HackTheBox Writeup Escape
Escape is a Medium difficulty Windows Active Directory machine that starts with an SMB share from which guest-authenticated users can download a sensitive PDF file. Inside the PDF file temporary credenti...
Request Credentials Reverse DNS lookup and AXFR request doesn’t work /etc/hosts # THM STUFF 10.200.19.101 THMDC za.tryhackme.com THMDC.za.tryhackme.com 10.200.19.249 THMJMP2.za.tryhackme.co...
Credential Injection Runas Explained Have you ever found AD credentials but nowhere to log in with them? Runas may be the answer you’ve been looking for! In security assessments, you will often ...
Introduction to AD Breaches Alert!, This Room Is Awful Active Directory (AD) is used by approximately 90% of the Global Fortune 1000 companies. If an organisation’s estate uses Microsoft Win...
Room Objectives In this room, we will learn about Active Directory and will become familiar with the following topics What Active Directory is What an Active Directory Domain is What compo...
Stocker is a medium difficulty Linux machine that features a website running on port 80 that advertises various house furniture. Through vHost enumeration the hostname dev.stocker.htb is identified...
Pre-engagement Briefing You have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in three weeks. Scope of Work The client re...
Info You have been assigned to a client that wants a penetration test conducted on an environment due to be released to production in seven days. Scope of Work The client requests that an engine...
Recon Forensics - Analyze the PCAP Use bettercap to parse packets (because I love bettercap) sudo bettercap set net.sniff.source overpass2.pcapng net.sniff on Questions What was the URL of ...
Recon Autorecon sudo $(which autorecon) -vv -m 3 --dirbuster.threads 50 --reports markdown --dirbuster.tool gobuster 10.10.74.153 Nmap # Nmap 7.94 scan initiated Tue Jun 20 08:30:14 2023 as:...
Recon Autorecon sudo $(which autorecon) -vv -m 5 --dirbuster.threads 100 --reports markdown --dirbuster.tool gobuster 10.10.67.8 AutoRecon never finishes, it just hangs or says there is 1 t...
Obtain access via SQLi Login form looks super suspicious Try payload admin' or 1=1 -- - Can try another payload : ' or 1=1 -- - Login success, redirected to /portal.php Single quote tes...
Recon Nmap # Nmap 7.94 scan initiated Sat Jun 17 09:53:59 2023 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/kali/thm/HackPark/results/10.10.168.141/scans/...
Recon Nmap # Nmap 7.94 scan initiated Fri Jun 16 08:51:17 2023 as: nmap -sVC -p- -T4 -Pn -vv -oA alfred 10.10.145.150 Nmap scan report for 10.10.145.150 Host is up, received user-set (0.28s lat...