?

wooden minnow
balmy void
wooden minnow
balmy void
#

of course, sorry

#

it's 10.200.26.101

wooden minnow
balmy void
#

That's where my trouble is

wooden minnow
#

Ok.

Did you set up /etc/resolv.conf ?

balmy void
wooden minnow
#

You need to edit /etc/resolv.conf to look like this.

nameserver 10.200.26.101
nameserver 127.0.0.53
nameserver 8.8.8.8
options edns0 trust-ad

balmy void
#

Ok, that isn't getting that webpage up either

#

nslookup and ping make it look fine, until I try browsing to that page

balmy void
#

@wooden minnow thanks for your quick response earlier, with some fiddling I got it to work with the above

slate swanBOT
#

Gave +1 Rep to @wooden minnow

lethal pollen
#

I am experiencing very high latency in this room. Is that normal to see?

#

Extreme latency there as well

trim mica
#

Have you tried the VPN script?

#

!vpnscript

outer timberBOT
trim mica
#

otherwise the only thing shadow can think of is restarting the network

lethal pollen
#

I have not tried that. I will though

#

I see that the script specifically looks for the tun0 interface, but this room uses a different ovpn config which creates a breachad interface

trim mica
#

Oh right... hmmm, so either the script needs updating or people need to manually change their VPN config so it uses tun0...

lethal pollen
#

I will try to adjust the script

#

Looks like there was an MTU issue, so I changed that and pings are a little better, but still unable to access the ntlmauth.za.tryhackme.com server via browser

#

Curl works

wooden minnow
#

It should use breachad

lethal pollen
#

I switched breachad to tun0 and set my MTU to 1350 and am able to connect

#

I am unable to hit the webserver from chrome but brave works and so does curl 🤷‍♂️

wooden minnow
#

What subnet are you on so I can check the services?

lethal pollen
#

10.200.4.x

wooden minnow
#

Yeah. everything is active.

lethal pollen
#

I'm able to connect via Brave, so I'll just use that and go as far as I can. Thank you for assisting.

lethal pollen
#

I am now unable to resolve pxeboot.za.tryhackme.com as well as THMJMP1.za.tryhackme.com

wooden minnow
#

Hi there, I just had a check, and all your services are inactive.

You'll need to start the network, or vote to reset.

lethal pollen
#

Ah ok

#

Everything is working perfectly now. Fast too

wooden minnow
#

Ah amazing!

Happy hacking.

lethal pollen
#

Thank you @wooden minnow

slate swanBOT
#

Gave +1 Rep to @wooden minnow

wooden minnow
pale aspen
#

yes I'm able to access the webserver. It shows the login prompt.

wooden minnow
#

Then you're golden.

pale aspen
#

I tried to run the python script, but I get no output. Was there something I needed to edit for it to work?

wooden minnow
#

Can you screenshot?

and the syntax?

pale aspen
pale aspen
#

no dice

#

I figured it out and got it to work.

pale aspen
slate swanBOT
#

Gave +1 Rep to @wooden minnow

pale aspen
#

Used "sudo responder -I breachad" as stated above, but ended up with these errors. Let it sit for 15 minutes, hoping it would capture a response, but no luck.

pine gyro
#

Is it correct to compare LLMNR to the ARP protocol, but instead of querying for MAC addresses it queries for DNS, and when it finds the intended host it is looking for it receives a callback in the form of DNS?

#

Because that is how I am picturing it

ashen notch
#

Hello everyone! I had a problem with the Enumerating AD room and the Breaching AD room. The URLs of the mission pages like http://printer.za.tryhackme.com/settings.aspx seem to be hijacked and are always redirecting me to a phishing page. Resetting didn't work. Does anyone know what's going on?

wooden minnow
inner wind
#

I did it a couple of hours ago and everything worked normally.

wooden minnow
#

Yeah, I suspect it's their browser giving them a false positive.

As you can't use the URL outside the box.

novel steppe
#

Hi, I am setting up my Kali VM for task 1 of Breaching AD. I can ping the DC server IP and do nslookup tryhackme.com, but for some reason I can do nslookup tryhackme.com <DC server IP>. I did the DNS stuff but it still doesn't work.

#

Has anyone had this issue before?

wooden minnow
slate swanBOT
#

Gave +1 Rep to @wooden minnow

sage hare
#

Struggling to get DNS configured manually.

Host: Win10
Hypervisor: VMware Workstation Pro 17

trim mica
#

Would recommend instead setting it in NetworkManager and restarting NetworkManager to get it working

sage hare
#

Ok, I saw this so thought I could do it through the command line...

I will give NetworkManager a try, never monkeyed with it before

wooden minnow
#

Kali yeah?

sage hare
#

yes

wooden minnow
ocean crown
#

I also have issues getting DNS ready. Set the DNS server in my network settings. I'm able to ping THMDC but nslookup does not work. Other users and I reset the network but to no avail. Other people having the same issue? (nslookup of the initial access site http://ntlmauth.za.tryhackme.com/ does work though..)

wooden minnow
ocean crown
jolly pawn
#

What does the red mean?

trim mica
jolly pawn
#

TY!

old plinth
median heart
#

Hi.
I've been stuck now for a couple of hours trying to get the DNS to work. My issue is that I can't access the first webpage: http://ntlmauth.za.tryhackme.com/.
I can ping THMDC and I can run the nslookup for thmdc.za.tryhackme.com successfully.
I've checked the /etc/resolv.conf file and made sure the THMDC IP is the first entry. I've tried with Firefox and Chrome but they both are unable to resolve the webpage. I have also tried to leave the room and re-enter it, as was suggested here. Any suggestions as to what might be wrong would be much appreciated!

wooden minnow
median heart
#

Thanks for getting back to me 🙂 I figured it out yesterday after a couple more tries. The solution was as simple as only having the DC as my sole DNS, and a quick restart of systemd-resolved and NetworkManager. Turns out my VM did not like a second set of DNS.

manic fractal
wooden minnow
#

What's the reset count?

manic fractal
#

0/5

median heart
#

you can restart with:
sudo systemctl restart NetworkManager
sudo systemctl restart systemd-resolved

and check status with:
sudo resolvectl status

wooden minnow
#

Don't use the GUI

#

That's overkill.

#

Just use the steps in my post, it will save you restarting NetworkManager etc.

median heart
#

well I did and it did not work

manic fractal
#

The first IP is the DC?

median heart
#

ye

manic fractal
#

Okay, thanks @median heart, I will test it

slate swanBOT
#

Gave +1 Rep to @median heart

median heart
#

good luck 🙂 Let me know if you get stuck!

clever sandal
#

Hiya all, attempting to download the BCD file via TFTP, however I get "Connect request failed". No typos, and able to ping the server okay from the Windows box. Any suggestions? Thanks! (Task 6 - MDT download)

full ermine
#

How are you supposed to get the IP for THMDC? It says it is in the network diagram, but there is no IP in the network diagram

sage knot
#

Is the network running?

full ermine
#

Yup, it says so

sage knot
#

Can you send a screenshot of the network diagram? You'd need to verify to do so.

#

!docs verify

outer timberBOT
clever sandal
#

Yep, it's running. Do an nslookup on the host to get the IP

sage knot
#

It should look like this at the top of the page

full ermine
#

This is how it looks for me

sage knot
#

That looks bugged

clever sandal
#

Yep, attempted to pull the BCD file from there but "connect request failed"

#

i have an IP for mine

sage knot
true imp
#

Or you can clean the cookies, maybe

full ermine
#

Hmm.. none of that seems to do anything for me :/

clever sandal
true imp
clever sandal
#

Running okay. Any help please would be fantastic. Thanks all!

wooden minnow
#

Is that subnet 99?

clever sandal
#

yep

full ermine
slate swanBOT
#

Gave +1 Rep to @true imp

clever sandal
#

file name is good too.

#

love it, attack box now messing up. Will try again

#

no luck 😦

wooden minnow
#

Which task you on?

clever sandal
#

6

#

@wooden minnow were you taking a look?

median heart
# clever sandal file name is good too.

Hey. Just looked through my notes here and I see that I grabbed the "x64uefi" file instead of the "x64" file you are grabbing. And I think I had the same problem as you, but I could complete the rest of the tasks with the uefi file:

wooden minnow
#

UEFI or not shouldn't matter.

median heart
#

I'm pretty sure I had trouble downloading the other too

#

however I did not write anything down in regards to that in my notes so I'm just guessing

clever sandal
#

@median heart good to know I'm not the only one. I'm back and going to try it again here in a sec 🤞🏻

#

If it's not one thing it's another. Now I cannot SSH into one of the boxes 😦

#

Cannot even ping the host 😦

#

12 min later, the box is up, phew!!!

#

Back to square one. Network reset too and still no luck

median heart
#

Did you try with the uefi file?

median heart
# clever sandal

If not, then maybe try to leave the room, rejoin and try with another network?

clever sandal
#

Ah, makes sense. I thought resetting the network would do it, but re-joining will do it

#

Thanks @median heart, I'll give that a try

slate swanBOT
#

Gave +1 Rep to @median heart

clever sandal
#

Tried another network. No luck /cc @charred sandal @gaunt shell @limber grove @dense cedar @dreamy crater - Any chance someone can look into this? I just upgraded to a paid subscription and things are not working out as expected on 2x networks so far for this challenge. Thanks!

median heart
#

Can you post, just for my own sanity here :D, a screenshot of you trying to grab the x64uefi file instead?

clever sandal
#

yep 🙂

median heart
clever sandal
#

let me try..

#

very odd!

median heart
#

Give me a sec, I'll try and connect and see if it's the same for me

clever sandal
#

nice one, thanks!

gaunt shell
clever sandal
gaunt shell
clever sandal
median heart
#

Mine worked fine

gaunt shell
clever sandal
median heart
#

Idk, works on all the files for me

clever sandal
#

99 and 20 network failed for me :\

gaunt shell
clever sandal
median heart
#

this should be \Tmp

gaunt shell
# clever sandal

In that terminal, can you once again try running the tftp command?

gaunt shell
# median heart

You're right, but it still shouldn't say "Connect request failed"

clever sandal
#

Uggghhh, worked. Thanks guys on the typo. The 99 network def had "Tmp", so you may wanna look at that one

median heart
#

😄

clever sandal
#

Right, bed time, and I'll carry this on in the morning. Thanks for your help. Jumping to a new network and spelling it right worked haha. @gaunt shell not sure if you guys wanna look at the 99 network just in case

slate swanBOT
#

Gave +1 Rep to @gaunt shell

gaunt shell
#

Oh, actually it does say Connect request failed with the typo

median heart
clever sandal
#

From earlier... I'm not losing my mind haha

#

Thanks again for your help @median heart and @gaunt shell . Night guys

visual warren
#

Any way to get this room reset other than the votes? Stuck at 3 out of 5 and DNS seems to be borked on the DC. Can ping it fine, just running nslookup tryhackme.com 10.200.25.101 results in connection timed out

visual warren
#

Now it seems printer.za.tryhackme.com is also down, ntlmauth is fine, might move onto something else whilst this gets resolved

visual warren
#

Reset the network and it’s still broken

wooden minnow
visual warren
# wooden minnow Which subnet are you in?

I cannot remember, sorry, too many hours ago. I was attempting to get LDAP to talk back to the AttackBox but wasn't able to get any response to nc or the LDAP server, and so decided to see if DNS was working fine, and everything seemed fine other than when I tried running nslookup tryhackme.com 10.200.25.101

wooden minnow
#

The network needs to be started.

visual warren
#

Oh sorry, the network subnet, yes it was subnet 25. This was 9 hours ago though, 7 when I tried refreshing the network. It was active at the time, as I could reach printer.za.tryhackme.com. Refreshing the network fixed printer.za not working, but the network was definitely active when I was attempting it.

wooden minnow
#

I know, I just checked the network for you, it's not running.

visual warren
#

Yea, it's late here so my computer's not even on, will give it another shot tomorrow and see how it goes. I assume though that simply having nc listen on port 389, then entering the AttackBox IP into the printer settings portal and hitting test connection should within several tries give me a response similar to what is shown in the task? I'm not missing any steps there, am I?

wooden minnow
#

No, leave the printer settings alone.

It should be auto-configured to the breachad interface, and not ENS5.

visual warren
#

Ah, maybe that's where I was going wrong, cheers, will give it a shot tomorrow and see how it goes

visual warren
#

Just thought I'd update that I found the breachad network adapter this time, and entering that into the printer LDAP server settings let me receive a connection back. I think I just got confused with the task saying to use your VPN IP, which made me assume the IP assigned when connecting over OpenVPN was what you'd use, so, being that I'm using the AttackBox, I assumed it was the AttackBox IP. Compounding that was the fact it talked earlier about a method of breaching the network being that you could plug a device into a port in a board room, so I assumed the scenario was that, rather than that we had our device connected into the network through a VPN.
Maybe the question could be slightly reworded to say your IP will be the breachad network adapter IP? Just a suggestion to clarify the wording slightly better.

tawny aurora
#

Any idea why I appear to be connected to the network over VPN but I can't reach it?

wooden minnow
tawny aurora
#

I did, that's what resolv.conf looks like, yet I can't ping the DC.

#

search localdomain
nameserver 10.200.25.101

#

nameserver 172.16.13.2

wooden minnow
#

Which subnet are you in?

I can take a look

tawny aurora
#

10.50.23.0/24

#

it works now, bizarre

forest hinge
#

Hey guys

#

So I'm having this issue on this network

#

where I can't run the Get-FindCredentials command in pwsh

#

When it gets to the Finding Bootstrap.ini stage, it just errors out with:

Get-IniContent : Cannot process argument transformation on parameter 'FilePath'. Cannot convert value to type System.String.
At C:\powerpxe\PowerPXE.ps1:218 char:37
+         $Bootstrap = Get-IniContent $BootstrapPath
+                                     ~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-IniContent], ParameterBindingArgumentTransformationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-IniContent

void rover
#

Hey everyone, first time THM "network" user. I've noticed a couple of things recently as I try to get started with breachingad: 1) the ovpn file generated for breachingad is 0 bytes, but I'm not having trouble using ovpn for the regular machine network(s); 2) when I try the AttackBox route, and create it from the Breaching AD room, it generates an enumad interface "3: enumad: <P..." that I can see from "ip a"; 3) I noticed the breachingad DC box is 10.200.4.101 in the graphic but the pinned post shows 10.200.54.101. I've never been able to ping the 10.200.4.101 host. FWIW: when I use other networks (enum network for example) it seems to work ok. All RTFM type feedback welcome.

lofty muralBOT
#

There are no URLs in that message.

short hatch
#

Hey Guys, I have an issue with DNS. I can ping the DC but not able to resolve tryhackme.com

wooden minnow
short hatch
#

That worked. Thank you

lusty shell
#

Hello. I'm having an issue with this room.
I'm trying to perform a TFTP command on THMMDT but it keeps telling me "Connection Request Failed"

#

I can ping the DC though, and every other machine

quaint ether
#

My ovpn file keeps downloading as an empty file, I've joined the room after leaving it due to connectivity issues, and clicked the regenerate button about 3 times now, each time the Download Configuration File downloads an empty file. Anyone else run into this issue?

#

I see fanofbacon had an issue back on the 20th, but I have successfully downloaded an ovpn file for this network on the 27th, so I'm not sure what's going on, I'll try the attack box, I think

wooden minnow
#

Attackbox should work, sometimes the VPN hangs.

quaint ether
#

attackbox is not working for me at the moment (it's launched and I'm connected to the attackbox), no breachingad interface and can't ping THMDC IP address

#

I give up, I'll go a different pathway today...

lusty shell
#

I finished the room yesterday. After a night the network worked properly.

quaint ether
#

I can't avoid breachingad any longer, it is the next room in my paths...

#

I have resolv.conf set up as per pinned messages. Ping to DC works. nslookup for ntlmauth (and others) returns a result promptly. But browser just won't pick up resolv.conf settings. Does anyone know why they are being so difficult?

#

Chrome and Firefox from the VM:

#

To me it looks like, for whatever reason, the browsers on the VM are not picking up the settings as specified in the resolv.conf file, and I have no idea where I'm going wrong

quaint ether
#

AttackBox even worse, can't even ping the thmdc IP address directly

wooden minnow
#

Can you cat /etc/resolv.conf

wooden minnow
# quaint ether

That's not the link you visit, that's just to set up the DC

#

Oh wait. It is.

quaint ether
#

You confused me there

wooden minnow
#

Yeah.

Can you cat the file?

#

If you give me your network subnet I can check the services are running.

quaint ether
#

Right, so things are looking up in the attack box, I can now browse to ntlmauth

#

I didn't realise I had to edit resolv.conf from the AttackBox, I thought that command from the setup instructions took care of everything

#

thmdc IP is 10.200.54.101

#

I appreciate the attempt to help, Scrubs. Out of interest, do you have any idea why my VM browsers do not seem to be picking up the resolv.conf settings?

wooden minnow
#

The VM can be a bum to set up, I've never had an issue, others have lots

round cove
# clever sandal

I tried the full DNS name instead of the IP and it worked.

hm@THMJMP1 C:\Users\thm\Documents\Thomman>tftp -i thmmdt.za.tryhackme.com GET "\Tmp\x64{EEE0EC6D-6C07-488C-B1CD-D4CFB67CBF97}.bcd" conf.bcd
Transfer successful: 12288 bytes in 1 second(s), 12288 bytes/s

prisma thorn
#

sudo nmcli connection modify breachad ipv4.dns "10.200.25.101,8.8.8.8"

sudo nmcli connection modify breachad ipv4.dns-search "za.tryhackme.com"

sudo nmcli connection down breachad

sudo nmcli connection up breachad

#

nslookup for the DC is working fine but I can't ping it

quaint ether
# prisma thorn I'm facing the same problem. Any updates?

No updates, I got through this room using a combination of the attack box and my own VM. There are some DNS shenanigans going on because I couldn't make it through the next related room, enumerating-ad. I'm taking a break from this series of rooms, and I'll return to it later when I have a good block of time to dedicate to figuring out how to properly set the DNS settings required to work through this series of rooms, because they're essential to making through a couple of the pathways.

sage epoch
prisma thorn
# quaint ether No updates, I got through this room using a combination of the attack box and my...

Would you mind if we collaborate and find a solution to set up the DNS?

  1. The following configuration is required; either do it via any network manager or manually using /etc/resolv.conf:

nameserver 10.200.28.101
nameserver 127.0.0.53
options edns0 trust-ad
search hgu_lan za.tryhackme.com

  2. nslookup za.tryhackme.com
  3. nslookup ntlmauth.za.tryhackme.com

Note: We can successfully visit the webpage using the IP address of the domain controller.

curl 10.200.25.201 ✅
curl za.tryhack.me

DNS resolution is not working

prisma thorn
#

Nah

#

I can't visit anything since domain names are not resolved to IP addresses. That's the issue we all are facing.

wooden minnow
#

Did you use a network manager or resolv.conf ?

prisma thorn
#

I tried using both

#

Nothing worked

wooden minnow
#

And did you restart network manager?

prisma thorn
#

Yeah

quaint ether
#

What VM are you using? I'm using Kali, but I wonder if Parrot or something else would work more easily

prisma thorn
#

I am using Kali too

wooden minnow
#

Kali is what I use.

quaint ether
#

What are you using, Scrubz? You got it working, I think you said?

#

What version?

wooden minnow
#

Version is irrelevant, I've got it working on different versions.

prisma thorn
#

Kali 6.5.0-kali3-amd64

quaint ether
#

It's not irrelevant, or else the setup instructions in the room would still work

#

Obviously something changed in the meantime

prisma thorn
#

Yeah I have a feeling too

#

  1. I tried resetting the network twice ❌
  2. Tried leaving the room thrice ❌
  3. Tried Kali default network manager to set up DNS ❌
  4. Tried nmcli to set up ❌
  5. Tried manually using /etc/resolv.conf ❌

#

I hate the THM AttackBox. I am more comfortable doing boxes on my local machine.

quaint ether
prisma thorn
#

I tried to be productive today but wasted a lot of my time troubleshooting the DNS

#

Now I know why people say it's always the DNS

quaint ether
#

One of them respects the settings of resolv.conf

#

The other doesn't/others don't

#

If we could just figure out how to get the other system (the system curl and the browsers seem to rely on) to use the THMDC as their primary DNS provider, I suspect that would solve it

#

Right, just rejoined the Breaching AD room, subnet number 92, downloaded the ovpn file and connected. I can ping all the IP addresses listed on the main page, 10.200.92.101/201/202/248, but can't ping by host name or nslookup (haven't made changes to resolv.conf yet, so that's expected)

wooden minnow
#

You're in the same subnet as me.

quaint ether
#

Added the nameserver to resolv.conf, and I can nslookup thmdc. When I ping it, it attempts to ping the correct IP but there's a lot of packet loss. I can live with that for now though.

prisma thorn
#

DNS resolution is working?

quaint ether
#

Yes, but ping always worked for me once I added the nameserver to resolv.conf

#

ping and nslookup were fine

prisma thorn
#

Are you able to call FQDN in browser?

quaint ether
#

It does, and I don't know what's different today from previous days

prisma thorn
#

Damn

quaint ether
#

Yup

prisma thorn
#

Good for you. I am still unable to make it work

#

Can you share your /etc/resolv.conf last lines ?

quaint ether
#

Well, only kind of good for me; that I happened to not step on pavement cracks today is hardly a reliable solution 🤣

prisma thorn
#

🤣

quaint ether
quaint ether
#

Are you able to run the systemd-resolve command from the notes in task 1?

prisma thorn
#

No

quaint ether
#

"systemd-resolve --interface breachad --set-dns $THMDCIP --set-domain za.tryhackme.com"

prisma thorn
#

systemd-resolve not found

quaint ether
#

That's consistent with me

prisma thorn
#

However, I can restart the systemd-resolved service

quaint ether
#

So you can ping and nslookup by IP and hostname, but curl and browser access are not working?

prisma thorn
#

Yeah exactly

#

Can you give me output of this command

quaint ether
prisma thorn
#

cat /proc/sys/net/ipv6/conf/all/disable_ipv6

quaint ether
#

sudo resolvectl dns your_interface your_dns_ip

prisma thorn
#

Sure let me try

prisma thorn
#

Okay thanks

quaint ether
#

Just don't ask me to run "sudo rm -rf /", I'm very gullible...

prisma thorn
#

Hahaha

prisma thorn
quaint ether
#

Well, as I said, it just magically worked today

prisma thorn
#

What exactly did you do. Tell me all steps with commands

#

Maybe I can reproduce

quaint ether
#

All I did was connect to the VPN, vim into resolv.conf, add the nameserver, save it, and things worked better than they have so far

#

Prior to this I was in exactly the same position as you

prisma thorn
#

You added search "something"?

quaint ether
#

Could ping, nslookup, but no browser access

#

Nope

#

Just "nameserver 10.200.92.101"

prisma thorn
#

I am so done

#

I need to sleep

quaint ether
prisma thorn
#

Nah

quaint ether
#

I was going to suggest we could jump into a voicechat and screenshare to make sure we're in lockstep, but if you're needing sleep, go get some sleep

prisma thorn
#

Sure let's do it

prisma thorn
#

@quaint ether I found the issue.

#

sudo apt remove systemd-resolved

#

systemd-resolved was interfering with the name resolution

#

Using the basic NetworkManager worked fine

winter lion
#

Hey guys, I am not able to start the network. How long till it can reset?

#

Has the time run out and I am not able to access this room anymore?

wooden minnow
winter lion
wooden minnow
#

Does Ctrl and F5 do anything?

winter lion
wooden minnow
#

Might chuck you in a new subnet.

winter lion
#

okay, will try that

winter lion
winter lion
#

Guys, can I ask who's in charge of the breaching AD room network? It is still resetting....

wraith swan
wooden minnow
winter lion
wooden minnow
#

And select leave room

winter lion
wooden minnow
winter lion
slate swanBOT
#

Gave +1 Rep to @wooden minnow (current: #2 - 1832)

winter lion
#

New issue... having connectivity issues with the DC

#

I am able to ping it tho

wraith swan
winter lion
terse rapids
#

Hi everyone, I am facing an issue during DNS configuration; it still gives me an error

sage epoch
terse rapids
#

After configuring DNS I still have the issue

wraith swan
terse rapids
#

Still same

wraith swan
#

Make sure to set the DNS using the THMDC

#

IP addr

wraith swan
terse rapids
#

Yes machine is running

#

I am using web attack box

wraith swan
terse rapids
#

I have followed the steps that are in the instructions but am still getting the same issue

wraith swan
#

Show me your attackbox ip a

sage epoch
#

it's in the screenshot at the top

terse rapids
sage epoch
#

yeah you're not on the breachingAD vpn

#

did you start the attackbox from the breaching room?

sage epoch
#

and can you ping that IP

wraith swan
# terse rapids Yes

Hmm, I think you need to terminate the attackbox and start from the beginning 😅

sage epoch
#

your IP should be a 10.50 one

terse rapids
#

Let me start again

sage epoch
terse rapids
#

Thanks everyone issue resolved

#

Actually I was putting my attack box IP instead of the DC IP

gentle finch
#

Nice

winter lion
#

Guys why is this happening?

#

apologies in advance, I am a noobie

wooden minnow
terse rapids
#

Hi everyone, the network state of the lab is coming up as Resetting

#

Anybody know how much time it takes to get back?

wooden minnow
#

Which subnet?

winter lion
#

okay it does say connect request failed...

#

tftp -i (Resolve-DnsName thmmdt.za.tryhackme.com).IPAddress GET "\Tmp\x64{BFA810B9-DF7D-401C-B5B6-2F4D37258344}.bcd" conf.bcd <-- I tried this command but it's still not working

winter lion
stable thorn
stable thorn
#

Yeah. I am taking a break and gonna come back later today and see if it works when I start it up again.

sage epoch
#

just manually put in the IP address, and from my room when I did this, thmmdt was a .202 address. The .201 you had in your screenshot was thmiis.

stable thorn
sage epoch
stable thorn
#

I'm afk. Taking a break until later today. But the command was 'tftp -i 10.200.97.202 GET "\Tmp\x64{whatever my guid was}.bcd" conf.bcd'

#

I also tried the host name instead of the IP ('-i thmmdt.za.tryhackme.com') and the 'dns-resolve' method s4r4c3n showed

stable thorn
#

Update: after coming back the network had stopped; now that I started the network again, it worked fine...

terse rapids
#

Is the Breaching AD lab working?

#

I have been getting the Resetting state since yesterday.

woeful sail
wooden minnow
wooden minnow
woeful sail
slate swanBOT
#

Gave +1 Rep to @wooden minnow (current: #2 - 1846)

woeful sail
winter lion
# terse rapids

click on the cog in the top right corner, leave the room, and then after 15 mins join again.

winter lion
#

did anyone solve this issue?

#

I have had to look at writeups to fill in the answers to keep my streak up. It's actually doing my head in.

wooden minnow
winter lion
sage epoch
winter lion
terse rapids
#

What's the issue? I didn't get the breached interface

#

I am using thm attackbox

wooden minnow
#

ip a

sage epoch
# terse rapids

Can you paste the command you used (truncated in screenshot) - and confirm you used the correct IP address for THMDC. The command works just fine if you launch it from a terminal session on the Attackbox - the attackbox should be launched from the Breaching AD room itself to be safe.

slate swanBOT
#

Gave +1 Rep to @sage epoch (current: #295 - 15)

winter lion
#

haha

wraith swan
winter lion
snow pulsar
#

Hello guys, I hope you are all doing well. I am in the breaching AD room. I try to connect to the network with the OpenVPN client; it shows me that it is connected successfully, but when I go to check the access page I find that it is not connected. What can I do?

snow pulsar
wooden minnow
wooden minnow
snow pulsar
winter lion
#

Alhamdulilah. Got this step to work.

#

after a week of not using thm

#

it worked.

forest ore
#

Guys, how do I fix the "systemd-resolve not found" error when trying to configure the DNS in my Kali?

wraith swan
forest ore
wraith swan
#

I am using sudo nmtui: add my IP from the VPN, set the DNS with the THMDC IP, add 1.1.1.1 as Search; after that, sudo systemctl restart NetworkManager and look at /etc/resolv.conf

#

To make sure the setup is OK, try nslookup thmdc.tryhackme.com

agile kraken
#
root@ip:~# THMDCIP=10.200.92.101

root@ip:~# systemd-resolve --interface breachad --set-dns $THMDCIP --set-domain za.tryhackme.com

root@ip:~# ping $THMDCIP
PING 10.200.92.101 (10.200.92.101) 56(84) bytes of data.
64 bytes from 10.200.92.101: icmp_seq=1 ttl=127 time=1.39 ms
64 bytes from 10.200.92.101: icmp_seq=2 ttl=127 time=1.23 ms
64 bytes from 10.200.92.101: icmp_seq=3 ttl=127 time=1.28 ms
^C
--- 10.200.92.101 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 1.233/1.304/1.393/0.066 ms

root@ip:~# nslookup thmdc.za.tryhackme.com
Server:        127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
Name:    thmdc.za.tryhackme.com
Address: 10.200.92.101

root@ip:~# nslookup tryhackme.com $THMDCIP
;; connection timed out; no servers could be reached

I get this behaviour both on my Kali VM and on the Attackbox.
nslookup thmdc.za.tryhackme.com
works well but not
nslookup tryhackme.com $THMDCIP

Have I missed or misunderstood something?

wraith swan
civic axle
#

someone kindly walk me through this room in voc

latent stream
#

Hi guys! For me there's no breachad interface when I start the attackbox. And when I generate my OpenVPN config it is 0 bytes. Any help is appreciated!

wraith swan
latent stream
#

attackbox:

#

there is no breachad interface

uncut crystal
pallid vigil
#

I'm connected via VPN, I have the breach interface, I have added the DNS IPs and I still can't reach the DC

#

any suggestions?

stray cobalt
#

It's impossible to connect with OpenVPN because the [username]-breachingad.ovpn file is empty
It's also impossible with Attackbox because there's no breachad interface and the AD itself is on a different network (even ping doesn't work)

Is there any way to do this room? It seems like there are dozens of people with similar problems and not a single solution other than "wait a few days and try again"

old plinth
stray cobalt
old plinth
slate swanBOT
#

Gave +1 Rep to @stray cobalt (current: #1997 - 1)

old plinth
stray cobalt
old plinth
old plinth
stray cobalt
wanton loom
#

the vpn is empty wtf

brazen shale
hoary dagger
#

I've connected the VPN, configured the DNS, I can ping the DC, but it's not able to resolve the domain name.

wooden minnow
spark hollow
#

Hello all, I'm stuck with netcat, nothing seems to be caught with nc -lvp 389

#

Am I the only one?

#

root@ip-10-10-57-81:~/Rooms/BreachingAD/task3# nc -lvp 389
Listening on [0.0.0.0] (family 0, port 389)

#

nothing happens... 😦

wooden minnow
#

Why are you using port 389?

#

That requires sudo access

spark hollow
#

Well, maybe I'm wrong, but we're doing the LDAP pass-back attack here, and according to the lab we need to catch LDAP traffic by altering the Server input box on the web application to point to our IP

#

and the lab says:

#

[thm@thm]$ nc -lvp 389
listening on [any] 389 ...
10.10.10.201: inverse host lookup failed: Unknown host
connect to [10.10.10.55] from (UNKNOWN) [10.10.10.201] 49765
0?DC?;
?
?x
objectclass0?supportedCapabilities

#

"You should see that we get a connection back"

#

in my case nothing happens

#

root@ip-10-10-57-81:~# sudo nc -lvp 389
Listening on [0.0.0.0] (family 0, port 389)

hoary dagger
hoary dagger
oak jolt
oak jolt
#

How do I achieve sudo systemd-resolve --interface enumad --set-dns $THMDCIP --set-domain za.tryhackme.com on Kali Linux, preferably using the command line, since WSL lacks graphical interfaces?

molten kiln
pure elbow
#

Hi there, I can't join the room for some reason...

wooden minnow
pure elbow
#

Yeah, I have both 🙂

#

I was in the room yesterday, and today when I try to continue I was removed from the room and need to join to continue, but when I click on Join Room the page just reloads and still asks me to Join.

brittle raptor
#

Can someone help me with setting up DNS? This is how I set up my /etc/resolv.conf:

nameserver 10.200.75.101
nameserver 127.0.0.53
options edns0 trust-ad
search hgu_lan za.tryhackme.com

and when I try nslookup I get:

;; communications error to 10.200.75.101#53: timed out
;; communications error to 10.200.75.101#53: timed out
;; communications error to 10.200.75.101#53: timed out
Server:         127.0.0.53
Address:        127.0.0.53#53

** server can't find thmdc.za.tryhackme.com: NXDOMAIN
lone patrol
#

Hi, I have an issue with the task 4 web page.
As the screenshot above shows, I can ping and resolve, but the webpage isn't responding.
What can be done to resolve this?

wooden minnow
lone patrol
wooden minnow
#

Then you're good to go.

lone patrol
#

only 3 is working, but not 4

wooden minnow
lone patrol
molten kiln
#

does the network have the same IP for everyone?

wooden minnow
#

Everyone will be in different subnets.

molten kiln
#

ah

wooden minnow
#

I think you're in groups of a maximum of 5.

rocky compass
#

Hi there, I'm going step by step to configure the DNS

#

but nslookup thmdc.za.tryhackme.com does not resolve...

#

I'm using ElementaryOS as my OS, and I added the IP 10.200.XX.101 inside my NetworkManager, then restarted it with systemctl restart NetworkManager, tried nslookup thmdc.za.tryhackme.com and received the error message above ^^

#

What could I be doing wrong?

wooden minnow
rocky compass
slate swanBOT
#

Gave +1 Rep to @wooden minnow (current: #2 - 2078)

rocky compass
#

Who can help me vote to reset breaching-ad? 4 votes left...

rocky compass
#

How can the machine be reset without votes? Or when does the machine expire?

rocky compass
#

Hey, anyone who can give me a hand? I did the pinned post steps but the issue persists; any help would be appreciated

#

@wooden minnow can I DM?

wooden minnow
rocky compass
#

I did already @wooden minnow

wooden minnow
rocky compass
#

The nslookup DNS resolution is not working after adding the nameserver to the /etc/resolv.conf file, but I can reach the http://ntlmauth.za.tryhackme.com URL.... I really don't understand what is happening

#

I'm gonna try to run the script to see what happens

wooden minnow
rocky compass
#

It's cool..... but if you have a clue what could have happened in the first place I'd like to hear about that...

wooden minnow
#

It's just the nslookup being annoying, I remember one time when I tried it out, it would only be successful when done with sudo

torpid lintel
#

Hello guys, I'm doing the LDAP Pass Back attack, but when I launch the attack I obtain the following:

#

The user is not found in the database according to Wireshark log

#

But I cannot show you, since I cannot upload an image to the channel by clicking on the plus button

torpid lintel
noble ingot
#

I gave up, not able to find a solution

wooden minnow
#

For what?

noble ingot
wooden minnow
noble ingot
pulsar cloud
#

Hello guys! 👋

#

I'm having a problem with the DNS configuration debugging steps in task one, can anyone help with that?

wooden minnow
#

nslookup can still fail, but if you can go to the link in task 2/3 you should be fine.

#

If it still fails, you can give me your subnet and I can check if the services are running or not. 🙂

pulsar cloud
#

Alright

novel prawn
#

Hello!
I'm having a problem with the ldap (mis)configuration in task 4.
I'm trying to apply the olcSaslSecProps.ldif as described but without success.

This is before the application

ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: SCRAM-SHA-256
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5

This is after

ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN

Does anyone know how to get only

supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN

on Ubuntu?

muted kernel
#

Hello, I need help with debugging my DNS for this room.
I followed the pinned section of this channel and get the following error

wooden minnow
muted kernel
#

yup

#

surprisingly it is working now

#

I rebooted my system

delicate compass
#

guys

#

it says 0 streak required but I can't join

#

also, I can't find the servers

delicate compass
#

Anyone???

wooden minnow
delicate compass
wooden minnow
wooden minnow
delicate compass
wooden minnow
#

Once you join you can download the VPN

delicate compass
#

but this says, no streak required

wooden minnow
delicate compass
slate swanBOT
#

Gave +1 Rep to @wooden minnow (current: #1 - 2236)

ionic crystal
#

(started learning AD recently)

Hey guys,

In the breachingad room, per the guide we need to configure the DNS. As I'm running a web-based attack machine (Kali), the systemd-resolve and resolvectl commands are not found, nor are they installable (for obvious reasons, I think).

Any solutions? Correct me if I said anything wrong or am overlooking something.

ionic crystal
#

Tried the pinned suggestions, but I think the problem is that the commands do not exist to run. I'll try restarting the web-based attack box once

delicate compass
#

I downloaded systemd-resolved

#

but still it's not showing

#

anyone???

#

@wooden minnow

ripe hound
ripe hound
delicate compass
#

I am

#

connected via vpn

ripe hound
#

Can you show the output of /etc/resolv.conf?

#

wait

delicate compass
#

So, do I have to manually change everything according to the screenshot in the pinned message?

delicate compass
#

Alright, let me try

delicate compass
ripe hound
# delicate compass what's this second nameserver ?

I don't know, the author didn't specify; however, given the scenario, it's most likely a VMware virtual IP, to demonstrate that the THMDC IP needs to be at the top, and additionally you can add other DNS resolvers like 1.1.1.1, but only below the 10.x IP

delicate compass
ripe hound
delicate compass
#

I edited the file, still no luck

ripe hound
#

You're querying the wrong domain

delicate compass
ripe hound
#

and does leaving and reconnecting to the network resolve the issues?

delicate compass
#

nope, tried this 4 times

#

I think the only issue is

ripe hound
#

noticed we had the same 10.x, the network is resetting now

#

Since 4 people already voted, I assume you're not the only one facing this issue

delicate compass
#

still the same issue

delicate compass
#

this shit is ridiculous

wooden minnow
#

Systemd is deprecated.

#

Please use the steps in the pinned post to connect.

#

Please state your subnet so I can check the services

mellow basin
mellow basin
wooden minnow
#

But it hardly works now that it's not needed

delicate compass
#

Guys, I am not able to connect to this RDP; it just prompts me to enter the password every time

ionic crystal
#

@delicate compass did you resolve the network setup issue?

#

QQ - why does it show "1 days of access left" on this room? even though I have a subscription

wooden minnow
ionic crystal
#

What if I failed to complete the room before the mentioned time and I want to take part later?

wooden minnow
#

You're free to re-join.

ionic crystal
slate swanBOT
#

Gave +1 Rep to @wooden minnow (current: #1 - 2245)

delicate compass
ionic crystal
#

cool

analog anvil
#

ntlm_passwordspray python file error while running

mild dragon
#

Hello everyone, I have a problem with task 3 "NTLM Authenticated Services". I have put these lines into /etc/resolv.conf:
search za.tryhackme.com
nameserver 10.200.55.101

and nslookup output is:

nslookup thmdc.za.tryhackme.com
Server: 10.200.55.101
Address: 10.200.55.101#53

Name: thmdc.za.tryhackme.com
Address: 10.200.55.101

#

Can anyone help me with this problem??

wooden minnow
#

Are you using the breached VPN?

mild dragon
wooden minnow
#

Can you double check you're not using https

wooden minnow
mild dragon
#

and got server not found

wooden minnow
mild dragon
#

I'm waiting for the network reset and will try again

mild dragon
mild dragon
hoary vale
#

No matter what I do, I can't get a tftp connection in Task 6!
Like many people here, I'm getting a "connect request failed" response.
I'm using the AttackBox and referring to the IP provided for THMDC in the network diagram

drifting cosmos
#

Guys, I can't connect to the first challenge though I set up DNS correctly.

┌──(kali㉿kali)-[~/Desktop]
└─$ dig ntlmauth.za.tryhackme.com

; <<>> DiG 9.19.19-1-Debian <<>> ntlmauth.za.tryhackme.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52820
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ntlmauth.za.tryhackme.com.     IN      A

;; ANSWER SECTION:
ntlmauth.za.tryhackme.com. 0    IN      A       10.200.26.101

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Jun 09 10:30:18 EDT 2024
;; MSG SIZE  rcvd: 70

wooden minnow
drifting cosmos
#

Nah, I guess you are mentioning http://printer.za.tryhackme.com/settings.aspx. I can't reach it as well

wooden minnow
#

How are you connected?

#

Check the pinned posts and connect that way

drifting cosmos
#

Tried everything mentioned. Nothing works

#

I suggest you remove this room so nobody wastes their time

wooden minnow
drifting cosmos
#

There's no doubt the room works but I'm just giving up.

#

Imagine a machine that has no open port 80 and a room that suggests connecting to it 😂 😂 😂

┌──(kali㉿kali)-[~/Desktop]
└─$ rustscan -a 10.200.26.101  --ulimit 5000 -- -sV -T4 -sV -Pn -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.200.26.101:22
Open 10.200.26.101:53
Open 10.200.26.101:88
Open 10.200.26.101:135
Open 10.200.26.101:139
Open 10.200.26.101:389
Open 10.200.26.101:445
Open 10.200.26.101:464
Open 10.200.26.101:593
Open 10.200.26.101:3389
Open 10.200.26.101:5985
Open 10.200.26.101:9389

wooden minnow
drifting cosmos
wooden minnow
#

It's a network, it runs 24/7, so it stops now and then to save resources

drifting cosmos
wooden minnow
#

What does it say there?

drifting cosmos
wooden minnow
#

It's not active now though.. 😄

drifting cosmos
#

Because I scanned it almost 1 hour ago

wooden minnow
#

I can only tell you what I'm looking at, and the scanner is saying they're inactive.

drifting cosmos
#

This full terminal output should be enough to convince you that it was active when I scanned

wooden minnow
#

And I have access to the scanners on the network granted by staff... 😎

#

They're all inactive.

drifting cosmos
wooden minnow
#

You need to be verified.

unkempt wrenBOT
drifting rain
#

@tight sleet ping?

#

Check that your network is still up, you'll need to look up the MDT server for the UUID

#

As this is a simulation

tight sleet
#

Hey guys, I'm in the room "Breaching Active Directory" and cannot solve the following two issues:
Task 6: I try to download a file via tftp and get an error every time. Yesterday and today:
"connect request failed"
I couldn't solve it. The IP of the server was 10.200.24.202. This was shown in the network diagram and provided by nslookup. Ping worked as well. + the link of the x64…bcd showed another name than the one the link was referring to.

Task 7:
The ssh connection to ssh thm@THMJMP1.za.tryhackme.com is established and working.
When I try to download the McAffee-db.mdb file, I always get the error "broken pipe".
I use the following command:
scp thm@THMJMP1.za.tryhackme.com:C:/ProgramData/McAfee/Agent/DB/ma.db .

Any ideas?
Many thanks

drifting rain
#

Broken pipe usually indicates a connection error

#

Refresh the room page and make sure the network isn't stopped

#

Also try the tftp from the jump host

tight sleet
#

OK. The network is shown running. And I'm also connected via ssh to the thmjmp1 and can navigate through the directories

drifting rain
#

Scp should work then

tight sleet
#

When I perform an nslookup on the local bash, I get the IP of the server:
nslookup thmjmp1
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: thmjmp1.za.tryhackme.com
Address: 10.200.24.248

drifting rain
#

Looks alright

tight sleet
#

I've read something about checking the config files of ssh, but I'm not really experienced yet.

drifting rain
#

You set up your own DNS?

tight sleet
#

No, I'm using the thmdc

#

and the attackbox

drifting rain
#

Ah ok

#

Can't check at the moment, not on a PC

#

Try again I guess?

tight sleet
#

No problem. I'll have to leave now anyway. If you find some time later, it would be very nice if you could check whether it works for you.
Here's the link to the room: https://tryhackme.com/r/room/breachingad

drifting rain
junior geyser
#

I had a similar issue in task 7 last night. My ssh connection to THMJMP1 was disrupted after task 6 and I couldn't ping the machine. After the network reset, I could ping the IP displayed in the network diagram for THMJMP1 (10.200.55.248), however nslookup revealed a different IP for the same machine (10.200.115.248). Ended up ssh'ing into 10.200.55.248 to get it done, but wonder what could have caused that.

tight sleet
#

Thanks JM for your input as well. I'm back now and will try to figure it out.

tight sleet
#

Now, I was able to transfer the bcd file from task 6. There was a c&p issue in the file's name ({ was replaced by %). So I'll first finish this one and then start over with task 7 again.
Good to know that an error in the file's name will result in a "connect request failed" error, which felt more like it pointed in the direction of an existing connection issue.

tight sleet
#

I didn't get the copy of the db.mdb to run. I've tried to create a config file in the root directory for ssh. Contents:
Host *
ServerAliveInterval 60
ServerAliveCountMax 30
I'm not deep enough into it.
Any ideas?

tight sleet
#

The scp command worked now.
The problem was that I directly followed the guideline 1:1, not realizing that I would need to open another bash to perform the scp command in there. I navigated, as shown in the screenshot on task 7, to the folder where the db is located and ran the scp command from there. So it would have overwritten the ma.db in this location. This resulted in the error "broken pipe".
Many thanks for your help guys. 👍

echo compass
#

Hey I'm having an issue with Task 6

#

Steps aren't that complex and I've looked at three writeups, but the bcd transfer request fails every time

#

Filename is copy/pasted, IP matches the diagram and nslookup, and I'm using the attackbox for convenience

#

Even tried adjusting syntax, removing the brackets, // at beginning and nothing

echo compass
#

And after a network reset

#

I seem to be having a similar issue to DeepFakeNein but my c&p does not have an error in it that I can see

echo compass
drifting rain
#

there's a jumphost machine that you can connect to

echo compass
#

Yeah, I already ssh'd into that, that seems to be one of the normal steps, unless you're referring to something different

#

?

echo compass
tough cedar
#

Yeah, the room states it can take over 10 minutes for that to occur. Were you experiencing longer wait times than that?

outer ridge
#

At the same time, I'm having an issue with downloading BCD file in task 6. Receiving "Connect request failed", did anybody get the same issue?

onyx sphinx
#

<resolved>

vast garden
#

Can anyone help me here?
I can't connect to the jmp1
Error is could not resolve hostname … : name or service not known
My DNS is working and I can ping the DC

wooden minnow
#

What's your subnet?

vast garden
delicate compass
#

Guys, I am not getting anything on my responder. I am connected very well and able to ping and perform nslookup and everything

#

Also, is it OK if Responder has a TCP server running on port 53?

delicate compass
#

Anyone??

old plinth
delicate compass
#

its working now, lol

old plinth
valid canopy
#

Can you check if the subnet is active (10.200.42.101)? @old plinth

wooden minnow
valid canopy
wooden minnow
#

I've checked the subnet. Everything is active.

valid canopy
valid canopy
past rose
#

I am not able to ping the domain controller from the attackbox

#

any one

trim mica
#

¯\_(ツ)_/¯

#

mostly fixed by network reset

#

sometimes fixed by following the early tasks steps

tough cedar
#

I started the network (it was stopped for me) and followed the steps in task 1, including the nslookup step, and I'm good to go.

#

*from the attack box.

wooden minnow
#

Sometimes not fixed, as it's Windows.

silent pewter
#

Hi! I am configuring the network and I still get an error on the DNS, and I can't see where I did something wrong. I'm using my own Kali with VPN

#

it seems to not work on nslookup tryhackme.com

#

and I've read the pinned messages tho

#

and I can access the NTLM URL, so maybe everything is fine?

wooden minnow
#

NSlookup is not essential.

mossy silo
#

Hi! Like many other people, I'm stuck on step 1. I'm currently using attackbox (launched from the room) and am running into the unknown interface problem. Looking at the NetworkConfigs folder on the desktop it looks like the vpn file is empty

#

Ping doesn't work either (probably because the VPN isn't working properly)

silent pewter
#

@wooden minnow managed to make it work finally, just don't ask how as I don't know hahaha
@mossy silo did you properly add the DNS to your connection and restart the network manager?

mossy silo
#

Yes, it didn't do anything

silent pewter
#

can you cat /etc/resolv.conf please?

mossy silo
#

okay now I can post images lol

silent pewter
#

Did you check that it was the right IP? No typo?

mossy silo
#

Yup, that's the one

#

and can't ping either like I should allegedly be able to do

#

like, is this supposed to be empty?

#

it shouldn't be, right?

#

but that's how it's generated every time i launch the attackbox

silent pewter
#

it shouldn't, you'll have to download another vpn configuration, try regenarating it

mossy silo
#

deleting the file and restarting the attackbox causes it to regenerate as empty again fwiw
whoever owns the room might want to note that down as a bug :)

silent pewter
#

oh, you're on an attackbox, you don't need the VPN for that I think

mossy silo
#

yeah allegedly

#

still running into the same issues though lol

wooden minnow
#

You do need the VPN file for the attackbox

#

It's already running

#

You get a 401, so chances are you'll get the right link to work (printer)

mossy silo
#

okay yeah regenerating the VPN and running it manually works

#

so I guess whatever issue is causing it to generate as blank on the attackbox should probably be noted

#

because otherwise it's just not gonna work when the machine tries to run it automatically

paper spruce
#

Need help on Responder, still can't capture hashes; is the box busted?

silent pewter
#

@paper spruce hiya! same thing, I've been waiting for 30 min, just restarted the network

wooden minnow
#

I can't see it.

paper spruce
#

just started it again

#

nice got the hash hahah thanks

wooden minnow
#

There we go!

gilded nimbus
#

Hi I am having an issue since yesterday

#

to connect to the room's network

#

anyone can help please?

prisma thorn
#

Hey, I am new to AD, not able to connect to it properly

#

I am able to ping the DC but not able to resolve the DNS service on it

#

@phill

#

@thorn coral Here We Go

thorn coral
#

Oh, thanks!

quasi dome
#

?

thorn coral
quasi dome
wooden minnow
#

Check the pins.

quasi dome
prisma thorn
#

Hey @wooden minnow, I found the easy best way to get rid of that DNS problem. I am giving the solution; if you find it helpful, pin the message

#

To set up DNS in Linux follow the steps:

  1. Start the network and download the OpenVPN (ovpn) file.

  2. Connect to the network domain controller using OpenVPN.

  3. Now run the following commands to configure DNS:

    sudo apt install resolvectl -y
    sudo resolvectl dns breachad <DC-IP>
    sudo resolvectl domain breachad za.tryhackme.com

  4. After this is done, open the /etc/resolv.conf file and add nameserver <DC-IP> above all non-commented entries.

  5. All set!! To confirm, run nslookup or try visiting the NTLM authentication web page in Task 3, URL: http://ntlmauth.za.tryhackme.com/.

wooden minnow
#

That's just my post with extra unneeded steps.

prisma thorn
#

Didn't mean to say you are wrong, but when I yesterday just changed the file and tried, I was unable to do it. I had to run these resolvectl commands too

wooden minnow
#

But if it works, it works.

valid canopy
#

If that doesn't work either, add your server to the hosts file

elder arch
slate swanBOT
#

Gave +1 Rep to @valid canopy (current: #2196 - 1)

valid canopy
atomic pond
#

Hey @wooden minnow , how do I contact support. This is urgent as I've only three days access to the breaching ad network. Email will take time.

wooden minnow
#

You're removed from the room as it's a network room, so it runs 24/7. The x-day removal is for people who may complete the room and then forget to leave. These machines don't behave like the normal room machines do (they don't shut down after a timer)

wooden minnow
winter zenith
#

I am having issues as I can't ping the THMDC from Attackbox and VPN

ping 10.200.32.101

I left the room multiple times and rejoined to get different subnets, but the same issue still persists despite following the pinned post

winter zenith
storm sandal
#

nvm, I had setup dns provider to 1.1.1.1 in chrome. It works now when I update the option to OS default...

obsidian wind
#

Good morning! I've been trying to start the Breaching AD room, but I can't get past Task 1. :/ At first I couldn't even do the first command, but I did download the OpenVPN file and was able to do the systemd-resolve command, but I can't nslookup, it just fails. (See screenshot.)

I've tried to update /etc/resolv.conf as shown in the following messages, but I just get ;; Got SERVFAIL reply from 127.0.0.53, trying next server. :/ My resolv.conf is:

nameserver 10.200.157.101
nameserver 127.0.0.53
options edns0
search eu-west-1.compute.internal za.tryhackme.com

I've added the first nameserver to match the IP of the THMDC from the room. I have tried to leave the room, for more than 5 minutes, and coming back; but I still can't get it to work. :/ Any help would be much appreciated!

wooden minnow
#

nslookup isn't required.

#

If you can visit the link in Task 3/4 you're good to go

obsidian wind
obsidian wind
#

Any other tips to resolve the issue?

stoic ivy
#

Same, I have tried everything that's mentioned above! Still stuck

prisma thorn
#

For any poor souls trying to get this incredibly confusing room to make sense and actually access the machines, here's my /etc/hosts file:

#

and my /etc/resolv.conf file:

search localdomain
nameserver 10.200.55.101
nameserver 1.1.1.1

woeful sail
# obsidian wind If anyone has any insight/tips/fixes it'd be much appreciated. I've been stuck o...

Even if you use the AttackBox, you have to download the VPN config file for the Breaching AD network.
The VPN gives you an interface called breachad; with that you should be able to ping the DC (make sure the network is running).
If that does not work, leave/join the network, possibly multiple times; wait some minutes (15?) before joining back.
Read the Pinned Message for #breaching-ad.
Consider sharing what did work and what did not work for you: that will help the community.

woeful sail
# obsidian wind Oh, one thing I just remembered, I did try to ping THMDC's IP address last night...

That is what I am struggling with right now.
I had left the network to come back after only 5 minutes: same issue.
Now I have left again and will wait 15 minutes.
I'll keep you updated.
About this message you posted: #breaching-ad message : I have not come as far as Tasks 3 & 4 up to now. The suggestion from @prisma thorn is the obvious work-around (I have seen similar messages for this or other networks to fix DNS); I'll see how it goes.
Right now, I am using the AttackBox.

obsidian wind
# woeful sail that is what I am struggling with right now I had left the network to come back...

I've decided to retry this morning, but when I went to download the VPN file from the Access page, I decided to try the Regenerate option before downloading and it seems to have worked. So my steps were:

  1. Start the network
  2. Wait until the Network Time reached at least 5 minutes.
  3. Start the Attack Box
  4. On the Attack Box:
  5. Confirm that the breachad interface was not there.
  6. Follow the pinned message: #breaching-ad message by adding the nameserver entry with THMDC's IP at the top of /etc/resolv.conf.
  7. Do nslookup thmdc.za.tryhackme.com -> Which returned the result in my screenshot.
  8. Go to http://ntlmauth.za.tryhackme.com and did get prompted for credentials.

The gist of it seems that my issue stemmed from the OpenVPN connection file being borked for some reason. 🤔

woeful sail
# obsidian wind I'm continuing mine, but if I can somehow help; why would I say no? 😛 So you go...

Not that far: I regenerated the VPN config as per your procedure, then launched the VPN with openvpn and got the Initialization Sequence Completed result, which gives me a breachad interface.
I observe a difference today from previous instances of openvpn: usually, after Initialization Sequence Completed I get a few lines of additional output, but not today.
And the issue is that I cannot ping the DC, so there's no point going to /etc/resolv.conf at this stage.

obsidian wind
#

It has gone down to 1h 25m, so I assume it's not dead. 😛

#

Now if I can get past the Python error... haven't really had my hand in Python much before... 😛

[*] Starting passwords spray attack using the following password: Changeme123
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/urllib3-1.26.12-py3.6.egg/urllib3/connection.py", line 175, in _new_conn
    (self._dns_host, self.port), self.timeout, **extra_kw
  File "/usr/local/lib/python3.6/dist-packages/urllib3-1.26.12-py3.6.egg/urllib3/util/connection.py", line 72, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/usr/lib/python3.6/socket.py", line 745, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -2] Name or service not known
woeful sail
# obsidian wind I actually just did `python` with what they had in the example and it worked. 🙂...

At last I got my DC to react to ping:

  • I am using my Kali VM
  • To check my sanity, I left Breaching AD and started 2 other AD networks (Lateral Movement and Pivoting, Enumerating Active Directory) and confirmed there that I could ping the respective DC
  • By that time, about 15 minutes must have passed, and I rejoined Breaching AD
    I have set up DNS as per the instructions
    I have reached the same point that you did: I can browse ntlmauth.za.tryhackme.com and printer.za.tryhackme.com
kindred olive
#

Hi all, I keep getting this error message when using the attack machine:

#

systemd-resolve --interface breachad --set-dns 10.200.20.101 --set-domain za.tryhackme.com
Unknown interface breachad: No such device

#

I've added breachad into the /etc/hosts file against my IP address on the attack machine.

kindred olive
#

Hi, can anyone help?

#

network is unpingable now

#

┌──(kali㉿kali)-[~]
└─$ ping 10.200.80.101
PING 10.200.80.101 (10.200.80.101) 56(84) bytes of data.

#

┌──(kali㉿kali)-[~]
└─$ nslookup tryhackme.com 10.200.80.101
;; communications error to 10.200.80.101#53: timed out
;; communications error to 10.200.80.101#53: timed out
;; communications error to 10.200.80.101#53: timed out
;; no servers could be reached

tacit zodiac
#

I had the same issue in the AttackBox and I just fixed it.
The problem is with the empty VPN config files in /root/Desktop/NetworkConfigs.
So to fix it, follow the steps below:

  1. Start the AttackBox
  2. Go to https://tryhackme.com/r/access, select the breachingad VPN server and click on Regenerate. Now download the config file.
  3. Open breachingad.ovpn in /root/Desktop/NetworkConfigs; you may notice an empty config file. If that's the case, copy-paste the contents from the recently downloaded config file.
  4. Run the command sudo openvpn breachingad.ovpn
  5. Run the command given in the room, i.e. systemd-resolve --interface breachad --set-dns $THMDCIP --set-domain za.tryhackme.com

regal juniper
#

Hello, can someone help? I get
nslookup tryhackme.com 10.200.25.101
;; connection timed out; no servers could be reached

#

using the attack box

#

but ping 10.200.25.101 is working


regal juniper
#

I added the nameserver with sudo nano /etc/resolv.conf but I'm still having the issue

regal juniper
#

nslookup tryhackme 10.200.54.101
Server: 10.200.54.101
Address: 10.200.54.101#53

** server can't find tryhackme.eu-west-1.compute.internal: SERVFAIL

#

HELP SOMEONE ?

regal juniper
#

HELP ?

regal juniper
#

└──╼ $nslookup tryhackme.com 10.200.25.101
;; communications error to 10.200.25.101#53: timed out
;; communications error to 10.200.25.101#53: timed out
;; communications error to 10.200.25.101#53: timed out
;; no servers could be reached

┌─[✗]─[parrot@parrot]─[~]
└──╼ $nslookup tryhackme.com 10.200.25.101
;; communications error to 10.200.25.101#53: timed out
^C
┌─[✗]─[parrot@parrot]─[~]
└──╼ $ping 10.200.25.101
PING 10.200.25.101 (10.200.25.101) 56(84) bytes of data.
64 bytes from 10.200.25.101: icmp_seq=1 ttl=127 time=97.3 ms
64 bytes from 10.200.25.101: icmp_seq=2 ttl=127 time=98.6 ms
64 bytes from 10.200.25.101: icmp_seq=3 ttl=127 time=101 ms
64 bytes from 10.200.25.101: icmp_seq=4 ttl=127 time=109 ms
^C
--- 10.200.25.101 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 97.329/101.487/109.223/4.629 ms
┌─[parrot@parrot]─[~]

#

Tried this time with my Parrot VM, but the nslookup command never works for me.

wooden minnow
#

Don't worry about nslookup.

#

If you can get the URL in Task 4 to open in the browser, you're fine.

regal juniper
#

thanks, it works

coarse parcel
#

```
└─# nslookup tryhackme.com 10.200.26.101
;; communications error to 10.200.26.101#53: timed out
;; communications error to 10.200.26.101#53: timed out
;; communications error to 10.200.26.101#53: timed out
;; no servers could be reached
```

Why is it not working?
https://tryhackme.com/r/room/breachingad
wooden minnow
#

Check the pins.

coarse parcel
# wooden minnow Check the pins.

1) Download your VPN. 2) Connect to it as normal (probably best you turn off the normal or VIP THM VPN). 3) When connected, use the command sudo nano /etc/resolv.conf; your conf should look like the attached screenshot. The IP will come from 10.200.xxx.101, where the x's are your subnet; this can be obtained from the THMDC. 4) Place the nameserver at the top, above all others; only then will nslookup work.

You mean this? I already added the THMAD and 1.1.1.1 DNS to my NetworkManager

#

10.200.26.101, 1.1.1.1, like this, in the additional DNS server option

wooden minnow
#

Did you add in the nameserver?

coarse parcel
#

```
nameserver 10.200.26.101
nameserver 1.1.1.1
```

It's currently like this