#tryhack3m-special-module
🥳
Wasn't expecting these to drop early

Breaking: Timtaylor is not the first!
🥳
Looks like Tim wasn't the handyman today
hehehe

Have fun everyone 🥳
nice release and fun that this is a new one without any answers out there
🥳
Which of the 5 challenge rooms has the coolest name? Please post here. 🥳
Probably the TriCipher Summit.
Are we allowed to talk about solving the module in this channel?
Not yet, the same 72 hours of challenges applies, to keep it fair, and to guarantee that everyone has a fair chance to solve it on their own without hints/spoilers.
Okay.
Thank you for asking though.
Gave +1 Rep to @hazy jungle (current: #2059 - 1)
No problem, just wanted to be sure. (Stuck on the first challenge after 20 minutes so probably looking in the wrong place)
Same here - but i am still motivated 
Edit: Got the first
Same
Man Challenge 1 question 4 is pain
I started with question 4 now
I didn't understand task 5 from room sch3mad3mon very well, can anyone shed some light?
I'm stuck on the last 2 questions in Exploitation in Subscribe, hopefully I can break through it soon
I got it here
1 lab down
sch3mad3mon task 4 is making me feel fully stupid lmao
Figured out what I was doing wrong lmao
Four more to go. 🥳
0 labs down
infinitely more to go
took me a minute but I finally got a shell on the first one ❤️
Had the same with Task3 for almost 2 hours... But solved Task4 in 1 minute. Sometimes my brain isn't working properly
going nuts on the last flag of sch3mad3mon
Nice Firework simulation when you finish TryHack3M: Subscribe room and restore the sign up page, nice room thanks to all creators for this room @tardy sail @hallow crescent @covert bobcat and TryHackMe
Gave +1 Rep to @tardy sail (current: #158 - 41)
Good luck everyone, can't wait to see you all crossing the winning line
I'm hard stuck on sch3ma task 5 lmao ahhhhhh
yapp, Challenge 1 maybe is not easy haha
Hard stuck at Subscribe Task 2 Question 3
dude I'm hard stuck at the very last flag, that's even more depressing
Anybody has a hint for "What is the name of the suspicious process?"
I think I might've figured it out, it's been a while since I did any rooms so I'm very rusty lmao, forgot one of the basics
Sorry, no hints for the first 72 hours since room release, but you got this!
(I did not, in fact, figure it out lmao)
same stuck at this spot too

So I'm in task one and trying to find hidden txt with ffuf and gobuster but after 10000 requests I don't get response from server and search gets stuck??? What to do now
Read the tag line of the room and you'll get the hint.
Ok
Subscribe was a nice one, I really enjoyed it
hello, has anyone managed to compile the malware from here? https://tryhackme.com/r/room/sch3mad3mon
I've compiled the script with nim, but I don't get the flag
I've installed the nimcrypto and winim but no chance
What day are people going to be able to ask for hints? is that today?
This is not how to solve the challenge. I've done the entire room all by myself. I have errors with script while compiling it
is not necessary to be mean..
I am not sure who you are talking to rave, I was asking to ask for help for myself
up top of the channel it said 72 hours until hints but I wanted to verify heh
Ah sorry, when you replied to the chat, I thought it was addressed to me
no sir! sorry
I've managed to solve almost the entire room and I'm blocked at the last task with compiling a .nim file (which is the first time i'm doing it) and it feels frustrating because I'm not doing it right
good thing is not just me thinking is not that easy, took me a fair bit to finish it
Tomorrow 7pm uk time
I am at the last 2 question for that hopefully I can figure it out
Thanks mate. I hope you can compile the code and get the flag. I've installed the required dependencies, but won't work. Tbh? I think I have to see if it is nim installed on the machine and try to compile it from there
I finished the room. Very rookie mistake
I was overthinking it too much. I tried to compile the script locally instead of compiling it on the machine 🤣
No hints please.
23 hours.
Sorry.
Finally after 3 hours of thinking I solved the last question to TryHack3M: Sch3Ma D3Mon and have a writeup ready
me too, finally I got TryHack3M: Sch3Ma D3Mon, compiling the script was not an issue when I arrived to that step, I got stuck on reverse shell did not want to work for me and it was my mistake!! nice room @dusk crypt @MaxRobertson @arebel and TryHackMe
I only stuck with the os commands from sql, my mistake was that I tried to debug the code locally, I was overthinking too much
Did exactly the same, debugged the code locally and made it running to realize it's worthless, but I didn't solve it yet
Currently stuck at subscribe question about secure token to admin panel, I feel I'm getting close to the answer but overlooking it
Finally got past the point I was stuck on for sch3mad3mon and I'm not even sure how lmaooooooo, must've been something silly that I won't theorize about until the embargo is lifted
I've found the secure token, but I can't figure out what to do with it to get access to the admin panel
For subscribe
I just apparently broke my target machine lmao
Or the web server at least, time to terminate and start from the beginning 
Oh now I'm hitting an extremely annoying problem, I think there's a workaround though
This is very realistic, a target becoming unresponsive. 🥳
Yeah, the ability to just start a fresh target is probably reinforcing some bad habits in me lmao
Less luck in an enterprise setting, that's why we practice on safe environment targets in THM.
Glad you enjoyed
Okay now I'm stuck on something that I feel like shouldn't be an issue lmao aaaaahhhhhhhhh
We aim for realism here in THM
Did that a lot lol
Me rn at burg3rbytes
The burger in zero-gravity looked way too tasty.
Second place is still up for grabs on Burg3r Bytes
Third place is also up for grabs on TriCipher Summit
Ok let me try, it might be my weekend project
I can't seem to find the hidden path in the unlisted task in sch3mad3mon room, any hints?
Hey,
I think this is the right channel to reach out to the TryHackMe Staff. I would like to thank you very much for the e-mail I received on Monday. It really made my day. What a great appreciation :)!
This is a great event. I think the Burger Bytes Challenge will be my favorite, even though I haven't found everything and come to a solution yet. I am looking forward to the writeups of the ones who are able to solve the room. There's a lot to learn here!
A couple of days with gastroenteritis is quite funny (now) but no excuse for not getting anything at all with burger challenge. Definitely need hint or writeup
Have you tried using that token as your session ?
I didn't do that room, but that would be my wild guess when I get a session token.
There are some transactions and some encrypted files, play around with them and you'll find out
Tried adding a cookie with name as session and value as the token.. no luck. Same with the name set as PHPSESSID
I am assuming you are both staring at a ||forbidden page||?
I don't want to breach the hint embargo but I'll just say you may want to enumerate what you have access to thoroughly
I think it has been 72 hours already but let me double check
Oh actually I think it's lifting right this minute quite literally
In that case ||why tf is gpg failing to decode with a bad session key error no matter how I try it on or off the target system|| (for sch3mad3mon task 5)
Yes I am
I got stumped there too for a sec but had to take a step back and ||ask myself, just because I can't see that page, doesn't mean I wouldn't be able to see other pages inside that directory. Just got to find them.||
Good point ty
Gave +1 Rep to @nova siren (current: #61 - 112)
Any hints on the ||security token, or where is the admin page (is it the phpmyadmin?)|| on the subscribe?
The only hint I have for burgerbytes is ||[emoji]||
||poke around after getting logged in as guest and you'll eventually find an unusual endpoint.||
because you're probably ||fetching it through a proxy tool and it is not entirely sent||. ||try some other way around to get the entire GPG message ||
I'm getting the same error on the target machine itself through a reverse shell
shadow feels too burnt out to try these and just gonna have fun reading writeups later
reverse shell won't work. at least for me
i've used only sql injections
but here is a thing,|| curl has its magic ways of working ||
It shoooould be possible with the batch option if I've understood the stackoverflow answers correctly. Would copying the file contents not work either? Because I did try that too, complete file with header and footer. I guess I'll try another exfiltration method when I get home
you can transfer the files from the system. check with my suggestion above
Didn't do the gpg decrypt lol
||Am I correct in assuming you mean to use curl from the attacking machine with something like a simple python HTTP server running on the target?||
But I'll wait for a writeup to see if others have done it
that's some sort of solution, or ||netcat||
Interesting that it seems popping a shell wasn't necessary, I ended up spending a lot of time getting that to work lmao
yea it was the same for me, maybe they've limited some things from the docker, so I had to find other simpler ways
Seems like most standard routes were blocked in some way but I didn't bother trying to redirect stderr or anything to get detailed info
Still stuck on secure token, and the 2nd question of brick lol (didn't have much time to explore this one)
Will try after work, thought I've went through all of the dashboard
What is the full error you're getting? Is your shell stable? ||Mine wouldn't open the gpg decrypt because of the size but after I got a fully interactive stable shell it worked fine||
I'll see if I can repro it, just got home from work. ||I did originally get the size error via my reverse shell, which I thought was a full bash session but maybe it wasn't, then I tried workarounds to inline the passphrase in the command which ultimately yielded to bad session key error||
you made my day
Question regarding 3M room Sch3Ma D3Mon task 5:
||I'm unable to use lannister's credentials from users table to ssh into the machine, even tried password from task 1 but neither of them work. I even got bitcoin addresses for decrypting receipts as well as a portion of task 5's answer (/home/products/malware/4sale/) but can't figure out how to complete the rest. Tried to use mysql since it has /bin/sh as its shell but password was incorrect again, any hints on what I'm missing to log in?||
You are close, you have part of the answer already that you mention
@placid spear Stabilizing the shell was the move, got everything working nicely ||also I was trying the wrong address lmao||
Aaaand that's sch3mad3mon completed, really got hung up on that decryption step and it was just me shooting myself in the foot lmao
Nice!
||Did you defang it first? Always read the readme!||
I'll try again tomorrow, might have to check out your writeup for hints if I don't figure it out
Found it!, thx!
Gave 1 Rep to overseer92 (current: #2062 - 1)
Only the hard ones left now 
same for me, only those two left. only TriCipher left and burger bytes
Stuck now at Burg3r bytes
the cipher one you've finished it ?
Are we supposed to get a rev shell on Sch3Ma D3Mon? I have tried several times and it has opened a few times but immediately closes...
not necessary. Some people here did it, I've done without the shell
Alright cool. I was having issues and couldn't figure out how to do the gpg stuff without it lol.
for the GPG i've used ||curl for exfiltration along with nc||
I'll give that a go.
Didn't try it yet
this secure token is kicking my tail
Are the drop downs supposed to work? Just curious, cause they aren't for me
which drop down you referring to ?
without giving anything away, inside the site after you log in, there are two drop downs at one point
If remember when you login you see 2 courses one free and one premium, are you at that point
past that
can you access premium course? if so easy way just check ||source code and look for strange named file|| so you can understand how the code work. as button for me too did not work
this isn't what I am after.
in my understanding you are looking for secure token
yup
what I propose is how you get it
the buttons are not in the premium course, your suggestion seemed to indicate that I should look at the premium course for the button thing.
sounded like you were mixing them up
I've been looking at the source for an hour now
which course you are looking at? free or premium?
all 4 pages
there are only 2 courses
Found it but I'm stuck after that even reading the code lol
yes I know that. I am looking at the source for all of the pages is what I meant
just concentrate on premium course after you have access to it
in tryhackme you click button you get split screen with vm, its same thing here, in my case I found the file the button suppose to launch
okay, maybe thats my issue as I am not using the VM
||ah I click on it after modifying a value, and gave me alert saying i have no access to it||
Not really, I am using VM just as comparison to real tryhackme website
yes it does that, now read page source code, hint look for word ||split||
may i dm you
what do you mean by have access?
1 course is free and the other is premium
yes
I see this, I have had access to this for a while, but you say have access. I am not sure if we mean the same thing
if you mean clicking on it, then anyone can do that
but not sure if you mean something else
||such as the actual url not existing and instead redirecting to the subscribe page, cause I have looked both pages up and down and do not see the token||
if redirecting to the subscribe page so it mean you do not have access to it, so first find a way to have access to it
Found the ||admin panel?||
okay, that clarifies things. now I know I need to move up
Got the secure token already
Kind stuck on the last question of the task 2
when you got the token, there were something else with it that help you to access admin portal
yup, trying to figure how to piece all of those together
Nice
Hey man, thanks for the tip! I managed to get what you were talking about and got it all nice and decrypted. I also managed to get a RevShell eventually lol. I realized I was going about the shell the wrong way ^_^
Gave +1 Rep to @floral umbra (current: #2062 - 1)
@red dagger Thanks for the wisdom and hints 🥳 it helped me narrow down what I was overlooking
Gave +1 Rep to @red dagger (current: #264 - 19)
ugh this admin privesc is a pita
no it is
now i'm hungry
but for real, I think my machine is broken
holy hell how did I miss that...
you're more than welcome mate, I am glad that I helped
did you bypass the pin ? with the console
or is it a rabbit hole ?
pin?
not there yet
nope I found out how to move forward with the secure token. I overlooked something small
but I think i broke something or I am accessing it in a way I am not supposed to... so theres that
I took a break from burger bytes. found the console which is blocked by the pin and there is a secret and I don't know what to do with it. because I need to use the secret without pin I guess
this isnt working for me for some reason. keeps timing out
The only thing I managed so far with burger was ||find the console||
Did you get the admin page?
Yea same here. I have the secret (which as far as I remember is encoded) ||and is being used along with the pin. So it needs a bypass||
Yeah, ||found some info on how to get the pin with the secret but would need to have the configuration file via LFO and couldn't find one||
Yea. I am stuck on that too. I gave up for today. I will take a fresh look tomorrow, maybe things will be clear
Apparently this room has been removed...
You can DM me if you still need assistance
which one ? I can still see all of them
Find the console but stuck on getting items for generating the PIN. Can some1 guide me to break the puzzle on the basket?
I didn't progress much, hoping to get some guide as well
try to ignore the ||console|| and focus on the ||checkout|| / || voucher||
Hmmm. Nice thought. I will try as well
Discount Applied but still have no money
well, you at least need ||100%|| to buy stuff with your budget. Think about it, what could you do
Yups... still struggle with that.
and I think I need some rest
after a few cigarettes
Need help to escape from docker please some1 give me some hint i was trying with ||mounting|| and there is no progress 
Hi , @solemn wadi or @red dagger can you guide me please.. Sorry for tagging you guys
Sorry, I did not finish that room yet, still working on it
check if any ||cron script is running||
Yups .. there is a cron but not running ... it's escaping from docker to host
I think that python script is the way to get root
I will try the room again later
yupz... was trying to send my payload but how to trigger is my problem now
Need more rest for learn about python script
that script is like ftp, it can send and receive files to the container we want to be root at, so we just need to figure out what we need to send / receive from that root container.
yups ... i was able to send and receive file, was trying to send ||revshell.sh|| but can't trigger that file
I am not sure on that root container port 81 there is server, may be send the shell /var/www/html (add path on the python script) then call it on port 81, I am not sure it will work
Will try that next day ... I was too tired ...
Trying to get there
Any hints getting there?
Just play some logic
think about it like race condition in a sense where you can apply voucher more than once because of flaw on the website
Hi can you give me hint to escalation the Docker ?
as that python script is like an ftp you can put / get files, you can think of classic way of ssh to linux without a need to enter password, there are 2 well-known ways, one of them will work
Okey will try that.. hope found some burger to byte
You can get the pin too
Is that console gain access to the host or docker?
you can using it to get reverse shell, its another way to get reverse shell for initial access
access to the docker or to the host?
initial access, user flag
Hi bro sorry to bothering you, i sent you a DM
Still stuck for a few days ... and don't know what to do with the python script
Thank you for guiding me @red dagger I am so idiot not to think about that. Actually the hard one look like easy after you know the right path
Gave +1 Rep to @red dagger (current: #252 - 20)
I did the same mistake until I read again the hint for root flag on the room Located in /root on the host machine, it state host machine!!
Many thanks!
Gave +1 Rep to @spare nova (current: #313 - 15)
So I must know the voucher right?
Yes
you can guess it or look for the links when you add to cart
damm, it must be getting over my head cause I can't find this thing
This link is redirect so check it slowly. I suggest using ||Burp suite||
I was trying to find something with ||burp but I could only find interesting the GET parameter itemid from add-to-basket and the err, can't think of how that could get me the voucher||
Collect the ||parameter value|| and try to brute the voucher from that
||Just to be sure, are we talking about the same parameter values? SUCCESS, NXITEM, INBASKET?|| Cause I can't see how I would brute the voucher from that, but if it is I'll keep trying
No check all items link and make them as payload to brute you will bytes the [emoji] for 50%
I'll try to figure this out tomorrow, need to sleep haha but thanks a lot for the guidance
Gave +1 Rep to @supple wedge (current: #191 - 31)
Keep spirits
Man I tried using || hashcat rules to make a list with every possible combination of the links only to see that the answer was the simplest one || Thanks a lot!
Gave +1 Rep to @supple wedge (current: #188 - 32)
Wow this really was a machine out of my league, but with all the help I finally could get at the end, reeeally learned a lot with this one, really enjoyed it, thanks to everyone who helped!
Finished too the burger bytes too. Nice chain of exploits for the web part. And interesting method of making privesc.
glad you enjoyed :3 was fun to make with me and my two teammates
I have only solved subscribe but I can say that I quite enjoyed it. It was original and good.
Hi! What steps do you recommend me to compile the script?
I have never done compilation, and even with programming languages unfamiliar to me.
Do I need some programming tools and knowledge and fix something inside the code? Do you have any hints on the last question?
Room - sch3mad3mon
If you've found the script it means you are in the right direction. Just don't do it locally, I remember that there was a readme file which was telling you something about debug. Check that as well. And for compile. Check the syntax for nim compile. The nim is on the docker
What about the tools?
Need to install nim, nimcrypto and winim, maybe something else?
I am confused by incomprehensible compilation errors.
What do you mean by "locally", do not do this on the local attacking host or on the victim's local host?
You should compile the script on the victim machine. Nim's compiler is there
Everything turned out to be much easier than I thought!!
I was expecting a complicated code correction process)) hahaha.
Thanks, friend, for the direction.
Gave +1 Rep to @floral umbra (current: #1383 - 2)
hehe no worries mate, I'm glad that I've helped. I was in the same rabbit hole. Never had experience with nim scripts before and I was doing it on my machine
The 3M Subscribe room VMs contain license error of Splunk because the trial date is expired. Can this be fixed?
Staff are aware.
Ok, thanks.
Gave +1 Rep to @hearty storm (current: #1 - 2421)
When can we expect a working VM without license errors?
Not sure.
Working on it as we speak, should be done by Monday at the latest, if not sooner
The Subscribe room VM has now been fixed!
Hey, does this apply to all Splunk rooms?
Hey - we're monitoring the licenses for them (I also think not all Splunk rooms require this), I do not believe the team has found a permanent fix. AFAIK no other Splunk rooms were reported broken, no?
Yeah, there has been quite a few.
Let me take a closer look then into our bug queue to make sure we have them all reported
Hi everyone
I am currently stuck in the TryHack3M:Subscribe room, is this right place to ask questions?
Yes, Splunk-related?
No the DB records from my Admin portal dump don't make sense
And the Admin credentials aren't working
@drifting phoenix can I DM screenshots of what I am talking about?
I haven't completed the room yet unfortunately so I'm not certain if I would be of much help in this case.
Thank you very much for the prompt response though
I just got it, thank you very much for the help
Awesome room, shout out to the creators
TryHack3M: Burg3r Bytes
Hello everyone, there is no way I can get the application to reply to me POST (Status code 302), where I should see the redirect.
What am I doing wrong?
I'm ready to post screenshots, but there are a lot of spoilers.
NM
I found a workaround.
Which worked. (although I've tried 3 different ways before)
hi
Your level will automatically update within around 24 hours:)
alternatively you can reverify
hi everyone
hi y'all good morning from here
Can someone mentor me to be a ethical hacker?
On the Linux Fundamentals 2, we are asked to pay for a premium.
Isn't it under the free path?
I don't see Linux fundamentals 2 in the article above
the next course after linux fundamental 1 is the 2, with a link to take me thr...
i guess its not for free plan..... and i was waiting to have it unlocked for me
Linux Fundamentals isn't in the free rooms article and it isn't a free room
Why the certificates so expensive?
Not all
What do you mean? 300$ is indeed expensive, at least in other country.
Fairs
Btw have you taken that pj1 cert?
Bout to
I wanna take too but I'm lacking behind the payment gateway, anyways if you want to discuss pt1, I would like to hear I am new too ; )
Anyways Good luck
I don't understand what I'm doing wrong here. I know I have the command correct
You need to resolve the DNS conflict in the resolv.conf folder. There you may need to comment out (#) a line or change a nameserver.
Thank you
Hi
Hello, I would need help on this topic. I don't want the answer but maybe more details on how to get the answer? Thanks in advance: Content Discovery, Task 3
Manual Discovery - Favicon
Practical Exercise:
On the AttackBox, open firefox and enter the url https://static-labs.tryhackme.cloud/sites/favicon/ here you'll see a basic website with a note saying "Website coming soon...", if you look at your tabs you'll notice an icon that confirms this site is using a favicon.
Viewing the page source you'll see line six contains a link to the images/favicon.ico file.
If you run the following command on the AttackBox, it will download the favicon and get its md5 hash value which you can then lookup on the
https://wiki.owasp.org/index.php/OWASP_favicon_database.
curl
user@machine$ curl https://static-labs.tryhackme.cloud/sites/favicon/images/favicon.ico | md5sum
Note: This curl will fail on the AttackBox if you are a free user, in which case you should use a VM for this. If your hash ends with 427e then your curl failed, and you may need to try it again. You could also run this on Windows in Powershell as shown below.
PowerShell
PS C:> curl https://static-labs.tryhackme.cloud/sites/favicon/images/favicon.ico -UseBasicParsing -o favicon.ico
PS C:> Get-FileHash .\favicon.ico -Algorithm MD5
Answer the questions below
What framework did the favicon belong to?
Submit
Hint
Task 4
Manual Discovery - Sitemap.xml
hellow
Pls am looking for a cyber security mentor,am in need of someone to work with,help while growing myself
I need a hacker to hack my account back for me
I've just started doing the pentester junior and am having trouble with the viewing the page source when it asks to view the website in the comments. there is no website in the comments. am I missing something
It's not allowed in here and can get you in jail.
Need to learn more about hacking
same
I can help with that