#breaching-ad
Can you visit the link in Task 4?
```
└─# nslookup tryhackme.com 10.200.26.101
;; communications error to 10.200.26.101#53: timed out
;; communications error to 10.200.26.101#53: timed out
;; communications error to 10.200.26.101#53: timed out
;; no servers could be reached
┌──(root㉿kali)-[~]
└─# nslookup tryhackme.com
;; communications error to 10.200.26.101#53: timed out
;; communications error to 10.200.26.101#53: timed out
;; communications error to 10.200.26.101#53: timed out
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
Name: tryhackme.com
Address: 104.22.55.228
Name: tryhackme.com
Address: 104.22.54.228
Name: tryhackme.com
Address: 172.67.27.10
;; communications error to 10.200.26.101#53: timed out
;; communications error to 10.200.26.101#53: timed out
;; communications error to 10.200.26.101#53: timed out
Name: tryhackme.com
Address: 2606:4700:10::ac43:1b0a
Name: tryhackme.com
Address: 2606:4700:10::6816:37e4
Name: tryhackme.com
Address: 2606:4700:10::6816:36e4
```
/etc/resolv.conf ->
```
# Generated by NetworkManager
nameserver 10.200.26.101
nameserver 1.1.1.1
```
I can visit over 1.1.1.1 or 10.0.2.2
Can you visit this link?
I check all services on your subnet and they're all running.
I am checking
Yes I can, that's the printer setting
Then you're good to go, nslookup isn't needed.
Why were those domains and DNS not resolving?
Changes made so they work sporadically, it's not THM's fault
okkk
thanks bro
Gave +1 Rep to @wooden minnow (current: #1 - 2800)
```
└─# tcpdump -SX -i breachad tcp port 389
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on breachad, link-type RAW (Raw IP), snapshot length 262144 bytes
```
Nothing is showing in tcpdump
http://printer.za.tryhackme.com/settings
Did you configure the LDAP properly?
Means?
Did you configure, and start the LDAP server properly?
And set it up for plain text etc.
yes
yes
Is the interface called breachad, yes?
Were you able to fix the communications error? I have the same problem using Kali, but with the AttackBox it's working
yes
Can you share pls?
I installed VBox Kali and changed the nameserver to:
```
# Generated by NetworkManager
nameserver 10.200.26.101
nameserver 1.1.1.1
```
Also enable the THM VPN
In my main Linux I use smart DNS, so it was causing the problem. That's why I installed VBox Kali
There are two kinds of VPN. The other one is network. Try that
I see, will try, thank you
Gave +1 Rep to @coarse parcel (current: #2243 - 1)
Anyone know if it's possible to run responder through a pivoting tunnel, like ligolo-ng?
Never tried
In a lab where I've compromised a linux host connected to an internal network with an AD domain...so can't run responder directly from my attack box, and ssh tunneling doesn't do much good, since responder is run against an interface...
Are you using the attackbox for something else?
Hello, I'm connected to the network, pinging the DC works but nslookup tryhackme.com <DC IP> doesn't work!
I did add the DC IP into the DNS config
Does anyone know what the problem could be? Maybe a reset?
You do not need nslookup tryhackme.com for the room
I am not able to join the breaching ad room, neither I can see it in my access page
Do you have a streak of > than 7?
Yeah can't access it due to streak thing
Intentional.
Someone pointed it out in other channel
Hello @woeful sail
This does not make sense for me.
When I saw that in the screenshot provided by THM, the username hollie.powell should work
I'll have a look
Worked for me
Not sure what the issue can be
here is my command, compare character per character with yours:
python ntlm_passwordspray.py -u usernames.txt -f za.tryhackme.com -p Changeme123 -a http://ntlmauth.za.tryhackme.com
python3 ntlm_passwordspray.py -u usernames.txt -f za.tryhackme -p Changeme123 -a http://ntlmauth.za.tryhackme.com/
got it
you are the best thank you
Hello, working on this room and having trouble using the AttackBox to listen on port 389. I disabled the slapd service and I can access things via hostname.
```
root@ip-10-10-139-242:~# service slapd stop
root@ip-10-10-139-242:~# nc -lvp 389
nc: getnameinfo: Temporary failure in name resolution
```
Anyone that can provide assistance on this?
@teal acorn I had the same problem with netcat and figured it out. I can help you out if you still need it
Hello I actually have the same issue and still didn't get how to solve it. I have this same issue on the lateral-movement-and-pivoting-room but I assume the technique to solve it is the same, feel free to dm me in case you can help 🙂
I made a guide to help you resolve the first issues in Breaching AD:
Guide: Configuring a Kali Linux Machine for TryHackMe VPN and DNS Issues
This step-by-step guide will help anyone using their own Kali Linux machine to properly configure the network and resolve DNS issues while connected to the TryHackMe VPN.
Step 1: Connect to the TryHackMe VPN
Make sure to download and start your VPN connection using the .ovpn file provided by TryHackMe.
Step 2: Configure DNS with resolvectl
To properly set up the DNS for the TryHackMe network:
Assign the TryHackMe DNS server:
resolvectl dns breachad "YOUR THMDC IP"
Set the domain name for the network:
resolvectl domain breachad za.tryhackme.com
Step 3: Update /etc/hosts File
Edit the /etc/hosts file to hardcode specific domain entries:
sudo nano /etc/hosts
Add the following lines:
10.200.55.101 thmdc.za.tryhackme.com
10.200.55.201 ntlmauth.za.tryhackme.com
10.200.55.201 printer.za.tryhackme.com
Save the file (Ctrl + O, then Enter) and exit (Ctrl + X).
Step 4: Update /etc/resolv.conf File
Ensure the correct DNS server is listed in /etc/resolv.conf with the following configuration:
sudo nano /etc/resolv.conf
Replace the content with:
```
nameserver 10.200.55.101
nameserver 127.0.0.53
options edns0 trust-ad
search lan
```
Make sure the IP of THMDC is the first nameserver (at the top of the file)
Step 5: Refresh Package Manager
To test the setup and ensure the network is properly configured, update your system:
sudo apt update
Key Notes
Always ensure you are connected to the VPN before running any of the steps.
The resolvectl commands will configure your DNS settings dynamically, but you must keep your /etc/hosts and /etc/resolv.conf files updated for specific entries.
If any domain is still not resolving, double-check the entries in /etc/hosts and /etc/resolv.conf.
That's all
😀
Hello
I am trying to do the LDAP pass-back attack in the https://tryhackme.com/r/room/breachingad room, I am using the AttackBox
The tcpdump request is not coming
When I use the command
```
ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
```
I get this output:
```
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
```
The connection is dropped with nc but the tcpdump content is not coming, can you help me?
Do you have a 7 day streak, or are you a subscriber?
Hello,
I am resolving the room https://tryhackme.com/r/room/breachingad, in the login section it tells me to enter the command "systemd-resolve --interface breachad --set-dns $THMDCIP --set-domain za.tryhackme.com". I enter the IP address given in the room instead of THMDCIP, but there is no breachad in the interface section. I use the AttackBox, I used the AttackBox in the previous rooms, and in those, when I ran ifconfig, the interface section was showing breachad; now it is not showing. I closed and opened the AttackBox several times but the problem did not change
I'm having this same problem
I'm having the same issue too, any solution?
If there is no breachad network adapter, download the VPN config file from the Access page for the Breaching AD network and run openvpn <VPN config file>
Doing ip a will display the breachad interface that will allow you to ping the DC
If that fails, regenerate the config file and try again
@pliant turtle @plain blade
In my case, if I click on the initial Join To Room, the button doesn't work and the room doesn't start.
you need to be a subscriber or have a 7-day streak to join any THM network
No, in this case I can see 0 streaks needed
You need a 7 day streak for non subscription users.
Hello. It doesn't work for me. The specified IP address resets automatically... After running the command -> systemd-resolve --interface lateralmovement --set-dns 10.200.48.101 --set-domain za.tryhackme.com
Hello
I'm currently facing this
I don't know how to solve it
have you done sudo systemctl restart NetworkManager?
Yeah, still the same
can you ping 10.200.55.101?
Host unreachable
that address is the DC and DNS server
regenerate your VPN, download and run with openvpn
make sure it is different from the previous VPN file (you can compare the hashes of both files to make sure they are different)
You don't need to nslookup.
There is no breachad network adapter from vpn download, can someone help me?
Hi, this occurs when you are no longer joined in the room's network (or have not joined the room yet). Leaving the room and rejoining it will make it appear for the ovpn file. 🙂
Hi, how do I open the Breaching AD network?
Are you a subscriber, or a free user with a streak >= 7?
Ok, can you verify and show a screenshot?
Ah, you need to use options and leave the room, and re-join in 15 mins
@crimson dirge Is it yourself we still ping about network subnets?
Hey, could you try clearing your browsers cache or using an incognito tab?
Breaching AD, Enum AD, Wreath, all the network VPNs are not connecting and timing out for me. Tried regenerating but it didn't work. BTW I am on an M2 MacBook
You'll be better off installing brew, then installing OpenVPN on the CLI via brew and running it there.
Thanks, this solved the problem.
cc: @woeful meadow
Gave +1 Rep to @wooden minnow (current: #2 - 3537)
appreciate it man! I will try it out!
Hello, the network is not opening, saying "Failed to start the network"
If @admins could please check
I can't attach SS here
Hi, when I do the ldapsearch command to verify the rogue LDAP server's configuration, I don't have the PLAIN and LOGIN
I had the same issue. Restarted the room from scratch, followed the exact steps without improvising and it finally worked.
Have you joined the room?
Hello everyone here
I had the same issue as this one while trying to configure with the ldif file, and it outputs to me:
```
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
```
I do not know what I am missing now, it seems somehow the slapd service is not reading or writing the new ldif file configuration to the rogue LDAP server
If anyone has any idea how to solve this it would be appreciated
Thanks in advance
Gave +1 Rep to @delicate ore (current: #2914 - 1)
I should be getting an actual webpage for the printer in Task 4, right? I've unjoined and rejoined the room, can ping the network, DNS resolves correctly, the NTLM auth popup from Task 3 worked just fine. What have I overlooked? Or, should I try resetting/unjoining? Thanks for any suggestions!
nm. Something reset, my nameserver was missing again.....😕
Hey guys, I have a problem with the Breaching Active Directory room and whatever I do I cannot resolve the za.tryhackme.com domain from the THMDC IP address, it always responds with NXDOMAIN. Here are my commands and Kali network configuration state:
```
nslookup za.tryhackme.com 10.200.4.101
Server: 10.200.4.101
Address: 10.200.4.101#53
** server can't find za.tryhackme.com: NXDOMAIN
```
```
dig @10.200.4.101 za.tryhackme.com -type ANY
;; Warning, ignoring invalid type ype
; <<>> DiG 9.20.9-1-Debian <<>> @10.200.4.101 za.tryhackme.com -type ANY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7972
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;za.tryhackme.com. IN A
;; AUTHORITY SECTION:
tryhackme.com. 1102 IN SOA kip.ns.cloudflare.com. dns.cloudflare.com. 2374853812 10000 2400 604800 1800
;; Query time: 28 msec
;; SERVER: 10.200.4.101#53(10.200.4.101) (UDP)
;; WHEN: Wed Jun 11 14:18:27 EDT 2025
;; MSG SIZE rcvd: 122
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51458
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 1, flags:; MBZ: 0x5126, udp: 512
;; QUESTION SECTION:
;ANY. IN A
;; AUTHORITY SECTION:
. 86310 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2025061101 1800 900 604800 86400
;; Query time: 408 msec
;; SERVER: 10.200.4.101#53(10.200.4.101) (UDP)
;; WHEN: Wed Jun 11 14:18:28 EDT 2025
;; MSG SIZE rcvd: 107
```
And I can ping the host just fine
Hey guys, does the DNS of this box still work for anyone? If not, is there a way to find the ntlmauth.za.tryhackme IP address manually?
Everything works fine. I used the attackbox and followed the steps.
Oh really, so it must be some confusing problem with my Kali DNS then, I wasted too many hours trying to fix it
Thanks btw
Gave +1 Rep to @ivory spear (current: #47 - 198)
Fixed, just waited on the shutdown of the network
I am trying to do the Breaching Active Directory room... issues with resolving DNS to the DC and the NTLMauth URL.
Is there an issue atm?
My issues:
```
nameserver 10.200.26.101
nameserver 169.254.169.253
root@ip-10-10-26-77:~# nslookup thmdc.za.tryhackme.com
Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find thmdc.za.tryhackme.com: NXDOMAIN
root@ip-10-10-26-77:~# nslookup ntlmauth.za.tryhackme.com
Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find ntlmauth.za.tryhackme.com: NXDOMAIN
root@ip-10-10-26-77:~# ping 10.200.26.101
PING 10.200.26.101 (10.200.26.101) 56(84) bytes of data.
64 bytes from 10.200.26.101: icmp_seq=1 ttl=127 time=2.18 ms
^C
--- 10.200.26.101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.183/2.183/2.183/0.000 ms
root@ip-10-10-26-77:~# ping thmdc.za.tryhackme.com
ping: thmdc.za.tryhackme.com: Name or service not known
```
I tried to run the python script anyway and it failed:
python3 ntlm_passwordspray.py -u usernames.txt -f za.tryhackme.com -p Changeme123 -a http://ntlmauth.za.tryhackme.com/
This error happened a few times in the output of the terminal on the Attackbox.
Failed to establish a new connection: [Errno -2] Name or service not known
Are you in the same path as ntlm_pass[...] and username.txt?
Yes.
I was able to solve it. It was DNS... I had to edit the /etc/resolv.conf file directly and add the DC as the first line.
Really frustrating.
```
cat /etc/resolv.conf
nameserver 10.200.26.101   <<<< I added this line manually... the command in Task 1 did not work.
nameserver 127.0.0.53
```
I've made the same mistake
Thanks for chiming in... it feels good to make progress.
Gave +1 Rep to @languid sable (current: #664 - 9)
is anyone on here using macos & openvpn while having issues connecting to the THM network?
anyone know if this is a common error when trying to start the network, and if there's a fix client side?
I have never seen it before. I started the network just a few hours ago and it worked fine.
Hey guys, I've finally managed to fix my DNS issues for the room and decided to share it, it might be useful to you
Install resolvectl on Kali
and run
sudo resolvectl dns <tun interface> <dns server ip>
Installing this might break your normal DNS lookup; you can fix it by running the same command and putting in one of Google's or Cloudflare's DNS servers, e.g. 1.1.1.1
And if you run into any problems, just restart the systemd-resolved service with systemctl
👍
Hello, I don't see you currently joined to any instance of the breachingad Network?
Leaving and rejoining the room probably will solve it.
Thanks, fixed
I'm stuck in this Breaching AD room. I can't seem to get the DNS settings to work in the attack box. They were working the other day in my VM, but I can't use that right now. Any advice?
What box are you using?
Thanks for replying. I was using the standard attack box, not Kali. I added the DC IP to resolv.conf instead of resolv-dnsmasq like the tutorial recommended. Maybe I was just overlooking something obvious. But that worked enough for me to finish the room.
Yeah the DNS is tricky. I used a Kali VM with custom configs I found out how to set up by watching various YouTube videos
@dull wedge are you currently working through this room?
I finished it over the weekend as part of prepping for PT1
Oh, cool. I'm preparing for the CompTIA pentest+, and it's on that track. I'm on task 6.
The Microsoft Deployment Toolkit section. I've never heard of MDT before.
Guys, I have issues in the box. I have followed the steps but it shows an invalid DN error:
invalid DN
The TCP Stream of LDAP
Nahh, never mind, I tried a few more times and I got the password
Hey, I think something is wrong with my network. I just started this room and saw the reset count over 100. Not sure how it got there, but the network doesn't seem to want to work for me. First time I connected I was able to ping it and received smt. Now I can't despite being connected to the private network. The network has been in this resetting state for a few days now. Any ideas on how to resolve?
I suggest you leave the room via the Options button and join back a few minutes later. You will be assigned to a different network instance. If you land back on the same network instance, repeat the process but wait a bit longer
Ah okay, I will give that a shot later today. Thank you
Gave +1 Rep to @woeful sail (current: #13 - 645)
I have an issue. I am sure that I configured everything correctly, but when trying to test the connection from the printer webpage I am not able to get the password.
My DNS configuration is correct and I tested it. Moreover, when I also tried to test the connection using nc it doesn't work.
@woeful sail it's all right here
Trying to figure out what step he's on and remember how I did this room
Took a look at it but I'm out of time right now. If no one has answered this once I get back I'll look further into it
can you screenshot ping to printer.za.tryhackme.com from the terminal where you ran nc -lvp 389?
thanks
and 10.50.29.20 is the IP of your breachad interface, right?
Gave +1 Rep to @blissful quartz (current: #3163 - 1)
Right
I have just started redoing that task, but I am using THM AttackBox, and I did not have the problem
Yes, I do it in the AttackBox and it works, but on my own machine it does not. Now I tested this command to see if my local ldapd server is responding:
ldapsearch -x -H ldap://localhost -b "" -s base
and the output was:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I will try to fix the ldapd service it may cause the issue because it doesn't respond to printer packets, I saw in Wireshark they arrived but no response from my side.
Testing your local LDAP server would be useful beyond the step with nc, right? I mean after you have done the section "Hosting a Rogue LDAP Server"
I am going to formulate my idea, hopefully better:
If you can successfully run nc -lvp 389, that means port 389 is not used, hence no other server is in the way to capture your LDAP packets
Hence, maybe something else is in the way, like a firewall?
You are right I'll check.
Thank you, it works, I had forgotten the ufw firewall.
Gave +1 Rep to @woeful sail (current: #13 - 825)
Hi, can someone help me? I was trying to use the attack box but my DNS can't resolve the DC thmdc.za.tryhackme.com
Check that:
- you can ping the IP of the DC
- you have updated /etc/resolv-dnsmasq as per the room material, then do /etc/init.d/dnsmasq restart
Then you can perform DNS lookups for the server names
Hi thank you
Gave +1 Rep to @woeful sail (current: #12 - 866)
I'm facing trouble with this room. I may or may not have attempted it in the past, which explains the 7% room progress
I am unable to reset the room, or join the room 😢
Please help me figure out the issue
Hi!
Is the AttackBox buggy getting connected to the network?
I can't reach the DC with the THM AttackBox..
Pinging the IP doesn't work.. correcting the DNS and pinging doesn't work either.
- I have started the AttackBox from the room I'm in.
- I have reverted the AttackBox
I have tried to finish the module "Compromise the active directory" but the struggle to get the network up with a working AttackBox takes the fun out of it.. it works sometimes.... but often not..
This could be an issue with the browser
I suggest you disable all browser extensions for the moment, clear the browser cache and reload the web page
Make sure:
- the network is in the running state
- you have a network adapter called breachad
After that, if pinging the DC IP fails, I suggest you leave the room and join a few minutes later (you should have different IPs)
It actually turned out to be the streak requirement issue, turns out I didn't see the thumbnail in Networks section which specified you needed a minimum of 7 day streak to access it
I paid for the sub and now am able to access it without having 7 day streak
I've submitted a ticket through THM and uploaded screenshots, but this is not the first time I've had to submit a ticket. Is the system being updated site-wide? There have been quite a few issues with operability and things not working, lagging etc. Is there anything that THM can at least publish to users to inform everyone? So at least we don't have to waste time trying to figure things out, especially if it's broken. I am a paying premium user and have been for a few years, and this is the worst I've ever experienced on the THM platform. My yearly subscription renews next month, and if we can't get some feedback and/or issues resolved I may not renew my subscription. I really like the THM platform and have learned a lot, but at this point, with all the issues, I feel this is wasting my time and hindering my growth, along with wasting my money on a sub-standard product. Some feedback would be greatly appreciated. thx
I've been experiencing the same issue in the "Breaching AD" room. Even downloading and running its associated VPN file doesn't work. I've been stuck for two days because of this issue.
I join you in kindly requesting feedback on this issue.
I have the same issues. I left the room yesterday and joined again now, and again I have the same IPs
Anyone help...
Can you please retry?
Now I'm trying, I got the same results, I cannot connect
I'm sure that I followed all the steps ...
I don't know what else I have to do, I hope THM sees that & fixes it..
@old plinth
Hi Tim
About your message here (#breaching-ad message), if you do not mind, here is the feedback from my personal experience
- context
  - Breaching Active Directory (topology as per first screenshot)
  - results obtained in the past half-hour
- connecting using personal VM (Parrot):
  - it works
  - VPN file is breaching_ad_v2 - check attached VPN log finishing with "Initialization Sequence Completed"
  - pinging of DC IP successful (second screenshot)
- connecting with THM AttackBox (Ubuntu):
  - did not work initially after startup:
    - no other THM VPN instance running
    - no route to 10.200.70.X, hence no ping (screenshot #3)
  - did work after running openvpn with the same VPN file as downloaded earlier for Parrot (screenshot #4)
Conclusion:
- did not work initially after startup:
- it works, for the moment
- earlier today (10-12 hours ago), tests with 3 AD rooms were disappointing:
  - it worked either with local VM or THM Ubuntu AttackBox or THM Kali, but not with 2 or all 3 ways of connecting
  - the 3 AD rooms were: Breaching Active Directory, Enumerating Active Directory and Exploiting Active Directory
Hey,
We migrated to v2 networks Friday last week. All but Holo and RTCC were migrated.
But there was a slight issue in the migration with the VPN server templates, which causes several of the networks to have issues. Especially Breaching AD.
About an hour ago, a patch was launched for the networks, which seems to be working, but we will continue to monitor this week.
It did however mean that we have to forcibly kill all existing network instances to force their restart. So this might mean you need to rejoin the network and then regenerate your VPN file.
We do apologise for the inconvenience, but hopefully it is now resolved. V2 networks should also be significantly more stable.
One thing to note though, your subnet will now persist. So regardless of what network you are actually in, the IPs in the room will remain constant. This is a new feature of v2 networks.
We are in the process of also updating the AD content, which will then reflect this change of static IPs as well.
Just two more things to be aware of:
- Make sure you don't run the network VPN locally and the AttackBox at the same time; given they are the same profile, they will disconnect each other
- On the AttackBox, run tryconnectme to do network debugging. Often a simple profile regen by following the instructions it gives can help resolve the issue
Thanks for the feedback, I was not able to get the attack box working. But I was able to regen the v2 and connect through my own machine on the VPN
Gave +1 Rep to @dense cedar (current: #34 - 332)
So now we use the v2 VPN config file?
I'm using the v2 VPN config file and it's not working!
Did you regenerate your VPN file and lastly what region are you?
I'm in Europe, Greece
Should not be regional blocking then. Did you regen your VPN profile and ensure the network was running?
Well, here it's 7 in the morning, I was trying last night until 2 pm hahaha, I'll drink some coffee and I'll try again haha... thanks for the help btw
For v2 networks, if the network goes into the sleep state, the VPN server does as well, meaning you won't be able to connect. V1 networks kept the VPN server active, but this added to confusion, since it was unclear whether it was a network issue or just the network sleeping. So with v2 we sleep the VPN server as well. That way you know what the actual state is.
Anytime, hopefully it's sorted for you, else DM me your THM username and I can check your specific network instance
Thank you, I'll give it a try later and I will reach out again if the issue remains!!
Gave +1 Rep to @dense cedar (current: #33 - 333)
@dense cedar Good morning from Greece again, I regenerated my VPN config file and it worked fine!!! Thanks a lot...💪
Gave +1 Rep to @dense cedar (current: #33 - 334)
Perfect, enjoy!
Hello All, I'm not using VPN but directly the AttackBox and I can't connect to the VM DC of the lesson, is this normal? Is there an issue still persisting please?
Just a summary of what I'm facing:
- I use the AttackBox directly, no OVPN usage
- When I do an ip route command, I have no route to the dedicated subnet where the DC is located (10.200.70.101)
- Ping does not work
- I restarted the AttackBox many times over the previous days with the same result
- Let me share some screenshots
Hmm, I do not know how we can add a screenshot here, sorry I'm new ...
as per #breaching-ad message, run tryconnectme
The AttackBox does not work for this room. It does not reach THMDC. However, the VPN works; why the attack box is not working seems to be a long-pending issue now.
check the latest from here: #breaching-ad message
Hello Sir, I ran tryconnectme but it asks me which OVPN I'm using, but I'm not using OVPN, I'm using the AttackBox directly, it does not require VPN connectivity. Am I missing something? As I can't provide an OVPN name, tryconnectme stops with no more diagnostics.
The VPN file is used by the AttackBox. Normally it is automatic, but in case of problems you have to feed it yourself
The VPN file is called breaching_ad_v2
Hello Sir, does it mean that I must run this file manually from the AttackBox, right?
that is correct, that is if THM AttackBox has not done its job properly when booting up
In the past, I have seen that situation often for another AD room (Exploiting AD), but it seems to affect Breaching AD too at the moment (for how long? I do not know)
Context: you are doing troubleshooting based on a particular situation that may be different next time you come around
Could you provide the steps for the 'profile regen' process?
There you go. It is also mentioned in the rooms as well, in Task 1. You will notice the names of the VPN profiles are slightly different from what is in the tasks; we will still update the rooms to show the new names. But same VPN profile and same steps
Connecting through the AttackBox still does not work, not even with tryconnectme and regenerating the VPN script with server breaching_ad_v2.
Please share more detailed output from running the script and from the log file it asks you to provide output from, for more help. We have tested it several times and it was working, so having more output helps understand what the potential issue could be
```
2025-10-24 17:50:43 OPTIONS IMPORT: timers and/or timeouts modified
2025-10-24 17:50:43 OPTIONS IMPORT: --ifconfig/up options modified
2025-10-24 17:50:43 OPTIONS IMPORT: route options modified
2025-10-24 17:50:43 OPTIONS IMPORT: route-related options modified
2025-10-24 17:50:43 OPTIONS IMPORT: peer-id set
2025-10-24 17:50:43 Using peer cipher 'AES-256-CBC'
2025-10-24 17:50:43 net_route_v4_best_gw query: dst 0.0.0.0
2025-10-24 17:50:43 net_route_v4_best_gw result: via 10.10.0.1 dev ens5
2025-10-24 17:50:43 ROUTE_GATEWAY 10.10.0.1/255.255.0.0 IFACE=ens5 HWADDR=02:8b:c5:31:34:c9
2025-10-24 17:50:43 TUN/TAP device breachad opened
2025-10-24 17:50:43 net_iface_mtu_set: mtu 1500 for breachad
2025-10-24 17:50:43 net_iface_up: set breachad up
2025-10-24 17:50:43 net_addr_v4_add: 10.50.79.20/26 dev breachad
2025-10-24 17:50:43 net_route_v4_add: 10.200.80.0/24 via 10.50.79.1 dev [NULL] table 0 metric 1000
2025-10-24 17:50:43 Data Channel: using negotiated cipher 'AES-256-CBC'
2025-10-24 17:50:43 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2025-10-24 17:50:43 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2025-10-24 17:50:43 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2025-10-24 17:50:43 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
2025-10-24 17:50:43 Initialization Sequence Completed
2025-10-24 18:00:21 event_wait : Interrupted system call (fd=-1,code=4)
2025-10-24 18:00:21 SIGTERM received, sending exit notification to peer
2025-10-24 18:00:24 net_route_v4_del: 10.200.80.0/24 via 10.50.79.1 dev [NULL] table 0 metric 1000
2025-10-24 18:00:24 Closing TUN/TAP interface
2025-10-24 18:00:24 net_addr_v4_del: 10.50.79.20 dev breachad
2025-10-24 18:00:24 SIGTERM[soft,exit-with-notification] received, process exiting
```
That SIGTERM received.
The only reason to get that line is the VPN server forcefully disconnecting you. The only reason that can happen is the VPN profile running at more than one location at the same time.
Are you perhaps running both the AttackBox and your VPN profile somewhere else at the same time?
If not, can you run ps aux | grep "openvpn" on the AttackBox and send the output?
Thank you. I appreciate it
Gave +1 Rep to @dense cedar (current: #33 - 335)
Hi, thanks for the response. I can assure you I do not use a VPN connection (nor is it used elsewhere) when I use the AttackBox (I am aware, since I have been facing this problem for a long time now). I am posting the text output here (new connection, same problem, thus sending only ps aux | grep "openvpn"), as I cannot upload:
```
root@ip-10-10-142-120:~# ps aux | grep "openvpn"
root 4719 0.0 0.1 7680 5448 ? Ss 15:13 0:00 openvpn --config /root/Desktop/NetworkConfigs/breachingad.ovpn --daemon --log /root/Desktop/NetworkConfigs/logs/breachingad.log
root 6150 0.0 0.0 9044 720 pts/0 S+ 15:16 0:00 grep --color=auto openvpn
```
Gave +1 Rep to @dense cedar (current: #33 - 337)
Sorry, was away yesterday. Can you send the output from that log file as well? At the same time? Reason I ask is that if the openvpn command did a SIGTERM, then it should not be running anymore, but here you can see that it is actually still running, so something is going on.
Also, can you just make sure that:
- The network is running
- You regen your VPN profile. Also send me your VPN profile via DM
OMG! It is now working from Attackbox. Many thanks for your responses and troubleshooting
Gave +1 Rep to @dense cedar (current: #33 - 338)
For me the room is not working, I can't even ping THMDC. What am I missing? I also tried openvpn but with the same result.
troubleshoot by running tryconnectme
also, check the latest from this: #breaching-ad message
Thank you, but I want to connect via the AttackBox, not openvpn, and it was the same result, no ping possible.
enter breaching_ad_v2 at the prompt where it requests the OVPN connection: tryconnectme just wants a name
sorry: I made a correction from breach_ad_v2 to breaching_ad_v2 🙃
use my screenshot earlier: #breaching-ad message, where you can see the regenerate button just on the right of the largest red rectangle
wow, finally I made it 😄 hopefully I will be lucky with DNS too, thank you 🙂
🥳 🥳 🥳 🥳 🥳
hm, but now, before I could finish the room, the AttackBox crashed and I had to reconnect it, and now it is not working again, and the steps from before didn't help 🙁
that text file is from THM AttackBox?
yes this is logs from /root/Desktop/NetworkConfigs/logs/breaching_ad_v2.log
do killall openvpn
ok i did but at the access page it still seems connected
refresh?
still
that page has been reported as unreliable for a long time, but I thought it was OK by now
I would rather trust ip a: if you have a breachad network adapter with an IP, you are connected, otherwise you are not
it is very short time for me when attack box is working 😄 only 20 minutes now 🙁 and i have to start from scratch again
what is your Server Region under Profile > Manage Account > Account Details?
do not confuse it with Access via OpenVPN though
you can try to switch to US-East to see whether you have a better experience
no guarantee though 🙃
hm just 5 minutes now 😄 ok i will leave it
Hey everyone, I've been trying to get this room to work for weeks and I'm pretty certain at this point the reason why I'm having so much trouble is because I am making a silly mistake.
Well I can't share screenshots but this is what I've been doing. For reference, I am using the attackbox:
sed -i '1s|^|nameserver 10.200.70.101\n|' /etc/resolv-dnsmasq
systemctl restart dnsmasq
nslookup thmdc.za.tryhackme.com
Error:
;; communications error to ::1#53: timed out
;; communications error to ::1#53: timed out
Server: ::1
Address: ::1#53
** server can't find thmdc.za.tryhackme.com: NXDOMAIN
The THMDC IP address is 10.200.70.101. Am I making an obvious mistake?
You need to verify your account first before you can share screenshots.
You need to provide more info as well:
- Are you using the AttackBox or your own machine?
- If the AttackBox, have you used tryconnectme to debug what is happening?
- Can you ping the domain controller?
That’s strange. I have my email and phone number verified
- Using the attack box
- Tried debugging with tryconnectme but will attempt again so I can get the specific messages
- I cannot ping THMDC (10.200.70.101)
On TryHackMe, go get your discord token and use /verify to verify your token
If you cannot even ping the DC, then the VPN profile isn't active or the network itself isn't active. tryconnectme will give you the steps required
Ah, I thought that the attackbox automatically connected to the VPN profile if launched in the room?
Yeah, the OpenVPN profile itself is not connected. I've refreshed the configuration file for breaching_ad_v2 and restarted the attackbox
Wait is the nameserver supposed to be the name of the Network VPN server?
Welp it's working now. Not 100% sure what fixed it but I'll take it!
Thanks for your help
It does automatically connect you. But sometimes something can go wrong (you leave the room and rejoin but don't regenerate your VPN profile), tryconnectme helps to figure out where in the process something is going wrong.
The "automatic" connection of the Attackbox is nothing more than the system automatically downloading your OVPN profile from your account and running it 😅
Glad you got it working!
Ah, okay! I tend to do rooms in increments instead of in one sitting so that is likely what happened
Hey, I just tried to start this room with a web based attack box, but sadly when I try to ping the THMDC.za.tryhackme.com host it doesnt work.
Also I ran tryconnect me, so I am not sure if I should paste the logs here.
Any help would be much appreciated
Never mind, it seems to work now
i tried to run the password sprayer from my kali VM and it says there's no module named requests_ntlm
i reinstalled it several times and rolled back to version 0.0.3 like suggested on https://stackoverflow.com/questions/27660034/python-requests-ntlm-import-error but it still won't work
Hello
I'm trying to go thru the configuration of the Rogue LDAP server, but I cannot get it to only accept PLAIN LOGIN mechanisms
(looks like i cant post screenshots here)
have you tried python3 instead of just 'python' in the command
can you screenshot:
- the connection back on your Netcat LDAP listener when you do nc -lvp 389?
- cat olcSaslSecProps.ldif?
in order to upload screenshots, you first have to verify your THM account with Discord, using the instructions in the link below
@worthy sedge
i tried creating a venv and running it from there but i still get the exact same issue
including installing it and it saying it's already installed
actually, I ran the same script from the Downloads folder I was using before. I feel like I should move it to the folder it created when I created the venv, but where do I even find it?
oh i found it
the w3 page says it should include a folder called Scripts but it's not here so i'm gonna create one
i'm still getting the exact same issue
how am i even supposed to use venvs
all i did was set up the default kali linux VM and go straight into tryhackme
normalizer (symlink missing or pointing to unexpected location)
this line worries me a little
i tried to log into discord on my VM and the VM completely froze
restarted the VM and it made me do two captchas in a row and booted me back to the beginning
using pip instead of pipx within the venv installed requests
as well as requests_ntlm and the script ran
i think i skipped a few steps when i started this room, i'm in a little over my head
Hi, I've been trying to get the network working for a few days, and it never works 🙁 I cannot get the IP subnet accessible, from the AttackBox or from my own machine with the specific openvpn configuration. Do you have any hint to help me? Thx
Verify your THM discord profile using /verify so you can send screenshots. Then, make sure you are ONLY using either the AttackBox or the VPN profile. Never use both at the same time. Then, using the Attackbox, run tryconnectme and provide the results here
Thanks for your tips. I've followed all the steps with the tryconnectme command, and now the VPN is up and running in the Attackbox! Definitely, this tool should be more advertised 🙂
Gave +1 Rep to @dense cedar (current: #33 - 343)
Happy to help. We are revamping the AD content. So haven't really updated the old networks. Should hopefully be resolved with the updates we are pushing.
Should I then wait for new/updated rooms on AD ? Maybe the revamped version will be more interesting for me? Wdyt?
I'd do these still, they are pretty decent, and the revamp will take a couple of months. The content here is still relevant to get you started
hello, i am having trouble to connect to the breachingad vpn
check this: #breaching-ad message
question: should we use breaching_ad_v2 or breachingad.ovpn
Help, i still cannot ping THMDC after following all the debugging steps from tryconnectme, here is my log:
Have you tried to regenerate your VPN profile?
And it should be the v2 profile
work now thanks!
Is my configuration correct? Reason is the site mentions that :
"Finally, run nslookup tryhackme.com - If you now get a different response than the one in step three, it means there is something wrong with your DNS configuration. Go back to the configuration steps at the start of the task and follow them again. A common issue seen on Kali is that the DNS entry is placed as the second one in your /etc/resolv.conf file. By making it the first entry, it will resolve the issue."
But as you can see from my screenshot that my nslookup tryhackme.com is different versus nslookup za.tryhackme.com <THM DC IP>
Neither I nor my students can connect to the breaching_ad_v2 VPN (to work on the Breaching Active Directory room). Can someone verify whether there's a technical problem on THM's side or if everything is fine?
if you are using THM AttackBox, use tryconnectme for troubleshooting
also:
- personally , I have not used that network in the past days, but I have interacted with other users who could connect to the network
- I suggest you review the recent messages of this channel till Oct 30, concentrating on the messages by Am03baM4n
Jesus…. This room scarred me but I learnt a LOOOT about AD. Took me 3 days to complete
Hello to the community!!! I can't do the room because I'm facing a network error. No possibility to ping the servers... I have no specific configuration, I'm only using the AttackBox machine. But once the network has been started, and the AttackBox too... no ping succeeded. Then no need to go further... the network does not work. Could someone help, please? I'd like so much to complete this room. Thank you very much in advance!!!
root@ip-10-80-72-114:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether 0a:30:8d:9d:77:19 brd ff:ff:ff:ff:ff:ff
altname enp0s5
inet 10.80.72.114/18 metric 100 brd 10.80.127.255 scope global dynamic ens5
valid_lft 3556sec preferred_lft 3556sec
inet6 fe80::830:8dff:fe9d:7719/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:99:d1:5f:9c brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:99ff:fed1:5f9c/64 scope link
valid_lft forever preferred_lft forever
5: veth2546fe7@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether a6:67:e8:e2:90:cc brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::a467:e8ff:fee2:90cc/64 scope link
valid_lft forever preferred_lft forever
7: veth88f62df@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether ba:96:74:be:64:05 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::b896:74ff:febe:6405/64 scope link
valid_lft forever preferred_lft forever
8: breachad: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.50.94.11/26 scope global breachad
valid_lft forever preferred_lft forever
inet6 fe80::1f7:5176:71e9:cb2d/64 scope link stable-privacy
valid_lft forever preferred_lft forever
root@ip-10-80-72-114:~# ping 10.200.70.101
PING 10.200.70.101 (10.200.70.101) 56(84) bytes of data.
I have the same problem
Hum, I assume that this is not possible now to use the AttackBox for completing this room ... will try with a VPN from my home. I'm a little bit disappointed about the lack of support on this ... 🙁
yup same problem
did it work?
@plush pond @slender talon @leaden fable when using THM AttackBox, do troubleshooting with tryconnectme
Thank you very much, that did indeed fix the problem. 🎉
Gave +1 Rep to @woeful sail (current: #8 - 1122)
Have a nice day 😁
🔥
ty
Gave +1 Rep to @woeful sail (current: #8 - 1123)
i cant get the printer to connect back to me
my ip is in the 10.50.x.x subnet breachad interface
🤷♂️
Hi All
I am unable to ping THMDC itself. Stuck at the first step itself. I am using the room's AttackBox.
Please help.
maybe this helps: #breaching-ad message
For the Breaching AD environment. I am showing it as paused right now, when I go to Start it back up, it redirects to the 500 error page. Anything else I could try here?
still having this issue
I tried this and tried connecting via my own machine (thru ovpn) and I'm still unable to reach the DC IP
are you getting a breachad interface after running openvpn?
Yes I am.
And it still cant reach the DCIP and I am still unable to resolve its domain name
please screenshot ip a and ip route
you seem to have output similar to mine
and you cannot ping 10.200.70.101 right? I mean, literally that IP address?
yup. I can't
for the VPN, you used the v2 file, right?
yes, I am using the v2 ovpn file
is the Breaching AD network running?
I mean, the Start button is greyed out, as per screenshot?
Yes it is running
For some odd reason, I can now ping the IP address, but nslookup is still unable to resolve the dns lol
the odd thing for me also is that your network topology looks different to mine
for the DNS, I would run again sudo systemctl restart NetworkManager
I tried this multiple times already and it didn't work
please share /etc/resolv.conf
[@gritty hornet back in 30-45 minutes :up]
I think I got it working now lol. Whenever I run this command, sudo systemctl restart NetworkManager, it removes the nameserver IP I add to the resolv.conf file. Also, I had the hunch that the IP addresses in this conf file have to be in a certain order? I used to put the THM DC IP address after the 192 IP address.
Anyway, thanks for your help! 😄
hey guys! when i go to the access page at https://tryhackme.com/access there are no servers listed in the network tab, i cant download the VPN conf file...
What's up with this ?
you first need to join the room, and possibly refresh the access page
.
this issue doesnt exist on other networks similar to it
i would like to keep learning AD but this is borderline unusable
the vms randomly freeze and they're highly reliant upon the trust that previous people did not destroy anything
still nothing... ;/
then use the Options button to leave the room and join again a few minutes later
you are a subscriber, right?
yes, i am
does anyone get an ldap error when trying to downgrade the ldap thing
Authentication method not supported (7)
screennshot shows what I have
did leave/join improve? can you download the VPN file for normal machines?
also:
- once you joined the network, start the network with the green button before you try to download the VPN file
- good precaution: disable all browser extensions, clear browser cache and refresh the page too. Possibly, switch to another browser
Hi everybody, I'm trying "to get the password from the ma.db". I have installed the "pycryptodome" lib but I get this error every time I use the script:
from Cryptodome.Cipher import DES3
ModuleNotFoundError: No module named 'Cryptodome'
hi, I'm trying to do the LDAP task but the websites don't load. Any idea why? I can ping the DC and nslookup the name server for the NTLM task, but not LDAP?
is the import spelt correctly ?
Hi, paying well for a few hour job to write a script, someone who knows how to use fiddler or burp cuz also we will need to intercept, ill explain more in private, if anyones interested shoot me a dm 🙂
This page for me has nothing in the dropdown, even after leaving and rejoining
Is the network running? I suggest you refresh the web page for the network and confirm that there is an uptime value at the bottom right of the topology
There was, 16 hours, this was after restarting browsers and trying different browsers as well to verify it wasn't just Firefox acting up as per DKob's input
I do not know what the issue is; however, I have done live troubleshooting with other users who, it seems, had to wait a little bit for the v2 file to come up. I do not have a specific reference, but you can check here (#wreath-network message) another user who had that experience with the v2 VPN file of the Wreath network (go back in the message chain if you want, which shows how confusing it can be).
BTW, are you using the THM AttackBox or your own VM like Kali for this? The THM AttackBox may be the preferred way at first, although I have found that the tryconnectme troubleshooting script has been failing for me for a couple of weeks. Also, do not use both the THM AttackBox and the THM VPN at the same time.
additional suggestions:
- do not do high-speed clicking with whatever VPN-related: give seconds-minutes for the system to settle
- when checking for the VPN file in the drop-down menu, do a hard refresh (Ctrl-F5) of the web page (instead of using the refresh button further above); same as earlier when checking for the uptime of the network topology
- check another network, like "Enumerating Active Directory" or "Persisting Active Directory" (https://tryhackme.com/room/adenumeration or https://tryhackme.com/room/persistingad): it would be interesting to see whether you are getting the right VPN file listed in the drop-down menu for these networks
- I guess you are not using browser extensions when troubleshooting this
@night dock Please slow down. Further spam will result in a short timeout.
The instructions on Task 1 state "If you are using the Web-based AttackBox, you will be connected to the network automatically if you start the AttackBox from the room's page. You can verify this by running the ping command against the IP of the THMDC.za.tryhackme.com host." But when I run ping 10.200.70.101 within the attack box it is unable to reach it. Anyone know why this would be happening?
Also when I try on my own kali vm I get this:
sudo openvpn breaching_ad_v2.ovpn
sudo: unable to resolve host ip-10-67-68-27: Name or service not known
2026-03-09 00:49:51 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2026-03-09 00:49:51 OpenVPN 2.6.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2026-03-09 00:49:51 library versions: OpenSSL 1.1.1f 31 Mar 2020, LZO 2.10
2026-03-09 00:49:51 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2026-03-09 00:49:51 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2026-03-09 00:49:51 TCP/UDP: Preserving recently used remote address: [AF_INET]54.228.134.173:1194
2026-03-09 00:49:51 Socket Buffers: R=[212992->212992] S=[212992->212992]
2026-03-09 00:49:51 UDPv4 link local: (not bound)
2026-03-09 00:49:51 UDPv4 link remote: [AF_INET]54.228.134.173:1194
2026-03-09 00:49:51 TLS: Initial packet from [AF_INET]54.228.134.173:1194, sid=41c97f45 3508695d
2026-03-09 00:49:51 VERIFY OK: depth=1, CN=ChangeMe
2026-03-09 00:49:51 VERIFY KU OK
2026-03-09 00:49:51 Validating certificate extended key usage
2026-03-09 00:49:51 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2026-03-09 00:49:51 VERIFY EKU OK
2026-03-09 00:49:51 VERIFY OK: depth=0, CN=server
Can anyone help in resetting the network im unable to download the bcd file using tftp
Any Arabs here?
Did you make it work?
hello, i am having an issue while trying to connect on breaching-ad network vpn.
I have tried to connect to it using my in-browser Kali box, but DNS is not replying, and tried to use openvpn but it gets stuck while trying to connect.
any ideas?
i think it's fixed now
Hi,
I am having issue connecting with the AD network
Paying the price of a premium subscription and this kind of access issue is unexpected
I won't be renewing my subscription with THM
hi
hi, can anybody help me with the LDAP downgrade in the LDAP pass-back attack? It still supports many methods 🙁 I don't know what I am doing wrong
Yeah
good
@dense cedar 👋
Will answer support questions here 🙂
Shouldn't this go under the networks category?
use crackmapexec to verify the passwords.
You are using the IP, not the hostname, which means it resolves to the default website that gives a 200 OK, fooling your brute forcer into thinking the credentials are valid
ahhh
This is why you need DNS, 10.200.4.201 is hosting three different websites using virtual hosting, only one of those support NTLM authentication
Now it works
the dns can't find za.tryhackme.com even though I have changed it to said DNS, but if I just change the ip into hostname via /etc/hosts it works
Are you using the AttackBox or your own machine? If you are using your own machine, you need to alter whatever is doing DNS on your machine. That may be systemd-resolved, but could also be NetworkManager or even something else. So if you follow the exact steps on your own machine, that may not solve DNS for you.
Safest way to verify DNS is to embed it directly in the /etc/resolv.conf file, but most network managers overwrite that file so it is not persistent
yup, I am using my own machine and has changed /etc/resolv.conf file
Good point - yes - can you move it please?
What is your current /etc/resolv.conf file contents?
nvm, a second reset of systemd-resolved fixed the problem
gosh dam DNS
DNS is a massive pain, but since Kerberos uses hostnames and not IPs, you just have to grind your teeth and get through it. No different on assessments though
yeah, good thing I have some hard candy to grind my teeth on instead 😛
Lol, mine won't work 😂
I can't download Breachingadbovpn file. On Access - Machines my connection status is shown in green but not on the Networks side. If I click to download breachad file I get an 404 error. Any suggestions?
@charred sandal can you maybe check this one please?
Is this right?
Should be good now
<THM DC> Should be your actual DC IP
D'oh!
Look at your network diagram for the IP to your DC
Top one?
Indeed, one that says THMDC.za.tryhackme.com
that's the ip you'll put in
My bad, forgot we removed the actual FQDN and just named it THMDC
The one I have. 🙂
Yeah, if you add that and reboot the service twice should start to get DNS resolution
Still nothing.
Infact
My issue could be the VPN
It's constantly restarting.
Is anyone else getting "Uh-oh, this page has been lost in the matrix." when trying to download the VPN file for the new network? This is after:
- regenerating the VPN key again
- logging out and back in
- using a browser with no ad block enabled
- using a browser without ad block on Windows instead
Yeah, if the VPN is not stable, DNS won't be either.
Are you perhaps running the VPN in two different locations? That might cause the constant reboot
No, just the one.
What is your assigned subnet? I'll need @charred sandal to just take a look at this. It may be the VPN server in your network
Not running the AttackBox as well right? Since that loads the VPN profile automatically?
Nah, 🙂
I'm running out of ideas. Have you tried turning the machine on and off again? 😂 Otherwise might have to regen your VPN profile
10.200.24.0/24
I'll give that a bash later tonight. 🙂
The team is looking into the VPN servers, just give them a bit to fix it
Why I have only 3 days to use this room?
This is to ensure that inactive users are removed freeing up some of the networks. You will be automatically removed from the room after three days, but can just rejoin again then
Makes sense, thanks
Says file not found, just do a dir and confirm the filename
it was the correct filename, ps just wanted .\ in front 😄
when you have to debug code
Then chances are good you are doing something wrong...
I don't have crypto installed on my VM and crypto can't be installed for some reason 😄
I still can't even do the dns 😂
Ah yes, the lovely old mcafee password decrypt script that only works in Python2. That's why I have a VM just for that script 😂
gib vm 
don't I'll just open up attackbox
Lol, almost like you can read my mind guessing what I was going to say
I have dealt with @dark carbon a lot, so I know how to read minds now 
Looks good, did you reboot the service? Also, what is currently in your /etc/resolv.conf file while we are at it?
I rebooted the service and the machine
what about /etc/resolv.conf?
Blank 
Run nslookup za.tryhackme.com for me please, want to see where it is trying to do the resolution
Also has your VPN issue cleared up? Or is it still trying to reconnection constantly?
I regen'd it and it's fine now
Yeah, that is not the 10.200.4.101 IP, meaning something else is controlling DNS there
Gave +1 Rep to @dense cedar
Okay, let's try to add the entry to /etc/resolv.conf - nameserver 10.200.4.101 and then run the nslookup again and see what happens. If that doesn't work, need to find whatever is controlling DNS on your machine
In task 5 I've been waiting for 30 min for responder to intercept a request still no request (using attackbox)
Issue should be resolved now, can you please regenerate your VPN file and test?
Issue should be resolved now, can you please regenerate your VPN file and try again?
I got it.
Thanks!
Gave +1 Rep to @dense cedar
What is your tunnel IP and specific subnet? Just so I can check what is happening
send message to you and thanks
same
Network is 10.200.27.0/24
Let me ask the team to check it. This is the one thing I can't fix
Should be fixed now if you regen your VPN file
Thanks, it worked 🙂
Gave +1 Rep to @dense cedar
In the Breaching AD room I can't get the DNS to resolve even after adding the DC's IP address to my /etc/systemd/resolved.conf and running systemctl restart systemd-resolved (x2) or completely rebooting my VM. When I run nslookup thmdc.za.tryhackme.com I get my default gateway's IP. Is there any other way to run the configuration besides changing my nameserver in /etc/resolv.conf or changing the default route? It seems I won't be able to access the internet that way. @dense cedar
i'm in the same boat
If you are using your own VM, I can't really do a lot to help with regards to the DNS, since I won't be sure what is setting DNS for your VM.
However, what you can do is basically hardcode the IPs in your /etc/hosts file. So for every DNS entry that will be used, just make a new entry:
<IP> <Hostname>
I'm using the attackbox
Yea I figured that could potentially be a work-around but wasn't sure. I added it to /etc/hosts as well but it also happened on the attackbox for me.
If you are using the attackbox, DNS should work with the provided steps. Can you ping the DC?
I can ping the DC on both the vm and attackbox
yes
On the attackbox it should not happen.
Let me try it again I'll let you know
hmmm, no it pings out, no packets back
Yeah that's your issue, your VPN profile may only be active on one machine at any given time. Running the VPN profile in both VM and attackbox means they are fighting, causing the VPN to reboot constantly
Then chances are your VPN did not connect in the attackbox. Run ifconfig to see if you have any adapters? Also just confirm the network is actually started and active?
actually no I can't ping from the attackbox only from my vm
You can't have the VPN active in both your VM and the attackbox. It causes a reset of the VPN constantly on both.
I'll restart the box 1 mo. I haven't used my own VM today so I know there's no conflict for me there
AttackBox automatically pulls and runs the VPN profile for the network for you. So just something to note if you want to switch to your own machine, make sure to terminate the attackbox first
there is a script you can run to ensure there's no clashes also. James sent it to me before
still no ping reply i'm afraid
What's your subnet?
pm'd
Thank you for the suggestion. I was struggling with the DNS
Gave +1 Rep to @brave niche
Might need to pin this.
I’m trying the ntlm_passwordspray.py script and inputting all the right switches. But it’s resulting in so many errors that I don’t know where to start
It’s mentioning Failed to establish a new connection. Name or service not known. As well as a BUNCH of other errors on different lines
Try ping to ..*.101, if no response, try to check your vpn connection
for task 5 how long we need to wait till it hits our responder?
I can get a response from pinging
But nslookup doesn’t work
I’m using THM attack box, am I supposed to be making ANY changes to my config? DNS, etc/hosts?
you need to change DNS as shown in task 1
are you setting DNS server?
done and time to go to bed
Not sure if they're still looking into vpn download issues, but just wanted to mention I'm not able to download the ovpn file for the network/getting the 404 error as well, subnet is 10.200.52.0/24
when I run the command "sudo responder -I tun0" for some reason it reset the dns and I have to enter the command "systemctl restart systemd-resolved" on the attackBox again
for nslookup to resolve the hostnames
are you able to retrieve the hash?
On the AttackBox, can someone please check to see if they have either of these IPs 10.50.x.x or 10.51.x.x IP. I only have a 10.10.x.x. I'm also connecting using the room to access the AttackBox.
Thanks,
the interface tun0 or tun1 should be ip you are looking for if you enter "ip a"
@rigid wasp that is what I thought, it is not present. I terminated the machine x2 no luck.
try to ping THMDC.za.tryhackme.com
yes, I tried that too and no luck. Going to restart one more time and call it a day and try tomorrow.
or rejoin the the room
That I have not done, but will try. thanks again for the help. Also, could not download the VPN files, something seems wrong there as well.
Third time, no luck. I'll try again tomorrow. At least if someone is having the same problems, they will see these messages.
Can you please send me your subnet and VPN IP so I can quickly investigate what is happening there?
Can you please send me your subnet and VPN IP so I can quickly investigate what is happening there?
If your VPN is not connecting and you cannot download the VPN file since it gives you a 404, please send me your subnet so we can look into the issue
@dense cedar i have dm you the subnet and vpn ip info
I did what Lassi had mentioned above and nslookup still doesn't seem to work (I'm using kali in my own vm, not the attackbox... my friend is trying the attackbox and nslookup doesn't work there either)
Can you ping the DC?
Yup, I can ping the DC, the iis site, but browser doesn't resolve ntlmauth
But I was able to ping them without having to add the additional ip in network manager (so while icmp works, dns resolution doesnt)
ICMP works by default. DNS needs configuration. I just want to make sure the network is actually live.
Ah ok :) :)
Perform an nslookup for za.tryhackme.com
What resolving server does it use?
Name: za.tryhackme.com
Address: 10.200.54.101
Can you send me the full output? Cause that looks like DNS is working?
Yup, lemmie install discord on my pc, one sec :)
Try nslookup thmiis.za.tryhackme.com?
awe i cant post screenshots, but maybe itll work now
its resolving now, when it wasnt before
and password spray python script is working 😄
Am03, can y'all reach out to the creator of this room and have them add the comments about Network Manager and such if using kali for personal vm?
I'm the creator of the room.
We cater these rooms specifically for the attackbox, since we can't cater for every flavour of VM out there. But I'll see if I can add a small comment there about it
definitely understandable 🙂 I just made the comment since a lot of people seem to either use Kali or Parrot for their attack vm
thats way cool ur the creator, loving the room thus far 😄 😄
@tender flame Hi. please don't DM me without speaking first.
anyone else getting this
PS C:\Users\thm\Documents\warm> Import-Module .\PowerPXE.ps1
PS C:\Users\thm\Documents\warm> $BCDFile = "conf.bcd"
PS C:\Users\thm\Documents\warm> Get-WimFile -bcdFile $BCDFile
>> Parse the BCD file: conf.bcd
Invoke-CimMethod : Access denied
At C:\Users\thm\Documents\warm\PowerPXE.ps1:1695 char:32
+ ... $OpenStoreResult = Invoke-CimMethod @OpenStoreArg @CimMethodArgs
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (ROOT/WMI:BcdStore:String) [Invoke-CimMethod], CimException
+ FullyQualifiedErrorId : HRESULT 0x80041003,Microsoft.Management.Infrastructure.CimCmdlets.InvokeCimMethodCommand
Get-BCDStore : Unable to open BCD store. Likely reason: You do not have the required permissions to open the BCD store.
At C:\Users\thm\Documents\warm\PowerPXE.ps1:106 char:17
+ $BCDStore = Get-BCDStore -FilePath $bcdFile
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-BCDStore
Documented this as a known issue. Will quickly fix this for your network and patch will be applied for all networks a bit later
Am i the only one not receiving the printer connection back?
ok, i am dump af
dumb*
Hi guys. I need help. I am using my Kali box and I try to configure the rogue LDAP following the task description.
For all users, we are currently aware of two issues in the network:
- Responder not capturing the challenge in the 15 minute timeframe
- PXEBoot permissions of the THM user is incorrect
We almost have a patch ready for both these issues, but if you experience them in the meantime, please just send me a message here and I'll apply the patch manually
Cat your ldif file and send the output here please
Empty newline at the start of the file should be removed
ok let me try and back
the output after remove the empty newline.
with the last command I think something is wrong, but I don't know how to fix it
this is the output from tryhackme lab description.
Yeah if you get that output I don't think it applied correctly. But try to continue with the task and see what happens? I can sadly not debug this on your specific kali and ldap server version
You may have to restart with the config from scratch
ok. I will try to restart config
thanks @dense cedar
I have the issue with pxeboot permissions. I'm happy to just wait for the patch though if the manual method is a pain.
Patch should be going out real soon still today. Will keep you posted else I'll fix manually
happy to wait for the patch. ty for the work on the room 🙂
Patch just went live. If you reset the network the patch should work 🙂
ty
remember when holo held a competition 👀 jk
Maybe submission of a report for all the AD rooms? 🤔
I plan to write up my experience in these rooms.
But I won't release them, they'll be for my notes.
same issue after resetting all my config. I will try it later with the attackbox maybe
Even with the issue, did you try to do the rest of the attack? Might just be an output issue but the config did take hold?
Today I still had the problem that I couldn't download the breachingadb.ovpn file where I got 404 error. Regenerating this file worked for me and after that, the download works.
yes but I can't get any output using this command: sudo tcpdump -SX -i eth0 tcp port 389 (I switched eth0 with tun0)
What IP are you specifying on the website? Did the nc -lvp command work for you?
nc -lvp command did not work. By default my rogue LDAP runs on the 389 port
On the web page i use my tun0 Ip 10.50.x.y
You can turn off the rogue ldap service and use nc first just to verify you are at least getting the callback
That one should work for you. If it doesn't then probably something wrong with the ldap server config
same any solutions ?
Thanks!!! I was stuck with this step and now it works on my Kali box.
Gave +1 Rep to @brave niche
Thank you for this , issue resolved
Gave +1 Rep to @brave niche
I think the same. With my ldapd stopped, nc -lvp 389 works and I get some output like on the lab description.
I will try to reconfigure the ldap and try to continue the lab. @dense cedar thanks for your support and help. Appreciated
Gave +1 Rep to @dense cedar
Perfect, that means the LDAP connection is working. So then it is the LDAP server config that is causing the issue. Best would be to use the attackbox then.
ok good
I'm unable to download openvpn config file, is that temporary issue or i'm missing something?
Are you getting a 404 error? Have you tried regenerating the VPN config file
Yeah, getting 404 error. Tried couple times with regenerating a new vpn config file
What is your network subnet? I'll send it to the team to investigate
10.200.52.0/24
Sent to the team. It is the one issue I can't fix myself
finally works after reset, and reinstalling ldap after purging all config files.
It might be worth you leaving the room, wait a minute, rejoin it, then go back to the access page and try download again / regenerate and download again.
Should be fixed now. Just regen your config
We still have an active issue open on the network VPNs. Permanent fix for this will be applied end of the week. Seems like it is some miscomms between the VPN server and the THM website. If it happens, no amount of resets will get that VPN back.
It's working
Fair enough, i was wondering if the leave and re-join would possibly assign a different subnet
I also have a Responder without results within 25 min. A manual patch would be appreciated. My Responder gives errors on ports 5986, 443, 389 and 53. If these ports are used in communication then perhaps this is the cause of it not working.
Have you reset the network? Just checking since that is required for the patch to apply
You might hit it lucky, or you might get it even worse and just join a brand new network which would cause the exact same issue again. But 50/50 odds is better than nothing 🙂
No I didn't. I will reset now. Did restart Kali and latest version Responder but that didn't help.
I requested reset but 4 others need to ask this too in order for it to reset. But thanks for fast response and assistance! 👍
Gave +1 Rep to @dense cedar
Sorry about that, I can't do a manual reset of the networks but if you don't get the votes in an hour send me your subnet and I'll ask the team to see if they can do it
@dense cedar can you patch my PXEBoot permissions of the THM user?
Still stuck at 2 of 6 votes for reset. If you could ask the team that would be nice. Does it also patch the pxeboot issue?
Give me your subnet pls
Quickly DM me your VPN file and I'll do the patch manually. Should fix both issues yes.
@dense cedar 10.200.49.x
Fixed
@dense cedar just so you know I can't clean up the directory I created because when I try to delete pxeboot.wim it gives me the error "Access is denied."
All good, members should just perform as much cleanup as possible. Good practice for assessments 😉
There is a script that runs every 30 minutes and performs a full cleanup. Files are locked since the PXE boot image is mounted, so the script solves that.
does it delete the directory i made?
or just the files inside it
cause i made that directory yesterday
It flushes the files that take the most space. You are technically extracting a full blown ISO on that host. It only has 60Gb of HDD space. If 30 users do that at the same time that HDD is going to get full quite quickly. So it flushes most of the large files and the things that you used to stage the attack (so others can't just use it)
Also only runs if the network has been active for longer than 60 minutes
@dense cedar can you fix the pxeboot for me? 10.200.47.x
DM me your VPN file and I'll quickly fix it
Hello, i can't get responder to capture, is there something special to do ? (using attackbox)
(10.200.25.0)
has anyone manage to get kali accepting the olcSaslSecProps.ldif ? (task4)
I'm almost there. Using latest version of Kali with task 7 I get an error with python2 mcafee_sitelist_pwd_decrypt.py <SECRETPASSWORD>. File "mcafee_sitelist_pwd_decrypt.py", line 15, in <module> from Crypto.Cipher import DES3 ImportError: No module named Crypto.Cipher. Any suggestions how to fix this?
Patch was released earlier today. Please reset the network
Latest kali does not support the crypto lib you need. I have a vm just for running these outdated python2 scripts. Best is to quickly use the attackbox
Also DM me your vpn file if there isn't enough votes for a reset, then I'll do a quick manual patch
Uhhh
Let's not edit/send out your VPN files please
Oh wait
You’re staff, I’m so sorry
No worries 😂
Yes, it did work with my latest version of Kali. The ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms didn't display results but the reverse connection worked and credentials were sent.
The colour of your looks slightly lighter and I’m half blind 😆
@dense cedar Can I get a manual patch as well? reset has been 3/6 for about an hour. Responder not working for attackbox or VPN.
Ok, I will switch to the Attackbox.
Sure, just send VPN file and your subnet. I'm calling it for the day in the next 30 min so let's get those patches in
iam using the attackbox, do you need subnet?
I need the external IP of your VPN to SSH into. Can you quickly go pull the VPN file via Profile -> Access? Then download VPN file there and quickly send it to me on DM
done 🙂
Does anyone have info on the 3 days of access left for this room? Is this just a resources thing or a new THM subscription thing I missed?
Thank you!!
@brave niche @dense cedar = poggers
me too. @dense cedar, perhaps it should be more explicitly stated that you recommend using the attackbox?
I'll make a bold note about that quickly tomorrow 😉 But all THM-staff created rooms are created specifically with the AttackBox in mind
@dense cedar Little suggestion, in the text of Task 7 "it can be found in /root/rooms/BreachingAD/task7/ directory". You have "rooms" and it should be "Rooms". This avoids an error if people copy and paste your URL.
🤔 I was pretty sure I fixed that during the stress test. Might have forgotten to press the save button. Good catch thanks. I'll quickly change that
Gave +1 Rep to @jovial nacelle
Fixed
Recommendation added
I have finished, @dense cedar thanks for the nice room and assistance with the patches. Great!!!
Gave +1 Rep to @dense cedar
Glad you liked it! 🙂
thanks @dense cedar it's working now 🙂
Gave +1 Rep to @dense cedar
hi all
I've modified my resolved.conf file, restarted it and still can't seem to access sites in the network
any ideas?
Ok I just finished ! Thanks you for the room @dense cedar and for the patch 🙂
Gave +1 Rep to @dense cedar
Could we put this in the room took me some time to figure this out may help others that are not in the discord
Great stuff 🙂 Will let you know of any bugs I find on my run though !
My bad, I thought you were staff haha
Responder not capturing anything, 20 mins have passed
hmmm, using the AttackBox, I modified the systemd/resolve.conf DNS entry with the Domain Controller IP, I then restarted the service but can't nslookup ?? Also, it clearly says the network config should be already working on the attackbox, however if I do an ip -c a there is no tun interface
Can you download your VPN file? Try to regen the VPN file and download. If that fails let me know then we need to apply a fix
Patch was applied yesterday. Can you reset the network? If you don't get sufficient votes send me your network subnet and VPN file and I'll do a manual reset
im using the attackbox, shouldnt I be able to be connected to the network right away ?
We are adding a small extra section to explain this. The THM-Staff rooms are made for the AttackBox, so everything is stress tested using this. We can't cater for every type of VM out there, but agree for Kali should have something since this is a popular one
I'm trying to debug whether it is the known VPN issue or something else. Can you please follow the provided steps so I can debug the problem?
I could regenerate the file and downloaded it rn
Okay so the download actually worked? Then it is not the VPN issue. Can you quickly terminate your AttackBox and DM me your VPN file so I can run a quick check?
Sure, thanks
Got pushed to the room content this morning
permission issue on task 6
Can you reset the network to apply the patch? if you don't have votes send me your VPN file and I'll do a manual patch
its from yesterday, I just started fresh now today, same problem
We released a patch yesterday, but the patch only applies in the network if it receives a reset. So you can either reset the network or send me your VPN file and I can manually run the patch
I am not using VPN, using web base access, I will try reset again
Web-based access uses the same VPN, it is just automatically loaded for you. Go to Profile -> Access, download your VPN file there and send it to me
Resetting the attackbox won't fix the issue, you need to reset the network itself with the vote to reset button
ok thank you very much
Gave +1 Rep to @dense cedar
@dense cedar thank you for this room! I'm only missing contact from responder to complete it. I'm listening on tun0 of my attackbox (tun0 is in the 10.50.2.0/24)
Gave +1 Rep to @dense cedar
Send me your VPN file on DM and I'll check for you in the next couple of minutes
Very Nice room @dense cedar thank you very much for the support.
Gave +1 Rep to @dense cedar
Glad you liked it! 🙂
I just to confirm that reset of network solve permission issue on Task 6 and task 5 using Responder services (you do not wait for long to get response)
Do you mean you confirm it worked or are you asking?
I confirm it worked, I just finished the room, thanks
Gave +1 Rep to @dense cedar
Ah perfect, thanks for the confirmation!
Gave +1 Rep to @amber compass
Hello, I can't connect to this breachingad. I did everything by the rules, but it doesn't work. I downloaded the vpn file and opened it with sudo openvpn, and I have an ip. Then I opened the file resolved.conf and changed #DNS to DNS=ip of THMDC. Then I ran systemctl restart systemd-resolved. And when I check nslookup it doesn't work. It shows my ip address (not the one I got from the vpn file) and it wrote server can't find thmdc.za.tryhackme.com: NXDOMAIN.
What's the problem?
Are you on Kali?
yep
See the pinned comment in this discord channel and also see the note in the room Task 1 about DNS on kali
Thank you. Now it works
Gave +1 Rep to @dense cedar
Great to see!
still didn't get result with responder and i have problem with permission in task 6
responder
Have you reset the network?
you mean restart the machine? or redownload a new vpn
i just download new vpn
and start machine cause it was stopped
Nope, I mean actually reset the network through "Vote to Reset". The patch was deployed yesterday, but only takes once the network receives a reset. That's why I've been asking everyone to vote to reset.
if you don't have enough votes, pop me your VPN file and I'll quickly do a manual patch
anyone has the "Connect request failed" in step 6 when trying to connect through TFTP ?
Are you sure you are specifying the correct details? TFTP terminates if any of the details are wrong. Also just confirm you can ping the THMMDT host
Anyone else having issues with the AttackBox not routing the correct subnet?
Tried killing the attackbox and spinning it back up without it helping.
Doesn't help adding a route to the IP/subnet displayed on the network overview map in the room either :/
hi guys, I have a question about Responder. In a CTF, when we set up a Responder listener there is some script running on the target machine as a cronjob, right?? I am asking to confirm only, thanks
Hopefully, i'm still waiting for something to connect, been waiting for about 30 mins now... 🤞
use the one from github
Hey
Hey is breachingad difficult compared to throwback?
If this happens, best to do is to regen your VPN file and then reconnect the AttackBox
If you don't get a callback in 15 minutes, it means the network has not yet applied the patch. The patch is only applied when the "Vote to Reset" is used. So please make sure to vote to reset. If however you don't have enough votes, send me your VPN file and I'll do a manual patch for you
It should be easier. This is the first of five AD rooms that are meant to explain the fundamentals of AD hacking. Everything is written like a walkthrough so should be easy to follow and understand. See these rooms as the introduction course to AD. Thereafter you can go explore more on your own
Thanks for prompt response!
Gave +1 Rep to @dense cedar
Thanks man... this did it... had to restart the service twice
Gave +1 Rep to @paper laurel
Gave +1 Rep to @dense cedar
Great network, i was almost able to completely do it from my own kali instance, but yeah the mcafee utility wasn't working and probably have ruined my python at this point, but all things considered, great introductory for getting to know about AD-attacks
Hello 🙂 Is the network still working and did anyone work with the web based attack box?
I'm not even able to ping the IP of the DC from the web attackbox 😦
The network is working. Have you made sure to start the network? Also see previous messages about if your tun adapter is not connecting, might be good to regen your VPN file and then restart the attack box.
It is the Web Attack Box, there should be no need of activating a VPN afaik
The guide says the following: If you are using the Web-based AttackBox, you will be connected to the network automatically if you start the AttackBox from the room's page. You can verify this by running the ping command against the IP of the THMDC.za.tryhackme.com host. ...and thats already the point where I'm stuck
routes and default gw looks set correctly
Please read the previous messages. The attackbox only imports your VPN file automatically. If your VPN file is broken, that means the attackbox will import your broken VPN file and won't work. Please follow the steps I listed above.
Well the thing is that the VPN is connected and the tun Interface has an IP, i can even ping the tun interfaces default GW. How would I know that the VPN file is broken?
I can't help you if you are not willing to follow the help I'm providing. The previous messages explain why this issue occurs.
What is the previous message you are referring to? AFAIK the VPN files are only relevant to self-hosted attack boxes, right? In my case I'm using the web attack box. The tun adapter is up and running and I've got a valid IPv4 address
This should make the problem more clear: https://pastebin.com/8ARWRgBt
Okay you're right, I really had to regenerate the vpn cert, copy it into the web-based THM attack box and restart openvpn
But that's a bug, right?
When asking for support, it is good practice to just first read some of the previous messages in the channel to see whether others had a similar issue and were able to solve the issue. This just saves time for everyone.
You don't need to copy it onto the AttackBox. AttackBox automatically pulls your VPN file when you start the AttackBox in the network. You just need to terminate and then restart after regen-ing your VPN file so it pulls the new one.
It has been seen before that when you join a room earlier, leave, and then rejoin the room, sometimes the web does not automatically regen your VPN file to be attached to the correct subnet. So you are still attached to the old subnet. The simplest solution is just regen-ing your VPN file. The team is aware of it and looking for a more permanent fix.
@dense cedar Would it be possible to get our network reset? There are currently 40/72 reset requests and new people keep joining and extending the uptime. Around this time yesterday we had 5/36 reset requests
Why do you need a reset? Is one of the tasks not working? Also send me your subnet, I don't have the permissions to reset but could perhaps relay to the team to see if they can
Yeah we're still having the delay with Task 5 where the intercept doesn't arrive and I don't have permissions to clean up after Task 6 so it looks like the patch hasn't applied. Was the same yesterday
On the 10.200.4.x network
Can you DM me your VPN file and I'll manually apply the patch so you can do it without reset?
I could not find info anywhere on how the Breaching AD labs differ from Throwback. Humble apologies if the question has already been answered but I could not find anything.
Thanks for the tip @dense cedar . Gonna regen my ovpn file
Gave +1 Rep to @dense cedar
Hey there, so Breaching AD is the first AD room in the AD module series. There will be six rooms that teach you AD concepts:
- Breaching AD
- Enumerating AD
- Lateral Movement and Persistence
- Credential Harvesting Techniques
- Exploiting AD
- Persisting AD
By doing this AD module, you should have a very good understanding of Active Directory, how to exploit it on an assessment, and how to mitigate against AD attacks. That's the goal here. Throwback covers some of these concepts, but not to this level of depth for specifically AD concepts.
We are aware that the networks are currently full. So we have allocated additional networks right now. This should at least also help with the problem. Seems like the network were even more popular than what we initially expected 🙂
Sweet, I'm in
Wow! Thank you for the quick response. This looks amazing. I'll definitely check them out
Gave +1 Rep to @dense cedar
Honestly gotta say, Tryhackme has been the most fun I've had with computers in a min. I love the platform
Hello @dense cedar... I have a problem: I wasn't able to delete my folder and clean up for the Task 6 because I got "Access is denied" error and my VPN dropped ~50 times so... Can I send you the IPv4 of the THMJMP1 or my VPN Access IP and folder name so that you can free up some space for other people?
Hey, so some of the files are locked since they are actively mounted, but we do have an additional script that should kick in once a day to also flush the mounts. The cleanup there is just to make sure you teach good practices of cleanup during assessments 😉
anybody else having issues connecting? I tried my own machine and the attackbox and dns or ping don't go through. Already regenerated the vpn file
did you setup DNS as it says on the start of the room?
yes i tried in my box and attackbox. dns and ping were not working
did you restart the system module 2 times
i tried restarting it a couple times yea
hmmm
Hi, my browser isn't able to resolve ntlmauth, due to some certificate issue :
Try it with Chrome...
Hello guys
I'm using my local machine and can't seem to download the LiteTouchPE_x64.wim file and it just gets stuck on this one, the bcd conf file is available and working tho, any help would be appreciated :)
it just downloaded
it takes a good amount of time to download those files as they are really big
must be a big file
yeh
This download will take a while since you are downloading a fully bootable and configured Windows image. Maybe stretch your legs and grab a glass of water while you wait.
takes around 200-400 seconds, depending on your internet speed
188 seconds for me
and it's not on your internet connection
it's all happening in the remote machines connection
oh yeah, you could also download it to local
Any advice regarding configuring our LDAP server for task 4? I am using this file as given by the terminal:
My LDAP is complaining
```
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
ldap_sasl_interactive_bind: Authentication method not supported (7)
additional info: SASL(-4): no mechanism available: security flags do not match required
```
This is the output of http://printer.za.tryhackme.com/settings
Am I missing something obvious?
On a local kali, will try attackbox
Did you add the server to the nameserver?
needed to replace eth0 with tun0 & wait a bit
ty @paper laurel
Gave +1 Rep to @paper laurel
❤️
/etc/resolv.conf
replace the nameserver with the IP.
That last message was for you.
Got the same issue here
essentially
make sure your TCPdump command is using the interface of your interface connected to the network (if you're VPN this is probably tun0)
If I remove the first line the server sets up however when checking to see if the downgrade works it shows just dn: then nothing
Starting from the top
Created a file called olcSaslSecProps.ldif
Set up the server with the DNS names etc
go to use sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
then get the error
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind: Authentication method not supported (7)
additional info: SASL(-4): no mechanism available: security flags do not match required
using ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms gives me the output of dn: then nothing
Sorry, sent that a little too early
that's perfectly fine, and should mean that your ldap server is working
I thought this was an issue however ?
ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
dn:
As the room output shows the config file as different?
Sorry for all the stupid questions first time doing this with slapd
Run this command:
sudo tcpdump -SX -i tun0 tcp port 389
and go to the printer settings and plug your tun0 ip into the Server
and press send settings
Next step just wanted to ensure the server was configured correctly
yeah, it happens sometimes that they don't show up, but it should work either way, it can be bugged with that
Arh thanks mate! much appreciated !
but if you don't get the error message This distinguished name contains invalid syntax on the website when pressing test settings, then the ldap is wrong
Got it thank you! Well I just spent 2 hours reading up on ldap and how to get it working on linux all for it to be okay...
that happens sometimes, been there before
Final question: any idea on the syntax used to find the authentication mechanism? Tried this: ldapsearch -H ldap:// -x -LLL -s base -b "" authentication but no dice. Struggling to find any documentation on it, if anyone has any links?
sorry, what do you mean? 😄
Sorry was not clear trying to answer this " What two authentication mechanisms do we allow on our rogue LDAP server to downgrade the authentication and make it clear text?"
that is what it should show when doing the ldapsearch command, but because it's bugged just go up in the room and read the terminal on the site
what does it show after the ldapsearch command
Arh I thought it was something that was specific to the install. Thanks!
no worries
😎
I'm having the same problem. I get a feeling that the IPs showing in the diagram are faulty as well; they do not represent the actuals. When I instead pinged the "old" IP I got a reply. I'm stuck at "Authentication Relays" and can not get further. Something seems quite off with the room unluckily.
The hash takes about 10 minutes to come through when you're listening with responder
IPs in the diagram were accurate for me
double check that the network isn't sleeping (refresh the page and view the status to confirm)
also, the network needs to reset to apply patches as of last night iirc
it says "Running" so don't think that is the problem mate. Having problem from both the attackbox and my local VM.
so if you can, maybe worth seeing if you can help vote to reset
done that as well. 22/54 😄
the IPs shouldn't change unless you're placed into a network by leaving and re-joining the room manually
I'll look at the status of your network on our side
10.200.22?
of. left the room and now rejoining. getting a new set of IPs
yes that is likely to place you on a different network
it depends on how much space there is in other networks. Networks have a certain amount of users per network(:
maybe you'll have better luck with the new subnet
understand 🙂
nah, same thing there. 4/8 who vote. things ain't working that well 😄
can you give me the full IP address of a machine that you see on the network map?
I'll check the status on our side when I'm back at my PC
I'm currently cycling
10.200.47.101, that is the DC
also some screenshots of what you see in the terminal/what you think is wrong would be useful (:
!docs verify
Enjoy the cycling. I will give up for now, not getting any longer with this room at the moment. Later mate
and thanks for the help
generated a new VPN file.
from my own kali VM I get at least a ping response from THMDC, but the DNS queries are not working. I have made the changes in the resolver conf file.
from the attackbox, nothing works. not ping or DNS.
I checked the VPN file. Everything there was working as expected including both ICMP and DNS. Provide your subnet according to your diagram and I'll see if we can debug further. But the network seems up and stable
it works now for me, maybe it was full yesterday
ip shows same as before
ok. now it kicked in. can't really say what I did that caused a difference. But Responder provided me with the hash both on the AttackBox and my Kali. Thx guys... but this mostly felt like a "ghost in the machine" for me.
The next issue, from Attackbox and Kali Linux:
root@ip-10-10-87-45:~# systemctl restart systemd-resolved
root@ip-10-10-87-45:~# nslookup thmdc.za.tryhackme.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: thmdc.za.tryhackme.com
Address: 10.200.47.101
root@ip-10-10-87-45:~# ssh thm@THMJMP1.za.tryhackme.com
ssh: Could not resolve hostname thmjmp1.za.tryhackme.com: Temporary failure in name resolution
root@ip-10-10-87-45:~#
root@ip-10-10-87-45:~# ssh thm@THMJMP1.za.tryhackme.com
ssh: Could not resolve hostname thmjmp1.za.tryhackme.com: Temporary failure in name resolution
root@ip-10-10-87-45:~# ssh thm@THMJMP1.za.tryhackme.com
ssh: Could not resolve hostname thmjmp1.za.tryhackme.com: Name or service not known
root@ip-10-10-87-45:~# nslookup thmdc.za.tryhackme.com
Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find thmdc.za.tryhackme.com: NXDOMAIN
suddenly the name resolution on the attackbox stops working. and on the Kali VM I don't get it to work at all :/
From the Kali VM ssh could be established by IP instead ofc, but when connecting to the machine it hangs for a couple of minutes and comes back and I can type in one command and the same thing over and over
seems borked
attack box wasn't even working today for me but own box all good
the dns i mean
also on pxeboot steps of cleanup user doesn't have permission to delete the files
yes. the DNS is not working as it should.
and I am on that stage now, the MDT stuff. can't even navigate to the web page 🙂
and for an Active Directory infrastructure that is everything. If the DNS is not working correctly, well then all the other stuff will suffer as well 🙂 done my years of troubleshooting, designing and operating AD's 🙂
A tip for those who are running into DNS trouble. Use the IP when possible to get further in the tasks. I used it for "Microsoft Deployment Toolkit" and "Configuration Files". The DNS started working for a while so I got the chance to get the BCD-file name.
all in all a fun room besides the DNS hustle.
thanks all for the support and help though 🙂
Done it all.
A few issues along the way with DNS but a really well put together lab thank you for this!
agree @delicate jay!
Sorry I was away for the afternoon. I'll investigate what is happening with the DNS there. But hard to replicate since it seems stable. I'll ask the team to drop me in a couple different networks and run some tests to see if I can replicate the issue.
TL;DR The DNS struggle is real, but solving it yourself is also a valuable lesson to learn for attacking AD.
I think it is important to create a distinction. The DNS in the network works. 100%. If you run a DNS command from any of the domain-joined machines, it works perfectly. So there is nothing wrong with the actual configuration of the DNS.
Where the issue lies, is in the configuration of, us the attacker, trying to configure DNS to also work for us, from our Unix and non-domain joined machines. Which is always a pain, but part of the necessary evil if you want to do security testing against AD environments.
While the THM team is trying to make it simpler for the AttackBox to connect and resolve DNS in the network through a new patch we are testing this weekend, on the other hand, having to battle with and solve DNS issues is part of the required learning curve to attack Active Directory. I can count on one hand the number of security assessments where the DNS "just worked out of the box" when I was testing against AD estates. I can't really go to the client and tell them their DNS is not working, because it is. It is just not working for me, the security consultant, and I had to learn to solve that problem in order to be able to attack their AD estate.
Especially for something like Breaching AD during a red team, often we would do social engineering to get access to a boardroom or meeting room and plug into the network. At that point, we have almost zero knowledge of the network and would have to figure things out like the FQDN, DNS, etc. On a red team, you can't really call the client and ask for help at that moment.
All that being said, I want this module to focus on learning AD, so we at THM want to make the learning experience as seamless as possible, which is why we are still trying to make DNS easier. Especially on the AttackBox. Just know that you won't usually be afforded this luxury on an actual red team in most circumstances.
@dense cedar is the Breaching AD lab currently down?
If it's been longer than 3 days since you started, you'll need to rejoin the room.
Otherwise it's running. 🙂
Is it possible to do privilege escalation on the THMDC machine?
Try it?
eh, it might be discouraged but who knows
So where does the Breaching-AD task end?
any idea what I'm doing wrong?
no
!docs verify
you'll have to verify to share ss
For some reason I'm not getting the expected output for the LDAP server when running
`sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart`
yeah, that happened with me too
but it works out alright in the end, just carry on :)
cool deal. thanks mate
@young vale how many times did you press "Test-Settings" before getting back output?
gotcha
@young vale about how long until you caught data using tcpdump on port 389?
you've messed something up in your setup if you're still waiting
seems that way... hmm
do you get a regular callback with nc -lp 389?
no.... which I think might explain some issues to begin with
yeah, there are likely some config issues on your end
mayyyybbbeee the network needs a reset but unlikely
cough cough..... um yea 😂
I should learn how to read.
Not sure if this is a common error but I'm unable to GET the bcd file from thmmdt server. Does anyone have any advice?
I think there is something wrong with the PXE server
Nice room, learned a lot! Keep up the good work. Had to do a bit of troubleshooting in the beginning, but after that everything went smoothly. If someone else is having issues, I can recommend regenerating the .ovpn file
Same, it does not work for me.
Still trying to figure it out lol. No luck
I pinged THMMDT, it works. I tried to use tftp 10.200.X.202 many times but connect request failed after reset. 🤷♂️
It's working for me now
Yeah, me too.
@dense cedar Cool room and I completed this 🙂
tried cleaning up my files but it wouldn't let me. 😦
@dense cedar Thanks for sharing this awesome room! Great stuff!!
@dense cedar do we get extra points if we pwn the DC?
DC is out of scope for Breaching AD 😉 But congrats! You will have a go at full root domain compromise in Exploiting AD.
That IP does not look correct? 125 is an internet IP. It should point to the IP in your network diagram. Looking at the screenshot, you are using Kali, meaning you should follow the Kali step in Task 1. Can you give that a go?
Sometimes my reach far exceeds my grasp.
Out of interest, which path worked for you? Creds or something else?