#lateral-movement-and-pivoting

i voted but its 1/5

I guess you're gonna have to wait a total of 4 hours to vote reset or less if you can ask other in the network to vote 😦

yeah

its fine

i read and learn some AD on hackthebox in their "Active Directory Enumeration & Attacks" room in the academy

Hi! Shouldn't I be able to ping the DC IP if I'm connected to the VPN? I tried to do the room yesterday and now again, but apart from not getting DNS to work on the attack box or my own machine I can not even ping the different machines in the network. Is it me or is the network kind of broken?

I'm getting the same problems, got the vpn to work(smbclient wouldn't work tho) on my machine for a while then it suddenly stopped and refuses to work again now, I've tried with the attackbox yesterday but not much luck, :/

the network I'm on is 10.200.77.x

DC might still block pings cause of firewall. Can you run an nslookup za.tryhackme.com <THMDC IP> and see if that works? If it doesn't, there may be something wrong with the network

Same here, can you confirm if the DC is responding to DNS queries. If it isn't, that might be the issue which will require a network reset

nslookup says, connection timed out and ping doesn't return anything

For both of you that is not great. Can you please either send me your VPN file, or in your VPN file look for the remote IP and send that to me so I can run a quick check?

Will be doing this room after work tonight 🙂

not sure if this should be private but here it is 52.208.106.243

This is fine, but VPN file better to send that DM

Thanks for looking into it!

From the VPN server I'm not seeing any of the hosts active? Can you confirm that the network is active? Just hit F5 on the room page

nmap -p22,53,3389 10.200.77.101 10.200.77.201 10.200.77.249 -Pn

Starting Nmap 7.60 ( https://nmap.org ) at 2022-06-27 10:12 UTC
Nmap scan report for ip-10-200-77-101.eu-west-1.compute.internal (10.200.77.101)
Host is up.

PORT     STATE    SERVICE
22/tcp   filtered ssh
53/tcp   filtered domain
3389/tcp filtered ms-wbt-server

Nmap scan report for ip-10-200-77-201.eu-west-1.compute.internal (10.200.77.201)
Host is up.

PORT     STATE    SERVICE
22/tcp   filtered ssh
53/tcp   filtered domain
3389/tcp filtered ms-wbt-server

Nmap scan report for ip-10-200-77-249.eu-west-1.compute.internal (10.200.77.249)
Host is up.

PORT     STATE    SERVICE
22/tcp   filtered ssh
53/tcp   filtered domain
3389/tcp filtered ms-wbt-server

Nmap done: 3 IP addresses (3 hosts up) scanned in 3.05 seconds

Will check yours in a minute

yeh, it says its running

@rose kernel Zeeshan is on the same subnet as me, I think he's having the same issue I was.

Is the start button pressable? What does it show the network active time?

no

But the extend does not show any time active?

yep, it's been the same as that

Should our network uptimes match?

Or does that not matter @rose kernel ?

I mean technically they should? Do you have the same there?

No

Yeah then that network is not running. And F5 refresh of the room page does not allow you to hit the start button?

Network states it is running.

yeh, I've done multiple refreshes, it stays the same

Okay, then I'm pretty sure it is a website fault perhaps. Let me check in with the team there.

When I did the network I had multiple outages on the DNS, that got fixed after just restarting the DNS service, I don't know if this might help others that has outages when doing the room, as in where when you're done with a task the DNS isn't working properly, then just restart the DNS service on your machine 2 times, like usual, then it fixes the problem, (from my experience)

if anyone is doing the room right now, can you try it out and see if that happens, and report back, just as a temporary fix

systemctl restart systemd-resolved

(note this works when you have change the /etc/systemd/resolved.conf file, not /etc/resolv.conf)

It's the server.

that sounds like an attackbox issue, I've done the previous ad network on my machine and didn't need to restart anything once it started working

The DC in our case.

it can be a bit of both

cause it's always DNS that is the problem

This really helps on the attackbox. I've done that before as well. However, issue here is port 53 (DNS) on the DC is dead. So you are not getting DNS to save your life 😂 Together with the control ports on all the other hosts, leading me to believe the network in this case is dead entirely 😬

I've sent in a request to the website support team. Sadly I don't have access to the PROD instance so can't debug it any further. In the mean time you can try to vote for reset, which should fix the issue as well

Currently 3/5.

Unsure if Zeeshan has voted again.

plz gib one more reset on 10.200.77.101 🥺

If not one of us can vote again in an hour.

If anyone wants to be lucky I can send my VPN in a bit

wouldn't you need to be on the same DC for it to work?

The 80 network should be working

You're connected to a whole different subnet

So it's basically the same, just change the 2nd period in the ip

@feral granite or @toxic harness you wanna try it out with my VPN?

I've moved on to a different box

fair

I left for a meeting, place I was supposed to go to has had IT problems, blanket message sent out not to attend, then I got a call asking to go in with my "it background" 😂

But I've just voted to have our network reset so Zeeshan should be good to go.

That's .77. subnet good to go.

Hi,
This command works for me alright, but I can't access http://ntlmauth.za.tryhackme.com/

That means your DNS configuration is not working. What OS are you on?

Kali

Which configuration option did you perform?

Modifying the resolved file to add the ip address of the THMDC

That option is for the attackbox. On kali, the suggestion is to use network manager since that is used for configuration. If you do it correctly, and run cat /etc/resolv.conf then the IP for the DC should be the first one. Then DNS will work for you

Scroll past the resolved section and you will see a section for Kali

oh yeah. I just saw it. Thanks

Gave +1 Rep to @rose kernel

So I made the modifications but I still get this..

I'll give it a go shortly but when I was in the room the state was 'Running' with, I believe, 177 people in the room. I did hit the start button just in case. The timer had approximately 32 minutes uptime remaining at this point. I pressed the restart request button, 1 of 5 and later this was 1 of 6.

This time I was able to download the vpn file but I received an error:
2022-06-27 10:01:49 OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.

The solution to this was to modify the VPN file and change the line

cipher AES-256-CBC
to
data-ciphers cipher AES-256-CBC

yup, that we know, if you have a look in #site-support

I'm connected now and all looks good 🙂 Thanks for your help

Gave +1 Rep to @lost tinsel

for future reference, this command will do the trick
sed -i 's/cipher AES-256-CBC/data-ciphers AES-256-CBC/' *.ovpn

Send me the output of cat /etc/resolv.conf please?

you have to be in the folder that the vpn is laying at

Cool 🙂 I do love the quirks of all our toys 🙂 And now, onto the room!

Ne1 currently on the .89 network and having it work fine?

In Task 3 connecting to SMB fails with the following message session setup failed: NT_STATUS_CONNECTION_RESET

I have also tried to psexec but it never connects.

can you ping 10.200.89.101? If the network is started and you can't I might have to check that network.

What network are you on?

I cant. I have SSHed as jenna.field though, in THMJMP2

why should I ping 10.200.89.101 The IIS IP is 10.200.88.201

You shouldn't be able to ping that. That was a response to another request

@rough shore, so you are on task 3. Could you send me the command you're using?

No. I cannot ping 10.200.89.101.

smbclient -c 'put myservice.exe' -U t1_leonard.summers -W ZA.TRYHACKME.COM '//thmiis.za.tryhackme.com/admin$/' EZpass4ever

I get Destination Host Unreachable

Alright. Let me try to get the network reset for you.

Thanks

Gave +1 Rep to @shadow linden

I have also tried to simply login the SMB server using the Workspace/username/Password but still fails misserably.

@shadow linden I found this interesting in the logs: 2022-06-27 16:34:29 net_route_v4_add: 10.200.89.0/24 via REDACTED dev [NULL] table 0 metric 1000. Shouldn't that [NULL] be mapped to the lateralmovement interface?

is that in the output of your openvpn command?

Ya

I'll try to reproduce. Just gimme 1 min

Obviously REDACTED is the IP THM issued me

can you try smbclient -c 'put myservice.exe' -U t1_leonard.summers -W ZA.TRYHACKME.COM '//10.200.88.201/admin$/' EZpass4ever

@shadow linden .89 is up now

And DNS is now resolving. All good. Thanks for the net reset

I will try it tomorrow, I have left my PC now. I am sure that it will work with a Network reset.

Still same VPN problem where 10.200.79.x can't be reached. Do you have some suggestions to fix this?

Could you DM me to check

Wow, done 🙂 Thanks for the room! I believe every Windows-Admin and their management should be forced to do these networks so they understand what kind of dangerous configurations most of them still allow in their company networks.

After the initial hiccup the network was running fine now. Did it all with my own parrotOS machine. 👍

That command worked. It seems that thmiis is not resolving properly.

THMIIS was not resolving in my lab, too.

try restarting the DNS

so basically just running systemctl restart systemd-resolvedx2

had the same problem where this fixed it

smh attackbox specific problems

did you ever finish the network?

it needs a lot of trouble-shooting to work on openvpn, I just gave up for a while

even though the attackbox has these problems it is a lot easier to do it through the attackbox than VPN right now

No, I mean I finished the lab yesterday. I was able to resolve THMJMP2 and THMDC through the DNS-server but THMIIS only workd via IP. I used my own machine, not the attack box. Was not a big problem for me but I guess some people might have trouble.

So it was not on my client side I guess but the DC (with DNS) had a problem.

yeah

The hiccups need some fine tuning maybe 😄 Because the network is otherwise very well done and it would be a shame if people gave up because of DNS (it's always DNS).

Just finished the room. It was a great one, especially the pivoting part was pure joy. You should think of adding some more pivoting tools as well, especially Metasploit portfwd , chisel and plink.

I think the wreath uses chisel to pivot.

Don't quote me though, I haven't done it

it does

or it has some tasks about how to

you can choose not to

and use socat instead or other tools

Muiri made it -- ofc you can use socat for everything 😄

Wreath does plink and chisel

@shadow linden Can I DM you with a question that I have?

for sure!

can anyone check 10.200.77.101 if it's down, I was connected for an hour or so and then it suddenly crashed and is unresponsive now :/

Hey there, could you please DM me about it

sure

Anyone had any joy reaching the 10.200.80.xxx network from the attack box? No response from ping and no 10.5x ip address

If you have no 10.50 IP, it means your VPN file is probably broken (yes even in the AttackBox since the AttackBox just pulls your VPN file for you). Can you please try to:

1. Terminate the AttackBox
2. Go to Profile -> Access
3. Go to Network VPNs and select Lateral Movement
4. Click regenerate VPN file.
5. Wait 20 seconds and then see if you can download the file.
6. If you can, restart the AttackBox and check if you have a 10.50 IP now

That sorted out the ip, thank you very much. Still getting 'destination host unreachable' when pinging the dc though

Gave +1 Rep to @rose kernel

Make sure to start the network. It stops if inactive for a while

if this doesnt' work, just let me know

OK, it does say it's running. I clicked to extend, and got an acknowledgement, but nothing doing on the ping.

Dunno if there's anyone else using that subnet, but I have to call it a day now, anyway. I'll try again tomorrow

Alright. I'll check just in case

Much appreciated. I'm really enjoying this series btw 👍

I got stuck on task 5, I used mimikatz pth command for user t1_toby.beck with rc4 hash and reverse shell to attacker machine on port 5556. The reverse shell works but with whoami I still see the initial ssh user I used and winrs.exe gives server name resolve error with domain name and ip address of THMISS server isn't allowed. Any suggestions?

@shadow linden I'm stuck now but really like this and the other AD rooms. 👍

Sorry for that, I replied to the wrong msg 😅 . But do check if you are typing THMIIS instead of THMISS

@shadow linden, can I send you the command I used and error message in DM to avoid spoiling it for others?

for sure

I have been having trouble myself once the network stopped. I then started it, but have not been able to connect for over 40+ mins. Is anyone else having trouble?

I cannot access the THMJMP2 or get creds from THMIIS, after the network stopped on me as I was working on task # 7

what network are you on?

Lateralmovementandpivoting, do you need the internal VIP?

Just the one you get on the network diagram. Should be 10.200.x.y

80.101

thanks for checking

that network is being restarted

might take a bit

interesting, it shows running on my side. it was up and I was working on task # 7 and it just stopped on me. So, I restart it and have not been able to connect sicne then

Here is what I have seen for over 1 hr

Just sent the request for the network to get reset. Might be a couple of minutes.

I even refreshed the page many times, just to make sure it it really running

Thanks @shadow linden and @rose kernel for another awesome lab!

Gave +1 Rep to @shadow linden

This one is all @shadow linden 🙂 I'll see you for my next one 😉

Looking forward to it!

I'm using the Attack box and am connected properly (the nslookup command works correctly) but I cannot recieve the reverse shell on task 3

I'm using the latermovement inet Ip address for the msfvenom payload and the metasploit reverse shell

but not getting anything

couldn't get it to work tonight which is a shame i was looking forward to that 😭

so is Rejetto HFS actually running on port 80 on THMDC?

Yes, but do check the IP. Should be 101

i see it. trying to use portfwd through 201 and meterpreter to exploit HFS

I think you are making a forward of port 80 of thmiis rather than thmdc

i think your right lol

Hi Im having issues connecting to the network

Im running the ovpn and I can't ping the dc

its says I am successfully connected as well

Be sure to check if the network has been started

You can do so in the room

Hi,
is there anyone who faced this issue on Task 3?

I won't be able to upload the service that I made to admin share using smbclient

Could you perhaps try with the IP of THMIIS instead of the hostname? That might work better?

Same error

Am I doing something wrong? ugh

Error looks a tad bit different. You sure that host is online?

Also I'm pretty sure you need to use t1 credentials for THMIIS since it is a server?

I try it, and I will try it again

But first just make sure the host is actually active. You can use nmap -p22,445,3389 thmiis.za.tryhackme.com -Pn to confirm. If 22 and 445 is not open, chances are the network stopped

Yeah, then that SMB connection will not work since port 445 is no open there. Might be best to reset the network there

yes I fix it

but still the executable wont be able to upload 😦

Done Done Done

https://tenor.com/view/yes-baby-goal-funny-face-gif-13347383

Thanks @rose kernel

Gave +1 Rep to @rose kernel

Perfect!

finally completed the network 🥳

smh, why you take so long

cuz network died twice

excuses

just get it done before it died

I don't think the DC likes me.

We actually figured this one out this morning (we think and hope). It seems like the issue occurs when the network timer expires and a user clicks extend instead of refreshing the page and clicking start. What this does is, extends the time on a dead network. The team is busy with an investigation and will make an update to the frontend so if the timer times out, extend will be disabled and start re-enabled. Had this exact same issue this morning on a network. Quick fix is use inspect element to re-enable your Start button and then click it. That worked for us

actually testing that out right now, just keeping a network extended, right now has been running for almost 3 hours

Well to test it out you need to have the network time expire. But then instead of refreshing the page that would allow you to click start, you click extend. Network will expire if extend does not show a time but rather shows Extend -, then if you click that you bork the network

yeah, but I am testing it on running for a long time and then see if it borks, then letting it run out and extend it

nice to know you're aware of the issue and there's a semi fix for it, thanks :)

Gave +1 Rep to @rose kernel

Ah fair enough, but yeah, network should remain stable for fairly long. In our TEST and DEV environments those networks have been active for more than a month, so we should hit similar timelines in PROD

but now we're talking PROD and not TEST 😛

jk jk

also waiting for gpupdate is meh

If you have to wait to long let me know and I'll force apply it myself.

been only waiting for 4 mins, so it's fine

Sounds like you could do with a coffee break to get those 15 minutes over faster

coffee break? this is my coffee break, work is boring right now, I don't understand how 500+ companies can't have any problems, they are bound to have something wrong that I can fix

Just wait until the opposite and you're swimming in tickets.

easy enough, on a normal day we get like 70-80 tickets

waiting time is over!

Perfect 🙂

is it possible for you to dm me the creds of svcServMan as I don't want to go through all that again so I can exploit the GPOs

Sure

@rose kernel great room! Looking forward to another!

This one is @shadow linden ! Glad you liked it! 🙂 Next one to come out very soon!

Had some issues with port forwarding and metasploit so I used another way to hop on the DC

AD is all about having extra options. As you saw in the lateral movement room, there are many ways to perform the same thing. Each having their benefits and specific use cases. If one does not work for you, best to move to another one 🙂

Exactly! Rooms like these help test several methods before whipping them around in real engagements. You all rock!!!!

Hi @shadow linden the network is in the resetting mode for quite some time . Do you know how long it shall take to be operational again?

Try Ctrl and F5.

@feral granite .. I have done that .. to no avail

Guess, I am among the ones who requested the resetting of the box .. can't do much

Usually when it resets it reverts back to 0/5

that's for sure .. hopefully, one more request and we are good to go.

You can do it again after 60 min(s)

Well noted, thanks @feral granite for the info

Gave +1 Rep to @feral granite

For those having issues -- I was the one who managed to break the network last night with @rose kernel watching. The fix (for me) was to right click the "Start" button and click "Inspect" and then just delete the "Disabled" string. After that, click "Start" again because it will be enabled and the network should be working again in 5 minutes or so.

I actually streamed part 1 of the box last night on Twitch (with teaching & comments from @rose kernel). I am uploading the YouTube video now and I do this exact fix in it. I'll post and timestamp when it is uploaded for those running into the issue.

Okay, I have the YouTube video ready to premier at 2pm cst. I worked through the first 4 tasks slowly and with explanations. I also had TryHackMe staff member and creator @rose kernel on the stream explaining concepts in more depth. If anyone is stuck or would like to work through it with this next to you, here's the link:
https://www.youtube.com/watch?v=basSfhSJW0Y -- I'll try to monitor the chat but I am currently at work. If you are stuck on anything, feel free to DM me and I'll be happy to help 😃

I'll be streaming part 2 live tonight at https://twitch.tv/hack_smarter

Probably worth posting about this in #thm-community-media too 🙂

Hey! Thanks. I will do that!

Gave +1 Rep to @lilac kite

Is it me or is this network still pretty much dead? (infini resetting) the start trick doesn't work, and voting for resets doesn't work

Was working for me

Got up to task 5 or 6. Will continue tomorrow

These AD rooms are the best

Infinite reset does not sound good. What's your subnet so I can report it?

Glad you are liking them! 🙂

Hey all,
I have one question. When we create remote service with SC.exe and then run it with the exe file generated from msfvenom we get back reverse shell with "nt authority\system" account. My question is we are Running/Creating the service with user "t1_leonard.summers" how we are getting reverse shell with "nt authority\system" ? Isn't that the user "t1_leonard.summers" tells the system to run this service and for this reason we get reverse shell with "nt authority\system" ?

Thank you in advance

Hey there! That is a really good question!

So when you create the service, by default, it will run as SYSTEM. You can specify a different user for the service using the sc command, but if you don't specify a user, it will automatically run as SYSTEM. This is why your account (t1_leonard.summers) need to be part of the Administrators localgroup on the host you are creating the service, since this is a pretty privileged function.

Hence, when the service executes, you get a shell as SYSTEM and not the t1 AD account 🙂

These are the sc parameters you would want to specify should you wish to execute the service as a different user

Is this meant to show t1_toby.beck's session?

he doesn't show up when i do query session either

I'm not 100% sure, I think @shadow linden can help here

Thank you very much for the great explanation. I'm going to try it.

Gave +1 Rep to @rose kernel

This is what shows up for query session 🙂

are you running that as nt authority/system, try using psexec64.exe -s cmd.exe and then run the same command in the cmd

yea i did run that lemme try again

well actually

it does say im system here

hmm, idk what's wrong then :/

dam would you mind dm me the flag so i can finish the room or something?

or i can try restart or whatever if you thinkt thatll fix it

Can you send me your vpn file? Then I'll quickly admin in and reboot that machine and see if that gets it going 🙂

am using the attackbox rn.

it's the same

ah cool one sec

network configs folder

AttackBox uses your VPN file. I'm not going to use your VPN, just need the IP deats in there to admin in

sorry for disturbing you again @rose kernel just one more question. Is it possible to be made user which is not in the Local Administrators group but to have assign rights to create a services in the remote machines ? or for sure need to be member of the Local Administrators Group

I might be wrong, but I'm 99% sure that you can't create remote services on a machine unless you are a member of the Local Administrators group. I don't think there is a more granular permission group that you could be assigned. But take that with a pinch of salt since it has been a while since I actually looked at this

Okay thank you again for the help

Hi not sure if my network instance is screwed, but on task 5 when I dump the NTLM hashes from LSASS memory I can only find instances of t1_tony.beck (i.e t1_tony.beck2- t1_tony.beck5). I've tried pth/ptt/oth with each hash and get nowhere. Am I missing something?

I think it should be toby not tony? And how are you trying to use those? Maybe if you show some of those commands someone here will be able to assist

Yeah sorry for typo I was using toby not tony. So from mimikatz privilege::debug, token::elevate to impersonate nt authority\system token, then sekurlsa::msv . Output shows t1_toby.back2 - t1_toby.beck5. Can't see a t1_toby.beck. The point is I can't find the correct account to get the correct hash to then inject.

Also using token::revert before attempting to inject with the hashes I've found for each instance of the toby account...

Mmm those other toby beck's credentials should be okay to work with?

yeh still infini-reseting

If they don't work, send me your VPN file and I'll quickly check if I can find them

Let me report this

thanks

appreciate you

Sent, hopefully they can fix it

Thanks, must be something I'm doing/not doing then. I'll try again later 🙂

Gave +1 Rep to @rose kernel

👍 If it fails, send me your VPN file and I'll admin in to see if there is anything funny going on

just finished the room was great thanks for the help everyone

Hey there, they should all have the same password hash. However, when doing pth/ptk/opth be sure to do it against the t1_Toby.beck with no numbers at the end

It should probably work with the other accounts as well, but I need to check if this will still grant you the flag

Just finished this room last night while live streaming. I'll share the video once it's done being uploaded to help those who are stuck. I take the time to do all 3 attacks in it (Pass the Hash, Pass the Key, and Overpass the Hash) so it should hopefully help those who are stuck on one of those. Excellent room @shadow linden!

I finished 😉 @shadow linden compliments for this nice room!!! And your assistance to get me through some difficulties. Thanks! 👍

Gave +1 Rep to @shadow linden

Hey there, watched your video (pt1). It got me some insight to add a couple of clarifications to the room. Nice work on that, totally recommended 😎

Glad you both liked it

Hey!! Glad you found it helpful! I try to stream all the new rooms but if you come out with a room, just DM me and I'd be happy to go through it on stream and work through it out loud (and invite others to join me).

If you haven't done so yet, go for Exploiting AD by @rose kernel , did the room yesterday and it is quite amazing!

@rose kernel is actually joining me on stream tonight and sharing how to set up an AD lab with vagrant! I stream on Tuesdays, Wednesdays, and Thursdays and the plan is to start Exploiting AD next Tuesday. I'm looking forward to it!

I cannot show the juicy ways we make these networks vulnerable and our specific configuration for obvious IP reasons, but can at least show how to create a simple AD network to start playing in 😉

For task 5, I can get to t1_toby.beck2's account. But I don't see the regular t1_toby.beck's info. Am I blind or is it something else?

See @shadow linden 's comment few message above. Should be the same hash, just make sure to specify t1_toby.beck as the account username

Hmmm I couldn't get it to work like that. But I'll check again. Might've mistyped something

Whoop got it! Thanks again!

Network should be sorted now. If you request a reset then the network will reset correctly this time

already up and I didn't even needed to do anything 👍

thanks

hey guys, Does the lab have a time limit of a number of days you can access the same as 'enumerating and breaching AD labs'?

Yes, 9 days

@lost tinsel is that cumulative for all 3 labs or are they 9 days each?

they kick you out of the networks but you can simply click "join" to get back in

@toxic harness@lost tinsel thanks guys, so even if 9 days passes I can go again.

Gave +1 Rep to @toxic harness

yes, as long as you're subbed you'll have access

@toxic harness perfect 🙂

yeah, 9 days each, the older network are also like that, but with a different amount of time iirc

@lost tinsel thank you

• @lost tinsel

Gave +1 Rep to @lost tinsel

Is the Lateral Movement and Pivoting room broken?

I don't reach the host, Destination Host Unreachable throws me from my machine and from AttackBox

If the network appears as started, could you please attempt to reset it?

I'd just add to this that based on my experience just now you need to use something other than the AES key for this to work

Still having trouble with task 5. Got a shell back with pass the hash but the winrs command is not working… What am I doing wrong?

winrs error: The user name or password is incorrect

Do you have the video uploaded Tyler?

Try going back to when you executed runas. Chances are that you made a mistake while inputting the password. Runas will accept any password without validation so you have to be careful with it

Wait a sec… which runas command?

Oh wait. I may be in the wrong task

Make sure you are using t1_toby.beck without a number at the end

If you are doing so, it should work. If not, feel free to DM me and we can check what might be happening

I do! https://m.youtube.com/watch?v=yD-HCclrpgA&t

Hello all,
i am doing task 3 in the room.
Am i supposed to get a stable shell as leonard summers on my attackbox when i execute the runas with nc64?

Stable-ish. You are running netcat, so it is stable, but it isn't fully interactive, so you can't use arrows or tab

Thanks for your quick reply and your neat rooms!
Okay, so the thought is to from there run sc.exe?

Gave +1 Rep to @rose kernel

you can get a little more stability with rlwrap tho (rlwrap nc -lnvp 1234)

Yes, since the t1 user has the rights required to create the remote service. Your normal AD user does not.

Just note that with the /netonly flag with the runas command, there are two things:

• If you type whoami, it will still show your normal AD user. This is expected since netonly means to only run network commands as the user
• If you got the password wrong, you will get Access Denied. With netonly, any password is accepted since we do not authenticate to a DC. You can verify that your credentials were valid by running dir \\za.tryhackme.com\sysvol\ as explained in the Enumerating AD room

run the Flag.exe of task 3 and it gives me the following message: "Sorry! You are still missing something. No flag for you yet. (7)" I don't understand why that happens.

That will happen if you are trying to read the flag with a method from a previous (or future) task. Which method did you try for lateral movement?

Got it! Thanks Tyler, you used t1_toby.beck5 hash and it worked so I guess that was the trick, I was using the wrong hash👍🏻

Gave +1 Rep to @dull crystal

Hey, the network doesn't looks to work for me, anyone got the same ?

Can you do the nslookup?

Have you changed /etc/resolv.conf?

yess, i can't even ping the network. I was at task 5, the network restarted, and now i can't reach any targets

I had regenerate a new vpn config, restart my NetworkManager etc..

Are you sure the network has actually started? It might be that someone pressed extend instead of start. Which would brick the network. The frontend team is aware of this and working on a fix. However, in the mean time, if this happens, use inspect element to re-enabled the start button and press it. Then give it 5 or 10 minutes and try again

I'm pretty sure you are wright. I'm testing this out

I can't access the page http://distributor.za.tryhackme.com/creds from attackbox

did you configure the DNS servers of the attackbox to point to the THMDC server already?

yes i already did that

can you try running the following command: nslookup thmdc.za.tryhackme.com 10.200.x.101 replacing x with your network addressing

Having the same issue. I can nslookup thmdc.za.tryhackme.com all fine.

What network are you on?

You thinking about task or logical address?

75 subnet

Task 3

Let me check if all is working on 75

The distributor is working on 75

Hmm

I can access it there

try curl http://10.200.75.201/creds -H 'Host: distributor.za.tryhackme.com' and send me the output

Shouldnt be more to it than modifying resolved-conf right?

I was on it the other day

once you have configured your DNS, you should be able to run nslookup distributor.za.tryhackme.com and get IP .201 as a result

if that doesn't work, might be an issue with DNS configuration

I am back on the Pc in alittle, thanks for being awesome and dedicated both you and am0.

@shadow linden Back. Still no luck through firefox to reach the distributor. But i did the curl command, i can send you the console output but can you DM me here?

sure

If anyone is using the AttackBox and DNS gets funky, try running systemd-resolve --interface lateralmovement --set-dns $THMDCIP --set-domain za.tryhackme.com (replace $THMDCIP with your assigned DC IP address) and that should do the trick!

Is there a chance this line could interfere with the smbclient transfer?

it shouldn't

are you getting any errors?

Not sure it is related, but i keep getting a NT_STATUS_CONNECTION_RESET.

Also tried nuking the box and trying over

just to make sure, what task are you referring to?

Task 3 sorry

I am trying to transfer my msfvenom payload with smbclient

can you try using the THMIIS IP address in the command?

Might just be it, sec 🤦🏿‍♂️

it should work with the name, but I'll check just in case

IP worked, i feel like a fool for not trying that tbf

I've experience that, with the previous rooms aswell

interesting. I'll try to reproduce it and see what happens

Btw. Small thing, the room doens't have the tag "AD" like the other rooms do.

The smbclient command in the room has been fixed

and the tag added

Thanks for the feedback!

for some reason the command is only working with the short version of the domain in the -W option.

I am once again stuck on getting a nc shell, to my understanding we need to first get the netcat shell and then run our service payload and gain lateral movement like that

that sounds right

any particular error you are getting?

I feel really stupid, this is my second day being stuck on this ****.
I try to execute the runas command but not quite sure, if i have to use tun0 or eth0 and also if maybe i can replace za.tryhackme.com with an IP

i don't get any connections on my nc listener is all

So for this room your attackbox should have an interface called "lateralmovement"

that's the IP you need

There's a note on that at the end of task 1

T_T

Let's see if that is it

This is the way

👀

I'm stuck on the last flag

Has anyone seen this dns related issue before? nslookup thmjmp2.za.tryhackme.com;; Got recursion not available from 10.200.71.101, trying next server however if I use nslookup interactively it will resolve > thmjmp2.za.tryhackme.com Server: 10.200.71.101 Address: 10.200.71.101#53 Name: thmjmp2.za.tryhackme.com Address: 10.200.71.249 - just before starting the room the network was reset by other player(s) - ok on attackbox so presume something kali/nslookup(lib) related

I'll have a check at this

I can't reproduce the error. However I think it could be related to your DNS configuration. It might be the case that you have 2 DNS servers configured and some search domain as well? Does the behaviour change if you try the command with a dot at the end? nslookup thmjmp2.za.tryhackme.com.

Yes ending with the full root path works - first time I have seen this - using the same kali vm worked for all the other AD rooms perfectly - will spin up a clean instance but all good with full path or attackbox - many thanks for your time to check!

Gave +1 Rep to @shadow linden

Can i scp the mimikatz output .txt from my attackbox, so i can properly inspect it? (task 5)

What do you mean?

Haha.. Yes, good question!
The mimikats output is long, so i want to open it in gedit or something

just copy paste the text from the terminl into a text file?

Well mimikatz lets you log it into txt, but i never open txt files in windows cmd 😄 so maybe i should just look that up instead

if you already used log, then you should be able to use the type command to dump the file

scp should work with your given credentials, so that's an option as well

Thanks, yeh i could also setup the cmd terminal length to unlimited. But i don't remember where and it's attack box I am on🤣

Hey guys, did anyone run into this issue?

it keeps preventing me from setting LHOST as the walkthrough suggested

hey @indigo haven , plz post output of show options in msf, and also try set verbose true before running exploit

show options

verbosity doesn't change the output, and I couldn't track down the issue exactly for past two hours

tried the AttackBox, will try now my own VM

It should work both on the attackbox and the latest kali

that's kind of a weird issue. If you get it in your other machine, let me know to have a check at it

The network reset itself repeatedly tonight and eventually kicked me out

I kept having to rerun systemctl restart..... after almost every command

The last task has me almost dizzy from reading 😄 hope i will get through it

Pivoting is crazy to wrap your mind around but it is such a very important task. In a super brief summary:

• Network segregation means you can sometimes not reach a service on a host from your starting location. Hence you need to pivot.
• Your two options for pivoting are remote (server you are trying to access) or local (attackbox). Meaning you can either expose something that you have local to the remote or you can pull something from the remote to make it available local.
• Pivots can be chained together. So we could create a pivot from local -> remote (port 3389) and then used that to create another pivot from remote (port 3389) -> remote 2 (port 445). Which will now create pivot local -> remote 2 (port 445) that executes through remote (port 3389).

Best to take it one pivot at a time and draw it out as a diagram, that usually helps me not to get lost in the sauce of pivots 🙂

Wow.. The engagement from you guys, just crazy. I will have to read your message once i am done with the room.
I am right now trying to use the rejetto_hfs_exec from msfconsole but i get the error: "Failed to bind to 127.0.0.1:7777, already in use"

Last piece of the puzzle and i believe i've followed the guide every step

have you got it running twice? or have you checked what service is running on that port?

you might be able to just kill that service and repeat it.

And by that service, we mean the ssh from thmjmp2, right?

by that service, i mean whatever is running on 7777

it's either that, or if you can change what port is used, just switch to a different port.

(I haven't had time to do this room yet, so can't guarantee that my advice is the best for this, but those two options generally help 🙂 )

netstat -anlt | grep 7777 will tell you if something is running on that port

I will try that first and foremost, thanks!

There are enough details to keep track of with this room/task 😄 It does say there is a LISTEN active on 7777

Just looking through the task to see if it's something i've set up

are you using the attackbox or your own kali machine? sometimes there are other services running that help with other exploits are running on ports you want to use.

Attackbox, can i kill the ps using port 7777 via netstat?

I am so close to home with this one 😄 just wanna get there

If you get this error, you can just change the port to something else. So for example, perhaps try to use 7878? Just make sure to change all 7777 to 7878 and it should work 🙂

I fear if i change the listen port, it wont recieve from my ssh at thmjmp2

probably, might want to check what it is first, as i can't remember. htop might tell you what's running on a port? otherwise you can always nmap -A -p 7777 attackboxIP to check.

If you change it everywhere, then it should work. But yeah, sanity check yourself there not to miss one, else it will fail

Now i can atleast see a few steps to maybe solving my problem

I've had so much fun with these AD rooms, been a real mind bender.

10.200.77.101 is not serving DNS correctly. I am using the attack box and set it in the resolved.conf file. I cant resolve anything under za.tryhackme.com

root@ip-10-10-128-175:~# nslookup thmdc.za.tryhackme.com
Server: 127.0.0.53
Address: 127.0.0.53#53

** server can't find thmdc.za.tryhackme.com: NXDOMAIN

root@ip-10-10-128-175:~# ping za.tryhackme.com
ping: za.tryhackme.com: Name or service not known

I ran an nmap scan for port 53 and it shows open

I am able to ping the IP.

This is following a reboot for the same issue. The last time I tried this room was a few days ago and I had major DNS issues that day before it eventually kicked me out

I had to keep running the systemd restart command that time

But when it kicked me out, I didn't have time to rebuild my attack

can you try running nslookup thmdc.za.tryhackme.com 10.200.x.101

replacing x with your network number

sure. Give me a few mins to sign in

root@ip-10-10-104-226:~# nslookup thmdc.za.tryhackme.com 10.200.77.101
Server: 10.200.77.101
Address: 10.200.77.101#53

** server can't find thmdc.za.tryhackme.com: REFUSED

Let me check what might be happening

The network just went down

the server was busted, but should be alright when the network restarts

OK, I will probably try again tomorrow. Thanks!

Gave +1 Rep to @shadow linden

I'm doing Pass the Ticket, is it normal mimikatz shows no tickets for t1_toby.beck but t1_toby.beck4 and t1_toby.beck5 ?

It shouldn't be. t1_toby.beck should make a new connection every 5-10 minutes, so if it isn't appearing, it should connect after a while

Ok thanks for explaining. I already had the flag and did all the methods to learn so anyway I just performed the method for toby.beck5 and moved on.

I'm having issues reaching thmiis. I can reach jmp2, rdp in, ssh in. But uploading service for task 3 I can't reach thmiis. (I can't ping from jmp2 either)

what network are you on?

10.50.67.0/24 for my own box

what is the address of THMJMP2 for you?

10.200.75.249

I misunderstood, my apologies

no worries 🙂 let me check

I'm also having trouble with the command asking for the password even when I put the EZpass4ever at the end. I think that's an error on my end with smbclient though.

the server is up

you can't ping it however

the firewall won't allow you to

Gotcha. Okay it's on my end then. Thank you!

if you have trouble with smbclient, that may be because there are two smbclients out there

I'm getting NT_STATUS_IO_TIMEOUT for thmiis, but if I try the command against thmjmp2 I get ACCESS_DENIED, so that's why I thought it might be on thm side

you are probably using your own machine, right?

Yeah

you may have the other smbclient with a slightly different syntax

you can also use it, but you need to figure out the correct command options

Newest kali. I had some impacket issues the other day and I had to mess with it this morning a lot.
I have both smbclient, and smbclient.py. The syntax seems to be the same

Let me just try to upload anything to thmiis to make sure it is all working as expected

thank you!
I have tried messing with the user by putting the domain in there, messing with / and \ but I'm getting the same error on it for some reason

Not sure why this is happening on your network

but try the same command replacing THMIIS.za.tryhackme.com with the IP of the server

it should work that way

oof, that worked lol thank you!

the thing I didn't try

Anyone having issues with the 10.200.75.0/24 network. It is showing that it's running but only the 10.200.75.250 is showing alive and I don't think that's part of the engagement. (Using the Attack Box)

Hey there, is the network started?

Hey, Yeah it's shows running and up time is 1h 45m. When I Fping -a -g only the .200 is coming back as alive

there should be no .200

oh sorry .250 is the one that is showing alive

Oh, that makes sense

did you try refreshing your browser

the timer sometimes gets stuck

if it still appears as started, you'll need to vote for a restart

Yeah I did my vote guess I'll just wait for a couple move votes

you can vote again every hour

Ok great I'll come back in an hour and see if the reset fixes it

I'm back in Lateral Movement and the DNS is consistently dropping

can you tell me the IP of your DC?

I haven't been able to finish Task 3 because it's consistently dropping. This has been happening for like 2 weeks

One sec

10.200.64.101

it currently works for me

can you tell me more about what you are experiencing?

DNS resolution drops and I have to rerun systemctl restart to get it back

is this on the attackbox?

I've had to run it like 3 times already right at the beginning of task 3

Yes

can you try with this

.

you shouldn't need to restart any service at all with that command and hopefully it should be more reliable

jsut make sure to replace $THMDCIP

OK, it's working for now. Thanks @shadow linden

Gave +1 Rep to @shadow linden

There might be another issue. I keep getting permission denied when I SSH into thmjmp2

ssh za\natasha.howells@thmjmp2.za.tryhackme.com
zanatasha.howells@thmjmp2.za.tryhackme.com's password:
Permission denied, please try again.

I generated three different accounts and they all came back with the same thing

that's weird

can you DM me the credentials you got

hi. just wondering why the flag.exe binary doesnt give flag when I use something like psexec.py or evil-winrm from my kali machine? Got them working and got a shell but the flag binary doesnt give out the flag. I did get the flag when I used the method which was explained. But just wondering why these dont work.

Hey there, some of them are customized for specific methods. It's kind of hard to think of all possible methods and make a validation that still works 😅

Okay thats understandable thankss

Hi, I have constant problem with access this page: http://distributor.za.tryhackme.com/creds to get credentials when using web based AttackBox. (Firefox pop up: Hmm. We are having trouble finding that site). I have well configured DNS, can get tun0, just problem is with getting credentials from this page, Any idea what could be the problem, how to investigate/solve ?

can someone vote for a reset?

hey guys ssh connection for you is normal? for me typing command is really annoying :S

e.g

Hello, if for some reason you tried to access distributor before getting the DNS to work properly, chances are firefox cached your previous DNS request. It should fix after a while, but you can try closing and opening the browser

You can always make sure DNS is working properly by doing nslookup distributor.za.tryhackme.com and see if the result matches the IP address you expect from the network graph

RDP isn't working on THMJMP2 😦

Let me have a quick check at that

This server is working

tried with the same credentials

just worked 🤔

maybe the machine was starting

they do take a while 😅

Thanks for advice, Indeed I follow your suggestion and it shows DNS working well eg. showed IP match graph IP. However when try to access the http://distributor.za.tryhackme.com/creds still get firefox pop up (ie. not connecting to page with credential)

Gave +1 Rep to @shadow linden

I've been having issues with Task 7, specifically the HFS exploit.
I've tried all IPs for the tunnel and mfs. I've tried a bunch of different ports and when I run the exploit I get a connection on the ssh tunnel but always get "Connection reset by peer"

there is no "lateralmovement" ip on the attackbox either *edit: rebooted attackbox and it's there now. Still having issues with the connection reset

nslookup thmdc.za.tryhackme.com
;; Got recursion not available from 10.200.78.101, trying next server

I'm getting this error when trying to setup network.Can anyone help mw with this??

Hey there, that is probably due to your specific dns configuration

you can probably overcome it by putting a dot at the end of each name

like nslookup thmdc.za.tryhackme.com.

Let me know if this helps 🙂

this is mostly due to your machine having a search domain configured

I tried doing as u suggested , but unfortunately it is showing me the same error even after that

are you using the attackbox or your own machine?

Feel free to DM me and we can check

my own machine

sure

My DNS got funky and I tried entering this with the DC IP address - but still not working

Hello, could you send me the IP of your THMDC?

10.200.62.101

The network has already been reset this morning and I've tried a new Attackbox with no luck.

if you try to run host thmdc.za.tryhackme.com 10.200.62.101 do you get any output?

Output: ;; connection timed out; no servers could be reached

"lateralmovement" is listed as an IP in my interfaces

Can you refresh your browser and make sure if the network is started? Sometimes it hangs as started until you refresh it

Just refreshed and it has "Network state: Running"

In this case the only way to go is vote for a reset, sadly

ok, no problem. thanks 🙂

can someone vote for a reset?

Probably be best/easier stating the third octet of the 10.200.xxx.101

10.200.64.101?

There you go. 🙂

Same as myself.

thanks @feral granite 😊

Gave +1 Rep to @feral granite

It should be up and running now.

Can someone help reset the 10.200.75.101 network? Can't ping any of the machines

i cant access after adding to DNS settings

its definately down

can we please et a reset on lateral

can you cat /etc/resolve.conf ?

systemd as well

Hey there, some people using kali are having issues specifically with the nslookup command

chances are that everything else works anyways

can you try opening http://distributor.za.tryhackme.com/creds

if you see the website, then it's just your nslookup being picky

yeah that works for me

then you are set to go!

so its only the NS command thats being a douche?

no idea why nslookup is getting mad at the network

hmm thanks for the help i was wondering what i did

try ping thmdc.za.tryhackme.com and see if it resolves

it should probably work

yeah its all up

just ns being stupid

then you are set! 😁

tyvm

those curious, i left a playlist on TB4'S paint job 😉