#enumerating-ad
ohh okay let me verify, I thought I was already verified
If you were verified, might just need to reverify
okay doing it right away
I am getting this
when trying to connect to VPN and on access tab old VPN IP is shown already connected
Do you perhaps have the VPN running in two different places? Like kali and attackbox?
nope
Mmm, give me a second here
Quickly send me a screenshot of your network diagram in the room so I can confirm subnets there?
okay just a sec
That's looking like the openvpn 2.6 issue
Ahh yes you are right
That one there is the issue
Line 14 forces the cipher spec to AES-256-CBC which I think your OpenVPN client does not support
strange, had no issue until the update && upgrade 8-12 hr before
okay will try to search what solution i get
thank you
Yeah, I think it was literally introduced with that last patch. Maybe just update your OpenVPN client? Or you could try to remove that line cipher AES-256-CBC from your VPN file which will downgrade the connection to a supported cipher
okay will try that thank you
There are 2 pinned messages in #site-support with solutions, so you don't have to search around yourself
that's helpful, thanks
Thank you that worked was doing that only XD
Gave +1 Rep to @calm lotus
- @ebon adder Some recognition for you too
Gave +1 Rep to @ebon adder
@shrewd roost You know if this is something they can change on THM's end?
While my janky fix might have worked, it was definitely not the best way to go
I mean you'd hope it'll use the strongest mutually supported cipher right?
Good morning
We're looking at it. I spent yesterday morning testing it.
TLDR the data-ciphers fix is only necessary in 2.6, and actually breaks some vpn versions that are still in package managers
So
We either break 2.5.x to fix 2.6
Or keep 2.6 broken so that a lot of 2.5's and 2.4's can work
Drop the ciphers line entirely and let it negotiate?
Neat, glad you're all aware, thanks @shrewd roost
Gave +1 Rep to @shrewd roost
Indeed (:
It just sucks that 2.6 is in the release for kali apt
Cause it isn't anywhere else
Hi, does anyone know what to put in the name server switch (-ns) for bloodhound-python?
Example:
bloodhound-python -c ALL,LoggedOn -u 't-skid' -p 'tj072889*' -d vulnnet-rst.local -ns <name server>
Name server probably means DNS server, so that should work with the IP of the DC? But vulnnet is def not the correct domain for this network
ok, got it, the domain is VULNNET-RST.LOCAL instead of vulnnet-rst.local, it is case sensitive for some reason
Hello, I've tried to download the VPN but get a 404 error and a darth vader head, please could you help
Try regenerating the VPN
hey @gusty inlet tried that already yesterday
Can you try it again now?
@gusty inlet yeah all good now, thank you
Gave +1 Rep to @gusty inlet
You're welcome
@gusty inlet
Okay might be failing at first hurdle and doing something stupid but can't get DNS to resolve
can ping the DC and have entered the DNS into my kali box
Can you query against it manually?
Have you restarted the dns service?
yeah
Can you ping the ip?
yes can ping the ip
Where did you write the dns settings?
Additional DNS servers and the method set to Automatic DHCP for IP
Advanced network configuration, don't have network manager
try editing /etc/systemd/resolved.conf instead
yeah tried that first didn't work and restarted
trying but keep getting can't msg
Your message could not be delivered. This is usually because you don't share a server with the recipient or the recipient is only accepting direct messages from friends. You can see the full list of reasons here
Are you using Kali? If so, run cat /etc/resolv.conf and see if the DNS IP you added is also there
you have the setting on that people cannot dm you
make sure this one is green
@ebon adder yeah i can see the name server on the second line above it is a local name server, want me to hash that out for now
Indeed. Comment that first one out please
@gusty inlet sorry not really up on discord, hardly use.
no worries, right click the server icon and press privacy settings
@ebon adder perfect, thank you
Gave +1 Rep to @ebon adder
Did that work for you?
@gusty inlet I'll sort verify now
Yes I have that on already when I just checked
I'm up and running. If what I need to do is the room, is there support for this somewhere so I'm not taking up the channel with this?
@gusty inlet Thanks as always
Hi all. In the Bloodhound task, I'm having the Bad JSON file error when importing the generated zip file using my own machine and Attackbox. I'm thinking this is a compatibility issue as I've encountered this before when I used a wrong version of SharpHound.ps1, but it should have worked this time with the SharpHound.exe on the jump host, right?
Hey there, the SharpHound.exe on THMJMP1 should work yes? Especially on the AttackBox since we upgraded BH for it. Could you perhaps try to download BH from source on your own machine and then try the import? If that fails chances are the Sharphound collection might have failed?
I retried using attackbox. It didn't get any errors on sharphound but it still generated a bad json file. Can I send the info logs here?
oh i got it now. i just ran it with "-ep bypass"
Glad that worked for you
Are we supposed to find the plain text password for the t1_henry.miller user? I have escalated my privileges on thmjmp1 and tried to dump the password as explained here (https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html#id4), but I am only seeing the NTLM hash for the t1_henry.miller user and not the plain text password? Tried with PTH of t1_henry.miller but it didn't work.
No exploitation is done in this network. This is purely for enumeration.
ok, thank you!
Hello.. Why is nothing found on the diagram??? I started the machine & still nothing found (sorry for my english).. Please someone help me... thank you...
Screenshot?
Hey! Network with DC 10.200.67.101 is acting weird, it was really slow 30 mins ago. I had an issue with my VPN so I regenerated a new .ovpn file and now I can't even nslookup the DC anymore, can someone tell me if the network died or anything?
Hey there, are you able to ping the DC?
What browser are you using? Might be good to leave the room (click the little gear icon and then leave room) and then rejoin to see if that fixes it.
Nope nothing works anymore
And I still have the same configuration as yesterday when it was working fine
Can you screenshot your network diagram please? Just want to see things like uptime and the extension
It might be the network brick that was discussed in #lateral-movement-and-pivoting .
Can you inspect element to re-enable the Start button and press it? We have a frontend issue where if the network sleeps and you press extend it extends the timer without actually starting the network. Give it 10 minutes and then see if the network comes back alive?
I'll try it and let you know if it works, thank you
Gave +1 Rep to @ebon adder
@ebon adder Ok it works fine now, not sure if that was the issue or not, because it looked like I had 2 VPN connections to the network at the same time (dunno why). I rebooted my kali and now I can ping the DC. Anyway, thanks for your help!
Gave +1 Rep to @ebon adder
Perfect, glad that worked!
Great rooms btw !
in Remmina what is the difference between server and domain? I keep getting server not found but the network is running
trying to RDP in
it says in the task "Remember to specify the domain of za.tryhackme.com when connecting" so I got that but nothing is working for Server
and the creds I was issued work for ssh on THMJMP1.za.tryhackme.com
oh hang on now ssh isn't working, maybe I have the same issue as above
omg it's always the simple things, I'm fine now haha
Hello,
I'm doing this room ( https://tryhackme.com/room/postexploit ) and having some issues here.
From the cmd I run powershell -ep bypass as instructed and then I try to run PowerView.ps1 which ends instantly without any error. To my understanding, this should enable me with a series of additional commands for enumeration but these are not working so I assume PowerView did not run correctly. But I'm not doing anything outside the normal. Any ideas?
. .\PowerView.ps1
see the above.... you are missing a dot from the command
True. Just now I was coming back here to say that I found the mistake. What is that dot for? With the second dot you are referring to the actual folder .\PowerView.ps1
first dot is probably meaning to import it into here the second dot is for the path of the file
not sure exactly though
hmm never heard of that usage. But anyway, thanks !
If you just run .\PowerView.ps1 it executes the PowerView script which does nothing. Since there is nothing in main and everything is written as functions.
You need to run Import-Module .\PowerView.ps1 which would import all the functions in the ps1 script for you to use, including Get-NetUser. . .\PowerView.ps1 is the shorthand for Import-Module.
Hope that helps
Also the second . means the current folder.
If you do ls -al on linux, you would see a directory called . and one called .. . The . refers to the current working directory and .. refers to the parent directory. That's why cd .. takes you up a directory. Same with windows, . means current directory so .\PowerView.ps1 means: in the current directory, look for the script
So many dots
oh so it is an alias for import-module.... today shadow learned..... thanks
Gave +1 Rep to @ebon adder
after a break I come back to this and I'm having a new issue that I'm stuck on already..
I've been running the bloodhound command:
Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
That seems to work but at the end when it 'completes' and says Happy Graphing.. it stays like it is doing something and never ends the process. Earlier I stopped it and dropped the zip in bloodhound but it fails. 'BAD JSON' among other errors
CONTROLLER.LOCAL is not the correct domain to use. Also, if you have import errors, chances are it is your version of Bloodhound that needs to be updated.
thanks bro.. I will try ..
Gave +1 Rep to @ebon adder
Going to try that. I'm not concerned about the bloodhound version because I was making sure that it is up to date, same for neo4j. Coming shortly with the result
The behaviour is the same
But anyway it was good with controller.local I believe
It does not seem like you are doing the Enumerating AD room. Since that is not our DC. For more general support, I recommend #site-support
Hey @ebon adder just got done with this room and it was very informative thanks! Noticed a quick typo in the MMC instructions, it says to right click but I think you mean left click? Right-click on Active Directory Users and Computers in the left-hand pane Click on View -> Advanced Features
Gave +1 Rep to @ebon adder
Hey there! Glad you liked it!
So you can either go way at the top and click View->Advanced Features. Or you can right click on AD Users and Groups/Computers and perform the same thing:
Second way which is left click
Both ways work
Oh woops. I didn't notice that hah. Sorry! In the powershell enumeration you specify the domain. Is this just good habit in case you're in multiple? As the command was working without.
No worries! So to specify the domain serves two purposes:
- If you do an actual assessment against an organisation, almost all of them will have multiple domains. You might have creds for za.tryhackme.loc, but you want to enumerate uk.tryhackme.loc, since there is domain trust between those two, you can actually do this. By specifying the domain, you are deliberate in what domain you are enumerating, meaning you don't confuse yourself.
- Often on an assessment your "testing windows system" will not actually be domain joined. For example, they gave you AD creds and a VPN file. In these cases, you need to deliberately specify the domain so the powershell cmdlet knows you are talking to the client's domain, and not your local WORKGROUP domain.
Hope that explains its use cases! Even if for this room you could skip it
Ah brilliant, thanks for the detailed answer. The rooms are great, it must take a lot of work to set up the populated active directory for us to learn on, thanks! Looking forward to the next stage.
Gave +1 Rep to @ebon adder
Glad you are enjoying it! They do take quite a bit of setup, but as long as users are able to use them for a learning opportunity I'm happy to put in the work. Good luck with the remaining three AD networks, hope you enjoy those as well!
Hi! I finished the room more or less, but with sharphound, it always returns me no users, any idea why ?
hey @shut gulch, if you are using Kali, try to sudo apt remove bloodhound and install a fresh release from Github
@crystal dragon I used the kali box vm, I installed bloodhound from apt, bad idea?
Damn ok, I redid the box with the attackbox to save me hassle, and it did work. I couldn't print the path from my user to T1 Tier Admins though, I don't know if I was supposed to, but I found that pretty unfortunate
AttackBox is parrot, not Kali right? I've faced exactly the same issue and found a discussion in the Bloodhound Github issues where the devs say they are not maintaining releases/repo for Kali, and maybe for Parrot it is a different situation, so installing fresh from github seems like a good idea anyway
Attackbox is a customised Ubuntu distro iirc (and we install tools as required for rooms)
EnumAD is a nice room, enjoyed doing it.
I got disconnected from the thmjmp1 machine and now I can't connect back at all with ssh, nor reach distributor.za.tryhackme.com/creds, and nslookup fails. What's wrong?
I disconnected reconnected to the VPN, same DNS ips, restarted both services but nothing huh
well
doesn't work on attackbox either
Oh damn ok welp we have to try another time I guess
That's frustrating, why do we have to be disconnected when we were already connected, wth, instead of refusing the newer connections
don't know but that's how it is I guess. not much we can do about it
I was right in the middle of the room
same, i was in the powershell section
yeah same
Well at least I'm not a pepiga who messed up something without knowing I guess
nope. just the pepigas who got kicked off lol
Your version of bloodhound is not the same as the Sharphound binary. V4.1.0 was used in the network. If you want to use an older or newer version of Bloodhound, you will have to download the Sharphound binary associated with that version. Easier option is just to download version 4.1.0 and run it directly from the release folder
If the network drops, can you run two things:
- ping the DC using its IP
- Run
nslookup za.tryhackme.com <DC IP>
If the ping does not work then it is most likely that the network went to sleep. If someone pressed extend instead of Start when the network sleeps, it bricks out. So you have to use inspect element to re-enable the Start button and press it (Frontend team is working on a fix)
If both commands work, then the issue is your local DNS configuration.
If the nslookup command fails but the ping works, then there is a network issue that must be inspected. You can then let me know and I'll look into it from the backend
thanks!
Gave +1 Rep to @ebon adder
I ran the ping yesterday, it succeeded
I'm gonna retry again, let me 5 mins to setup
It works again
(the network was stopped, i just started it, ping and nslookup works now)
Perfect, glad that worked
Can I ask something? What does "domain-joined" mean? Since we are on the same network and can connect via SSH or RDP, wouldn't we be in the domain?
Hey there, good question!
When you have a Windows host, by default, it is joined to the default WORKGROUP workgroup. Meaning it is not domain joined. Once you change this to the actual domain and enroll the host using credentials that have the permission, this value is changed to the domain.
Since we are on the same network and can connect via SSH or RDP, wouldn't we be in the domain? - Same network does not really have anything to do with it. But that second part, either SSH or RDP to a domain-joined machine means yes, you are domain joined!
However, if you perform red team assessments or security testing of networks, a lot of the time your testing VM would not be domain-joined. Simply running the organisation's VPN profile won't make the machine domain-joined and since you don't have an AD account with permissions (usually) to domain-join that machine, you need to be more creative with your enumeration. Hence this is why the room shows how you can perform these techniques from a non-domain-joined Windows machine.
Hope that makes sense. Let me know if anything is unclear and I'll try to explain it better
Thank you very much. I got the answer to my question.
Gave +1 Rep to @ebon adder
added dns server (THMDC), restarted service, but it doesn't work for some reason, nslookup returns an error
(server is accessible)
why can it happen?
Please provide more details such as:
- DNS technique you are using
- OS you are running
- Can you ping the DC
- Does
nslookup za.tryhackme.com <DC IP> work
You need to provide more details please if you want assistance
i followed the example on my kali host, changed /etc/systemd/resolved.conf, restarted service, but got error from nslookup thmdc.za.tryhackme.com
but it started to work, after i have changed /etc/resolv.conf
If you scroll down in the task you will see there are instructions specifically for Kali since Kali uses network manager. Changing network manager config would have automatically changed /etc/resolv.conf for you. Of course you can also change it manually for the same effect.
ok, I didn't know
thank you)
Gave +1 Rep to @ebon adder
I did everything as in the example, but it looks like it's not configured properly
nah, that's working, I got the same output and the next steps work, it shows the exact task output you see in the attackbox afaik
oh, yes
thanks)
Gave +1 Rep to @winged crystal
Thank you @ebon adder for these free networks.
Will there be more networks released for subscribers, or are these all?
Gave +1 Rep to @ebon adder
Task 6: Hi there, any idea why I don't get node information?.... Same results with the uploaded file on that task or running SharpHound and getting the .zip...
I think you have to search for your user account first. Then select it in the graph view and the node properties show up.
Glad you like them. For now it is these 5 networks that have been released, but there are plans in the future to create more
hello, should task 2 be done or can I just skip it?
like do I have to do all that it does, like inject credentials inside THMJMP1?
You should use v4.1.0 of Bloodhound. You can download it from the releases and execute directly from its folder.