#enumerating-ad

In my limited experience, older versions work better

May need to try 4.1👌

thank you @ebon adder

Gave +1 Rep to @ebon adder

Can someone do the last reset for Enum AD lab please.

there's multiple instances tho, you have to specify your subnet

The DC ip is 10.200.67.101

Nice, I'm in that one

Thnx man

hey man

hey guys I've been having issues with importing the users.json file into the bloodhound. I was able to use scp to copy the .zip file from windows machine to mine but then when I imported all the json files, the users.json just hang in there and said that there is no data?? any help will be appreciated. (version of Bloodhound is 4.1.0)

Is it always guaranteed to have at least one ticket in the cmd session on the initial foothold?

From the provided queries you can list the node (it could be computer, user or any) and then click it. This will populate all the information in context of that node here

Are you using the same version of collectors and bloodhound?

Just confirming that it will not work in SYSVOL, because the CIFS is running as the DC machine account, not the local user on the DC machine.

Forcing NTLM authentication is a good trick to have in the book to avoid detection in these cases.

To make it work, we need to have the DSRM hash

Yo guys,

In the Enumerating Active Directory, TASK 2 Credential Injection:
Idk what I am suppose to write for -Name in command

$index = Get-NetAdapter -Name 'Ethernet' | Select-Object -ExpandProperty 'ifIndex'
Because, in the end, when I go with: nslookup za.tryhackme.com I get:
Server: UnKnown
Address: 2a00:cf00:0:4:ffff:ffff:ffafaf

*** UnKnown can't find za.tryhackme.com: Non-existent domain

did you change /etc/systemd/resolved.conf ?

Commands that I wrote is inserted from PowerShell from my own Windows machine which I am using rn. resolved.conf file I changed in AttackBox

Yes, nslookup in attackbox works fine

runas.exe /netonly /user:<domain><username> cmd.exe

^
|

for the <domain> I inserted "za.tryhackme.com" is that good?

Run the Get-NetAdapter to list the adapters first

Yes, I did it rn. Ethernet is name

But I still get same error

for domain name I inserter za.tryhackme.com

Although i completed the room w/o setting dns. It is actually not required i guess you can skip if

Try to ping za.tryhackme.com, it should work

Ping request could not find host za.tryhackme.com. Please check the name and try again.

after using ping za.tryhackme.com

Are you doing this on the cmd of thmjmp or pwsh on your linux host?

On my local Windows that I am using now I inserted runas.exe /netonly /user:<domain><username> cmd.exe

And when other CMD popped Up I open powershell with "powershell" command

then I setup this:

$dnsip = "<DC IP>"
$index = Get-NetAdapter -Name 'Ethernet' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip

I am doing all of this on my own Windows host

Gotcha, sorry cant help you here

Thanks anyway 🙂

but

where I am supposed to write all of this?

on my own Windows machine, right?

sry for @, idk if you saw my questions 😅

Do I need to insert this

$dnsip = "<DC IP>"
$index = Get-NetAdapter -Name 'Ethernet' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip

while I am in CMD with user credentials? After opening PowerShell with "powershell" command?

Get-NetAdapter is powershell cmdlet, it will not work in the cmd

This is only if you are actually using your own Windows VM for performing the enumeration techniques, there is a note that explains those steps are only for that specific case. It is mentioned since if you do perform actual AD testing out there, you do really need a windows VM to perform a lot of the tasks.

I realised mistakes. Thanks. Room is a little bit hard to undetstand tbh. By the way, when you say "It is mentioned since if you do perform actual AD testing out there, you do really need a windows VM to perform a lot of the tasks.", do you mean on performing a real Enumerating of AD that you want to attack?

Gave +1 Rep to @ebon adder

Not attack, but if you were doing a sanctioned security assessment. Such as an organisation paying for an assessment to have their AD reviewed. Having a Windows VM to host some tools will make your life significantly easier

understood. Salute!

Will these AD rooms be taken down in 2 days? I see this notice at the top of these rooms that says I only have 2 days left of access

The join to the room will expire, but you can re-join the room freely. This is to keep the network user allocation pool consist of active users, which saves on the amount of active network subnets. 🙂

Ah okay, thanks 🙂

Hello

I'm doing this room

And I'm having authentication failure on neo4j

Neo4j is username/passwd

Any idea ?

No one? 🙃

Ok thanks anyway

You might've changed the password and forgot

When you first login to neo4j, you prompted to change your password and you might've forgotten what you set it to

If that doesn't work just reinstall the package, assuming you don't have any important data you need to keep in neo

Yeah reinstalling the package might help
Thanks for the advice mate 👍👍

Gave +1 Rep to @prime wolf

You will need to use apt prune instead of apt remove to delete the database folder of the neo4j

@olive solstice Default credentials will not work with bloodhound, you'll have to change'em

Anyon else having trouble with the network performance at the moment - super slugish SSH connections and RDP as well ?

Would be happy if two guys would vote for a reset 😄

Would help if you mention your subnet.

Thats right - 10.200.58 😄

Hello I can't nslookup since yesterday thmdc.tryhackme.com: NXDOMAIN but i can nslookup za.tryhackme.com, IP is on DNS , localIP is : 10.50.63.171

someone know why?

was on box yesterday doing enumeration with cmd but all of the sudden no more connection and since no more ping or else on thmdc

found it:p

thmdc.tryhackme.com does not look correct, should be thmdc.za.tryhackme.com?

Task 5 Enumeration through PowerShell -> "When was the Tier 2 Admins group created?"

If you are checking created date using PowerView over runas.exe on your own local VM, then the timezone differences will make the answer incorrect! I would suggest to add this information into the Question Hint.

Ah, good catch. @ebon adder Do you want to add that or shall I?

Can you take this one? Good catch thanks for reporting!

Gave +1 Rep to @marble haven

Thanks for reporting!

out of interest, what timezone are you in, and what did that make the value (spoiler tagged if poss)? Feel free to DM me if you don't want to post that info here 🙂

UTC+7
I got

whenChanged                     : 2/25/2022 5:13:48 AM
whenCreated                     : 2/25/2022 4:58:38 AM

On remote SSH (THMJMP1), I see || "2/24/2022 10:04:41 PM"||

If you can spoiler tag that last one, that'd be great 🙂

Brill, thanks 🙂

Gave +1 Rep to @pallid crater

I've added If you remote from your own local machine and it is in a timezone other than UTC+0 you will have to take timezones into account. to the hint 🙂

Im unable to nslookup thmdc.za.tryhackme.com

Any suggestions?

Sorted!

How did you sort it out?

I dont remember now. Its been a while. Sorry

i get this message

What do I do now

Refresh the page, if it persists after a couple minutes, re-launch your VM/attackbox.

I have had to restart my attack box.

It really frustrating

Ah, that's a shame, guessing it expired?

I still had plenty off time, the attack box just stopped responding

ah, sometimes that time isn't accurate, refreshing the page updates it.

Hello for Task 6 bloodhound returns me no data for query when using path for tier 1 admins. I am using attackbox

Mmm, can you confirm that you get the path when you import the task files assigned to the task?

Hello, i would like to use my own windows machine for the task

However, after executing commands in powershell

i can't find the domain

i don't understand. Should i use my Kali VM or my own windows for this room ?

Should i first connect to the tryhackme using .ovpn file from my Windows ?

Using powershell maybe ?

think it wants you to use your own kali vm connected to the vpn and then logon to the networks windows machine using rdp from the kali vm

Ok, i will try that

mmm, that spelling does not look correct:

ohhh, i will try again

Cause connecting through RDP doesn't work also

But how can i see the domain if my windows machine is not connected to VPN

You will either need to run the VPN profile in your hypervisor or directly in your Windows machine. OpenVPN is supported on windows

Thanks @ebon adder

Gave +1 Rep to @ebon adder

Pretty sure someone shut down the jump box

network on this room seems really unstable.
using the attacker box, ping fail half of the time, DNS is working during 2min then fail ...

ping 10.200.49.201
PING 10.200.49.201 (10.200.49.201) 56(84) bytes of data.
64 bytes from 10.200.49.201: icmp_seq=7 ttl=127 time=1.40 ms
64 bytes from 10.200.49.201: icmp_seq=8 ttl=127 time=1.79 ms
64 bytes from 10.200.49.201: icmp_seq=9 ttl=127 time=2.45 ms
64 bytes from 10.200.49.201: icmp_seq=10 ttl=127 time=1.38 ms
64 bytes from 10.200.49.201: icmp_seq=11 ttl=127 time=1.52 ms
64 bytes from 10.200.49.201: icmp_seq=20 ttl=127 time=1.27 ms
64 bytes from 10.200.49.201: icmp_seq=21 ttl=127 time=1.48 ms
64 bytes from 10.200.49.201: icmp_seq=22 ttl=127 time=1.35 ms
64 bytes from 10.200.49.201: icmp_seq=23 ttl=127 time=1.41 ms
64 bytes from 10.200.49.201: icmp_seq=24 ttl=127 time=1.38 ms
^C
--- 10.200.49.201 ping statistics ---
29 packets transmitted, 10 received, 65% packet loss, time 28404ms
rtt min/avg/max/mdev = 1.274/1.547/2.455/0.333 ms

65% packet loss ...

nslookup thmdc.za.tryhackme.com
Server:        127.0.0.53
Address:    127.0.0.53#53

** server can't find thmdc.za.tryhackme.com: NXDOMAIN

then few minutes later, it works

nslookup thmdc.za.tryhackme.com
Server:        127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
Name:    thmdc.za.tryhackme.com
Address: 10.200.49.101

first time doing an smb exploit. after using smbclient, how do I know that I can use the username anonymous? Is it because under Username theres "none"?

hey , how many time did you have to wait to its works

@foggy garden
it never worked: D
i had to run ssh, quickly exec commands, then 2 min after, ssh connexion stop working.
network seems to be unstable. maybe to much people on thm today ...

I would like finish dat 2day, but whatever

The network itself is hosted in AWS so that is fairly stable. This seems to be more 'n vpn/Internet connecting to the network issue. Any chance you can try from another Internet line and see if it increases stability?

@ebon adder , i'am not launching command line from my computer, i'am launching it from the provided attackbox itself.

Can you run ip a and see if there are multiple vpn's running? If there's more than one 10.50.x.x IP then you may want to exit the other networks you've done in the last couple days, as the attackbox will automatically connect to all VPN profiles, and that causes issues.

@marble haven , hmmm .... it sounds very interesting ! i will check it next time, thx a lot !

Gave +1 Rep to @marble haven

Can someone explain the part inside the red marks please? If providing an IP forces the authentication type to be NTLM and organizations are monitoring for OverPass and Pass-The-Hash attacks, wouldn't using NTLM authentication increase my chances of being detected?

You'll really just look like every other auth traffic doing normal Windows network things.

In OverPass-The-Hash attacks, the attacker leverages the NTLM Hash to gain a Kerberos ticket. You can read here:

In order to launch an OverPass the Hash (PtH) attack, adversaries must have first obtained a hash of a valid NTLM or AES hash from LSASS memory on a compromised client system or the domain controller. Whereas that hash is used to authenticate in Pass the Hash attacks, in OverPass the Hash attacks, it is used to submit a signed request to the Kerberos Domain Controller (KDC) for a full Kerberos TGT (Ticket Granting Ticket) or service ticket on behalf of that compromised user. That ticket can provide access to a wide range of services and assets.

So essentially, instead of directly using the NTLM hash for authentication, you use it to gain a Kerberos ticket that is then used for authentication. A lot of EDRs out there, like Microsoft Defender for Identity (MDI) have become quite smart. So it will see the Kerberos ticket attempt, and then try to find the last record of that account authenticating on that device, since we are "cheating" by injecting the credentials into memory, it will not find the specific authentication attempt, hence leading it to raise an OverPass-The-Hash alert. Remember, by injecting into LSASS, there is no WinEventLog event that shows LOGON occurred.

However, Kerberos cannot work with IPs. So if we use IPs for our commands, then we can force NTLM authentication instead of Kerberos authentication, which will look absolutely normal, since this could be the user authenticating to a network share for example, hence it bypasses the MDI alert in this instance.

It is a lot more nuanced, but that is the gist of it. Really super interesting to setup a lab for yourself and play around with these techniques to see what logs get generated. Can really help with a lot of evasion techniques.

Anyone else experiencing connection issues? First I couldn't connect with the adenumeration ovpn key despite being able to connect with my normal thm ovpn key. I have premium so I decided I would just switch to the attack box, although I cant ping anything and nslookup fails to reference the thmdc despite being added to the resolved.conf file. I have also reset the network as well.

Can you please try to regenerate your VPN profile? We deployed a patch to all VPN servers yesterday

Yes, I had also tried that during the troubleshooting process. I’ll try again today though

is thmdc.za.tryhackme.com fine now?
I was doing tasks and got disconnected from ssh/rdp suddenly and can't get back.

who could share me his windows server machine with ad for vbox

You can go download these at a lot of different locations?

These are the images used in the AD labs: https://app.vagrantup.com/rgl/boxes/windows-server-2019-standard-amd64

point some

i see

It might help for you to specify your subnet so user's know which network you are talking about

Any quick google should find you more

okay thanks

Gave +1 Rep to @ebon adder

Now it's working. Did nothing.
Left room for 5 hours. Closed VM. :]

Having Issues.

• Connected to VPN
• Added DNS to my kali local box
• Able to resolve
• Cant connect to RDP at all using the creds provided by distributor

I have confirmed i am connected via VPN and DNS is working as i can access distributor.za.tryhackme.com

Not sure what to do.

SSH is working however, need rdp for the first task

Hi guys, i've some trouble in the DNS config

Can you perhaps make your domain just za and see what ahppens? Otherwise, can you try xfreerdp?

You will have to provide more verbose feedback on the issue if you want assistance

Thanks, i've done

Gave +1 Rep to @ebon adder

The machine was died?

Kick me out from RDP, and now if i try to resolve by nslookup it tell me "communcations error to 10.200.76.101"

If i ping it --> Destination Host Unreachable

Is ICMP disabled?

If the machine died and you can't ping it then 9 times out of 10 the network reached timeout. You should refresh the page and click Start again. If you unfortunately clicked Extend, then you brick the network. This is a known issue that is being fixed.

I didn't click on extend.. i hope ahahha

But still nothing, i tried to reset also

Sadly you are not the only person in the network, any of the other user's could brick the network upon timeout 😬 . Refresh your page, inspect element to re-enable the Start button and click it. Is that doesn't work will have to wait a bit for the brick to clear sadly. Hopefully they have a patch for it soon

Having a bit of trouble reaching ZA from my host machine. It has no problem finding it through nslookup, however the domain name is unavailable when trying to ping/SSH

Is it because My PC is not domain-joined?

I wonder if this is the issue, however I just spooled it up. It hasn't been running, if I'm not mistaken.

I'll probably need to do this from THMJMP1... I don't fully understand Domains, yet.

I'm guessing it's because i'm not part of their network. Maybe i'm a dummy

All good, yeah I wanted to say, if nslookup works, then the network should be live and working. Only when it is not, then we resort to using ping to test the network 🙂

Ping cannot find the host.

Nor can SSH

So, it's a little confusing, considering nslookup finds it.

You mean THMJMP?

anything. DC, Jump...

Your previous screenshot showed that it worked?

Run nmap -p22,3389 10.200.56.101 -Pn and send the output

Running from my Win Host? I'll have to find the win version.

Am I wrong to assume that I can join from my Host OS (Windows 10)?

Your nslookup is working, cause it is telling me that thmdc sits on 10.200.56.101. So I don't think it is a network error (yet).

But why your ping doesn't work I'm unsure.

Can you perhaps run ipconfig /all and get the output for your VPN interface and send it here please?

So you may have couple extra steps, but you should be able to do this. Usually however for actual AD pentests, it is good practice to use a windows VM. So you can keep it clean of results between assessments

OpenVPN seems to be acting up. Connecting/Disconnecting, repetitively ... It wasn't doing this previously.

Sheesh

Are you running the AttackBox or another VPN connection somewhere? If so, that would cause it.

Or whatever the problem is, just regenerating your VPN file should fix it.

Unless you are having Internet issues, then your are in for a bad time sadly

ahhh... yes

So constant VPN reconnect would also afffect your DNS

Here we are:

Unknown adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9 for OpenVPN Connect
   Physical Address. . . . . . . . . : 00-FF-71-7E-81-16
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::d07e:2a27:2d53:b893%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.50.54.54(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 201391985
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2A-C6-97-34-3C-18-A0-1B-9C-3C
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

I had tried from Linux and left tun running by mistake. But now, here's my adapter on Windows:

I don't see DNS configured for that interface? Where did you configure DNS?

You should have 10.200.56.101 as your DNS server

Maybe on your ethernet adapter then?

I'll need to repeat the DNS steps again

Yeah I wasn't seeing DNS on that interface

Perhaps I need a system restart

Is your network still running?

Can you run ping 10.200.56.101for me?

It is up, at least "internet"

Does that ping work?

It does not.

Then the network is down...

well, that's odd... It says "running <time>" even after refresh

Yeah but see messages I've posted before this thread about the network brick. Then it is most likely that. How much time left on the network?

1h 18m

Do you mean to say this particular net is borked?

That's gonna be a while... But what gets me is in your first screenshots the network was live? Can you send me your VPN file? Just want to run a couple tests quickly

sure. one sec

That's what's confusing me as well.

"It's always DNS"... apparently not. xD

jk

I'm completely stumped. @pearl cave ?

Or anyone else.

Same result from my main host:

Setting DNS to thmdc.za.tryhackme.com. -> Ping request could not find host thmdc.za.tryhackme.com. Please check the name and try again. It will respond by pinging the IP but not the FQDN.

My hosts do not want to resolve names from za.thm

and the network is "Up and running", air-quotes

I'm in doubt about a question, How would you activate a script from the nmap script library would anyone know answer me

--script=<name.nse> ?

If that's what you mean...

hi all

i'm on bloodhound. so i ran Sharphound on target system and managed to obtain the zipped file. however, when i uploaded the json files on bloodhound, i got this.

seems like something is wrong. 0 number of users?

i did this twice alrdy and obtained the same results. can anyone help

hi all, i just did it for the third time and i'm getting the same outcome.

sharphound results

Did you try to refresh the database stats under "Database Info" tab ? (It is at the bottom)

oh i haven't

will try again.

tanks

i pressed on refresh but numbers r still the same

i have been facing the same issue with my commando vm. Were you able to resolve the problem?

Unfortunately, no. I've been experiencing similar problems in other rooms as well.

Part of domain, yet cannot reach DC. DNS doesn't behave either.

Set-DnsClientServerAddress seems to not work properly. I cannot figure it out.

They may not be mutually exclusive

I'm also in the active directory certificates room and it's the same issue. Posted in #site-support

I'm trying to remain patient. I don't have control over these boxes.

Other people claim it's fine for them.

#site-support message

hi can anyone help pls

Hi All, I'm having trouble with the syntax to RDP into THMJMP1. Is someone able to shed some light on this? Thanks!!

I'm connected and have my set of valid credentials that I can successfully SSH with. I'm using rdesktop but with no luck

Did you ever find a solution to this? Same issue for me.

@untold thunder , I downloaded the files in the end.

From the THM portal， bloodhound task

Hi everybody,
I start to learn AD and I have one question related to bloodhound output.
As stated in room itself:

• Local Admin Rights - Provides information on domain-joined hosts where the account has administrative privileges.
• Execution Rights - Provides information on special privileges such as the ability to RDP into a machine.

Although in the first task of room there is an instruction to join via the RDP to the THMJMP1 that is domain-joined machine itself, the output of bloodhound shows that there is no RDP ability of your user in "Execution Rights" category.

Moreover the same user (generated by the given webpage) has an administrative rights on THMJMP1 which is domain-joined machine but still there is nothing on BloodHound "Local Admin Rights" category.

Could someone give me a clear explanation what is wrong? Maybe I got something wrong??

P.S I could not attach an image itself so I drop the link
https://imgur.com/a/ZI68vNp

anyone with these ip ranges, :-; can you hit reset? 0-0 None of the system is actually up.

I have a challenge reaching the DC in this room

I have set up everything as mentioned in the room but l still can't reach it

I also the tried it using the attack box, still nothing😞

Are you using the attackbox or vm?

I know you listed both.

Hi guys.
I'm not that active on Discord, but just read through some of the problems people have described above. I got the network to work pretty consistently though the dns server is a bit sluggish - guessing it's because it's on udp.
I've reached the end task, about BloodHound. I got most of it to work l, though can't get the last part, where you have to trace the route to the tier 1 admin.
I need help 🙂
I'm doing the Enumerating at Task 6 Enumeration through Bloodhound.
At the end of the task, using Bloodhound, I cant get the enumerated attack path to show, like the one in the task description. Has anyone else had this problem.
I'm using the Attackbox and version 4.1.0 for Bloodhound.

OMG I'm such a noob 😄 ... finally saw the attached "bhsessioninjection" zip 😄
Injecting this into BloodHound made it work 😄
I wasted so much life on this one.

I had some trouble as well. Though after the network restarted it worked pretty consistently. I used a Windows 10 VM for most of this room, and occasionally the AttackBox

anyone know what the issue with setting up the DNS here is? I'm following what it says on the website. it's in task 2 of enum ad

nevermind, i figured out the issue

i was reading the page as one big line, since my screen is half size it looked like that instead of two

By the way, what does "9 days of access left" actually mean?

Regarding a room in a module

hi, is there any problem with the enum-ad net?

I have been kicked out from RDP and I'm not able to ping the THMIIS machine anymore

solved...

does running enum4linux under WSL2 (ubuntu) cause problems to anyone's knowledge? I have samba-client installed as well as polenum and ldap-utils, but when running I get errors at the start:
WARNING: polenum is not in your path. Check that package is installed and your PATH is sane.
WARNING: ldapsearch is not in your path. Check that package is installed and your PATH is sane.

where can I possibly check/correct the sanity of these paths?

I am using under WSL for a temporary reason and have no access to the full ubuntu OS, and when I try to do the challenge on network services I cannot retrieve the OS information because it states:

cant get OS info with smbclient

and also:

No response using rpcclient querydispinfo
No response using rpcclient enumdomusers

been poking at this for a while now but I get the gist of the tool, would like to move on vs investigate the workings on WSL

its concerning the last 3 questions from "Enumerating SMB" that i cannot answer for this reason

Hey how did you solve this? I was in this room yesterday with no issues. Wanted to continue today but can't ping the DC or set my DNS anymore

Just check that the time isn't expired. You may need to restart the lab in that case

oh I see, nah the network state is still running unfortunately

it's very strange

it is, I just solved in that way or possibly make sure that network manager isn't overwriting the resolv.conf file

right, but I can't even ping the DC IP directly, I'm getting a destination host unreachable

so even if my resolv is getting overwritten automatically, at least pinging should work right?

yes it should as far as the VPN its up

gonna restart the attack box and see if that changes anything

thanks for the quick response!

you're welcome happy to help

Hi all, anyone having issue with the DNS ? I'm connected to the the network, I can ping the THMDC IP, I have set up the DNS server to the THMDC IP, I restarted NetworkManager but I still can't resolve thmdc.za.tryhackme.com

Hello guys, I just started the room "Active Directory Enumeration" but I see at the top left of this room the creator and below this one a timer that says "9 days of access left", I went to see on the other modules on the AD, and the same I see timers. does this mean that at the end of the timer we will no longer be able to access it? Thank you for your answers

Hi guys,
i got stuck on Enumration AD, task 3
whether is RDP or SSH on THMJP1, the connection keeps tearing down (not the VPN) so I can do nothing ! i am facing the issue from my kali as well as THM KaliBox
i managed to make dns working (my kali) so it dosen't seem to be related to a dns issue
below the error msg i got via THM KaliBox :
SSL_read: I/O error: Connection reset by peer (104)
Failed to check FreeRDP file descriptor

does anyone come across this issue ?
could yoy help me out because, I spent 3 days on it whitout making progress !
the lab was reset though still the same instability...

I'm currently RDP'd to the jumpbox and playing around with MMC and the AD snapins. It is working flawlessly.

Hi, thank you i'll test again but for me it was disconnecting very often...
i assume that you used the following cmd to RDP into the Jumpbox :
xfreerdp /u:firstname.lastname /p:pwd /v:ip

Gave +1 Rep to @brave bear

I also include the domain option for xfreerdp, /d:za.tryhackme.com, and I specify the hostname in the /v:. My complete command xfreerdp /log-level:OFF /w:1600 /h:1024 /v:thmjmp1.za.tryhackme.com /d:za.tryhackme.com /u:firstname.lastname /p:password

Thank you very much, i forgot to specify the domain as stated in the task 😤
so far is working just fine !!

Gave +1 Rep to @brave bear

i struggled to make it working from my kali but now it seems all good !

The network associated with the room appears to have fallen over and cannot get back up. Cannot ping thmdc from attackbox. Email sent to support.

...and its back

is there anybody to good at domain controller and ad (windows machine)

it's happening again fwiw

room says network is up, but nothing is reachable

I left it and came back to it. It had restarted and I could continue.

my god anybody got a problem on bloodhound?

i used 4.1.0 still having problems

I even used attackbox with the lower version of neo4j and still having problems when doing the start and end target section

I am having huge issues with RPD and DNS on my VM.
I have set additional DNS servers to the labs IP and the googles DNS. However I cannot connect to the THMJMP1.za.tryhackme.com If I do a dns look up it will sometimes give me the IP, using the thmdc DNS server, and somtimes it will use google's DNS. If I try to RDP to the target domain name, it loads for a very long time, and then "cannot find it", if I try to RPD to the targets IP, I get connected, but I keep disconnecing, reconnecting etc. I am not connected to a VPN on my host.

My network settings ^

DNS lookups that keep using different servers

This is what happends when I RPD to the target using it's ip address instead of domain name

RPDing to the domain

try to edit /etc/resolv.conf file

add the DC IP there

It still does this weird thing, that it randomly goes over to google's DNS

which is why, I assume, I keep dcing because I keep losing connection

try to not to use 8.8.8.8

just the DC IP Only

Yeah that works, but now my VM does not have internett

like, I just don't understand why my other settings did not work. Everyone else seem to be able to do it like that

have you tried putting in your router's gateway

it might also help instead of google dns

i'll try that, but now I am getting this error while RPDing

can you ping the jmp1 ?

yeah

This is kinda crazy, I really wanna use my VM because the attackbox is super slow and you cannot copy paste stuff, so annoying

for the attackbox, open it to a new tab

and then try to copy something and then go back to the other tab where attackbox is on..there should be a prompt on your browser that will allow you to copy paste stuff

nevermind, finally made it worked. I also put the zip file included on the task

Fixing it was: Waiting for the network to reset and instal a brand new VM

what VM are you using btw? Have you tried setting your VM to bridged network instead of NAT?

Kali, I had bridge on my old one. The new one is NAT only

Is the system even up? Been working on it for a few hours then all of a sudden nothing despite pressing start 15mins ago

Can't ping the DC by IP so either tunnel or host

Hey! I am using bloodhound, in the enumerating AD room. I run the same version of bloodhound as the task says(4.1.0), however when I try to "find a path" from my user to a target, it gives the error "No data returned from query

I also get a shit ton of errors now that I am re-running the Sharphound.exe

If you look at the error, most likely the network stopped since it seems to not be able to hit the DC

Can you import the data from the task file? The primary issue is that the path relies on a user having a session, this data can be different depending on when you execute BH as explained in the task. So if you import the data from the task file, that was a Sharphound execution at a time that could grab the session data

yeah, that was what I ended up doing. I just used the task file and solved the lab with that 😛

Debugging your initial connection to the network.

As mentioned when the networks released, DNS is a part of AD testing whether you like it or not. This is because one of the two major AD authentication protocols, Keberos, relies on DNS to create tickets. Tickets cannot be associated with IPs, so DNS is a must.

If you are going to test AD networks on security assessment, you will have to equip yourself with the skills required to solve DNS. You therefore have two options:

• Hardcode entries in your /etc/hosts file - Works great, but on a network of 10000 hosts probably not the way to go
• Actually fix your DNS to point to the name servers in the network - Harder to do, but in the long run yields good results

Whenever a task is not working for you, your first thought should be: "Is my DNS working?" I've personally wasted countless hours on assessments wondering why my tooling is not working, only to realise my DNS has changed. 99% of the time, it's DNS.

How to connect your DNS to the THM AD network:

1. Follow the steps provided in the initial task on DNS configuration - If you use a different OS that AttackBox or Kali, you are probably going to have to google your equivalent configuration
2. Run ping <THM DC IP> - This will verify that the network is actually live. If you get no response, chances are your network is not started or in the "bricked mode" (see below) state
3. Run nslookup tryhackme.com <THM DC IP> - This will verify that the THM Name server is active. If the PING worked but this does not, time to contact support here since something is wrong. I'd also suggest hitting the network reset button
4. Run nslookup tryhackme.com - If the first nslookup command worked, but this second one does not, you did something wrong with your DNS configuration and need to go back to step 1.

These AD networks are rated medium, which means if you just joined THM, this is probably not where you should start your learning journey. AD is massive, and you will need to apply the mindset of "figuring stuff out" if you want to make a success of testing it. However, if above all it still fails for you, please be as descriptive on what your are trying and doing to enable support to help you as efficiently as possible.

Network Bricked Mode state

If you are unable to ping the DC, but the network on your network diagram shows that the network is started, your network has probably entered the "bricked state"

What has happened?

One of the users in your network subnet clicked on the UI "Extend" button when the network timer reached zero. This causes a bug where the backend thinks that they network is still live, but in fact it is not.

What can you do?

The best thing to do is to wait until the network time expires, then press the "Start" button again. However, you can also attempt a bypass, which does sometimes work:

1. Refresh your network THM room page
2. Right click on the Start button and say inspect element
3. Remove the disabled state from the HTML button
4. Click the Start button

In certain cases, this can help to resync the backend, so give it 5 minutes to see if that worked for you. Otherwise, we are back to square one about waiting for the network time to expire.

I'm on the EnumerateAD room and trying to RDP into THMJMP1 using rdesktop, but I get the following error "CredSSP required by server", anyone have a hint?

stupid question::
systemd-resolve --interface enumad --set-dns xx.xx.xx.xx --set-domain za.tryhackme.com

my kali unable to understand system-resolve command
cant i update this DC ip inside my /etc/hosts or /etc/resolv.conf to reach this network

That command is for the THM AttackBox, there's a section below in Task 1 covering what to do when using Kali as your attacking machine. 🙂

set here right...

I’m currently in this room, but still seems like I know nothing about Active Directory

Is the lab network working fine? For me it keeps starting and stopping, can't work

Hhjsjs

Hi all, it is a bit related to this network, is it possible to run responder via a tunnel? I have a compromised linux system which has access to the internal domain (and DC), but I cannot run responder on the linux host because it is missing a lot of dependencies. Hence I want to tunnel or port forward the responder, is that possible?

sure - just do a dynamic port forward - something like this: ssh -N -D 127.0.0.1:9001 user@TARGETIP -p SSH-PORT -vv
in this case you should have port 9001 in your proxychains.cnf

after that you should be able to run responder via proxychains

please note that this is operating on osi layer 3/4 - if responder is using arp stuff and something like that which operates on osi layer 2, this is not going to work

Hello, i am doing the Network services room and in Task 3 'Enumerating SMB' i can't seem to give the "correct" response to question no 2 . Even if i am pretty sure of my response [xx9/txx] , i get an error message when i submit it..
Anyone knows why?

Thanks man lol, I could have never remembered that there is a zip file 😛

Gave +1 Rep to @vapid venture

I think I got this error when I ran it with runas.exe, without it, on the thmjmpbox, it works fine.

Anyone having issues with lab DNS? Restarted my attack box three times and ran through the commands each time with no luck.

Also pinging DC returns zilch but don't know if that is an intended firewall thing.

hello everyone i have bought pen 200 (oscp) and i am doing pronving grounds play and practice before this i have done good amount of ctf machines on hacthebox i have experience and i will gave exam in 2.5 months so i want a partner to study with me but not beginner if anyone interested so please message me 🙂

Interested

what is the difference between using ffuf and using gobuster to enumerate? I recently got introduced to ffuf through a lesson and they seem to be the same

Fun network! Thanks @ebon adder Off to Lateral

Gave +1 Rep to @ebon adder

That was fast!

I had some experience with the task content, so that helped me carry along. Still picked up a few new things that will come in handy

Always helps! These are meant for introduction to AD. Since it is such a massive field, always more to learn!

Thanks @ebon adder for the room! Even though I have already worked years with AD from an Corp IT Perspective, I never got a chance to look at it from a redteam perspective, very interesting!

Gave +1 Rep to @ebon adder

Glad you are liked it!

@ebon adder Thanks for the great room and help 🙂

Gave +1 Rep to @ebon adder

Glad you liked it!

anyone here having a problem even on attackbox?

even the attackbox cannot resolve the IP of the domain controller

same

same

I cannot connect to adenumearting vpn anyone has same issue?

Do you get a cipher error?

Yes, cipher set to something but missing

the error message tells you what to do --data-ciphers <the one mentioned in the error>

hello, anyone encounter issues with connecting to THMJP1 machine via RDP or SSH ? i keep getting a permission denied error

in the ADenumeration there, there is a comment: /netonly - Since we are not domain-joined, we want to load the credentials for network authentication but not authenticate against a domain controller. So commands executed locally on the computer will run in the context of your standard Windows account, but any network connections will occur using the account specified here.

so whats the difference between network authentication and domain authentication?

It isn't so much that there is a difference between these two than there is a difference in setup. When your host is domain joined, the machine account of that host authenticates to AD. Meaning from there, the host itself can talk to AD.

However, your pentesting VM isn't domain joined since your VMs machine account is not registered on AD (not domain joined).

So the netonly command says, look, I know the host is not domain joined, so don't have the host try to interact with AD. However, when we run commands that perform actions on the network, instead of using my local host credentials (which are not authenticated on AD), rather use the follow credentials (which are valid AD credentials).

Domain authentication and network authentication aren't actually things. There are just network authentication methods that rely on speaking to a domain controller for authentication.

Without the netonly command, because you are adding a domain to the user, the host would attempt to authenticate to AD in order to verify your creds. Which would fail, since the host itself is not authenticated on AD (domain joined)

Hope that clears it a bit for you?

oh ok cool. thanks very much for the response.

oh , your the one who made the ADEnumeration room. thanks very much for making such a fun series and room to play with. before attempting this room i didnt even know any concepts of AD. THM is truly a blessing. thanks very much once again for all the hard work in making these rooms!!

Glad you are liking it!

hello everyone im having a problem connecting to rdp to the thmjmp1 machine here is the command i used xfreerdp /v:thmjmp1.za.tryhackme.com /dynamic-resolution +clipboard /u:za.tryhackme.com\kenneth.davies /p:Password1 i also tried from remmina and it didn't work as well, does anyone has a solution for this problem with xfreerdp im recieving this error [11:26:32:956] [8235:8236] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0 [11:26:32:956] [8235:8236] [WARN][com.freerdp.crypto] - CN = THMJMP1.za.tryhackme.com [11:26:33:158] [8235:8236] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server [11:26:33:158] [8235:8236] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014] [11:26:33:158] [8235:8236] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail [11:26:33:158] [8235:8236] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1

guys i did this room https://tryhackme.com/room/adenumeration. at task3 (i use my own windows 10 pro btw) its said that we can install "RSAT: Active Directory Domain Services and Lightweight Directory Tools" with the step mentioned. but in my case i cannot find it inside my box. is there any way to install it?

tried add /cert:ignore at your command

got this error [11:36:33:285] [8603:8604] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation [11:36:33:288] [8603:8603] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]

did you able to nslookup za.tryhackme.com?

yes Name: za.tryhackme.com Address: 10.200.14.101

okay try add this to your command /cert:ignore /d:za.tryhackme.com

still same error 🥲

instead of u:za.tryhackme.com\kenneth.davies change to u:kenneth.davies

Yeah thats what i did and i still get same error

actually this work just fine with me xfreerdp /u:natasha.howells /p:Donald2005 /cert:ignore /v:THMJMP1.za.tryhackme.com /workarea /d:za.tryhackme.com

I think the problem is from side then

@halcyon nebula thank you for your time

Gave +1 Rep to @halcyon nebula

you're welcome

It is a Windows feature. So you can install either by selecting Add Windows feature or through powershell

So task 6 says to use the attack box bloodhound as the sharphound is for bloodhound v4.1.0

which it is but it still does not fully load the results

Nevermind. Had enough info

okay i got it. thanks

Gave +1 Rep to @ebon adder

Hi! Is anyone still here? I see the last post was last month. Need some help with RDP-ing

remmina or xfreerdp????

Actually, it was exactly this lol I didn't know where to start, what app to use

this is what I needed, thanks a lot!

oh okay then... good luck

ok, im having a lot of trouble with kerbrute rn. it keeps recognizing the text list as part of the argument for a flag rather than the wordlist and i dunno how to fix that

Can a kind gentleman please vote for a reset on the network, it's next level messed up atm

Probably best stating your subnet.

The AD network subnet is 10.200.49.0/24

Unless you mean my machine subnet then it's 10.50.29.0/26

No, it's the 10.200.49.xxx

Yeah, that one, there's 4/5 reset votes but we just need one more

You can do it again after 30/60 min(s), if nobody does it in time.

Ok, perfect, thanks

Gave +1 Rep to @open moat

trying to connect to the AD enumeration network fails.... can't access http://distributor.za.tryhackme.com/creds and the nslookup only poops out this:

$ nslookup thmdc.za.tryhackme.com               
;; communications error to 10.200.68.101#53: timed out
;; communications error to 10.200.68.101#53: timed out
;; communications error to 10.200.68.101#53: timed out
Server:        192.168.x.x
Address:    192.168.x.x#53

** server can't find thmdc.za.tryhackme.com: NXDOMAIN

changed the settings using network manager and the /etc/resolv.conf file to look like the following:

# Generated by NetworkManager
nameserver 10.200.68.101
nameserver 192.168.x.x
nameserver 127.0.2.1
nameserver 9.9.9.9

this is using the vpn and not the attackbox

tried the attackbox too and got failures on nslookup there too

had a discussion with scrubz about it in #site-support

still felt like it could be posted here too

how to rdp in...."Failed to connect, CredSSP required by server"...tried xfreerdp and get transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]... This whole AD tryhackme set of rooms is so frustrating. It feels like I spend more time fixing configuration issues than reading anything about active directory

also had to use attackbox to crack that password in breaching AD

feels like I have to take so many breaks trying to figure out configuration issues in order to move forward with doing anything in these rooms

OK so this seemed to work for me: xfreerdp /u:edward.hanson /p:Elvira2004 /cert:ignore /v:THMJMP1.za.tryhackme.com /workarea /d:za.tryhackme.com

hopefully all this troubleshooting will help in whole learning process 🙂

[ERROR][com.freerdp.core] - rdp_set_error_info:freerdp_set_last_error_ex ERRINFO_LOGOFF_BY_USER [0x0001000C]
random logoff no idea how

back to random config freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex ERRCONNECT_DNS_NAME_NOT_FOUND [0x00020005]

random time outs as soon as I get everything working in middle of tasks

Any pings from the DC?

ERRCONNECT_DNS_NAME_NOT_FOUND - Probably refers to a DNS issue. Can you try to instead use the IP of THMJMP1? Also, I'm pretty sure the room recommends using remmina and can't say that I've had issues with it before. CredSSP would be because that RDP client is trying to use an auth mechanism that is not supported. This is sadly an issue that you will face during an assessment as well. While you can go play with registry and config to fix it, easiest is to simply use remmina, which cycles through authentication mechanisms when connecting.

For your ERRINFO_LOGOFF_BY_USER I'd suggest just maybe getting an additional set of creds from distributor.

Lastly, these issues you are facing are issues you will face on a normal pentest. Yesterday I was pulling my hair out having issues with DNS and RDP to two remote machines that I had to review. Sadly however, when you are on a client assessment, you have no choice but to debug this. Telling your client that their "network is unstable", usually doesn't get any you or them anyway. So the frustration is sadly real out these in the world as well

If you want to read up on CredSSP: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cssp/e36b36f6-edf4-4df1-9905-9e53b7d7c7b7

Most annoying thing under the sun when you are on a pentest and half the boxes are outdated not support vanilla RDP

haha Good to know! Thanks so much! 🙂

Gave +1 Rep to @ebon adder

did not check... leaving and waiting 15 mins and then rejoining reassigned shadow to another subnet which worked perfectly and shadow finished the network today

Glad you got it sorted!

Hello everyone!
This screenshot from Lateral movement room of Off Sec path.
I need these commands explanation, where can I find it. I need more information about these commands

Try googling the powershell commands (format = Command-NameIs) on google and looking at the parameters/flags you pass here

Other question: I can't seem to be able to install RSAT?

nvm im actually dumb

Hi guys! I have a question regarding Attacktive Directory: How do I know that the Domain Controler is "spookysec.local" I couldn't find it anywhere when enumerating with nmap and enum4linux. Don't know how I would have used kerbrute without them telling me what the DC is...

nvm, I'm dumb too. It actually does show it on nmap...

Was RDP exposed here? Asking cause I don't know? But if RDP is exposed, using the -sC -sV flags for nmap will give you the domain name as well

This info should be exposed on SMB (port 445) and RDP (port 3389) usually

Yeah, that's how I found it actually! 🙂 Thanks for the answer!

Gave +1 Rep to @ebon adder

I do have another question during Attacktive Directory in case someone could help:

Why can't I login as the user "backup" + the valid password with the evil-winrm?

I get the following error all the time:

It worked with the Administrator + Hash without any problems.

I'm going to take a wild guess here and say that the backup account does not have the required privileges?

I believe the account would have been assigned replication privileges, given the name. That does not allow you to log into the domain controller

can anyone help with the last bit the bloodhound part, ive got everything set up on my machine and vie the the .zip file that sharphoundgenerated(most recent version of it) but when i drag and drop into bloodhound it doesnt upload and some files say invalid file type

Can you give more details on how you are trying to do the import? You should just drag and drop the zip on the Bloodhound UI and import should work. You might also have to use an older version, since this lab was created a year ago. I would use version 4.1.0

I was just drag and dropping

An older version of sharphound or of both?

If you ran sharphound yourself, then the two versions must match. If you are using the sharphound provided in the room, then you need to use version 4.1.0 for bloodhound

Ah ok thats the problem then i was using newest version of bloodhound

Cheers

Hi Shadow, was there a solution for this? I'm having problems accessing the network in both enumerating-ad as well as breaching-ad :/ Can't continue the path because of this and can't really find a solution

yeah the easiest way is to leave the network... wait 5-15 mins.... rejoin... and use start the attackbox again or go regenerate the vpn file

Alright, thanks for the quick response! By leaving the network you mean:

Gave +1 Rep to @violet panther

yuup that button

you won't lose any progress anyways

You're the best! Thank you ❤️

no problem

Task 3 : I can't see any AD data from the microsoft management console when launched from the host "thmjmp1" , when the mmc is started from the runas.exe. I can't find the RSAT features either from windows features. is there a specific way to access the management console that I am missing ?

If you are using the provided windows machine (THMJMP1), I think RSAT is already installed

Reading through this chat, it almost sounds like networks are shared between people, if that's true might be frustrating if it gets reset halfway through completing all the tasks

Did you add all three snap-ins out of curiosity

completed all the tasks today. It was great learning commands and tools used to enumerate AD.

Hi there, the first set of creds I received for the thmjmp1 didn't work, the second pair works, but ssh hangs up after authentication... It worked perfectly 2 days ago.

@minor hazel sup

yo, so i tried on my kali box to no avail(same issue) and have same issue on browser parrot VM. when I run nslookup za.tryhackme.com or thmdc.za.tryhackme.com it resolves to the DC IP as it should. But when i go to the http://distributor.za.tryhackme.com/creds and get credentials it wont let me SSH/RDP to the machine

tried with SSH and xfreerdp

ssh <user.name>@za.tryhackme.com@thmjmp1.za.tryhackme.com + ssh za.tryhackme.com\<user.name>@thmjmp1.za.tryhackme.com both dont work

like itll ask me for password, then after i put it in terminal freezes

ctrl + c/l wont work too when i try to ssh

IP has been added to both /etc/hosts and /etc/resolv.conf not exactly sure what the difference is

any ideas? @junior delta

Well it seems like you're set everything right VPN and DNS as the credentials web page is working. Do you get response when pinging THMJMP1?

The syntax for ssh is ssh za.tryhackme.com\\user.name@thmjmp1.za.tryhackme.com. You missed a back slash there, that might be it.

As for RDP i really dont know, it works for me ...

ill try rn

fuck this room jesus fuck

still cant get my shit to connect correctly. slim chance it is a something on my side i have tried everything. have no idea, tried everything and even left/rejoined room. Would appreciate any help, thx

Heres what I have done so far to try and fix:
Added the DC IP + za.tryhackme.com to /etc/hosts + /etc/resolv.conf (seperately, trying to get it to work). After I do this, when trying to SSH/RDP using ssh zza.tryhackme.com\\<username>@thmjmp1.za.tryhackme.com it will freeze after i input the credential password. RDP will get stuck on black screen when i try that.

This is the same for both my kali VM and the Browser Parrot VM.

Was able to finally SSH just using the standard ssh <username>@za.tryhackme.com (Task said to ssh to thmjmp1 but again, I couldnt get it to work but it let me SSH to the DC and was still able to complete task 2. Now for task 3 it wants me to RDP, however it wont work in my parrot VM, and after going back to my kali machine i couldnt even get DNS to resolve despite working fine yesterday.

Any help would me much much appreciated this is very aggravating so taking break

😦

i am getting the same issue on my kali VM as well. RDP also gets stuck on black screen

yea i have no idea, genuinely dont know what else to even try... Any ideas? left room and rejoined, reset progress; still nothing.

Plz help this my last path for the OffSec path so just wanna get it done but fuck

this room needs to fixed yo

photo on top right; let me connect to the domain controller for whatever reason but not the box im suppose to connect to for the task (thmjmp1)

tried adding nameserver $THMDCIP + search za.tryhackme.com to /etc/resolv.conf ---- still nothing

Send the internet IP in your VPN file and I'll take a look. So download the VPN file, open it, and send me the remote IP. I've jump into a network just now and verified that things were working as it should. So might be a subnet-specific issue

not sure if you need the 'remote' line from config or the pub IP when i activate the file so heres both (for ADenumeration VPN file=>
remote 52.17.61.249 1194

For whatever reason openvpn file wont activate rn just keeps resetting connection, was working fine yesterday.

Gonna try regenerating/downloading new ovpn file maybe, will lyk

enumad interface-- 10.50.64.72

yea just tried networking connection from parrot VM and no luck still, odd.

sheesh

still lets me SSH into za.tryhackme.com the domain controller itself just fine, not what the correct machine tho sadly. Should i just go thru room as is anyways see if itll work?
@ebon adder

That IP is the one. Will check it out in an hour. The reset may be if you run the VPN file and AttackBox, since both use the same profile and then conflict

You technically only need RDP access for the MMC task. So you can do everything else directly from the DC for your enumeration.

I had a check, the host is completely down in the network. I'll ask them to do a full reset of the network, but will be a couple of hours before they are online. You can vote reset as well. But THMJMP1 is currently fully offline and not accepting connections. So not sure if someone changed configuration there, but the host is not responding in this subnet

Is the bloodhound part broken ? I've done both the Sharphound and Bloodhound inside the attack box (so version 4.1.0) and yet I cannot find a path from the ad account to the tier 1 admins like in the example

Did you download the task files?

Will give it a shot in a little bit and will lyk, thank you for your help!

Gave +1 Rep to @ebon adder

Hard reset occurred. Network should be good to go now

No, I used a ZIP file fetched from Sharphound using SSH using the same commands as those in the course.

I also saw the disclaimer about Session Data but it didn't click in my brain considering I thought that this was only a disclaimer.

I guess we're supposed to use the tasks files ?

Indeed yes. Files are on the attackbox already under that folder. Remember "session" data is volatile. Since your network does not have that session, when you run Sharphound you won't get the session

I see, thanks !

Gave +1 Rep to @ebon adder

finally fucking worked. Thanks for yo help, I appreciate u! @ebon adder

Gave +1 Rep to @ebon adder

I'm NT Authority in server but i'm not able to run metasploit post tool post/windows/gather/enum_tokens.

Its saying - Aborted! Insufficient privileges. Please Help

Hello, is the enumerating AD room free? Or do I need a streak? Because I can't join it..

Streak of 7.

Ok thank you, for some reason it is not displayed like that for me.

What does it look like for you?

That is in room search

Yeah, if you go Learn and it shows the paths, scroll down.

Hi is this under maintenance, I cant download the openvpn configuration file, it is loading from a long time

what is your streak on tryhackme

I have 2-3 streak and I have a paid subscription for tryhackme

Recently completed the breaching ad and one other Active Directory room

@violet panther It says lab access only for 8 days, so how this works now, anyone can help me

Now am doing #holo-network

You get 8 days access because if you complete the room before the 8 days, it will remove you, these rooms run 24/7 and users being in them will just drive up costs,

You can re-enter after you leave/removed.

Ok thanks

i had the same issue and no enumad interface when connecting to attackbox. but i got it solved by leaving the room and then joining again.
(you just open adenumeration room, click on the setting and choose leave. then rejoin)

Thanks

So now following that procedure, I was able to start and download the vpn file.

Nice !

the file takes too long

how can i fix it?

Ayyy , me facing same error

Error resolved, thanks to Scrubz

can you tell me how did you fix it?

everything in #offensive-pentesting-path

Can someone please vote to reset the network

I'm trying to get credentials at distributor.za.tryhackme.com/creds but the page is not loading

Even tho pinging the DC IP works

Hi guys.,Smbmap always produces an error ///cannot access local variable 'priv_status'///

Any ideas?

Thanks, this is the only command that works, THM should have included this command in the room

Gave +1 Rep to @buoyant heron

the room is stuck on resetting text. It hasn't been active for hours, would you check?

Hi, guyz,

I'm a bit puzzled about runas credential injection. I'm using my non-domain-joined Windows machine and injected domain user creds through runas.

Why am I able to access SYSVOL using the domain name but not through the IP address? Can anybody help clear up my confusion?

Very strange issue with Task1 of all of them....I'm able to RDP with the given credentials but not SSH. I'll continue with the RDP session but still wanted to point this out.

Been a while since I have done this, but isn't it za.tryhackme.com not za.tryhackme.loc like you have at the start of the command?

Thanks for the reply, that threw me off too since the other domains are .loc - it has been updated to use .com.

yea, just tried again without luck...it allows the SSH session to establish with a username so the service is available on the destination thmjmp1 it just doesnt allow me to authenticate - its just a permission issue it seems. I haven't dug up enough info to figure out what group the user should be in to allow it to connect via SSH yet though. I had to redirect a local folder over RDP to get the bloodhound file from the sever 😦 ...that works...just not ideal

Network state says it's running, but I'm finding it unresponsive, anyone able to check if there are issues?

Using DC IP of 10.200.58.101

Okay, maybe never mind, consistency seems to have improved, this is a frustrating series of rooms

Hi i got error on connection VPN to adenumeration connection i am using kali on my laptop using wifi

2024-01-16 09:28:42 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2024-01-16 09:28:43 PUSH: Received control message: 'PUSH_REPLY,route 10.200.33.0 255.255.255.0,route-metric 1000,route-gateway 10.50.9.1,topology subnet,ping 5,ping-restart 120,ifconfig 10.50.9.23 255.255.255.0,peer-id 0'
2024-01-16 09:28:43 OPTIONS IMPORT: --ifconfig/up options modified
2024-01-16 09:28:43 OPTIONS IMPORT: route options modified
2024-01-16 09:28:43 OPTIONS IMPORT: route-related options modified
2024-01-16 09:28:43 Using peer cipher 'AES-256-CBC'
2024-01-16 09:28:43 Error: problem with tun vs. tap setting
2024-01-16 09:28:43 Exiting due to fatal error

what i am doing wrong ? i can not restart the network to

Could you provide a screenshot of the whole openvpn output?

Could try this #site-support message

On breacing AD it's running well

and i see like my ip listed on there is like my ip when using breaching AD

ifconfig 10.50.9.23 255.255.255. this look like my IP when running breacing AD

Ah I just meant follow the same idea, like change the dev enumad to dev tun and see if it works. This possible solution is what came up the most when I search your error in this discord server

That being said I have seen no one else having that issue with enumad so it is a bit odd

Hei ... it's run ... thank you for your help ... but i really want to know why this happen

Gave +1 Rep to @quasi rock (current: #50 - 138)

Guess its just some minor bug in the config file if I had to guess. Not really sure what ultimately caused this one ot break but all of the other network VPNs work find though

Hey , always with the same issue, when i launch attackbox enum AD I cant see enumad interface when i run ip a and i don’t know why , did i forget to do something to clear DNS config when i ended the previous room Breaching AD ?

I solved that you need to make sure the DNS configuration is well base on network on the room

Actually that exactly what i'm trying to do but i don't know how to do it, can you tell me how exactly you've managed to fix this problem ?

Like @quasi rock said in my case that’s bug on my VPN file but after check on access page that my connection was good then i configured my DNS with add Your IP from access page add gateway from VPN log and setup the DNS ip and set the search domain to 1.1.1.1 after that don’t forget to restart NetworkManager so the configuration apllied. And check the connection using nslookup

Hi guys, im facing an issue with the openvpn when i try to the ad network

any solutions for this?

works, thanks! 😄

Gave +1 Rep to @quasi rock (current: #47 - 151)

Hi, I've still the same problem with my attack boxes (I don't use VPN ) , when i launch attackbox on the enumad lab I've many interfaces ,running ip a or if config (like breachingad, lateralmovement) , but i can't have the interface enumad, i've got ens5 instead with the ip of my box. I've been waiting for the reset of the dns (every 3 hours) but nothing changes. My mates don't have this problem when they launch the attackbox they simply get the inertface enumad and they don't have to do anything else. I don't understand why does my attackbox seems misconfigured espacially for this lab and i admit that it's getting me upset insofar as I ranked up to premium to get more time to complete labs and I only manage to complete 1 AD box within 2 weeks , did somebody already faced that problem with attackboxes ?

#enumerating-ad message

I had already tried to do it so..... running out of solution now

Hi, when you left the room, how long did you wait before re-joining? What is your DCs IP?

Hi , thanks for your reply , its seems that the issue just solved by itself , after few days without joining the room, i finally got the right iface when joinning it and running ip a !

I am glad to hear :). If you encounter networking issues in future, waiting + 30mins before rejoining the room should put you on a different subnet, which should resolve most issues.
happy hacking!

Thanks !

normal ovpn work fine but network ovpn is giving error

enumad to tun (solved)

I have the same issue now. 😬 I guess I should just wait 30mins or a few days then. 🤪

You can try to leave the room and shutdown the machine but if it persists yes indeed

Yeah it works. Just had to wait about 30mins.

This should be in the description at the beginning i guess. 🤔

Hi, can I get 3 votes for reset ad enumeration room : https://tryhackme.com/room/adenumeration

i'm facing issue while login via RDP

same.. but my subnet is 56 i need 2 more votes

can you help me know which sharphound version is compitable with BloodHound 4.3.1? thank you

I tried https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors and the https://tryhackme-images.s3.amazonaws.com/user-uploads/6093e17fa004d20049b6933e/room-content/b7ae2e4f8e1824e25e69fa69d95c4a4e.png data is not uploaded, its says data not found

I'm having this exact issue, and can not find a fix, anyone know of a solution please?

Fixed it nevermind

Inside of the config file you have downloaded, there will be a line "dev enumad", change enumad to tun.

yeh I also did that

btw I leaved the solution of this problem below my msg

Yeah I saw, but it took me some time to figure out what it meant so I worded it differently 👍👍

When starting the attackbox, there is no connect to the server, also no interface named enumAD
Any recoomendations?

└─$ nslookup thmdc.za.tryhackme.com
;; communications error to 10.200.98.101#53: host unreachable
;; communications error to 10.200.98.101#53: host unreachable
;; communications error to 10.200.98.101#53: timed out
;; no servers could be reached

I connected to the ad enum ovpn, set the DNS to the THMDC IP, saved it, sudo systemctl restart NetworkManager ran the nslookup command again. Nothing works.

nvm, it works now

i any one alive here?

I just ran into this issue. what made it work? I'm on the attackbox web gui right now and I don't see the enumAD under ifconfig

hey, for me, I am using my kali and openvpn file. I have to edit my openvpn file

and change dev lateralmovement to dev tun

then saved the file, then

ran it again

then it worked.

dammm, I was missing so much cool stuff by not studying AD

What am I doing wrong here?I want to get my sharphound zip file to my attack machine. It is the same command from the website

@open moat

nvm I';m stupid

I never spotted the '.' at the end

anyone facing issue in AD Enummeration Room ?

Just got into that room today and having the issue with enumad interface missing on the attackbox. I see breachad & lateralmovement interfaces for those 2 rooms. netstat -rn shows routing for 10.200.26.0 network going to breachad interface and 10.200.78.0 network going to lateralmovement interface. There is no routing entry for 10.200.98.0 network to the enumad interface because the interface is missing. This means when you try to ping the THMDC_IP (10.200.98.101 for me) it fails.

same problem exists for the builtin Kali image. No enumad interface. Guess I'll have to try the VPN in with my own box

in enumerating active directory room the answer of task6 question 3 is "2" question is "How many machines do members of the Tier 1 Admins group have administrative access to?" however when i look at the tier 1 admin group with blood hound as specified in the task the answer i see is 0. i literally spent 1 and half hours figuring out why 0 is not the right answer finally had to look at a writeup. then i realized that something is wrong with the room

Hello, I'm currently working on the room "Ad enumeration" (https://tryhackme.com/r/room/adenumeration). Previously, I have completed the room "Breach AD". I can't connect using VPN (because I'm using a secure network), so I have to use AttackBox, but the issue is that the interface "enumad" does not appear when I launch attack box from the ad enumeration page, so I can't access to the network, setup the dns or anything. Rather to have "enumad" interface, I keep having "breachad" interface set up. What I had try to resolve this issue acutally: logout/login, change browser, reset network, restart attackbox, use Kali WebBased instead... Does anyone have an idea about what I can do to solve this issue ?

Same issue

Do you have a config in the folder?

Same issue, did you manage to resolve it ?

I will provide you a screenshot

@open moat Here is the screenshot

Is it empty?

No, do you want me to copy his content ?

What does it say in the dev part

Left : tried to manually connect to vpn

Right : dev line

Change it to dev tun and rerun it.

It worked, but I can't ping any machine on the network of "Enumeration AD"

Last openvpn logs were :

The computers coule be windows

I can't rmember off the top of my headf

yes I'm trying to ping a Windows, does it changes something ?

Windows blocks ICMP pings by default.

Okay, so to test, I tried to add the DC as DNS Server (requested in first step of the room) and ns lookup the domain but seems unreachable here too

I'm refering to step 1 accessible here : https://tryhackme.com/r/room/adenumeration

@open moat having error in connecting to ADenumeration network,

2024-06-25 08:51:06 OPTIONS IMPORT: --ifconfig/up options modified
2024-06-25 08:51:06 OPTIONS IMPORT: route options modified
2024-06-25 08:51:06 OPTIONS IMPORT: route-related options modified
2024-06-25 08:51:06 Using peer cipher 'AES-256-CBC'
2024-06-25 08:51:06 Error: problem with tun vs. tap setting
2024-06-25 08:51:06 Exiting due to fatal error

solved (changed {dev enumad} to {dev tun0} in file.ovpn)

I tried this to solve my issue but refering to my preivous message (last one before your message), I'm not able to ping or to connect to any machine on network... Did you do something particular after that ?

Are you on VIP ?

I was facing the same issue then i shifted to subscription based membership and issue resolved. I think that because they have mentioned for networks there must be either 7days streak or a VIP pass so this is how i got resolved.

Yes

On kali, how to use the command line to configure dns?

I am facing VPN issue too I can’t connect

Anyone can help and assist me in this matter

check the vpn file specifically the dev and dev-type variables

I just checked out the enumerating AD network for someone and found that my ovpn file was missing the "dev-type tun" line. hope that helps someone.

Can somene tell me why its skipping svc-admin

im dumb figured it out

okay I am back with another impacket issue, I have tried all sorts of combos of flags and I keep getting this.

This is the syntax that i used previously for kerberosting. PS:This image is of another lab.

Yeah thats the one I used from the TCM PEH corse as well

Hello guys, is there anyone facing a problem with connecting to Enumerating AD room VPN network?
2024-08-03 14:21:18 [server] Peer Connection Initiated with [AF_INET]54.171.116.83:1194
2024-08-03 14:21:18 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-08-03 14:21:18 TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-08-03 14:21:19 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2024-08-03 14:21:19 PUSH: Received control message: 'PUSH_REPLY,route 10.200.33.0 255.255.255.0,route-metric 1000,route-gateway 10.50.9.1,topology subnet,ping 5,ping-restart 120,ifconfig 10.50.9.2 255.255.255.0,peer-id 0'
2024-08-03 14:21:19 OPTIONS IMPORT: --ifconfig/up options modified
2024-08-03 14:21:19 OPTIONS IMPORT: route options modified
2024-08-03 14:21:19 OPTIONS IMPORT: route-related options modified
2024-08-03 14:21:19 Using peer cipher 'AES-256-CBC'
2024-08-03 14:21:19 Error: problem with tun vs. tap setting
2024-08-03 14:21:19 Exiting due to fatal error

I tried to regenerate network vpn but its still not working.

Switch to eu

had the same issue last night

You can't switch servers with the network VPN?

sorry didnt see it was the networked room.

i had the same issues, is it solved sir?

how to fix

does your kali vm have internet access???
have you tried the troubleshooting script??
have you tried regenerating the vpn file for this network???
have you tried to see if the attackbox works for this network?? == this is basically just a check for reasons

The Config file error was fix just did network restart but the problem now as I have also mentioned in the subscriber room in this discord please help me with that

Anyone know how to fix that task 3 I have launched this using runas command only

i was having same issue with breach room and now same with enumerating-ad .why i cant ping DC from attachbox.

even from my kali i cant connect vpn .

just change dev tun in vpn file

need help on responder, can't still capture hashes is the box busted?

Is this breaching?

yeah wrong channel to post this

hi! there's a reference to a retired room in the text, first lines on task 3, it should point to https://tryhackme.com/r/room/winadbasics i think instead of https://tryhackme.com/r/room/activedirectorybasics

This whole AD set is frustrating. Still can't nslookup thmdc.za.tryhackme.com
From Kali VM

1. Changed dev breachad to dev tun in .vpn for the room
2. Updated /etc/resolve.conf to point to the DC
   search za.tryhackme.com
   nameserver 10.200.98.101
   options timeout:1
   options attempts:2
3. sudo systemctl restart networking.service
   From Attack box
4. .vpn for the room is empty!?
5. Terminating / Starting attack box didn't regen the .vpn
   This is starting from the network being offline and me starting it ~25 minutes ago.

You can't change the dev interface to a different one and assume it will work.

I changed it following your instructions 🤣

That was for a different issue

I'm confused - I had an issue with the vpn file failing to run because it was missing an interface. I added the interface, vpn file does run now and then and my next issue was I still get a timeout on nslookup.

nslookup won't work,

Which network are you doing?

enum-ad

There should be a link in the room you can visit

So from the attack box, downloaded the .vpn from the access page under my THM profile, ran the command the room instructs you to with the interface changed to match the update to the .vpn

What does the config say?

dev tun0 ?

.vpn file says "dev tun", creates tun0 when vpn is ran which can be views with ip a s

This ^ Thank you 🙂

Gave +1 Rep to @pallid crest (current: #95 - 73)

lol Np, glad it helped someone.

im having a little trouble understanding task 3 on https://tryhackme.com/r/room/adenumeration. It says if I try to run MMC normally I should get an error because the machine I am using is not domain-joined and so the local account can not be used to authenticate against the domain and so I should use credential injection to ensure everything through MMC is authenticated through the domain however, the box is already domain-joined so I don't have to use credential injection. I'm just unsure if ive missed a step or if im not understanding something clearly.

#enumerating-ad hihi mmc is not installed on THMJP1?

I can not setup the dns on the attck box, I did evreything but it is not working

Hi Do the Active directory labs work at all?
https://tryhackme.com/r/room/adenumeration I have not been able to request creds after requesting http://distributor.za.tryhackme.com/creds
Both from the Attackbox or VM the URL is not accessible

To me its not the lab, but the vpn... cant even log in 😦

https://tenor.com/view/somebody-help-me-saw3-i-need-help-asking-for-help-call-for-help-gif-21903008

@shrewd roost sorry for mention,
but someone can check the vpn of this network?

https://tenor.com/view/mr-bean-mrbean-bean-mr-bean-holiday-mr-bean-holiday-movie-gif-11625313334009911234

Love you mate.

just a little fix,
client dev enumad dev-type tun

any answer to a problem like this

Yes, the network is restarting, so it won't work.

alright seems like it cannot be fix today or tomorrow

i will just start offensive sec path for now hoping when i reach AD rooms in offsec path it is fix already 😅

Just fix the vpn, or the interface,, or the room tryhackme....

no interface on the enumad room... can't make the room (with my machine in WSL2 cause of the vEthernet interface sucks...(windows)) and can't make it through the attack box because it doens't have the interface to make the connection. Also the vpn manual fix kind of sucks aswell...

What if you removed or revoked the room until its fixed 😣

Don't forget it that you also mentioned it as a pre-requisite to other rooms and kind of make people stuck

Is there a problem with this room?

It has been in network status resetting for a few hours

Hi, has anyone successfully connected to this network's VPN from Windows? I can connect from a Kali WSL instance on the same box, but not the host OS. I checked the config file and dev-type tun is in there, but just for grins I tried renaming the dev enumad to dev tun0 and still no joy. Also tried changing proto tcp to proto udp just for grins. Even tried disabling Windows FW temporarily. Regular VPN and Breaching Active Directory VPN both work fine. Error I'm getting in the OpenVPN Connect is "Transport Error: Transport error on `79.125.116.96: NETWORK_EOF_ERROR".

months now not days

I mean like damn THM, fix the damn room!!!

I dont want to get stuck on this and skip this part of the series of ad compromising

Premium subsciber here like SMH 😒😒😒

Could anyone please help to get the logic of credentials injection attack in task 2 of enumerating AD

Initial we got username and pass is that one I need to use with runas command?

Also if so... I enter as that user on domain without cross checking password and user with DC? How it possible? How it works?

Hello, https://tryhackme.com/room/adenumeration on task 6, after importing the .zip file to bloodhound, absolutely nothing appears after all the data loads. Can someone check for me if it works for them?

(I ran sharphound on the target like it was detailed throughout the task, I did not download the pre-made task file)

No node.

Problem fixed - IDK why it didn't work directly but I had to wait 10 minutes for it to fully load and re-launch bloodhound. Probably attackbox performance issues.

in AD: Basic Enumeration, I'm not getting the ip route of 10.211.11.0 using the attack box. any ideas?

So after doing the "sed" command which is described in the first task, your nslookup doesn't work at all?

the photo is what i get, nothing more. no connection to 10.211.11.0

can't do any of the following tasks without being able to connect

Turn off your attackbox. Go to your access page, choose the VPN file that is made for the network and click on regenerate. Once done, launch back your attackbox, do the "sed" command as described and try to ping the DC.

its working now. thanks

Hi everyone,

I enrolled in AD enumeration room, but I am unable to connect to the AD network, tried both ways attackbox as well personal machine (windows 11), as mentioned in the room I still need to setup the dns which I did in the attackbox, but when I tried nslookup I got : server can't find thmdc.za.tryhackme.com: NXDOMAIN.
I am stuck here from past few weeks, can someone pls guide how to proceed..

Room: AD Enumeration - https://tryhackme.com/room/adenumeration

After connecting with a VPN with "adenumeration" config

The provided Host: http://distributor.za.tryhackme.com/creds is unreachable.

I cant join this lab:https://tryhackme.com/room/adenumeration. It is free and i complate it one time and i want to do it again. When i click "Join Room" it doestn appear anything

Hi, when I download the adenumeration.ovpn config from the Access page, the file is empty.
Any reason why ?

I am having the same issue as @Seb 4 days later

Same here

How do I get the VPN pack for this room? It doesn't show up on my list of Networks on the access page -- I have breachingad and exploitingad, but not this room

First join the room, make sure the network is in the state of Running, at which point the drop-down list with the available networks will have been updated

I don't have a button to join the room

I can't post screenshots here for some reason, but I've been on THM for a while now, and I've used the "Join Room" button in the past

This room doesn't have one for me

Is there something I need to do to make it appear?

I've clicked the question asking whether I've completed the BreachingAD network (I have)

screenshot shows where the Join Room button is for me
if it is not there for you, maybe refresh the web page and clear your browser cache
in order to post screenshots, you have to verify with Discord using the instructions from the link coming below

@indigo rover

Awesome -- thanks!

Gave +1 Rep to @gleaming trench (current: #52 - 183)

Here's what I see in the room:

And since I can answer questions in the room, I think I'm joined

indeed you have joined, and if you want to leave now, you use the Options button and select leave
sometimes leaving helps in case of VPN issue, and is also an alternative to waiting for enough votes for a network reset as leaving and joining back assigns you to a different network instance (if you wait enough minutes, like 5-15 mins)

beyond this, as it is confirmed you have joined the networik:

• make sure to press start in order for the network to be in the state of running
• at this point, in your access page, under the Network tab, you should have the VPN config file for this network that you use with the openvpn command
• in case you use THM AttackBox, you do not need the VPN config file (unless there is a bug)

Sorry -- had to go to work

To close the loop -- exiting the room and rejoining broke it free

I was able to download the VPN, and I'm working the room right now

delete browser cache then refresh browser
if that fails, use the Options button to leave, and join back a few minutes later

Gave +1 Rep to @fathom igloo (current: #13 - 846)

update this room, the bloodhound section was a miserable slog due to how outdated the version in the example is. otherwise great room

.

+1

Hey guys, on task 6 bloodhound, after I changed the password for neo4j, the bloodhound GUI want a mail for login and a password

Hi all, if you are having an issue connecting to the network on the Attackbox, check the OpenVPN logfile: /root/Desktop/NetworkConfigs/logs/enumerating_ad_v2.log

There is an issue with the VPN config being pushed where it doesn't have dev-type tun that needs to be added as a line. We will patch the VPN server to include this weekend, but you can add it yourself as well in the meantime

Patch applied. Should not be an issue anymore

is this room still up ?

having the same problem as this message

unless you are a subscriber, you need a 7-day streak

Hi

Anyone here today

2025-11-25 23:59:12 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2025-11-25 23:59:12 Note: cipher 'AES-256-CBC' in --data-ciphers is not supported by ovpn-dco, disabling data channel offload.
2025-11-25 23:59:12 OpenVPN 2.6.14 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2025-11-25 23:59:12 library versions: OpenSSL 3.5.2 5 Aug 2025, LZO 2.10
2025-11-25 23:59:12 DCO version: N/A
2025-11-25 23:59:12 TCP/UDP: Preserving recently used remote address: [AF_INET]54.75.88.173:1194
2025-11-25 23:59:12 Socket Buffers: R=[131072->131072] S=[16384->16384]
2025-11-25 23:59:12 Attempting to establish TCP connection with [AF_INET]54.75.88.173:1194
^C2025-11-25 23:59:17 SIGINT[hard,init_instance] received, process exiting

please help. i regenerated many times and still facing the issue

using emurating_ad_v2 vpn

Hi. My VPN is continuosly disconnecting. It was working just fine a few minutes ago. Anyone else facing the same issue?

Using the new VPN file: enumerating_ad_v2. Even regenerated and downloaded the file again too

nevermind, it fixed itself

Bro due to local servers this issue is happened
If you are using hotspot of android
Use wifi and then check

Everything is fine but tun0 ip comes when we connect with wifi only
And hotspot is not working

Translation

Not able to access http://distributor.za.tryhackme.com/creds

Help appreciated

👋

2nd

3rd

Complete the network then you can claim the spot 😂

little hard when DNS is giving problems again 😂

It's never DNS.

Steps for all the DNS:

1. Ping the DC - If this fails, check your VPN file
2. Load the DNS according to steps for AttackBox or Kali
3. systemd restart twice if attackbox
4. pray to the DNS deity
5. nslookup for hopes?
6. profit?

Lovely start for me, attackbox dns won't change and my VM is broken thinking it's running, but isn't

I blame Nameserve

cause of VMware services the vm started up in the background

Oh, you use

I thought you used VB.

when you have free VMware workstation pro, you'll use free VMware workstation pro 😄

Can you maybe send me what the issue is on the AttackBox? I've really followed these steps out of my head at this point and haven't had DNS fails on the attackbox ever before (except when it times out after like 2 hours but simple service restart does the trick).

Same

when doing nslookup it only shows loopback, having changed both /etc/systemd/resolv.conf and /etc/resolv.conf to have the DNS & Nameserver to be the ip of THMDC plus restarting service

already terminated the server to work on vm instead 😄

Have you restarted the service twice?

around 10 times

but will look into it later, dinner time 😄

Mmm, when you have a minute there, just run a ping for me. The only thing I can think of is the VPN not connecting in your attackbox. I'd like to fix the issue, but I've honestly never been able to replicate it. Both on my staff and my personal account

I agree.

Except mine wasn't free.

the ip does respond, I did do a ping

What's currently in your /etc/systemd/resolv.conf file?

Nooo

resolv

...

You are a subscriber right? Just want to check if that makes a difference

yes, I am a sub

/etc/resolv.conf

It is /etc/resolv.conf but IIRC /etc/systemd/resolved.conf

Yup, I got it lol.

I'm booting another AttackBox to give this a shot!

I have to change that everytime I want to use my VM for the AD rooms.

It always defaults back to 192.xxx.xxx.xxx

can't even change /etc/resolv.conf in attackbox

why im getting this error

I thoguht you were still in your VM xD

I think for server you should specify thmdc.za.tryhackme.com?

Ping confirmation

i will try

no, cause I need to restart my computer to fix some network problems at vmware service not starting after being put to manual

Changing DNS

ping works

Double restart and DNS works

Maybe it is Nano vs me using Vim? 😂

no cause it can find DNS

it's set as a DNS server

I had to set /etc/resolv.conf

I can't

still nothing from me

Why can't you change etc/resolv.conf?