#site-bugs
Well, i mess up my copy/paste with the 2nd flag. I can DM you the "should be" correct flag this time if you want
But it doesn't change the fact that the flag inside the file is incorrect. I even looked at writeups to be sure the flag is correct and even with this writeups, i can't complete the question. The flag i found (the correct one not the one i posted here with the wrong copy / paste) is the same as the one on writeups
@young hatch The flag you posted is not flag 1, but it is a valid flag for the box
Yeah i know its the second as i just said before x) Its just that the flag contained in the "flag1.txt" does not validate the question 5 asking for flag1
Try the standalone box.
can't, its a subscribers box 😦
hi, i give the right payload but flag doesnt appear "xss room ->filter evasion -> challenge 2"
Hi, i dont know why but my machine is not deploying anymore
Anyone knows what can i do?
im connected but when i try to enter in the machine ip that i deployed it loads forever
Some machines don't run a webserver so you can't access them using your browser
i tried a webserver room that i already have done, but still not working 😦
Please go ask in #site-support as this doesn't appear to be a bug
Hi, I think I found a bad answer for the Ice - T2 - #3. The real answer should be RHOSTS whereas RHOST is expected
I don't know if it's the right chan for that...
They're both valid
on metasploit ? because I take some time to understand that the answer wasn't with the S as it's shown in "show options"
Do you tell me that "set RHOST" is working under msf ? 😲
Yes. That's valid.
Cool I already learnt something here. Sorry for bad feedback so
Box:
Investigating Windows
Problem:
Answer format: MM/DD/YY should be MM/DD/YYYY
Refer to: https://en.wikipedia.org/wiki/Date_format_by_country
The legal and cultural expectations for date and time representation vary between countries, and it is important to be aware of the forms of all-numeric calendar dates used in a particular country to know what date is intended.
Writers have traditionally written abbreviated da...
yy – two-digit year, e.g. 06
yyyy – four-digit year, e.g. 2006
Alright, just wasted tons of time on that question.
Hi, May be another bad answer or I miss something
In google Dorking - T3 - #5 => Expected answer is pgp.cmnatic.co.uk where as tryhackme has a better score in the seo analyser (83 vs 88)
probably at the time of writing it was different
May be this answer was OK when the room was created
Congratz to TryHackMe developers who increased their SEO score
Thanks! I had to change the site as yeah the SEO changed for one of the sites
Obviously didnt think about that for the other question - will sort now. Ty @frosty cape and @rare swallow
I hazard a guess that it was me who made my seo score worse LMAO
Mhm actually, I see the problem. I'll add a hint to use the screenshot used in the task as comparison - rather than what it currently is at @frosty cape
Yeah, directly in the question should be better I think.
Better idea
You could have the same issue for #3 if you make your seo score worse again
I moved the answer to a domain that I don't need to touch to prevent that
ty for letting me know ^^
You're welcome @topaz venture
Hi
I think one of the flags in the linux challenge has permissions that aren't set up correctly
idk if you guys care about spoilers on the entry level stuff or if I should just use the "spoiler" tags
Any guidance so I don't break spoiler rules is appreciated
@unkempt herald Spoiler tags, but don't post the actual flag contents preferably
Flag 17 - Linux Challenge: ||Method should involve downloading Alice's private keys and logging in with her account via SSH. However, Flag17.txt is fully readable* with Bob's account||
I didn't have to do anything with the private keys or use Alice's account
I'm just saying it's documented as broken
Oh I'm unaware of any documentation for that
oh well reading is important. I see it now
But still don't need to traverse to her account considering permissions of the file lets anyone read it
Not a bug but on discord everybody should not be allowed to ping @ (everyone), Your choice though
oh ok
That's admin and above
while typing it showed up so just to make sure
Yeah, that's kind of a leap of faith demonstrating that...
Its possible to join completed koth games
Where can I submit new college mail ? My college mail is not recognized as a student mail
@ripe ferry email support@tryhackme.com
(ah)
Im sorry, idk if its a bug but im getting the goal and not the flag in XSS room
i already did it in different ways
in the 2nd and 3rd flag at bypass filters
Draws in KoTH are possible but it allocates a winner
hello everyone. is it normal when i have deployed the LazyAdmin room the ip address is a network address??
yes i can ping it, it seems strange to me
have you done any other rooms?
all the room machines are deployed inside a private network and therefore have an address of 10.10..
yes yes but it is the first time the last octet is 0. i don't even know that i can ping a network address
so, but if it is normal ok
i mean, you could redeploy the machine if it is bothering you :)
ahaha no no xD but thanks for the clarify
It's all good - it looks a bit odd but it's valid. It's to do with subnetting, I'd assume THM uses either CIDR /22 or /23 for deploying instances if they've got 10.10.9.0 as a host ip
same way 10.10.9.255 could be a valid host address too ^^
Hi, just to inform you that in cc room Task 16, there is an empty question
Still in /ccpentesting room : Task 21 (smbclient) #5. -P is not used to set the password (password is set via -U user%pass)
man smbclient (but without ma openvpn IP in the background this time 🤣 ):
typo in https://tryhackme.com/room/juiceshop OWASP room. In task two, just after intercepting neverssl.com requests:
You may a;sp see lots of other request Burp picks up.
should probably be also
Hi there, I'm working on the "Blue" room and after looking at the official write up and comparing my terminal the the writeups it seems that some terminology has changed with recent updates of metasploit I suppose. Task 2, Question 3 appears to no longer be correct compared to what metasploit shows. I can provide more details if you'd like, but Im trying not to be too specific as to give away the answer to a task
I completed all the rooms in introduction learning path and got 100% but for some reason the WAS isn't green. Although I've done all the rooms in it
I get more "alert"s yesterday, and still doesnt give me the flag
i dont know if i've to keep trying, im frustrated right now
you should either word it a little bit better or give a hint out that it's similar to a function in excel
took me ages to understand what it's asked
from the context it points out to 'rename'
@rare swallow i need help with this 😦
i'm slightly out of context here, what's up?
yea sorry... is for the splunk room
lol haha, i'm not the creator of the room nor it is a bug ^^
check #room-help someone might lend you a hand over there
@pearl mist #general or #thm-community-media
@frozen thicket 10.10.15.0 isn't always a 'Network Address'. I don't know what subnet Skidy has allocated, but if I had to throw a guess it's likely a /23 or /22
You think? that seems like an extremely large space
Considering every time there's a new VPN server etc, it goes on 10.new.x.x
Just for the boxes, I mean
Last two octets can vary, I think
Yes, i always worked with /24 but I think is bigger the network
Last three octets vary
Hey @frosty cape , I have four unanswered emails (the oldest being from two weeks ago, the newest one from last week).
Could you/someone else take a look today?
@short jackal this is responsible disclosure stuff right?
Two are bugs, one is a problem with a room and one is a reply to a thread for a bug that is being fixed
Is the room made by "tryhackme"? @short jackal
It shows up as made by "ben" who's Skidy iirc
in day 9 (task 14) of the 25daysofchristmas room the ip doesnt seem to be responding
not responding to pings?
its fixed: 10.10.169.100. responds to ping, but not listening
fixed ip
not listening on 80
read the description
ignore me, im an idiot
25daysofchristmas Task11Day6 Sq00ky account doesn't exist.(the twitter link)
https://twitter.com/MrS1n1st3r
Invite link to the Discord on the little random quote on the website directs to a #staff channel? (https://discord.gg/72JvVaK)
The invite link under "Socials" -> "Discord" goes to #site-bugs (https://discord.gg/QgC6Tdk)
Would be good to get a standardised one that invites you to #general perhaps?
^ Nice catch there, I've updated them locally, will be made live when I next push:)
Thanks for reporting that
Neat, that'll be cool. Can update the Discord section on the docs once that gets pushed :^ ty
good idea, thanks:)
2 scheduled games that take me to 404 page:
Refresh and try now
I have completed the web application Security course under the complete beginner path, but it still shows as incomplete when i'm looking at the path.
There might be a question not yet complete that was recently added to a room
Every course has a green tick
Okay thanks
@potent sapphire you should read this article:
https://cryptokait.com/2020/02/24/password-cracking-with-hashcat/
and ask any other questions in #general. #site-bugs is for bugs. Not for help.
.
aha thnxx
@short jackal what do you mean by dots and escaped single quotes for Task 8 on https://tryhackme.com/room/cryptochallenges ? I'm looking at the challenge now and the answer format doesn't make any sense to me.
the answer contains some characters that the decrypted plaintext doesn't
I emailed about this so I hope this should be fixed soon
you can see the answer?
well, hopefully it gets fixed soon like you said
speaking of cryptochallenges, points are broken there
users have points for the 0 point questions
I have 90 points less than everyone else on the scoreboard despite answering the same questions 🤷‍♂️
yeah, there are three questions which shouldn't give points but when the points changed they somehow were set
there seems to be a bug in the christmas challenge
when i do ls in ftp it's giving me error 500
ls does not work in ftp
Uh...
Doesn't it?
it does for me
Pretty sure it does...
it should
That said, you may need to be in Passive mode
the mode won't change
is the 500 error accompanied by a message like "bind address already in use"?
it's only stream
exit out and add a -p into the ftp command
I think I remember needing binary mode in that challenge actually
It's usually passive mode though
nothing works
and without the file i can't log into the sql
i have nothing running on my end on port 21
can someone confirm if it's working for them ?
i'm using parrotOS
Drop me the IP and I'll try and connect
ohh cool
@coarse bronze
I had some problems with ftp on a room recently and I had to regenerate my vpn config to fix that
yeah, everything worked except ftp
Either regen or switch servers and regen
Provide screenshots of it not working
And switch VPN servers and see if that fixes it
Switch VPN servers
on it
It is still not really important but I am quite annoyed by the fact that I first blooded this room but I am the last on the scoreboard.... https://tryhackme.com/room/yearoftherabbit
@polar sapphire Yeah scoreboard is kinda buggy
:c 60 points
You should have more but historical bloods are bugged @polar sapphire
It's in #685858111952781324
@polar sapphire technically you didn't blood it
It was released internally at Muri's uni first
@orchid remnant can confirm?
Mhm -- that's correct.
It was reset for release here, so Ekko would have got the first blood points and the position on the leaderboard, but it was given a dry run previously at a workshop I presented
Yeah so it's definitely broken
Yep, definitely
Ekko didn't get any of the bonus points either
So I think this is the same issue that we've had since the scoreboard reset
ah
@frosty cape You're aware of the blood and bonus points bugs right?
No?
I submitted it
basically, any bonus points were removed on the points change
And any bloods were removed
For anyone now completing the room, they get the bonus points
Hi guys,
I'm doing the rpwebscanning room, Question #8 regarding XSS Alert in Zap.
I've done multiple scans (also tried to terminate the VM and use an other one) but I can't find the expected alert.
I've seen on Discord that many people had this problem but I can't find how to solve this.
Does anyone know how ?
Thank you.
@rotund forge The alert either appears or doesn't
It works reliably for me, but other people with the same VM and the same version of Zap have trouble
Oh... okay
Should I report this as a bug somewhere or it can't be considered as one ?
Okay, thank you !
Access page openvpn not connected in the connected field but actively working
@covert kernel yeah it's a known thing
Access is unreliable
I've been pestering skidy to add a disclaimer for... Months now
Alright, thanks man
please, remove the screenshot as it has an answer
Doesn't mean it's right.
I can tell you now that's the wrong answer
(And possibly the wrong wordlist)
Ohh,okay thanks
ActiveDirectory method to dump ntds.dit?
read the secretsdump output 
That is still not a bug
@lethal gazelle As Chevalier stated this not a bug, if you need help with a room, then please post in #room-help or #room-hints
anyone use the Learn Linux room there seems to be issues with that room, the VM keeps crashing and is really slow, but also running one of the binary's gives me an error
@barren gazelle if it gives you an error, it's because you're doing something wrong.
walkthrough says to run the binary, this is what I get
./shiba2
Segmentation fault (core dumped)
@barren gazelle Not a bug. That's you doing something wrong.
yo
anyone a lead on investigatingwindows for the task name
im either blind or i cant seem to find it
thx
i'm not sure where to post this, but it seems that smbmap has issues authenticating null sessions, which is particularly confusing if you are following some of the walkthroughs (i.e., skynet).
Hello #685858111952781324 #site-bugs I think there is a regression due to the last deployment in the public profile yearly activity. The last case was on 2nd, May
I think it's not on api side because the 3rd, 4th and 5th May are still returned.
Smalls suggestions regarding the description of Avenger's SQL injection:
- The sentence "as ' 1=1 we could trick the query into authenticating us as the ' character would break the SQL query" is wrong, as the user input is not being concatenated in a string literal. "Breaking" is maybe not the best word, maybe go for "change query's semantic"?
- The hint says "Have the username and password as ' or 1=1-- (include the apostrophe)" - the apostrophe is not needed at all. The resulting query will indeed authenticate the user (SELECT * FROM users WHERE username = ' or 1=1-- AND password = ' or 1=1--) but it does not really make sense!
nope, the query is con.query('SELECT * FROM users WHERE username = ' + username + ' AND password = ' + password)
That's concatenation
when I say string literal, it's in a SQL string, not node ;)
by opposition to WHERE username = \''+something' , where the ' would be required.
yeah honestly that's what I'd expect
"WHERE username ='"
Wait
The alternative query does make sense
SELECT * FROM users WHERE username = ' or 1=1-- AND password = ' or 1=1-- is basically
SELECT * FROM users WHERE username = 'somestring' or 1=1--
You're putting part of the query in quotes
@sullen vessel
Yeah, if there's no apostrophe there, you'll be inverting what should be in quotes with what shouldn't
The apostrophe is breaking the single quote that's already there
yes, but that 's what written in the hint
Yeah which works
that's why I say it should be changed ;)
Because you're putting the AND in quotes so you can just use the OR
it works but it does not make sense to tell people to use quotes for this thing
I mean, you need an OR to bypass it
(i'll be back in ~40 minutes to discuss it, sorry)
If that doesn't have an extra quote added into it, you're just putting the password as 1=1
Which will obviously only work if the password actually is 1=1
(Funny though that would be)
wait
but SELECT * FROM Users WHERE username=Muri AND password=Veganism4TheWin wouldn't work, would it?
Because they need to be strings
I think the query logic is broken
inb4 I guessed muri's password
Correct -- the query will be SELECT * FROM Users WHERE username= 'Muri' AND password 'Veganism4TheWin'
Which is what the task shows just now
Also, damn, I need to go change my password
So the code in the backend has no quotes
So it wouldn't work for valid users in the database
Do we have the code in the backend?
Think I did it at the Hackback
HB1 or HB2
HB2, sorry
Ah
Good grief they have this command execution locked down
@spiral flame @sullen vessel this is the source for it:
```javascript
con.query('SELECT * FROM users WHERE username = ' + username + ' AND password = ' + password, function(error, results, fields) {
```
Immediately following by this line: // Made deliberately vulnerable.. Changed from con.query('SELECT * FROM users WHERE username = ? AND password = ?', [username, password] I might add
And that will definitely not work for SQLi unless you cancel out that single quote

At all
It loads it as a PNG
Sounds like it's just inserting the userid and then .png
Mhm
If you could control userid...
Hehe, we're thinking along the same lines here...
That's a difficult one to do though
You'd need to either create a new user account and get a room released publicly -- precisely 9 of us could enable that to happen, and none of us would
Wait
Or be able to change your name having already released a room
Unless it shows up elsewhere
Huh -- it can't be upload name, given it's interpreting GIF as PNG
Odd that it's using JPEG there though?
Spicy.
Mhm
I assume the one you posted there is from the notification bar?
The broken one
But that's weird that they'd save two copies of the same file -- especially when they already have the full scale one readily available
(And annoying that it's in the same folder)
They are
From two different places
One from the notification bar, from from his profile
Meaning it's meant to be pointing to the same URL, but in that case isn't
Does your pfp work in the admin panel?
Yeah, looks like just a bad URL 😢
I think it preserves the file title though
Wait
It's either username or a hash or something?
Where are you seeing that?
I've seen it preserved somewhere before actually, but it's usually not
Yes, it does indeed
Updated it to the same thing
Difference there that I can see is that it's a Jpeg?
And now it's the hash or something
I think skidy changed how it works internally ye
Maybe they changed it
Huh, that's an interesting proposition actually
So, what's your conclusion for the sqli? @orchid remnant @spiral flame
```javascript
con.query('SELECT * FROM users WHERE username = ' + username + ' AND password = ' + password, function(error, results, fields) {
```
That's the code
Which, afaik, will not work without quoting out at the very least the username
But it's true that that code wouldn't work for valid users
I have a feeling you might be right there
Oh, wait a second, I found some valid user accounts earlier
If you got root, dump the db
what do you mean by "quoting out at the very least the username"?
As in, closing that quote earlier
there is no quote
Oh?
it's ', not \''
you definitely do not need a quote in the parameter username to do the injection
Well, yeah...
It's literally a quotation mark that needs to be closed though
nope
No?
And yes, I agree, James -- I have a feeling that will be broken
@orchid remnant The single quotes aren't part of the query
What quotation mark needs to be closed though?
it would need to be closed if the code was con.query('SELECT * FROM users WHERE username = "' + username + '" AND password = "' + password + '"', function(error, results, fields) { , but it's not the case here
true
as the effective SQL query would then be SELECT * FROM users WHERE username = "foo" AND password = "bar"
Ok, confirmed that it breaks for real users @spiral flame
Also confirmed that it does not work without the single quote
@sullen vessel single quotes for sql
Although why, I can't actually see
what are your params @orchid remnant?
yeah but that's wrong :P
@orchid remnant
```sql
SELECT * FROM users WHERE username = ' or 1=1-- AND password = ' or 1=1--
```
See what it's doin?
Just going back to read through the code
+1, coloration helps
Ah, yeah, that makes sense
That's why it works with both fields
Yep, definitely confirmed there
Just tried it with a single quote in the first field
Anything with just a single single quote won't work hopefully
If it does, the plot thickens
Nope, that just worked perfectly with only a single quote
Although it makes sense
wat
```sql
SELECT * FROM users WHERE username = 'AND password = ' or 1=1
```
But that's two single quotes
no, adding two
But keeping ' or 1=1 in the password field
Oh, I get what you're saying now
One per field
my whole point is that the description / hint is too complicated and vague, not that it's impossible using quotes
So the hint is probably wrong, but only because the webapp is broken for legitimate users too
Nice.
Mhm, the webapp is definitely broken for legitimate users
It's nodeJS, so it can be patched in the cloud without too much work
:)
But an admin would have to do it
Don't yah just love when an intended exploit works purely by accident?..
so, my suggestion would be to change the description / hint (I can suggest something) and add single quotes around the params in the query
@frosty cape Can you take a look at this?
I know it's an old room but it's also sub only official content~~ so should be slightly higher quality than this~~
and this room is made to be didactic, so…
while we are at it, i found another bug in another room :P
🤦
On step 17 of linuxctf (Login to alice's account using her private key and get flag 17.), are we supposed to read /home/alicem/.ssh/id_rsa ? It seems to be impossible from garry and bob: .ssh/id_rsa is indeed world-readable but .ssh is not world-traversable. In addition, /home/alice/flag* are all world-readable so you can get the flags without logging as alice.
Oh yeah that's a known issue
The fix is in the task description
Well, the SSH key is known broken
oh, i did not find it in the know issues
In the task description
hum ok
It says "Alice's SSH key is broken"
:v
it's not very explicit, but ok
that's all for me
thanks for taking time giving a look at it!
We love a good mystery
@spiral flame Which room sorry?
Linuxctf?
Avengers blog
The SQLi is uh
Spicy and broken
Reading back through the chat, basically the server side query doesn't work for legitimate users
And the content in the room to exploit it is (wrong? Misleading? Not as accurate as it could be?)
Thanks
Not a bug
How certain are you?
It's not empty
Other people have completed it.
ls -lah see if it is actually empty
Maybe that's not the flag.
The last flag is normally a root flag, not a www-data flag
Not 100% on this
But other people have completed it.
I would try a redeploy, and try searching harder
Then try a redeploy.
The last flag is a root flag
not a www-data flag.
I'm not convinced this isn't user error
I have the writeup in front of me
You created myflag didn't you?
In attempting to get the root flag.
So this is user error
You didn't get the root flag correctly
This is not a bug
Terminate. Redeploy.
"What flag to you set to analyze the binary upon entering the r2 console (equivalent to running aaa once your inside the console) " possibly missing a question mark as well but bolded some typos in the question this is cc:radare2 task 2 question 1

Then try something different
Privesc
Not until you prove it's a mistake in the room
I don't appreciate the tone
It worked for others. The privesc isn't a bad one. Get a root shell.
Try harder is a mentality
I don't believe you
You should prove it with a root shell
No, I'm serious
Until that point, it seems like user error.
Are you running that script btw?
Yeah. Are you personally running it from your shell?
Then you're not understanding something
How is that script going to have access to the root flag?
Because other people have solved it and it very much seems like user error.
If you can prove it's a bug, then let me know
Another bug: Filters aren't applied on Hacktivities page.
To reproduce:
1/ Filter something
2/ Go in a room
3/ Go to previous page
I think you're clicking filtered before the page is fully loaded
Try wait until all rooms appear
Then try
@frosty cape Not clicking, it's going back
I did the reproduction steps of filtering going into a room and going to the previous page (hackitivities) and for me the filter boxed was checked but not actually doing anything
I think this is similar to the stuff I reported a while back
^^ I remember that
In the new room "Network Services" Task 7, Flag #2 ist bugged.
The welcome message is: ||SKIDY'S BACKDOOR. Type .HELP to view commands|| which can't be the flag, because the asterisks are totally different
Yeah it's bugged
@turbid osprey oh the issue i have rn lol
also, please fix the bug in alfred room i asked previously. while i was doing the room, there was a 4th task which says Coming Soon.. and room won't let me to complete it because of that 4th task. after couple of days, 4th task is gone and alfred still looks incomplete in my list.
Learn Linux: [Task 29] [Section 5: Advanced file Operations]
Oi, @covert kernel
Now, Cooctus!
can anyone guide me how to crack the hash and decipher the message in cicada room? did anyone solve it
@plain willow #room-help
tq @spiral flame
Both Windows and Linux have directories
As an extra to Scrubby's message https://discordapp.com/channels/521382216299839518/559443389058252800/707404987831025745
Even the command cd for Windows stands for Change Directory
HackPark room: "What is the name of the abnormal service running" The service is WScheduler.exe but that doesn't get accepted. WindowsScheduler.exe is accepted instead. This may trip a lot of people up.
On ccpentesting, Tasks'8 How would you set SMBPass to "username"? should be How would you set SMBUser to "username"? (same for SMBPass)
@covert kernel
On ccpentesting, Task 16, #12 is empty
@covert kernel fix plz
@tall maple I also have this problem!
@modest marlin yeah james told me that somehow the room is waiting for 4th task to become its normal state and seems like somebody workin on it
Unfortunately, it cant be fixed at the moment
But it will be
Yeah its buggin me either lol
@covert kernel: it's to make sure that everybody read the questions correctly? :)
On ccradare2, Task3, response to #4 does not match with I get with radare2 4.4.0 (11) (@covert kernel)
Yeah that room was made a while ago
Radare has had some updates which made some of the questions slightly off
But
https://giphy.com/gifs/shiba-xqF0Bzzc5leP6 happy taps
it's not very important, people can bf i guess :)
The answer isn't technically wrong
BUG in Network Services room on Task 7 - Question 2 fixed, fyi
@sullen vessel how do you get 11? I just ran mine on version 4.5 and believe it gives me 12 unless i'm reading it wrong
-- This is just an existentialist experiment.
[0x00000530]> aaaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[Warning: Skipping -4 section
[x] Check for vtables
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[x] Finding function preludes
[x] Enable constraint types analysis for variables
[0x00000530]> afl
0x00000530 1 42 entry0
0x00000560 4 50 -> 44 sym.deregister_tm_clones
0x000005a0 4 66 -> 57 sym.register_tm_clones
0x000005f0 5 50 sym.__do_global_dtors_aux
0x00000630 4 48 -> 42 entry.init0
0x000004f8 3 23 sym._init
0x000006e0 1 1 sym.__libc_csu_fini
0x000006e4 1 9 sym._fini
0x0000066b 1 7 sym.secret_func
0x00000680 4 93 sym.__libc_csu_init
0x00000660 1 11 main
[0x00000530]> afl |wc -l
11
is just aaa any different or debug mode? just running command now to check
it's a typo but still the same as aaa
That last function
I get something completely different running it through debug mode though
so what are actually "functions"
Constructs in assembly
PoloMint's Network Services Room, under Task 9: Enumerating FTP section, should be "Anonymous" instead of "anon"
Other than that, great room
RP: Metasploit [Task3] #10
Should be "...about how to change the value of variables...."
PLZ fix
@rare swallow Submitted
thank you.
these guys are not in sync on https://tryhackme.com
so is my eyesight
Maybe, uh, lay off the alcohol Chev?
.png is not accepted as an image format for avatars? Is this by design?
It seems to be?
Seems to be accepted or seems to be by design?
changing the file extension worked so it isn't a huge deal
@unkempt herald PNG is accepted https://tryhackme-images.s3.amazonaws.com/user-avatars/686163e52545fa32d57c7e86759d87dc.png
only happens with PNG files
jpg works though
hmm maybe it's this specifc PNG I have
I just tried another PNG and it uploaded
disregard
PEBCAK
Nah, it's layer 8
When trying to join koth public game
Dumping Router Firmware Task 3 Question 2 "Where" should be "What"
introtoresearch, task 3, #4, "If I wanted to exploit a 2020 buffer overflow" but the cve was reserved in 2019
@sullen vessel Not a bug, the CVE was published in 2020.
Hey not sure if this is a common thing or not but when I spun up my http server to transfer a file over from my THM Browser kali box to the box I am working on. I had an external Chinese IP enumerating my box, I'm sure the internet is full of masscan's and such but I grabbed the requests that were happening if anyone wants to look at them.
Yeah, that happens when you've got public facing IPs with ports open
are the thm kali boxes external facing?
yes
Not much you can do about it unfortunately -- just change the password when you first log in, and don't leave anything valuable open
Mhm, that's why you can download stuff from the internet and connect without the VPN
well there we go, I wasnt sure how the network infrastructure for them is routed
Ah, fair enough
It's also worth specifying to only serve the http server on the interface that's connected into the THM network
Shouldn't be a huge issue, it happening on all interfaces, but it's worth doing
yea, i mean its a benefit of having a "throw away" box spun up, nothing sensitive on there really
Indeed
Thanks, fixed locally (I think)
yes
Flex is our lord and saviour
indeedy
It's the answer to essentially all of my CSS problems
room goldeneye, Task 2, #3, the question "Inspect port 55007, what services is configured to use this port?" does not make sense
it should be something like "Which command can you use to connect to this port?" instead
nope
It does make sense to me.
the answer is telnet :>
then telnet will be listening
no, it's a dovecot
🤷‍♂️
Hello. Ran into an issue with a box today.
Room: Joker CTF
Task 1 Question 18: List the image installed on the lxd-service, what is the ALIAS of this image?
Running lxc image ls doesnt show any images running.
ah cool
reexploit
yeah i tried redeploying and doing it again but still wasnt there. will try again later
I had to restart the box a few times before it showed. and then it went away quickly but you can priv esc without it if it doesn't show up
So, not sure this is a bug, but is there maybe a Mod/Admin that I could throw this by before I blurt it out here? It does have to do with access to a machine.
@spiral flame ^
@autumn wave Sure
I am very curious
I did some exceptionally
stuff.
Avengers blog
@spiral flame I can verify the SQL Injection is broken. I tried every combination. I think the guys who completed the room, have the answers from the video.
Nah you can get it working
It's not actually broken, it just won't work for valid users @analog garnet
@spiral flame ah so i have to try with a random user?
Uh...
ok. thanks
Hi, I've a question about Buffer Overflow Room Task 8, it's broken?
I've tried everything and can't get the shell...
What happened to monthly updates?
Simple CTF seems really unstable, anyone else had this issue? Once a port scan is finished, the host stops responding and you have to redeploy.
Hmm
and i need help
@open bridge this is the room for bugs! if you need help, you can ask for it in community-help or hints
why do you say is stop responding?
I don't know if this is a bug, but i've found something similar in another room. The answer there should've been Apache.....
@slender laurel Side effect of using regular expressions to check the answer.
Jigsaw2 flag2 does not work properly, i just can't submit my correct flag, can someone help me
@neat lintel I think you need to copy the entire text ex: "flag2{.........}"
no, the flag format is pure symbols
Wrong username in https://tryhackme.com/room/networkservices T9: Instructed to login with "anon" but in fact to login to FTP anonymously with this box you have to use "anonymous"
What happened to monthly updates?
@ornate moss Let me update them
yesssss ^^
Room RP:TMUX - Banner is pointing to HTTP:// rather than HTTPS:// making the browser show the page as not secured
just fixed it
thank you
Hey @frosty cape could you check if my upload is being processed or not? It was stuck for a few minutes on 0.00% so i decided to refresh. and it's giving me this
It wont be, you'll have to log out and log back in.
I think @sly raft is working on that problem:)
interesting even after relogging in it seems to not show any progress. still stuck on 0.00%
it's a smaller vm it's about 5gb
I had the same issue @rare swallow logging out and going incognito seemed to fix it for me
Google chrome :^
nah. still 0.00%

i'll leave it for a while
let's see if it updates itself or if it's borked
yeah, upload is not working i'll drop the vm on GDrive
No IP was given after deploying kali + no browser access
re-deploying did help, but that ^ was super strange
Hi, icecast, fix the first answer of the "gain access" part of the room.
You have to type "Execut" instead of "Exec"
@modern vine refresh the page and you'll see what the actual answer was
No IP was given after deploying kali + no browser access
@olive drum I will look into this, I think I know the issue
okay! thanks <3
in Learning Path i'm done all Web Application Security , but its RED ?
@worldly pagoda check BurpSuite room
there's a question in connection task which is not green
Oh yes , is it added after i completed task ?
Network Service room, telnet exploitation task # 6 through 11. Task says to ping your local IP address, however it doesn't have the -c flag and runs infinitely. This prevents you from running the raw msfvenom shell command as the command is running on an infinite loop.
Had to re-deploy the machine after having the same issue ^
I redeployed, tried -c 5 with the ping and it worked fine.
Just needs an instruction change in the course I imagine. Thank you for looking into it!
@autumn wave Apologies for this, oversight on my part. It's now been fixed- thank you for the feedback!
No worries. Was stumped while live streaming. Glad we got it sorted out.
Thank you @spiral flame for notifying me quickly, we've got a great Mod team. :)
My reputation as a tester rides on that box
vulnversity is bugged and is only awarding 8pts instead of 30pts for the task
If the room type is a walkthrough room, you only get 25% of those points added to your account score.
I would like to report a bug with room Common Linux Privesc by Polominst.
Task 6, #4 accepts a wrong answer.
Answer tolerance is unavoidable
You're allowed a small percentage of wrong characters
Expected entry: username:passwordhash:0:0:root:/root:/bin/bash
What I entered new:hash :0:root:/root:/bin/bash
You're allowed a small percentage of wrong characters
@spiral flame ahh okej.
jepp
🇸🇪 ?
so I get a message that the user is missing a password.
Jepp swed
That's all the swedish I know
Haha XD I didn't realise I wrote the wrong okey
I have a recurring problem that I lose connection to a VM when there is about 13-14 minutes left on it.
Extending it before the 14 min mark seems to keep it active.
@frosty cape Termination bug again
Doesn't matter which room. If that helps.
Hm, does this always happen? @signal zenith
@frosty cape whenever I have a VM active in a room and I only have about 13-14 minutes left on it I lose connection to it. Pressing "Add 1 hour" only gives an error message that something went wrong.
I always have to then Terminate the VM and restart it.
Happened to me about 10 minutes ago in Common Linux Privesc
DMing you to fix this:)
@frosty cape now it dropped out
10 min left on the clock
Error message: Uh-oh! A problem occured. Please try again later.
After I press "Add 1 hour"
Lost connection via ssh and no response on ping.
Changing the Order By tag before the Hacktivities page has loaded causes it to not change when selecting a new option
@frosty cape You didn't fix all of them, this is the same thing that I reported a while back
It also breaks the search
This page seems to be the one that always has a bug haha
The find command task 3 octal format permission link no longer works
on some profiles like https://tryhackme.com/p/Tqup3, the Rooms in count is wrong (Rooms in < Rooms completed)
You can leave rooms after you completed them.
@frosty cape bug or feature?(borderlands)
@rare swallow I'll sort this now
cheerio
Fixed
understood
Is ironcorp bugged? I can get a stable shell, but a meterpreter shell seems to be blocked and dies, even after I deactivated the firewall. Already talked with someone who rooted it and he can't get a meterpreter shell either
@turbid osprey I just got root over a meterpreter shell
@round cave may I Pm you and ask a question regarding it?
i got issues with the web delivery module but a netcat did the job
Yeah sure @turbid osprey
that's a new one, got this during mal:malware introductory. I was just able to click through and access the machine however
@frosty cape Did aws licensing break?
O.o
The boxes are uploaded without a license because AWS should sort that
@frosty cape Did aws licensing break?
@spiral flame Ah hm, yeah we've configured it to handle this.
Maybe there is a bug
Looking into that now
Lemme know if there's an issue with anything that I need to look at :^
it's aws but yaknow
RIP
@frosty cape I've been talking with Dark some about this. I've found it on a bunch of machines.
Sorry for the ping.
i have a speed issue when connect ovpn where can i ask ?
@frosty cape I've been talking with Dark some about this. I've found it on a bunch of machines.
@autumn wave I know what the issue is, just need to apply it to the boxes.
it's happening quite often on windows machines that the "Add 1 hour" does not work.
it did not work at all on HackPark for at least 3 times with me
the machine is reachable for about 5 minutes past the first 1h, then they're not available anymore. even if the time is showing 54 minutes+
If you try to extend it after the expire time, it won't be possible.
@summer tree Are you ensuring you're extending before it expires (> 1m expire time)?
It shouldn't be machine specific as its just a timestamp on an object in the dB
Hm, when I am home I will test it myself just in case
@summer tree do you mean the box is unreachable or does the whole IP/deploy section just disappear?
Hackpark pretends it's still up and dies
I mean that the box is unreachable. The ip/deploy section is still visible and shows the timer counting down.
I'm gonna give it a go because you're not the first to report it
People have reported it for hackpark before
@spiral flame i guess I am having the same outcome.
hmm HackPark is known to be an unstable box - we're looking at getting this box replaced but it may take a while
I can confirm it happens on Hackpark. I can extend, but literally it seems when it gets to 58 minutes left after an extension the machine falls out.
I had a similar problem with another box, was windows, on the same Path. I can check later which one was it
This has happened every time I do it.
I think skidy investigated
It gets the signal to extend and just doesn't
remind me in an hour
Hahah you just deployed it to test it out?
Ok
15mins
After it hits the 1h mark, try letting it run for another 10 minutes. In my experience it did not stop working straight away, but like after 3-5 minutes
Yes James:)
can someone check speed test over ovpn ?for me ?
Huh?
Oh
The VPN uses split tunnelling so you can't use any of the speedtest sites for it
i put file on my Kali THM , when i download it inside Tunnel its so slow
but when i download it over internet speed is good
VPN has overhead
but the difference is so much, over vpn my download speed is about 100kb
i put file on my Kali THM , when i download it inside Tunnel its so slow
@worldly pagoda If you use the Kali inbrowser machine on THM, you dont need the VPN
Mine's faster than that.
i know , but its normal ? i have low speed on vpn ?
can you test it ?
or can i change ovpn protocol to tcp ?
How's with HackPark? Still up?
Yes
when deploying a machine, there is a single space on the left of the IP and it's annoying to remove it manually when ssh'ing into it :o)
On "Ha Joker", flag 18, you're asked to list the LXD images, however there isn't any. Is that intended?
@round cave Sometimes it'll show it without the name
i know , but its normal ? i have low speed on vpn ?
@worldly pagoda It can be computer specific, network card specific, network equipment specific, ISP specific. There are a lot of different factors that can affect your VPN speed.
You can't remove an upvote, only change to a downvote
Anyone I can ask some questions about the room Common Linux Privesc Task 9 #4?
I've read the hint and tried a bunch of things but can't seem to get the command syntax correct.
ASCService.exe is modifiable in Steel Mountain, making the exploit not actually an unquoted service path when you can simply replace the executable with one named the same.
@autumn wave Plus, I've never got the correct exploit working
AKA exe called "Advanced.exe"
It works fine for me.
Weird
I've only used the replace method
And the walkthrough for it isn't very clear since it uses the word replace
Just tested.
Ok
Anyways, unquoted service path is pretty pointless if you can hijack the executable.
annual reminder that dogcat is showing the wrong first blood on /releases. He was second to root, but has more points due to blooding more of the questions

@worthy stag Raised with skidy, broken down and possibly diagnosed
I think it's blood on all questions
@worthy stag What's your preferred system? root blood only? User blood only? What about challenges that aren't user/root?
Asking because it makes it easier to fix
for user/root bloods have it separate, so there will be a user blood but that's not worth as much as a root blood
so if you get root you'll still be higher in points but only marginally
multiple rooms are the main thing but then again bloods shouldn't really have a place in rooms that have multiple flag submissions other than user/root
Hi. The room: tonythetiger - should have a service on 8080, tried a few deployments, still not getting anything on 8080. Just 22 and 80. Can anyone check?
Did you allow a good 5 minutes for that room? The service running on 8080 takes a lil' while to fully setup as it's a java application @trail stirrup
Most reliable way of exploiting that service is to wait until it loads in your browser before trying to exploit. Gets a bit iffy if you exploit it whilst it's setting up
Yep, it's like 10-11 mins now
I'd suggest redeploying in which case
Just java apps being java apps with that box
:)). Ok will try again. Thanks
gl hf! Lemme know how you get on
Hi, I think I found an issue in the following room:
https://tryhackme.com/room/rppsempire
Task3, #7, the expected answer doesn't exist anymore
read the hint @frosty cape
Hi! I was trying to upload a writeup and copied one of my writeup from medium:
URL encode the @ symbol
But I think there is some problem in it.
I uploaded my write on the forum by creating the post.
Yup but no content ...
@frosty cape -- bright ideas?
Why not submit it as a writeup on the room @shrewd marsh?
It won't accept the link for medium. So I saw the option to make Writeups on Forum and that's why I uploaded it.
But it seems I broke something lol
Try adding it to the room, but URL encode the @
Ok, but what's the issue on forum ?
That, is a very good question
I can't even reply to the post or flag it ..
lol this can be used as shit posting on forum...
My guess is that the site borked at the fact you seem to have copy and pasted it from medium
I edited it after copy/paste
Are there any admins who can look into it whats going on ?
The length may also potentially have been a problem

