Hello,
Since I bought my new webcam (Logitech Brio 4K Stream), I've been struggling with Windows Hello facial recognition.
I remember when I first plugged it in into my Windows 11 I received a toast notification telling me that Windows Hello was available, shame I didn't click it. From there I've tried any possible combination of drivers, firmware, registry hacks, disabling every sort of protection, everything, but Windows Hello will never be able to find any compatible camera in my Windows 11.
So tonight I wanted to try something, I brought up a Windows 10 Virtual Machine and, connecting the webcam to the VM instead of the host, to my big surprise Windows Hello was working flawlessly inside the virtual machine! So the webcam is working, there must be something on my host machine preventing it to work with Windows Hello, but sadly I ran out of ideas at this point

I have both Adobe Premiere 2023 and 2024 installed. I have projects of both types but for stretches of time I will only be using projects that are 23 and then other stretches it will be 24 and these need to be kept as the versions they are. What I have found is that on any computer whatever I have set as the initial default app to open the project file is what it will always open as. To be more specific if I set 2023 to open the project file and then try to right click and use Open With and navigate to the 2024 executable it still opens 2023. If I manually go to that executable and open it then 2024 opens. If I try to change the default app to something other than Premiere it works (I changed it to Wordpad) but if I then do another Open With and go to 2024 it still opens with 2023. So I am wondering if there is a way to make the change other than registry hacks and preferably if there is a way to get the project files to have and use both 2023 and 2024 though the Open With option?

Filed simple standard deduction tax return on 1/27 accepted by the IRS on 1/29 per TurboTax filing records. I got the CP05 on 3/11 saying they are holding my refund for further review and wait 60days. 109 days since return was accepted. 67 since I got the wait longer and don't call us letter. I have called several times and never got a live person until today. Special thanks to the person who posted the instructions on how to hack the IRS autophone system amd get a live person. I have also emailed my reps and heard nothing yet. So the IRS rep was zero help. Just said wait longer up to 120 days from the arbitrary 3/11 date. The IRS apparently doesn't use the date you file they use the date on the form they send you telling you to wait longer. Sounds suspect and illegal. I was told call back in July and then they can contact the dept that is reviewing my tax return and ask them why is going on. Wow that's a good system. I was told there is no phone or email they can give me to contact the review dept myself and ask what the issue is and if they need something from me. The person I talked to reviewed my account and said she doesn't t see anything wrong with the numbers and no flags so she doesn't know why my return was chosen for review or what is holding it up.
Basically I was on hold for 90 minutes plus 30 minute call and was told they don't know why it's taking so long, wait longer, and check the where is my refund page.

I use Fedora, by the way.
Here is my Linux journey so you know where this is coming from:
I started with Ubuntu; ran it for one month and hated it. I used Kubuntu for 2 hours. I often dual-booted to Windows because I played Valorant (it was trending in my friend group at that time).
I switched to Manjaro, cause it got recommended on Reddit, (yes i searched stuff like "best Disto for gaming") and accidentally wiped my Windows partition. I liked Manjaro, but then an update destroyed my desktop, and I couldn't get Plasma to autostart. I always had to start it manually after booting and I wasn't experienced enough to fix it. (Manjaro is not stable; stop recommending it to newbies.)
I used Nobara for a while and loved the project (still do)! But I wanted a more supported project, so I switched to Fedora, and honestly, I never want to use anything else. My T480 runs Arch, but only because I like customizing it a lot.
I installed Fedora on my boyfriend's PC when Windows stopped working properly, and I think it is the best distro for getting into Linux if you are a bit tech-savvy.
But if someone is not techy and just wants to install and use it, then I recommend Linux Mint. Please, guys. Debian-based distros have more support from companies so far (e.g., Discord).
Before anyone says, "Eh, but you can run the Flatpak, and it is super easy," yes, you are right. You can, but think about it. A new Linux user who is not techy doesn't want to deal with it. They could, but they don't want to.
Even if they are techy, it's hard to understand. Hack even I was confused and I am working as an IT-Administrator (windows Domain).
And if thats the case then I think someone who only maybe was clicking in the registry editor or using the command prompt once won't understand it at all.
"But I easily installed Linux and immidiately understood all the Packages, what a DE/Windowmanager aswell as Display Server is and did Linux from scratch and Arch in my first 24h of using Linux" Good for you. I didn't. And I think most didn't either.
Yes, there are exceptions, and maybe a plunge into cold water is a good way to learn, but even then, just give them an easier start. Otherwise, you unintentionally gatekeep Linux.
So, in my opinion:
For non-tech users who want to try it: Linux Mint. Give them easy instructions for the GUI. Since you can use the GUI to install and it is honestly super nice and aproachable.
"But the terminal is faster and they should learn it!" No. They don't need to. They want Firefox or Chrome or whatever, not to speedrun the Linuxexperience.
For techy users: Recommend Fedora. It is the Goldilocks zone between stable and new.
"But Arch is better." Maybe, but not everyone wants to learn so much in the beginning. And honestly, if they are techy, they will probably distro-hop at some point anyway and if they like Arch they maybe stick to it.
Also, can we please agree that, in most situations, the distro is less important for a Linux experience than the DE?
Also, KDE and XFCE are goated; change my mind.

^{Edit due to comments: Be adviced this is very subjective}
Here is my Linux journey, to better understand where I am coming from:
I started with Ubuntu; ran it for one month and hated it. I used Kubuntu for 2 hours. I often dual-booted to Windows because I played Valorant (it was trending in my friend group at that time).
I switched to Manjaro, cause it got recommended on Reddit, (yes i searched stuff like "best Disto for gaming") and accidentally wiped my Windows partition. I liked Manjaro, but then an update destroyed my desktop, and I couldn't get Plasma to autostart. I always had to start it manually after booting and I wasn't experienced enough to fix it. (Manjaro is not stable; stop recommending it to newbies.)
I used Nobara for a while and loved the project (still do)! But I wanted a more supported project, so I switched to Fedora, and honestly, I never want to use anything else. My T480 runs Arch, but only because I like customizing it a lot.
I installed Fedora on my boyfriend's PC when Windows stopped working properly, and I think it is the best distro for getting into Linux if you are a bit tech-savvy.
But if someone is not techy and just wants to install and use it, then I recommend Linux Mint. Please, guys. Debian-based distros have more support from companies so far (e.g., Discord).
Before anyone says, "Eh, but you can run the Flatpak, and it is super easy," yes, you are right. You can, but think about it. A new Linux user who is not techy doesn't want to deal with it. They could, but they don't want to.
Even if they are techy, it's hard to understand. Hack even I was confused and I am working as an IT-Administrator (windows Domain).
And if thats the case then I think someone who only maybe was clicking in the registry editor or using the command prompt once won't understand it at all.
"But I easily installed Linux and immidiately understood all the Packages, what a DE/Windowmanager aswell as Display Server is and did Linux from scratch and Arch in my first 24h of using Linux" Good for you. I didn't. And I think most didn't either.
Yes, there are exceptions, and maybe a plunge into cold water is a good way to learn, but even then, just give them an easier start. Otherwise, you unintentionally gatekeep Linux.
So, in my opinion:
For non-tech users who want to try it: Linux Mint. Give them easy instructions for the GUI. Since you can use the GUI to install and it is honestly super nice and aproachable.
"But the terminal is faster and they should learn it!" No. They don't need to. They want Firefox or Chrome or whatever, not to speedrun the Linuxexperience.
For techy users: Recommend Fedora. It is the Goldilocks zone between stable and new.
"But Arch is better." Maybe, but not everyone wants to learn so much in the beginning. And honestly, if they are techy, they will probably distro-hop at some point anyway and if they like Arch they maybe stick to it.
Also, can we please agree that, in most situations, the distro is less important for a Linux experience than the DE?
Also, KDE and XFCE are goated; change my mind.
I use Fedora btw!
Edit: THIS IS MY OPINION. if you disagree: Ok. Why?
and the whole ```Fedora is the best``` is a joke

hi, i've been messing around with fl on linux for a while, and it works more or less perfectly, even the vsts i threw at it (though i havent tried that many tbf). the only real gripe i have with it is that using bridged plugins will just crash. on a discord server im in someone said that they managed to fix it via a regedit hack and didn't elaborate. the only thing online i dug up was a forum post from them asking about it and a mod saying their post will be deleted. cracked the registry open myself and didn't find anything that seemed like it could help. so i was wondering if anyone here knew anything about it?
using jbridge for that purpose works, but that just generates a whole other dll that has its own issues so thats not really great.

basically my PC doesnt have TPM 2.0 so I used registry hacks to upgrade to windows 11. Can I bypass the TPM check?

On ubuntu 22.04 LTS latest one
Things I've tried:
Only line out in output within sound settings
Installing pavucontrol Headphone available separate from lineout. Selecting it allows me to hear system audio through my headphones; like the sound that happens when you change the volume but no application audio like firefox
Installing alsa gui tools I opened hdajackretask and overrid both headphones and speakers according to forums online. No avail
I removed the headphone jack detection wire frm the header that connects to my motherboard because it used to randomly disconnect. Still I've been able to switch to my headphones in windows all these years via a registry hack.
I can hear system sounds normally when i switch via pavucontrol but it dosent play audio from firefox through.

before i get into this gonna say i understand the reasons for 5071c verification processes, i respect the reasons driving it
i got 5071c letter today, i got it b/c address change. i had address change since last years return in same city - PO Box to PO Box for good reasons.
i started paper filing a few years ago as the amount of verification information to e-file via turbotax & others was getting out of hand, i buy locally installed tax software and take my privacy and the security seriously as i dont trust TT not to get hacked. then i started omitting my bank info after post office sent my state tax return many states away. i was basically asking for a 5071c letter [no empathy expected].
i have trust issues with the ID.me process and dont like their terms/conditions, tried calling the number but they are too busy to get me queued up, call back tomorrow message, i have no desire to make repeated calls to IRS, is a time waster IMHO. expecting refund of less than $200 so no urgency felt on my end

So many various failed launch attempts under my belt!
This one feels like my final effort towards anything ressembling a conventional "career."
Full Text below, but it's better with images and links on the site - https://dirtsmith.com/seven-minutes-towards-action/
This is the third in a series about the most impactful seven minutes of my life. The second post covered my reflections on the event and its aftermath. This post addresses the question – Why Now? Why would I focus on this event two years after the fact? And What's Next?
A Year of Challenge The last year has been difficult. I suffered an emotional collapse that derailed my latest “career,” and forced me to address (with success!) a long misdiagnosed mood disorder. Meanwhile, my Mate has had to largely relocate to Europe.
But most critically, (via a lengthy process of disengagement, manipulation, and compassion-leveraging), my ex-wife has effectively kidnapped my daughter.
This last experience has been the most unexpected and devastating act of betrayal I have ever known. As of this moment I haven’t seen my kid in in more than seven months, and she hasn’t communicated with me in four.
Reinforcements About a month and a half ago my daughter was celebrating her 13th birthday, somewhere out of reach. I was engaged in legal efforts to regain contact, and found myself reflecting on that car fire. Perhaps the time had come to identify and connect with the other party to that experience? The exchange ought to at least lift my spirits. And if I wound up needing character witnesses he could furnish a powerful one.
I was able to identify him and get in contact! It was a process, involving a fair bit of detective work, but I eventually reached him by phone a couple weeks ago. (I would have just introduced myself in person but he had moved from the area and relocated 500 miles away). My call, out of the blue and two years after the incident, surprised him. But it was a very positive connection for both of us.
We shared our memories of the event (he only recalls awakening on the ground outside the vehicle). I sent him pictures from the scene, and he returned a lovely montage of photos depicting subsequent significant life events, with a note of gratitude. He also assured me that he will do everything in his power to help with my legal efforts, if required.
A Year of Fortune The last year has brought more than just challenges. It has also provided a precious opportunity to explore authentic living. The support I have received from Mate and others has allowed me to explore numerous avenues of self-expression. These had been stifled by a decades-long forced march through the grim landscapes of employment under the yoke of late-stage capitalism. In the forlorn hope of providing and maintaining an “adequate standard of living” for my family and myself, I had enabled society too long.
But I’ve tried to make the most of this sabbatical. Throughout, I have pondered conjuring a living out of any of these expressions, or somehow cobbling one together from the numerous pieces. This has yielded no confidence-inspiring solution. Meanwhile my window of contemplation is closing.
But I won’t return to Pushing the Wheel towards the Grey City.
Reflecting on the events of two years ago, one final, Hail Mary solution presented itself; I could try my hand as an Emergency Medical Technician (EMT).
Seven Minutes Towards Action My best friend is a paramedic and has worked in emergency medical services (EMS) for about a decade and a half. At the beginning he encouraged me to consider joining him. And I would have back then! But my biggest concern has always been my squeamishness. I was the kid who always had to close his eyes at the gory parts of the movie.
I’ve improved a bit over the years, but this is still a concern. There are others.
The hours (both the long, overnight shifts and the cumulative weekly totals) heavily impact any long-term viability. And while I would have opportunities to save lives, I would also witness profound, unredeemable tragedy. Furthermore, as my best friend notes, his primary daily role is to provide “a taxicab for derelicts.”1
Finally – this isn’t work I can port to Europe when I try to spend time over there.
Thus, I have some concerns about sustainability.
BUT…the skills themselves would be extremely valuable to master, and could prove essential at any moment in daily life. Meanwhile, as the pharmaceutical industry drives Western Medicine further from affordable basic care for the general population in favor of longevity advancement and luxury lifestyle enhancements for the elite, emergency medicine still humbly serves the most vital of human needs, without regard for social class.
So, I have signed up for a course in Emergency Medicine. This course will prepare me for the National Registry of Emergency Medical Technicians (NREMT) exam. After that, my best friend thinks he can get me hired on with his team, and should even be able to provide me with my field training!
Seven Minutes Towards Action Curb Your Enthusiasm My life has furnished a firm curriculum with an overarching message – “Lower Your Expectations (on Everything Outside Your Control).” So when I find myself getting excited about anything that will involve input from others, I reflexively try to reign it in. Thus the rather muted enthusiasm I am expressing.
But I AM excited by the chance to provide for the most basic human needs, in a local community, with no consideration for social class! And who knows? I might just love it! Furthermore, if I can’t hack it full-time, part-time is also an option!
Hope Is Not A Strategy, but sometimes it has value to offer nonetheless. So, fingers crossed!
He has described transporting indigent patients with vague claims of illness to the hospitals of their choice (on the other side of the city). Then, after completing his required paperwork, he has watched them exit the emergency room and depart the grounds. ↩︎

Function parameters of arrays sized m, n → m+n is the hello world of dependent types. I hacked this together over two evenings:

use 5.038; use strictures; use Kavorka qw(fun); use Moops; our %TypeVarRegistry; class MyTypes extends Type::Library :ro { use Type::Library -declare => qw(TypeVar TypeVarExpr); use Types::Common::String qw(NonEmptyStr); use Types::Standard qw(ArrayRef); use Types::Common::Numeric qw(PositiveOrZeroInt); my $TypeVar = Type::Tiny->new( name => 'TypeVar', constraint_generator => fun(NonEmptyStr $name → CodeRef) { fun {} } ); my $TypeVarExpr = Type::Tiny->new( name => 'TypeVarExpr', constraint_generator => fun(NonEmptyStr $name → CodeRef) { fun {} } ); my $SizedArray = Type::Tiny->new( name => 'SizedArray', parent => ArrayRef, constraint_generator => fun( Enum["type"] $literal_type, Type::Tiny $parameterized, Enum["length"] $literal_length, $expr → CodeRef ) { if (PositiveOrZeroInt->check($expr)) { fun { $expr == ArrayRef->of($parameterized)->assert_return($_)->@* } } elsif ('TypeVar' eq $expr->parent->name) { fun { $TypeVarRegistry{$expr->parameters->[0]} = ArrayRef->of($parameterized)->assert_return($_)->@*; 1 } } elsif ('TypeVarExpr' eq $expr->parent->name) { fun { my $eval; # world's worst symbolic expr parser if ( my ($var1, $op, $var2) = $expr->parameters->[0] =~ /(\w+)(\+)(\w+)/ ) { $eval = $TypeVarRegistry{$var1} + $TypeVarRegistry{$var2}; } else { die; } $eval == ArrayRef->of($parameterized)->assert_return($_)->@* } } else { die } }, ); __PACKAGE__->meta->add_type($_) for $TypeVar, $TypeVarExpr, $SizedArray; __PACKAGE__->meta->make_immutable; } use MyTypes qw(SizedArray TypeVar TypeVarExpr); fun add_ok( SizedArray[type => Str, length => TypeVar["m"]] $A, SizedArray[type => Str, length => TypeVar["n"]] $B → SizedArray[type => Str, length => TypeVarExpr["m+n"]] ) { [$A->@*, $B->@*] } use Data::Dx; Dx add_ok([qw(e r t)], [qw(e r t)]); fun add_broken( SizedArray[type => Str, length => TypeVar["m"]] $A, SizedArray[type => Str, length => TypeVar["n"]] $B → SizedArray[type => Str, length => TypeVarExpr["m+n"]] ) { [$A->@*, $B->@*, 'this must not work'] } use Data::Dx; Dx add_broken([qw(a s d f)], [qw(g h j k)]); 

edit - Title's incorrect obviously, it's EAP-TLS, not EAP-TTLS
So I've been through looking for others having this issue and found a couple. I've tried the connection probing registry hack, as well as allowing the CA to reissue the certificates in question.
We use a third-party cloud-based PKI and RADIUS (NPS doesn't touch ANY part of this process). We distribute our WiFi via Meraki access points. User and Machine certs are distributed via SCEP profiles, through Intune. The same CA is used to issue the User and Device certificate. Wireless connection profiles are distributed by Intune.
I have a wireless profile (CombWifi, for example) being distributed through Intune, authenticating with EAP-TLS set for Computer or User authentication. Everything works great after the user logs in.
However, as long as the profile connection method is "User or Computer", I cannot successfully connect when selecting "CombWifi" from the network before logging in (It says "Can't connect because you need a certificate to sign in. Contact your IT support person.)
If I log in with my user account, connect with this connection profile, it succeeds. I then open up the network control panel, go to the wireless adapter, and change the Wireless properties so that the "User or Machine" option is "Machine". Upon doing so and logging out, I am able to connect to the CombWifi profile prior to login without any problem.
I reset the authentication back to "User or Machine", and generated more failures, and looked at the wlanreport generated by the command:

netsh wlan show wlanreport 

The failure indicates "Network authentication failed. The user certificate required for the network can't be found on the computer".
Obviously the computer certificate is fine, because when the authentication is restricted to "Machine", it works fine. It appears that when "User or Machine" is selected, even during a pre-login phase, the user certificate is preferred? Anyone have any experience with this scenario before I have to surrender and open a support case with Microsoft?

Short: What is the most practical way to start off with a Synology 1219+ if I don't have hundreds of dollars to spend on disks?
Long version:
I have recently acquired a Synlogy 1219+ in a game of chance and am wondering the most practical way to go about putting it into service.
My current storage strategy is very poor. I have a small 1 Gbe network at home consisting of:

1. an ancient two bay DNS-323 with two ancient drives running as JBOD. This NAS is so old that it doesn't even support current SMB protocols and only a registry hack on my old Windows10 box lets met have access.
   
2. an old external HDD used for backing up photos and videos from my SLR camera and camcorder. I probably have about 100 GB of photos and videos or so (will need to verify this later)
   
3. an old i5-4670 desktop which served as my main platform for about 7 years up until about 3 months ago. It has 3 HDDs (1 Tb, 2Tb, 4TB). Two HDDs have failed in the time I have used it. It currently serves as the main archive for documents, photos, videos, movies, music, apps, etc.
   
4. My main desktop with a single 2TB nvme drive. Mostly games and apps since there isn't much space to spare for archival data
   
5. My (5th grade) daughter's desktop with a 512 SSD and 1 TB HDD
   
6. A bunch of laptops (rarely used), a few tablets and chromecast equipped TVs.
   

I was given the 8-bay 1219+ last week. I am guessing that the fan will run constantly so the current plan is to run Cat5 to a room where it will be housed. the main problem is that I currently have zero drives to go in the bays.
My last hard drive failure hurt as I lost a lot of data with sentimental value (old scans and other crap I used to IM back in the 90's). I still have the drive in hopes that I'll be able to afford data retrieval one day, but I can't see it being worth the exorbitant cost.
I want the 1219+ to serve as a the main server. It looks like the easiest thing to do would be to purchase a recertified 16GB HDD from serverpartdeals and add another one every year for 4 years until I have decent redundancy but
1 - Does going magnetic make sense if I am just starting from scratch? Should I sacrifice capacity in the short term for SSD technology? Are SSDs more reliable at this point?
2 - Should I wait until I can afford 2 or more drives before using the synology? Should i just purchase bargain basement used drives for now and slowly replace them over the next few years?
3 - Never used RAID before.. should I wait until I can start out with at least a RAID 3 setup?
Thanks in advance

In this post, we will cover the answers of TryHackMe Breaching Active Directory room in addition to demonstrating the concepts of Active Directory Penetration Testing.
Complete room answers can be found here.

Active Directory Credential Harvesting Methods

Before we can exploit AD misconfigurations for privilege escalation, lateral movement, and goal execution, you need initial access first. You need to acquire an initial set of valid AD credentials. Due to the number of AD services and features, the attack surface for gaining an initial set of AD credentials is usually significant.
When looking for that first set of credentials, we don’t focus on the permissions associated with the account; thus, even a low-privileged account would be sufficient. We are just looking for a way to authenticate to AD, allowing us to do further enumeration on AD itself.
The following techniques to recover AD credentials in a network:

• NTLM Authenticated Services
• LDAP Bind Credentials
• Authentication Relays
• Microsoft Deployment Toolkit
• Configuration Files

Understanding NTLM andNetNTLM

The set of security protocols called New Technology LAN Manager (NTLM) is what allows users to validate their identities in Active Directory. NetNTLM is a challenge-response-based method that leverages NTLM for authentication. The services on a network make extensive use of this authentication technique. NetNTLM-using services, however, may also be open to the internet. Listed below are a few well-known examples:

• Exchange (Mail) servers hosted internally that provide an Outlook Web App (OWA) login page.
• A server’s Remote Desktop Protocol (RDP) service that is available over the internet.
• VPN endpoints that were connected to AD were made public.
• Web apps that use NetNTLM and are accessible over the internet.

NetNTLM, also often referred to as Windows Authentication or just NTLM Authentication, allows the application to play the role of a middle man between the client and AD. When a challenge is successfully performed, all authentication material is sent to a Domain Controller, and the application will authenticate the user.
This means that the application is authenticating on behalf of the user and not authenticating the user directly on the application itself. This prevents the application from storing AD credentials, which should only be stored on a Domain Controller.

Credentials Brute Force Attacks on Active Directory

These exposed services offer a great place to test credentials that have been found in other ways. To retrieve a first set of legitimate AD credentials, these services can also be accessed directly. If during our first red team recon we were able to recover information like working email addresses, we might try using these for brute force attacks.
We won’t be able to conduct a full brute-force attack because account lockout is implemented in the majority of AD environments. Rather, we must execute a password-spraying attack. Rather than trying a number of different passwords, which could set off the account lockout mechanism, we select one password, utilize it, and try to authenticate with every username we have collected. It should be mentioned, though, that because of how many unsuccessful authentication attempts these attacks will produce, they can be identified and detected.

Task Description

You have been provided with a list of usernames discovered during a red team OSINT exercise. The OSINT exercise also indicated the organisation’s initial onboarding password, which seems to be “Changeme123”. Although users should always change their initial password, we know that users often forget. We will be using a custom-developed script to stage a password spraying against the web application hosted at this URL: http://ntlmauth.za.tryhackme.com.
If you are using the AttackBox, the password spraying script and usernames textfile is provided under the /root/Rooms/BreachingAD/task3/ directory. We can run the script using the following command:
python ntlm_passwordspray.py -u -f -p -a
We provide the following values for each of the parameters:

• — Textfile containing our usernames — “usernames.txt”
• — Fully qualified domain name associated with the organisation that we are attacking — “za.tryhackme.com”
• — The password we want to use for our spraying attack — “Changeme123”
• — The URL of the application that supports Windows Authentication — “http://ntlmauth.za.tryhackme.com”

LDAP Pass-back Attack

NTLM authentication and LDAP authentication are comparable. On the other hand, the program authenticates the user’s credentials directly while using LDAP authentication. The program can query LDAP using its pair of AD credentials before confirming the credentials of the AD user.
Below services are example of services that use LDAP authentication

• Gitlab
• Jenkins
• Custom-developed web applications
• Printers
• VPNs

If you could gain a foothold on the correct host, such as a Gitlab server, it might be as simple as reading the configuration files to recover these AD credentials. These credentials are often stored in plain text in configuration files since the security model relies on keeping the location and storage configuration file secure rather than its contents.
LDAP Pass-back attacks can be performed when we gain access to a device’s configuration where the LDAP parameters are specified. This can be, for example, the web interface of a network printer. Usually, the credentials for these interfaces are kept to the default ones, such as admin:admin or admin:password .
Here, we won’t be able to directly extract the LDAP credentials since the password is usually hidden. However, we can alter the LDAP configuration, such as the IP or hostname of the LDAP server.
In an LDAP Pass-back attack, we can modify this IP to our IP and then test the LDAP configuration, which will force the device to attempt LDAP authentication to our rogue device. We can intercept this authentication attempt to recover the LDAP credentials.

Task Description

There is a network printer in this network where the administration website does not even require credentials. Navigate to http://printer.za.tryhackme.com/settings.aspx to find the settings page of the printer.
You can follow through with the room to execute this task’s commands and get the answers shown below.

Understanding Server Message Block (SMB)

Clients (like workstations) and servers (like file shares) can communicate with each other over the Server Message Block (SMB) protocol. SMB controls everything in networks that make use of Microsoft AD, including remote administration and file sharing across networks. The SMB protocol is even responsible for the “out of paper” notification that appears on your computer when you attempt to print a document.
Nevertheless, it was determined that earlier iterations of the SMB protocol lacked adequate security. Numerous flaws and exploits that might be used to obtain code execution on devices or even retrieve credentials were found. Despite the fact that some of these vulnerabilities have been fixed in more recent protocol versions, organizations frequently do not mandate the use of these versions because outdated systems do not support them. We’ll examine two distinct attacks for SMB-based NetNTLM authentication:

• Since the NTLM Challenges can be intercepted, we can use offline cracking techniques to recover the password associated with the NTLM Challenge. However, this cracking process is significantly slower than cracking NTLM hashes directly.
• We can use our rogue device to stage a man in the middle attack, relaying the SMB authentication between the client and server, which will provide us with an active authenticated session and access to the target server.

Attacking Microsoft Deployment Toolkit

One Microsoft service that helps with automating the deployment of Microsoft Operating Systems (OS) is Microsoft Deployment Toolkit (MDT). Since base images can be updated and maintained centrally, large organizations employ services like MDT to help deploy new images in their estate more efficiently.
The System Center Configuration Manager (SCCM) from Microsoft, which controls all updates for all Microsoft services, operating systems, and apps, is typically connected with MDT. For fresh deployments, MDT is employed. In essence, it enables boot image preconfiguration and management for the IT staff. As a result, all users have to do to configure a new system is plug in a network wire; the rest happens on its own. They have the ability to modify the boot image in a number of ways, including pre-installing Office 365 and the preferred antivirus program for the company. Additionally, it may guarantee that the first installation to run uses the upgraded build.
One may consider SCCM to be MDT’s older brother and practically an extension of it. After the software is installed, what happens to it? In any case, SCCM handles this kind of patching. It enables all software installed throughout the estate to have its available upgrades reviewed by the IT team. Prior to centrally delivering these changes to every machine that has joined the domain, the team can additionally test them in a sandbox setting to make sure they are reliable. The IT team’s life is much made easier by it.
On the other hand, attackers may target anything that offers central management of infrastructure, such MDT and SCCM, in an effort to seize control of significant amounts of vital tasks within the estate. While there are other ways to setup MDT, for the sake of this job, we will only be focusing on a configuration known as Preboot Execution Environment (PXE) boot.
PXE boot is used by large organizations to enable new devices connected to the network to load and install the operating system directly over a network connection. PXE boot images can be created, managed, and hosted using MDT. Since PXE boot is typically integrated with DHCP, the host is permitted to request the PXE boot image and begin the network operating system installation procedure if DHCP grants an IP lease.
After the procedure is finished, the client will download the PXE boot image over a TFTP connection. The PXE boot image can be used for two distinct purposes:
After the PXE boot is finished, inject a privilege escalation vector, like a Local Administrator account, to obtain Administrative access to the OS. Use password scraping techniques to obtain the AD credentials that were used for the installation.

Task Description

The first piece of information regarding the PXE Boot preconfigure you would have received via DHCP is the IP of the MDT server. In our case, you can recover that information from the TryHackMe network diagram.
The second piece of information you would have received was the names of the BCD files. These files store the information relevant to PXE Boots for the different types of architecture. To retrieve this information, you will need to connect to this website: http://pxeboot.za.tryhackme.com. It will list various BCD files:
Usually, you would use TFTP to request each of these BCD files and enumerate the configuration for all of them. However, in the interest of time, we will focus on the BCD file of the x64 architecture. Copy and store the full name of this file. For the rest of this exercise, we will be using this name placeholder x64{7B...B3}.bcd since the files and their names are regenerated by MDT every day. Each time you see this placeholder, remember to replace it with your specific BCD filename. Note as well that if the network has just started, these file names will only update after 10 mintes of the network being active.
With this initial information now recovered from DHCP (wink wink), we can enumerate and retrieve the PXE Boot image. We will be using our SSH connection on THMJMP1 for the next couple of steps, so please authenticate to this SSH session using the following:
ssh thm@THMJMP1.za.tryhackme.com
and the password of Password1@ .
Follow along with the room’s instructions so that you get the answers shown below

Harvesting Active Directory Credentials from Config Files

Suppose you were lucky enough to cause a breach that gave you access to a host on the organisation’s network. In that case, configuration files are an excellent avenue to explore in an attempt to recover AD credentials.
Below configuration files usually contain many AD credentials.

• Web application config files
• Service configuration files
• Registry keys
• Centrally deployed applications

For example, McAfee embeds the credentials used during installation to connect back to the orchestrator in a file called ma.db. This database file can be retrieved and read with local access to the host to recover the associated AD service account and with below command we can open the database file
sqlitebrowser ma.db

Room Answers

Complete room answers can be found here.

Free Active Directory Penetration Testing Training

https://www.youtube.com/watch?list=PLqM63j87R5p6BXQK3VCL-9ZLVyyXs_Au1&v=0pcWviZcFVU

I made an XP theme for windows 10. I used different tools which I'll show right now in a list: -Luna10 -SecureUX Theme -Open-Shell and Classic Explorer -Quero Toolbar -3RVX -an app I forgot the name which shows xp internet icon on taskbar taskbar -RetroBar -Some registry hacks, I even brought back the tasks toolbar on the left of file explorer! -classic logon shell, for the logon screen -and last but not least, some windows 7 programs I took from different forums and virtualbox with 7!
Any tips for the customization?